@agent-native/core 0.7.19 → 0.7.20

package/dist/server/app-url.d.ts

@@ -6,15 +6,16 @@
  * Resolution order:
  *   1. `APP_URL` env var — explicit override
  *   2. `BETTER_AUTH_URL` env var — Better Auth's canonical URL
- *   3. First-party template `prodUrl` from the registry (matched by
+ *   3. `WORKSPACE_GATEWAY_URL` — local multi-app workspace gateway
+ *   4. First-party template `prodUrl` from the registry (matched by
  *      package.json name) — lets deployed first-party apps (mail,
  *      calendar, analytics, …) use e.g. `analytics.agent-native.com`
  *      instead of their Netlify preview hostname.
- *   4. Incoming request's origin (when an H3Event is available)
- *   5. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —
+ *   5. Incoming request's origin (when an H3Event is available)
+ *   6. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —
  *      automatically set by the hosting platform, so user-deployed apps
  *      get a real hostname in emails without needing to set `APP_URL`.
- *   6. `http://localhost:3000`
+ *   7. `http://localhost:3000`
  */
 import { type H3Event } from "h3";
 /**

package/dist/server/app-url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app-url.d.ts","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAiB,KAAK,OAAO,EAAE,MAAM,IAAI,CAAC;AAkCjD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,SAAS,CAKzD;AAED,wBAAgB,mBAAmB,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,CAwC3D"}
+{"version":3,"file":"app-url.d.ts","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAiB,KAAK,OAAO,EAAE,MAAM,IAAI,CAAC;AAkCjD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,SAAS,CAKzD;AAED,wBAAgB,mBAAmB,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,CA4C3D"}

package/dist/server/app-url.js

@@ -6,15 +6,16 @@
  * Resolution order:
  *   1. `APP_URL` env var — explicit override
  *   2. `BETTER_AUTH_URL` env var — Better Auth's canonical URL
- *   3. First-party template `prodUrl` from the registry (matched by
+ *   3. `WORKSPACE_GATEWAY_URL` — local multi-app workspace gateway
+ *   4. First-party template `prodUrl` from the registry (matched by
  *      package.json name) — lets deployed first-party apps (mail,
  *      calendar, analytics, …) use e.g. `analytics.agent-native.com`
  *      instead of their Netlify preview hostname.
- *   4. Incoming request's origin (when an H3Event is available)
- *   5. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —
+ *   5. Incoming request's origin (when an H3Event is available)
+ *   6. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —
  *      automatically set by the hosting platform, so user-deployed apps
  *      get a real hostname in emails without needing to set `APP_URL`.
- *   6. `http://localhost:3000`
+ *   7. `http://localhost:3000`
  */
 import { getRequestURL } from "h3";
 import path from "node:path";
@@ -64,6 +65,9 @@ export function getAppProductionUrl(event) {
     const envUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL;
     if (envUrl)
         return stripTrailingSlash(envUrl);
+    if (process.env.WORKSPACE_GATEWAY_URL) {
+        return stripTrailingSlash(process.env.WORKSPACE_GATEWAY_URL);
+    }
     // Prefer the incoming request's origin when we have one — for local dev
     // this is `http://localhost:3000`, which keeps Better Auth from setting
     // `Secure` cookies on plain-HTTP dev servers.

