npm - @agent-native/core - Versions diffs - 0.7.19 → 0.7.20 - Mend

@agent-native/core 0.7.19 → 0.7.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/README.md +1 -1
package/dist/agent/engine/builder-engine.d.ts.map +1 -1
package/dist/agent/engine/builder-engine.js +45 -2
package/dist/agent/engine/builder-engine.js.map +1 -1
package/dist/agent/loop-settings.d.ts +37 -0
package/dist/agent/loop-settings.d.ts.map +1 -0
package/dist/agent/loop-settings.js +127 -0
package/dist/agent/loop-settings.js.map +1 -0
package/dist/agent/production-agent.d.ts +8 -0
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +268 -29
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts.map +1 -1
package/dist/agent/run-manager.js +76 -3
package/dist/agent/run-manager.js.map +1 -1
package/dist/agent/run-store.d.ts +1 -1
package/dist/agent/run-store.d.ts.map +1 -1
package/dist/agent/run-store.js +65 -2
package/dist/agent/run-store.js.map +1 -1
package/dist/agent/thread-data-builder.d.ts +3 -0
package/dist/agent/thread-data-builder.d.ts.map +1 -1
package/dist/agent/thread-data-builder.js +52 -10
package/dist/agent/thread-data-builder.js.map +1 -1
package/dist/agent/tool-search.d.ts +37 -0
package/dist/agent/tool-search.d.ts.map +1 -0
package/dist/agent/tool-search.js +201 -0
package/dist/agent/tool-search.js.map +1 -0
package/dist/agent/types.d.ts +8 -1
package/dist/agent/types.d.ts.map +1 -1
package/dist/agent/types.js.map +1 -1
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +44 -9
package/dist/cli/create.js.map +1 -1
package/dist/cli/workspacify.d.ts +2 -0
package/dist/cli/workspacify.d.ts.map +1 -1
package/dist/cli/workspacify.js +34 -1
package/dist/cli/workspacify.js.map +1 -1
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +277 -18
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
package/dist/client/ConnectBuilderCard.js +1 -1
package/dist/client/ConnectBuilderCard.js.map +1 -1
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +14 -6
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/NewWorkspaceAppFlow.d.ts +14 -0
package/dist/client/NewWorkspaceAppFlow.d.ts.map +1 -0
package/dist/client/NewWorkspaceAppFlow.js +200 -0
package/dist/client/NewWorkspaceAppFlow.js.map +1 -0
package/dist/client/PoweredByBadge.d.ts +10 -1
package/dist/client/PoweredByBadge.d.ts.map +1 -1
package/dist/client/PoweredByBadge.js +120 -8
package/dist/client/PoweredByBadge.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts +3 -5
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +26 -19
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.d.ts.map +1 -1
package/dist/client/agent-chat.js +15 -3
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/analytics.d.ts +1 -1
package/dist/client/analytics.d.ts.map +1 -1
package/dist/client/analytics.js +141 -1
package/dist/client/analytics.js.map +1 -1
package/dist/client/builder-frame.d.ts +10 -0
package/dist/client/builder-frame.d.ts.map +1 -0
package/dist/client/builder-frame.js +94 -0
package/dist/client/builder-frame.js.map +1 -0
package/dist/client/composer/MentionPopover.d.ts.map +1 -1
package/dist/client/composer/MentionPopover.js +5 -1
package/dist/client/composer/MentionPopover.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +11 -6
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/error-format.d.ts +20 -1
package/dist/client/error-format.d.ts.map +1 -1
package/dist/client/error-format.js +53 -5
package/dist/client/error-format.js.map +1 -1
package/dist/client/index.d.ts +3 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +3 -1
package/dist/client/index.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +88 -6
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +145 -9
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/useBuilderStatus.d.ts +13 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
package/dist/client/settings/useBuilderStatus.js +50 -9
package/dist/client/settings/useBuilderStatus.js.map +1 -1
package/dist/client/sse-event-processor.d.ts +3 -0
package/dist/client/sse-event-processor.d.ts.map +1 -1
package/dist/client/sse-event-processor.js +88 -7
package/dist/client/sse-event-processor.js.map +1 -1
package/dist/client/tools/ToolsListPage.d.ts.map +1 -1
package/dist/client/tools/ToolsListPage.js +16 -1
package/dist/client/tools/ToolsListPage.js.map +1 -1
package/dist/client/tools/ToolsSidebarSection.d.ts.map +1 -1
package/dist/client/tools/ToolsSidebarSection.js +63 -8
package/dist/client/tools/ToolsSidebarSection.js.map +1 -1
package/dist/client/tools/tool-order.d.ts +7 -0
package/dist/client/tools/tool-order.d.ts.map +1 -0
package/dist/client/tools/tool-order.js +47 -0
package/dist/client/tools/tool-order.js.map +1 -0
