@agent-native/core 0.7.23 → 0.7.25

package/src/templates/workspace-core/src/index.ts

@@ -1,21 +1 @@
-/**
- * @{{APP_NAME}}/core-module — enterprise-wide workspace core.
- *
- * Every agent-native app in this workspace inherits from this package:
- *   - Server plugins (auth, org, agent-chat) — see src/server
- *   - Shared React components and hooks — see src/client
- *   - Shared agent actions — see actions/
- *   - Shared agent skills — see skills/
- *   - Enterprise-wide agent instructions — see AGENTS.md
- *   - Shared Tailwind v4 design tokens — see styles/tokens.css
- *
- * Apps don't import from this root entry directly — they import from
- * the specific sub-path they need:
- *
- *   import { authPlugin } from "@{{APP_NAME}}/core-module/server";
- *   import { AuthenticatedLayout } from "@{{APP_NAME}}/core-module/client";
- *   import { resolveCompanyCredential } from "@{{APP_NAME}}/core-module/credentials";
- *
- * This root file is for package metadata only.
- */
-export const WORKSPACE_CORE_NAME = "@{{APP_NAME}}/core-module";
+export const WORKSPACE_SHARED_NAME = "@{{APP_NAME}}/shared";

package/src/templates/workspace-core/src/server/index.ts

@@ -1,22 +1,3 @@
-/**
- * Server-side entry for @{{APP_NAME}}/core-module.
- *
- * Exports plugin overrides for any framework slot you want to customize
- * across every app in this workspace. The agent-native framework looks for
- * these exports by name when deciding what to auto-mount — see the "three
- * layer inheritance" section in the root README.
- *
- * Supported export names (any subset):
- *   - authPlugin            → overrides @agent-native/core's auth
- *   - orgPlugin             → overrides @agent-native/core's org
- *   - agentChatPlugin       → overrides @agent-native/core's agent-chat
- *   - coreRoutesPlugin      → overrides @agent-native/core's core-routes
- *   - integrationsPlugin    → overrides @agent-native/core's integrations
- *   - resourcesPlugin       → overrides @agent-native/core's resources
- *   - terminalPlugin        → overrides @agent-native/core's terminal
- *
- * Anything you don't export falls through to the framework default.
- */
-
-export { authPlugin } from "./auth-plugin.js";
-export { agentChatPlugin } from "./agent-chat-plugin.js";
+// Export workspace-wide server plugin overrides here when you need them.
+// Anything not exported falls through to @agent-native/core defaults.
+export {};

package/src/templates/workspace-root/README.md

@@ -1,23 +1,21 @@
 # {{APP_TITLE}} — Agent-Native Workspace
 
 A monorepo hosting multiple agent-native apps that all inherit from a single
-private **workspace core** package. The core module provides shared auth,
-agent instructions, skills, components, and plugins; each app just ships its
-own screens and template-specific actions.
+private **shared** package. The framework provides the defaults; this package
+is only for code, instructions, and policies that are genuinely shared by more
+than one app.
 
 ## Layout
 
 ```
 {{APP_NAME}}/
 ├── packages/
-│   └── core-module/          # @{{APP_NAME}}/core-module — the shared mid-layer
-│       ├── src/server/       # Auth / org / agent-chat plugin overrides
-│       ├── src/client/       # Shared React components (org switcher, layouts…)
-│       ├── actions/          # Shared agent-callable actions
-│       ├── skills/           # Shared .agents skills baked into every app
-│       └── AGENTS.md         # Enterprise-wide agent instructions
+│   └── shared/               # @{{APP_NAME}}/shared — optional shared code
+│       ├── src/server/       # Add plugin overrides only when needed
+│       ├── src/client/       # Add shared React code only when needed
+│       └── AGENTS.md         # Workspace-wide agent instructions
 └── apps/
-    └── example/              # Sample app demonstrating inheritance
+    └── example/              # App-specific routes, actions, and state
 ```
 
 ## Three-layer inheritance
@@ -26,14 +24,14 @@ Every app in this workspace inherits cross-cutting behavior automatically:
 
 1. **App local** (highest priority) — anything under `apps/<name>/server/plugins/`,
    `apps/<name>/actions/`, `apps/<name>/.agents/skills/`, `apps/<name>/AGENTS.md`.
-2. **Workspace core** (middle) — `packages/core-module/src/server/`,
-   `packages/core-module/actions/`, `packages/core-module/skills/`,
-   `packages/core-module/AGENTS.md`.
+2. **Workspace shared** (middle) — `packages/shared/src/server/`,
+   `packages/shared/src/client/`, `packages/shared/actions/`,
+   `packages/shared/.agents/skills/`, `packages/shared/AGENTS.md`.
 3. **Framework** (lowest) — `@agent-native/core` defaults.
 
 Apps don't need any configuration to opt in. Discovery happens via the
 `agent-native.workspaceCore` field in this root `package.json`, which names
-the workspace core package (`@{{APP_NAME}}/core-module`).
+the shared package (`@{{APP_NAME}}/shared`).
 
 ## Getting started
 
@@ -54,12 +52,11 @@ pnpm exec agent-native create crm --template=starter
 ```
 
 The CLI detects the workspace root and scaffolds a minimal app that already
-depends on `@{{APP_NAME}}/core-module`. Edit only the routes you care about;
-auth, org switching, skills, and instructions come from the core module.
+depends on `@{{APP_NAME}}/shared`. Edit only the routes you care about;
+auth, org switching, skills, and instructions come from the shared package.
 
 ## Editing shared behavior
 
-Everything cross-cutting lives in `packages/core-module/`. A change to
-`packages/core-module/src/server/auth-plugin.ts`, for example, is picked up
-by every app in the workspace on the next dev reload — no need to touch any
-individual app.
+Put cross-cutting code in `packages/shared/` when more than one app needs it.
+For example, exporting an `authPlugin` from `packages/shared/src/server/index.ts`
+lets every app use the same auth customization on the next dev reload.

package/src/templates/workspace-root/_gitignore

@@ -6,6 +6,9 @@ apps/*/build/
 apps/*/.output/
 apps/*/.netlify/
 apps/*/.vercel/
+packages/*/node_modules/
+packages/*/dist/
+packages/*/build/
 .deploy-tmp/
 
 # Env files — never commit secrets

package/src/templates/workspace-root/package.json

@@ -3,29 +3,22 @@
   "private": true,
   "version": "0.0.0",
   "scripts": {
-    "dev": "tsx scripts/workspace-dev.ts",
+    "dev": "agent-native dev",
     "build": "pnpm -r build",
     "typecheck": "pnpm -r typecheck",
     "fmt:check": "prettier --check .",
     "lint": "pnpm fmt:check"
   },
   "agent-native": {
-    "workspaceCore": "@{{APP_NAME}}/core-module"
+    "workspaceCore": "@{{APP_NAME}}/shared"
+  },
+  "dependencies": {
+    "@agent-native/core": "latest"
   },
   "devDependencies": {
     "@types/node": "^24.2.1",
     "prettier": "^3.6.2",
-    "tsx": "catalog:",
     "typescript": "^6.0.3"
   },
-  "packageManager": "pnpm@10.14.0",
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "better-sqlite3",
-      "esbuild",
-      "lightningcss",
-      "node-pty",
-      "@swc/core"
-    ]
-  }
+  "packageManager": "pnpm@10.14.0"
 }

package/src/templates/workspace-root/pnpm-workspace.yaml

@@ -3,8 +3,10 @@ packages:
   - "apps/*"
 
 onlyBuiltDependencies:
-  - esbuild
+  - "@swc/core"
   - better-sqlite3
+  - canvas
+  - electron
+  - esbuild
   - lightningcss
   - node-pty
-  - "@swc/core"

package/dist/templates/default/.claude/settings.json

@@ -1,100 +0,0 @@
-{
-  "hooks": {
-    "UserPromptSubmit": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "pnpm action view-screen 2>/dev/null || echo '{\"view\": \"unknown\"}'",
-            "timeout": 10
-          }
-        ]
-      }
-    ]
-  },
-  "permissions": {
-    "allow": [
-      "Read",
-      "Edit",
-      "Write",
-      "Glob",
-      "Grep",
-      "NotebookEdit",
-      "WebFetch",
-      "WebSearch",
-      "Bash(ls *)",
-      "Bash(pwd)",
-      "Bash(echo *)",
-      "Bash(cat *)",
-      "Bash(head *)",
-      "Bash(tail *)",
-      "Bash(find *)",
-      "Bash(wc *)",
-      "Bash(sort *)",
-      "Bash(uniq *)",
-      "Bash(diff *)",
-      "Bash(which *)",
-      "Bash(env)",
-      "Bash(mkdir *)",
-      "Bash(cp *)",
-      "Bash(mv *)",
-      "Bash(touch *)",
-      "Bash(chmod *)",
-      "Bash(cd *)",
-      "Bash(node *)",
-      "Bash(npx *)",
-      "Bash(npm *)",
-      "Bash(pnpm *)",
-      "Bash(yarn *)",
-      "Bash(tsx *)",
-      "Bash(tsc *)",
-      "Bash(vitest *)",
-      "Bash(jest *)",
-      "Bash(eslint *)",
-      "Bash(prettier *)",
-      "Bash(git status*)",
-      "Bash(git log *)",
-      "Bash(git diff *)",
-      "Bash(git show *)",
-      "Bash(git branch*)",
-      "Bash(git add *)",
-      "Bash(git commit *)",
-      "Bash(git checkout *)",
-      "Bash(git switch *)",
-      "Bash(git stash *)",
-      "Bash(git merge *)",
-      "Bash(git rebase *)",
-      "Bash(git pull *)",
-      "Bash(git blame *)",
-      "Bash(git rev-parse *)",
-      "Bash(git worktree *)",
-      "Bash(git remote -v)",
-      "Bash(gh *)",
-      "Bash(curl *)",
-      "Bash(grep *)",
-      "Bash(rg *)",
-      "Bash(sed *)",
-      "Bash(awk *)",
-      "Bash(jq *)",
-      "Bash(rm *)"
-    ],
-    "deny": [
-      "Bash(rm -rf /)",
-      "Bash(rm -rf /*)",
-      "Bash(rm -rf ~)",
-      "Bash(rm -rf ~/*)",
-      "Bash(sudo *)",
-      "Bash(git push --force *)",
-      "Bash(git push -f *)",
-      "Bash(git reset --hard *)",
-      "Bash(git clean -f *)",
-      "Bash(dd *)",
-      "Bash(mkfs *)",
-      "Bash(kill -9 *)",
-      "Bash(killall *)",
-      "Bash(pkill *)",
-      "Bash(shutdown *)",
-      "Bash(reboot *)"
-    ]
-  }
-}

package/dist/templates/workspace-core/.agents/skills/company-policies/SKILL.md

@@ -1,42 +0,0 @@
----
-name: company-policies
-description: {{APP_TITLE}}-wide policies the agent must enforce for every app — data handling, PII, approval flows, compliance rules.
----
-
-# {{APP_TITLE}} Company Policies
-
-Every app in the workspace shares these policies. Read this skill before
-taking any action that touches customer data, external services, or
-deployed state.
-
-## Data handling
-
-- **PII minimization.** Only load the fields you actually need. Never
-  `SELECT *` on a table that contains customer records.
-- **No raw customer email in logs.** Hash or redact before logging.
-- **Retention.** Deleted records are soft-deleted first and purged by a
-  scheduled job. Do not write actions that hard-delete customer data.
-
-## Third-party calls
-
-- **Allowlist only.** Only call domains on the approved allowlist
-  (documented in the root `README.md`). If an integration needs a new
-  domain, surface a warning and wait for human approval before making
-  the call.
-- **Secrets come from `resolveCompanyCredential`.** Never hardcode.
-  Never check secrets into git. Rotating a key in the central store
-  updates every app on the next request.
-
-## Approval flows
-
-- **Destructive operations need a confirmation preview.** Any action
-  that modifies production data must first return a preview of the
-  change (what will be created / updated / deleted) and wait for
-  explicit user confirmation before executing.
-
-## Apply across apps
-
-This skill is loaded automatically in every workspace app. If an
-individual app needs different behavior, it can add a same-named skill
-under its own `.agents/skills/company-policies/SKILL.md` and that copy
-will win for that app only.

package/dist/templates/workspace-core/actions/company-directory.ts

@@ -1,38 +0,0 @@
-/**
- * Shared action: look up an employee in the company directory.
- *
- * Every app in the workspace inherits this action automatically — no
- * wiring required. From the agent's perspective it behaves exactly like
- * a template action: the tool shows up in every app's agent, and calling
- * it from the UI via `useActionQuery("company-directory", { ... })` Just
- * Works.
- *
- * Replace the stub implementation with a real call to your company
- * directory (SCIM, Okta Users API, internal /people endpoint, etc.).
- */
-import { z } from "zod";
-import { defineAction } from "@agent-native/core";
-
-export default defineAction({
-  description:
-    "Look up a person in the {{APP_TITLE}} company directory by name or email. Returns role, team, and manager.",
-  schema: z.object({
-    query: z.string().describe("Name, email, or partial match to search for"),
-  }),
-  run: async (args) => {
-    // TODO: replace with a real lookup. This stub just echoes the query
-    // so the agent has a reasonable no-op while you wire up the real
-    // directory integration.
-    return {
-      results: [
-        {
-          query: args.query,
-          name: "(stub) " + args.query,
-          role: "Unknown",
-          team: "Unknown",
-          manager: null,
-        },
-      ],
-    };
-  },
-});

package/dist/templates/workspace-core/src/client/AuthenticatedLayout.tsx

@@ -1,37 +0,0 @@
-/**
- * Shared authenticated layout for every app in the @{{APP_NAME}} workspace.
- *
- * Provides the common chrome (brand header, user menu, agent chat sidebar)
- * so individual apps only have to render their own content. Replace this
- * with a real component that pulls in your design system. Every app
- * imports it the same way:
- *
- *   import { AuthenticatedLayout } from "@{{APP_NAME}}/core-module/client";
- *
- *   export default function Home() {
- *     return (
- *       <AuthenticatedLayout>
- *         <h1>My app's screen</h1>
- *       </AuthenticatedLayout>
- *     );
- *   }
- */
-import type { ReactNode } from "react";
-
-export interface AuthenticatedLayoutProps {
-  children: ReactNode;
-}
-
-// Workspace title — replaced at scaffold time by the create-workspace CLI.
-const WORKSPACE_TITLE = "{{APP_TITLE}}";
-
-export function AuthenticatedLayout({ children }: AuthenticatedLayoutProps) {
-  return (
-    <div className="min-h-screen flex flex-col">
-      <header className="border-b px-6 py-3">
-        <strong>{WORKSPACE_TITLE}</strong>
-      </header>
-      <main className="flex-1 p-6">{children}</main>
-    </div>
-  );
-}

package/dist/templates/workspace-core/src/credentials.ts

@@ -1,67 +0,0 @@
-/**
- * Centralized credential helpers for the @{{APP_NAME}} workspace.
- *
- * Every enterprise has a few API keys that multiple apps need to share:
- * a Slack bot token, a Sentry DSN, an OpenAI key, internal service
- * credentials. Instead of each app reading them separately, we namespace
- * them here so there's a single place to update when a key rotates.
- *
- * Under the hood this is a thin wrapper over @agent-native/core's
- * `resolveCredential()`, which reads per-user / per-org rows in the
- * shared SQL settings table. Apps inside the workspace share the same
- * DATABASE_URL by default, so storing a credential once makes it
- * available everywhere.
- *
- * A request/action context is required so credentials stay scoped to the
- * correct user and organization. This helper can read that context
- * automatically inside agent-native actions; otherwise pass it explicitly.
- */
-import { resolveCredential } from "@agent-native/core/credentials";
-import {
-  getRequestOrgId,
-  getRequestUserEmail,
-} from "@agent-native/core/server";
-
-/**
- * Optional context for scoping a credential lookup to a specific user or org.
- */
-export interface CompanyCredentialContext {
-  userEmail?: string;
-  orgId?: string | null;
-}
-
-type ResolveCredentialFn = (
-  key: string,
-  ctx: CompanyCredentialContext,
-) => Promise<string | undefined>;
-
-/**
- * Resolve a company-wide credential. Prefer this over `resolveCredential()`
- * directly — it keeps your keys organized under a workspace namespace and
- * makes "where does this secret come from" greppable.
- *
- * Inside an agent-native action:
- *   const slackToken = await resolveCompanyCredential("SLACK_BOT_TOKEN");
- *
- * Outside request context:
- *   const slackToken = await resolveCompanyCredential("SLACK_BOT_TOKEN", {
- *     userEmail: session.email,
- *     orgId: session.orgId ?? null,
- *   });
- */
-export async function resolveCompanyCredential(
-  key: string,
-  ctx?: CompanyCredentialContext,
-): Promise<string | undefined> {
-  const effectiveCtx: CompanyCredentialContext = ctx?.userEmail
-    ? ctx
-    : {
-        userEmail: getRequestUserEmail() ?? undefined,
-        orgId: getRequestOrgId(),
-      };
-  if (!effectiveCtx.userEmail) return undefined;
-  return await (resolveCredential as ResolveCredentialFn)(key, {
-    userEmail: effectiveCtx.userEmail,
-    orgId: effectiveCtx.orgId ?? null,
-  });
-}

package/dist/templates/workspace-core/src/server/agent-chat-plugin.ts

@@ -1,30 +0,0 @@
-/**
- * Workspace-wide agent-chat plugin for @{{APP_NAME}}/core-module.
- *
- * This mounts the framework's default agent-chat plugin so every app in
- * the workspace gets the same chat endpoint, mention providers, and
- * built-in tools. The ENTERPRISE-WIDE system prompt additions — things
- * the agent should know across every app — live in the workspace's
- * AGENTS.md file, which is loaded automatically into the prompt as a
- * `<resource scope="workspace">` block.
- *
- * Customize this wrapper when you need agent behavior that can't be
- * expressed in AGENTS.md — e.g. injecting enterprise-specific mention
- * providers, pre-loading a custom set of MCP servers, or rewriting
- * model choice based on your company's allowlist.
- */
-import { defaultAgentChatPlugin } from "@agent-native/core/server";
-
-export const agentChatPlugin = async (nitroApp: any): Promise<void> => {
-  await defaultAgentChatPlugin(nitroApp);
-
-  // Hook for enterprise customization:
-  //
-  //   const chat = createAgentChatPlugin({
-  //     systemPrompt: (base) => `${base}\n\nCompany policy: …`,
-  //     mentionProviders: {
-  //       people: async (query) => searchCompanyDirectory(query),
-  //     },
-  //   });
-  //   await chat(nitroApp);
-};

package/dist/templates/workspace-core/src/server/auth-plugin.ts

@@ -1,35 +0,0 @@
-/**
- * Workspace-wide auth plugin for @{{APP_NAME}}/core-module.
- *
- * Today this just re-uses the framework default, which already does the
- * right thing for most enterprises (Better Auth with Google SSO when
- * GOOGLE_CLIENT_ID/SECRET are set, email/password otherwise, local dev
- * bypass via AUTH_MODE=local). Customize it here when your enterprise
- * needs specific behavior — e.g.:
- *
- *   - Wrap the default to force a specific SSO provider
- *   - Add a callback that provisions users into your directory
- *   - Pre-register organizations / role mappings from Okta groups
- *   - Fail closed on unauthenticated requests outside dev
- *
- * Every app in the workspace inherits this automatically (as long as the
- * root package.json has `"agent-native": { "workspaceCore": "@{{APP_NAME}}/core-module" }`).
- */
-import { defaultAuthPlugin } from "@agent-native/core/server";
-
-export const authPlugin = async (nitroApp: any): Promise<void> => {
-  // Run the framework default first so Better Auth, org tables, and session
-  // middleware are all set up.
-  await defaultAuthPlugin(nitroApp);
-
-  // Add enterprise-specific post-auth behavior here. Examples:
-  //
-  //   const h3 = getH3App(nitroApp);
-  //   h3.use(defineEventHandler(async (event) => {
-  //     const session = await getSession(event);
-  //     if (session?.email && !session.email.endsWith("@{{APP_NAME}}.com")) {
-  //       setResponseStatus(event, 403);
-  //       return { error: "Only @{{APP_NAME}}.com accounts allowed" };
-  //     }
-  //   }));
-};

package/dist/templates/workspace-core/styles/tokens.css

@@ -1,22 +0,0 @@
-/**
- * Workspace-wide Tailwind v4 design tokens for @{{APP_NAME}}/core-module.
- *
- * Every app in the workspace should import this from its own
- * `app/global.css` so brand updates in one place propagate to all apps:
- *
- *   @import "tailwindcss";
- *   @import "@{{APP_NAME}}/core-module/styles/tokens.css";
- *
- * Replace the values below with your real brand palette.
- */
-
-/* Re-export the framework's standard token mappings (color-background,
-   color-foreground, color-border, …) so apps don't need a second import. */
-@import "@agent-native/core/styles/agent-native.css";
-
-@theme {
-  /* Add enterprise brand colors here. They become utility classes:
-     `bg-brand`, `text-brand-foreground`, etc. */
-  --color-brand: #4f46e5;
-  --color-brand-foreground: #ffffff;
-}

package/dist/templates/workspace-root/.github/workflows/ci.yml

@@ -1,32 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-  push:
-    branches: [main]
-
-permissions:
-  contents: read
-
-jobs:
-  checks:
-    name: Lint, typecheck, build
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: pnpm/action-setup@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "pnpm"
-
-      - run: pnpm install --no-frozen-lockfile
-
-      - run: pnpm lint
-
-      - run: pnpm typecheck
-
-      - run: pnpm build