@agent-native/core 0.7.14 → 0.7.16

package/dist/server/core-routes-plugin.js

@@ -5,10 +5,12 @@ import { createPollHandler } from "./poll.js";
 import { createSSEHandler } from "./sse.js";
 import { upsertEnvFile } from "./create-server.js";
 import { readBody } from "./h3-helpers.js";
-import { BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, buildBuilderCliAuthUrl, createBuilderBrowserCallbackPage, getBuilderBrowserStatusForEvent, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderCallbackState, } from "./builder-browser.js";
+import { BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderBrowserStatusForEvent, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderCallbackState, } from "./builder-browser.js";
 import { getState, putState, deleteState, listComposeDrafts, getComposeDraft, putComposeDraft, deleteComposeDraft, deleteAllComposeDrafts, } from "../application-state/handlers.js";
 import { getSetting, putSetting, deleteSetting } from "../settings/store.js";
-import { getSession } from "./auth.js";
+import { getUserSetting, putUserSetting, deleteUserSetting, } from "../settings/user-settings.js";
+import { getSession, isDevEnvironment, DEV_MODE_USER_EMAIL } from "./auth.js";
+import { isLocalDatabase } from "../db/client.js";
 import { getOrigin } from "./google-oauth.js";
 import { findWorkspaceRoot } from "../scripts/utils.js";
 import { listOnboardingSteps } from "../onboarding/registry.js";
@@ -21,14 +23,63 @@ import { registerBuiltinNotificationChannels } from "../notifications/channels.j
 import { createNotificationsHandler } from "../notifications/routes.js";
 import { createProgressHandler } from "../progress/routes.js";
 import { createTranscribeVoiceHandler } from "./transcribe-voice.js";
+import { runWithRequestContext } from "./request-context.js";
+import { createVoiceProvidersStatusHandler } from "./voice-providers-status.js";
 import { PROVIDER_ENV_META } from "../agent/engine/provider-env-vars.js";
-import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, isStoredEngineUsable, } from "../agent/engine/registry.js";
+import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, detectEngineFromUserSecrets, isStoredEngineUsable, } from "../agent/engine/registry.js";
 /**
  * The base path prefix for all framework-level routes.
  * All agent-native core routes live under this namespace to avoid
  * collisions with template-specific `/api/*` routes.
  */
 export const FRAMEWORK_ROUTE_PREFIX = "/_agent-native";
+/**
+ * Whether deployment-wide `process.env` writes (and rehydration from the
+ * unscoped `persisted-env-vars` settings row) are safe on this deployment.
+ *
+ * Allowed only when:
+ *   - we're running against a local SQLite-only database in a development
+ *     environment (no shared-tenant exposure), OR
+ *   - the operator has explicitly opted in via
+ *     `AGENT_NATIVE_ALLOW_ENV_VAR_WRITES=1` (single-tenant self-hosted).
+ *
+ * On any hosted multi-tenant deploy this returns false: env vars are
+ * deployment-wide globals and one tenant could otherwise overwrite Stripe /
+ * OpenAI / Sentry keys for every other tenant. Per-org credentials must use
+ * the per-user/org `app_secrets` store via `saveCredential()` instead.
+ */
+function isEnvVarWriteAllowed() {
+    if (process.env.AGENT_NATIVE_ALLOW_ENV_VAR_WRITES === "1")
+        return true;
+    return isDevEnvironment() && isLocalDatabase();
+}
+function normalizeAppBasePath(value) {
+    if (!value || value === "/")
+        return "";
+    const trimmed = value.trim();
+    if (!trimmed || trimmed === "/")
+        return "";
+    return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
+}
+function stripAppBasePath(pathname) {
+    const basePath = normalizeAppBasePath(process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH);
+    if (!basePath)
+        return pathname;
+    if (pathname === basePath)
+        return "/";
+    if (pathname.startsWith(`${basePath}/`)) {
+        return pathname.slice(basePath.length) || "/";
+    }
+    return pathname;
+}
+function redactValues(text, values) {
+    let out = text;
+    for (const value of values) {
+        if (value)
+            out = out.split(value).join("[redacted]");
+    }
+    return out;
+}
 /**
  * Creates a Nitro plugin that mounts all standard agent-native framework routes.
  *
@@ -60,24 +111,27 @@ export function createCoreRoutesPlugin(options = {}) {
         // store. Only set keys that are currently empty so explicit env
         // vars (Netlify dashboard, process-level) always win.
