@agent-native/core 0.7.81 → 0.7.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (241) hide show
  1. package/dist/action.d.ts +8 -0
  2. package/dist/action.d.ts.map +1 -1
  3. package/dist/action.js +4 -0
  4. package/dist/action.js.map +1 -1
  5. package/dist/agent/production-agent.d.ts +12 -2
  6. package/dist/agent/production-agent.d.ts.map +1 -1
  7. package/dist/agent/production-agent.js +58 -20
  8. package/dist/agent/production-agent.js.map +1 -1
  9. package/dist/agent/run-manager.d.ts +8 -1
  10. package/dist/agent/run-manager.d.ts.map +1 -1
  11. package/dist/agent/run-manager.js +11 -12
  12. package/dist/agent/run-manager.js.map +1 -1
  13. package/dist/agent/thread-data-builder.d.ts.map +1 -1
  14. package/dist/agent/thread-data-builder.js +13 -17
  15. package/dist/agent/thread-data-builder.js.map +1 -1
  16. package/dist/agent/types.d.ts +4 -0
  17. package/dist/agent/types.d.ts.map +1 -1
  18. package/dist/agent/types.js.map +1 -1
  19. package/dist/application-state/handlers.d.ts.map +1 -1
  20. package/dist/application-state/handlers.js +3 -8
  21. package/dist/application-state/handlers.js.map +1 -1
  22. package/dist/application-state/script-helpers.d.ts +2 -4
  23. package/dist/application-state/script-helpers.d.ts.map +1 -1
  24. package/dist/application-state/script-helpers.js +10 -47
  25. package/dist/application-state/script-helpers.js.map +1 -1
  26. package/dist/cli/workspace-dev.js +78 -15
  27. package/dist/cli/workspace-dev.js.map +1 -1
  28. package/dist/client/AgentPanel.d.ts.map +1 -1
  29. package/dist/client/AgentPanel.js +6 -2
  30. package/dist/client/AgentPanel.js.map +1 -1
  31. package/dist/client/AssistantChat.d.ts +0 -15
  32. package/dist/client/AssistantChat.d.ts.map +1 -1
  33. package/dist/client/AssistantChat.js +69 -57
  34. package/dist/client/AssistantChat.js.map +1 -1
  35. package/dist/client/ConnectBuilderCard.d.ts +7 -1
  36. package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
  37. package/dist/client/ConnectBuilderCard.js +46 -5
  38. package/dist/client/ConnectBuilderCard.js.map +1 -1
  39. package/dist/client/ErrorBoundary.d.ts.map +1 -1
  40. package/dist/client/ErrorBoundary.js +20 -5
  41. package/dist/client/ErrorBoundary.js.map +1 -1
  42. package/dist/client/FeedbackButton.d.ts.map +1 -1
  43. package/dist/client/FeedbackButton.js +5 -1
  44. package/dist/client/FeedbackButton.js.map +1 -1
  45. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  46. package/dist/client/agent-chat-adapter.js +303 -169
  47. package/dist/client/agent-chat-adapter.js.map +1 -1
  48. package/dist/client/builder-frame.d.ts +25 -0
  49. package/dist/client/builder-frame.d.ts.map +1 -1
  50. package/dist/client/builder-frame.js +40 -0
  51. package/dist/client/builder-frame.js.map +1 -1
  52. package/dist/client/composer/ComposerPlusMenu.d.ts.map +1 -1
  53. package/dist/client/composer/ComposerPlusMenu.js +7 -2
  54. package/dist/client/composer/ComposerPlusMenu.js.map +1 -1
  55. package/dist/client/composer/PastedTextChip.d.ts +9 -0
  56. package/dist/client/composer/PastedTextChip.d.ts.map +1 -0
  57. package/dist/client/composer/PastedTextChip.js +47 -0
  58. package/dist/client/composer/PastedTextChip.js.map +1 -0
  59. package/dist/client/composer/PromptComposer.d.ts +2 -2
  60. package/dist/client/composer/PromptComposer.d.ts.map +1 -1
  61. package/dist/client/composer/PromptComposer.js +32 -4
  62. package/dist/client/composer/PromptComposer.js.map +1 -1
  63. package/dist/client/composer/TiptapComposer.d.ts +11 -1
  64. package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
  65. package/dist/client/composer/TiptapComposer.js +49 -16
  66. package/dist/client/composer/TiptapComposer.js.map +1 -1
