npm - @agent-native/core - Versions diffs - 0.7.14 → 0.7.16 - Mend

@agent-native/core 0.7.14 → 0.7.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (803) hide show

package/README.md +56 -6
package/dist/a2a/handlers.d.ts.map +1 -1
package/dist/a2a/handlers.js +149 -24
package/dist/a2a/handlers.js.map +1 -1
package/dist/a2a/server.d.ts.map +1 -1
package/dist/a2a/server.js +180 -51
package/dist/a2a/server.js.map +1 -1
package/dist/a2a/task-store.d.ts +10 -1
package/dist/a2a/task-store.d.ts.map +1 -1
package/dist/a2a/task-store.js +36 -2
package/dist/a2a/task-store.js.map +1 -1
package/dist/action.d.ts +16 -0
package/dist/action.d.ts.map +1 -1
package/dist/action.js +11 -0
package/dist/action.js.map +1 -1
package/dist/agent/default-model.d.ts +21 -0
package/dist/agent/default-model.d.ts.map +1 -0
package/dist/agent/default-model.js +21 -0
package/dist/agent/default-model.js.map +1 -0
package/dist/agent/engine/ai-sdk-engine.d.ts.map +1 -1
package/dist/agent/engine/ai-sdk-engine.js +7 -4
package/dist/agent/engine/ai-sdk-engine.js.map +1 -1
package/dist/agent/engine/anthropic-engine.d.ts +1 -1
package/dist/agent/engine/anthropic-engine.d.ts.map +1 -1
package/dist/agent/engine/anthropic-engine.js +10 -4
package/dist/agent/engine/anthropic-engine.js.map +1 -1
package/dist/agent/engine/builder-engine.d.ts.map +1 -1
package/dist/agent/engine/builder-engine.js +4 -1
package/dist/agent/engine/builder-engine.js.map +1 -1
package/dist/agent/engine/builtin.js +1 -1
package/dist/agent/engine/builtin.js.map +1 -1
package/dist/agent/engine/registry.d.ts +27 -7
package/dist/agent/engine/registry.d.ts.map +1 -1
package/dist/agent/engine/registry.js +101 -20
package/dist/agent/engine/registry.js.map +1 -1
package/dist/agent/index.d.ts +1 -0
package/dist/agent/index.d.ts.map +1 -1
package/dist/agent/index.js +1 -0
package/dist/agent/index.js.map +1 -1
package/dist/agent/production-agent.d.ts +32 -7
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +230 -70
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts.map +1 -1
package/dist/agent/run-manager.js +0 -3
package/dist/agent/run-manager.js.map +1 -1
package/dist/agent/types.d.ts +0 -4
package/dist/agent/types.d.ts.map +1 -1
package/dist/application-state/handlers.d.ts.map +1 -1
package/dist/application-state/handlers.js +10 -6
package/dist/application-state/handlers.js.map +1 -1
package/dist/application-state/script-helpers.d.ts +1 -1
package/dist/application-state/script-helpers.d.ts.map +1 -1
package/dist/application-state/script-helpers.js +12 -8
package/dist/application-state/script-helpers.js.map +1 -1
package/dist/application-state/store.d.ts.map +1 -1
package/dist/application-state/store.js +19 -10
package/dist/application-state/store.js.map +1 -1
package/dist/chat-threads/store.d.ts.map +1 -1
package/dist/chat-threads/store.js +4 -1
package/dist/chat-threads/store.js.map +1 -1
package/dist/cli/create.d.ts +3 -1
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +106 -16
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +97 -39
package/dist/cli/index.js.map +1 -1
package/dist/cli/templates-meta.d.ts +4 -0
package/dist/cli/templates-meta.d.ts.map +1 -1
package/dist/cli/templates-meta.js +56 -12
package/dist/cli/templates-meta.js.map +1 -1
package/dist/cli/workspacify.d.ts +2 -0
package/dist/cli/workspacify.d.ts.map +1 -1
package/dist/cli/workspacify.js +5 -4
package/dist/cli/workspacify.js.map +1 -1
package/dist/client/AgentPanel.d.ts +5 -2
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +64 -25
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AgentTaskCard.d.ts.map +1 -1
package/dist/client/AgentTaskCard.js +3 -2
package/dist/client/AgentTaskCard.js.map +1 -1
package/dist/client/AssistantChat.d.ts +0 -6
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +98 -100
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
package/dist/client/ConnectBuilderCard.js +2 -1
package/dist/client/ConnectBuilderCard.js.map +1 -1
package/dist/client/DefaultSpinner.d.ts +1 -1
package/dist/client/DefaultSpinner.d.ts.map +1 -1
package/dist/client/DefaultSpinner.js +2 -9
package/dist/client/DefaultSpinner.js.map +1 -1
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +24 -22
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +4 -3
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.d.ts.map +1 -1
package/dist/client/agent-chat.js +6 -4
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/analytics.d.ts.map +1 -1
package/dist/client/analytics.js +70 -1
package/dist/client/analytics.js.map +1 -1
package/dist/client/api-path.d.ts +5 -0
package/dist/client/api-path.d.ts.map +1 -0
package/dist/client/api-path.js +48 -0
package/dist/client/api-path.js.map +1 -0
package/dist/client/components/ApiKeySettings.d.ts.map +1 -1
package/dist/client/components/ApiKeySettings.js +3 -2
package/dist/client/components/ApiKeySettings.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +3 -2
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +3 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +17 -9
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/draft-key.d.ts +2 -0
package/dist/client/composer/draft-key.d.ts.map +1 -0
package/dist/client/composer/draft-key.js +8 -0
package/dist/client/composer/draft-key.js.map +1 -0
package/dist/client/composer/use-file-search.d.ts.map +1 -1
package/dist/client/composer/use-file-search.js +2 -1
package/dist/client/composer/use-file-search.js.map +1 -1
package/dist/client/composer/use-mention-search.d.ts.map +1 -1
package/dist/client/composer/use-mention-search.js +2 -1
package/dist/client/composer/use-mention-search.js.map +1 -1
package/dist/client/composer/use-skills.d.ts.map +1 -1
package/dist/client/composer/use-skills.js +2 -1
package/dist/client/composer/use-skills.js.map +1 -1
package/dist/client/composer/useVoiceDictation.d.ts +1 -1
package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
package/dist/client/composer/useVoiceDictation.js +16 -8
package/dist/client/composer/useVoiceDictation.js.map +1 -1
package/dist/client/dev-mode.d.ts +14 -0
package/dist/client/dev-mode.d.ts.map +1 -0
package/dist/client/dev-mode.js +14 -0
package/dist/client/dev-mode.js.map +1 -0
package/dist/client/dev-overlay/DevOverlay.d.ts +26 -0
package/dist/client/dev-overlay/DevOverlay.d.ts.map +1 -0
package/dist/client/dev-overlay/DevOverlay.js +315 -0
package/dist/client/dev-overlay/DevOverlay.js.map +1 -0
package/dist/client/dev-overlay/builtins.d.ts +6 -0
package/dist/client/dev-overlay/builtins.d.ts.map +1 -0
package/dist/client/dev-overlay/builtins.js +35 -0
package/dist/client/dev-overlay/builtins.js.map +1 -0
package/dist/client/dev-overlay/index.d.ts +6 -0
package/dist/client/dev-overlay/index.d.ts.map +1 -0
package/dist/client/dev-overlay/index.js +5 -0
package/dist/client/dev-overlay/index.js.map +1 -0
package/dist/client/dev-overlay/registry.d.ts +13 -0
package/dist/client/dev-overlay/registry.d.ts.map +1 -0
package/dist/client/dev-overlay/registry.js +63 -0
package/dist/client/dev-overlay/registry.js.map +1 -0
package/dist/client/dev-overlay/types.d.ts +56 -0
package/dist/client/dev-overlay/types.d.ts.map +1 -0
package/dist/client/dev-overlay/types.js +9 -0
package/dist/client/dev-overlay/types.js.map +1 -0
package/dist/client/dev-overlay/use-dev-option.d.ts +12 -0
package/dist/client/dev-overlay/use-dev-option.d.ts.map +1 -0
package/dist/client/dev-overlay/use-dev-option.js +73 -0
package/dist/client/dev-overlay/use-dev-option.js.map +1 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.d.ts +6 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.d.ts.map +1 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.js +29 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.js.map +1 -0
package/dist/client/frame-protocol.d.ts +61 -10
package/dist/client/frame-protocol.d.ts.map +1 -1
package/dist/client/frame.d.ts +1 -0
package/dist/client/frame.d.ts.map +1 -1
package/dist/client/frame.js +37 -16
package/dist/client/frame.js.map +1 -1
package/dist/client/index.d.ts +5 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +5 -1
package/dist/client/index.js.map +1 -1
package/dist/client/integrations/IntegrationCard.d.ts.map +1 -1
package/dist/client/integrations/IntegrationCard.js +3 -2
