npm - @agent-native/core - Versions diffs - 0.7.14 → 0.7.16 - Mend

@agent-native/core 0.7.14 → 0.7.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (803) hide show

package/README.md +56 -6
package/dist/a2a/handlers.d.ts.map +1 -1
package/dist/a2a/handlers.js +149 -24
package/dist/a2a/handlers.js.map +1 -1
package/dist/a2a/server.d.ts.map +1 -1
package/dist/a2a/server.js +180 -51
package/dist/a2a/server.js.map +1 -1
package/dist/a2a/task-store.d.ts +10 -1
package/dist/a2a/task-store.d.ts.map +1 -1
package/dist/a2a/task-store.js +36 -2
package/dist/a2a/task-store.js.map +1 -1
package/dist/action.d.ts +16 -0
package/dist/action.d.ts.map +1 -1
package/dist/action.js +11 -0
package/dist/action.js.map +1 -1
package/dist/agent/default-model.d.ts +21 -0
package/dist/agent/default-model.d.ts.map +1 -0
package/dist/agent/default-model.js +21 -0
package/dist/agent/default-model.js.map +1 -0
package/dist/agent/engine/ai-sdk-engine.d.ts.map +1 -1
package/dist/agent/engine/ai-sdk-engine.js +7 -4
package/dist/agent/engine/ai-sdk-engine.js.map +1 -1
package/dist/agent/engine/anthropic-engine.d.ts +1 -1
package/dist/agent/engine/anthropic-engine.d.ts.map +1 -1
package/dist/agent/engine/anthropic-engine.js +10 -4
package/dist/agent/engine/anthropic-engine.js.map +1 -1
package/dist/agent/engine/builder-engine.d.ts.map +1 -1
package/dist/agent/engine/builder-engine.js +4 -1
package/dist/agent/engine/builder-engine.js.map +1 -1
package/dist/agent/engine/builtin.js +1 -1
package/dist/agent/engine/builtin.js.map +1 -1
package/dist/agent/engine/registry.d.ts +27 -7
package/dist/agent/engine/registry.d.ts.map +1 -1
package/dist/agent/engine/registry.js +101 -20
package/dist/agent/engine/registry.js.map +1 -1
package/dist/agent/index.d.ts +1 -0
package/dist/agent/index.d.ts.map +1 -1
package/dist/agent/index.js +1 -0
package/dist/agent/index.js.map +1 -1
package/dist/agent/production-agent.d.ts +32 -7
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +230 -70
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts.map +1 -1
package/dist/agent/run-manager.js +0 -3
package/dist/agent/run-manager.js.map +1 -1
package/dist/agent/types.d.ts +0 -4
package/dist/agent/types.d.ts.map +1 -1
package/dist/application-state/handlers.d.ts.map +1 -1
package/dist/application-state/handlers.js +10 -6
package/dist/application-state/handlers.js.map +1 -1
package/dist/application-state/script-helpers.d.ts +1 -1
package/dist/application-state/script-helpers.d.ts.map +1 -1
package/dist/application-state/script-helpers.js +12 -8
package/dist/application-state/script-helpers.js.map +1 -1
package/dist/application-state/store.d.ts.map +1 -1
package/dist/application-state/store.js +19 -10
package/dist/application-state/store.js.map +1 -1
package/dist/chat-threads/store.d.ts.map +1 -1
package/dist/chat-threads/store.js +4 -1
package/dist/chat-threads/store.js.map +1 -1
package/dist/cli/create.d.ts +3 -1
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +106 -16
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +97 -39
package/dist/cli/index.js.map +1 -1
package/dist/cli/templates-meta.d.ts +4 -0
package/dist/cli/templates-meta.d.ts.map +1 -1
package/dist/cli/templates-meta.js +56 -12
package/dist/cli/templates-meta.js.map +1 -1
package/dist/cli/workspacify.d.ts +2 -0
package/dist/cli/workspacify.d.ts.map +1 -1
package/dist/cli/workspacify.js +5 -4
package/dist/cli/workspacify.js.map +1 -1
package/dist/client/AgentPanel.d.ts +5 -2
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +64 -25
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AgentTaskCard.d.ts.map +1 -1
package/dist/client/AgentTaskCard.js +3 -2
package/dist/client/AgentTaskCard.js.map +1 -1
package/dist/client/AssistantChat.d.ts +0 -6
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +98 -100
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
package/dist/client/ConnectBuilderCard.js +2 -1
package/dist/client/ConnectBuilderCard.js.map +1 -1
package/dist/client/DefaultSpinner.d.ts +1 -1
package/dist/client/DefaultSpinner.d.ts.map +1 -1
package/dist/client/DefaultSpinner.js +2 -9
package/dist/client/DefaultSpinner.js.map +1 -1
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +24 -22
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +4 -3
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.d.ts.map +1 -1
package/dist/client/agent-chat.js +6 -4
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/analytics.d.ts.map +1 -1
package/dist/client/analytics.js +70 -1
package/dist/client/analytics.js.map +1 -1
package/dist/client/api-path.d.ts +5 -0
package/dist/client/api-path.d.ts.map +1 -0
package/dist/client/api-path.js +48 -0
package/dist/client/api-path.js.map +1 -0
package/dist/client/components/ApiKeySettings.d.ts.map +1 -1
package/dist/client/components/ApiKeySettings.js +3 -2
package/dist/client/components/ApiKeySettings.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +3 -2
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +3 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +17 -9
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/draft-key.d.ts +2 -0
package/dist/client/composer/draft-key.d.ts.map +1 -0
package/dist/client/composer/draft-key.js +8 -0
package/dist/client/composer/draft-key.js.map +1 -0
package/dist/client/composer/use-file-search.d.ts.map +1 -1
package/dist/client/composer/use-file-search.js +2 -1
package/dist/client/composer/use-file-search.js.map +1 -1
package/dist/client/composer/use-mention-search.d.ts.map +1 -1
package/dist/client/composer/use-mention-search.js +2 -1
package/dist/client/composer/use-mention-search.js.map +1 -1
package/dist/client/composer/use-skills.d.ts.map +1 -1
package/dist/client/composer/use-skills.js +2 -1
package/dist/client/composer/use-skills.js.map +1 -1
package/dist/client/composer/useVoiceDictation.d.ts +1 -1
package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
package/dist/client/composer/useVoiceDictation.js +16 -8
package/dist/client/composer/useVoiceDictation.js.map +1 -1
package/dist/client/dev-mode.d.ts +14 -0
package/dist/client/dev-mode.d.ts.map +1 -0
package/dist/client/dev-mode.js +14 -0
package/dist/client/dev-mode.js.map +1 -0
package/dist/client/dev-overlay/DevOverlay.d.ts +26 -0
package/dist/client/dev-overlay/DevOverlay.d.ts.map +1 -0
package/dist/client/dev-overlay/DevOverlay.js +315 -0
package/dist/client/dev-overlay/DevOverlay.js.map +1 -0
package/dist/client/dev-overlay/builtins.d.ts +6 -0
package/dist/client/dev-overlay/builtins.d.ts.map +1 -0
package/dist/client/dev-overlay/builtins.js +35 -0
package/dist/client/dev-overlay/builtins.js.map +1 -0
package/dist/client/dev-overlay/index.d.ts +6 -0
package/dist/client/dev-overlay/index.d.ts.map +1 -0
package/dist/client/dev-overlay/index.js +5 -0
package/dist/client/dev-overlay/index.js.map +1 -0
package/dist/client/dev-overlay/registry.d.ts +13 -0
package/dist/client/dev-overlay/registry.d.ts.map +1 -0
package/dist/client/dev-overlay/registry.js +63 -0
package/dist/client/dev-overlay/registry.js.map +1 -0
package/dist/client/dev-overlay/types.d.ts +56 -0
package/dist/client/dev-overlay/types.d.ts.map +1 -0
package/dist/client/dev-overlay/types.js +9 -0
package/dist/client/dev-overlay/types.js.map +1 -0
package/dist/client/dev-overlay/use-dev-option.d.ts +12 -0
package/dist/client/dev-overlay/use-dev-option.d.ts.map +1 -0
package/dist/client/dev-overlay/use-dev-option.js +73 -0
package/dist/client/dev-overlay/use-dev-option.js.map +1 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.d.ts +6 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.d.ts.map +1 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.js +29 -0
