@agent-native/core 0.7.51 → 0.7.52

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/dist/a2a/artifact-response.d.ts.map +1 -1
  2. package/dist/a2a/artifact-response.js +109 -5
  3. package/dist/a2a/artifact-response.js.map +1 -1
  4. package/dist/a2a/server.d.ts.map +1 -1
  5. package/dist/a2a/server.js +11 -0
  6. package/dist/a2a/server.js.map +1 -1
  7. package/dist/deploy/workspace-deploy.js +32 -3
  8. package/dist/deploy/workspace-deploy.js.map +1 -1
  9. package/dist/integrations/plugin.d.ts.map +1 -1
  10. package/dist/integrations/plugin.js +2 -1
  11. package/dist/integrations/plugin.js.map +1 -1
  12. package/dist/integrations/webhook-handler.d.ts.map +1 -1
  13. package/dist/integrations/webhook-handler.js +10 -0
  14. package/dist/integrations/webhook-handler.js.map +1 -1
  15. package/dist/onboarding/plugin.d.ts.map +1 -1
  16. package/dist/onboarding/plugin.js +2 -1
  17. package/dist/onboarding/plugin.js.map +1 -1
  18. package/dist/org/plugin.d.ts.map +1 -1
  19. package/dist/org/plugin.js +2 -1
  20. package/dist/org/plugin.js.map +1 -1
  21. package/dist/scripts/call-agent.js +2 -2
  22. package/dist/scripts/call-agent.js.map +1 -1
  23. package/dist/server/action-routes.d.ts.map +1 -1
  24. package/dist/server/action-routes.js +5 -11
  25. package/dist/server/action-routes.js.map +1 -1
  26. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  27. package/dist/server/agent-chat-plugin.js +2 -1
  28. package/dist/server/agent-chat-plugin.js.map +1 -1
  29. package/dist/server/auth-plugin.d.ts.map +1 -1
  30. package/dist/server/auth-plugin.js +2 -1
  31. package/dist/server/auth-plugin.js.map +1 -1
  32. package/dist/server/auth.d.ts.map +1 -1
  33. package/dist/server/auth.js +7 -12
  34. package/dist/server/auth.js.map +1 -1
  35. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  36. package/dist/server/core-routes-plugin.js +9 -29
  37. package/dist/server/core-routes-plugin.js.map +1 -1
  38. package/dist/server/cors-origins.d.ts +10 -0
  39. package/dist/server/cors-origins.d.ts.map +1 -0
  40. package/dist/server/cors-origins.js +34 -0
  41. package/dist/server/cors-origins.js.map +1 -0
  42. package/dist/server/create-server.d.ts.map +1 -1
  43. package/dist/server/create-server.js +10 -29
  44. package/dist/server/create-server.js.map +1 -1
  45. package/dist/server/framework-request-handler.d.ts +11 -0
  46. package/dist/server/framework-request-handler.d.ts.map +1 -1
  47. package/dist/server/framework-request-handler.js +24 -1
  48. package/dist/server/framework-request-handler.js.map +1 -1
  49. package/dist/server/resources-plugin.d.ts.map +1 -1
  50. package/dist/server/resources-plugin.js +2 -1
  51. package/dist/server/resources-plugin.js.map +1 -1
  52. package/dist/terminal/terminal-plugin.d.ts.map +1 -1
  53. package/dist/terminal/terminal-plugin.js +2 -1
  54. package/dist/terminal/terminal-plugin.js.map +1 -1
  55. package/docs/content/a2a-protocol.md +75 -6
  56. package/docs/content/creating-templates.md +10 -0
  57. package/docs/content/dispatch.md +94 -0
  58. package/docs/content/getting-started.md +8 -0
  59. package/docs/content/key-concepts.md +16 -0
  60. package/docs/content/messaging.md +45 -13
  61. package/docs/content/multi-app-workspace.md +10 -2
  62. package/docs/content/notifications.md +1 -1
  63. package/docs/content/observability.md +184 -0
  64. package/docs/content/onboarding.md +7 -2
  65. package/docs/content/template-dispatch.md +3 -1
  66. package/docs/content/tools.md +95 -1
  67. package/docs/content/tracking.md +1 -1
  68. package/docs/content/what-is-agent-native.md +3 -1
  69. package/docs/content/workspace-management.md +5 -5
  70. package/docs/content/workspace.md +2 -0
  71. package/package.json +1 -1
package/dist/a2a/artifact-response.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"artifact-response.d.ts","sourceRoot":"","sources":["../../src/a2a/artifact-response.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,0BAA0B;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA6KD,wBAAgB,sBAAsB,CACpC,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,oBAAoB,EAAE,EACnC,OAAO,GAAE,0BAA+B,GACvC,MAAM,CA0CR"}
1
+ {"version":3,"file":"artifact-response.d.ts","sourceRoot":"","sources":["../../src/a2a/artifact-response.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,0BAA0B;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAiTD,wBAAgB,sBAAsB,CACpC,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,oBAAoB,EAAE,EACnC,OAAO,GAAE,0BAA+B,GACvC,MAAM,CAyDR"}
package/dist/a2a/artifact-response.js CHANGED
@@ -46,6 +46,30 @@ function responseMentionsDesignShell(text, shell) {
46
46
  function responseAlreadyWarnsIncompleteDesign(text) {
47
47
  return /(?:not ready|still working|processing|no renderable|no files|failed|could not|cannot|can't)/i.test(text);
48
48
  }
49
+ function isRenderableDesignFile(value) {
50
+ const file = asRecord(value);
51
+ if (!file)
52
+ return false;
53
+ const filename = stringValue(file.filename);
54
+ const fileType = stringValue(file.fileType);
55
+ const hasRenderableType = fileType === "html" ||
56
+ fileType === "jsx" ||
57
+ filename?.endsWith(".html") ||
58
+ filename?.endsWith(".jsx");
59
+ if (!hasRenderableType)
60
+ return false;
61
+ return typeof file.content !== "string" || file.content.trim().length > 0;
62
+ }
63
+ function countRenderableDesignFiles(files) {
64
+ if (!Array.isArray(files))
65
+ return 0;
66
+ return files.filter(isRenderableDesignFile).length;
67
+ }
68
+ function numberValue(value) {
69
+ return typeof value === "number" && Number.isFinite(value)
70
+ ? value
71
+ : undefined;
72
+ }
49
73
  function collectArtifacts(results) {
50
74
  const documents = new Map();
51
75
  const designShells = new Map();
@@ -54,7 +78,9 @@ function collectArtifacts(results) {
54
78
  const parsed = parseToolResultJson(toolResult.result);
55
79
  if (!parsed)
56
80
  continue;
57
- if (toolResult.tool === "create-document") {
81
+ if (toolResult.tool === "create-document" ||
82
+ toolResult.tool === "get-document" ||
83
+ toolResult.tool === "update-document") {
58
84
  const id = stringValue(parsed.id);
59
85
  if (id) {
60
86
  documents.set(id, { id, title: stringValue(parsed.title) });
@@ -68,6 +94,24 @@ function collectArtifacts(results) {
68
94
  }
69
95
  continue;
70
96
  }
97
+ if (toolResult.tool === "get-design") {
98
+ const id = stringValue(parsed.id);
99
+ if (!id)
100
+ continue;
101
+ const renderableFileCount = countRenderableDesignFiles(parsed.files);
102
+ if (renderableFileCount > 0) {
103
+ generatedDesigns.set(id, {
104
+ id,
105
+ fileCount: Array.isArray(parsed.files)
106
+ ? parsed.files.length
107
+ : renderableFileCount,
108
+ });
109
+ }
110
+ else {
111
+ designShells.set(id, { id, title: stringValue(parsed.title) });
112
+ }
113
+ continue;
114
+ }
71
115
  if (toolResult.tool === "generate-design") {
72
116
  const id = stringValue(parsed.designId);
73
117
  if (!id)
@@ -75,10 +119,7 @@ function collectArtifacts(results) {
75
119
  const savedFiles = Array.isArray(parsed.savedFiles)
76
120
  ? parsed.savedFiles
77
121
  : [];
78
- const rawFileCount = parsed.fileCount;
79
- const fileCount = typeof rawFileCount === "number" && Number.isFinite(rawFileCount)
80
- ? rawFileCount
81
- : savedFiles.length;
122
+ const fileCount = numberValue(parsed.fileCount) ?? savedFiles.length;
82
123
  if (fileCount > 0) {
83
124
  generatedDesigns.set(id, { id, fileCount });
84
125
  }
@@ -99,6 +140,13 @@ function collectArtifacts(results) {
99
140
  });
100
141
  }
101
142
  }
143
+ if (toolResult.tool === "duplicate-design") {
144
+ const id = stringValue(parsed.id);
145
+ const fileCount = numberValue(parsed.fileCount);
146
+ if (id && fileCount && fileCount > 0) {
147
+ generatedDesigns.set(id, { id, fileCount });
148
+ }
149
+ }
102
150
  }
103
151
  return {
104
152
  documents: [...documents.values()],
@@ -120,6 +168,58 @@ function formatIncompleteDesignMessage(shells) {
120
168
  return (`The design is not ready yet. Design ${noun} ${ids} ` +
121
169
  "exists, but no renderable files were saved, so I cannot return it as a completed artifact.");
122
170
  }
171
+ function collectReferencedArtifacts(text, baseUrl) {
172
+ const refs = new Map();
173