package/dist/server/app-url.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-url.js","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,aAAa,EAAgB,MAAM,IAAI,CAAC;AACjD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,IAAI,aAAa,GAA8B,IAAI,CAAC;AAEpD;;;;;;GAMG;AACH,SAAS,eAAe;IACtB,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,IAAI,SAAS,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,OAAO,GAAG,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAClE,MAAM,OAAO,GAAG,IAAI,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAC/D,aAAa,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IACD,OAAO,aAAa,IAAI,SAAS,CAAC;AACpC,CAAC;AAED,+DAA+D;AAC/D,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,EAAE,OAAO,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAe;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,MAAM;QAAE,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAE9C,wEAAwE;IACxE,wEAAwE;IACxE,8CAA8C;IAC9C,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,wEAAwE;IACxE,oEAAoE;IACpE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QAChE,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;QAC1C,IAAI,UAAU;YAAE,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAEtD,uEAAuE;QACvE,mEAAmE;QACnE,mDAAmD;QACnD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC7D,IAAI,UAAU;YAAE,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAEtD,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QACtE,IAAI,SAAS;YAAE,OAAO,WAAW,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;IACnE,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC","sourcesContent":["/**\n * Resolve the canonical URL of this app — used in transactional emails,\n * invite links, and anywhere we need an absolute URL that remains valid\n * outside the current request context.\n *\n * Resolution order:\n *   1. `APP_URL` env var — explicit override\n *   2. `BETTER_AUTH_URL` env var — Better Auth's canonical URL\n *   3. First-party template `prodUrl` from the registry (matched by\n *      package.json name) — lets deployed first-party apps (mail,\n *      calendar, analytics, …) use e.g. `analytics.agent-native.com`\n *      instead of their Netlify preview hostname.\n *   4. Incoming request's origin (when an H3Event is available)\n *   5. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —\n *      automatically set by the hosting platform, so user-deployed apps\n *      get a real hostname in emails without needing to set `APP_URL`.\n *   6. `http://localhost:3000`\n */\nimport { getRequestURL, type H3Event } from \"h3\";\nimport path from \"node:path\";\nimport fs from \"node:fs\";\nimport { TEMPLATES } from \"../cli/templates-meta.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\nlet cachedPkgName: string | undefined | null = null;\n\n/**\n * Read the app's package name, validated against the first-party template\n * registry. On serverless runtimes (Netlify Functions, Cloudflare Workers),\n * `process.cwd()` may point at a bundler-generated package.json with a\n * bogus name (e.g. Nitro's \"traced-node-modules\"). Only trust the name if\n * it matches a known template.\n */\nfunction readPackageName(): string | undefined {\n  if (cachedPkgName !== null) return cachedPkgName ?? undefined;\n  try {\n    const pkgPath = path.join(process.cwd(), \"package.json\");\n    const pkg = JSON.parse(fs.readFileSync(pkgPath, \"utf8\"));\n    const name = typeof pkg?.name === \"string\" ? pkg.name : undefined;\n    const isKnown = name && TEMPLATES.some((t) => t.name === name);\n    cachedPkgName = isKnown ? name : undefined;\n  } catch {\n    cachedPkgName = undefined;\n  }\n  return cachedPkgName ?? undefined;\n}\n\n/** Strip trailing slashes for consistent URL concatenation. */\nfunction stripTrailingSlash(u: string): string {\n  return u.replace(/\\/+$/, \"\");\n}\n\n/**\n * Look up the first-party template `prodUrl` for the current app based on\n * its `package.json` name. Returns undefined if the app isn't a known\n * first-party template or the template has no `prodUrl`.