  67. package/dist/client/composer/VoiceButton.d.ts.map +1 -1
  68. package/dist/client/composer/VoiceButton.js +5 -1
  69. package/dist/client/composer/VoiceButton.js.map +1 -1
  70. package/dist/client/composer/pasted-text.d.ts +6 -0
  71. package/dist/client/composer/pasted-text.d.ts.map +1 -0
  72. package/dist/client/composer/pasted-text.js +49 -0
  73. package/dist/client/composer/pasted-text.js.map +1 -0
  74. package/dist/client/composer/useVoiceDictation.d.ts +1 -0
  75. package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
  76. package/dist/client/composer/useVoiceDictation.js +18 -0
  77. package/dist/client/composer/useVoiceDictation.js.map +1 -1
  78. package/dist/client/index.d.ts +0 -1
  79. package/dist/client/index.d.ts.map +1 -1
  80. package/dist/client/index.js +0 -1
  81. package/dist/client/index.js.map +1 -1
  82. package/dist/client/integrations/IntegrationCard.d.ts.map +1 -1
  83. package/dist/client/integrations/IntegrationCard.js +14 -2
  84. package/dist/client/integrations/IntegrationCard.js.map +1 -1
  85. package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
  86. package/dist/client/integrations/IntegrationsPanel.js +19 -3
  87. package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
  88. package/dist/client/notifications/NotificationsBell.d.ts.map +1 -1
  89. package/dist/client/notifications/NotificationsBell.js +4 -42
  90. package/dist/client/notifications/NotificationsBell.js.map +1 -1
  91. package/dist/client/org/OrgSwitcher.d.ts +4 -6
  92. package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
  93. package/dist/client/org/OrgSwitcher.js +84 -74
  94. package/dist/client/org/OrgSwitcher.js.map +1 -1
  95. package/dist/client/org/TeamPage.d.ts.map +1 -1
  96. package/dist/client/org/TeamPage.js +3 -154
  97. package/dist/client/org/TeamPage.js.map +1 -1
  98. package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
  99. package/dist/client/resources/ResourcesPanel.js +13 -35
  100. package/dist/client/resources/ResourcesPanel.js.map +1 -1
  101. package/dist/client/settings/SettingsPanel.js +1 -1
  102. package/dist/client/settings/SettingsPanel.js.map +1 -1
  103. package/dist/client/settings/useBuilderStatus.d.ts +6 -0
  104. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  105. package/dist/client/settings/useBuilderStatus.js +3 -0
  106. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  107. package/dist/client/sse-event-processor.d.ts +15 -1
  108. package/dist/client/sse-event-processor.d.ts.map +1 -1
  109. package/dist/client/sse-event-processor.js +58 -54
  110. package/dist/client/sse-event-processor.js.map +1 -1
  111. package/dist/client/tools/ToolEditor.d.ts.map +1 -1
  112. package/dist/client/tools/ToolEditor.js +34 -4
  113. package/dist/client/tools/ToolEditor.js.map +1 -1
  114. package/dist/client/tools/ToolViewer.d.ts.map +1 -1
  115. package/dist/client/tools/ToolViewer.js +20 -1
  116. package/dist/client/tools/ToolViewer.js.map +1 -1
  117. package/dist/client/tools/ToolsListPage.d.ts.map +1 -1
  118. package/dist/client/tools/ToolsListPage.js +2 -1
  119. package/dist/client/tools/ToolsListPage.js.map +1 -1
  120. package/dist/client/transcription/BuilderTranscriptionCta.js +1 -1
  121. package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
  122. package/dist/client/use-chat-threads.d.ts.map +1 -1
  123. package/dist/client/use-chat-threads.js +7 -2
  124. package/dist/client/use-chat-threads.js.map +1 -1
  125. package/dist/collab/client.d.ts.map +1 -1
  126. package/dist/collab/client.js +26 -7
  127. package/dist/collab/client.js.map +1 -1
  128. package/dist/jobs/scheduler.js +0 -4
  129. package/dist/jobs/scheduler.js.map +1 -1