package/dist/client/dev-overlay/use-dev-overlay-shortcut.js.map +1 -0
package/dist/client/frame-protocol.d.ts +61 -10
package/dist/client/frame-protocol.d.ts.map +1 -1
package/dist/client/frame.d.ts +1 -0
package/dist/client/frame.d.ts.map +1 -1
package/dist/client/frame.js +37 -16
package/dist/client/frame.js.map +1 -1
package/dist/client/index.d.ts +5 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +5 -1
package/dist/client/index.js.map +1 -1
package/dist/client/integrations/IntegrationCard.d.ts.map +1 -1
package/dist/client/integrations/IntegrationCard.js +3 -2
package/dist/client/integrations/IntegrationCard.js.map +1 -1
package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
package/dist/client/integrations/IntegrationsPanel.js +3 -2
package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
package/dist/client/integrations/useIntegrationStatus.d.ts.map +1 -1
package/dist/client/integrations/useIntegrationStatus.js +2 -1
package/dist/client/integrations/useIntegrationStatus.js.map +1 -1
package/dist/client/notifications/NotificationsBell.d.ts.map +1 -1
package/dist/client/notifications/NotificationsBell.js +26 -8
package/dist/client/notifications/NotificationsBell.js.map +1 -1
package/dist/client/observability/ThumbsFeedback.d.ts.map +1 -1
package/dist/client/observability/ThumbsFeedback.js +2 -1
package/dist/client/observability/ThumbsFeedback.js.map +1 -1
package/dist/client/observability/useObservability.d.ts.map +1 -1
package/dist/client/observability/useObservability.js +2 -1
package/dist/client/observability/useObservability.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.d.ts +0 -7
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +20 -10
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/onboarding/index.d.ts +1 -0
package/dist/client/onboarding/index.d.ts.map +1 -1
package/dist/client/onboarding/index.js +1 -0
package/dist/client/onboarding/index.js.map +1 -1
package/dist/client/onboarding/use-onboarding.d.ts +1 -7
package/dist/client/onboarding/use-onboarding.d.ts.map +1 -1
package/dist/client/onboarding/use-onboarding.js +27 -13
package/dist/client/onboarding/use-onboarding.js.map +1 -1
package/dist/client/onboarding/use-preview-mode.d.ts +10 -0
package/dist/client/onboarding/use-preview-mode.d.ts.map +1 -0
package/dist/client/onboarding/use-preview-mode.js +35 -0
package/dist/client/onboarding/use-preview-mode.js.map +1 -0
package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
package/dist/client/org/OrgSwitcher.js +2 -1
package/dist/client/org/OrgSwitcher.js.map +1 -1
package/dist/client/org/TeamPage.d.ts.map +1 -1
package/dist/client/org/TeamPage.js +7 -5
package/dist/client/org/TeamPage.js.map +1 -1
package/dist/client/org/hooks.d.ts.map +1 -1
package/dist/client/org/hooks.js +2 -1
package/dist/client/org/hooks.js.map +1 -1
package/dist/client/progress/RunsTray.d.ts.map +1 -1
package/dist/client/progress/RunsTray.js +2 -1
package/dist/client/progress/RunsTray.js.map +1 -1
package/dist/client/resources/McpServerDetail.d.ts +0 -8
package/dist/client/resources/McpServerDetail.d.ts.map +1 -1
package/dist/client/resources/McpServerDetail.js +6 -1
package/dist/client/resources/McpServerDetail.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
package/dist/client/resources/ResourceEditor.js +2 -1
package/dist/client/resources/ResourceEditor.js.map +1 -1
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +2 -1
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-mcp-servers.d.ts.map +1 -1
package/dist/client/resources/use-mcp-servers.js +7 -2
package/dist/client/resources/use-mcp-servers.js.map +1 -1
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js +9 -7
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/AgentsSection.d.ts.map +1 -1
package/dist/client/settings/AgentsSection.js +7 -5
package/dist/client/settings/AgentsSection.js.map +1 -1
package/dist/client/settings/AutomationsSection.d.ts.map +1 -1
package/dist/client/settings/AutomationsSection.js +9 -5
package/dist/client/settings/AutomationsSection.js.map +1 -1
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
package/dist/client/settings/BackgroundAgentSection.js +2 -1
package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
package/dist/client/settings/SecretsSection.d.ts.map +1 -1
package/dist/client/settings/SecretsSection.js +12 -4
package/dist/client/settings/SecretsSection.js.map +1 -1
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +15 -23
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/UsageSection.d.ts.map +1 -1
package/dist/client/settings/UsageSection.js +2 -1
package/dist/client/settings/UsageSection.js.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.d.ts +2 -4
package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.js +66 -23
package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
package/dist/client/settings/useBuilderStatus.d.ts +9 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
package/dist/client/settings/useBuilderStatus.js +31 -3
package/dist/client/settings/useBuilderStatus.js.map +1 -1
package/dist/client/sharing/ShareButton.d.ts.map +1 -1
package/dist/client/sharing/ShareButton.js +7 -2
package/dist/client/sharing/ShareButton.js.map +1 -1
package/dist/client/sharing/ShareDialog.d.ts.map +1 -1
package/dist/client/sharing/ShareDialog.js +4 -3
package/dist/client/sharing/ShareDialog.js.map +1 -1
package/dist/client/sse-event-processor.d.ts +1 -3
package/dist/client/sse-event-processor.d.ts.map +1 -1
package/dist/client/sse-event-processor.js +3 -24
package/dist/client/sse-event-processor.js.map +1 -1
package/dist/client/terminal/AgentTerminal.d.ts +1 -0
package/dist/client/terminal/AgentTerminal.d.ts.map +1 -1
package/dist/client/terminal/AgentTerminal.js +14 -10
package/dist/client/terminal/AgentTerminal.js.map +1 -1
package/dist/client/tools/EmbeddedTool.d.ts +20 -0
package/dist/client/tools/EmbeddedTool.d.ts.map +1 -0
package/dist/client/tools/EmbeddedTool.js +154 -0
package/dist/client/tools/EmbeddedTool.js.map +1 -0
package/dist/client/tools/ExtensionSlot.d.ts +27 -0
package/dist/client/tools/ExtensionSlot.d.ts.map +1 -0
package/dist/client/tools/ExtensionSlot.js +96 -0
package/dist/client/tools/ExtensionSlot.js.map +1 -0
package/dist/client/tools/ToolEditor.d.ts.map +1 -1
package/dist/client/tools/ToolEditor.js +5 -4
package/dist/client/tools/ToolEditor.js.map +1 -1
package/dist/client/tools/ToolViewer.d.ts.map +1 -1
package/dist/client/tools/ToolViewer.js +75 -44
package/dist/client/tools/ToolViewer.js.map +1 -1
package/dist/client/tools/ToolViewerPage.d.ts.map +1 -1
package/dist/client/tools/ToolViewerPage.js +2 -1
package/dist/client/tools/ToolViewerPage.js.map +1 -1
package/dist/client/tools/ToolsListPage.d.ts.map +1 -1
package/dist/client/tools/ToolsListPage.js +3 -2
package/dist/client/tools/ToolsListPage.js.map +1 -1
package/dist/client/tools/ToolsSidebarSection.d.ts.map +1 -1
package/dist/client/tools/ToolsSidebarSection.js +4 -3
package/dist/client/tools/ToolsSidebarSection.js.map +1 -1
package/dist/client/tools/iframe-bridge.d.ts +38 -0
package/dist/client/tools/iframe-bridge.d.ts.map +1 -0
package/dist/client/tools/iframe-bridge.js +207 -0
package/dist/client/tools/iframe-bridge.js.map +1 -0
package/dist/client/tools/index.d.ts +2 -0
package/dist/client/tools/index.d.ts.map +1 -1
package/dist/client/tools/index.js +2 -0
package/dist/client/tools/index.js.map +1 -1
package/dist/client/use-action.d.ts.map +1 -1
package/dist/client/use-action.js +2 -1
package/dist/client/use-action.js.map +1 -1