+ const baseOrigin = safeOrigin(baseUrl);
174
+ const artifactUrlPattern = /(?:(https?:\/\/[^/\s<>()]+))?(?:\/[^\s<>()]*)?\/(design|page)\/([A-Za-z0-9_-]+)/g;
175
+ for (const match of text.matchAll(artifactUrlPattern)) {
176
+ const origin = safeOrigin(match[1]);
177
+ if (origin && baseOrigin && origin !== baseOrigin)
178
+ continue;
179
+ const route = match[2];
180
+ const id = match[3];
181
+ const kind = route === "design" ? "design" : "document";
182
+ refs.set(`${kind}:${id}`, { kind, id });
183
+ }
184
+ return [...refs.values()];
185
+ }
186
+ function safeOrigin(url) {
187
+ if (!url)
188
+ return undefined;
189
+ try {
190
+ return new URL(url).origin;
191
+ }
192
+ catch {
193
+ return undefined;
194
+ }
195
+ }
196
+ function findUnverifiedArtifactReferences(text, baseUrl, documents, generatedDesigns) {
197
+ const documentIds = new Set(documents.map((document) => document.id));
198
+ const designIds = new Set(generatedDesigns.map((design) => design.id));
199
+ return collectReferencedArtifacts(text, baseUrl).filter((ref) => {
200
+ if (ref.kind === "document")
201
+ return !documentIds.has(ref.id);
202
+ return !designIds.has(ref.id);
203
+ });
204
+ }
205
+ function formatUnverifiedArtifactMessage(refs, documents, generatedDesigns, baseUrl) {
206
+ const hasOnlyDesigns = refs.every((ref) => ref.kind === "design");
207
+ const hasOnlyDocuments = refs.every((ref) => ref.kind === "document");
208
+ const label = hasOnlyDesigns
209
+ ? "design URL"
210
+ : hasOnlyDocuments
211
+ ? "document URL"
212
+ : "artifact URL";
213
+ const plural = refs.length === 1 ? label : `${label}s`;
214
+ const message = `I could not verify the ${plural} in the final answer against a successful artifact action, so I cannot return it.`;
215
+ const verifiedLines = [
216
+ ...documents.map((document) => formatDocumentLine(document, baseUrl)),
217
+ ...generatedDesigns.map((design) => formatDesignLine(design, baseUrl)),
218
+ ];
219
+ return verifiedLines.length > 0
220
+ ? `${message}\n\nArtifacts:\n${verifiedLines.join("\n")}`
221
+ : message;
222
+ }
123
223
  export function appendA2AArtifactLinks(responseText, toolResults, options = {}) {
124
224
  const baseUrl = normalizeBaseUrl(options.baseUrl);
125
225
  const { documents, designShells, generatedDesigns } = collectArtifacts(toolResults);
@@ -133,6 +233,10 @@ export function appendA2AArtifactLinks(responseText, toolResults, options = {})
133
233
  /\b(?:done|created|ready|here(?:'s| is)|complete|finished)\b/i.test(text))) {
134
234
  return formatIncompleteDesignMessage(incompleteShells);
135
235
  }
236
+ const unverifiedRefs = findUnverifiedArtifactReferences(text, baseUrl, documents, generatedDesigns);
237
+ if (unverifiedRefs.length > 0) {
238
+ return formatUnverifiedArtifactMessage(unverifiedRefs, documents, generatedDesigns, baseUrl);
239
+ }
136
240
  const missingLines = [];
137
241
  for (const document of documents) {
138
242
  const path = `/page/${document.id}`;
package/dist/a2a/artifact-response.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"artifact-response.js","sourceRoot":"","sources":["../../src/a2a/artifact-response.ts"],"names":[],"mappings":"AAwBA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc;IACzC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,UAAU,GAAG,CAAC,IAAI,SAAS,IAAI,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3D,IAAI,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA2B;IACnD,MAAM,OAAO,GAAG,OAAO,EAAE,IAAI,EAAE,CAAC;IAChC,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,SAAS,WAAW,CAAC,OAA2B,EAAE,IAAY;IAC5D,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACxC,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAY,EAAE,IAAY;IAC7D,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,2BAA2B,CAClC,IAAY,EACZ,KAAyB;IAEzB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,oCAAoC,CAAC,IAAY;IACxD,OAAO,8FAA8F,CAAC,IAAI,CACxG,IAAI,CACL,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA+B;IAKvD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC7D,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAC3D,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAmC,CAAC;IAEpE,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM;YAAE,SAAS;QAEtB,IAAI,UAAU,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,EAAE,EAAE,CAAC;gBACP,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YACxC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,EAAE,EAAE,CAAC;gBACP,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAElB,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;gBACjD,CAAC,CAAC,MAAM,CAAC,UAAU;gBACnB,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,YAAY,GAAG,MAAM,CAAC,SAAS,CAAC;YACtC,MAAM,SAAS,GACb,OAAO,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC/D,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;YAExB,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAClB,MAAM,UAAU,GACd,MAAM,CAAC,UAAU,KAAK,IAAI;gBAC1B,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,MAAM;gBACvC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,KAAK,CAAC;YAEzC,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC1C,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE;oBACvB,EAAE;oBACF,SAAS,EAAE,CAAC,QAAQ,EAAE,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;QAClC,YAAY,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC;QACxC,gBAAgB,EAAE,CAAC,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAiC,EACjC,OAA2B;IAE3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;IAC3E,OAAO,KAAK,KAAK,KAAK,WAAW,CAAC,OAAO,EAAE,SAAS,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,QAAQ,CAAC,EAAE,GAAG,CAAC;AAC5F,CAAC;AAED,SAAS,gBAAgB,CACvB,MAA+B,EAC/B,OAA2B;IAE3B,MAAM,SAAS,GACb,MAAM,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,SAAS,QAAQ,CAAC;IAClE,OAAO,aAAa,WAAW,CAAC,OAAO,EAAE,WAAW,MAAM,CAAC,EAAE,EAAE,CAAC,SAAS,MAAM,CAAC,EAAE,KAAK,SAAS,GAAG,CAAC;AACtG,CAAC;AAED,SAAS,6BAA6B,CAAC,MAA4B;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,CAAC;IACtE,OAAO,CACL,uCAAuC,IAAI,IAAI,GAAG,GAAG;QACrD,4FAA4F,CAC7F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,YAAoB,EACpB,WAAmC,EACnC,UAAsC,EAAE;IAExC,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,gBAAgB,EAAE,GACjD,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAChC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAChC,gBAAgB,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAC5C,CAAC;IACF,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAC1C,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAC7C,CAAC;IAEF,IAAI,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAE9E,IACE,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAC7B,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,oCAAoC,CAAC,IAAI,CAAC;QAC3C,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC/B,2BAA2B,CAAC,IAAI,EAAE,KAAK,CAAC,CACzC;YACC,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC5E,CAAC;QACD,OAAO,6BAA6B,CAAC,gBAAgB,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,SAAS,QAAQ,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAC7C,YAAY,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,WAAW,MAAM,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAC7C,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,aAAa,GAAG,eAAe,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAC/D,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,OAAO,aAAa,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;AAC9D,CAAC","sourcesContent":["export interface A2AToolResultSummary {\n tool: string;\n result: string;\n}\n\nexport interface A2AArtifactResponseOptions {\n baseUrl?: string;\n}\n\ninterface CreatedDocumentArtifact {\n id: string;\n title?: string;\n}\n\ninterface CreatedDesignShell {\n id: string;\n title?: string;\n}\n\ninterface GeneratedDesignArtifact {\n id: string;\n fileCount: number;\n}\n\nfunction asRecord(value: unknown): Record<string, unknown> | null {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : null;\n}\n\nfunction stringValue(value: unknown): string | undefined {\n return typeof value === \"string\" && value.trim() ? value.trim() : undefined;\n}\n\nfunction parseToolResultJson(result: string): Record<string, unknown> | null {\n const trimmed = result.trim();\n if (!trimmed || /^Error(?:\\s|:)/i.test(trimmed)) return null;\n\n try {\n return asRecord(JSON.parse(trimmed));\n } catch {\n // Dev shell wrappers may include console output before the returned JSON.