package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
package/dist/client/transcription/BuilderTranscriptionCta.js +71 -6
package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
package/dist/client/use-send-to-agent-chat.d.ts.map +1 -1
package/dist/client/use-send-to-agent-chat.js +11 -3
package/dist/client/use-send-to-agent-chat.js.map +1 -1
package/dist/client/useProductionAgent.d.ts.map +1 -1
package/dist/client/useProductionAgent.js +1 -1
package/dist/client/useProductionAgent.js.map +1 -1
package/dist/db/client.d.ts.map +1 -1
package/dist/db/client.js +5 -1
package/dist/db/client.js.map +1 -1
package/dist/deploy/build.d.ts +1 -0
package/dist/deploy/build.d.ts.map +1 -1
package/dist/deploy/build.js +4 -1
package/dist/deploy/build.js.map +1 -1
package/dist/oauth-tokens/index.d.ts +1 -1
package/dist/oauth-tokens/index.d.ts.map +1 -1
package/dist/oauth-tokens/index.js +1 -1
package/dist/oauth-tokens/index.js.map +1 -1
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +6 -0
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/observability/store.d.ts.map +1 -1
package/dist/observability/store.js +19 -19
package/dist/observability/store.js.map +1 -1
package/dist/onboarding/default-steps.d.ts.map +1 -1
package/dist/onboarding/default-steps.js +95 -61
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/onboarding/plugin.d.ts.map +1 -1
package/dist/onboarding/plugin.js +17 -8
package/dist/onboarding/plugin.js.map +1 -1
package/dist/org/migrations.js +2 -2
package/dist/org/migrations.js.map +1 -1
package/dist/scripts/agent-engines/list-agent-engines.d.ts.map +1 -1
package/dist/scripts/agent-engines/list-agent-engines.js +2 -3
package/dist/scripts/agent-engines/list-agent-engines.js.map +1 -1
package/dist/scripts/db/exec.d.ts +2 -1
package/dist/scripts/db/exec.d.ts.map +1 -1
package/dist/scripts/db/exec.js +264 -61
package/dist/scripts/db/exec.js.map +1 -1
package/dist/scripts/db/schema.d.ts.map +1 -1
package/dist/scripts/db/schema.js +16 -4
package/dist/scripts/db/schema.js.map +1 -1
package/dist/scripts/dev/index.d.ts.map +1 -1
package/dist/scripts/dev/index.js +36 -11
package/dist/scripts/dev/index.js.map +1 -1
package/dist/scripts/manage-agent-loop-settings.d.ts +7 -0
package/dist/scripts/manage-agent-loop-settings.d.ts.map +1 -0
package/dist/scripts/manage-agent-loop-settings.js +63 -0
package/dist/scripts/manage-agent-loop-settings.js.map +1 -0
package/dist/scripts/runner.d.ts.map +1 -1
package/dist/scripts/runner.js +11 -0
package/dist/scripts/runner.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +60 -18
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/app-url.d.ts +5 -4
package/dist/server/app-url.d.ts.map +1 -1
package/dist/server/app-url.js +8 -4
package/dist/server/app-url.js.map +1 -1
package/dist/server/auth.d.ts +8 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +82 -29
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +16 -5
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +12 -0
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +36 -4
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +350 -53
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/credential-provider.d.ts +21 -3
package/dist/server/credential-provider.d.ts.map +1 -1
package/dist/server/credential-provider.js +51 -21
package/dist/server/credential-provider.js.map +1 -1
package/dist/server/google-oauth.d.ts +3 -0
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +27 -3
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +4 -3
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +4 -3
package/dist/server/index.js.map +1 -1
package/dist/server/schema-prompt.d.ts.map +1 -1
package/dist/server/schema-prompt.js +2 -1
package/dist/server/schema-prompt.js.map +1 -1
package/dist/server/security-headers.d.ts +3 -0
package/dist/server/security-headers.d.ts.map +1 -1
package/dist/server/security-headers.js +7 -1
package/dist/server/security-headers.js.map +1 -1
package/dist/server/ssr-handler.d.ts.map +1 -1
package/dist/server/ssr-handler.js +24 -4
package/dist/server/ssr-handler.js.map +1 -1
package/dist/templates/default/_gitignore +5 -1
package/dist/templates/default/app/root.tsx +1 -0
package/dist/templates/default/public/favicon.svg +3 -3
package/dist/templates/default/public/icon-180.svg +3 -3
package/dist/templates/default/public/icon-192.svg +3 -3
package/dist/templates/default/public/icon-512.svg +3 -3
package/dist/templates/workspace-core/AGENTS.md +23 -7
package/dist/templates/workspace-core/package.json +2 -1
package/dist/templates/workspace-core/src/credentials.ts +22 -11
package/dist/templates/workspace-root/.env.example +7 -0
package/dist/templates/workspace-root/README.md +6 -3