package/dist/client/use-agent-chat.js +2 -2
package/dist/client/use-agent-chat.js.map +1 -1
package/dist/client/use-avatar.d.ts.map +1 -1
package/dist/client/use-avatar.js +3 -2
package/dist/client/use-avatar.js.map +1 -1
package/dist/client/use-builder-enabled.d.ts.map +1 -1
package/dist/client/use-builder-enabled.js +2 -1
package/dist/client/use-builder-enabled.js.map +1 -1
package/dist/client/use-chat-threads.d.ts.map +1 -1
package/dist/client/use-chat-threads.js +2 -1
package/dist/client/use-chat-threads.js.map +1 -1
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +3 -2
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-dev-mode.d.ts.map +1 -1
package/dist/client/use-dev-mode.js +2 -1
package/dist/client/use-dev-mode.js.map +1 -1
package/dist/client/use-send-to-agent-chat.d.ts.map +1 -1
package/dist/client/use-send-to-agent-chat.js +5 -3
package/dist/client/use-send-to-agent-chat.js.map +1 -1
package/dist/client/use-session.d.ts.map +1 -1
package/dist/client/use-session.js +2 -1
package/dist/client/use-session.js.map +1 -1
package/dist/client/useProductionAgent.d.ts.map +1 -1
package/dist/client/useProductionAgent.js +4 -3
package/dist/client/useProductionAgent.js.map +1 -1
package/dist/collab/client.d.ts.map +1 -1
package/dist/collab/client.js +3 -2
package/dist/collab/client.js.map +1 -1
package/dist/credentials/index.d.ts +27 -10
package/dist/credentials/index.d.ts.map +1 -1
package/dist/credentials/index.js +61 -19
package/dist/credentials/index.js.map +1 -1
package/dist/db/client.d.ts.map +1 -1
package/dist/db/client.js +10 -1
package/dist/db/client.js.map +1 -1
package/dist/db/migrations.d.ts +13 -5
package/dist/db/migrations.d.ts.map +1 -1
package/dist/db/migrations.js +9 -2
package/dist/db/migrations.js.map +1 -1
package/dist/deploy/build.d.ts +12 -1
package/dist/deploy/build.d.ts.map +1 -1
package/dist/deploy/build.js +195 -23
package/dist/deploy/build.js.map +1 -1
package/dist/file-upload/registry.d.ts.map +1 -1
package/dist/file-upload/registry.js +25 -1
package/dist/file-upload/registry.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -2
package/dist/index.js.map +1 -1
package/dist/integrations/adapters/email.d.ts.map +1 -1
package/dist/integrations/adapters/email.js +152 -32
package/dist/integrations/adapters/email.js.map +1 -1
package/dist/integrations/adapters/slack.d.ts +13 -0
package/dist/integrations/adapters/slack.d.ts.map +1 -1
package/dist/integrations/adapters/slack.js +302 -32
package/dist/integrations/adapters/slack.js.map +1 -1
package/dist/integrations/adapters/telegram.d.ts.map +1 -1
package/dist/integrations/adapters/telegram.js +37 -2
package/dist/integrations/adapters/telegram.js.map +1 -1
package/dist/integrations/adapters/whatsapp.d.ts.map +1 -1
package/dist/integrations/adapters/whatsapp.js +91 -12
package/dist/integrations/adapters/whatsapp.js.map +1 -1
package/dist/integrations/google-docs-poller.d.ts.map +1 -1
package/dist/integrations/google-docs-poller.js +5 -2
package/dist/integrations/google-docs-poller.js.map +1 -1
package/dist/integrations/internal-token.d.ts.map +1 -1
package/dist/integrations/internal-token.js +17 -1
package/dist/integrations/internal-token.js.map +1 -1
package/dist/integrations/pending-tasks-retry-job.d.ts.map +1 -1
package/dist/integrations/pending-tasks-retry-job.js +23 -9
package/dist/integrations/pending-tasks-retry-job.js.map +1 -1
package/dist/integrations/pending-tasks-store.d.ts +16 -0
package/dist/integrations/pending-tasks-store.d.ts.map +1 -1
package/dist/integrations/pending-tasks-store.js +58 -5
package/dist/integrations/pending-tasks-store.js.map +1 -1
package/dist/integrations/plugin.d.ts.map +1 -1
package/dist/integrations/plugin.js +198 -15
package/dist/integrations/plugin.js.map +1 -1
package/dist/integrations/types.d.ts +33 -2
package/dist/integrations/types.d.ts.map +1 -1
package/dist/integrations/webhook-handler.d.ts +6 -0
package/dist/integrations/webhook-handler.d.ts.map +1 -1
package/dist/integrations/webhook-handler.js +141 -61
package/dist/integrations/webhook-handler.js.map +1 -1
package/dist/jobs/cron.d.ts.map +1 -1
package/dist/jobs/cron.js +12 -4
package/dist/jobs/cron.js.map +1 -1
package/dist/jobs/scheduler.d.ts.map +1 -1
package/dist/jobs/scheduler.js +141 -16
package/dist/jobs/scheduler.js.map +1 -1
package/dist/jobs/tools.d.ts.map +1 -1
package/dist/jobs/tools.js +94 -3
package/dist/jobs/tools.js.map +1 -1
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +128 -62
package/dist/mcp/server.js.map +1 -1
package/dist/mcp-client/hub-routes.d.ts +14 -0
package/dist/mcp-client/hub-routes.d.ts.map +1 -1
package/dist/mcp-client/hub-routes.js +42 -2
package/dist/mcp-client/hub-routes.js.map +1 -1
package/dist/mcp-client/index.d.ts +1 -1
package/dist/mcp-client/index.d.ts.map +1 -1
package/dist/mcp-client/index.js +1 -1
package/dist/mcp-client/index.js.map +1 -1
package/dist/mcp-client/manager.d.ts.map +1 -1
package/dist/mcp-client/manager.js +28 -3
package/dist/mcp-client/manager.js.map +1 -1
package/dist/mcp-client/remote-store.d.ts +49 -1
package/dist/mcp-client/remote-store.d.ts.map +1 -1
package/dist/mcp-client/remote-store.js +253 -6
package/dist/mcp-client/remote-store.js.map +1 -1
package/dist/mcp-client/routes.d.ts.map +1 -1
package/dist/mcp-client/routes.js +11 -9
package/dist/mcp-client/routes.js.map +1 -1
package/dist/mcp-client/visibility.d.ts +7 -3
package/dist/mcp-client/visibility.d.ts.map +1 -1
package/dist/mcp-client/visibility.js +16 -7
package/dist/mcp-client/visibility.js.map +1 -1
package/dist/notifications/actions.d.ts.map +1 -1
package/dist/notifications/actions.js +7 -1
package/dist/notifications/actions.js.map +1 -1
package/dist/notifications/routes.d.ts +1 -1
package/dist/notifications/routes.d.ts.map +1 -1
package/dist/notifications/routes.js +20 -3
package/dist/notifications/routes.js.map +1 -1
package/dist/notifications/store.d.ts.map +1 -1
package/dist/notifications/store.js +6 -1
package/dist/notifications/store.js.map +1 -1
package/dist/oauth-tokens/store.d.ts +43 -2
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +83 -14
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/observability/cleanup-job.d.ts +38 -0
package/dist/observability/cleanup-job.d.ts.map +1 -0
package/dist/observability/cleanup-job.js +107 -0
package/dist/observability/cleanup-job.js.map +1 -0
package/dist/observability/experiments.js +5 -5
package/dist/observability/experiments.js.map +1 -1
package/dist/observability/index.d.ts +2 -1
package/dist/observability/index.d.ts.map +1 -1
package/dist/observability/index.js +2 -1
package/dist/observability/index.js.map +1 -1
package/dist/observability/plugin.d.ts.map +1 -1
package/dist/observability/plugin.js +11 -0
package/dist/observability/plugin.js.map +1 -1
package/dist/observability/routes.d.ts.map +1 -1
package/dist/observability/routes.js +37 -8
package/dist/observability/routes.js.map +1 -1
package/dist/observability/store.d.ts +16 -0
package/dist/observability/store.d.ts.map +1 -1
package/dist/observability/store.js +54 -3
package/dist/observability/store.js.map +1 -1
package/dist/observability/traces.d.ts +5 -0
package/dist/observability/traces.d.ts.map +1 -1
package/dist/observability/traces.js +44 -1
package/dist/observability/traces.js.map +1 -1
package/dist/observability/types.d.ts +7 -0
package/dist/observability/types.d.ts.map +1 -1
package/dist/observability/types.js.map +1 -1
package/dist/onboarding/default-steps.d.ts.map +1 -1
package/dist/onboarding/default-steps.js +1 -2
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/onboarding/plugin.d.ts.map +1 -1
package/dist/onboarding/plugin.js +63 -32