package/dist/client/integrations/IntegrationCard.js.map +1 -1
package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
package/dist/client/integrations/IntegrationsPanel.js +3 -2
package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
package/dist/client/integrations/useIntegrationStatus.d.ts.map +1 -1
package/dist/client/integrations/useIntegrationStatus.js +2 -1
package/dist/client/integrations/useIntegrationStatus.js.map +1 -1
package/dist/client/notifications/NotificationsBell.d.ts.map +1 -1
package/dist/client/notifications/NotificationsBell.js +26 -8
package/dist/client/notifications/NotificationsBell.js.map +1 -1
package/dist/client/observability/ThumbsFeedback.d.ts.map +1 -1
package/dist/client/observability/ThumbsFeedback.js +2 -1
package/dist/client/observability/ThumbsFeedback.js.map +1 -1
package/dist/client/observability/useObservability.d.ts.map +1 -1
package/dist/client/observability/useObservability.js +2 -1
package/dist/client/observability/useObservability.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.d.ts +0 -7
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +20 -10
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/onboarding/index.d.ts +1 -0
package/dist/client/onboarding/index.d.ts.map +1 -1
package/dist/client/onboarding/index.js +1 -0
package/dist/client/onboarding/index.js.map +1 -1
package/dist/client/onboarding/use-onboarding.d.ts +1 -7
package/dist/client/onboarding/use-onboarding.d.ts.map +1 -1
package/dist/client/onboarding/use-onboarding.js +27 -13
package/dist/client/onboarding/use-onboarding.js.map +1 -1
package/dist/client/onboarding/use-preview-mode.d.ts +10 -0
package/dist/client/onboarding/use-preview-mode.d.ts.map +1 -0
package/dist/client/onboarding/use-preview-mode.js +35 -0
package/dist/client/onboarding/use-preview-mode.js.map +1 -0
package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
package/dist/client/org/OrgSwitcher.js +2 -1
package/dist/client/org/OrgSwitcher.js.map +1 -1
package/dist/client/org/TeamPage.d.ts.map +1 -1
package/dist/client/org/TeamPage.js +7 -5
package/dist/client/org/TeamPage.js.map +1 -1
package/dist/client/org/hooks.d.ts.map +1 -1
package/dist/client/org/hooks.js +2 -1
package/dist/client/org/hooks.js.map +1 -1
package/dist/client/progress/RunsTray.d.ts.map +1 -1
package/dist/client/progress/RunsTray.js +2 -1
package/dist/client/progress/RunsTray.js.map +1 -1
package/dist/client/resources/McpServerDetail.d.ts +0 -8
package/dist/client/resources/McpServerDetail.d.ts.map +1 -1
package/dist/client/resources/McpServerDetail.js +6 -1
package/dist/client/resources/McpServerDetail.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
package/dist/client/resources/ResourceEditor.js +2 -1
package/dist/client/resources/ResourceEditor.js.map +1 -1
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +2 -1
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-mcp-servers.d.ts.map +1 -1
package/dist/client/resources/use-mcp-servers.js +7 -2
package/dist/client/resources/use-mcp-servers.js.map +1 -1
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js +9 -7
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/AgentsSection.d.ts.map +1 -1
package/dist/client/settings/AgentsSection.js +7 -5
package/dist/client/settings/AgentsSection.js.map +1 -1
package/dist/client/settings/AutomationsSection.d.ts.map +1 -1
package/dist/client/settings/AutomationsSection.js +9 -5
package/dist/client/settings/AutomationsSection.js.map +1 -1
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
package/dist/client/settings/BackgroundAgentSection.js +2 -1
package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
package/dist/client/settings/SecretsSection.d.ts.map +1 -1
package/dist/client/settings/SecretsSection.js +12 -4
package/dist/client/settings/SecretsSection.js.map +1 -1
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +15 -23
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/UsageSection.d.ts.map +1 -1
package/dist/client/settings/UsageSection.js +2 -1
package/dist/client/settings/UsageSection.js.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.d.ts +2 -4
package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.js +66 -23
package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
package/dist/client/settings/useBuilderStatus.d.ts +9 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
package/dist/client/settings/useBuilderStatus.js +31 -3
package/dist/client/settings/useBuilderStatus.js.map +1 -1
package/dist/client/sharing/ShareButton.d.ts.map +1 -1
package/dist/client/sharing/ShareButton.js +7 -2
package/dist/client/sharing/ShareButton.js.map +1 -1
package/dist/client/sharing/ShareDialog.d.ts.map +1 -1
package/dist/client/sharing/ShareDialog.js +4 -3
package/dist/client/sharing/ShareDialog.js.map +1 -1
package/dist/client/sse-event-processor.d.ts +1 -3
package/dist/client/sse-event-processor.d.ts.map +1 -1
package/dist/client/sse-event-processor.js +3 -24
package/dist/client/sse-event-processor.js.map +1 -1
package/dist/client/terminal/AgentTerminal.d.ts +1 -0
package/dist/client/terminal/AgentTerminal.d.ts.map +1 -1
package/dist/client/terminal/AgentTerminal.js +14 -10
package/dist/client/terminal/AgentTerminal.js.map +1 -1
package/dist/client/tools/EmbeddedTool.d.ts +20 -0
package/dist/client/tools/EmbeddedTool.d.ts.map +1 -0
package/dist/client/tools/EmbeddedTool.js +154 -0
package/dist/client/tools/EmbeddedTool.js.map +1 -0
package/dist/client/tools/ExtensionSlot.d.ts +27 -0
package/dist/client/tools/ExtensionSlot.d.ts.map +1 -0
package/dist/client/tools/ExtensionSlot.js +96 -0
package/dist/client/tools/ExtensionSlot.js.map +1 -0
package/dist/client/tools/ToolEditor.d.ts.map +1 -1
package/dist/client/tools/ToolEditor.js +5 -4
package/dist/client/tools/ToolEditor.js.map +1 -1
package/dist/client/tools/ToolViewer.d.ts.map +1 -1
package/dist/client/tools/ToolViewer.js +75 -44
package/dist/client/tools/ToolViewer.js.map +1 -1
package/dist/client/tools/ToolViewerPage.d.ts.map +1 -1
package/dist/client/tools/ToolViewerPage.js +2 -1
package/dist/client/tools/ToolViewerPage.js.map +1 -1
package/dist/client/tools/ToolsListPage.d.ts.map +1 -1
package/dist/client/tools/ToolsListPage.js +3 -2
package/dist/client/tools/ToolsListPage.js.map +1 -1
package/dist/client/tools/ToolsSidebarSection.d.ts.map +1 -1
package/dist/client/tools/ToolsSidebarSection.js +4 -3
package/dist/client/tools/ToolsSidebarSection.js.map +1 -1
package/dist/client/tools/iframe-bridge.d.ts +38 -0
package/dist/client/tools/iframe-bridge.d.ts.map +1 -0
package/dist/client/tools/iframe-bridge.js +207 -0
package/dist/client/tools/iframe-bridge.js.map +1 -0
package/dist/client/tools/index.d.ts +2 -0
package/dist/client/tools/index.d.ts.map +1 -1
package/dist/client/tools/index.js +2 -0
package/dist/client/tools/index.js.map +1 -1
package/dist/client/use-action.d.ts.map +1 -1
package/dist/client/use-action.js +2 -1
package/dist/client/use-action.js.map +1 -1
package/dist/client/use-agent-chat.js +2 -2
package/dist/client/use-agent-chat.js.map +1 -1
package/dist/client/use-avatar.d.ts.map +1 -1
package/dist/client/use-avatar.js +3 -2
package/dist/client/use-avatar.js.map +1 -1
package/dist/client/use-builder-enabled.d.ts.map +1 -1
package/dist/client/use-builder-enabled.js +2 -1
package/dist/client/use-builder-enabled.js.map +1 -1
package/dist/client/use-chat-threads.d.ts.map +1 -1
package/dist/client/use-chat-threads.js +2 -1
package/dist/client/use-chat-threads.js.map +1 -1
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +3 -2
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-dev-mode.d.ts.map +1 -1
package/dist/client/use-dev-mode.js +2 -1
package/dist/client/use-dev-mode.js.map +1 -1
package/dist/client/use-send-to-agent-chat.d.ts.map +1 -1
package/dist/client/use-send-to-agent-chat.js +5 -3
package/dist/client/use-send-to-agent-chat.js.map +1 -1
package/dist/client/use-session.d.ts.map +1 -1
package/dist/client/use-session.js +2 -1
package/dist/client/use-session.js.map +1 -1
package/dist/client/useProductionAgent.d.ts.map +1 -1
package/dist/client/useProductionAgent.js +4 -3
package/dist/client/useProductionAgent.js.map +1 -1
package/dist/collab/client.d.ts.map +1 -1
package/dist/collab/client.js +3 -2