\n const firstBrace = trimmed.indexOf(\"{\");\n const lastBrace = trimmed.lastIndexOf(\"}\");\n if (firstBrace < 0 || lastBrace <= firstBrace) return null;\n try {\n return asRecord(JSON.parse(trimmed.slice(firstBrace, lastBrace + 1)));\n } catch {\n return null;\n }\n }\n}\n\nfunction normalizeBaseUrl(baseUrl: string | undefined): string | undefined {\n const trimmed = baseUrl?.trim();\n return trimmed ? trimmed.replace(/\\/+$/, \"\") : undefined;\n}\n\nfunction artifactUrl(baseUrl: string | undefined, path: string): string {\n const base = normalizeBaseUrl(baseUrl);\n return base ? `${base}${path}` : path;\n}\n\nfunction responseAlreadyMentionsPath(text: string, path: string): boolean {\n return text.includes(path);\n}\n\nfunction responseMentionsDesignShell(\n text: string,\n shell: CreatedDesignShell,\n): boolean {\n if (!text.trim()) return true;\n return text.includes(shell.id) || text.includes(`/design/${shell.id}`);\n}\n\nfunction responseAlreadyWarnsIncompleteDesign(text: string): boolean {\n return /(?:not ready|still working|processing|no renderable|no files|failed|could not|cannot|can't)/i.test(\n text,\n );\n}\n\nfunction collectArtifacts(results: A2AToolResultSummary[]): {\n documents: CreatedDocumentArtifact[];\n designShells: CreatedDesignShell[];\n generatedDesigns: GeneratedDesignArtifact[];\n} {\n const documents = new Map<string, CreatedDocumentArtifact>();\n const designShells = new Map<string, CreatedDesignShell>();\n const generatedDesigns = new Map<string, GeneratedDesignArtifact>();\n\n for (const toolResult of results) {\n const parsed = parseToolResultJson(toolResult.result);\n if (!parsed) continue;\n\n if (toolResult.tool === \"create-document\") {\n const id = stringValue(parsed.id);\n if (id) {\n documents.set(id, { id, title: stringValue(parsed.title) });\n }\n continue;\n }\n\n if (toolResult.tool === \"create-design\") {\n const id = stringValue(parsed.id);\n if (id) {\n designShells.set(id, { id, title: stringValue(parsed.title) });\n }\n continue;\n }\n\n if (toolResult.tool === \"generate-design\") {\n const id = stringValue(parsed.designId);\n if (!id) continue;\n\n const savedFiles = Array.isArray(parsed.savedFiles)\n ? parsed.savedFiles\n : [];\n const rawFileCount = parsed.fileCount;\n const fileCount =\n typeof rawFileCount === \"number\" && Number.isFinite(rawFileCount)\n ? rawFileCount\n : savedFiles.length;\n\n if (fileCount > 0) {\n generatedDesigns.set(id, { id, fileCount });\n }\n continue;\n }\n\n if (toolResult.tool === \"create-file\") {\n const id = stringValue(parsed.designId);\n if (!id) continue;\n const renderable =\n parsed.renderable === true ||\n stringValue(parsed.fileType) === \"html\" ||\n stringValue(parsed.fileType) === \"jsx\";\n\n if (renderable) {\n const previous = generatedDesigns.get(id);\n generatedDesigns.set(id, {\n id,\n fileCount: (previous?.fileCount ?? 0) + 1,\n });\n }\n }\n }\n\n return {\n documents: [...documents.values()],\n designShells: [...designShells.values()],\n generatedDesigns: [...generatedDesigns.values()],\n };\n}\n\nfunction formatDocumentLine(\n document: CreatedDocumentArtifact,\n baseUrl: string | undefined,\n): string {\n const label = document.title ? `Document \"${document.title}\"` : \"Document\";\n return `- ${label}: ${artifactUrl(baseUrl, `/page/${document.id}`)} (ID: ${document.id})`;\n}\n\nfunction formatDesignLine(\n design: GeneratedDesignArtifact,\n baseUrl: string | undefined,\n): string {\n const fileLabel =\n design.fileCount === 1 ? \"1 file\" : `${design.fileCount} files`;\n return `- Design: ${artifactUrl(baseUrl, `/design/${design.id}`)} (ID: ${design.id}, ${fileLabel})`;\n}\n\nfunction formatIncompleteDesignMessage(shells: CreatedDesignShell[]): string {\n const ids = shells.map((shell) => shell.id).join(\", \");\n const noun = shells.length === 1 ? \"project shell\" : \"project shells\";\n return (\n `The design is not ready yet. Design ${noun} ${ids} ` +\n \"exists, but no renderable files were saved, so I cannot return it as a completed artifact.\"\n );\n}\n\nexport function appendA2AArtifactLinks(\n responseText: string,\n toolResults: A2AToolResultSummary[],\n options: A2AArtifactResponseOptions = {},\n): string {\n const baseUrl = normalizeBaseUrl(options.baseUrl);\n const { documents, designShells, generatedDesigns } =\n collectArtifacts(toolResults);\n const generatedDesignIds = new Set(\n generatedDesigns.map((design) => design.id),\n );\n const incompleteShells = designShells.filter(\n (shell) => !generatedDesignIds.has(shell.id),\n );\n\n let text = responseText.trim() === \"(no response)\" ? \"\" : responseText.trim();\n\n if (\n generatedDesigns.length === 0 &&\n incompleteShells.length > 0 &&\n !responseAlreadyWarnsIncompleteDesign(text) &&\n (incompleteShells.some((shell) =>\n responseMentionsDesignShell(text, shell),\n ) ||\n /\\b(?:done|created|ready|here(?:'s| is)|complete|finished)\\b/i.test(text))\n ) {\n return formatIncompleteDesignMessage(incompleteShells);\n }\n\n const missingLines: string[] = [];\n for (const document of documents) {\n const path = `/page/${document.id}`;\n if (!responseAlreadyMentionsPath(text, path)) {\n missingLines.push(formatDocumentLine(document, baseUrl));\n }\n }\n for (const design of generatedDesigns) {\n const path = `/design/${design.id}`;\n if (!responseAlreadyMentionsPath(text, path)) {\n missingLines.push(formatDesignLine(design, baseUrl));\n }\n }\n\n if (missingLines.length === 0) return text;\n const artifactBlock = `Artifacts:\\n${missingLines.join(\"\\n\")}`;\n return text ? `${text}\\n\\n${artifactBlock}` : artifactBlock;\n}\n"]}
1
+ {"version":3,"file":"artifact-response.js","sourceRoot":"","sources":["../../src/a2a/artifact-response.ts"],"names":[],"mappings":"AA+BA,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAChE,CAAC,CAAE,KAAiC;QACpC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc;IACzC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,UAAU,GAAG,CAAC,IAAI,SAAS,IAAI,UAAU;YAAE,OAAO,IAAI,CAAC;QAC3D,IAAI,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA2B;IACnD,MAAM,OAAO,GAAG,OAAO,EAAE,IAAI,EAAE,CAAC;IAChC,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,SAAS,WAAW,CAAC,OAA2B,EAAE,IAAY;IAC5D,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACxC,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAY,EAAE,IAAY;IAC7D,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,2BAA2B,CAClC,IAAY,EACZ,KAAyB;IAEzB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,oCAAoC,CAAC,IAAY;IACxD,OAAO,8FAA8F,CAAC,IAAI,CACxG,IAAI,CACL,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,iBAAiB,GACrB,QAAQ,KAAK,MAAM;QACnB,QAAQ,KAAK,KAAK;QAClB,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC;QAC3B,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC7B,IAAI,CAAC,iBAAiB;QAAE,OAAO,KAAK,CAAC;IAErC,OAAO,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACpC,OAAO,KAAK,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC,MAAM,CAAC;AACrD,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QACxD,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA+B;IAKvD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC7D,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAC3D,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAmC,CAAC;IAEpE,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM;YAAE,SAAS;QAEtB,IACE,UAAU,CAAC,IAAI,KAAK,iBAAiB;YACrC,UAAU,CAAC,IAAI,KAAK,cAAc;YAClC,UAAU,CAAC,IAAI,KAAK,iBAAiB,EACrC,CAAC;YACD,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,EAAE,EAAE,CAAC;gBACP,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YACxC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,EAAE,EAAE,CAAC;gBACP,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAElB,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrE,IAAI,mBAAmB,GAAG,CAAC,EAAE,CAAC;gBAC5B,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE;oBACvB,EAAE;oBACF,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;wBACpC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM;wBACrB,CAAC,CAAC,mBAAmB;iBACxB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YAC1C,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAElB,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;gBACjD,CAAC,CAAC,MAAM,CAAC,UAAU;gBACnB,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC;YAErE,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE;gBAAE,SAAS;YAClB,MAAM,UAAU,GACd,MAAM,CAAC,UAAU,KAAK,IAAI;gBAC1B,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,MAAM;gBACvC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,KAAK,CAAC;YAEzC,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC1C,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE;oBACvB,EAAE;oBACF,SAAS,EAAE,CAAC,QAAQ,EAAE,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAClC,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChD,IAAI,EAAE,IAAI,SAAS,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBACrC,gBAAgB,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;QAClC,YAAY,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC;QACxC,gBAAgB,EAAE,CAAC,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,QAAiC,EACjC,OAA2B;IAE3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;IAC3E,OAAO,KAAK,KAAK,KAAK,WAAW,CAAC,OAAO,EAAE,SAAS,QAAQ,CAAC,EAAE,EAAE,CAAC,SAAS,QAAQ,CAAC,EAAE,GAAG,CAAC;AAC5F,CAAC;AAED,SAAS,gBAAgB,CACvB,MAA+B,EAC/B,OAA2B;IAE3B,MAAM,SAAS,GACb,MAAM,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,SAAS,QAAQ,CAAC;IAClE,OAAO,aAAa,WAAW,CAAC,OAAO,EAAE,WAAW,MAAM,CAAC,EAAE,EAAE,CAAC,SAAS,MAAM,CAAC,EAAE,KAAK,SAAS,GAAG,CAAC;AACtG,CAAC;AAED,SAAS,6BAA6B,CAAC,MAA4B;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,CAAC;IACtE,OAAO,CACL,uCAAuC,IAAI,IAAI,GAAG,GAAG;QACrD,4FAA4F,CAC7F,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CACjC,IAAY,EACZ,OAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,GAAG,EAA8B,CAAC;IACnD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,kBAAkB,GACtB,kFAAkF,CAAC;IAErF,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACtD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,IAAI,MAAM,IAAI,UAAU,IAAI,MAAM,KAAK,UAAU;YAAE,SAAS;QAE5D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,IAAI,GACR,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7C,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,GAAuB;IACzC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,gCAAgC,CACvC,IAAY,EACZ,OAA2B,EAC3B,SAAoC,EACpC,gBAA2C;IAE3C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAEvE,OAAO,0BAA0B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAC9D,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU;YAAE,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,+BAA+B,CACtC,IAA0B,EAC1B,SAAoC,EACpC,gBAA2C,EAC3C,OAA2B;IAE3B,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAClE,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACtE,MAAM,KAAK,GAAG,cAAc;QAC1B,CAAC,CAAC,YAAY;QACd,CAAC,CAAC,gBAAgB;YAChB,CAAC,CAAC,cAAc;YAChB,CAAC,CAAC,cAAc,CAAC;IACrB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC;IACvD,MAAM,OAAO,GAAG,0BAA0B,MAAM,mFAAmF,CAAC;IACpI,MAAM,aAAa,GAAG;QACpB,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACrE,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACvE,CAAC;IAEF,OAAO,aAAa,CAAC,MAAM,GAAG,CAAC;QAC7B,CAAC,CAAC,GAAG,OAAO,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACzD,CAAC,CAAC,OAAO,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,YAAoB,EACpB,WAAmC,EACnC,UAAsC,EAAE;IAExC,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,gBAAgB,EAAE,GACjD,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAChC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAChC,gBAAgB,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAC5C,CAAC;IACF,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAC1C,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAC7C,CAAC;IAEF,IAAI,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAE9E,IACE,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAC7B,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,oCAAoC,CAAC,IAAI,CAAC;QAC3C,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC/B,2BAA2B,CAAC,IAAI,EAAE,KAAK,CAAC,CACzC;YACC,8DAA8D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC5E,CAAC;QACD,OAAO,6BAA6B,CAAC,gBAAgB,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,cAAc,GAAG,gCAAgC,CACrD,IAAI,EACJ,OAAO,EACP,SAAS,EACT,gBAAgB,CACjB,CAAC;IACF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,+BAA+B,CACpC,cAAc,EACd,SAAS,EACT,gBAAgB,EAChB,OAAO,CACR,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,SAAS,QAAQ,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAC7C,YAAY,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,WAAW,MAAM,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAC7C,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,aAAa,GAAG,eAAe,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAC/D,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,OAAO,aAAa,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;AAC9D,CAAC","sourcesContent":["export interface A2AToolResultSummary {\n tool: string;\n result: string;\n}\n\nexport interface A2AArtifactResponseOptions {\n baseUrl?: string;\n}\n\ninterface CreatedDocumentArtifact {\n id: string;\n title?: string;\n}\n\ninterface CreatedDesignShell {\n id: string;\n title?: string;\n}\n\ninterface GeneratedDesignArtifact {\n id: string;\n fileCount: number;\n}\n\ntype ReferencedArtifactKind = \"design\" | \"document\";\n\ninterface ReferencedArtifact {\n kind: ReferencedArtifactKind;\n id: string;\n}\n\nfunction asRecord(value: unknown): Record<string, unknown> | null {\n return value && typeof value === \"object\" && !Array.isArray(value)\n ? (value as Record<string, unknown>)\n : null;\n}\n\nfunction stringValue(value: unknown): string | undefined {\n return typeof value === \"string\" && value.trim() ? value.trim() : undefined;\n}\n\nfunction parseToolResultJson(result: string): Record<string, unknown> | null {\n const trimmed = result.trim();\n if (!trimmed || /^Error(?:\\s|:)/i.test(trimmed)) return null;\n\n try {\n return asRecord(JSON.parse(trimmed));\n } catch {\n // Dev shell wrappers may include console output before the returned JSON.\n const firstBrace = trimmed.indexOf(\"{\");\n const lastBrace = trimmed.lastIndexOf(\"}\");\n if (firstBrace < 0 || lastBrace <= firstBrace) return null;\n try {\n return asRecord(JSON.parse(trimmed.slice(firstBrace, lastBrace + 1)));\n } catch {\n return null;\n }\n }\n}\n\nfunction normalizeBaseUrl(baseUrl: string | undefined): string | undefined {\n const trimmed = baseUrl?.trim();\n return trimmed ? trimmed.replace(/\\/+$/, \"\") : undefined;\n}\n\nfunction artifactUrl(baseUrl: string | undefined, path: string): string {\n const base = normalizeBaseUrl(baseUrl);\n return base ? `${base}${path}` : path;\n}\n\nfunction responseAlreadyMentionsPath(text: string, path: string): boolean {\n return text.includes(path);\n}\n\nfunction responseMentionsDesignShell(\n text: string,\n shell: CreatedDesignShell,\n): boolean {\n if (!text.trim()) return true;\n return text.includes(shell.id) || text.includes(`/design/${shell.id}`);\n}\n\nfunction responseAlreadyWarnsIncompleteDesign(text: string): boolean {\n return /(?:not ready|still working|processing|no renderable|no files|failed|could not|cannot|can't)/i.test(\n text,\n );\n}\n\nfunction isRenderableDesignFile(value: unknown): boolean {\n const file = asRecord(value);\n if (!file) return false;\n\n const filename = stringValue(file.filename);\n const fileType = stringValue(file.fileType);\n const hasRenderableType =\n fileType === \"html\" ||\n fileType === \"jsx\" ||\n filename?.endsWith(\".html\") ||\n filename?.endsWith(\".jsx\");\n if (!hasRenderableType) return false;\n\n return typeof file.content !