package/dist/onboarding/plugin.js.map +1 -1
package/dist/onboarding/types.d.ts +6 -1
package/dist/onboarding/types.d.ts.map +1 -1
package/dist/org/accept-pending.d.ts.map +1 -1
package/dist/org/accept-pending.js +2 -1
package/dist/org/accept-pending.js.map +1 -1
package/dist/progress/actions.d.ts.map +1 -1
package/dist/progress/actions.js +10 -1
package/dist/progress/actions.js.map +1 -1
package/dist/progress/routes.d.ts +1 -1
package/dist/progress/routes.d.ts.map +1 -1
package/dist/progress/routes.js +20 -3
package/dist/progress/routes.js.map +1 -1
package/dist/progress/store.d.ts.map +1 -1
package/dist/progress/store.js +6 -1
package/dist/progress/store.js.map +1 -1
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +35 -7
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +15 -3
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +12 -4
package/dist/resources/store.js.map +1 -1
package/dist/scripts/call-agent.d.ts +1 -0
package/dist/scripts/call-agent.d.ts.map +1 -1
package/dist/scripts/call-agent.js +78 -40
package/dist/scripts/call-agent.js.map +1 -1
package/dist/scripts/chat/search-chats.d.ts.map +1 -1
package/dist/scripts/chat/search-chats.js +3 -2
package/dist/scripts/chat/search-chats.js.map +1 -1
package/dist/scripts/db/exec.d.ts +1 -1
package/dist/scripts/db/exec.d.ts.map +1 -1
package/dist/scripts/db/exec.js +171 -5
package/dist/scripts/db/exec.js.map +1 -1
package/dist/scripts/db/migrate-user-api-keys.d.ts.map +1 -1
package/dist/scripts/db/migrate-user-api-keys.js +10 -0
package/dist/scripts/db/migrate-user-api-keys.js.map +1 -1
package/dist/scripts/db/query.d.ts +1 -1
package/dist/scripts/db/query.d.ts.map +1 -1
package/dist/scripts/db/query.js +104 -4
package/dist/scripts/db/query.js.map +1 -1
package/dist/scripts/db/scoping.d.ts.map +1 -1
package/dist/scripts/db/scoping.js +35 -10
package/dist/scripts/db/scoping.js.map +1 -1
package/dist/scripts/dev/shell.d.ts.map +1 -1
package/dist/scripts/dev/shell.js +3 -1
package/dist/scripts/dev/shell.js.map +1 -1
package/dist/scripts/resources/delete-memory.d.ts.map +1 -1
package/dist/scripts/resources/delete-memory.js +2 -1
package/dist/scripts/resources/delete-memory.js.map +1 -1
package/dist/scripts/resources/delete.d.ts.map +1 -1
package/dist/scripts/resources/delete.js +2 -1
package/dist/scripts/resources/delete.js.map +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +2 -1
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
package/dist/scripts/resources/migrate-learnings.js +2 -1
package/dist/scripts/resources/migrate-learnings.js.map +1 -1
package/dist/scripts/resources/read.d.ts.map +1 -1
package/dist/scripts/resources/read.js +2 -1
package/dist/scripts/resources/read.js.map +1 -1
package/dist/scripts/resources/save-memory.d.ts.map +1 -1
package/dist/scripts/resources/save-memory.js +2 -1
package/dist/scripts/resources/save-memory.js.map +1 -1
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +2 -1
package/dist/scripts/resources/write.js.map +1 -1
package/dist/secrets/onboarding.d.ts.map +1 -1
package/dist/secrets/onboarding.js +24 -16
package/dist/secrets/onboarding.js.map +1 -1
package/dist/secrets/routes.d.ts.map +1 -1
package/dist/secrets/routes.js +139 -37
package/dist/secrets/routes.js.map +1 -1
package/dist/secrets/storage.d.ts.map +1 -1
package/dist/secrets/storage.js +23 -12
package/dist/secrets/storage.js.map +1 -1
package/dist/secrets/substitution.d.ts +24 -2
package/dist/secrets/substitution.d.ts.map +1 -1
package/dist/secrets/substitution.js +44 -6
package/dist/secrets/substitution.js.map +1 -1
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +19 -51
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/action-routes.d.ts.map +1 -1
package/dist/server/action-routes.js +61 -15
package/dist/server/action-routes.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +449 -338
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts +8 -0
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +39 -12
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/agent-teams.d.ts.map +1 -1
package/dist/server/agent-teams.js +4 -1
package/dist/server/agent-teams.js.map +1 -1
package/dist/server/analytics.d.ts +0 -1
package/dist/server/analytics.d.ts.map +1 -1
package/dist/server/analytics.js +0 -1
package/dist/server/analytics.js.map +1 -1
package/dist/server/app-base-path.d.ts +4 -0
package/dist/server/app-base-path.d.ts.map +1 -0
package/dist/server/app-base-path.js +33 -0
package/dist/server/app-base-path.js.map +1 -0
package/dist/server/app-url.d.ts +4 -1
package/dist/server/app-url.d.ts.map +1 -1
package/dist/server/app-url.js +16 -1
package/dist/server/app-url.js.map +1 -1
package/dist/server/auth.d.ts +15 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +400 -68
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +1 -0
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +67 -15
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +15 -0
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +90 -4
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/cli-capture.d.ts +31 -0
package/dist/server/cli-capture.d.ts.map +1 -0
package/dist/server/cli-capture.js +120 -0
package/dist/server/cli-capture.js.map +1 -0
package/dist/server/collab-plugin.d.ts +12 -0
package/dist/server/collab-plugin.d.ts.map +1 -1
package/dist/server/collab-plugin.js +63 -21
package/dist/server/collab-plugin.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +467 -130
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/create-server.d.ts +2 -0
package/dist/server/create-server.d.ts.map +1 -1
package/dist/server/create-server.js +82 -11
package/dist/server/create-server.js.map +1 -1
package/dist/server/credential-provider.d.ts +11 -0
package/dist/server/credential-provider.d.ts.map +1 -1
package/dist/server/credential-provider.js +51 -2
package/dist/server/credential-provider.js.map +1 -1
package/dist/server/csrf.d.ts +58 -0
package/dist/server/csrf.d.ts.map +1 -0
package/dist/server/csrf.js +165 -0
package/dist/server/csrf.js.map +1 -0
package/dist/server/framework-request-handler.d.ts +20 -0
package/dist/server/framework-request-handler.d.ts.map +1 -1
package/dist/server/framework-request-handler.js +115 -34
package/dist/server/framework-request-handler.js.map +1 -1
package/dist/server/google-auth-plugin.d.ts.map +1 -1
package/dist/server/google-auth-plugin.js +10 -2
package/dist/server/google-auth-plugin.js.map +1 -1
package/dist/server/google-oauth.d.ts +84 -2
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +248 -45
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +5 -4
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +5 -4
package/dist/server/index.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +8 -3
package/dist/server/oauth-helpers.d.ts.map +1 -1
package/dist/server/oauth-helpers.js +12 -8
package/dist/server/oauth-helpers.js.map +1 -1
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +37 -9
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts +33 -0
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +43 -2
package/dist/server/poll.js.map +1 -1
package/dist/server/request-context.d.ts +102 -3
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/request-context.js +100 -7
package/dist/server/request-context.js.map +1 -1
package/dist/server/security-headers.d.ts +51 -0
package/dist/server/security-headers.d.ts.map +1 -0
package/dist/server/security-headers.js +90 -0
package/dist/server/security-headers.js.map +1 -0
package/dist/server/short-lived-token.d.ts +62 -0
package/dist/server/short-lived-token.d.ts.map +1 -0
package/dist/server/short-lived-token.js +118 -0