\n */\nexport function getFirstPartyProdUrl(): string | undefined {\n  const name = readPackageName();\n  if (!name) return undefined;\n  const t = TEMPLATES.find((t) => t.name === name);\n  return t?.prodUrl;\n}\n\nexport function getAppProductionUrl(event?: H3Event): string {\n  const envUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL;\n  if (envUrl) return stripTrailingSlash(envUrl);\n\n  // Prefer the incoming request's origin when we have one — for local dev\n  // this is `http://localhost:3000`, which keeps Better Auth from setting\n  // `Secure` cookies on plain-HTTP dev servers.\n  if (event) {\n    try {\n      const url = getRequestURL(event);\n      return `${url.protocol}//${url.host}`;\n    } catch {\n      // fall through\n    }\n  }\n\n  // Fall back to a first-party template's hard-coded prod URL when we're\n  // running in production OR on a remote database (Neon/Postgres/Turso).\n  // A remote DB means we're deployed even if NODE_ENV isn't explicitly\n  // \"production\" (e.g. Netlify Functions). In local dev with SQLite, skip\n  // this — the hard-coded URL breaks auth via Secure cookies on HTTP.\n  if (process.env.NODE_ENV === \"production\" || !isLocalDatabase()) {\n    const firstParty = getFirstPartyProdUrl();\n    if (firstParty) return stripTrailingSlash(firstParty);\n\n    // Netlify injects `URL` (main site URL, always https) and `DEPLOY_URL`\n    // (deploy-specific URL). Prefer `URL` so emails always link to the\n    // primary domain rather than a preview branch URL.\n    const netlifyUrl = process.env.URL || process.env.DEPLOY_URL;\n    if (netlifyUrl) return stripTrailingSlash(netlifyUrl);\n\n    // Vercel injects `VERCEL_PROJECT_PRODUCTION_URL` (custom/primary domain,\n    // no protocol) and `VERCEL_URL` (ephemeral deployment hostname). Prefer\n    // the production URL so emails use the real domain, not *.vercel.app.\n    const vercelUrl =\n      process.env.VERCEL_PROJECT_PRODUCTION_URL || process.env.VERCEL_URL;\n    if (vercelUrl) return `https://${stripTrailingSlash(vercelUrl)}`;\n  }\n\n  return \"http://localhost:3000\";\n}\n"]}
+{"version":3,"file":"app-url.js","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,aAAa,EAAgB,MAAM,IAAI,CAAC;AACjD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,IAAI,aAAa,GAA8B,IAAI,CAAC;AAEpD;;;;;;GAMG;AACH,SAAS,eAAe;IACtB,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,IAAI,SAAS,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,OAAO,GAAG,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QAClE,MAAM,OAAO,GAAG,IAAI,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAC/D,aAAa,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IACD,OAAO,aAAa,IAAI,SAAS,CAAC;AACpC,CAAC;AAED,+DAA+D;AAC/D,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,EAAE,OAAO,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAe;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,MAAM;QAAE,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAE9C,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;QACtC,OAAO,kBAAkB,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC/D,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8CAA8C;IAC9C,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,wEAAwE;IACxE,oEAAoE;IACpE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,eAAe,EAAE,EAAE,CAAC;QAChE,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;QAC1C,IAAI,UAAU;YAAE,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAEtD,uEAAuE;QACvE,mEAAmE;QACnE,mDAAmD;QACnD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC7D,IAAI,UAAU;YAAE,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAEtD,yEAAyE;QACzE,wEAAwE;QACxE,sEAAsE;QACtE,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QACtE,IAAI,SAAS;YAAE,OAAO,WAAW,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;IACnE,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC","sourcesContent":["/**\n * Resolve the canonical URL of this app — used in transactional emails,\n * invite links, and anywhere we need an absolute URL that remains valid\n * outside the current request context.\n *\n * Resolution order:\n *   1. `APP_URL` env var — explicit override\n *   2. `BETTER_AUTH_URL` env var — Better Auth's canonical URL\n *   3. `WORKSPACE_GATEWAY_URL` — local multi-app workspace gateway\n *   4. First-party template `prodUrl` from the registry (matched by\n *      package.json name) — lets deployed first-party apps (mail,\n *      calendar, analytics, …) use e.g. `analytics.agent-native.com`\n *      instead of their Netlify preview hostname.