  130. package/dist/oauth-tokens/store.d.ts +0 -4
  131. package/dist/oauth-tokens/store.d.ts.map +1 -1
  132. package/dist/oauth-tokens/store.js +3 -24
  133. package/dist/oauth-tokens/store.js.map +1 -1
  134. package/dist/observability/routes.d.ts.map +1 -1
  135. package/dist/observability/routes.js +1 -9
  136. package/dist/observability/routes.js.map +1 -1
  137. package/dist/onboarding/default-steps.js +1 -1
  138. package/dist/onboarding/default-steps.js.map +1 -1
  139. package/dist/onboarding/plugin.d.ts.map +1 -1
  140. package/dist/onboarding/plugin.js +1 -8
  141. package/dist/onboarding/plugin.js.map +1 -1
  142. package/dist/org/accept-pending.d.ts.map +1 -1
  143. package/dist/org/accept-pending.js +1 -2
  144. package/dist/org/accept-pending.js.map +1 -1
  145. package/dist/org/context.d.ts +0 -2
  146. package/dist/org/context.d.ts.map +1 -1
  147. package/dist/org/context.js +0 -5
  148. package/dist/org/context.js.map +1 -1
  149. package/dist/resources/script-helpers.d.ts +3 -4
  150. package/dist/resources/script-helpers.d.ts.map +1 -1
  151. package/dist/resources/script-helpers.js +8 -15
  152. package/dist/resources/script-helpers.js.map +1 -1
  153. package/dist/scripts/chat/search-chats.d.ts.map +1 -1
  154. package/dist/scripts/chat/search-chats.js +4 -4
  155. package/dist/scripts/chat/search-chats.js.map +1 -1
  156. package/dist/scripts/manage-agent-loop-settings.js +2 -2
  157. package/dist/scripts/manage-agent-loop-settings.js.map +1 -1
  158. package/dist/scripts/resources/delete-memory.d.ts.map +1 -1
  159. package/dist/scripts/resources/delete-memory.js +4 -2
  160. package/dist/scripts/resources/delete-memory.js.map +1 -1
  161. package/dist/scripts/resources/delete.d.ts.map +1 -1
  162. package/dist/scripts/resources/delete.js +11 -4
  163. package/dist/scripts/resources/delete.js.map +1 -1
  164. package/dist/scripts/resources/list.d.ts.map +1 -1
  165. package/dist/scripts/resources/list.js +5 -3
  166. package/dist/scripts/resources/list.js.map +1 -1
  167. package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
  168. package/dist/scripts/resources/migrate-learnings.js +5 -2
  169. package/dist/scripts/resources/migrate-learnings.js.map +1 -1
  170. package/dist/scripts/resources/read.d.ts.map +1 -1
  171. package/dist/scripts/resources/read.js +4 -2
  172. package/dist/scripts/resources/read.js.map +1 -1
  173. package/dist/scripts/resources/save-memory.d.ts.map +1 -1
  174. package/dist/scripts/resources/save-memory.js +4 -2
  175. package/dist/scripts/resources/save-memory.js.map +1 -1
  176. package/dist/scripts/resources/write.d.ts.map +1 -1
  177. package/dist/scripts/resources/write.js +11 -4
  178. package/dist/scripts/resources/write.js.map +1 -1
  179. package/dist/secrets/onboarding.d.ts.map +1 -1
  180. package/dist/secrets/onboarding.js +1 -9
  181. package/dist/secrets/onboarding.js.map +1 -1
  182. package/dist/secrets/routes.d.ts.map +1 -1
  183. package/dist/secrets/routes.js +2 -7
  184. package/dist/secrets/routes.js.map +1 -1
  185. package/dist/server/action-discovery.d.ts.map +1 -1
  186. package/dist/server/action-discovery.js +4 -0
  187. package/dist/server/action-discovery.js.map +1 -1
  188. package/dist/server/agent-chat-plugin.d.ts +5 -0
  189. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  190. package/dist/server/agent-chat-plugin.js +81 -20
  191. package/dist/server/agent-chat-plugin.js.map +1 -1
  192. package/dist/server/agent-discovery.d.ts.map +1 -1
  193. package/dist/server/agent-discovery.js +5 -7
  194. package/dist/server/agent-discovery.js.map +1 -1
  195. package/dist/server/auth.d.ts +16 -21
  196. package/dist/server/auth.d.ts.map +1 -1
