@agent-native/core 0.7.56 → 0.7.58

package/dist/templates/workspace-root/scripts/repair-workspace-org.ts

@@ -0,0 +1,283 @@
+#!/usr/bin/env tsx
+
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+
+interface Options {
+  name?: string;
+  domain?: string;
+  ownerEmail?: string;
+  a2aSecret?: string;
+  envPath: string;
+  force: boolean;
+  dryRun: boolean;
+  setDispatchDefaultOwner: boolean;
+}
+
+const HELP = `Usage:
+  pnpm repair:workspace-org -- --name "Example Co" --domain example.com --owner-email owner@example.com
+
+Options:
+  --name <value>                 Sets WORKSPACE_ORG_NAME
+  --domain <value>               Sets WORKSPACE_ORG_DOMAIN
+  --owner-email <value>          Sets WORKSPACE_OWNER_EMAIL
+  --a2a-secret <value>           Sets A2A_SECRET (generated when omitted)
+  --env <path>                   Env file to update (default: .env)
+  --force                        Overwrite existing non-empty values
+  --dry-run                      Print the changes without writing
+  --set-dispatch-default-owner   Also set DISPATCH_DEFAULT_OWNER_EMAIL
+`;
+
+const REQUIRED_KEYS = [
+  "WORKSPACE_ORG_NAME",
+  "WORKSPACE_ORG_DOMAIN",
+  "WORKSPACE_OWNER_EMAIL",
+  "A2A_SECRET",
+] as const;
+
+type RequiredKey = (typeof REQUIRED_KEYS)[number];
+
+function parseArgs(argv: string[]): Options {
+  const opts: Options = {
+    envPath: ".env",
+    force: false,
+    dryRun: false,
+    setDispatchDefaultOwner: false,
+  };
+
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    const [flag, inline] = arg.includes("=")
+      ? arg.split(/=(.*)/s, 2)
+      : [arg, undefined];
+    const value = (): string => {
+      const next = inline ?? argv[++i];
+      if (!next) fail(`Missing value for ${flag}.`);
+      return next;
+    };
+
+    switch (flag) {
+      case "--help":
+      case "-h":
+        console.log(HELP);
+        process.exit(0);
+      case "--name":
+        opts.name = value();
+        break;
+      case "--domain":
+        opts.domain = value();
+        break;
+      case "--owner-email":
+        opts.ownerEmail = value();
+        break;
+      case "--a2a-secret":
+        opts.a2aSecret = value();
+        break;
+      case "--env":
+        opts.envPath = value();
+        break;
+      case "--force":
+        opts.force = true;
+        break;
+      case "--dry-run":
+        opts.dryRun = true;
+        break;
+      case "--set-dispatch-default-owner":
+        opts.setDispatchDefaultOwner = true;
+        break;
+      default:
+        fail(`Unknown option: ${arg}\n\n${HELP}`);
+    }
+  }
+
+  return opts;
+}
+
+function fail(message: string): never {
+  console.error(message);
+  process.exit(1);
+}
+
+function readEnvFile(envPath: string): string {
+  if (fs.existsSync(envPath)) return fs.readFileSync(envPath, "utf-8");
+  const examplePath = path.join(path.dirname(envPath), ".env.example");
+  if (fs.existsSync(examplePath)) return fs.readFileSync(examplePath, "utf-8");
+  return "";
+}
+
+function parseEnv(content: string): Record<string, string> {
+  const values: Record<string, string> = {};
+  for (const line of content.split(/\r?\n/)) {
+    const match = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*)\s*$/);
+    if (!match) continue;
+    values[match[1]] = unquote(match[2]);
+  }
+  return values;
+}
+
+function unquote(value: string): string {
+  const trimmed = value.trim();
+  if (
+    (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+    (trimmed.startsWith("'") && trimmed.endsWith("'"))
+  ) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function normalizeDomain(domain: string): string {
+  return domain
+    .trim()
+    .toLowerCase()
+    .replace(/^https?:\/\//, "")
+    .replace(/\/.*$/, "");
+}
+
+function validateDomain(domain: string): void {
+  if (!/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/.test(domain)) {
+    fail(`Invalid --domain "${domain}". Use a bare domain like example.com.`);
+  }
+}
+
+function validateEmail(email: string): void {
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    fail(`Invalid --owner-email "${email}".`);
+  }
+}
+
+function formatEnvValue(value: string): string {
+  if (/^[A-Za-z0-9_@./:+-]+$/.test(value)) return value;