\n *   5. Incoming request's origin (when an H3Event is available)\n *   6. Platform-injected URL (Netlify `URL`, Vercel `VERCEL_URL`) —\n *      automatically set by the hosting platform, so user-deployed apps\n *      get a real hostname in emails without needing to set `APP_URL`.\n *   7. `http://localhost:3000`\n */\nimport { getRequestURL, type H3Event } from \"h3\";\nimport path from \"node:path\";\nimport fs from \"node:fs\";\nimport { TEMPLATES } from \"../cli/templates-meta.js\";\nimport { isLocalDatabase } from \"../db/client.js\";\n\nlet cachedPkgName: string | undefined | null = null;\n\n/**\n * Read the app's package name, validated against the first-party template\n * registry. On serverless runtimes (Netlify Functions, Cloudflare Workers),\n * `process.cwd()` may point at a bundler-generated package.json with a\n * bogus name (e.g. Nitro's \"traced-node-modules\"). Only trust the name if\n * it matches a known template.\n */\nfunction readPackageName(): string | undefined {\n  if (cachedPkgName !== null) return cachedPkgName ?? undefined;\n  try {\n    const pkgPath = path.join(process.cwd(), \"package.json\");\n    const pkg = JSON.parse(fs.readFileSync(pkgPath, \"utf8\"));\n    const name = typeof pkg?.name === \"string\" ? pkg.name : undefined;\n    const isKnown = name && TEMPLATES.some((t) => t.name === name);\n    cachedPkgName = isKnown ? name : undefined;\n  } catch {\n    cachedPkgName = undefined;\n  }\n  return cachedPkgName ?? undefined;\n}\n\n/** Strip trailing slashes for consistent URL concatenation. */\nfunction stripTrailingSlash(u: string): string {\n  return u.replace(/\\/+$/, \"\");\n}\n\n/**\n * Look up the first-party template `prodUrl` for the current app based on\n * its `package.json` name. Returns undefined if the app isn't a known\n * first-party template or the template has no `prodUrl`.\n */\nexport function getFirstPartyProdUrl(): string | undefined {\n  const name = readPackageName();\n  if (!name) return undefined;\n  const t = TEMPLATES.find((t) => t.name === name);\n  return t?.prodUrl;\n}\n\nexport function getAppProductionUrl(event?: H3Event): string {\n  const envUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL;\n  if (envUrl) return stripTrailingSlash(envUrl);\n\n  if (process.env.WORKSPACE_GATEWAY_URL) {\n    return stripTrailingSlash(process.env.WORKSPACE_GATEWAY_URL);\n  }\n\n  // Prefer the incoming request's origin when we have one — for local dev\n  // this is `http://localhost:3000`, which keeps Better Auth from setting\n  // `Secure` cookies on plain-HTTP dev servers.\n  if (event) {\n    try {\n      const url = getRequestURL(event);\n      return `${url.protocol}//${url.host}`;\n    } catch {\n      // fall through\n    }\n  }\n\n  // Fall back to a first-party template's hard-coded prod URL when we're\n  // running in production OR on a remote database (Neon/Postgres/Turso).\n  // A remote DB means we're deployed even if NODE_ENV isn't explicitly\n  // \"production\" (e.g. Netlify Functions). In local dev with SQLite, skip\n  // this — the hard-coded URL breaks auth via Secure cookies on HTTP.\n  if (process.env.NODE_ENV === \"production\" || !isLocalDatabase()) {\n    const firstParty = getFirstPartyProdUrl();\n    if (firstParty) return stripTrailingSlash(firstParty);\n\n    // Netlify injects `URL` (main site URL, always https) and `DEPLOY_URL`\n    // (deploy-specific URL). Prefer `URL` so emails always link to the\n    // primary domain rather than a preview branch URL.\n    const netlifyUrl = process.env.URL || process.env.DEPLOY_URL;\n    if (netlifyUrl) return stripTrailingSlash(netlifyUrl);\n\n    // Vercel injects `VERCEL_PROJECT_PRODUCTION_URL` (custom/primary domain,\n    // no protocol) and `VERCEL_URL` (ephemeral deployment hostname). Prefer\n    // the production URL so emails use the real domain, not *.vercel.app.\n    const vercelUrl =\n      process.env.VERCEL_PROJECT_PRODUCTION_URL || process.env.VERCEL_URL;\n    if (vercelUrl) return `https://${stripTrailingSlash(vercelUrl)}`;\n  }\n\n  return \"http://localhost:3000\";\n}\n"]}