package/dist/templates/workspace-root/_gitignore +3 -0
package/dist/templates/workspace-root/package.json +3 -1
package/dist/templates/workspace-root/scripts/workspace-dev.ts +410 -0
package/dist/tools/actions.d.ts.map +1 -1
package/dist/tools/actions.js +2 -0
package/dist/tools/actions.js.map +1 -1
package/dist/tools/html-shell.d.ts.map +1 -1
package/dist/tools/html-shell.js +13 -1
package/dist/tools/html-shell.js.map +1 -1
package/dist/tools/store.d.ts.map +1 -1
package/dist/tools/store.js +10 -10
package/dist/tools/store.js.map +1 -1
package/dist/tracking/providers.d.ts +1 -0
package/dist/tracking/providers.d.ts.map +1 -1
package/dist/tracking/providers.js +72 -0
package/dist/tracking/providers.js.map +1 -1
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +106 -9
package/dist/vite/action-types-plugin.js.map +1 -1
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +67 -2
package/dist/vite/client.js.map +1 -1
package/docs/content/authentication.md +17 -13
package/docs/content/deployment.md +11 -11
package/docs/content/mcp-clients.md +2 -2
package/docs/content/onboarding.md +32 -30
package/docs/content/security.md +1 -1
package/docs/content/tools.md +4 -0
package/package.json +2 -2
package/src/templates/default/_gitignore +5 -1
package/src/templates/default/app/root.tsx +1 -0
package/src/templates/default/public/favicon.svg +3 -3
package/src/templates/default/public/icon-180.svg +3 -3
package/src/templates/default/public/icon-192.svg +3 -3
package/src/templates/default/public/icon-512.svg +3 -3
package/src/templates/workspace-core/AGENTS.md +23 -7
package/src/templates/workspace-core/package.json +2 -1
package/src/templates/workspace-core/src/credentials.ts +22 -11
package/src/templates/workspace-root/.env.example +7 -0
package/src/templates/workspace-root/README.md +6 -3
package/src/templates/workspace-root/_gitignore +3 -0
package/src/templates/workspace-root/package.json +3 -1
package/src/templates/workspace-root/scripts/workspace-dev.ts +410 -0

package/dist/server/core-routes-plugin.js CHANGED Viewed

@@ -1,11 +1,11 @@
 import { getH3App, awaitBootstrap } from "./framework-request-handler.js";
-import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, } from "h3";
+import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getHeader, } from "h3";
 import path from "node:path";
 import { createPollHandler } from "./poll.js";
 import { createSSEHandler } from "./sse.js";
 import { upsertEnvFile } from "./create-server.js";
 import { readBody } from "./h3-helpers.js";
-import { BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderBrowserStatusForEvent, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderCallbackState, } from "./builder-browser.js";
+import { BUILDER_ENV_KEYS, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderBranchProjectId, getBuilderBrowserStatusForEvent, isBuilderBranchingEnabled, resolveSafePreviewUrl, runBuilderAgent, } from "./builder-browser.js";
 import { getState, putState, deleteState, listComposeDrafts, getComposeDraft, putComposeDraft, deleteComposeDraft, deleteAllComposeDrafts, } from "../application-state/handlers.js";
 import { getSetting, putSetting, deleteSetting } from "../settings/store.js";
 import { getUserSetting, putUserSetting, deleteUserSetting, } from "../settings/user-settings.js";
@@ -19,6 +19,7 @@ import { readMultipartFormData } from "h3";
 import { createListSecretsHandler, createWriteSecretHandler, createTestSecretHandler, createAdHocSecretHandler, } from "../secrets/routes.js";
 import { registerFrameworkSecrets } from "../secrets/register-framework-secrets.js";
 import { registerBuiltinProviders } from "../tracking/providers.js";
+import { track } from "../tracking/index.js";
 import { registerBuiltinNotificationChannels } from "../notifications/channels.js";
 import { createNotificationsHandler } from "../notifications/routes.js";
 import { createProgressHandler } from "../progress/routes.js";
@@ -26,7 +27,9 @@ import { createTranscribeVoiceHandler } from "./transcribe-voice.js";
 import { runWithRequestContext } from "./request-context.js";
 import { createVoiceProvidersStatusHandler } from "./voice-providers-status.js";
 import { PROVIDER_ENV_META } from "../agent/engine/provider-env-vars.js";
+import { canUpdateAgentLoopSettings, readAgentLoopSettings, resetAgentLoopSettings, validateMaxIterationsInput, writeAgentLoopSettings, } from "../agent/loop-settings.js";
 import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, detectEngineFromUserSecrets, isStoredEngineUsable, } from "../agent/engine/registry.js";
+import { getOrgContext } from "../org/context.js";
 /**
  * The base path prefix for all framework-level routes.