+  return JSON.stringify(value);
+}
+
+function upsertEnvValue(
+  content: string,
+  key: string,
+  value: string,
+  force: boolean,
+): { content: string; changed: boolean; skipped: boolean } {
+  const lines = content.length > 0 ? content.split(/\r?\n/) : [];
+  let found = false;
+  let changed = false;
+  let skipped = false;
+
+  const next = lines.map((line) => {
+    const match = line.match(/^(\s*)([A-Z0-9_]+)(\s*=\s*)(.*)$/);
+    if (!match || match[2] !== key) return line;
+
+    found = true;
+    const existing = unquote(match[4]);
+    if (existing && !force) {
+      skipped = true;
+      return line;
+    }
+
+    const replacement = `${match[1]}${key}${match[3]}${formatEnvValue(value)}`;
+    if (replacement !== line) changed = true;
+    return replacement;
+  });
+
+  if (!found) {
+    if (next.length > 0 && next[next.length - 1] !== "") next.push("");
+    next.push(`${key}=${formatEnvValue(value)}`);
+    changed = true;
+  }
+
+  return { content: next.join("\n"), changed, skipped };
+}
+
+function firstValue(...values: Array<string | undefined>): string | undefined {
+  return values.map((v) => v?.trim()).find(Boolean);
+}
+
+function main(): void {
+  const opts = parseArgs(process.argv.slice(2));
+  const envPath = path.resolve(opts.envPath);
+  const original = readEnvFile(envPath);
+  const current = parseEnv(original);
+
+  const name = firstValue(
+    opts.name,
+    process.env.WORKSPACE_ORG_NAME,
+    current.WORKSPACE_ORG_NAME,
+  );
+  const rawDomain = firstValue(
+    opts.domain,
+    process.env.WORKSPACE_ORG_DOMAIN,
+    current.WORKSPACE_ORG_DOMAIN,
+  );
+  const ownerEmail = firstValue(
+    opts.ownerEmail,
+    process.env.WORKSPACE_OWNER_EMAIL,
+    current.WORKSPACE_OWNER_EMAIL,
+  )?.toLowerCase();
+  const a2aSecret =
+    firstValue(opts.a2aSecret, process.env.A2A_SECRET, current.A2A_SECRET) ??
+    crypto.randomBytes(32).toString("hex");
+
+  if (!name) fail("--name or WORKSPACE_ORG_NAME is required.");
+  if (!rawDomain) fail("--domain or WORKSPACE_ORG_DOMAIN is required.");
+  if (!ownerEmail) fail("--owner-email or WORKSPACE_OWNER_EMAIL is required.");
+
+  const domain = normalizeDomain(rawDomain);
+  validateDomain(domain);
+  validateEmail(ownerEmail);
+
+  const desired: Record<RequiredKey, string> = {
+    WORKSPACE_ORG_NAME: name,
+    WORKSPACE_ORG_DOMAIN: domain,
+    WORKSPACE_OWNER_EMAIL: ownerEmail,
+    A2A_SECRET: a2aSecret,
+  };
+
+  let next = original.trimEnd();
+  const changed: string[] = [];
+  const skipped: string[] = [];
+
+  for (const key of REQUIRED_KEYS) {
+    const result = upsertEnvValue(next, key, desired[key], opts.force);
+    next = result.content;
+    if (result.changed) changed.push(key);
+    if (result.skipped) skipped.push(key);
+  }
+
+  if (opts.setDispatchDefaultOwner) {
+    const result = upsertEnvValue(
+      next,
+      "DISPATCH_DEFAULT_OWNER_EMAIL",
+      ownerEmail,
+      opts.force,
+    );
+    next = result.content;
+    if (result.changed) changed.push("DISPATCH_DEFAULT_OWNER_EMAIL");
+    if (result.skipped) skipped.push("DISPATCH_DEFAULT_OWNER_EMAIL");
+  }
+
+  next = next.trimEnd() + "\n";
+
+  if (opts.dryRun) {
+    console.log(next);
+  } else {
+    fs.writeFileSync(envPath, next);
+  }
+
+  console.log(
+    `${opts.dryRun ? "Validated" : "Updated"} ${path.relative(process.cwd(), envPath) || envPath}.`,
+  );
+  if (changed.length > 0) console.log(`Changed: ${changed.join(", ")}`);
+  if (skipped.length > 0) {
+    console.log(
+      `Kept existing values: ${skipped.join(", ")} (use --force to overwrite)`,
+    );
+  }
+  console.log("");
+  console.log("Next steps:");
+  console.log("1. Sign in as WORKSPACE_OWNER_EMAIL.");
+  console.log("2. Create or select the org named by WORKSPACE_ORG_NAME.");
+  console.log("3. Set the org allowed domain to WORKSPACE_ORG_DOMAIN.");
+  console.log("4. Set or sync the org A2A secret from A2A_SECRET across apps.");
+}
+
+main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-native/core",
-  "version": "0.7.56",
+  "version": "0.7.58",
   "type": "module",
   "description": "Framework for agent-native application development — where AI agents and UI share state via files",
   "license": "MIT",