== \"string\" || file.content.trim().length > 0;\n}\n\nfunction countRenderableDesignFiles(files: unknown): number {\n if (!Array.isArray(files)) return 0;\n return files.filter(isRenderableDesignFile).length;\n}\n\nfunction numberValue(value: unknown): number | undefined {\n return typeof value === \"number\" && Number.isFinite(value)\n ? value\n : undefined;\n}\n\nfunction collectArtifacts(results: A2AToolResultSummary[]): {\n documents: CreatedDocumentArtifact[];\n designShells: CreatedDesignShell[];\n generatedDesigns: GeneratedDesignArtifact[];\n} {\n const documents = new Map<string, CreatedDocumentArtifact>();\n const designShells = new Map<string, CreatedDesignShell>();\n const generatedDesigns = new Map<string, GeneratedDesignArtifact>();\n\n for (const toolResult of results) {\n const parsed = parseToolResultJson(toolResult.result);\n if (!parsed) continue;\n\n if (\n toolResult.tool === \"create-document\" ||\n toolResult.tool === \"get-document\" ||\n toolResult.tool === \"update-document\"\n ) {\n const id = stringValue(parsed.id);\n if (id) {\n documents.set(id, { id, title: stringValue(parsed.title) });\n }\n continue;\n }\n\n if (toolResult.tool === \"create-design\") {\n const id = stringValue(parsed.id);\n if (id) {\n designShells.set(id, { id, title: stringValue(parsed.title) });\n }\n continue;\n }\n\n if (toolResult.tool === \"get-design\") {\n const id = stringValue(parsed.id);\n if (!id) continue;\n\n const renderableFileCount = countRenderableDesignFiles(parsed.files);\n if (renderableFileCount > 0) {\n generatedDesigns.set(id, {\n id,\n fileCount: Array.isArray(parsed.files)\n ? parsed.files.length\n : renderableFileCount,\n });\n } else {\n designShells.set(id, { id, title: stringValue(parsed.title) });\n }\n continue;\n }\n\n if (toolResult.tool === \"generate-design\") {\n const id = stringValue(parsed.designId);\n if (!id) continue;\n\n const savedFiles = Array.isArray(parsed.savedFiles)\n ? parsed.savedFiles\n : [];\n const fileCount = numberValue(parsed.fileCount) ?? savedFiles.length;\n\n if (fileCount > 0) {\n generatedDesigns.set(id, { id, fileCount });\n }\n continue;\n }\n\n if (toolResult.tool === \"create-file\") {\n const id = stringValue(parsed.designId);\n if (!id) continue;\n const renderable =\n parsed.renderable === true ||\n stringValue(parsed.fileType) === \"html\" ||\n stringValue(parsed.fileType) === \"jsx\";\n\n if (renderable) {\n const previous = generatedDesigns.get(id);\n generatedDesigns.set(id, {\n id,\n fileCount: (previous?.fileCount ?? 0) + 1,\n });\n }\n }\n\n if (toolResult.tool === \"duplicate-design\") {\n const id = stringValue(parsed.id);\n const fileCount = numberValue(parsed.fileCount);\n if (id && fileCount && fileCount > 0) {\n generatedDesigns.set(id, { id, fileCount });\n }\n }\n }\n\n return {\n documents: [...documents.values()],\n designShells: [...designShells.values()],\n generatedDesigns: [...generatedDesigns.values()],\n };\n}\n\nfunction formatDocumentLine(\n document: CreatedDocumentArtifact,\n baseUrl: string | undefined,\n): string {\n const label = document.title ? `Document \"${document.title}\"` : \"Document\";\n return `- ${label}: ${artifactUrl(baseUrl, `/page/${document.id}`)} (ID: ${document.id})`;\n}\n\nfunction formatDesignLine(\n design: GeneratedDesignArtifact,\n baseUrl: string | undefined,\n): string {\n const fileLabel =\n design.fileCount === 1 ? \"1 file\" : `${design.fileCount} files`;\n return `- Design: ${artifactUrl(baseUrl, `/design/${design.id}`)} (ID: ${design.id}, ${fileLabel})`;\n}\n\nfunction formatIncompleteDesignMessage(shells: CreatedDesignShell[]): string {\n const ids = shells.map((shell) => shell.id).join(\", \");\n const noun = shells.length === 1 ? \"project shell\" : \"project shells\";\n return (\n `The design is not ready yet. Design ${noun} ${ids} ` +\n \"exists, but no renderable files were saved, so I cannot return it as a completed artifact.\"\n );\n}\n\nfunction collectReferencedArtifacts(\n text: string,\n baseUrl: string | undefined,\n): ReferencedArtifact[] {\n const refs = new Map<string, ReferencedArtifact>();\n const baseOrigin = safeOrigin(baseUrl);\n const artifactUrlPattern =\n /(?:(https?:\\/\\/[^/\\s<>()]+))?(?:\\/[^\\s<>()]*)?\\/(design|page)\\/([A-Za-z0-9_-]+)/g;\n\n for (const match of text.matchAll(artifactUrlPattern)) {\n const origin = safeOrigin(match[1]);\n if (origin && baseOrigin && origin !== baseOrigin) continue;\n\n const route = match[2];\n const id = match[3];\n const kind: ReferencedArtifactKind =\n route === \"design\" ? \"design\" : \"document\";\n refs.set(`${kind}:${id}`, { kind, id });\n }\n\n return [...refs.values()];\n}\n\nfunction safeOrigin(url: string | undefined): string | undefined {\n if (!url) return undefined;\n try {\n return new URL(url).origin;\n } catch {\n return undefined;\n }\n}\n\nfunction findUnverifiedArtifactReferences(\n text: string,\n baseUrl: string | undefined,\n documents: CreatedDocumentArtifact[],\n generatedDesigns: GeneratedDesignArtifact[],\n): ReferencedArtifact[] {\n const documentIds = new Set(documents.map((document) => document.id));\n const designIds = new Set(generatedDesigns.map((design) => design.id));\n\n return collectReferencedArtifacts(text, baseUrl).filter((ref) => {\n if (ref.kind === \"document\") return !documentIds.has(ref.id);\n return !designIds.has(ref.id);\n });\n}\n\nfunction formatUnverifiedArtifactMessage(\n refs: ReferencedArtifact[],\n documents: CreatedDocumentArtifact[],\n generatedDesigns: GeneratedDesignArtifact[],\n baseUrl: string | undefined,\n): string {\n const hasOnlyDesigns = refs.every((ref) => ref.kind === \"design\");\n const hasOnlyDocuments = refs.every((ref) => ref.kind === \"document\");\n const label = hasOnlyDesigns\n ? \"design URL\"\n : hasOnlyDocuments\n ? \"document URL\"\n : \"artifact URL\";\n const plural = refs.length === 1 ? label : `${label}s`;\n const message = `I could not verify the ${plural} in the final answer against a successful artifact action, so I cannot return it.`;\n const verifiedLines = [\n ...documents.map((document) => formatDocumentLine(document, baseUrl)),\n ...generatedDesigns.map((design) => formatDesignLine(design, baseUrl)),\n ];\n\n return verifiedLines.length > 0\n ? `${message}\\n\\nArtifacts:\\n${verifiedLines.join(\"\\n\")}`\n : message;\n}\n\nexport function appendA2AArtifactLinks(\n responseText: string,\n toolResults: A2AToolResultSummary[],\n options: A2AArtifactResponseOptions = {},\n): string {\n const baseUrl = normalizeBaseUrl(options.baseUrl);\n const { documents, designShells, generatedDesigns } =\n collectArtifacts(toolResults);\n const generatedDesignIds = new Set(\n generatedDesigns.map((design) => design.id),\n );\n const incompleteShells = designShells.filter(\n (shell) => !generatedDesignIds.has(shell.id),\n );\n\n let text = responseText.trim() === \"(no response)\" ? \"\" : responseText.trim();\n\n if (\n generatedDesigns.length === 0 &&\n incompleteShells.length > 0 &&\n !responseAlreadyWarnsIncompleteDesign(text) &&\n (incompleteShells.some((shell) =>\n responseMentionsDesignShell(text, shell),\n ) ||\n /\\b(?:done|created|ready|here(?:'s| is)|complete|finished)\\b/i.test(text))\n ) {\n return formatIncompleteDesignMessage(incompleteShells);\n }\n\n const unverifiedRefs = findUnverifiedArtifactReferences(\n text,\n baseUrl,\n documents,\n generatedDesigns,\n );\n if (unverifiedRefs.length > 0) {\n return formatUnverifiedArtifactMessage(\n unverifiedRefs,\n documents,\n generatedDesigns,\n baseUrl,\n );\n }\n\n const missingLines: string[] = [];\n for (const document of documents) {\n const path = `/page/${document.id}`;\n if (!responseAlreadyMentionsPath(text, path)) {\n missingLines.push(formatDocumentLine(document, baseUrl));\n }\n }\n for (const design of generatedDesigns) {\n const path = `/design/${design.id}`;\n if (!responseAlreadyMentionsPath(text, path)) {\n missingLines.push(formatDesignLine(design, baseUrl));\n }\n }\n\n if (missingLines.length === 0) return text;\n const artifactBlock = `Artifacts:\\n${missingLines.join(\"\\n\")}`;\n return text ? `${text}\\n\\n${artifactBlock}` : artifactBlock;\n}\n"]}
package/dist/a2a/server.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CAoNN"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AA4J5C;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,GAAG,EACb,MAAM,EAAE,SAAS,EACjB,WAAW,SAAmB,GAC7B,IAAI,CA8NN"}
package/dist/a2a/server.js CHANGED
@@ -316,6 +316,17 @@ export function mountA2A(nitroApp, config, routePrefix = "/_agent-native") {
316
316
  }
317
317
  warnA2AUnauthOnce();
318
318
  }
319
+ else if (isA2AProductionRuntime()) {
320
+ setResponseStatus(event, 401);
321
+ return {
322
+ jsonrpc: "2.0",
323
+ id: null,
324
+ error: {
325
+ code: -32001,
326
+ message: "Authentication required",
327
+ },
328
+ };
329
+ }
319
330
  }
320
331
  // Store verified caller identity on the event context so the handler
321
332