  * All agent-native core routes live under this namespace to avoid
@@ -53,6 +56,14 @@ function isEnvVarWriteAllowed() {
         return true;
     return isDevEnvironment() && isLocalDatabase();
 }
+function trackBuilderLifecycle(name, userEmail, properties = {}) {
+    if (!userEmail)
+        return;
+    track(name, {
+        feature: "builder",
+        ...properties,
+    }, { userId: userEmail });
+}
 function normalizeAppBasePath(value) {
     if (!value || value === "/")
         return "";
@@ -295,15 +306,17 @@ export function createCoreRoutesPlugin(options = {}) {
         }
         getH3App(nitroApp).use(`${P}/builder/status`, defineEventHandler(async (event) => {
             const envStatus = getBuilderBrowserStatusForEvent(event);
-            // Read session once so we can establish per-user request context for
-            // credential resolution. Without this, resolveBuilderCredentials()
-            // calls getRequestUserEmail() on an empty AsyncLocalStorage store and
-            // falls through to process.env — causing the connection state to
-            // flicker between requests depending on stale env values.
             const session = await getSession(event).catch(() => null);
             const userEmail = session?.email;
+            // Env-managed mode: BUILDER_PRIVATE_KEY is set at the deployment
+            // level, so every user shares the operator's Builder identity.
+            // Skip per-user lookups entirely — the env key is authoritative
+            // and the UI must hide the connect/disconnect controls.
+            if (envStatus.envManaged) {
+                return envStatus;
+            }
             return runWithRequestContext({ userEmail }, async () => {
-                // Check per-user credentials first (stored in app_secrets).
+                // Per-user OAuth mode: read the user's app_secrets-stored creds.
                 try {
                     const { resolveBuilderCredentials } = await import("./credential-provider.js");
                     const creds = await resolveBuilderCredentials();
@@ -352,7 +365,7 @@ export function createCoreRoutesPlugin(options = {}) {
                     }
                 }
                 catch {
-                    // settings store unavailable — fall through to legacy/env status
+                    // settings store unavailable — fall through
                 }
                 // Honor legacy disconnect flag for existing deployments.
                 try {
@@ -370,49 +383,160 @@ export function createCoreRoutesPlugin(options = {}) {
                     }
                 }
                 catch {
-                    // DB not reachable — fall back to env-only status.
+                    // DB not reachable
                 }
-                // For authenticated non-local users who have no per-user credentials,
-                // explicitly return not-configured rather than deploy-level env keys.
-                // This is consistent with resolveBuilderCredential()'s design which
-                // refuses the env fallback for authenticated users to prevent
-                // cross-tenant credential leakage in shared-DB deployments.
-                if (userEmail && userEmail !== DEV_MODE_USER_EMAIL) {
-                    return {
-                        ...envStatus,
-                        configured: false,
-                        privateKeyConfigured: false,
-                        publicKeyConfigured: false,
-                        userId: undefined,
-                        orgName: undefined,
-                        orgKind: undefined,
-                    };
-                }
-                return envStatus;
+                // No env, no per-user creds → not configured. Both authenticated
+                // and unauthenticated callers see "not connected" so they can
+                // run through the OAuth flow.
+                return {
+                    ...envStatus,
+                    configured: false,
+                    privateKeyConfigured: false,
+                    publicKeyConfigured: false,
+                    userId: undefined,
+                    orgName: undefined,
+                    orgKind: undefined,
+                };
             });
         }));
+        // How long a pending-connect row is valid. Must be long enough for
+        // the user to complete the Builder CLI-auth flow, but short enough
+        // that a stale row from an abandoned attempt doesn't accept a new
+        // callback minutes later.