package/src/templates/workspace-root/.env.example

@@ -23,6 +23,12 @@ ANTHROPIC_API_KEY=
 # Optional: OpenAI key if any app uses OpenAI engines.
 OPENAI_API_KEY=
 
+# Workspace organization identity. Use operator-owned values; do not use
+# company-specific examples or copied production credentials.
+WORKSPACE_ORG_NAME=
+WORKSPACE_ORG_DOMAIN=
+WORKSPACE_OWNER_EMAIL=
+
 # Builder browser integration (run `agent-native dev` and visit any app,
 # then click "Connect Builder" — these are written automatically by the
 # callback handler to this workspace-level .env).

package/src/templates/workspace-root/AGENTS.md

@@ -0,0 +1,50 @@
+# {{APP_TITLE}} Workspace Instructions
+
+These instructions apply at the workspace root. App-specific behavior belongs
+in `apps/<app>/AGENTS.md`; shared cross-app behavior belongs in
+`packages/shared/AGENTS.md` or `packages/shared/.agents/skills/`.
+
+## Workspace Scope
+
+- Keep root changes focused on workspace orchestration, shared configuration,
+  deploy settings, and monorepo tooling.
+- Keep application routes, actions, server plugins, and app state inside the
+  relevant `apps/<app>` directory unless multiple apps need the same behavior.
+- Put reusable code in `packages/shared` only after at least two apps need it.
+- Never copy live credentials, personal email addresses, customer data, or
+  company-specific placeholder values into source files.
+
+## Workspace Identity
+
+Use the workspace root `.env` for shared identity and cross-app trust settings:
+
+- `WORKSPACE_ORG_NAME` — human-readable organization name.
+- `WORKSPACE_ORG_DOMAIN` — bare domain owned by the workspace, with no protocol
+  or path.
+- `WORKSPACE_OWNER_EMAIL` — initial owner/admin email for repairs and
+  integration defaults.
+- `A2A_SECRET` — shared secret for cross-app A2A signing. Generate with
+  `openssl rand -hex 32` or `pnpm repair:workspace-org -- --name ...`.
+
+`DISPATCH_DEFAULT_OWNER_EMAIL` is optional. Set it only for trusted,
+single-workspace deployments where unlinked integration requests should run as
+the workspace owner, and prefer the same value as `WORKSPACE_OWNER_EMAIL`.
+
+## Org Repair
+
+When asked to repair workspace org or A2A configuration:
+
+1. Read `.env` first. Do not infer the organization, domain, owner email, or
+   secret from old examples.
+2. Run `pnpm repair:workspace-org -- --name "<org>" --domain example.com --owner-email owner@example.com`
+   to create or update generic workspace identity values.
+3. Prefer the app's organization settings UI or authenticated org routes for
+   changing `allowed_domain` and `a2a_secret`.
+4. If direct SQL is unavoidable, inspect the live schema first and use only
+   parameterized `INSERT` or `UPDATE` statements. Ensure the target org has
+   `organizations.name`, `organizations.allowed_domain`,
+   `organizations.a2a_secret`, and an `org_members` owner row for
+   `WORKSPACE_OWNER_EMAIL`.
+5. Never use `DROP`, `TRUNCATE`, destructive `ALTER`, or an unscoped
+   `DELETE`. Do not rotate `A2A_SECRET` without updating every app that trusts
+   it.