package/dist/collab/client.js.map +1 -1
package/dist/credentials/index.d.ts +27 -10
package/dist/credentials/index.d.ts.map +1 -1
package/dist/credentials/index.js +61 -19
package/dist/credentials/index.js.map +1 -1
package/dist/db/client.d.ts.map +1 -1
package/dist/db/client.js +10 -1
package/dist/db/client.js.map +1 -1
package/dist/db/migrations.d.ts +13 -5
package/dist/db/migrations.d.ts.map +1 -1
package/dist/db/migrations.js +9 -2
package/dist/db/migrations.js.map +1 -1
package/dist/deploy/build.d.ts +12 -1
package/dist/deploy/build.d.ts.map +1 -1
package/dist/deploy/build.js +195 -23
package/dist/deploy/build.js.map +1 -1
package/dist/file-upload/registry.d.ts.map +1 -1
package/dist/file-upload/registry.js +25 -1
package/dist/file-upload/registry.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -2
package/dist/index.js.map +1 -1
package/dist/integrations/adapters/email.d.ts.map +1 -1
package/dist/integrations/adapters/email.js +152 -32
package/dist/integrations/adapters/email.js.map +1 -1
package/dist/integrations/adapters/slack.d.ts +13 -0
package/dist/integrations/adapters/slack.d.ts.map +1 -1
package/dist/integrations/adapters/slack.js +302 -32
package/dist/integrations/adapters/slack.js.map +1 -1
package/dist/integrations/adapters/telegram.d.ts.map +1 -1
package/dist/integrations/adapters/telegram.js +37 -2
package/dist/integrations/adapters/telegram.js.map +1 -1
package/dist/integrations/adapters/whatsapp.d.ts.map +1 -1
package/dist/integrations/adapters/whatsapp.js +91 -12
package/dist/integrations/adapters/whatsapp.js.map +1 -1
package/dist/integrations/google-docs-poller.d.ts.map +1 -1
package/dist/integrations/google-docs-poller.js +5 -2
package/dist/integrations/google-docs-poller.js.map +1 -1
package/dist/integrations/internal-token.d.ts.map +1 -1
package/dist/integrations/internal-token.js +17 -1
package/dist/integrations/internal-token.js.map +1 -1
package/dist/integrations/pending-tasks-retry-job.d.ts.map +1 -1
package/dist/integrations/pending-tasks-retry-job.js +23 -9
package/dist/integrations/pending-tasks-retry-job.js.map +1 -1
package/dist/integrations/pending-tasks-store.d.ts +16 -0
package/dist/integrations/pending-tasks-store.d.ts.map +1 -1
package/dist/integrations/pending-tasks-store.js +58 -5
package/dist/integrations/pending-tasks-store.js.map +1 -1
package/dist/integrations/plugin.d.ts.map +1 -1
package/dist/integrations/plugin.js +198 -15
package/dist/integrations/plugin.js.map +1 -1
package/dist/integrations/types.d.ts +33 -2
package/dist/integrations/types.d.ts.map +1 -1
package/dist/integrations/webhook-handler.d.ts +6 -0
package/dist/integrations/webhook-handler.d.ts.map +1 -1
package/dist/integrations/webhook-handler.js +141 -61
package/dist/integrations/webhook-handler.js.map +1 -1
package/dist/jobs/cron.d.ts.map +1 -1
package/dist/jobs/cron.js +12 -4
package/dist/jobs/cron.js.map +1 -1
package/dist/jobs/scheduler.d.ts.map +1 -1
package/dist/jobs/scheduler.js +141 -16
package/dist/jobs/scheduler.js.map +1 -1
package/dist/jobs/tools.d.ts.map +1 -1
package/dist/jobs/tools.js +94 -3
package/dist/jobs/tools.js.map +1 -1
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +128 -62
package/dist/mcp/server.js.map +1 -1
package/dist/mcp-client/hub-routes.d.ts +14 -0
package/dist/mcp-client/hub-routes.d.ts.map +1 -1
package/dist/mcp-client/hub-routes.js +42 -2
package/dist/mcp-client/hub-routes.js.map +1 -1
package/dist/mcp-client/index.d.ts +1 -1
package/dist/mcp-client/index.d.ts.map +1 -1
package/dist/mcp-client/index.js +1 -1
package/dist/mcp-client/index.js.map +1 -1
package/dist/mcp-client/manager.d.ts.map +1 -1
package/dist/mcp-client/manager.js +28 -3
package/dist/mcp-client/manager.js.map +1 -1
package/dist/mcp-client/remote-store.d.ts +49 -1
package/dist/mcp-client/remote-store.d.ts.map +1 -1
package/dist/mcp-client/remote-store.js +253 -6
package/dist/mcp-client/remote-store.js.map +1 -1
package/dist/mcp-client/routes.d.ts.map +1 -1
package/dist/mcp-client/routes.js +11 -9
package/dist/mcp-client/routes.js.map +1 -1
package/dist/mcp-client/visibility.d.ts +7 -3
package/dist/mcp-client/visibility.d.ts.map +1 -1
package/dist/mcp-client/visibility.js +16 -7
package/dist/mcp-client/visibility.js.map +1 -1
package/dist/notifications/actions.d.ts.map +1 -1
package/dist/notifications/actions.js +7 -1
package/dist/notifications/actions.js.map +1 -1
package/dist/notifications/routes.d.ts +1 -1
package/dist/notifications/routes.d.ts.map +1 -1
package/dist/notifications/routes.js +20 -3
package/dist/notifications/routes.js.map +1 -1
package/dist/notifications/store.d.ts.map +1 -1
package/dist/notifications/store.js +6 -1
package/dist/notifications/store.js.map +1 -1
package/dist/oauth-tokens/store.d.ts +43 -2
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +83 -14
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/observability/cleanup-job.d.ts +38 -0
package/dist/observability/cleanup-job.d.ts.map +1 -0
package/dist/observability/cleanup-job.js +107 -0
package/dist/observability/cleanup-job.js.map +1 -0
package/dist/observability/experiments.js +5 -5
package/dist/observability/experiments.js.map +1 -1
package/dist/observability/index.d.ts +2 -1
package/dist/observability/index.d.ts.map +1 -1
package/dist/observability/index.js +2 -1
package/dist/observability/index.js.map +1 -1
package/dist/observability/plugin.d.ts.map +1 -1
package/dist/observability/plugin.js +11 -0
package/dist/observability/plugin.js.map +1 -1
package/dist/observability/routes.d.ts.map +1 -1
package/dist/observability/routes.js +37 -8
package/dist/observability/routes.js.map +1 -1
package/dist/observability/store.d.ts +16 -0
package/dist/observability/store.d.ts.map +1 -1
package/dist/observability/store.js +54 -3
package/dist/observability/store.js.map +1 -1
package/dist/observability/traces.d.ts +5 -0
package/dist/observability/traces.d.ts.map +1 -1
package/dist/observability/traces.js +44 -1
package/dist/observability/traces.js.map +1 -1
package/dist/observability/types.d.ts +7 -0
package/dist/observability/types.d.ts.map +1 -1
package/dist/observability/types.js.map +1 -1
package/dist/onboarding/default-steps.d.ts.map +1 -1
package/dist/onboarding/default-steps.js +1 -2
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/onboarding/plugin.d.ts.map +1 -1
package/dist/onboarding/plugin.js +63 -32
package/dist/onboarding/plugin.js.map +1 -1
package/dist/onboarding/types.d.ts +6 -1
package/dist/onboarding/types.d.ts.map +1 -1
package/dist/org/accept-pending.d.ts.map +1 -1
package/dist/org/accept-pending.js +2 -1
package/dist/org/accept-pending.js.map +1 -1
package/dist/progress/actions.d.ts.map +1 -1
package/dist/progress/actions.js +10 -1
package/dist/progress/actions.js.map +1 -1
package/dist/progress/routes.d.ts +1 -1
package/dist/progress/routes.d.ts.map +1 -1
package/dist/progress/routes.js +20 -3
package/dist/progress/routes.js.map +1 -1
package/dist/progress/store.d.ts.map +1 -1
package/dist/progress/store.js +6 -1
package/dist/progress/store.js.map +1 -1
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +35 -7
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +15 -3
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +12 -4
package/dist/resources/store.js.map +1 -1
package/dist/scripts/call-agent.d.ts +1 -0
package/dist/scripts/call-agent.d.ts.map +1 -1
package/dist/scripts/call-agent.js +78 -40
package/dist/scripts/call-agent.js.map +1 -1
package/dist/scripts/chat/search-chats.d.ts.map +1 -1
package/dist/scripts/chat/search-chats.js +3 -2
package/dist/scripts/chat/search-chats.js.map +1 -1
package/dist/scripts/db/exec.d.ts +1 -1
package/dist/scripts/db/exec.d.ts.map +1 -1
package/dist/scripts/db/exec.js +171 -5
package/dist/scripts/db/exec.js.map +1 -1
package/dist/scripts/db/migrate-user-api-keys.d.ts.map +1 -1
package/dist/scripts/db/migrate-user-api-keys.js +10 -0
package/dist/scripts/db/migrate-user-api-keys.js.map +1 -1
package/dist/scripts/db/query.d.ts +1 -1
package/dist/scripts/db/query.d.ts.map +1 -1
package/dist/scripts/db/query.js +104 -4
package/dist/scripts/db/query.js.map +1 -1
package/dist/scripts/db/scoping.d.ts.map +1 -1
package/dist/scripts/db/scoping.js +35 -10
package/dist/scripts/db/scoping.js.map +1 -1
package/dist/scripts/dev/shell.d.ts.map +1 -1