  // can set request context from a trusted source instead of metadata
package/dist/a2a/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n token: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (hasConfiguredA2ASecret()) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? \"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n const bearerToken = extractBearerToken(authHeader);\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (bearerToken) {\n const tokenPayload = await verifyA2AToken(bearerToken, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!bearerToken) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n if (bearerToken !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // Any supplied bearer token that failed JWT verification is an auth\n // failure after the legacy exact-match apiKeyEnv path has had a\n // chance to succeed. Do not let bad tokens fall through to tasks/get\n // and get reported as lookup misses.\n if (bearerTokenRejectedByJwt) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
1
+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/a2a/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAElB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B;;;;;GAKG;AACH,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAC7B,SAAS,iBAAiB;IACxB,IAAI,gBAAgB;QAAE,OAAO;IAC7B,gBAAgB,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,mFAAmF;QACjF,4FAA4F,CAC/F,CAAC;AACJ,CAAC;AAWD,SAAS,kBAAkB,CACzB,UAAoB,EACpB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO;IACrD,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAsB;IACjD,MAAM,OAAO,GACX,OAAO,CAAC,GAAG,CAAC,OAAO;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG;QACf,OAAO,CAAC,GAAG,CAAC,UAAU;QACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC9B,IAAI,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,uEAAuE;IACvE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,OAAO,CAAC;QACtE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,IAAI;YAAE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,KAAa,EACb,KAAsB;IAEtB,qEAAqE;IACrE,qEAAqE;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,wBAAwB;IACxB,IAAI,aAAiC,CAAC;IACtC,IAAI,iBAA8C,CAAC;IACnD,IAAI,CAAC;QACH,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1C,aAAa,GAAG,iBAAiB,CAAC,UAAgC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,kBAAkB,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACnE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAC5D,kBAAkB,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAE3E,iDAAiD;IACjD,EAAE;IACF,kEAAkE;IAClE,qEAAqE;IACrE,wBAAwB;IACxB,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,oEAAoE;IACpE,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,sEAAsE;IACtE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,aAAa,GAA0B,EAAE,CAAC;QAChD,IAAI,iBAAiB,IAAI,OAAO,iBAAiB,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YACtE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,GAAG;gBAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC;QACxC,CAAC;QACD,IACE,iBAAiB;YACjB,OAAO,iBAAiB,CAAC,GAAG,KAAK,QAAQ;YACzC,iBAAiB,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAChC,CAAC;YACD,aAAa,CAAC,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC;QAC/C,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,aAAa,CACd,CAAC;gBACF,OAAO;oBACL,KAAK,EAAG,OAAO,CAAC,GAAc,IAAI,IAAI;oBACtC,SAAS,EAAG,OAAO,CAAC,UAAqB,IAAI,IAAI;iBAClD,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,8DAA8D;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;IAC5E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,2CAA2C;IAC3C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,8BAA8B,EAC9B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,QAAQ,GACZ,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC;YAC5C,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,WAAW,CAAC;QAC5D,MAAM,OAAO,GAAG,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC;QAExC,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,sEAAsE;QACtE,mBAAmB;QACnB,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC5D,MAAM,EAAE,GACL,KAAwC,CAAC,EAAE;gBAC3C,KAA2B,CAAC,IAAI;gBACjC,EAAE,CAAC;YACL,IAAI,OAAO,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACxC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,OAAO,CAAC,CAAC;IAC3E,CAAC,CAAC,CACH,CAAC;IAEF,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,gEAAgE;IAChE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,2EAA2E;IAC3E,2EAA2E;IAC3E,kEAAkE;IAClE,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,oBAAoB,EAClC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAgC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QAED,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,IAAI,sBAAsB,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACrC,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBACtC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;YACzD,CAAC;QACH,CAAC;aAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,uFAAuF;aAC1F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,iBAAiB,EAAE,CAAC;QACtB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,iEAAiE;QACjE,qEAAqE;QACrE,iEAAiE;QACjE,mEAAmE;QACnE,oDAAoD;QACpD,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO;QAE5C,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACnD,IAAI,mBAAmB,GAAkB,IAAI,CAAC;QAC9C,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,yBAAyB,GAAG,KAAK,CAAC;QACtC,IAAI,wBAAwB,GAAG,KAAK,CAAC;QAErC,oEAAoE;QACpE,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,4DAA4D;QAC5D,MAAM,YAAY,GAAG,sBAAsB,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QAExE,6EAA6E;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAC9D,mBAAmB,GAAG,YAAY,CAAC,KAAK,CAAC;YACzC,iBAAiB,GAAG,YAAY,CAAC,SAAS,CAAC;YAC3C,wBAAwB,GAAG,CAAC,mBAAmB,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC;gBACJ,CAAC;gBACD,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;oBAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE;qBACpD,CAAC;gBACJ,CAAC;gBACD,yBAAyB,GAAG,IAAI,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACvD,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qCAAqC;YACrC,IAAI,wBAAwB,EAAE,CAAC;gBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,8BAA8B;qBACxC;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,IAAI,sBAAsB,EAAE,EAAE,CAAC;oBAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EACL,qHAAqH;yBACxH;qBACF,CAAC;gBACJ,CAAC;gBACD,iBAAiB,EAAE,CAAC;YACtB,CAAC;iBAAM,IAAI,sBAAsB,EAAE,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,yBAAyB;qBACnC;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,oEAAoE;QACpE,IAAI,mBAAmB,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,mBAAmB,CAAC;QACzD,CAAC;QACD,IAAI,iBAAiB,EAAE,CAAC;YACtB,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,iBAAiB,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CACH,CAAC;AACJ,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseHeader,\n setResponseStatus,\n getMethod,\n getRequestHeader,\n} from \"h3\";\nimport type { A2AConfig } from \"./types.js\";\nimport { generateAgentCard } from \"./agent-card.js\";\nimport { handleJsonRpcH3, processA2ATaskFromQueue } from \"./handlers.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n extractBearerToken,\n verifyInternalToken,\n} from \"../integrations/internal-token.js\";\nimport {\n hasConfiguredA2ASecret,\n isA2AProductionRuntime,\n} from \"./auth-policy.js\";\n\n/**\n * One-time warning when A2A is running unauthenticated in development. We\n * don't refuse the request (local templates need to work out of the box),\n * but we log a single noisy line so operators notice if they accidentally\n * deploy with no auth configured.\n */\nlet _warnedUnauthA2A = false;\nfunction warnA2AUnauthOnce(): void {\n if (_warnedUnauthA2A) return;\n _warnedUnauthA2A = true;\n // eslint-disable-next-line no-console\n console.warn(\n \"[a2a] No A2A_SECRET or apiKeyEnv configured — A2A endpoint runs unauthenticated. \" +\n \"This is allowed in development but blocked in production. Set A2A_SECRET before deploying.\",\n );\n}\n\n/**\n * Verify an inbound A2A JWT signed with the shared A2A_SECRET.\n * Returns the caller's email (from `sub` claim) if valid, null otherwise.