package/src/templates/workspace-root/README.md

@@ -37,7 +37,8 @@ the shared package (`@{{APP_NAME}}/shared`).
 
 ```bash
 pnpm install
-cp .env.example .env   # fill in DATABASE_URL, BETTER_AUTH_SECRET, ANTHROPIC_API_KEY
+cp .env.example .env   # fill in DATABASE_URL, BETTER_AUTH_SECRET, and an LLM provider key
+pnpm repair:workspace-org -- --name "Example Co" --domain example.com --owner-email owner@example.com
 pnpm dev               # starts the workspace gateway and opens Dispatch
 ```
 
@@ -45,6 +46,22 @@ The dev gateway serves Dispatch at `/dispatch` and every app at its own path
 such as `/starter`. It watches `apps/`, so newly-created apps are detected and
 started without restarting `pnpm dev`.
 
+## Workspace org identity
+
+Set these root `.env` values before production deploys or when repairing
+cross-app trust:
+
+- `WORKSPACE_ORG_NAME` — the organization name users should see.
+- `WORKSPACE_ORG_DOMAIN` — the bare email/domain claim used for org matching.
+- `WORKSPACE_OWNER_EMAIL` — the owner/admin email to use for bootstrap or
+  integration fallback.
+- `A2A_SECRET` — shared signing secret for cross-app A2A calls.
+
+Run `pnpm repair:workspace-org -- --name "<org>" --domain example.com --owner-email owner@example.com`
+to fill or validate those values without committing secrets. Existing
+organization rows should still be repaired through the app's org settings UI or
+authenticated org routes whenever possible.
+
 ## Adding a new app
 
 ```bash

package/src/templates/workspace-root/package.json

@@ -6,6 +6,7 @@
     "dev": "agent-native dev",
     "build": "pnpm -r build",
     "typecheck": "pnpm -r typecheck",
+    "repair:workspace-org": "tsx scripts/repair-workspace-org.ts",
     "fmt:check": "prettier --check .",
     "lint": "pnpm fmt:check"
   },
@@ -19,6 +20,7 @@
   "devDependencies": {
     "@types/node": "^24.2.1",
     "prettier": "^3.6.2",
+    "tsx": "catalog:",
     "typescript": "^6.0.3"
   },
   "packageManager": "pnpm@10.14.0"

package/src/templates/workspace-root/scripts/repair-workspace-org.ts

@@ -0,0 +1,283 @@
+#!/usr/bin/env tsx
+
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+
+interface Options {
+  name?: string;
+  domain?: string;
+  ownerEmail?: string;
+  a2aSecret?: string;
+  envPath: string;
+  force: boolean;
+  dryRun: boolean;
+  setDispatchDefaultOwner: boolean;
+}
+
+const HELP = `Usage:
+  pnpm repair:workspace-org -- --name "Example Co" --domain example.com --owner-email owner@example.com
+
+Options:
+  --name <value>                 Sets WORKSPACE_ORG_NAME
+  --domain <value>               Sets WORKSPACE_ORG_DOMAIN
+  --owner-email <value>          Sets WORKSPACE_OWNER_EMAIL
+  --a2a-secret <value>           Sets A2A_SECRET (generated when omitted)
+  --env <path>                   Env file to update (default: .env)
+  --force                        Overwrite existing non-empty values
+  --dry-run                      Print the changes without writing
+  --set-dispatch-default-owner   Also set DISPATCH_DEFAULT_OWNER_EMAIL
+`;
+
+const REQUIRED_KEYS = [
+  "WORKSPACE_ORG_NAME",
+  "WORKSPACE_ORG_DOMAIN",
+  "WORKSPACE_OWNER_EMAIL",
+  "A2A_SECRET",
+] as const;
+
+type RequiredKey = (typeof REQUIRED_KEYS)[number];
+
+function parseArgs(argv: string[]): Options {
+  const opts: Options = {
+    envPath: ".env",
+    force: false,
+    dryRun: false,