         //
-        // BUILDER_* keys are explicitly skipped and scrubbed from the row.
-        // The pre-migration OAuth callback wrote one user's Builder creds
-        // into this unscoped row, which then rehydrated into process.env on
-        // every cold start and leaked across tenants on shared-DB hosted
-        // templates. Per-user Builder creds now live in app_secrets; this
-        // global row must never carry them again. The scrub below is a
-        // one-shot self-heal: idempotent, no-op once the row is clean.
+        // GATED: only rehydrate into `process.env` on local-dev SQLite (or
+        // with the explicit single-tenant opt-in). On a shared-DB hosted
+        // multi-tenant deploy the `persisted-env-vars` row is deployment-wide
+        // global state — pushing user-supplied values into `process.env` from
+        // it would let any one tenant's writes (or a stale dev seed) leak
+        // into every other tenant's process. The opt-out scrub of legacy
+        // BUILDER_* values still runs unconditionally so existing rows on
+        // multi-tenant deploys self-heal, but new env-var writes never land
+        // in `process.env` outside the allowed contexts.
         try {
             const persisted = (await getSetting("persisted-env-vars"));
             if (persisted) {
                 const builderKeys = new Set(BUILDER_ENV_KEYS);
+                const writesAllowed = isEnvVarWriteAllowed();
                 let scrubbed = 0;
                 for (const [k, v] of Object.entries(persisted)) {
                     if (builderKeys.has(k)) {
                         scrubbed++;
                         continue;
                     }
-                    if (typeof v === "string" && !process.env[k]) {
+                    if (writesAllowed && typeof v === "string" && !process.env[k]) {
                         process.env[k] = v;
                     }
                 }
@@ -136,6 +190,12 @@ export function createCoreRoutesPlugin(options = {}) {
             // Observability module not available — skip
         }
         const P = FRAMEWORK_ROUTE_PREFIX;
+        // Security response headers — emitted on every framework response.
+        // Mounted before route handlers so 4xx/5xx error pages also carry the
+        // headers. Routes that need to relax a specific header (e.g. the tools
+        // /render route allowing same-origin framing) override via setResponseHeader.
+        const { createSecurityHeadersMiddleware } = await import("./security-headers.js");
+        getH3App(nitroApp).use(createSecurityHeadersMiddleware());
         // CORS for framework routes. Desktop tray apps (Tauri/Electron) run on
         // their own dev origin (e.g. localhost:1420) and make credentialed
         // requests against the template's server at a different port. We echo
@@ -145,32 +205,81 @@ export function createCoreRoutesPlugin(options = {}) {
             .split(",")
             .map((s) => s.trim())
             .filter(Boolean);
+        const isProduction = process.env.NODE_ENV === "production";
+        const LOCALHOST_RE = /^https?:\/\/(localhost|127\.0\.0\.1|tauri\.localhost)(:\d+)?$/;
         getH3App(nitroApp).use(defineEventHandler((event) => {
-            const url = event.node?.req?.url ?? event.path ?? "/";
-            if (!url.startsWith(P) && !url.startsWith("/api/"))
+            const pathname = stripAppBasePath(event.url?.pathname ??
+                String(event.node?.req?.url ?? event.path ?? "/").split("?")[0]);
+            if (!pathname.startsWith(P) && !pathname.startsWith("/api/"))
                 return;
             const reqHeaders = (event.node?.req?.headers ?? {});
             const originRaw = reqHeaders["origin"];
             const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
-            if (!origin)
-                return;
-            const allowed = allowlist.length === 0 ||
-                allowlist.includes(origin) ||
-                // Dev convenience: allow any localhost origin (tray windows,
-                // frame, docs) without requiring an explicit allowlist.
-                /^https?:\/\/(localhost|127\.0\.0\.1|tauri\.localhost)(:\d+)?$/.test(origin);
-            if (!allowed)
-                return;
-            setResponseHeader(event, "Access-Control-Allow-Origin", origin);
-            setResponseHeader(event, "Vary", "Origin");
-            setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
-            setResponseHeader(event, "Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS");
-            setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With");
-            if (getMethod(event) === "OPTIONS") {
+            const method = getMethod(event);
+            // Decide whether this origin is allowed. We never fall back to the
+            // first allowlist entry — that previously echoed `Access-Control-
+            // Allow-Origin: <unrelated-allowed-origin>` for disallowed callers,
+            // which is permissive enough that some clients followed through.