package/dist/scripts/dev/shell.js +3 -1
package/dist/scripts/dev/shell.js.map +1 -1
package/dist/scripts/resources/delete-memory.d.ts.map +1 -1
package/dist/scripts/resources/delete-memory.js +2 -1
package/dist/scripts/resources/delete-memory.js.map +1 -1
package/dist/scripts/resources/delete.d.ts.map +1 -1
package/dist/scripts/resources/delete.js +2 -1
package/dist/scripts/resources/delete.js.map +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +2 -1
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
package/dist/scripts/resources/migrate-learnings.js +2 -1
package/dist/scripts/resources/migrate-learnings.js.map +1 -1
package/dist/scripts/resources/read.d.ts.map +1 -1
package/dist/scripts/resources/read.js +2 -1
package/dist/scripts/resources/read.js.map +1 -1
package/dist/scripts/resources/save-memory.d.ts.map +1 -1
package/dist/scripts/resources/save-memory.js +2 -1
package/dist/scripts/resources/save-memory.js.map +1 -1
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +2 -1
package/dist/scripts/resources/write.js.map +1 -1
package/dist/secrets/onboarding.d.ts.map +1 -1
package/dist/secrets/onboarding.js +24 -16
package/dist/secrets/onboarding.js.map +1 -1
package/dist/secrets/routes.d.ts.map +1 -1
package/dist/secrets/routes.js +139 -37
package/dist/secrets/routes.js.map +1 -1
package/dist/secrets/storage.d.ts.map +1 -1
package/dist/secrets/storage.js +23 -12
package/dist/secrets/storage.js.map +1 -1
package/dist/secrets/substitution.d.ts +24 -2
package/dist/secrets/substitution.d.ts.map +1 -1
package/dist/secrets/substitution.js +44 -6
package/dist/secrets/substitution.js.map +1 -1
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +19 -51
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/action-routes.d.ts.map +1 -1
package/dist/server/action-routes.js +61 -15
package/dist/server/action-routes.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +449 -338
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts +8 -0
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +39 -12
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/agent-teams.d.ts.map +1 -1
package/dist/server/agent-teams.js +4 -1
package/dist/server/agent-teams.js.map +1 -1
package/dist/server/analytics.d.ts +0 -1
package/dist/server/analytics.d.ts.map +1 -1
package/dist/server/analytics.js +0 -1
package/dist/server/analytics.js.map +1 -1
package/dist/server/app-base-path.d.ts +4 -0
package/dist/server/app-base-path.d.ts.map +1 -0
package/dist/server/app-base-path.js +33 -0
package/dist/server/app-base-path.js.map +1 -0
package/dist/server/app-url.d.ts +4 -1
package/dist/server/app-url.d.ts.map +1 -1
package/dist/server/app-url.js +16 -1
package/dist/server/app-url.js.map +1 -1
package/dist/server/auth.d.ts +15 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +400 -68
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +1 -0
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +67 -15
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +15 -0
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +90 -4
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/cli-capture.d.ts +31 -0
package/dist/server/cli-capture.d.ts.map +1 -0
package/dist/server/cli-capture.js +120 -0
package/dist/server/cli-capture.js.map +1 -0
package/dist/server/collab-plugin.d.ts +12 -0
package/dist/server/collab-plugin.d.ts.map +1 -1
package/dist/server/collab-plugin.js +63 -21
package/dist/server/collab-plugin.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +467 -130
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/create-server.d.ts +2 -0
package/dist/server/create-server.d.ts.map +1 -1
package/dist/server/create-server.js +82 -11
package/dist/server/create-server.js.map +1 -1
package/dist/server/credential-provider.d.ts +11 -0
package/dist/server/credential-provider.d.ts.map +1 -1
package/dist/server/credential-provider.js +51 -2
package/dist/server/credential-provider.js.map +1 -1
package/dist/server/csrf.d.ts +58 -0
package/dist/server/csrf.d.ts.map +1 -0
package/dist/server/csrf.js +165 -0
package/dist/server/csrf.js.map +1 -0
package/dist/server/framework-request-handler.d.ts +20 -0
package/dist/server/framework-request-handler.d.ts.map +1 -1
package/dist/server/framework-request-handler.js +115 -34
package/dist/server/framework-request-handler.js.map +1 -1
package/dist/server/google-auth-plugin.d.ts.map +1 -1
package/dist/server/google-auth-plugin.js +10 -2
package/dist/server/google-auth-plugin.js.map +1 -1
package/dist/server/google-oauth.d.ts +84 -2
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +248 -45
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +5 -4
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +5 -4
package/dist/server/index.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +8 -3
package/dist/server/oauth-helpers.d.ts.map +1 -1
package/dist/server/oauth-helpers.js +12 -8
package/dist/server/oauth-helpers.js.map +1 -1
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +37 -9
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts +33 -0
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +43 -2
package/dist/server/poll.js.map +1 -1
package/dist/server/request-context.d.ts +102 -3
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/request-context.js +100 -7
package/dist/server/request-context.js.map +1 -1
package/dist/server/security-headers.d.ts +51 -0
package/dist/server/security-headers.d.ts.map +1 -0
package/dist/server/security-headers.js +90 -0
package/dist/server/security-headers.js.map +1 -0
package/dist/server/short-lived-token.d.ts +62 -0
package/dist/server/short-lived-token.d.ts.map +1 -0
package/dist/server/short-lived-token.js +118 -0
package/dist/server/short-lived-token.js.map +1 -0
package/dist/server/ssr-handler.d.ts.map +1 -1
package/dist/server/ssr-handler.js +96 -2
package/dist/server/ssr-handler.js.map +1 -1
package/dist/server/transcribe-voice.d.ts.map +1 -1
package/dist/server/transcribe-voice.js +307 -56
package/dist/server/transcribe-voice.js.map +1 -1
package/dist/server/voice-providers-status.d.ts +12 -0
package/dist/server/voice-providers-status.d.ts.map +1 -0
package/dist/server/voice-providers-status.js +71 -0
package/dist/server/voice-providers-status.js.map +1 -0
package/dist/shared/agent-chat.js +1 -1
package/dist/shared/agent-chat.js.map +1 -1
package/dist/shared/agent-env.js +1 -1
package/dist/shared/agent-env.js.map +1 -1
package/dist/sharing/access.d.ts.map +1 -1
package/dist/sharing/access.js +16 -13
package/dist/sharing/access.js.map +1 -1
package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
package/dist/sharing/actions/set-resource-visibility.js +3 -0
package/dist/sharing/actions/set-resource-visibility.js.map +1 -1
package/dist/sharing/actions/share-resource.d.ts +1 -0
package/dist/sharing/actions/share-resource.d.ts.map +1 -1
package/dist/sharing/actions/share-resource.js +50 -0
package/dist/sharing/actions/share-resource.js.map +1 -1
package/dist/sharing/actions/unshare-resource.d.ts.map +1 -1
package/dist/sharing/actions/unshare-resource.js +2 -0
package/dist/sharing/actions/unshare-resource.js.map +1 -1
package/dist/templates/default/.agents/skills/delegate-to-agent/SKILL.md +54 -0
package/dist/templates/default/app/root.tsx +1 -1
package/dist/templates/default/app/routes/_index.tsx +6 -1
package/dist/templates/default/package.json +1 -1
package/dist/templates/default/public/favicon.svg +13 -0
package/dist/templates/default/public/icon-180.svg +12 -3
package/dist/templates/default/public/icon-192.svg +12 -3
package/dist/templates/default/public/icon-512.svg +12 -3
package/dist/templates/workspace-core/package.json +23 -5
package/dist/templates/workspace-core/src/credentials.ts +32 -5
package/dist/templates/workspace-core/tsconfig.json +4 -1
package/dist/terminal/pty-server.d.ts.map +1 -1
package/dist/terminal/pty-server.js +8 -2
package/dist/terminal/pty-server.js.map +1 -1
package/dist/terminal/terminal-plugin.js +3 -3
package/dist/terminal/terminal-plugin.js.map +1 -1
package/dist/tools/actions.d.ts.map +1 -1
package/dist/tools/actions.js +130 -0
package/dist/tools/actions.js.map +1 -1
package/dist/tools/fetch-tool.d.ts +1 -0
package/dist/tools/fetch-tool.d.ts.map +1 -1