\n */\ninterface A2ATokenPayload {\n email: string | null;\n orgDomain: string | null;\n}\n\nfunction addSecretCandidate(\n candidates: string[],\n secret: string | undefined,\n): void {\n const trimmed = secret?.trim();\n if (!trimmed || candidates.includes(trimmed)) return;\n candidates.push(trimmed);\n}\n\n/**\n * Resolve the audience (`aud`) value to expect in an inbound JWT. We use the\n * receiver's app URL — it's the natural identifier of \"who this token was\n * minted for\". Falls back to undefined when no app URL is configured, in\n * which case the audience check is skipped (backward-compat with tokens\n * minted before the audience claim shipped).\n */\nfunction expectedJwtAudience(event: any | undefined): string | undefined {\n const fromEnv =\n process.env.APP_URL ||\n process.env.URL ||\n process.env.DEPLOY_URL ||\n process.env.BETTER_AUTH_URL;\n if (fromEnv) return String(fromEnv);\n // Best-effort: derive from the inbound request host. This is forgeable\n // (Host-header attack), but only useful as a hint when env-derived URL\n // is unset; the rest of the JWT verification still uses the secret.\n try {\n const proto = getRequestHeader(event, \"x-forwarded-proto\") || \"https\";\n const host = getRequestHeader(event, \"host\");\n if (host) return `${proto}://${host}`;\n } catch {}\n return undefined;\n}\n\nasync function verifyA2AToken(\n token: string,\n event: any | undefined,\n): Promise<A2ATokenPayload> {\n // Step 1: Peek at JWT claims WITHOUT verification to get org_domain.\n // This is safe because we only use org_domain to look up the secret,\n // then verify the full JWT with that secret. If someone forges a JWT\n // with a fake org_domain, verification will fail because they don't\n // have the real secret.\n let orgDomainHint: string | undefined;\n let unverifiedPayload: jose.JWTPayload | undefined;\n try {\n unverifiedPayload = jose.decodeJwt(token);\n orgDomainHint = unverifiedPayload.org_domain as string | undefined;\n } catch {\n // Malformed token — fall through to global secret attempt\n }\n\n // Step 2: Build a small, ordered set of candidate secrets. Tokens minted by\n // current callers prefer the shared A2A_SECRET; older callers may still use\n // an org-level secret. Try both without logging or reflecting secret details.\n const candidateSecrets: string[] = [];\n addSecretCandidate(candidateSecrets, process.env.A2A_SECRET);\n if (orgDomainHint) {\n try {\n const { getA2ASecretByDomain } = await import(\"../org/context.js\");\n const orgSecret = await getA2ASecretByDomain(orgDomainHint);\n addSecretCandidate(candidateSecrets, orgSecret);\n } catch {\n // DB not ready or column doesn't exist yet — fall through\n }\n }\n if (candidateSecrets.length === 0) return { email: null, orgDomain: null };\n\n // Step 3: Verify JWT with the candidate secrets.\n //\n // - `audience`: passed only when the token carries an `aud` claim\n // (backward-compat: tokens minted by older `signA2AToken` versions\n // don't include one).\n // - `issuer`: enforced when the token carries an `iss` claim. The\n // sender's `signA2AToken` (`a2a/client.ts:42`) sets the issuer to its\n // own app URL, so a verified token must self-identify a non-empty\n // string issuer. We accept any string the token claims (we don't pin\n // a specific expected issuer because dispatchers may legitimately\n // mint tokens from many sender URLs — dev tunnels, multi-deploy\n // setups). The pin is \"issuer must match the value the token says\n // it was minted from\", which `jose.jwtVerify` validates exactly when\n // `issuer` is supplied as a string. Backward-compat: when the token\n // has no `iss`, we skip the check.\n try {\n const verifyOptions: jose.JWTVerifyOptions = {};\n if (unverifiedPayload && typeof unverifiedPayload.aud !== \"undefined\") {\n const aud = expectedJwtAudience(event);\n if (aud) verifyOptions.audience = aud;\n }\n if (\n unverifiedPayload &&\n typeof unverifiedPayload.iss === \"string\" &&\n unverifiedPayload.iss.length > 0\n ) {\n verifyOptions.issuer = unverifiedPayload.iss;\n }\n for (const secret of candidateSecrets) {\n try {\n const { payload } = await jose.jwtVerify(\n token,\n new TextEncoder().encode(secret),\n verifyOptions,\n );\n return {\n email: (payload.sub as string) ?? null,\n orgDomain: (payload.org_domain as string) ?? null,\n };\n } catch {\n // Try the next candidate without leaking which secret failed.\n }\n }\n } catch {\n // Keep malformed option construction indistinguishable from auth failure.\n }\n return { email: null, orgDomain: null };\n}\n\n/**\n * Mount A2A protocol endpoints on an H3/Nitro app.\n *\n * - GET /.well-known/agent-card.json — public agent card (no auth)\n * - POST /_agent-native/a2a — JSON-RPC endpoint (with optional auth)\n *\n * When A2A_SECRET is set, inbound Bearer tokens are verified as JWTs\n * and the caller's email is extracted from the `sub` claim. This provides\n * cryptographic identity verification for cross-app A2A calls.\n */\nexport function mountA2A(\n nitroApp: any,\n config: A2AConfig,\n routePrefix = \"/_agent-native\",\n): void {\n // Public agent card endpoint (no auth required).\n //\n // SECURITY: per-user / per-org MCP tools are filtered out of the public\n // skills list. Their merged-key prefix (`mcp__user_<emailhash>_…` or\n // `mcp__org_<orgid>_…`) discloses (a) which users have integrations\n // attached, and (b) what those integrations are — fingerprinting the\n // tenant. Template- and framework-defined skills stay; only the dynamic\n // per-tenant MCP entries are dropped. See finding #7 in\n // /tmp/security-audit/12-mcp-a2a-agent.md.\n getH3App(nitroApp).use(\n \"/.well-known/agent-card.json\",\n defineEventHandler((event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const protocol =\n getRequestHeader(event, \"x-forwarded-proto\") ||\n (event.url?.protocol?.replace(\":\", \"\") ?? \"http\");\n const host = getRequestHeader(event, \"host\") ?? \"localhost\";\n const baseUrl = `${protocol}://${host}`;\n\n // Filter out per-user/per-org MCP tools to avoid tenant disclosure.\n // Note: stdio MCP tools loaded from a file-based mcp.config.json are\n // process-wide and don't carry a per-user/per-org prefix, so they\n // remain visible. That's intentional — they're an operator-controlled\n // capability list.\n const filteredSkills = (config.skills ?? []).filter((skill) => {\n const id =\n (skill as { id?: string; name?: string }).id ??\n (skill as { name?: string }).name ??\n \"\";\n if (typeof id !== \"string\") return true;\n return !id.startsWith(\"mcp__user_\") && !id.startsWith(\"mcp__org_\");\n });\n\n return generateAgentCard({ ...config, skills: filteredSkills }, baseUrl);\n }),\n );\n\n // Async-mode processor route. MUST be mounted BEFORE the `/a2a` catch-all\n // below, since h3's `.use()` matches by prefix and `/a2a` would otherwise\n // swallow `/a2a/_process-task` and return a JSON-RPC \"Invalid token\" error\n // (the JSON-RPC handler doesn't know about taskId-only bodies).\n //\n // When `message/send` is called with `async: true`, the JSON-RPC handler\n // enqueues the task and self-fires a POST to this route on the same\n // deployment so the actual handler runs in a fresh function execution (its\n // own full timeout). Authenticated with an HMAC token bound to the task id\n // (5-minute lifetime, signed with A2A_SECRET — same scheme as the\n // integration webhook queue).\n getH3App(nitroApp).use(\n `${routePrefix}/a2a/_process-task`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = (await readBody(event)) as { taskId?: unknown } | null;\n const taskId = body && typeof body.taskId === \"string\" ? body.taskId : \"\";\n if (!taskId) {\n setResponseStatus(event, 400);\n return { error: \"taskId required\" };\n }\n\n // When A2A_SECRET is set, require a valid HMAC token bound to this\n // taskId. In production, we REQUIRE A2A_SECRET to be set so unsigned\n // dispatches are never accepted (an attacker who fishes a taskId out\n // of logs / a share link could otherwise force-replay it). In\n // development, a missing secret is permitted so local templates work\n // out of the box, but we log a one-time warning so operators notice.