+        const BUILDER_CONNECT_PENDING_TTL_MS = 10 * 60 * 1000; // 10 min
+        // Decide whether a /builder/connect navigation originated from this
+        // app's own UI (allowed) or from a foreign origin (cross-site CSRF
+        // attempt — rejected). Sec-Fetch-Site is the modern signal:
+        //   - "same-origin": user clicked Connect from our own pages — allow
+        //   - "none": typed in URL bar / bookmark / browser extension — allow
+        //   - "same-site" / "cross-site" / missing-but-with-foreign-Origin
+        //     all map to reject.
+        // For older browsers without Sec-Fetch-* we fall back to Origin and
+        // then Referer, comparing against the request's resolved origin.
+        function isSameOriginConnect(event) {
+            const fetchSite = getHeader(event, "sec-fetch-site");
+            if (fetchSite === "same-origin" || fetchSite === "none")
+                return true;
+            if (fetchSite)
+                return false; // browser told us it's cross-site/same-site
+            const expected = getOrigin(event).replace(/\/+$/, "");
+            const origin = getHeader(event, "origin");
+            if (origin)
+                return origin.replace(/\/+$/, "") === expected;
+            const referer = getHeader(event, "referer");
+            if (referer) {
+                try {
+                    return new URL(referer).origin === expected;
+                }
+                catch {
+                    return false;
+                }
+            }
+            // No Sec-Fetch-Site, no Origin, no Referer — pre-2020 browser
+            // making a top-level navigation. Allow; cookies are still
+            // session-bound so the worst case degrades to the prior behavior.
+            return true;
+        }
         // Lightweight 302 to the Builder CLI-auth URL. Lets clients do
         // `window.open('/_agent-native/builder/connect', '_blank')` synchronously
         // inside a click handler, avoiding the popup-blocker downgrade that
-        // happens when an await sits before window.open. We mint a signed
-        // CSRF state here and embed it in the callback URL we hand to
-        // Builder; the callback handler verifies it before accepting any
-        // keys. See `signBuilderCallbackState` for the threat model.
+        // happens when an await sits before window.open.
+        //
+        // CSRF protection here is two-layer because session cookies are
+        // SameSite=None;Secure (so the editor iframe can ride along) — that
+        // means a session cookie alone does NOT prevent cross-origin
+        // window.open from initiating a connect flow on the victim's behalf:
+        //   1. Sec-Fetch-Site header — modern browsers stamp every request
+        //      with the navigation context. We only allow `same-origin` or
+        //      `none` (typed/bookmark/extension); cross-site / same-site are
+        //      rejected. The previous "URL-embedded signed state" was dropped
+        //      because Builder's /cli-auth strips arbitrary query params; this
+        //      replaces that defense with a browser-native one.
+        //   2. Pending row keyed by session email + bound nonce — the callback
+        //      requires both a valid session and a one-time row that this
+        //      handler wrote during the same flow. Without the same-origin
+        //      check above, an attacker could prime the row from cross-site
+        //      and then trick the victim into hitting a callback URL with
+        //      attacker-controlled p-key/api-key, hijacking the victim's
+        //      account. With the check, the attacker can't prime the row.
         getH3App(nitroApp).use(`${P}/builder/connect`, defineEventHandler(async (event) => {
             const session = await getSession(event).catch(() => null);
             if (!session?.email) {
                 setResponseStatus(event, 401);
                 return { error: "Authentication required" };
             }
-            const state = signBuilderCallbackState(session.email);
-            const cliAuthUrl = buildBuilderCliAuthUrl(getOrigin(event), state);
+            // Env-managed mode: per-user OAuth is disabled because the operator
+            // already provided a deploy-level Builder identity. Reject the
+            // connect attempt — any per-user keys we wrote would be ignored
+            // by the resolver, so completing the OAuth flow would be a no-op
+            // that misleads the user about the resulting connection state.
+            const { isBuilderEnvManaged } = await import("./credential-provider.js");
+            if (isBuilderEnvManaged()) {
+                setResponseStatus(event, 409);
+                return {
+                    error: "Builder is managed by the deployment (BUILDER_PRIVATE_KEY is set). Per-user connect is disabled.",
+                    envManaged: true,
+                };
+            }
+            // Same-origin gate. Sec-Fetch-Site is the primary signal; fall
+            // back to Origin/Referer for older browsers. Reject any context
+            // that isn't this exact app's origin — including same-site
+            // subdomains, since a compromised subdomain shouldn't be able
+            // to mint Builder credential writes for users of the main app.
+            if (!isSameOriginConnect(event)) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "cross_origin",
+                    stage: "connect",
+                });
+                setResponseStatus(event, 403);
+                return { error: "Cross-origin connect requests are not allowed" };
+            }
+            // Clear any prior failure row from a previous attempt — otherwise
+            // useBuilderStatus polling sees the stale error and aborts the
+            // new attempt before it can complete.