+            let allowedOrigin = null;
+            if (origin) {
+                if (allowlist.length > 0) {
+                    if (allowlist.includes(origin))
+                        allowedOrigin = origin;
+                }
+                else {
+                    // No allowlist configured. In production we only allow
+                    // localhost-style origins (desktop tray dev usage); in dev we
+                    // allow any origin echo. This prevents a fresh deploy without
+                    // CORS_ALLOWED_ORIGINS from accepting credentialed requests
+                    // from any origin.
+                    if (isProduction) {
+                        if (LOCALHOST_RE.test(origin))
+                            allowedOrigin = origin;
+                    }
+                    else {
+                        if (LOCALHOST_RE.test(origin))
+                            allowedOrigin = origin;
+                    }
+                }
+            }
+            // Reject preflights from disallowed cross-origin callers BEFORE
+            // returning 204. Previously the OPTIONS short-circuit returned 204
+            // with no ACAO header, which the browser then treats as a CORS
+            // failure — but also short-circuited any further checks. Now we
+            // explicitly 403 disallowed cross-origin preflights.
+            if (method === "OPTIONS") {
+                if (origin && !allowedOrigin) {
+                    setResponseStatus(event, 403);
+                    return "";
+                }
+                if (allowedOrigin) {
+                    setResponseHeader(event, "Access-Control-Allow-Origin", allowedOrigin);
+                    setResponseHeader(event, "Vary", "Origin");
+                    setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+                    setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
+                    setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
+                }
                 setResponseStatus(event, 204);
                 return "";
             }
+            // Non-preflight requests: only set CORS response headers when we
+            // have an allowed origin. Same-origin / no-origin requests fall
+            // through without explicit CORS headers (browser treats them as
+            // same-origin by default).
+            if (!allowedOrigin)
+                return;
+            setResponseHeader(event, "Access-Control-Allow-Origin", allowedOrigin);
+            setResponseHeader(event, "Vary", "Origin");
+            setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+            setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
+            setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
         }));
+        // Defense-in-depth CSRF check for state-changing /_agent-native/* routes.
+        // Mounted AFTER the CORS layer so disallowed-origin OPTIONS preflights
+        // 403 first (rather than being rejected on a stale cookie heuristic).
+        // See `csrf.ts` for the threat model and allowlist.
+        const { createCsrfMiddleware } = await import("./csrf.js");
+        getH3App(nitroApp).use(createCsrfMiddleware(P));
         // Polling
         getH3App(nitroApp).use(`${P}/poll`, createPollHandler());
         // SSE
@@ -186,29 +295,89 @@ export function createCoreRoutesPlugin(options = {}) {
         }
         getH3App(nitroApp).use(`${P}/builder/status`, defineEventHandler(async (event) => {
             const envStatus = getBuilderBrowserStatusForEvent(event);
-            // Check per-user credentials first (stored in app_secrets).
-            try {
-                const { resolveBuilderCredentials } = await import("./credential-provider.js");
-                const creds = await resolveBuilderCredentials();
-                if (creds.privateKey) {
-                    return {
-                        ...envStatus,
-                        configured: true,
-                        privateKeyConfigured: true,
-                        publicKeyConfigured: !!creds.publicKey,
-                        userId: creds.userId || envStatus.userId,
-                        orgName: creds.orgName || envStatus.orgName,
-                        orgKind: creds.orgKind || envStatus.orgKind,
-                    };
+            // Read session once so we can establish per-user request context for
+            // credential resolution. Without this, resolveBuilderCredentials()
+            // calls getRequestUserEmail() on an empty AsyncLocalStorage store and
+            // falls through to process.env — causing the connection state to
+            // flicker between requests depending on stale env values.
+            const session = await getSession(event).catch(() => null);
+            const userEmail = session?.email;
+            return runWithRequestContext({ userEmail }, async () => {
+                // Check per-user credentials first (stored in app_secrets).