\n if (hasConfiguredA2ASecret()) {\n const auth = getRequestHeader(event, \"authorization\");\n const tok = extractBearerToken(auth);\n if (!verifyInternalToken(taskId, tok)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid or expired processor token\" };\n }\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n error:\n \"A2A processor not configured — set A2A_SECRET on this deployment to enable async A2A.\",\n };\n } else {\n warnA2AUnauthOnce();\n }\n\n try {\n await processA2ATaskFromQueue(taskId, config, event);\n return { ok: true };\n } catch (err: any) {\n console.error(\"[a2a] process-task failed:\", err);\n setResponseStatus(event, 500);\n return { error: err?.message ?? \"process-task failed\" };\n }\n }),\n );\n\n // JSON-RPC A2A endpoint (with optional auth)\n getH3App(nitroApp).use(\n `${routePrefix}/a2a`,\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n // h3 prefix-matches mounts, so a request to `/a2a/_process-task`\n // reaches this handler too. The dedicated mount above runs first and\n // takes the request, but if that returns `undefined` (or h3 ever\n // changes ordering semantics) defensively bail here. event.path is\n // stripped to the remainder after the mount prefix.\n const sub = (event.path || \"/\").split(\"?\")[0].replace(/^\\//, \"\");\n if (sub.startsWith(\"_process-task\")) return;\n\n const authHeader = getRequestHeader(event, \"authorization\");\n const bearerToken = extractBearerToken(authHeader);\n let verifiedCallerEmail: string | null = null;\n let verifiedOrgDomain: string | null = null;\n let legacyApiKeyAuthenticated = false;\n let bearerTokenRejectedByJwt = false;\n\n // SECURITY: when neither A2A_SECRET nor an apiKeyEnv is configured,\n // there's no way to authenticate the caller. Default to \"auth required\"\n // in production — return 503 with a clear message instead of running\n // the agent loop unauthenticated. In development, log a one-time\n // warning but allow so local templates work out of the box.\n const hasA2ASecret = hasConfiguredA2ASecret();\n const hasApiKey = !!(config.apiKeyEnv && process.env[config.apiKeyEnv]);\n\n // Try JWT verification first (org-level or global A2A_SECRET-based identity)\n if (bearerToken) {\n const tokenPayload = await verifyA2AToken(bearerToken, event);\n verifiedCallerEmail = tokenPayload.email;\n verifiedOrgDomain = tokenPayload.orgDomain;\n bearerTokenRejectedByJwt = !verifiedCallerEmail;\n }\n\n // Fall back to legacy API key check (exact string match)\n if (!verifiedCallerEmail && config.apiKeyEnv) {\n const expectedKey = process.env[config.apiKeyEnv];\n if (expectedKey) {\n if (!bearerToken) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Authentication required\" },\n };\n }\n if (bearerToken !== expectedKey) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: { code: -32001, message: \"Invalid API key\" },\n };\n }\n legacyApiKeyAuthenticated = true;\n }\n }\n\n if (!verifiedCallerEmail && !legacyApiKeyAuthenticated) {\n // Any supplied bearer token that failed JWT verification is an auth\n // failure after the legacy exact-match apiKeyEnv path has had a\n // chance to succeed. Do not let bad tokens fall through to tasks/get\n // and get reported as lookup misses.\n if (bearerTokenRejectedByJwt) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Invalid or expired A2A token\",\n },\n };\n }\n\n if (!hasA2ASecret && !hasApiKey) {\n if (isA2AProductionRuntime()) {\n setResponseStatus(event, 503);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message:\n \"A2A authentication not configured. Set A2A_SECRET (preferred) or configure apiKeyEnv to accept inbound A2A traffic.\",\n },\n };\n }\n warnA2AUnauthOnce();\n } else if (isA2AProductionRuntime()) {\n setResponseStatus(event, 401);\n return {\n jsonrpc: \"2.0\",\n id: null,\n error: {\n code: -32001,\n message: \"Authentication required\",\n },\n };\n }\n }\n\n // Store verified caller identity on the event context so the handler\n // can set request context from a trusted source instead of metadata\n if (verifiedCallerEmail) {\n event.context.__a2aVerifiedEmail = verifiedCallerEmail;\n }\n if (verifiedOrgDomain) {\n event.context.__a2aOrgDomain = verifiedOrgDomain;\n }\n\n const body = await readBody(event);\n return handleJsonRpcH3(body, event, config);\n }),\n );\n}\n"]}
package/dist/deploy/workspace-deploy.js CHANGED
@@ -158,12 +158,18 @@ function moveAppBuildIntoDist(workspaceRoot, app, distDir, preset, workspaceApps
158
158
  * the workspace dist root so each app is reachable under /<app>/*.
159
159
  */
160
160
  function writeCloudflareRoutingManifest(distDir, apps) {
161
+ const dispatchFaviconAsset = apps.includes("dispatch")
162
+ ? dispatchRootFaviconAsset(distDir)
163
+ : null;
161
164
  // _routes.json tells Cloudflare which paths are dynamic (Functions) vs
162
165
  // static. Mark /<app>/* as include so every app's worker handles its
163
166
  // subtree.
164
167
  const include = apps.map((a) => `/${a}/*`).concat(["/"]);
165
168
  if (apps.includes("dispatch")) {
166
169
  include.push("/_agent-native/*");
170
+ include.push("/.well-known/*");
171
+ if (dispatchFaviconAsset)
172
+ include.push("/favicon.ico");
167
173
  }
168
174
  const routes = {
169
175
  version: 1,
@@ -180,7 +186,11 @@ function writeCloudflareRoutingManifest(distDir, apps) {
180
186
  .map((a) => ` if (pathname === "/${a}" || pathname.startsWith("/${a}/")) return ${moduleIdent(a)}.fetch(request, env, ctx);`)
181
187
  .join("\n");
182
188
  const dispatchRootFrameworkRoutes = apps.includes("dispatch")
183
- ? ` if (pathname === "/_agent-native" || pathname.startsWith("/_agent-native/")) return ${moduleIdent("dispatch")}.fetch(request, env, ctx);
189
+ ? ` if (pathname === "/_agent-native" || pathname.startsWith("/_agent-native/") || pathname === "/.well-known" || pathname.startsWith("/.well-known/")) return ${moduleIdent("dispatch")}.fetch(request, env, ctx);
190
+ `
191
+ : "";
192
+ const dispatchRootFaviconRoute = dispatchFaviconAsset
193
+ ? ` if (pathname === "/favicon.ico") return Response.redirect(new URL("/dispatch/${dispatchFaviconAsset}", request.url).toString(), 302);
184
194
  `
185
195
  : "";
186
196
  const worker = `${imports}
@@ -188,7 +198,7 @@ function writeCloudflareRoutingManifest(distDir, apps) {
188
198
  export default {
189
199
  async fetch(request, env, ctx) {
190
200
  const { pathname } = new URL(request.url);
191
- ${dispatchRootFrameworkRoutes}${dispatch}
201
+ ${dispatchRootFrameworkRoutes}${dispatchRootFaviconRoute}${dispatch}
192
202
  if (pathname === "/") {
193
203
  return Response.redirect(new URL("${cloudflareRootRedirectPath(apps)}", request.url).toString(), 302);
194
204
  }
@@ -208,6 +218,11 @@ function writeNetlifyRedirects(distDir, apps) {
208
218
  ];
209
219
  if (apps.includes("dispatch")) {
210
220
  lines.push("/_agent-native/* /.netlify/functions/dispatch-server 200");
221
+ lines.push("/.well-known/* /.netlify/functions/dispatch-server 200");
222
+ const faviconAsset = dispatchRootFaviconAsset(distDir);
223
+ if (faviconAsset) {
224
+ lines.push(`/favicon.ico /dispatch/${faviconAsset} 302`);
225
+ }
211
226
  }
212
227
  for (const app of apps) {
213
228
  lines.push(...netlifyAssetRedirectsFor(app, distDir));
@@ -235,6 +250,20 @@ function netlifyAssetRedirectsFor(app, distDir) {
235
250
  }),
236
251
  ];
237
252
  }
253
+ function dispatchRootFaviconAsset(distDir) {
254
+ for (const asset of ["favicon.ico", "favicon.svg", "favicon.png"]) {
255
+ if (workspaceAppAssetExists(distDir, "dispatch", asset))
256
+ return asset;
257
+ }
258
+ return null;
259
+ }
260
+ function workspaceAppAssetExists(distDir, app, asset) {
261
+ return [
262
+ path.join(distDir, NETLIFY_WORKSPACE_STATIC_DIR, app, asset),
263
+ path.join(distDir, app, app, asset),
264
+ path.join(distDir, app, asset),
265
+ ].some((candidate) => fs.existsSync(candidate));
266
+ }
238
267
  const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [
239
268
  ["overview", "overview"],
240
269
  ["login", "login"],
@@ -282,7 +311,7 @@ function patchNetlifyFunctionEntry(functionDir, app, workspaceApps, staticDir) {
282
311
  return;
283
312
  const basePath = `/${app}`;
284
313
  const pathConfig = app === "dispatch"
285
- ? ["/_agent-native/*", `${basePath}/*`]
314
+ ? ["/_agent-native/*", "/.well-known/*", `${basePath}/*`]
286
315
  : [basePath, `${basePath}/*`];
287
316
  const normalizeBasePathHelper = app === "dispatch"
288
317
  ? ""