+            try {
+                await deleteSetting(`builder-connect-error:${session.email}`);
+            }
+            catch {
+                // No prior error row — fine
+            }
+            // Store a short-lived pending row. If the DB is unavailable we
+            // surface a popup-renderable error page that signals the parent
+            // via BroadcastChannel, rather than letting the popup show raw
+            // JSON and the parent poll for 5 minutes.
+            try {
+                await putSetting(`builder-pending-connect:${session.email}`, {
+                    expiresAt: Date.now() + BUILDER_CONNECT_PENDING_TTL_MS,
+                });
+            }
+            catch (err) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "pending_storage_unavailable",
+                    stage: "connect",
+                });
+                const msg = "Could not initiate Builder connect — storage unavailable. Try again.";
+                console.error("[builder] Could not store pending-connect state:", err?.message ?? err);
+                // Best-effort: also write the error row so the parent's
+                // /builder/status poll picks it up if BroadcastChannel doesn't.
+                await putSetting(`builder-connect-error:${session.email}`, {
+                    message: msg,
+                    at: Date.now(),
+                }).catch(() => { });
+                setResponseStatus(event, 503);
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(msg);
+            }
+            trackBuilderLifecycle("builder connect started", session.email, {
+                stage: "connect",
+            });
+            // Build the cli-auth URL without embedding state in redirect_url:
+            // Builder's /cli-auth appends params directly to redirect_url and
+            // does not preserve any pre-existing query string we put there.
+            const cliAuthUrl = buildBuilderCliAuthUrl(getOrigin(event), null);
             setResponseStatus(event, 302);
             setResponseHeader(event, "Location", cliAuthUrl);
             return "";
         }));
-        // Hardcoded for the early preview — later this will come from workspace/org
-        // config so each team can point at its own Builder project.
-        const DEFAULT_BUILDER_PROJECT_ID = "274d28fec94b48f2b2d68f2274d390eb";
         getH3App(nitroApp).use(`${P}/builder/run`, defineEventHandler(async (event) => {
             if (getMethod(event) !== "POST") {
                 setResponseStatus(event, 405);
@@ -442,6 +566,12 @@ export function createCoreRoutesPlugin(options = {}) {
                 return { error: "A signed-in user is required to run Builder" };
             }
             const userEmail = session.email;
+            if (!isBuilderBranchingEnabled()) {
+                setResponseStatus(event, 403);
+                return {
+                    error: "Builder branch creation is not enabled for this deployment. Set ENABLE_BUILDER=true or BUILDER_BRANCH_PROJECT_ID.",
+                };
+            }
             // Wrap in runWithRequestContext so resolveBuilderCredential() inside
             // runBuilderAgent() resolves per-user app_secrets rather than falling
             // through to process.env — the same pattern the /builder/status endpoint
@@ -458,7 +588,7 @@ export function createCoreRoutesPlugin(options = {}) {
                 try {
                     const result = await runBuilderAgent({
                         prompt,
-                        projectId: DEFAULT_BUILDER_PROJECT_ID,
+                        projectId: getBuilderBranchProjectId(),
                         branchName: typeof body?.branchName === "string"
                             ? body.branchName
                             : undefined,
@@ -480,27 +610,105 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }
-            // Session blocks anonymous callers; the signed state below blocks
-            // CSRF (session cookies are SameSite=None;Secure for the iframe
-            // editor, so they ride along on attacker-crafted top-level links).
+            // Session blocks anonymous callers; the pending-row check below
+            // (combined with the same-origin gate on /builder/connect) blocks
+            // CSRF. Session cookies are SameSite=None;Secure for the iframe
+            // editor, so they ride along on attacker-crafted top-level links —
+            // the SameSite=None concession is exactly why the connect flow
+            // can't rely on session-cookie identity alone.
             const session = await getSession(event).catch(() => null);
             if (!session?.email) {
                 setResponseStatus(event, 401);
                 return { error: "Authentication required" };
             }
             const requestUrl = new URL(`${event.url?.pathname || "/"}${event.url?.search || ""}`, getOrigin(event));
-            const state = requestUrl.searchParams.get(BUILDER_STATE_PARAM);
-            if (!verifyBuilderCallbackState(state, session.email)) {
+            // Verify and consume the server-side pending-connect row that the
+            // /builder/connect route stored. This replaces the old URL-embedded
+            // signed CSRF state (_an_state) which Builder's /cli-auth page was
+            // stripping from the redirect_url query string.