+                try {
+                    const { resolveBuilderCredentials } = await import("./credential-provider.js");
+                    const creds = await resolveBuilderCredentials();
+                    if (creds.privateKey) {
+                        return {
+                            ...envStatus,
+                            configured: true,
+                            privateKeyConfigured: true,
+                            publicKeyConfigured: !!creds.publicKey,
+                            userId: creds.userId || envStatus.userId,
+                            orgName: creds.orgName || envStatus.orgName,
+                            orgKind: creds.orgKind || envStatus.orgKind,
+                        };
+                    }
                 }
-            }
-            catch {
-                // Secrets table not ready — fall through to env status
-            }
-            // Honor legacy disconnect flag for existing deployments.
-            try {
-                const disconnected = await getSetting("builder-disconnected");
-                if (disconnected) {
+                catch {
+                    // Secrets table not ready — fall through to env status
+                }
+                // Surface a recent OAuth callback failure so the parent's polling
+                // stops with a clear message instead of timing out at 5min. The
+                // callback handler writes a `builder-connect-error:<email>` row
+                // when `writeBuilderCredentials` throws; this read self-clears so
+                // the message only fires once.
+                try {
+                    if (userEmail) {
+                        const errKey = `builder-connect-error:${userEmail}`;
+                        const errRow = await getSetting(errKey);
+                        if (errRow && typeof errRow.message === "string") {
+                            await deleteSetting(errKey).catch(() => { });
+                            return {
+                                ...envStatus,
+                                configured: false,
+                                privateKeyConfigured: false,
+                                publicKeyConfigured: false,
+                                userId: undefined,
+                                orgName: undefined,
+                                orgKind: undefined,
+                                connectError: {
+                                    message: errRow.message,
+                                    at: typeof errRow.at === "number"
+                                        ? errRow.at
+                                        : Date.now(),
+                                },
+                            };
+                        }
+                    }
+                }
+                catch {
+                    // settings store unavailable — fall through to legacy/env status
+                }
+                // Honor legacy disconnect flag for existing deployments.
+                try {
+                    const disconnected = await getSetting("builder-disconnected");
+                    if (disconnected) {
+                        return {
+                            ...envStatus,
+                            configured: false,
+                            privateKeyConfigured: false,
+                            publicKeyConfigured: false,
+                            userId: undefined,
+                            orgName: undefined,
+                            orgKind: undefined,
+                        };
+                    }
+                }
+                catch {
+                    // DB not reachable — fall back to env-only status.
+                }
+                // For authenticated non-local users who have no per-user credentials,
+                // explicitly return not-configured rather than deploy-level env keys.
+                // This is consistent with resolveBuilderCredential()'s design which
+                // refuses the env fallback for authenticated users to prevent
+                // cross-tenant credential leakage in shared-DB deployments.
+                if (userEmail && userEmail !== DEV_MODE_USER_EMAIL) {
                     return {
                         ...envStatus,
                         configured: false,
@@ -219,11 +388,8 @@ export function createCoreRoutesPlugin(options = {}) {
                         orgKind: undefined,
                     };
                 }
-            }
-            catch {
-                // DB not reachable — fall back to env-only status.
-            }
-            return envStatus;
+                return envStatus;
+            });
         }));
         // Lightweight 302 to the Builder CLI-auth URL. Lets clients do
         // `window.open('/_agent-native/builder/connect', '_blank')` synchronously
@@ -269,37 +435,45 @@ export function createCoreRoutesPlugin(options = {}) {
             // caller isn't a named user we should spend a Builder private key
             // on. Allow it only when the environment explicitly opts into
             // local mode (dev, tests, or AUTH_MODE=local).
-            if (session.email === "local@localhost" &&
+            if (session.email === DEV_MODE_USER_EMAIL &&
                 process.env.NODE_ENV === "production" &&
                 process.env.AUTH_MODE !== "local") {
                 setResponseStatus(event, 401);
                 return { error: "A signed-in user is required to run Builder" };
             }
             const userEmail = session.email;
-            const { resolveBuilderCredential: resolveBuilderCred } = await import("./credential-provider.js");
-            const builderUserId = (await resolveBuilderCred("BUILDER_USER_ID")) || undefined;
-            // Server-controlled projectId — don't let clients target arbitrary
-            // Builder projects with our private key. When this feature graduates
-            // past the hardcoded preview, the projectId will come from
-            // workspace/org config, still resolved server-side.