+    setDispatchDefaultOwner: false,
+  };
+
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    const [flag, inline] = arg.includes("=")
+      ? arg.split(/=(.*)/s, 2)
+      : [arg, undefined];
+    const value = (): string => {
+      const next = inline ?? argv[++i];
+      if (!next) fail(`Missing value for ${flag}.`);
+      return next;
+    };
+
+    switch (flag) {
+      case "--help":
+      case "-h":
+        console.log(HELP);
+        process.exit(0);
+      case "--name":
+        opts.name = value();
+        break;
+      case "--domain":
+        opts.domain = value();
+        break;
+      case "--owner-email":
+        opts.ownerEmail = value();
+        break;
+      case "--a2a-secret":
+        opts.a2aSecret = value();
+        break;
+      case "--env":
+        opts.envPath = value();
+        break;
+      case "--force":
+        opts.force = true;
+        break;
+      case "--dry-run":
+        opts.dryRun = true;
+        break;
+      case "--set-dispatch-default-owner":
+        opts.setDispatchDefaultOwner = true;
+        break;
+      default:
+        fail(`Unknown option: ${arg}\n\n${HELP}`);
+    }
+  }
+
+  return opts;
+}
+
+function fail(message: string): never {
+  console.error(message);
+  process.exit(1);
+}
+
+function readEnvFile(envPath: string): string {
+  if (fs.existsSync(envPath)) return fs.readFileSync(envPath, "utf-8");
+  const examplePath = path.join(path.dirname(envPath), ".env.example");
+  if (fs.existsSync(examplePath)) return fs.readFileSync(examplePath, "utf-8");
+  return "";
+}
+
+function parseEnv(content: string): Record<string, string> {
+  const values: Record<string, string> = {};
+  for (const line of content.split(/\r?\n/)) {
+    const match = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*)\s*$/);
+    if (!match) continue;
+    values[match[1]] = unquote(match[2]);
+  }
+  return values;
+}
+
+function unquote(value: string): string {
+  const trimmed = value.trim();
+  if (
+    (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+    (trimmed.startsWith("'") && trimmed.endsWith("'"))
+  ) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function normalizeDomain(domain: string): string {
+  return domain
+    .trim()
+    .toLowerCase()
+    .replace(/^https?:\/\//, "")
+    .replace(/\/.*$/, "");
+}
+
+function validateDomain(domain: string): void {
+  if (!/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/.test(domain)) {
+    fail(`Invalid --domain "${domain}". Use a bare domain like example.com.`);
+  }
+}
+
+function validateEmail(email: string): void {
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    fail(`Invalid --owner-email "${email}".`);
+  }
+}
+
+function formatEnvValue(value: string): string {
+  if (/^[A-Za-z0-9_@./:+-]+$/.test(value)) return value;
+  return JSON.stringify(value);
+}
+
+function upsertEnvValue(
+  content: string,
+  key: string,
+  value: string,
+  force: boolean,
+): { content: string; changed: boolean; skipped: boolean } {
+  const lines = content.length > 0 ? content.split(/\r?\n/) : [];
+  let found = false;
+  let changed = false;
+  let skipped = false;
+
+  const next = lines.map((line) => {
+    const match = line.match(/^(\s*)([A-Z0-9_]+)(\s*=\s*)(.*)$/);
+    if (!match || match[2] !== key) return line;
+
+    found = true;
+    const existing = unquote(match[4]);
+    if (existing && !force) {