  197. package/dist/server/auth.js +45 -315
  198. package/dist/server/auth.js.map +1 -1
  199. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  200. package/dist/server/core-routes-plugin.js +22 -13
  201. package/dist/server/core-routes-plugin.js.map +1 -1
  202. package/dist/server/credential-provider.d.ts.map +1 -1
  203. package/dist/server/credential-provider.js +1 -2
  204. package/dist/server/credential-provider.js.map +1 -1
  205. package/dist/server/google-oauth.d.ts +14 -2
  206. package/dist/server/google-oauth.d.ts.map +1 -1
  207. package/dist/server/google-oauth.js +17 -7
  208. package/dist/server/google-oauth.js.map +1 -1
  209. package/dist/server/index.d.ts +1 -1
  210. package/dist/server/index.d.ts.map +1 -1
  211. package/dist/server/index.js +1 -1
  212. package/dist/server/index.js.map +1 -1
  213. package/dist/server/oauth-helpers.d.ts +2 -4
  214. package/dist/server/oauth-helpers.d.ts.map +1 -1
  215. package/dist/server/oauth-helpers.js +2 -4
  216. package/dist/server/oauth-helpers.js.map +1 -1
  217. package/dist/server/transcribe-voice.d.ts.map +1 -1
  218. package/dist/server/transcribe-voice.js +2 -4
  219. package/dist/server/transcribe-voice.js.map +1 -1
  220. package/dist/triggers/dispatcher.d.ts.map +1 -1
  221. package/dist/triggers/dispatcher.js +0 -3
  222. package/dist/triggers/dispatcher.js.map +1 -1
  223. package/dist/vite/client.d.ts.map +1 -1
  224. package/dist/vite/client.js +6 -0
  225. package/dist/vite/client.js.map +1 -1
  226. package/docs/content/actions.md +1 -0
  227. package/docs/content/authentication.md +3 -20
  228. package/docs/content/creating-templates.md +1 -1
  229. package/docs/content/deployment.md +0 -1
  230. package/docs/content/security.md +0 -1
  231. package/docs/content/template-content.md +1 -1
  232. package/docs/content/template-starter.md +1 -1
  233. package/package.json +1 -1
  234. package/dist/client/dev-mode.d.ts +0 -14
  235. package/dist/client/dev-mode.d.ts.map +0 -1
  236. package/dist/client/dev-mode.js +0 -14
  237. package/dist/client/dev-mode.js.map +0 -1
  238. package/dist/server/local-migration.d.ts +0 -41
  239. package/dist/server/local-migration.d.ts.map +0 -1
  240. package/dist/server/local-migration.js +0 -235
  241. package/dist/server/local-migration.js.map +0 -1
package/dist/secrets/routes.js CHANGED
@@ -7,7 +7,7 @@
7
7
  */
8
8
  import { defineEventHandler, getMethod, setResponseStatus, } from "h3";
9
9
  import { readBody } from "../server/h3-helpers.js";
10
- import { DEV_MODE_USER_EMAIL, getSession } from "../server/auth.js";
10
+ import { getSession } from "../server/auth.js";
11
11
  import { getOrgContext } from "../org/context.js";
12
12
  /**
13
13
  * Workspace-scoped secret writes/deletes are deployment-wide for every
@@ -33,7 +33,7 @@ async function canMutateWorkspaceScope(event, scopeId) {
33
33
  return true;
34
34
  return ctx.role === "owner" || ctx.role === "admin";
35
35
  }
36
- import { hasOAuthTokens, listOAuthAccountsByOwner, } from "../oauth-tokens/store.js";
36
+ import { listOAuthAccountsByOwner } from "../oauth-tokens/store.js";
37
37
  import { listRequiredSecrets, getRequiredSecret, } from "./register.js";
38
38
  import { writeAppSecret, deleteAppSecret, getAppSecretMeta, readAppSecret, listAppSecretsForScope, } from "./storage.js";
39
39
  function redactSecretFromMessage(message, secretValue) {
@@ -47,11 +47,6 @@ async function hasOAuthSecretForEvent(event, secret) {
47
47
  const session = await getSession(event).catch(() => null);
48
48
  if (!session?.email)
49
49
  return false;
50
- // hasOAuthTokens now requires an explicit owner — passing the dev sentinel
51
- // preserves the "any row exists" wildcard behaviour for local-dev only.