-            try {
-                const result = await runBuilderAgent({
-                    prompt,
-                    projectId: DEFAULT_BUILDER_PROJECT_ID,
-                    branchName: typeof body?.branchName === "string"
-                        ? body.branchName
-                        : undefined,
-                    userEmail,
-                    userId: builderUserId,
-                });
-                return result;
-            }
-            catch (e) {
-                setResponseStatus(event, 500);
-                return {
-                    error: e instanceof Error ? e.message : "Builder run failed",
-                };
-            }
+            // Wrap in runWithRequestContext so resolveBuilderCredential() inside
+            // runBuilderAgent() resolves per-user app_secrets rather than falling
+            // through to process.env — the same pattern the /builder/status endpoint
+            // uses. Without this, per-user Builder keys stored in app_secrets are
+            // invisible to the run path and the call throws "Builder keys are not
+            // configured" even though the status endpoint correctly reports configured=true.
+            return runWithRequestContext({ userEmail }, async () => {
+                const { resolveBuilderCredential: resolveBuilderCred } = await import("./credential-provider.js");
+                const builderUserId = (await resolveBuilderCred("BUILDER_USER_ID")) || undefined;
+                // Server-controlled projectId — don't let clients target arbitrary
+                // Builder projects with our private key. When this feature graduates
+                // past the hardcoded preview, the projectId will come from
+                // workspace/org config, still resolved server-side.
+                try {
+                    const result = await runBuilderAgent({
+                        prompt,
+                        projectId: DEFAULT_BUILDER_PROJECT_ID,
+                        branchName: typeof body?.branchName === "string"
+                            ? body.branchName
+                            : undefined,
+                        userEmail,
+                        userId: builderUserId,
+                    });
+                    return result;
+                }
+                catch (e) {
+                    setResponseStatus(event, 500);
+                    return {
+                        error: e instanceof Error ? e.message : "Builder run failed",
+                    };
+                }
+            });
         }));
         getH3App(nitroApp).use(`${P}/builder/callback`, defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {
@@ -334,6 +508,15 @@ export function createCoreRoutesPlugin(options = {}) {
             // Store per-user in app_secrets so each user's Builder connection
             // is independent. No more shared env vars that the last connector
             // overwrites.
+            //
+            // Failure handling: a silent catch here (returning the success page
+            // anyway) was Midhun's bug on 2026-04-28 — popup said "yay", parent
+            // window polled `/builder/status` for 5 minutes seeing
+            // configured:false, never got a real error. Now we surface the
+            // failure two ways: (a) a settings row that the next /builder/status
+            // poll picks up, and (b) postMessage from the error page itself,
+            // wired into the popup HTML, so the parent stops polling immediately.
+            let writeError = null;
             try {
                 const { writeBuilderCredentials } = await import("./credential-provider.js");
                 await writeBuilderCredentials(session.email, {
@@ -345,15 +528,40 @@ export function createCoreRoutesPlugin(options = {}) {
                 });
             }
             catch (err) {
-                console.warn("[builder] Failed to write per-user credentials:", err?.message ?? err);
+                writeError = err?.message ?? String(err);
+                console.error("[builder] Failed to persist per-user credentials:", writeError);
+            }
+            if (writeError) {
+                // Best-effort signal to /builder/status. If putSetting also fails
+                // (entire DB unreachable) the popup's postMessage still notifies
+                // the parent. If both fail the parent times out at 5min as today.
+                try {
+                    await putSetting(`builder-connect-error:${session.email}`, {
+                        message: writeError,
+                        at: Date.now(),
+                    });
+                }
+                catch (settingsErr) {
+                    console.error("[builder] Couldn't even record connect-error to settings:", settingsErr?.message ?? settingsErr);
+                }
+                setResponseStatus(event, 500);
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(writeError);
             }
-            // Clear any legacy disconnect flag.
+            // Clear any legacy disconnect flag and any prior connect-error row
+            // (so a successful retry doesn't surface the previous failure).