package/dist/tools/fetch-tool.js +38 -16
package/dist/tools/fetch-tool.js.map +1 -1
package/dist/tools/html-shell.d.ts +44 -1
package/dist/tools/html-shell.d.ts.map +1 -1
package/dist/tools/html-shell.js +119 -4
package/dist/tools/html-shell.js.map +1 -1
package/dist/tools/proxy-security.d.ts +12 -0
package/dist/tools/proxy-security.d.ts.map +1 -0
package/dist/tools/proxy-security.js +158 -0
package/dist/tools/proxy-security.js.map +1 -0
package/dist/tools/routes.d.ts.map +1 -1
package/dist/tools/routes.js +156 -105
package/dist/tools/routes.js.map +1 -1
package/dist/tools/schema.d.ts +89 -0
package/dist/tools/schema.d.ts.map +1 -1
package/dist/tools/schema.js +34 -0
package/dist/tools/schema.js.map +1 -1
package/dist/tools/slots/routes.d.ts +15 -0
package/dist/tools/slots/routes.d.ts.map +1 -0
package/dist/tools/slots/routes.js +94 -0
package/dist/tools/slots/routes.js.map +1 -0
package/dist/tools/slots/schema.d.ts +303 -0
package/dist/tools/slots/schema.d.ts.map +1 -0
package/dist/tools/slots/schema.js +76 -0
package/dist/tools/slots/schema.js.map +1 -0
package/dist/tools/slots/store.d.ts +66 -0
package/dist/tools/slots/store.d.ts.map +1 -0
package/dist/tools/slots/store.js +227 -0
package/dist/tools/slots/store.js.map +1 -0
package/dist/tools/store.d.ts.map +1 -1
package/dist/tools/store.js +35 -37
package/dist/tools/store.js.map +1 -1
package/dist/tools/url-safety.d.ts +24 -0
package/dist/tools/url-safety.d.ts.map +1 -0
package/dist/tools/url-safety.js +224 -0
package/dist/tools/url-safety.js.map +1 -0
package/dist/tracking/providers.d.ts.map +1 -1
package/dist/tracking/providers.js +28 -11
package/dist/tracking/providers.js.map +1 -1
package/dist/tracking/registry.d.ts.map +1 -1
package/dist/tracking/registry.js +7 -3
package/dist/tracking/registry.js.map +1 -1
package/dist/triggers/actions.d.ts.map +1 -1
package/dist/triggers/actions.js +11 -6
package/dist/triggers/actions.js.map +1 -1
package/dist/triggers/condition-evaluator.d.ts +8 -0
package/dist/triggers/condition-evaluator.d.ts.map +1 -1
package/dist/triggers/condition-evaluator.js +39 -4
package/dist/triggers/condition-evaluator.js.map +1 -1
package/dist/triggers/dispatcher.d.ts.map +1 -1
package/dist/triggers/dispatcher.js +67 -4
package/dist/triggers/dispatcher.js.map +1 -1
package/dist/usage/store.d.ts +0 -11
package/dist/usage/store.d.ts.map +1 -1
package/dist/usage/store.js +0 -11
package/dist/usage/store.js.map +1 -1
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +8 -5
package/dist/vite/action-types-plugin.js.map +1 -1
package/dist/vite/client.d.ts +2 -0
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +216 -4
package/dist/vite/client.js.map +1 -1
package/docs/content/actions.md +32 -0
package/docs/content/authentication.md +39 -12
package/docs/content/cloneable-saas.md +13 -15
package/docs/content/deployment.md +84 -9
package/docs/content/drop-in-agent.md +2 -2
package/docs/content/faq.md +4 -1
package/docs/content/getting-started.md +2 -0
package/docs/content/messaging.md +195 -155
package/docs/content/onboarding.md +82 -12
package/docs/content/security.md +59 -8
package/docs/content/template-analytics.md +65 -59
package/docs/content/template-clips.md +7 -9
package/docs/content/template-design.md +55 -0
package/docs/content/template-dispatch.md +13 -0
package/docs/content/template-forms.md +7 -6
package/docs/content/template-mail.md +78 -80
package/package.json +4 -3
package/src/templates/default/.agents/skills/delegate-to-agent/SKILL.md +54 -0
package/src/templates/default/app/root.tsx +1 -1
package/src/templates/default/app/routes/_index.tsx +6 -1
package/src/templates/default/package.json +1 -1
package/src/templates/default/public/favicon.svg +13 -0
package/src/templates/default/public/icon-180.svg +12 -3
package/src/templates/default/public/icon-192.svg +12 -3
package/src/templates/default/public/icon-512.svg +12 -3
package/src/templates/workspace-core/package.json +23 -5
package/src/templates/workspace-core/src/credentials.ts +32 -5
package/src/templates/workspace-core/tsconfig.json +4 -1

package/dist/server/auth.js CHANGED Viewed

@@ -9,10 +9,40 @@ async function getFs() {
     }
     return _fs;
 }
-import { defineEventHandler, getMethod, getQuery, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
-// In h3 v2, `event.req` IS the web Request — no conversion needed.
+import { defineEventHandler, getMethod, getQuery, getRequestIP, sendRedirect, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
+// In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx
+// runtime), event.url and event.req share the same underlying URL object.
+// When registerMiddleware strips the mount prefix from event.url.pathname, it
+// also mutates event.req.url (NodeRequestURL setter updates nodeReq.url).
+// Better Auth's router uses new URL(request.url).pathname to extract the
+// sub-route, so it must receive the original full URL — not the stripped one.
+// registerMiddleware saves the original pathname in event.context so we can
+// reconstruct a fresh Request with the correct URL here.
 function toWebRequest(event) {
-    return event.req;
+    const req = event.req;
+    const ctx = event.context;
+    if (ctx?._mountedPathname && ctx._mountPrefix) {
+        try {
+            const url = new URL(req.url);
+            const mountedPathname = stripAppBasePath(ctx._mountedPathname);
+            if (url.pathname !== mountedPathname) {
+                url.pathname = mountedPathname;
+                const method = req.method.toUpperCase();
+                const hasBody = method !== "GET" && method !== "HEAD";
+                return new Request(url.href, {
+                    method: req.method,
+                    headers: req.headers,
+                    // Body may already be partially consumed; pass through as-is.
+                    // GET/HEAD cannot have a body — omit to avoid spec errors.
+                    ...(hasBody ? { body: req.body, duplex: "half" } : {}),
+                });
+            }
+        }
+        catch {
+            // URL reconstruction failed — fall through and use original req.
+        }
+    }
+    return req;
 }
 import { getDbExec, isPostgres, intType, isLocalDatabase, retryOnDdlRace, } from "../db/client.js";
 import { getBetterAuth, getBetterAuthSync } from "./better-auth-instance.js";
@@ -20,7 +50,7 @@ import { getOnboardingHtml, getResetPasswordHtml } from "./onboarding-html.js";
 import { migrateLocalUserData } from "./local-migration.js";
 import { readBody } from "../server/h3-helpers.js";
 import { readDesktopSso, writeDesktopSso, clearDesktopSso, } from "./desktop-sso.js";
-import { isElectron as isElectronRequest, getOrigin, encodeOAuthState, decodeOAuthState, createOAuthSession, oauthCallbackResponse, oauthErrorPage, } from "./google-oauth.js";
+import { isElectron as isElectronRequest, getAppBasePath, getAppUrl, encodeOAuthState, decodeOAuthState, createOAuthSession, oauthCallbackResponse, oauthErrorPage, resolveOAuthRedirectUri, isAllowedOAuthRedirectUri, } from "./google-oauth.js";
 /**
  * Get the configured session max age. Desktop SSO broker writes from
  * OAuth flows read this so expiration stays consistent with the cookie.
@@ -95,7 +125,7 @@ async function isLocalModeEnabled() {
  * Check if we're in a development/test environment.
  * Used for cookie security settings, not for auth bypass.
  */
-function isDevEnvironment() {
+export function isDevEnvironment() {
     const env = process.env.NODE_ENV;
     return env === "development" || env === "test";
 }
@@ -126,6 +156,75 @@ export function safeReturnPath(raw) {
         return "/";
     }
 }
+/**
+ * Read the desktop-SSO broker file, but only if the request is plausibly
+ * from the Electron desktop app *and* coming from the local machine.
+ *
+ * The broker file lives in the user's home directory and trusts the local
+ * trust boundary — a non-loopback request that pretends to be Electron
+ * via User-Agent must NEVER be allowed to read it. We additionally refuse
+ * any read in production builds: the desktop app launches with
+ * `NODE_ENV=development` (or unset), and any web-hosted production deploy
+ * has no business consulting a per-user file on the server's homedir
+ * even if one exists.