package/dist/server/short-lived-token.js.map +1 -0
package/dist/server/ssr-handler.d.ts.map +1 -1
package/dist/server/ssr-handler.js +96 -2
package/dist/server/ssr-handler.js.map +1 -1
package/dist/server/transcribe-voice.d.ts.map +1 -1
package/dist/server/transcribe-voice.js +307 -56
package/dist/server/transcribe-voice.js.map +1 -1
package/dist/server/voice-providers-status.d.ts +12 -0
package/dist/server/voice-providers-status.d.ts.map +1 -0
package/dist/server/voice-providers-status.js +71 -0
package/dist/server/voice-providers-status.js.map +1 -0
package/dist/shared/agent-chat.js +1 -1
package/dist/shared/agent-chat.js.map +1 -1
package/dist/shared/agent-env.js +1 -1
package/dist/shared/agent-env.js.map +1 -1
package/dist/sharing/access.d.ts.map +1 -1
package/dist/sharing/access.js +16 -13
package/dist/sharing/access.js.map +1 -1
package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
package/dist/sharing/actions/set-resource-visibility.js +3 -0
package/dist/sharing/actions/set-resource-visibility.js.map +1 -1
package/dist/sharing/actions/share-resource.d.ts +1 -0
package/dist/sharing/actions/share-resource.d.ts.map +1 -1
package/dist/sharing/actions/share-resource.js +50 -0
package/dist/sharing/actions/share-resource.js.map +1 -1
package/dist/sharing/actions/unshare-resource.d.ts.map +1 -1
package/dist/sharing/actions/unshare-resource.js +2 -0
package/dist/sharing/actions/unshare-resource.js.map +1 -1
package/dist/templates/default/.agents/skills/delegate-to-agent/SKILL.md +54 -0
package/dist/templates/default/app/root.tsx +1 -1
package/dist/templates/default/app/routes/_index.tsx +6 -1
package/dist/templates/default/package.json +1 -1
package/dist/templates/default/public/favicon.svg +13 -0
package/dist/templates/default/public/icon-180.svg +12 -3
package/dist/templates/default/public/icon-192.svg +12 -3
package/dist/templates/default/public/icon-512.svg +12 -3
package/dist/templates/workspace-core/package.json +23 -5
package/dist/templates/workspace-core/src/credentials.ts +32 -5
package/dist/templates/workspace-core/tsconfig.json +4 -1
package/dist/terminal/pty-server.d.ts.map +1 -1
package/dist/terminal/pty-server.js +8 -2
package/dist/terminal/pty-server.js.map +1 -1
package/dist/terminal/terminal-plugin.js +3 -3
package/dist/terminal/terminal-plugin.js.map +1 -1
package/dist/tools/actions.d.ts.map +1 -1
package/dist/tools/actions.js +130 -0
package/dist/tools/actions.js.map +1 -1
package/dist/tools/fetch-tool.d.ts +1 -0
package/dist/tools/fetch-tool.d.ts.map +1 -1
package/dist/tools/fetch-tool.js +38 -16
package/dist/tools/fetch-tool.js.map +1 -1
package/dist/tools/html-shell.d.ts +44 -1
package/dist/tools/html-shell.d.ts.map +1 -1
package/dist/tools/html-shell.js +119 -4
package/dist/tools/html-shell.js.map +1 -1
package/dist/tools/proxy-security.d.ts +12 -0
package/dist/tools/proxy-security.d.ts.map +1 -0
package/dist/tools/proxy-security.js +158 -0
package/dist/tools/proxy-security.js.map +1 -0
package/dist/tools/routes.d.ts.map +1 -1
package/dist/tools/routes.js +156 -105
package/dist/tools/routes.js.map +1 -1
package/dist/tools/schema.d.ts +89 -0
package/dist/tools/schema.d.ts.map +1 -1
package/dist/tools/schema.js +34 -0
package/dist/tools/schema.js.map +1 -1
package/dist/tools/slots/routes.d.ts +15 -0
package/dist/tools/slots/routes.d.ts.map +1 -0
package/dist/tools/slots/routes.js +94 -0
package/dist/tools/slots/routes.js.map +1 -0
package/dist/tools/slots/schema.d.ts +303 -0
package/dist/tools/slots/schema.d.ts.map +1 -0
package/dist/tools/slots/schema.js +76 -0
package/dist/tools/slots/schema.js.map +1 -0
package/dist/tools/slots/store.d.ts +66 -0
package/dist/tools/slots/store.d.ts.map +1 -0
package/dist/tools/slots/store.js +227 -0
package/dist/tools/slots/store.js.map +1 -0
package/dist/tools/store.d.ts.map +1 -1
package/dist/tools/store.js +35 -37
package/dist/tools/store.js.map +1 -1
package/dist/tools/url-safety.d.ts +24 -0
package/dist/tools/url-safety.d.ts.map +1 -0
package/dist/tools/url-safety.js +224 -0
package/dist/tools/url-safety.js.map +1 -0
package/dist/tracking/providers.d.ts.map +1 -1
package/dist/tracking/providers.js +28 -11
package/dist/tracking/providers.js.map +1 -1
package/dist/tracking/registry.d.ts.map +1 -1
package/dist/tracking/registry.js +7 -3
package/dist/tracking/registry.js.map +1 -1
package/dist/triggers/actions.d.ts.map +1 -1
package/dist/triggers/actions.js +11 -6
package/dist/triggers/actions.js.map +1 -1
package/dist/triggers/condition-evaluator.d.ts +8 -0
package/dist/triggers/condition-evaluator.d.ts.map +1 -1
package/dist/triggers/condition-evaluator.js +39 -4
package/dist/triggers/condition-evaluator.js.map +1 -1
package/dist/triggers/dispatcher.d.ts.map +1 -1
package/dist/triggers/dispatcher.js +67 -4
package/dist/triggers/dispatcher.js.map +1 -1
package/dist/usage/store.d.ts +0 -11
package/dist/usage/store.d.ts.map +1 -1
package/dist/usage/store.js +0 -11
package/dist/usage/store.js.map +1 -1
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +8 -5
package/dist/vite/action-types-plugin.js.map +1 -1
package/dist/vite/client.d.ts +2 -0
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +216 -4
package/dist/vite/client.js.map +1 -1
package/docs/content/actions.md +32 -0
package/docs/content/authentication.md +39 -12
package/docs/content/cloneable-saas.md +13 -15
package/docs/content/deployment.md +84 -9
package/docs/content/drop-in-agent.md +2 -2
package/docs/content/faq.md +4 -1
package/docs/content/getting-started.md +2 -0
package/docs/content/messaging.md +195 -155
package/docs/content/onboarding.md +82 -12
package/docs/content/security.md +59 -8
package/docs/content/template-analytics.md +65 -59
package/docs/content/template-clips.md +7 -9
package/docs/content/template-design.md +55 -0
package/docs/content/template-dispatch.md +13 -0
package/docs/content/template-forms.md +7 -6
package/docs/content/template-mail.md +78 -80
package/package.json +4 -3
package/src/templates/default/.agents/skills/delegate-to-agent/SKILL.md +54 -0
package/src/templates/default/app/root.tsx +1 -1
package/src/templates/default/app/routes/_index.tsx +6 -1
package/src/templates/default/package.json +1 -1
package/src/templates/default/public/favicon.svg +13 -0
package/src/templates/default/public/icon-180.svg +12 -3
package/src/templates/default/public/icon-192.svg +12 -3
package/src/templates/default/public/icon-512.svg +12 -3
package/src/templates/workspace-core/package.json +23 -5
package/src/templates/workspace-core/src/credentials.ts +32 -5
package/src/templates/workspace-core/tsconfig.json +4 -1

package/dist/server/security-headers.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * Security response headers middleware.
+ *
+ * Sets a baseline set of "no-brainer" security headers on every framework HTTP
+ * response. These headers are layered defenses: each one mitigates a specific
+ * class of attack, and together they harden the surface against clickjacking,
+ * MIME-sniffing, referrer leakage, mixed-content downgrades, and cross-origin
+ * window/embed access.
+ *
+ * The headers we emit:
+ *
+ *   - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime
+ *     of the cached value, preventing SSL-strip MITM. Only emitted when the
+ *     request scheme is `https` (we don't want to break local-dev HTTP, and
+ *     emitting HSTS over HTTP is a no-op per the spec but causes confusion).
+ *   - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so
+ *     a tool /render route serving user-authored HTML can't be misinterpreted
+ *     as some other content type by a clever Accept header.