+            //
+            // The delete must succeed before we proceed — otherwise a DB blip
+            // leaves the row in place and the same callback URL can be
+            // replayed against the same session for up to 10 minutes (the
+            // TTL window). Treat a delete failure as a hard failure: the
+            // user retries, the next /builder/connect call rewrites the
+            // pending row.
+            let pendingValid = false;
+            let pendingError = null;
+            try {
+                const pending = (await getSetting(`builder-pending-connect:${session.email}`));
+                if (pending &&
+                    typeof pending.expiresAt === "number" &&
+                    Date.now() < pending.expiresAt) {
+                    try {
+                        await deleteSetting(`builder-pending-connect:${session.email}`);
+                        pendingValid = true;
+                    }
+                    catch (err) {
+                        pendingError =
+                            "Could not consume pending-connect token (storage error). Please retry.";
+                        console.error("[builder] deleteSetting failed for pending-connect — refusing to proceed (replay risk):", err?.message ?? err);
+                    }
+                }
+            }
+            catch {
+                // DB temporarily unavailable — treat as missing.
+            }
+            if (pendingError) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "pending_consume_storage_error",
+                    stage: "callback",
+                });
+                // Best-effort signal to the parent's poll loop, then render the
+                // popup-friendly error page so the BroadcastChannel notify fires.
+                await putSetting(`builder-connect-error:${session.email}`, {
+                    message: pendingError,
+                    at: Date.now(),
+                }).catch(() => { });
+                setResponseStatus(event, 503);
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(pendingError);
+            }
+            if (!pendingValid) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "missing_pending_connect",
+                    stage: "callback",
+                });
+                const msg = "No active connect flow found. Restart the Builder connect flow from Settings.";
+                // Write an error signal so the polling loop in the parent tab
+                // terminates quickly instead of waiting 5 minutes for the timeout.
+                try {
+                    await putSetting(`builder-connect-error:${session.email}`, {
+                        message: msg,
+                        at: Date.now(),
+                    });
+                }
+                catch {
+                    // DB unavailable — parent will time out naturally.
+                }
                 setResponseStatus(event, 403);
-                return {
-                    error: "Invalid or expired connect token. Restart the Builder connect flow from Settings.",
-                };
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(msg);
             }
             const privateKey = requestUrl.searchParams.get("p-key");
             const publicKey = requestUrl.searchParams.get("api-key");
             if (!privateKey || !publicKey) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "missing_credentials",
+                    stage: "callback",
+                });
+                // Render the popup-friendly error page (and write a status row)
+                // instead of bare JSON, so the parent tab's poll loop terminates
+                // immediately via BroadcastChannel rather than hanging until the
+                // 5-minute timeout.
+                const msg = "Builder didn't return credentials. Restart the connect flow from settings.";
+                await putSetting(`builder-connect-error:${session.email}`, {
+                    message: msg,
+                    at: Date.now(),
+                }).catch(() => { });
                 setResponseStatus(event, 400);
-                return { error: "Missing Builder credentials in callback" };
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(msg);
             }
             const userId = requestUrl.searchParams.get("user-id");
             const orgName = requestUrl.searchParams.get("org-name");
@@ -532,6 +740,10 @@ export function createCoreRoutesPlugin(options = {}) {
                 console.error("[builder] Failed to persist per-user credentials:", writeError);
             }
             if (writeError) {
+                trackBuilderLifecycle("builder connect failed", session.email, {
+                    reason: "credential_write_failed",
+                    stage: "callback",
+                });
                 // Best-effort signal to /builder/status. If putSetting also fails
                 // (entire DB unreachable) the popup's postMessage still notifies
                 // the parent. If both fail the parent times out at 5min as today.
@@ -563,15 +775,19 @@ export function createCoreRoutesPlugin(options = {}) {
                 // No prior error row — fine
             }
             const previewUrl = resolveSafePreviewUrl(requestUrl.searchParams.get("preview-url"), event);
+            trackBuilderLifecycle("builder connect succeeded", session.email, {
+                stage: "callback",
+                has_preview_url: Boolean(previewUrl),
+                org_kind: orgKind || undefined,
+            });
             setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
             return createBuilderBrowserCallbackPage(previewUrl);
         }));
-        // POST /_agent-native/builder/disconnect — revoke the stored Builder
-        // credentials so the next turn falls back to BYO / env detection. Mirrors
-        // the callback handler's three write locations: the template `.env` file,
-        // the in-process `process.env`, and the `persisted-env-vars` settings row
-        // (rehydrated on serverless cold starts). All three must be cleared to
-        // avoid a "still connected after disconnect" state on restart.