+ *
+ * Returns null when the safety checks fail or the file isn't present.
+ */
+async function readDesktopSsoSafely(event) {
+    if (process.env.NODE_ENV === "production")
+        return null;
+    if (!isElectronRequest(event))
+        return null;
+    // Loopback-only: 127.0.0.1, ::1, and the IPv4-mapped form.
+    let ip;
+    try {
+        ip = getRequestIP(event) ?? undefined;
+    }
+    catch {
+        ip = undefined;
+    }
+    // Strip an optional zone id (e.g. "fe80::1%en0") before comparing.
+    const normalised = (ip ?? "").split("%")[0];
+    const isLoopback = normalised === "127.0.0.1" ||
+        normalised === "::1" ||
+        normalised === "::ffff:127.0.0.1" ||
+        normalised.startsWith("127.");
+    if (!isLoopback)
+        return null;
+    return await readDesktopSso();
+}
+/**
+ * Extract the framework session token from a Better Auth response's
+ * Set-Cookie headers, if any. Used by the password-reset path to skip
+ * the freshly-minted session when revoking sibling sessions for the
+ * user. Returns undefined if no session cookie was minted (the common
+ * case — Better Auth's reset doesn't auto-sign-in by default).
+ */
+function extractSessionTokenFromSetCookies(response) {
+    try {
+        // Headers may have multiple Set-Cookie entries; iterate via getSetCookie
+        // when available (Node 20+ / undici), else fall back to comma split.
+        const headers = response.headers;
+        const setCookies = typeof headers.getSetCookie === "function"
+            ? headers.getSetCookie()
+            : (headers.get("set-cookie") ?? "")
+                .split(/,(?=[^;]+=)/)
+                .map((s) => s.trim())
+                .filter(Boolean);
+        for (const sc of setCookies) {
+            // Better Auth's session cookie name is configurable but defaults to
+            // `<prefix>.session_token`. Match either the Better Auth default or
+            // our COOKIE_NAME (`an_session`) on the same line.
+            const match = sc.match(/(?:^|\s|;)(an_session|[\w.-]*session_token)=([^;]+)/i);
+            if (match)
+                return match[2];
+        }
+    }
+    catch {
+        // Best-effort; treat as no token.
+    }
+    return undefined;
+}
 // ---------------------------------------------------------------------------
 // ACCESS_TOKEN resolution
 // ---------------------------------------------------------------------------
@@ -364,7 +463,17 @@ export async function runAuthGuard(event) {
         return; // Auth not mounted (local mode, etc.)
     return _authGuardFn(event);
 }
-const LOCAL_SESSION = { email: "local@localhost" };
+/**
+ * The framework's dev-mode bypass identity. When `AUTH_MODE=local` (or
+ * dev-mode falls back), `getSession()` returns `{ email: DEV_MODE_USER_EMAIL }`.
+ * Production code that needs to check whether the current request is the
+ * dev-mode user (or filter it out of mailers, dashboards, etc.) should
+ * compare against this constant instead of inlining the literal —
+ * `guard-no-localhost-fallback.mjs` blocks the literal everywhere except
+ * `auth.ts` and a handful of dev-mode helpers.
+ */
+export const DEV_MODE_USER_EMAIL = "local@localhost";
+const LOCAL_SESSION = { email: DEV_MODE_USER_EMAIL };
 // ---------------------------------------------------------------------------
 // Auth guard factory
 // ---------------------------------------------------------------------------
@@ -387,7 +496,7 @@ function applyCorsHeaders(event) {
     const originRaw = reqHeaders["origin"];
     const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
     if (!origin)
-        return;
+        return { hasOrigin: false, allowed: true };
     // Dev convenience: always allow localhost origins across ports (Tauri
     // tray apps, the frame, docs). In prod, the CORS_ALLOWED_ORIGINS env
     // var is the safe-list.
@@ -399,12 +508,13 @@ function applyCorsHeaders(event) {
         ? /^(https?|tauri):\/\/(localhost|127\.0\.0\.1|tauri\.localhost)(:\d+)?$/.test(origin)
         : allowlist.includes(origin);
     if (!allowed)
-        return;
+        return { hasOrigin: true, allowed: false };
     setResponseHeader(event, "Access-Control-Allow-Origin", origin);
     setResponseHeader(event, "Vary", "Origin");
     setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
-    setResponseHeader(event, "Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS");
-    setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With");
+    setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
+    setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
+    return { hasOrigin: true, allowed: true };
 }
 function createAuthGuardFn() {
     return async (event) => {
@@ -413,13 +523,20 @@ function createAuthGuardFn() {
             return;
         const { loginHtml, publicPaths } = config;
         const url = event.node?.req?.url ?? event.path ?? "/";
-        const p = url.split("?")[0];
+        const queryStart = url.indexOf("?");
+        const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;
+        const p = stripAppBasePath(rawPath);
+        const normalizedUrl = queryStart >= 0 ? `${p}${url.slice(queryStart)}` : p;
         // Emit CORS headers on every request the guard sees so that even
         // error responses (401) reach the browser.
-        applyCorsHeaders(event);
+        const cors = applyCorsHeaders(event);
         // Preflight short-circuit: the browser sends OPTIONS before the real
         // credentialed request. Must return success without invoking auth.
         if (getMethod(event) === "OPTIONS") {
+            if (cors.hasOrigin && !cors.allowed) {
+                setResponseStatus(event, 403);
+                return "";
+            }
             setResponseStatus(event, 204);
             return "";
         }
@@ -450,6 +567,15 @@ function createAuthGuardFn() {
         if (p === "/_agent-native/a2a") {
             return;
         }
+        // Internal processor endpoint for the A2A async-mode fanout. Mirrors the
+        // integration webhook fanout: when `message/send` is called with
+        // `async: true`, the JSON-RPC handler enqueues to a2a_tasks and self-
+        // fires a POST here so the handler runs in a fresh function execution.
+        // Authenticity is verified via an HMAC token signed with A2A_SECRET
+        // (same scheme as /_agent-native/integrations/process-task).
+        if (p === "/_agent-native/a2a/_process-task") {
+            return;
+        }
         // A2A secret receive endpoint — verifies authenticity via JWT signed
         // with the calling app's A2A secret, not via session cookies. Used to
         // sync the org A2A secret across connected apps.
@@ -473,7 +599,7 @@ function createAuthGuardFn() {
         // injection) are rejected up front.
         //
         if (p === "/_agent-native/sign-in") {
-            const queryStr = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
+            const queryStr = queryStart >= 0 ? url.slice(queryStart + 1) : "";
             const safeReturn = safeReturnPath(new URLSearchParams(queryStr).get("return"));
             const session = await getSession(event);
             if (session) {
@@ -500,7 +626,7 @@ function createAuthGuardFn() {
             p.endsWith(".woff")) {
             return;
         }
-        if (isPublicPath(url, publicPaths))
+        if (isPublicPath(normalizedUrl, publicPaths))
             return;
         const session = await getSession(event);
         if (session)
@@ -589,12 +715,12 @@ export async function getSession(event) {
             return session;
         // Desktop SSO broker: even with BYOA auth, fall back to the broker
         // for Electron requests so cross-template SSO works for custom-auth
-        // templates too.
-        if (isElectronRequest(event)) {
-            const sso = await readDesktopSso();
-            if (sso?.email)
-                return { email: sso.email, token: sso.token };
-        }
+        // templates too. Gated on `readDesktopSsoSafely` so a non-loopback
+        // request that spoofs `User-Agent: ... Electron/...` cannot read the
+        // home-dir broker file (and so production builds never consult it).
+        const sso = await readDesktopSsoSafely(event);
+        if (sso?.email)
+            return { email: sso.email, token: sso.token };
         // Fall through to mobile _session check
     }
     else {
@@ -613,8 +739,8 @@ export async function getSession(event) {
                 }
             }
         }
-        catch {
-            // Better Auth not ready
+        catch (e) {
+            console.error("[auth] ba.api.getSession error:", e);
         }
         // 5. Legacy cookie fallback (for sessions created before migration)
         const cookie = getCookie(event, COOKIE_NAME);
@@ -630,14 +756,14 @@ export async function getSession(event) {
         // a session token created by one template doesn't resolve in another.
         // When an Electron request has no resolvable session, trust the
         // home-dir SSO record written by whichever template the user signed
-        // into. Gated on Electron user-agent so no non-desktop code path
-        // consults the file.
-        if (isElectronRequest(event)) {
-            const sso = await readDesktopSso();
-            if (sso?.email) {
-                clearUpgradePendingCookie(event);
-                return { email: sso.email, token: sso.token };
-            }
+        // into. Gated on `readDesktopSsoSafely`: requires Electron User-Agent,
+        // a loopback (127.0.0.1 / ::1) source IP, and a non-production NODE_ENV
+        // — anything else is rejected so a hostile network request cannot
+        // impersonate whichever email last signed into the desktop app.