+ *   - `X-Frame-Options: DENY` — prevents the entire app from being iframed by
+ *     other origins (clickjacking the agent chat, booking pages, etc.). The
+ *     tool /render endpoint and any other route that legitimately needs to be
+ *     embedded in the same-origin app shell can opt out by setting its own
+ *     header inside the route handler — h3's `setResponseHeader` overwrites,
+ *     so a route emitting `SAMEORIGIN` wins over our middleware default.
+ *   - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query
+ *     from outbound Referer headers when the request crosses origin, so a
+ *     public-share viewer's outbound link clicks never leak the share token.
+ *   - `Permissions-Policy: camera=(), microphone=(), geolocation=(),
+ *     screen-wake-lock=()` — blocks iframed children from inheriting camera
+ *     / mic / location grants. Templates that need camera/mic for recording
+ *     UI override this on their own routes.
+ *   - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so
+ *     a popup-window opener reference can't read or modify our document.
+ *   - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from
+ *     embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking
+ *     the simplest data-leak chain when combined with auth cookies.
+ *
+ * NOTE: We don't set `Cross-Origin-Embedder-Policy` because it requires every
+ * embedded subresource to opt in via CORP/CORS, which would break Builder's
+ * iframe editor and template embed use cases. COOP + CORP without COEP gives
+ * us most of the protection.
+ */
+/**
+ * Create the security-headers h3 middleware. Mount this BEFORE other route
+ * handlers so the headers are present on every response (including 4xx/5xx
+ * error pages). Route handlers that need to relax a specific header (e.g.
+ * `X-Frame-Options: SAMEORIGIN` on the tool render route) can call
+ * `setResponseHeader` after this runs — the latest write wins.
+ */
+export declare function createSecurityHeadersMiddleware(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, any>;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/server/security-headers.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AA6BH;;;;;;GAMG;AACH,wBAAgB,+BAA+B,8EAkB9C"}

package/dist/server/security-headers.js ADDED Viewed

@@ -0,0 +1,90 @@
+/**
+ * Security response headers middleware.
+ *
+ * Sets a baseline set of "no-brainer" security headers on every framework HTTP
+ * response. These headers are layered defenses: each one mitigates a specific
+ * class of attack, and together they harden the surface against clickjacking,
+ * MIME-sniffing, referrer leakage, mixed-content downgrades, and cross-origin
+ * window/embed access.
+ *
+ * The headers we emit:
+ *
+ *   - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime
+ *     of the cached value, preventing SSL-strip MITM. Only emitted when the
+ *     request scheme is `https` (we don't want to break local-dev HTTP, and
+ *     emitting HSTS over HTTP is a no-op per the spec but causes confusion).
+ *   - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so
+ *     a tool /render route serving user-authored HTML can't be misinterpreted
+ *     as some other content type by a clever Accept header.
+ *   - `X-Frame-Options: DENY` — prevents the entire app from being iframed by
+ *     other origins (clickjacking the agent chat, booking pages, etc.). The
+ *     tool /render endpoint and any other route that legitimately needs to be
+ *     embedded in the same-origin app shell can opt out by setting its own
+ *     header inside the route handler — h3's `setResponseHeader` overwrites,
+ *     so a route emitting `SAMEORIGIN` wins over our middleware default.
+ *   - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query
+ *     from outbound Referer headers when the request crosses origin, so a
+ *     public-share viewer's outbound link clicks never leak the share token.
+ *   - `Permissions-Policy: camera=(), microphone=(), geolocation=(),
+ *     screen-wake-lock=()` — blocks iframed children from inheriting camera
+ *     / mic / location grants. Templates that need camera/mic for recording
+ *     UI override this on their own routes.
+ *   - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so
+ *     a popup-window opener reference can't read or modify our document.
+ *   - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from
+ *     embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking
+ *     the simplest data-leak chain when combined with auth cookies.
+ *
+ * NOTE: We don't set `Cross-Origin-Embedder-Policy` because it requires every
+ * embedded subresource to opt in via CORP/CORS, which would break Builder's
+ * iframe editor and template embed use cases. COOP + CORP without COEP gives
+ * us most of the protection.
+ */
+import { defineEventHandler, setResponseHeader } from "h3";
+const HSTS = "max-age=31536000; includeSubDomains; preload";
+const PERMISSIONS_POLICY = "camera=(), microphone=(), geolocation=(), screen-wake-lock=()";
+/**
+ * Returns true when the request was received over HTTPS. We trust both the
+ * underlying connection (when the server is terminating TLS itself) and the
+ * `x-forwarded-proto` header (set by Netlify, Vercel, Cloudflare, and any
+ * other reverse proxy that fronts the framework).
+ */
+function isHttpsRequest(event) {
+    const xfp = event?.node?.req?.headers?.["x-forwarded-proto"] ??
+        event?.headers?.get?.("x-forwarded-proto");
+    if (typeof xfp === "string" && xfp.split(",")[0].trim() === "https")
+        return true;
+    if (Array.isArray(xfp) && xfp[0] === "https")
+        return true;
+    // h3 sets `event.url.protocol` to "http:" or "https:".
+    const proto = event?.url?.protocol;
+    if (proto === "https:")
+        return true;
+    // Direct Node `req.connection.encrypted` (older runtimes).
+    if (event?.node?.req?.connection?.encrypted)
+        return true;
+    return false;
+}
+/**
+ * Create the security-headers h3 middleware. Mount this BEFORE other route
+ * handlers so the headers are present on every response (including 4xx/5xx
+ * error pages). Route handlers that need to relax a specific header (e.g.
+ * `X-Frame-Options: SAMEORIGIN` on the tool render route) can call
+ * `setResponseHeader` after this runs — the latest write wins.
+ */
+export function createSecurityHeadersMiddleware() {
+    return defineEventHandler((event) => {
+        setResponseHeader(event, "X-Content-Type-Options", "nosniff");
+        setResponseHeader(event, "X-Frame-Options", "DENY");
+        setResponseHeader(event, "Referrer-Policy", "strict-origin-when-cross-origin");
+        setResponseHeader(event, "Permissions-Policy", PERMISSIONS_POLICY);
+        setResponseHeader(event, "Cross-Origin-Opener-Policy", "same-origin");
+        setResponseHeader(event, "Cross-Origin-Resource-Policy", "same-site");
+        if (isHttpsRequest(event)) {
+            setResponseHeader(event, "Strict-Transport-Security", HSTS);
+        }
+        // Continue to the next handler — we only set headers, don't return a body.
+        return undefined;
+    });
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/server/security-headers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAE3D,MAAM,IAAI,GAAG,8CAA8C,CAAC;AAC5D,MAAM,kBAAkB,GACtB,+DAA+D,CAAC;AAElE;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAU;IAChC,MAAM,GAAG,GACP,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAChD,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO;QACjE,OAAO,IAAI,CAAC;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1D,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC;IACnC,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACpC,2DAA2D;IAC3D,IAAI,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B;IAC7C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,EAAE,SAAS,CAAC,CAAC;QAC9D,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACpD,iBAAiB,CACf,KAAK,EACL,iBAAiB,EACjB,iCAAiC,CAClC,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACnE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;QACtE,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,2BAA2B,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,2EAA2E;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/server/short-lived-token.d.ts ADDED Viewed

@@ -0,0 +1,62 @@
+/**
+ * Short-lived HMAC-signed access tokens for media URLs.
+ *
+ * Used by clips and calls to mint a single-use bearer token after a password
+ * gate passes, then bake `?t=<token>` into the video/blob URL handed to the
+ * `<video>` element — instead of `?password=<plaintext>` (which ends up in
+ * browser history, CDN logs, and Referer headers).
+ *
+ * Token shape: `<payloadB64Url>.<sigB64Url>`
+ *   payload = base64url(JSON.stringify({ resourceId, viewerEmail?, exp }))
+ *   sig     = base64url(HMAC-SHA256(payload, key))
+ *
+ * Key resolution mirrors `google-oauth.ts:getStateSigningKey`:
+ *   1. OAUTH_STATE_SECRET (preferred — dedicated to short-lived signing)
+ *   2. BETTER_AUTH_SECRET (already used as a server secret)
+ *   3. In dev only, an ephemeral random key (per-process)
+ *
+ * In production, throws if neither secret is set.