52
- if (session.email === DEV_MODE_USER_EMAIL) {
53
- return hasOAuthTokens(secret.oauthProvider, DEV_MODE_USER_EMAIL);
54
- }
55
50
  const accounts = await listOAuthAccountsByOwner(secret.oauthProvider, session.email);
56
51
  return accounts.length > 0;
57
52
  }
package/dist/secrets/routes.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EACL,cAAc,EACd,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,2EAA2E;IAC3E,wEAAwE;IACxE,IAAI,OAAO,CAAC,KAAK,KAAK,mBAAmB,EAAE,CAAC;QAC1C,OAAO,cAAc,CAAC,MAAM,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { DEV_MODE_USER_EMAIL, getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport {\n hasOAuthTokens,\n listOAuthAccountsByOwner,\n} from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. */\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". */\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n // hasOAuthTokens now requires an explicit owner — passing the dev sentinel\n // preserves the \"any row exists\" wildcard behaviour for local-dev only.\n if (session.email === DEV_MODE_USER_EMAIL) {\n return hasOAuthTokens(secret.oauthProvider, DEV_MODE_USER_EMAIL);\n }\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. */\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. */\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. */\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. \"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
1
+ {"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,KAAc,EACd,OAAe;IAEf,kEAAkE;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,6CAA6C;IAC7C,IAAI,CAAC,GAAG,EAAE,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,CAAC;AACtD,CAAC;AACD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AAwBtB,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc,EACd,MAAwB;IAExB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAC7C,MAAM,CAAC,aAAa,EACpB,OAAO,CAAC,KAAK,CACd,CAAC;IACF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB;IAElB,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;wBACxD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;aAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,IACE,MAAM,CAAC,KAAK,KAAK,WAAW;QAC5B,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,yEAAyE;SAC5E,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,KAAK,CAC3D,GAAG,EAAE,CAAC,KAAK,CACZ,CAAC;YACF,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC;iBAClD,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;gBACnC,CAAC,CAAC,iBAAiB,CAAC;YACxB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAiBD,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,IAAgB;IACrC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG;QACd,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;YAChC,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAc;IAC3C,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,gBAAgB,CAAC,OAAO;QAC5C,CAAC,CAAC,MAAM,sBAAsB,CAAC,WAAW,EAAE,gBAAgB,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAyB,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACtC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAMpD,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,gFAAgF;SACnF,CAAC;IACJ,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,8DAA8D,IAAI,UAAU;SAC5F,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAgB,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE;QACzB,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,gBAAoC,CAAC;IACzC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;YAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,IACE,KAAK,KAAK,WAAW;QACrB,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAChD,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,IAAI;YACT,KAAK;YACL,KAAK;YACL,OAAO;YACP,WAAW;YACX,YAAY,EAAE,gBAAgB;SAC/B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,MAAM,OAAO,GACX,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;YACzC,CAAC,CAAC,uBAAuB,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,KAAc,EAAE,IAAY;IAC3D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,IAAI,oEAAoE;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAgB,MAAM,CAAC;IAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAClE,IAAI,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,MAAM,uBAAuB,CAAC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACtE,kEAAkE;gBAClE,gEAAgE;gBAChE,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YACtC,CAAC;YACD,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC;gBAC7C,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,gBAAgB,CAAC,OAAO;aAClC,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,sBAAsB;aAC1D,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC1D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,uBAAuB,KAAK,0BAA0B;aAC9D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC","sourcesContent":["/**\n * H3 event handlers for the framework secrets registry.\n *\n * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.\n *\n * NEVER return a secret's plain-text value from any of these handlers.