+        // POST /_agent-native/builder/disconnect — revoke the user's per-user
+        // Builder credentials in app_secrets. In env-managed mode (deploy-level
+        // BUILDER_PRIVATE_KEY set) disconnection is operator-controlled — this
+        // endpoint refuses with 409 so a stale UI button can't pretend to
+        // disconnect a deploy-level identity it doesn't own.
         getH3App(nitroApp).use(`${P}/builder/disconnect`, defineEventHandler(async (event) => {
             if (getMethod(event) !== "POST") {
                 setResponseStatus(event, 405);
@@ -582,12 +798,23 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 401);
                 return { error: "unauthorized" };
             }
+            const { isBuilderEnvManaged, deleteBuilderCredentials } = await import("./credential-provider.js");
+            if (isBuilderEnvManaged()) {
+                setResponseStatus(event, 409);
+                return {
+                    ok: false,
+                    error: "Builder is managed by deploy-level BUILDER_PRIVATE_KEY. To disconnect, the operator must remove the env var.",
+                    envManaged: true,
+                };
+            }
             // Delete per-user Builder credentials from app_secrets.
             try {
-                const { deleteBuilderCredentials } = await import("./credential-provider.js");
                 await deleteBuilderCredentials(session.email);
             }
             catch (err) {
+                trackBuilderLifecycle("builder disconnect failed", session.email, {
+                    reason: "credential_delete_failed",
+                });
                 setResponseStatus(event, 500);
                 return {
                     ok: false,
@@ -595,6 +822,7 @@ export function createCoreRoutesPlugin(options = {}) {
                     cause: err instanceof Error ? err.message : String(err),
                 };
             }
+            trackBuilderLifecycle("builder disconnect succeeded", session.email);
             return { ok: true };
         }));
         // Proxy to Builder's agents-run API for background code changes.
@@ -847,6 +1075,75 @@ export function createCoreRoutesPlugin(options = {}) {
                 };
             }
         }));
+        // GET/PUT/DELETE /_agent-native/agent-loop-settings — org/user-scoped
+        // ceiling for tool-calling loop iterations before the agent asks whether
+        // it should keep going.
+        getH3App(nitroApp).use(`${P}/agent-loop-settings`, defineEventHandler(async (event) => {
+            const session = await getSession(event).catch(() => null);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "unauthorized" };
+            }
+            const orgCtx = await getOrgContext(event).catch(() => null);
+            const orgId = orgCtx?.orgId ?? session.orgId ?? null;
+            const ctx = { userEmail: session.email, orgId };
+            const canUpdate = await canUpdateAgentLoopSettings(session.email, orgId);
+            const withContext = async () => ({
+                ...(await readAgentLoopSettings(ctx)),
+                canUpdate,
+                orgId,
+                orgName: orgCtx?.orgName ?? null,
+                role: orgCtx?.role ?? null,
+            });
+            const method = getMethod(event);
+            if (method === "GET") {
+                return withContext();
+            }
+            if (method === "PUT") {
+                if (!canUpdate) {
+                    setResponseStatus(event, 403);
+                    return {
+                        error: orgId
+                            ? "Only organization owners and admins can change the agent step limit."
+                            : "You cannot change the agent step limit.",
+                    };
+                }
+                const body = await readBody(event).catch(() => ({}));
+                const validation = validateMaxIterationsInput(body?.maxIterations);
+                if (validation.ok === false) {
+                    setResponseStatus(event, 400);
+                    return { error: validation.error };
+                }
+                const updated = await writeAgentLoopSettings(ctx, validation.value);
+                return {
+                    ...updated,
+                    canUpdate,
+                    orgId,
+                    orgName: orgCtx?.orgName ?? null,
+                    role: orgCtx?.role ?? null,
+                };
+            }
+            if (method === "DELETE") {
+                if (!canUpdate) {
+                    setResponseStatus(event, 403);
+                    return {
+                        error: orgId
+                            ? "Only organization owners and admins can reset the agent step limit."
+                            : "You cannot reset the agent step limit.",
+                    };
+                }
+                const updated = await resetAgentLoopSettings(ctx);
+                return {
+                    ...updated,
+                    canUpdate,
+                    orgId,
+                    orgName: orgCtx?.orgName ?? null,
+                    role: orgCtx?.role ?? null,
+                };
+            }
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }));
         // ─── Usage & cost summary ────────────────────────────────────────
         // GET /_agent-native/usage?sinceDays=30
         // Returns spend broken down by label, model, app, and day for the