+        const sso = await readDesktopSsoSafely(event);
+        if (sso?.email) {
+            clearUpgradePendingCookie(event);
+            return { email: sso.email, token: sso.token };
         }
     }
     // 6. Mobile WebView bridge — _session query param
@@ -664,11 +790,18 @@ export async function getSession(event) {
     // on a shared DB (Postgres, Turso, D1) this fallback would land every
     // developer on the same account and expose each other's data.
     //
+    // STRICT NODE_ENV check: this used to read `isDevEnvironment()` which
+    // also accepted `NODE_ENV=test`, meaning a misconfigured prod deploy
+    // started with `NODE_ENV=test` (or undefined NODE_ENV in some CI/build
+    // contexts) would silently bypass auth entirely. Limiting to the literal
+    // string "development" closes that footgun. Tests that need this branch
+    // to fire stub NODE_ENV explicitly to "development".
+    //
     // EXCEPTION: if the user has explicitly exited local mode (clicked "Upgrade
     // to real account"), they've signaled they want real auth. The upgrade
     // cookie suppresses this fallback so the onboarding/sign-in page is served
     // instead of silently re-authenticating them as local@localhost.
-    if (isDevEnvironment() &&
+    if (process.env.NODE_ENV === "development" &&
         isLocalDatabase() &&
         !isUpgradePending(event) &&
         !hasSignInFlag(event)) {
@@ -714,6 +847,10 @@ function hasSignInFlag(event) {
         return false;
     }
 }
+function isReadMethod(event) {
+    const method = getMethod(event);
+    return method === "GET" || method === "HEAD";
+}
 /**
  * Cookie attributes that work in both same-site and third-party iframe
  * contexts. Over HTTPS we emit `SameSite=None; Secure` (required by browsers
@@ -769,6 +906,17 @@ function isPublicPath(url, publicPaths) {
     const p = url.split("?")[0];
     return publicPaths.some((pp) => p === pp || p.startsWith(pp + "/"));
 }
+function stripAppBasePath(pathname) {
+    const basePath = getAppBasePath();
+    if (!basePath)
+        return pathname;
+    if (pathname === basePath)
+        return "/";
+    if (pathname.startsWith(`${basePath}/`)) {
+        return pathname.slice(basePath.length) || "/";
+    }
+    return pathname;
+}
 // ---------------------------------------------------------------------------
 // Login page HTML (ACCESS_TOKEN mode)
 // ---------------------------------------------------------------------------
@@ -838,10 +986,18 @@ const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
   </form>
 </div>
 <script>
+  function __anBasePath() {
+    var marker = '/_agent-native';
+    var idx = window.location.pathname.indexOf(marker);
+    return idx > 0 ? window.location.pathname.slice(0, idx) : '';
+  }
+  function __anPath(path) {
+    return __anBasePath() + path;
+  }
   document.getElementById('form').addEventListener('submit', async (e) => {
     e.preventDefault();
     const token = document.getElementById('token').value;
-    const res = await fetch('/_agent-native/auth/login', {
+    const res = await fetch(__anPath('/_agent-native/auth/login'), {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ token }),
@@ -863,7 +1019,7 @@ async function setAuthModeLocal() {
         const fs = await getFs();
         fs.mkdirSync(path.dirname(LOCAL_MODE_MARKER_PATH), { recursive: true });
         fs.writeFileSync(LOCAL_MODE_MARKER_PATH, "local\n", "utf-8");
-        process.env.AUTH_MODE = "local";
+        process.env.AUTH_MODE = "local"; // guard:allow-env-mutation — escape-hatch writes the local-mode marker file; mirrored into env so the in-flight process honors the change without restart
         return true;
     }
     catch {
@@ -879,7 +1035,7 @@ async function removeAuthModeLocal() {
         catch {
             // Marker already absent
         }
-        delete process.env.AUTH_MODE;
+        delete process.env.AUTH_MODE; // guard:allow-env-mutation — escape-hatch removes the local-mode marker; mirrored into env so the in-flight process honors the change without restart
         return true;
     }
     catch {
@@ -914,7 +1070,11 @@ const migrateLocalDataHandler = defineEventHandler(async (event) => {
         setResponseStatus(event, 500);
         return {
             error: e?.message || "Migration failed",
-            stack: isDevEnvironment() ? e?.stack : undefined,
+            // Only surface the stack when explicitly enabled. `isDevEnvironment()`
+            // returns true on preview deploys and Lambda contexts that forget
+            // NODE_ENV=production, which leaked stack traces to clients. Use
+            // AGENT_NATIVE_DEBUG_ERRORS=1 for opt-in debug visibility.
+            stack: process.env.AGENT_NATIVE_DEBUG_ERRORS === "1" ? e?.stack : undefined,
         };
     }
 });
@@ -950,8 +1110,16 @@ async function mountBetterAuthRoutes(app, options) {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }
-            const redirectUri = getQuery(event).redirect_uri ||
-                `${getOrigin(event)}/_agent-native/google/callback`;
+            // Validate the user-supplied `redirect_uri` against the framework's
+            // server-side allowlist (must be same-origin and under
+            // `/_agent-native/...`). Reject anything else so an attacker can't
+            // smuggle a different already-registered redirect URI past Google's
+            // host-prefix matching. See HIGH-1 in 09-oauth-session.md.
+            const redirectUri = resolveOAuthRedirectUri(event);
+            if (redirectUri === null) {
+                setResponseStatus(event, 400);
+                return { error: "Invalid redirect_uri" };
+            }
             const q = getQuery(event);
             const desktop = isElectronRequest(event) || q.desktop === "1" || q.desktop === "true";
             const flowId = desktop ? q.flow_id || undefined : undefined;
@@ -990,7 +1158,16 @@ async function mountBetterAuthRoutes(app, options) {
                     setResponseStatus(event, 400);
                     return { error: "Missing authorization code" };
                 }
-                const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(query.state, `${getOrigin(event)}/_agent-native/google/callback`);
+                const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(query.state, getAppUrl(event, "/_agent-native/google/callback"));
+                // Defence in depth: the state is HMAC-signed, but if the signing
+                // key ever leaked an attacker could mint state with their own
+                // redirect_uri. Re-validate against the same allowlist used at
+                // auth-url time so the token exchange is always sent to a URI we
+                // own.
+                if (!isAllowedOAuthRedirectUri(redirectUri, event)) {
+                    setResponseStatus(event, 400);
+                    return { error: "Invalid redirect_uri in state" };
+                }
                 const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
                     method: "POST",
                     headers: {
@@ -1015,6 +1192,17 @@ async function mountBetterAuthRoutes(app, options) {
                 const email = user.email;
                 if (!email)
                     throw new Error("Could not get email from Google");
+                // Reject unverified Google addresses. Google returns
+                // `verified_email: false` for accounts where ownership of the
+                // address hasn't been proven (rare on consumer accounts but
+                // reachable on Workspace tenants that allow it). Without this
+                // check, an attacker could sign up as `victim@example.com` on
+                // Google without controlling the inbox and take over a local
+                // password account that already exists at that address (Better
+                // Auth's accountLinking auto-merges trusted-provider sign-ins).
+                if (user.verified_email !== true) {
+                    throw new Error("Google account email is not verified. Please verify your email with Google and try again.");
+                }
                 const { sessionToken } = await createOAuthSession(event, email, {
                     hasProductionSession: false,
                     desktop,
@@ -1084,24 +1272,55 @@ async function mountBetterAuthRoutes(app, options) {
     app.use("/_agent-native/auth/ba", defineEventHandler(async (event) => {
         const reqPath = event.url?.pathname ?? event.path ?? "";
         const isResetPassword = reqPath.includes("reset-password") && getMethod(event) === "POST";
-        // Pre-read the body for reset-password so we can extract the
-        // token after Better Auth consumes the stream.
+        // Pre-read the body for reset-password so we can auto-verify the
+        // user's email after they save the new password. CRUCIAL: clone
+        // the Request first — h3 v2 `event.req` is the live web Request,
+        // and `.text()`/`.json()` consume the stream. The same `event.req`
+        // is handed to Better Auth below; without the clone, Better Auth
+        // sees an empty body, fails Zod validation, and returns 400 —
+        // which the reset page renders as "the link may have expired".
         let resetToken;
+        let resetUserId;
         if (isResetPassword) {
             try {
-                const body = await readBody(event);
+                const cloned = event.req.clone();
+                const body = (await cloned.json().catch(() => undefined));
                 resetToken = body?.token;
             }
             catch {
                 // ignore — Better Auth will handle validation
             }
+            // Look up userId BEFORE calling auth.handler — Better Auth deletes
+            // the verification row as part of the reset, so by the time the
+            // handler returns 200 the row is gone and we can't recover the user.