package/dist/server/auth.d.ts

@@ -121,7 +121,15 @@ export declare function removeSession(token: string): Promise<void>;
  * Returns null if the session doesn't exist, is expired, or has no email.
  */
 export declare function getSessionEmail(token: string): Promise<string | null>;
+export interface DesktopExchangeErrorPayload {
+    message: string;
+    code?: string;
+    accountId?: string;
+    existingOwner?: string;
+    attemptedOwner?: string;
+}
 export declare function setDesktopExchange(flowId: string, token: string, email: string): void;
+export declare function setDesktopExchangeError(flowId: string, error: DesktopExchangeErrorPayload): void;
 /**
  * Run the auth guard on an event. Returns a Response/object to block the
  * request (login page or 401), or undefined to allow it through.

package/dist/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAuBlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AAqDjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAoKD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAsDD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AA8ED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AA+NrD;;;;;;;;;;;;GAYG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAiJ5E;AAswCD;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CA+KlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAuBlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AA8DjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAoKD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AA8CD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAeD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AA+NrD;;;;;;;;;;;;GAYG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAwI5E;AAqyCD;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CA+KlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}

package/dist/server/auth.js

@@ -79,6 +79,16 @@ const APP_NAME_SLUG = (process.env.APP_NAME || "")
 export const COOKIE_NAME = APP_NAME_SLUG
     ? `an_session_${APP_NAME_SLUG}`
     : "an_session";
+function getOAuthStateAppId() {
+    const raw = process.env.APP_NAME || process.env.npm_package_name;
+    if (!raw)
+        return undefined;
+    const slug = raw
+        .toLowerCase()
+        .replace(/[^a-z0-9-]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+    return slug || undefined;
+}
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
 const LOCAL_MODE_MARKER_PATH = path.resolve(process.cwd(), ".agent-native", "auth-mode");
 // ---------------------------------------------------------------------------
@@ -368,16 +378,8 @@ function setGenericGoogleOAuthRoutesEnabled(app, enabled) {
 function areGenericGoogleOAuthRoutesEnabled(app) {
     return _genericGoogleOAuthRoutesEnabled.get(app) !== false;
 }
-// Desktop OAuth exchange store — holds session tokens keyed by a unique flow
-// ID so native apps (Tauri, Electron) that open OAuth in the system browser
-// can retrieve the token after the callback completes on the server.
-//
-// Primary: in-memory Map (fast, works for single-instance dev/preview builds).
-// Fallback: sessions table with a "dex:" prefixed key for cross-instance
-// durability (Cloudflare Workers, multi-region deployments). The value stored
-// in the `email` column is "{realToken}::{userEmail}" so both can be recovered
-// from a single DB lookup.
 const _desktopExchanges = new Map();
+const DESKTOP_EXCHANGE_ERROR_PREFIX = "__error__::";
 // 5-minute TTL for exchange entries (short — single-use tokens).
 const DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;
 export function setDesktopExchange(flowId, token, email) {
@@ -391,6 +393,13 @@ export function setDesktopExchange(flowId, token, email) {
     // callback path).
     void persistDesktopExchangeToDB(flowId, token, email);
 }
+export function setDesktopExchangeError(flowId, error) {
+    _desktopExchanges.set(flowId, {
+        error,
+        expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,
+    });
+    void persistDesktopExchangeErrorToDB(flowId, error);
+}
 /**
  * Persist a desktop exchange entry to the sessions table so it survives
  * cross-instance routing (e.g. Cloudflare Workers). Stored under a synthetic
@@ -407,6 +416,15 @@ async function persistDesktopExchangeToDB(flowId, token, email) {
         // non-fatal — in-memory Map is the primary path
     }
 }
+async function persistDesktopExchangeErrorToDB(flowId, error) {
+    try {
+        const payload = Buffer.from(JSON.stringify(error)).toString("base64url");
+        await addSession(`dex:${flowId}`, `${DESKTOP_EXCHANGE_ERROR_PREFIX}${payload}`);
+    }
+    catch {
+        // non-fatal — in-memory Map is the primary path
+    }
+}
 /**
  * Retrieve and consume a desktop exchange entry from the DB fallback.
  * Returns null if not found or already consumed.
@@ -429,6 +447,12 @@ async function consumeDesktopExchangeFromDB(flowId) {
         const packed = (rows[0].email ?? rows[0][0]);
         if (!packed)
             return null;
+        if (packed.startsWith(DESKTOP_EXCHANGE_ERROR_PREFIX)) {