             try {
                 await deleteSetting("builder-disconnected");
             }
             catch {
                 // DB not ready — proceed
             }
+            try {
+                await deleteSetting(`builder-connect-error:${session.email}`);
+            }
+            catch {
+                // No prior error row — fine
+            }
             const previewUrl = resolveSafePreviewUrl(requestUrl.searchParams.get("preview-url"), event);
             setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
             return createBuilderBrowserCallbackPage(previewUrl);
@@ -395,47 +603,56 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }
-            const { resolveBuilderCredentials: resolveCreds } = await import("./credential-provider.js");
-            const creds = await resolveCreds();
-            if (!creds.privateKey || !creds.publicKey) {
-                setResponseStatus(event, 400);
-                return {
-                    error: "Builder not connected. Connect Builder in Setup to use background agent.",
-                };
-            }
-            const body = (await readBody(event));
-            if (!body?.userMessage) {
-                setResponseStatus(event, 400);
-                return { error: "userMessage is required" };
+            const session = await getSession(event).catch(() => null);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "unauthorized" };
             }
-            const apiHost = process.env.BUILDER_API_HOST || "https://ai-services.builder.io";
-            try {
-                const res = await fetch(`${apiHost}/agents/run?apiKey=${encodeURIComponent(creds.publicKey)}`, {
-                    method: "POST",
-                    headers: {
-                        "Content-Type": "application/json",
-                        Authorization: `Bearer ${creds.privateKey}`,
-                    },
-                    body: JSON.stringify({
-                        userMessage: {
-                            userPrompt: body.userMessage,
+            return runWithRequestContext({ userEmail: session.email, orgId: session.orgId ?? undefined }, async () => {
+                const { resolveBuilderCredentials: resolveCreds } = await import("./credential-provider.js");
+                const creds = await resolveCreds();
+                if (!creds.privateKey || !creds.publicKey) {
+                    setResponseStatus(event, 400);
+                    return {
+                        error: "Builder not connected. Connect Builder in Setup to use background agent.",
+                    };
+                }
+                const body = (await readBody(event));
+                if (!body?.userMessage) {
+                    setResponseStatus(event, 400);
+                    return { error: "userMessage is required" };
+                }
+                const apiHost = process.env.BUILDER_API_HOST || "https://ai-services.builder.io";
+                try {
+                    const res = await fetch(`${apiHost}/agents/run?apiKey=${encodeURIComponent(creds.publicKey)}`, {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            Authorization: `Bearer ${creds.privateKey}`,
                         },
-                        branchName: body.branchName,
-                    }),
-                });
-                if (!res.ok) {
-                    const err = await res.text().catch(() => "Unknown error");
-                    setResponseStatus(event, res.status);
-                    return { error: err };
+                        body: JSON.stringify({
+                            userMessage: {
+                                userPrompt: body.userMessage,
+                            },
+                            branchName: body.branchName,
+                        }),
+                    });
+                    if (!res.ok) {
+                        const err = await res.text().catch(() => "Unknown error");
+                        setResponseStatus(event, res.status);
+                        return {
+                            error: redactValues(err, [creds.privateKey, creds.publicKey]),
+                        };
+                    }
+                    return await res.json();
                 }
-                return await res.json();
-            }
-            catch (err) {
-                setResponseStatus(event, 500);
-                return {
-                    error: err?.message || "Failed to reach Builder agents-run API",
-                };
-            }
+                catch (err) {
+                    setResponseStatus(event, 500);
+                    return {
+                        error: redactValues(err?.message || "Failed to reach Builder agents-run API", [creds.privateKey, creds.publicKey]),
+                    };
+                }
+            });
         }));
         // Env key management — framework keys are always included
         const frameworkEnvKeys = [
@@ -476,12 +693,25 @@ export function createCoreRoutesPlugin(options = {}) {
                 label: cfg.label,
                 required: cfg.required ?? false,
                 configured: !!process.env[cfg.key],
+                ...(cfg.helpText ? { helpText: cfg.helpText } : {}),
             }))));
             getH3App(nitroApp).use(`${P}/env-vars`, defineEventHandler(async (event) => {
                 if (getMethod(event) !== "POST") {
                     setResponseStatus(event, 405);
                     return { error: "Method not allowed" };
                 }
+                // Env vars are deployment-wide globals, not per-tenant. On any
+                // shared-DB multi-tenant deploy, allowing authenticated users to
+                // write here lets one tenant overwrite Stripe / OpenAI / Sentry
+                // keys for every other tenant. Disable the endpoint outside of
+                // local-dev SQLite or an explicit single-tenant opt-in, and
+                // direct callers to the per-org credential store instead.
+                if (!isEnvVarWriteAllowed()) {
+                    setResponseStatus(event, 403);
+                    return {
+                        error: "env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.",
+                    };
+                }
                 const body = await readBody(event);
                 const { vars } = body;
                 if (!Array.isArray(vars) || vars.length === 0) {
@@ -566,6 +796,19 @@ export function createCoreRoutesPlugin(options = {}) {
                         };
                     }
                 }
+                // Per-user app_secrets — a user who connected Builder (or pasted
+                // their own provider key) may not have any deploy-level env vars
+                // set, so check their per-user secret store before reporting "no
+                // engine configured" and re-showing the onboarding gate.