\n */\n\nimport {\n defineEventHandler,\n getMethod,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { getSession } from \"../server/auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\n\n/**\n * Workspace-scoped secret writes/deletes are deployment-wide for every\n * org member who shares the resolved scopeId — a curious or malicious\n * member could otherwise overwrite `OPENAI_API_KEY` (or any unregistered\n * key) with their own value, redirecting every other member's automations\n * through their key for skimming, billing abuse, or DoS by deletion.\n *\n * Allow workspace-scope writes only for org owners/admins. The \"solo\"\n * fallback scopeId (`solo:<email>`) is single-user, so it bypasses the\n * check. A normal session with no active org also passes — there's no\n * privilege gradient to enforce in that case.\n *\n * Returns true if the request is allowed to write/delete this scope.\n */\nasync function canMutateWorkspaceScope(\n event: H3Event,\n scopeId: string,\n): Promise<boolean> {\n // Solo / dev fallback scope — single user, no privilege gradient.\n if (scopeId.startsWith(\"solo:\")) return true;\n const ctx = await getOrgContext(event).catch(() => null);\n // No active org — single-tenant flow, allow.\n if (!ctx?.orgId) return true;\n return ctx.role === \"owner\" || ctx.role === \"admin\";\n}\nimport { listOAuthAccountsByOwner } from \"../oauth-tokens/store.js\";\nimport {\n listRequiredSecrets,\n getRequiredSecret,\n type RegisteredSecret,\n type SecretScope,\n} from \"./register.js\";\nimport {\n writeAppSecret,\n deleteAppSecret,\n getAppSecretMeta,\n readAppSecret,\n listAppSecretsForScope,\n type SecretMeta,\n} from \"./storage.js\";\n\nexport interface SecretStatusPayload {\n key: string;\n label: string;\n description?: string;\n docsUrl?: string;\n scope: SecretScope;\n kind: \"api-key\" | \"oauth\";\n required: boolean;\n /** \"set\" = value present; \"unset\" = not configured; \"invalid\" = validator failed. */\n status: \"set\" | \"unset\" | \"invalid\";\n /** Last 4 chars — only populated when status === \"set\" for api-key kind. */\n last4?: string;\n /** Timestamp (ms) of the last write — only populated when status === \"set\". */\n updatedAt?: number;\n /** OAuth-kind: the provider id backing this secret. */\n oauthProvider?: string;\n /** OAuth-kind: url the Connect button should point at. */\n oauthConnectUrl?: string;\n /** Validator error message if status === \"invalid\". */\n error?: string;\n}\n\nfunction redactSecretFromMessage(message: string, secretValue: string): string {\n if (!message || !secretValue) return message;\n return message.split(secretValue).join(\"[redacted]\");\n}\n\nasync function hasOAuthSecretForEvent(\n event: H3Event,\n secret: RegisteredSecret,\n): Promise<boolean> {\n if (!secret.oauthProvider) return false;\n const session = await getSession(event).catch(() => null);\n if (!session?.email) return false;\n const accounts = await listOAuthAccountsByOwner(\n secret.oauthProvider,\n session.email,\n );\n return accounts.length > 0;\n}\n\n/** Resolve the scopeId for a given scope, given the current session. */\nasync function resolveScopeId(\n event: H3Event,\n scope: SecretScope,\n): Promise<{ scopeId: string | null; reason?: string }> {\n if (scope === \"user\") {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n return { scopeId: null, reason: \"Authentication required\" };\n }\n return { scopeId: session.email };\n }\n // workspace\n const ctx = await getOrgContext(event).catch(() => null);\n if (ctx?.orgId) return { scopeId: ctx.orgId };\n // Fall back to session email in solo/dev mode so secrets still work without\n // an active organisation.\n const session = await getSession(event).catch(() => null);\n if (session?.email) return { scopeId: `solo:${session.email}` };\n return { scopeId: null, reason: \"No workspace or session context\" };\n}\n\n/** GET /_agent-native/secrets — list registered secrets with status. */\nexport function createListSecretsHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const secrets = listRequiredSecrets();\n const payload: SecretStatusPayload[] = [];\n\n for (const secret of secrets) {\n const base: SecretStatusPayload = {\n key: secret.key,\n label: secret.label,\n description: secret.description,\n docsUrl: secret.docsUrl,\n scope: secret.scope,\n kind: secret.kind,\n required: !!secret.required,\n status: \"unset\",\n };\n\n if (secret.kind === \"oauth\") {\n base.oauthProvider = secret.oauthProvider;\n base.oauthConnectUrl = secret.oauthConnectUrl;\n if (secret.oauthProvider) {\n try {\n const has = await hasOAuthSecretForEvent(event, secret);\n base.status = has ? \"set\" : \"unset\";\n } catch {\n base.status = \"unset\";\n }\n }\n payload.push(base);\n continue;\n }\n\n // api-key: look up the stored row in app_secrets.