+            if (resetToken) {
+                try {
+                    const { getDbExec } = await import("../db/client.js");
+                    const db = getDbExec();
+                    const rows = await db.execute({
+                        sql: "SELECT value FROM verification WHERE identifier = ?",
+                        args: [`reset-password:${resetToken}`],
+                    });
+                    resetUserId = rows.rows[0]?.value;
+                }
+                catch {
+                    // Best-effort — if we can't read the verification row we just
+                    // skip auto-verify; the user can verify normally.
+                }
+            }
         }
         const response = await auth.handler(toWebRequest(event));
         const isResponse = response != null &&
             typeof response.status === "number" &&
             typeof response.headers?.get === "function";
-        // After email verification, add ?verified to the redirect so the
-        // login page can show a "Email verified!" success message.
+        // After email verification, add ?verified=1 to the redirect so the
+        // login page can show "Email verified!". MUTATE the response in
+        // place — `new Response(null, { headers: new Headers(response.headers) })`
+        // collapses multiple Set-Cookie headers into one comma-joined value,
+        // which browsers reject. With `autoSignInAfterVerification: true`
+        // Better Auth emits 2–3 Set-Cookie headers (session token + cookie
+        // cache + dontRememberToken); losing them strands the user on the
+        // login page even though verification succeeded.
         if (reqPath.includes("verify-email") &&
             isResponse &&
             response.status >= 300 &&
@@ -1109,38 +1328,83 @@ async function mountBetterAuthRoutes(app, options) {
             const loc = response.headers.get("location");
             if (loc && !/[?&]verified=/.test(loc)) {
                 const sep = loc.includes("?") ? "&" : "?";
-                const newResponse = new Response(null, {
-                    status: response.status,
-                    headers: new Headers(response.headers),
-                });
-                newResponse.headers.set("location", loc + sep + "verified=1");
-                return newResponse;
+                response.headers.set("location", loc + sep + "verified=1");
             }
         }
         // Auto-verify email after a successful password reset. The user
-        // proved email ownership by receiving and using the reset link.
+        // proved email ownership by receiving and using the reset link, so
+        // we don't want them stuck behind `requireEmailVerification` after
+        // resetting — that's the exact escape hatch they just used.
         if (isResetPassword &&
-            resetToken &&
+            resetUserId &&
             isResponse &&
             response.status >= 200 &&
             response.status < 300) {
             try {
                 const { getDbExec } = await import("../db/client.js");
                 const db = getDbExec();
-                // Better Auth stores the reset token in its `verification`
-                // table with the user's identifier. Look up the user via the
-                // token and mark their email as verified — they proved
-                // ownership by receiving and using the email-delivered link.
-                const rows = await db.execute({
-                    sql: "SELECT identifier FROM verification WHERE value = ?",
-                    args: [resetToken],
+                // Use boolean literals for cross-dialect portability: Postgres
+                // stores `email_verified` as BOOLEAN and rejects integer 1/0,
+                // SQLite accepts TRUE/FALSE as aliases for 1/0 (since 3.23).
+                // Quote `"user"` because it's a reserved keyword in Postgres.
+                await db.execute({
+                    sql: 'UPDATE "user" SET email_verified = TRUE WHERE id = ? AND (email_verified = FALSE OR email_verified IS NULL)',
+                    args: [resetUserId],
                 });
-                const email = rows.rows[0]?.identifier;
-                if (email) {
+                // Revoke every existing session for this user so a stolen
+                // cookie doesn't outlive the password it was paired with. We
+                // do this AFTER Better Auth's response has been generated so
+                // the freshly-minted post-reset session (if any) is captured
+                // by the response's Set-Cookie header — but `auth.handler` for
+                // reset-password does not auto-sign-in by default, so the
+                // common path is "wipe everything; user signs in with new
+                // password." The legacy `sessions` table is also wiped by
+                // joining through the `user.email` column.
+                //
+                // Skip the freshly-minted Better Auth session id when present
+                // (auto-sign-in plugins / future config). Reading it from the
+                // response avoids racing against Better Auth's own writes.
+                const newSessionToken = extractSessionTokenFromSetCookies(response);
+                // 1. Better Auth `session` table — keyed by user_id.
+                if (newSessionToken) {
                     await db.execute({
-                        sql: "UPDATE user SET email_verified = 1 WHERE email = ? AND (email_verified = 0 OR email_verified IS NULL)",
-                        args: [email],
+                        sql: 'DELETE FROM "session" WHERE user_id = ? AND token <> ?',
+                        args: [resetUserId, newSessionToken],
+                    });
+                }
+                else {
+                    await db.execute({
+                        sql: 'DELETE FROM "session" WHERE user_id = ?',
+                        args: [resetUserId],
+                    });
+                }
+                // 2. Legacy `sessions` table — keyed by `email` column. The
+                // reset-password verification row holds the user's id, not
+                // their email, so we look up the email first. Best-effort —
+                // skip silently if the lookup fails so the response still ships.
+                try {
+                    const { rows } = await db.execute({
+                        sql: 'SELECT email FROM "user" WHERE id = ?',
+                        args: [resetUserId],
                     });
+                    const userEmail = (rows[0]?.email ?? rows[0]?.[0]);
+                    if (userEmail) {
+                        if (newSessionToken) {
+                            await db.execute({
+                                sql: "DELETE FROM sessions WHERE email = ? AND token <> ?",
+                                args: [userEmail, newSessionToken],
+                            });
+                        }
+                        else {
+                            await db.execute({
+                                sql: "DELETE FROM sessions WHERE email = ?",
+                                args: [userEmail],
+                            });
+                        }
+                    }
+                }
+                catch {
+                    // Best-effort — don't block the response
                 }
             }
             catch {
@@ -1301,9 +1565,77 @@ async function mountBetterAuthRoutes(app, options) {
             await clearDesktopSso();
         return { ok: true };
     }));
+    // POST /_agent-native/auth/logout-all — revoke every session row for
+    // the authenticated user across both auth tables. Companion to the
+    // password-reset session-revocation logic; lets a user sign out
+    // everywhere from one device. Requires an authenticated session.
+    app.use("/_agent-native/auth/logout-all", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const session = await getSession(event);
+        if (!session?.email) {
+            setResponseStatus(event, 401);
+            return { error: "Not authenticated" };
+        }
+        try {
+            const db = getDbExec();
+            // 1. Resolve user_id from email so we can wipe Better Auth sessions
+            // by their FK column.
+            let userId;
+            try {
+                const { rows } = await db.execute({
+                    sql: 'SELECT id FROM "user" WHERE email = ?',
+                    args: [session.email],
+                });
+                userId = (rows[0]?.id ?? rows[0]?.[0]);
+            }
+            catch {
+                // User table may not exist on token-only deployments — skip.
+            }
+            if (userId) {
+                try {
+                    await db.execute({
+                        sql: 'DELETE FROM "session" WHERE user_id = ?',
+                        args: [userId],
+                    });
+                }
+                catch {
+                    // Best-effort.
+                }
+            }
+            // 2. Legacy `sessions` table — keyed by `email` column.
+            try {
+                await db.execute({
+                    sql: "DELETE FROM sessions WHERE email = ?",
+                    args: [session.email],
+                });
+            }
+            catch {
+                // Best-effort.
+            }
+            // 3. Drop the current request's cookie and best-effort sign out
+            // of Better Auth (so the response sets the proper expiry header).
+            deleteCookie(event, COOKIE_NAME, { path: "/" });
+            try {
+                await auth.api.signOut({ headers: event.headers });
+            }
+            catch {
+                // Ignore — sessions are already gone in DB.
+            }
+            if (isElectronRequest(event))
+                await clearDesktopSso();
+            return { ok: true };
+        }
+        catch (e) {
+            setResponseStatus(event, 500);
+            return { error: e?.message || "Failed to revoke sessions" };
+        }
+    }));
     // GET /_agent-native/auth/session
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "GET") {
+        if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
@@ -1318,7 +1650,7 @@ async function mountBetterAuthRoutes(app, options) {
     // reset link in their email. Reads ?token=... and POSTs to Better Auth's
     // /reset-password endpoint on submit.
     app.use("/_agent-native/auth/reset", defineEventHandler((event) => {
-        if (getMethod(event) !== "GET") {
+        if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
@@ -1374,7 +1706,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         return { ok: true };
     }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "GET") {
+        if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
@@ -1392,7 +1724,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
 // ---------------------------------------------------------------------------
 function mountLocalModeRoutes(app) {
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "GET") {
+        if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
@@ -1552,7 +1884,7 @@ function mountAuthFallbackRoutes(app) {
         return { ok: true };
     }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "GET") {
+        if (!isReadMethod(event)) {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
@@ -1655,7 +1987,7 @@ export async function autoMountAuth(app, options = {}) {
     // BYOA — custom getSession provider
     if (customGetSession) {
         app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
-            if (getMethod(event) !== "GET") {
+            if (!isReadMethod(event)) {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }