@agent-native/core 0.7.43 → 0.7.44

package/dist/a2a/agent-card.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,SAAS,CAoCX"}
+{"version":3,"file":"agent-card.d.ts","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,SAAS,CAqCX"}

package/dist/a2a/agent-card.js

@@ -1,8 +1,10 @@
+import { withConfiguredAppBasePath } from "../server/app-base-path.js";
 export function generateAgentCard(config, baseUrl) {
+    const scopedUrl = withConfiguredAppBasePath(baseUrl);
     const card = {
         name: config.name,
         description: config.description,
-        url: baseUrl,
+        url: scopedUrl,
         version: config.version ?? "1.0.0",
         protocolVersion: "0.3",
         capabilities: {

package/dist/a2a/agent-card.js.map

@@ -1 +1 @@
-{"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe;IAEf,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,GAAG,EAAE,OAAO;QACZ,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,eAAe,EAAE,KAAK;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,iBAAiB,EAAE,KAAK;YACxB,sBAAsB,EAAE,IAAI;SAC7B;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,iEAAiE;IACjE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,eAAe,GAAG;YACrB,SAAS,EAAE;gBACT,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;gBAChB,YAAY,EAAE,KAAK;aACpB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,CAAC;SAAM,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG;YACrB,MAAM,EAAE;gBACN,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;aACjB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import type { A2AConfig, AgentCard } from \"./types.js\";\n\nexport function generateAgentCard(\n  config: A2AConfig,\n  baseUrl: string,\n): AgentCard {\n  const card: AgentCard = {\n    name: config.name,\n    description: config.description,\n    url: baseUrl,\n    version: config.version ?? \"1.0.0\",\n    protocolVersion: \"0.3\",\n    capabilities: {\n      streaming: config.streaming ?? false,\n      pushNotifications: false,\n      stateTransitionHistory: true,\n    },\n    skills: config.skills,\n  };\n\n  // Advertise JWT-based A2A identity when A2A_SECRET is configured\n  if (process.env.A2A_SECRET) {\n    card.securitySchemes = {\n      jwtBearer: {\n        type: \"http\",\n        scheme: \"bearer\",\n        bearerFormat: \"JWT\",\n      },\n    };\n    card.security = [{ jwtBearer: [] }];\n  } else if (config.apiKeyEnv) {\n    card.securitySchemes = {\n      apiKey: {\n        type: \"http\",\n        scheme: \"bearer\",\n      },\n    };\n    card.security = [{ apiKey: [] }];\n  }\n\n  return card;\n}\n"]}
+{"version":3,"file":"agent-card.js","sourceRoot":"","sources":["../../src/a2a/agent-card.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAEvE,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,OAAe;IAEf,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,IAAI,GAAc;QACtB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO;QAClC,eAAe,EAAE,KAAK;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;YACpC,iBAAiB,EAAE,KAAK;YACxB,sBAAsB,EAAE,IAAI;SAC7B;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,iEAAiE;IACjE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,eAAe,GAAG;YACrB,SAAS,EAAE;gBACT,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;gBAChB,YAAY,EAAE,KAAK;aACpB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,CAAC;SAAM,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG;YACrB,MAAM,EAAE;gBACN,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,QAAQ;aACjB;SACF,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import type { A2AConfig, AgentCard } from \"./types.js\";\nimport { withConfiguredAppBasePath } from \"../server/app-base-path.js\";\n\nexport function generateAgentCard(\n  config: A2AConfig,\n  baseUrl: string,\n): AgentCard {\n  const scopedUrl = withConfiguredAppBasePath(baseUrl);\n  const card: AgentCard = {\n    name: config.name,\n    description: config.description,\n    url: scopedUrl,\n    version: config.version ?? \"1.0.0\",\n    protocolVersion: \"0.3\",\n    capabilities: {\n      streaming: config.streaming ?? false,\n      pushNotifications: false,\n      stateTransitionHistory: true,\n    },\n    skills: config.skills,\n  };\n\n  // Advertise JWT-based A2A identity when A2A_SECRET is configured\n  if (process.env.A2A_SECRET) {\n    card.securitySchemes = {\n      jwtBearer: {\n        type: \"http\",\n        scheme: \"bearer\",\n        bearerFormat: \"JWT\",\n      },\n    };\n    card.security = [{ jwtBearer: [] }];\n  } else if (config.apiKeyEnv) {\n    card.securitySchemes = {\n      apiKey: {\n        type: \"http\",\n        scheme: \"bearer\",\n      },\n    };\n    card.security = [{ apiKey: [] }];\n  }\n\n  return card;\n}\n"]}

package/dist/server/agent-chat-plugin.js

@@ -985,7 +985,7 @@ const FRAMEWORK_CORE_COMPACT = `
 6. **Memory** — Use \`save-memory\` proactively when you learn preferences, corrections, or project context.
 7. **Security** — Always use parameterized queries. Never \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`.
 8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
-9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+9. **Never fabricate factual claims** — Do NOT invent numbers, metrics, records, query results, URLs, citations, source attributions, customer names, dates, or success rates. This applies inside generated artifacts too: decks, documents, reports, dashboards, Slack/email replies, and charts must not contain unsupported factual specifics. Only state factual numbers/claims when the user provided them or you retrieved them with an action/tool. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly and work with what you have. If a specific metric would be useful but is not known, use qualitative wording, placeholders like \`[metric TBD]\`, or clearly labeled draft assumptions instead of plausible-looking facts. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
 10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the action threw, it did NOT succeed.
 11. **Find tools when unsure** — Use \`tool-search\` to find the exact action/tool for a capability. It searches the live registry, including connected MCP server tools.
 
@@ -1153,7 +1153,7 @@ const FRAMEWORK_CORE = `
 6. **Memory** — Use the structured memory system to persist knowledge across sessions. Use \`save-memory\` proactively when you learn preferences, corrections, or project context. Update shared AGENTS.md for instructions that should apply to all users.
 7. **Security** — Always use \`defineAction\` with a Zod \`schema:\` for input validation. Never construct SQL with string concatenation — use parameterized queries via db-query/db-exec. Never use \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`. Never expose secrets in responses or source code. Every table with user data must have \`owner_email\`.
 8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
-9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+9. **Never fabricate factual claims** — Do NOT invent numbers, metrics, records, query results, URLs, citations, source attributions, customer names, dates, or success rates. This applies inside generated artifacts too: decks, documents, reports, dashboards, Slack/email replies, and charts must not contain unsupported factual specifics. Only state factual numbers/claims when the user provided them or you retrieved them with an action/tool. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly and work with what you have. If a specific metric would be useful but is not known, use qualitative wording, placeholders like \`[metric TBD]\`, or clearly labeled draft assumptions instead of plausible-looking facts. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
 10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative, format a result table, or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the underlying action threw (visible in the error text), the action did NOT succeed — report the error, do not describe a successful outcome.
 11. **Find tools when unsure** — Use \`tool-search\` to find the exact action/tool for a capability. It searches the live registry, including connected MCP server tools added through config, settings, or the MCP hub.