+      skipped = true;
+      return line;
+    }
+
+    const replacement = `${match[1]}${key}${match[3]}${formatEnvValue(value)}`;
+    if (replacement !== line) changed = true;
+    return replacement;
+  });
+
+  if (!found) {
+    if (next.length > 0 && next[next.length - 1] !== "") next.push("");
+    next.push(`${key}=${formatEnvValue(value)}`);
+    changed = true;
+  }
+
+  return { content: next.join("\n"), changed, skipped };
+}
+
+function firstValue(...values: Array<string | undefined>): string | undefined {
+  return values.map((v) => v?.trim()).find(Boolean);
+}
+
+function main(): void {
+  const opts = parseArgs(process.argv.slice(2));
+  const envPath = path.resolve(opts.envPath);
+  const original = readEnvFile(envPath);
+  const current = parseEnv(original);
+
+  const name = firstValue(
+    opts.name,
+    process.env.WORKSPACE_ORG_NAME,
+    current.WORKSPACE_ORG_NAME,
+  );
+  const rawDomain = firstValue(
+    opts.domain,
+    process.env.WORKSPACE_ORG_DOMAIN,
+    current.WORKSPACE_ORG_DOMAIN,
+  );
+  const ownerEmail = firstValue(
+    opts.ownerEmail,
+    process.env.WORKSPACE_OWNER_EMAIL,
+    current.WORKSPACE_OWNER_EMAIL,
+  )?.toLowerCase();
+  const a2aSecret =
+    firstValue(opts.a2aSecret, process.env.A2A_SECRET, current.A2A_SECRET) ??
+    crypto.randomBytes(32).toString("hex");
+
+  if (!name) fail("--name or WORKSPACE_ORG_NAME is required.");
+  if (!rawDomain) fail("--domain or WORKSPACE_ORG_DOMAIN is required.");
+  if (!ownerEmail) fail("--owner-email or WORKSPACE_OWNER_EMAIL is required.");
+
+  const domain = normalizeDomain(rawDomain);
+  validateDomain(domain);
+  validateEmail(ownerEmail);
+
+  const desired: Record<RequiredKey, string> = {
+    WORKSPACE_ORG_NAME: name,
+    WORKSPACE_ORG_DOMAIN: domain,
+    WORKSPACE_OWNER_EMAIL: ownerEmail,
+    A2A_SECRET: a2aSecret,
+  };
+
+  let next = original.trimEnd();
+  const changed: string[] = [];
+  const skipped: string[] = [];
+
+  for (const key of REQUIRED_KEYS) {
+    const result = upsertEnvValue(next, key, desired[key], opts.force);
+    next = result.content;
+    if (result.changed) changed.push(key);
+    if (result.skipped) skipped.push(key);
+  }
+
+  if (opts.setDispatchDefaultOwner) {
+    const result = upsertEnvValue(
+      next,
+      "DISPATCH_DEFAULT_OWNER_EMAIL",
+      ownerEmail,
+      opts.force,
+    );
+    next = result.content;
+    if (result.changed) changed.push("DISPATCH_DEFAULT_OWNER_EMAIL");
+    if (result.skipped) skipped.push("DISPATCH_DEFAULT_OWNER_EMAIL");
+  }
+
+  next = next.trimEnd() + "\n";
+
+  if (opts.dryRun) {
+    console.log(next);
+  } else {
+    fs.writeFileSync(envPath, next);
+  }
+
+  console.log(
+    `${opts.dryRun ? "Validated" : "Updated"} ${path.relative(process.cwd(), envPath) || envPath}.`,
+  );
+  if (changed.length > 0) console.log(`Changed: ${changed.join(", ")}`);
+  if (skipped.length > 0) {
+    console.log(
+      `Kept existing values: ${skipped.join(", ")} (use --force to overwrite)`,
+    );
+  }
+  console.log("");
+  console.log("Next steps:");
+  console.log("1. Sign in as WORKSPACE_OWNER_EMAIL.");
+  console.log("2. Create or select the org named by WORKSPACE_ORG_NAME.");
+  console.log("3. Set the org allowed domain to WORKSPACE_ORG_DOMAIN.");
+  console.log("4. Set or sync the org A2A secret from A2A_SECRET across apps.");
+}
+
+main();