+ */
+/**
+ * Inputs for {@link signShortLivedToken}.
+ */
+export interface ShortLivedTokenClaims {
+    /** Resource id the token authorises (recording id, call id, snippet id, …). */
+    resourceId: string;
+    /** Optional viewer email for audit / analytics — not used for authorisation. */
+    viewerEmail?: string;
+    /** Override default TTL (seconds). */
+    ttlSeconds?: number;
+}
+/**
+ * Result of {@link verifyShortLivedToken}. Discriminated by the literal
+ * `ok` field so callers can `if (!result.ok) return …`.
+ */
+export type VerifyResult = {
+    ok: true;
+    viewerEmail?: string;
+} | {
+    ok: false;
+    reason: string;
+};
+/**
+ * Mint a signed token authorising read access to `claims.resourceId` until
+ * `exp = now + ttl`. The result is safe to drop into a query string —
+ * `?t=<token>` — and verified by {@link verifyShortLivedToken} on the
+ * downstream route.
+ */
+export declare function signShortLivedToken(claims: ShortLivedTokenClaims): string;
+/**
+ * Verify a token previously produced by {@link signShortLivedToken}.
+ *
+ * Returns `{ ok: true, viewerEmail? }` only when:
+ *  - the token has the expected shape (`<payload>.<sig>`),
+ *  - the signature matches via constant-time comparison,
+ *  - the token has not expired,
+ *  - the embedded `resourceId` matches `expectedResourceId`.
+ *
+ * Otherwise returns `{ ok: false, reason: <error string> }`. Callers should
+ * not surface the reason to viewers (it's useful for server-side logs only).
+ */
+export declare function verifyShortLivedToken(token: string, expectedResourceId: string): VerifyResult;
+//# sourceMappingURL=short-lived-token.d.ts.map

package/dist/server/short-lived-token.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"short-lived-token.d.ts","sourceRoot":"","sources":["../../src/server/short-lived-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAQD;;;GAGG;AACH,MAAM,MAAM,YAAY,GACpB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAqClC;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,qBAAqB,GAAG,MAAM,CAazE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EACb,kBAAkB,EAAE,MAAM,GACzB,YAAY,CA0Cd"}

package/dist/server/short-lived-token.js ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * Short-lived HMAC-signed access tokens for media URLs.
+ *
+ * Used by clips and calls to mint a single-use bearer token after a password
+ * gate passes, then bake `?t=<token>` into the video/blob URL handed to the
+ * `<video>` element — instead of `?password=<plaintext>` (which ends up in
+ * browser history, CDN logs, and Referer headers).
+ *
+ * Token shape: `<payloadB64Url>.<sigB64Url>`
+ *   payload = base64url(JSON.stringify({ resourceId, viewerEmail?, exp }))
+ *   sig     = base64url(HMAC-SHA256(payload, key))
+ *
+ * Key resolution mirrors `google-oauth.ts:getStateSigningKey`:
+ *   1. OAUTH_STATE_SECRET (preferred — dedicated to short-lived signing)
+ *   2. BETTER_AUTH_SECRET (already used as a server secret)
+ *   3. In dev only, an ephemeral random key (per-process)
+ *
+ * In production, throws if neither secret is set.
+ */
+import crypto from "node:crypto";
+/** Default token TTL, in seconds. 10 minutes covers a typical video session. */
+const DEFAULT_TTL_SECONDS = 600;
+let _devSigningKey;
+function getSigningKey() {
+    const secret = process.env.OAUTH_STATE_SECRET || process.env.BETTER_AUTH_SECRET;
+    if (secret)
+        return secret;
+    if (process.env.NODE_ENV === "production") {
+        throw new Error("Short-lived token signing requires a server secret. " +
+            "Set OAUTH_STATE_SECRET or BETTER_AUTH_SECRET in production.");
+    }
+    if (!_devSigningKey) {
+        _devSigningKey = crypto.randomBytes(32).toString("hex");
+    }
+    return _devSigningKey;
+}
+function base64UrlEncode(buf) {
+    const b = typeof buf === "string" ? Buffer.from(buf, "utf8") : buf;
+    return b
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/g, "");
+}
+function base64UrlDecode(s) {
+    // Re-pad to a multiple of 4 so Buffer.from('base64') decodes cleanly.
+    const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
+    return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+/**
+ * Mint a signed token authorising read access to `claims.resourceId` until
+ * `exp = now + ttl`. The result is safe to drop into a query string —
+ * `?t=<token>` — and verified by {@link verifyShortLivedToken} on the
+ * downstream route.
+ */
+export function signShortLivedToken(claims) {
+    const ttl = claims.ttlSeconds ?? DEFAULT_TTL_SECONDS;
+    const payload = {
+        resourceId: claims.resourceId,
+        exp: Math.floor(Date.now() / 1000) + ttl,
+    };
+    if (claims.viewerEmail)
+        payload.viewerEmail = claims.viewerEmail;
+    const payloadStr = base64UrlEncode(JSON.stringify(payload));
+    const sig = base64UrlEncode(crypto.createHmac("sha256", getSigningKey()).update(payloadStr).digest());
+    return `${payloadStr}.${sig}`;
+}
+/**
+ * Verify a token previously produced by {@link signShortLivedToken}.
+ *
+ * Returns `{ ok: true, viewerEmail? }` only when:
+ *  - the token has the expected shape (`<payload>.<sig>`),
+ *  - the signature matches via constant-time comparison,
+ *  - the token has not expired,
+ *  - the embedded `resourceId` matches `expectedResourceId`.
+ *
+ * Otherwise returns `{ ok: false, reason: <error string> }`. Callers should
+ * not surface the reason to viewers (it's useful for server-side logs only).
+ */
+export function verifyShortLivedToken(token, expectedResourceId) {
+    if (typeof token !== "string" || !token.includes(".")) {
+        return { ok: false, reason: "malformed" };
+    }
+    const [payloadStr, sig] = token.split(".", 2);
+    if (!payloadStr || !sig)
+        return { ok: false, reason: "malformed" };
+    const expected = base64UrlEncode(crypto.createHmac("sha256", getSigningKey()).update(payloadStr).digest());
+    // Constant-time compare. Length-mismatched inputs would throw under
+    // `crypto.timingSafeEqual`, so we check length first and fall back to a
+    // dummy compare to keep timing roughly constant on the failure path.