+                const detectedFromUser = await detectEngineFromUserSecrets();
+                if (detectedFromUser) {
+                    return {
+                        configured: true,
+                        engine: detectedFromUser.name,
+                        source: "app_secrets",
+                        envVar: detectedFromUser.requiredEnvVars[0],
+                    };
+                }
                 const detected = detectEngineFromEnv();
                 if (detected) {
                     return {
@@ -625,19 +868,45 @@ export function createCoreRoutesPlugin(options = {}) {
         // ─── File upload primitive ──────────────────────────────────────
         // GET  /_agent-native/file-upload/status — report active provider
         // POST /_agent-native/file-upload        — upload a file, return { url }
-        getH3App(nitroApp).use(`${P}/file-upload/status`, defineEventHandler(async () => {
+        getH3App(nitroApp).use(`${P}/file-upload/status`, defineEventHandler(async (event) => {
             const active = getActiveFileUploadProvider();
+            // resolveBuilderPrivateKey() reads per-user credentials from app_secrets
+            // (DB), which requires request context (AsyncLocalStorage) to know which
+            // user to scope by. Without runWithRequestContext() the ALS store is empty
+            // and it falls back to process.env only — missing OAuth-connected users.
+            const session = await getSession(event).catch(() => null);
+            const userEmail = session?.email;
             let builderConfigured = !!process.env.BUILDER_PRIVATE_KEY;
             try {
                 const { resolveBuilderPrivateKey } = await import("./credential-provider.js");
-                builderConfigured = !!(await resolveBuilderPrivateKey());
+                const resolve = () => resolveBuilderPrivateKey().then((k) => !!k);
+                builderConfigured = userEmail
+                    ? await runWithRequestContext({ userEmail }, resolve)
+                    : await resolve();
             }
             catch {
                 // fall back to env check above
             }
+            // When the builder builtin is selected via env var, its sync
+            // isConfigured() doesn't reflect per-user OAuth credentials. Use the
+            // async builderConfigured check so the status accurately represents
+            // whether this specific user can actually upload (thread 7 fix).
+            const isBuilderEnvActive = active?.id === "builder";
+            const configured = isBuilderEnvActive
+                ? builderConfigured
+                : !!active || builderConfigured;
+            const activeProvider = isBuilderEnvActive
+                ? builderConfigured
+                    ? { id: "builder", name: "Builder.io" }
+                    : null
+                : active
+                    ? { id: active.id, name: active.name }
+                    : builderConfigured
+                        ? { id: "builder", name: "Builder.io" }
+                        : null;
             return {
-                configured: !!active,
-                activeProvider: active ? { id: active.id, name: active.name } : null,
+                configured,
+                activeProvider,
                 providers: listFileUploadProviders().map((p) => ({
                     id: p.id,
                     name: p.name,
@@ -658,12 +927,17 @@ export function createCoreRoutesPlugin(options = {}) {
                 return { error: "No file uploaded" };
             }
             const session = await getSession(event);
-            const result = await uploadFile({
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "Unauthorized" };
+            }
+            const userEmail = session.email;
+            const result = await runWithRequestContext({ userEmail }, () => uploadFile({
                 data: filePart.data,
                 filename: filePart.filename,
                 mimeType: filePart.type,
-                ownerEmail: session?.email,
-            });
+                ownerEmail: userEmail,
+            }));
             if (result) {
                 setResponseStatus(event, 201);
                 return result;
@@ -676,6 +950,10 @@ export function createCoreRoutesPlugin(options = {}) {
         // ─── Voice transcription (Whisper) ───────────────────────────────
         // POST /_agent-native/transcribe-voice — multipart audio → text
         getH3App(nitroApp).use(`${P}/transcribe-voice`, createTranscribeVoiceHandler());
+        // ─── Voice provider status ───────────────────────────────────────
+        // GET /_agent-native/voice-providers/status — which providers are
+        // configured for the current user (powers the Settings UI pills).