+            const raw = packed.slice(DESKTOP_EXCHANGE_ERROR_PREFIX.length);
+            return {
+                error: JSON.parse(Buffer.from(raw, "base64url").toString()),
+            };
+        }
         const sepIdx = packed.indexOf("::");
         if (sepIdx === -1)
             return null;
@@ -705,6 +729,9 @@ export async function getSession(event) {
         catch {
             // Better Auth not initialized yet
         }
+        const querySession = await promoteQuerySession(event);
+        if (querySession)
+            return querySession;
         return LOCAL_SESSION;
     }
     // 2. ACCESS_TOKEN check (programmatic/agent access)
@@ -776,20 +803,9 @@ export async function getSession(event) {
         }
     }
     // 6. Mobile WebView bridge — _session query param
-    const qToken = getQuery(event)?._session;
-    if (qToken) {
-        const email = await getSessionEmail(qToken);
-        if (email) {
-            setCookie(event, COOKIE_NAME, qToken, {
-                httpOnly: true,
-                ...crossSiteCookieAttrs(event),
-                path: "/",
-                maxAge: sessionMaxAge,
-            });
-            setResponseHeader(event, "Referrer-Policy", "no-referrer");
-            return { email, token: qToken };
-        }
-    }
+    const querySession = await promoteQuerySession(event);
+    if (querySession)
+        return querySession;
     // 7. Dev-mode safety net — in development on a local SQLite database, fall
     // back to local@localhost so the app is usable without any auth configuration.
     // This prevents 401 errors when Better Auth isn't configured, the marker file
@@ -818,6 +834,17 @@ export async function getSession(event) {
     }
     return null;
 }
+async function promoteQuerySession(event) {
+    const qToken = getQuery(event)?._session;
+    if (!qToken)
+        return null;
+    const email = await getSessionEmail(qToken);
+    if (!email)
+        return null;
+    setFrameworkSessionCookie(event, qToken);
+    setResponseHeader(event, "Referrer-Policy", "no-referrer");
+    return { email, token: qToken };
+}
 /**
  * Cookie set by POST /_agent-native/auth/exit-local-mode so we know the user
  * is in the middle of upgrading from local@localhost to a real account.
@@ -871,6 +898,14 @@ function crossSiteCookieAttrs(event) {
         ? { sameSite: "none", secure: true }
         : { sameSite: "lax", secure: false };
 }
+function setFrameworkSessionCookie(event, token) {
+    setCookie(event, COOKIE_NAME, token, {
+        httpOnly: true,
+        ...crossSiteCookieAttrs(event),
+        path: "/",
+        maxAge: sessionMaxAge,
+    });
+}
 function isHttpsRequest(event) {
     try {
         const req = event.req ?? event.node?.req;
@@ -1144,7 +1179,14 @@ async function mountBetterAuthRoutes(app, options) {
             const returnQuery = q.return;
             const validated = typeof returnQuery === "string" ? safeReturnPath(returnQuery) : "/";
             const returnUrl = validated !== "/" ? validated : undefined;
-            const state = encodeOAuthState(redirectUri, undefined, desktop, false, undefined, returnUrl, flowId);
+            const state = encodeOAuthState({
+                redirectUri,
+                desktop,
+                addAccount: false,
+                app: getOAuthStateAppId(),
+                returnUrl,
+                flowId,
+            });
             const params = new URLSearchParams({
                 client_id: process.env.GOOGLE_CLIENT_ID,
                 redirect_uri: redirectUri,
@@ -1269,16 +1311,27 @@ async function mountBetterAuthRoutes(app, options) {
             if (!fromDb) {
                 return { pending: true };
             }
-            entry = {
-                token: fromDb.token,
-                email: fromDb.email,
-                expiresAt: Date.now() + 1, // already consumed from DB
-            };
+            entry =
+                "error" in fromDb
+                    ? { error: fromDb.error, expiresAt: Date.now() + 1 }
+                    : {
+                        token: fromDb.token,
+                        email: fromDb.email,
+                        expiresAt: Date.now() + 1,
+                    };
         }
         _desktopExchanges.delete(flowId);
         // Also wipe the DB-persisted entry so it cannot be replayed via the
         // DB fallback path after in-memory consumption.
         void removeSession(`dex:${flowId}`);
+        if ("error" in entry) {
+            return { error: entry.error.message, ...entry.error };
+        }
+        // Make the exchange itself establish the app session. Older clients
+        // still make a follow-up /auth/session?_session=... request, but the
+        // OAuth handoff should not depend on that second request succeeding.
+        setFrameworkSessionCookie(event, entry.token);
+        setResponseHeader(event, "Referrer-Policy", "no-referrer");
         return { token: entry.token, email: entry.email };
     }));
     const accessTokens = getAccessTokens();