+    const sigBuf = Buffer.from(sig, "utf8");
+    const expBuf = Buffer.from(expected, "utf8");
+    if (sigBuf.length !== expBuf.length) {
+        crypto.timingSafeEqual(expBuf, expBuf); // burn ~equal cycles
+        return { ok: false, reason: "bad_signature" };
+    }
+    if (!crypto.timingSafeEqual(sigBuf, expBuf)) {
+        return { ok: false, reason: "bad_signature" };
+    }
+    let claims;
+    try {
+        claims = JSON.parse(base64UrlDecode(payloadStr).toString("utf8"));
+    }
+    catch {
+        return { ok: false, reason: "bad_payload" };
+    }
+    if (typeof claims.exp !== "number") {
+        return { ok: false, reason: "bad_payload" };
+    }
+    if (claims.exp * 1000 < Date.now()) {
+        return { ok: false, reason: "expired" };
+    }
+    if (claims.resourceId !== expectedResourceId) {
+        return { ok: false, reason: "wrong_resource" };
+    }
+    return { ok: true, viewerEmail: claims.viewerEmail };
+}
+//# sourceMappingURL=short-lived-token.js.map

package/dist/server/short-lived-token.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"short-lived-token.js","sourceRoot":"","sources":["../../src/server/short-lived-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,gFAAgF;AAChF,MAAM,mBAAmB,GAAG,GAAG,CAAC;AA4BhC,IAAI,cAAkC,CAAC;AAEvC,SAAS,aAAa;IACpB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACnE,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,sDAAsD;YACpD,6DAA6D,CAChE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,GAAoB;IAC3C,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,CAAC;SACL,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,sEAAsE;IACtE,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAA6B;IAC/D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,mBAAmB,CAAC;IACrD,MAAM,OAAO,GAAkB;QAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG;KACzC,CAAC;IACF,IAAI,MAAM,CAAC,WAAW;QAAE,OAAO,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IAEjE,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,GAAG,GAAG,eAAe,CACzB,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,CACzE,CAAC;IACF,OAAO,GAAG,UAAU,IAAI,GAAG,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAAa,EACb,kBAA0B;IAE1B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAEnE,MAAM,QAAQ,GAAG,eAAe,CAC9B,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,CACzE,CAAC;IAEF,oEAAoE;IACpE,wEAAwE;IACxE,qEAAqE;IACrE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7C,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,qBAAqB;QAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAC9C,CAAC;IAED,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,KAAK,kBAAkB,EAAE,CAAC;QAC7C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACjD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;AACvD,CAAC"}

package/dist/server/ssr-handler.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssr-handler.d.ts","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"~~AAoBA~~;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,~~2FAgC5E~~"}
1	+ {"version":3,"file":"ssr-handler.d.ts","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAiHA;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,2FAkD5E"}

package/dist/server/ssr-handler.js CHANGED Viewed

@@ -17,6 +17,85 @@
  */
 import { createRequestHandler } from "react-router";
 import { defineEventHandler } from "h3";
+function normalizeAppBasePath(value) {
+    if (!value || value === "/")
+        return "";
+    const trimmed = value.trim();
+    if (!trimmed || trimmed === "/")
+        return "";
+    return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
+}
+function getAppBasePath() {
+    const metaEnv = import.meta.env;
+    return normalizeAppBasePath(process.env.VITE_APP_BASE_PATH ||
+        process.env.APP_BASE_PATH ||
+        metaEnv?.VITE_APP_BASE_PATH ||
+        metaEnv?.APP_BASE_PATH ||
+        metaEnv?.BASE_URL);
+}
+function stripAppBasePath(pathname) {
+    const basePath = getAppBasePath();
+    if (!basePath)
+        return pathname;
+    if (pathname === basePath)
+        return "/";
+    if (pathname.startsWith(`${basePath}/`)) {
+        return pathname.slice(basePath.length) || "/";
+    }
+    return pathname;
+}
+function requestWithPathname(request, pathname) {
+    const url = new URL(request.url);
+    if (url.pathname === pathname)
+        return request;
+    url.pathname = pathname;
+    return new Request(url, {
+        method: request.method,
+        headers: request.headers,
+        signal: request.signal,
+    });
+}
+function prefixMountedPath(path, basePath) {
+    if (!basePath || !path.startsWith("/") || path.startsWith("//"))
+        return path;
+    if (path === basePath || path.startsWith(`${basePath}/`))
+        return path;
+    return `${basePath}${path}`;
+}
+function prefixMountedHtml(html, basePath) {
+    if (!basePath)
+        return html;
+    return html
+        .replace(/\b(href|src|action|formaction|poster)=(["'])(\/(?!\/)[^"']*)\2/g, (_match, attr, quote, path) => `${attr}=${quote}${prefixMountedPath(path, basePath)}${quote}`)
+        .replace(/url\((["']?)(\/(?!\/)[^)'" ]+)\1\)/g, (_match, quote, path) => {
+        const q = quote || "";
+        return `url(${q}${prefixMountedPath(path, basePath)}${q})`;
+    });
+}
+async function rewriteMountedResponse(response, basePath) {
+    if (!basePath)
+        return response;
+    const headers = new Headers(response.headers);
+    const location = headers.get("location");
+    if (location?.startsWith("/") && !location.startsWith("//")) {
+        headers.set("location", prefixMountedPath(location, basePath));
+    }
+    const contentType = headers.get("content-type") ?? "";
+    if (!contentType.toLowerCase().includes("text/html") || !response.body) {
+        return new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers,
+        });
+    }
+    const html = await response.text();
+    headers.delete("content-length");
+    return new Response(prefixMountedHtml(html, basePath), {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
 /**
  * Create an h3 catch-all that hands page routes to React Router and
  * returns 404 for framework / asset paths that React Router doesn't own.
@@ -24,7 +103,8 @@ import { defineEventHandler } from "h3";
 export function createH3SSRHandler(getBuild) {
     const handler = createRequestHandler(getBuild);
     return defineEventHandler(async (event) => {
-        const p = event.url.pathname;
+        const basePath = getAppBasePath();
+        const p = stripAppBasePath(event.url.pathname);
         if (p.startsWith("/.well-known/") ||
             p.startsWith("/_agent-native/") ||
             p.startsWith("/api/") ||
@@ -34,7 +114,21 @@ export function createH3SSRHandler(getBuild) {
             return new Response(null, { status: 404 });
         }
         try {
-            return await handler(event.req);
+            const request = requestWithPathname(event.req, p);
+            if (request.method === "HEAD") {
+                const getRequest = new Request(request.url, {
+                    method: "GET",
+                    headers: request.headers,
+                    signal: request.signal,
+                });
+                const response = await handler(getRequest);
+                return await rewriteMountedResponse(new Response(null, {
+                    status: response.status,
+                    statusText: response.statusText,
+                    headers: response.headers,
+                }), basePath);
+            }
+            return await rewriteMountedResponse(await handler(request), basePath);
         }
         catch (err) {
             // Log the full stack server-side, but never leak it to the client.

package/dist/server/ssr-handler.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssr-handler.js","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,IAAI,CAAC;AAExC;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA0C;IAC3E,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAe,CAAC,CAAC;IACtD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC;~~QAC7B~~,IACE,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC;YAC7B,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC;YAC/B,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC;YACrB,CAAC,KAAK,cAAc;YACpB,CAAC,KAAK,cAAc;YACpB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAC1C,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,OAAO,CAAC,KAAK,CAAC,~~GAAc~~,CAAC,CAAC;~~QAC7C~~,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM;gBACjB,CAAC,CAAC,uBAAuB;gBACzB,CAAC,CAAC,0BAA2B,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;YAC/D,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}
1	+ {"version":3,"file":"ssr-handler.js","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,IAAI,CAAC;AAExC,SAAS,oBAAoB,CAAC,KAAyB;IACrD,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,cAAc;IACrB,MAAM,OAAO,GACX,MAAM,CAAC,IAGR,CAAC,GAAG,CAAC;IACN,OAAO,oBAAoB,CACzB,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC5B,OAAO,CAAC,GAAG,CAAC,aAAa;QACzB,OAAO,EAAE,kBAAkB;QAC3B,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,QAAQ,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB,EAAE,QAAgB;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAC9C,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;IACxB,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE;QACtB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,OAAO,GAAG,QAAQ,GAAG,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO,IAAI;SACR,OAAO,CACN,iEAAiE,EACjE,CAAC,MAAM,EAAE,IAAY,EAAE,KAAa,EAAE,IAAY,EAAE,EAAE,CACpD,GAAG,IAAI,IAAI,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,KAAK,EAAE,CACjE;SACA,OAAO,CAAC,qCAAqC,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtE,MAAM,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7D,CAAC,CAAC,CAAC;AACP,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,QAAkB,EAClB,QAAgB;IAEhB,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE/B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,QAAQ,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACtD,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACvE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjC,OAAO,IAAI,QAAQ,CAAC,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE;QACrD,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA0C;IAC3E,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAe,CAAC,CAAC;IACtD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IACE,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC;YAC7B,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC;YAC/B,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC;YACrB,CAAC,KAAK,cAAc;YACpB,CAAC,KAAK,cAAc;YACpB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAC1C,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAc,EAAE,CAAC,CAAC,CAAC;YAC7D,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;oBAC1C,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC3C,OAAO,MAAM,sBAAsB,CACjC,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,OAAO,EAAE,QAAQ,CAAC,OAAO;iBAC1B,CAAC,EACF,QAAQ,CACT,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,sBAAsB,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM;gBACjB,CAAC,CAAC,uBAAuB;gBACzB,CAAC,CAAC,0BAA2B,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;YAC/D,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/server/transcribe-voice.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"transcribe-voice.d.ts","sourceRoot":"","sources":["../../src/server/transcribe-voice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;~~AAwEH~~,wBAAgB,4BAA4B;;;;;;~~IAkL3C~~"}
1	+ {"version":3,"file":"transcribe-voice.d.ts","sourceRoot":"","sources":["../../src/server/transcribe-voice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAkFH,wBAAgB,4BAA4B;;;;;;IAqT3C"}