+        getH3App(nitroApp).use(`${P}/voice-providers/status`, createVoiceProvidersStatusHandler());
         // ─── Ad-hoc secrets (user-created keys) ────────────────────────────
         // Must mount before the generic /secrets handler to avoid shadowing.
         const adHocSecretHandler = createAdHocSecretHandler();
@@ -722,6 +1000,11 @@ export function createCoreRoutesPlugin(options = {}) {
             ensureToolsTables().catch(() => { });
             registerToolsShareable();
             getH3App(nitroApp).use(`${P}/tools`, createToolsHandler());
+            // Tool extension-point slots — sub-system of tools.
+            const { ensureSlotTables } = await import("../tools/slots/store.js");
+            const { createSlotsHandler } = await import("../tools/slots/routes.js");
+            ensureSlotTables().catch(() => { });
+            getH3App(nitroApp).use(`${P}/slots`, createSlotsHandler());
         }
         catch {
             // Tools module not available — skip
@@ -739,11 +1022,25 @@ export function createCoreRoutesPlugin(options = {}) {
             const pathname = (event.url?.pathname || "")
                 .replace(/^\/+/, "")
                 .replace(/\/+$/, "");
+            // Auth check applies to every method. Without this, any anonymous
+            // caller could `POST /fire-test` to emit unowned events that fan
+            // out across every tenant's matching trigger (the dispatcher
+            // short-circuits its owner check when `eventMeta.owner` is
+            // undefined). See audit 12 / fire-test finding.
+            const session = await getSession(event).catch(() => null);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "Unauthenticated" };
+            }
             if (pathname === "fire-test" && method === "POST") {
                 try {
                     const { emit } = await import("../event-bus/index.js");
                     const body = (await readBody(event).catch(() => ({})));
-                    emit("test.event.fired", { data: body.data ?? {} });
+                    // Scope the test event to the current user so only their
+                    // automations fire, not those owned by other tenants.
+                    emit("test.event.fired", { data: body.data ?? {} }, {
+                        owner: session.email,
+                    });
                     return { ok: true };
                 }
                 catch (err) {
@@ -756,8 +1053,7 @@ export function createCoreRoutesPlugin(options = {}) {
                 return { error: "Method not allowed" };
             }
             try {
-                const session = await getSession(event).catch(() => null);
-                const owner = session?.email || "local@localhost";
+                const owner = session.email;
                 const { resourceListAllOwners, SHARED_OWNER } = await import("../resources/store.js");
                 const allResources = await resourceListAllOwners("jobs/");
                 const resources = allResources.filter((r) => r.owner === owner || r.owner === SHARED_OWNER);
@@ -819,6 +1115,47 @@ export function createCoreRoutesPlugin(options = {}) {
         }));
         // ─── Application State CRUD ──────────────────────────────────────
         // Auto-mounted so templates don't need boilerplate route files.
+        // ─── User-scoped settings store ────────────────────────────────────
+        // GET    /_agent-native/settings/:key   — read current user's value
+        // PUT    /_agent-native/settings/:key   — write current user's value
+        // DELETE /_agent-native/settings/:key   — clear current user's value
+        //
+        // Keys are auto-prefixed with `u:<email>:` so each user gets their
+        // own row — no leakage between sessions sharing the same DB.
+        getH3App(nitroApp).use(`${P}/settings`, defineEventHandler(async (event) => {
+            const rawKey = (event.url?.pathname || "").replace(/^\/+/, "").split("/")[0] || "";
+            const key = rawKey.replace(/[^a-zA-Z0-9_-]/g, "");
+            if (!key) {
+                setResponseStatus(event, 404);
+                return { error: "Settings key required" };
+            }
+            const session = await getSession(event);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "unauthorized" };
+            }
+            const method = getMethod(event);
+            const requestSource = event.node?.req?.headers?.["x-request-source"] || undefined;
+            if (method === "GET") {
+                const value = await getUserSetting(session.email, key);
+                if (!value) {
+                    setResponseStatus(event, 404);
+                    return { error: `No setting for ${key}` };
+                }
+                return value;
+            }
+            if (method === "PUT") {
+                const body = await readBody(event);
+                await putUserSetting(session.email, key, body, { requestSource });
+                return body;
+            }
+            if (method === "DELETE") {
+                await deleteUserSetting(session.email, key, { requestSource });
+                return { ok: true };
+            }
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }));
         // ─── Avatar routes ──────────────────────────────────────────────────
         // GET /_agent-native/avatar/:email — fetch any user's avatar (public)
         // PUT /_agent-native/avatar       — update current user's avatar (auth required)