\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n payload.push(base);\n continue;\n }\n const meta = await getAppSecretMeta({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n }).catch(() => null);\n if (meta) {\n base.status = \"set\";\n base.last4 = meta.last4;\n base.updatedAt = meta.updatedAt;\n }\n payload.push(base);\n }\n\n return payload;\n });\n}\n\n/** POST /_agent-native/secrets/:key — write a secret. */\nexport function createWriteSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const key = extractKeyFromEvent(event);\n\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n\n if (method === \"POST\" || method === \"PUT\") {\n return handleWrite(event, secret);\n }\n if (method === \"DELETE\") {\n return handleDelete(event, secret);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleWrite(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? \"the OAuth flow\"} instead`,\n };\n }\n const body = (await readBody(event).catch(() => ({}))) as {\n value?: unknown;\n };\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n // Run validator if registered — return the validator's error on failure.\n if (secret.validator) {\n try {\n const result = await secret.validator(value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n setResponseStatus(event, 400);\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return { error: redactSecretFromMessage(err, value) };\n }\n } catch (err) {\n setResponseStatus(event, 400);\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n }\n\n try {\n await writeAppSecret({\n key: secret.key,\n value,\n scope: secret.scope,\n scopeId,\n });\n } catch (err) {\n // Scrub: never surface the value in any error path.\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, status: \"set\" };\n}\n\nasync function handleDelete(event: H3Event, secret: RegisteredSecret) {\n if (secret.kind === \"oauth\") {\n setResponseStatus(event, 400);\n return {\n error: `\"${secret.key}\" is an OAuth-kind secret — disconnect via the OAuth flow instead`,\n };\n }\n const { scopeId, reason } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n if (\n secret.scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can delete workspace-scoped secrets\",\n };\n }\n const removed = await deleteAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n return { ok: true, removed };\n}\n\n/**\n * POST /_agent-native/secrets/:key/test — re-run the validator against the\n * current stored value without changing anything. Useful for the \"Test\" button.\n */\nexport function createTestSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const key = extractKeyFromEvent(event, { suffix: \"/test\" });\n if (!key) {\n setResponseStatus(event, 400);\n return { error: \"Secret key required\" };\n }\n const secret = getRequiredSecret(key);\n if (!secret) {\n setResponseStatus(event, 404);\n return { error: `Secret \"${key}\" is not registered` };\n }\n if (secret.kind === \"oauth\") {\n // For OAuth we just report whether tokens exist.\n const has = await hasOAuthSecretForEvent(event, secret).catch(\n () => false,\n );\n return { ok: has };\n }\n if (!secret.validator) {\n return { ok: true, note: \"No validator registered\" };\n }\n const { scopeId } = await resolveScopeId(event, secret.scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: \"Unable to resolve scope\" };\n }\n const stored = await readAppSecret({\n key: secret.key,\n scope: secret.scope,\n scopeId,\n });\n if (!stored) {\n setResponseStatus(event, 404);\n return { error: \"No value stored\" };\n }\n try {\n const result = await secret.validator(stored.value);\n const ok = typeof result === \"boolean\" ? result : result?.ok === true;\n if (!ok) {\n const err =\n typeof result === \"object\" && result && result.error\n ? String(result.error)\n : \"Validator rejected the value\";\n return {\n ok: false,\n error: redactSecretFromMessage(err, stored.value),\n };\n }\n return { ok: true };\n } catch (err) {\n const message =\n err instanceof Error\n ? `Validator threw: ${err.message}`\n : \"Validator threw\";\n return {\n ok: false,\n error: redactSecretFromMessage(message, stored.value),\n };\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Ad-hoc secrets — user-/agent-created keys not in the registry\n// ---------------------------------------------------------------------------\n\nexport interface AdHocSecretPayload {\n name: string;\n scope: SecretScope;\n scopeId: string;\n description: string | null;\n last4: string;\n urlAllowlist: string[] | null;\n createdAt: number;\n updatedAt: number;\n}\n\nconst AD_HOC_NAME_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction metaToPayload(meta: SecretMeta): AdHocSecretPayload {\n return {\n name: meta.key,\n scope: meta.scope,\n scopeId: meta.scopeId,\n description: meta.description,\n last4: meta.last4,\n urlAllowlist: meta.urlAllowlist,\n createdAt: meta.createdAt,\n updatedAt: meta.updatedAt,\n };\n}\n\n/**\n * Handler for `/_agent-native/secrets/adhoc[/:name]`.\n *\n * - GET (no name) — list all ad-hoc keys for the user's scope\n * - POST (no name) — create or update an ad-hoc key\n * - DELETE (with name) — delete an ad-hoc key\n *\n * Ad-hoc keys are arbitrary named secrets users or the agent create at\n * runtime for automation use (e.g. \"SLACK_WEBHOOK\", \"HUBSPOT_API_KEY\").\n * They differ from registered secrets (`registerRequiredSecret`) in that\n * they have no template-defined metadata, validator, or onboarding step.\n */\nexport function createAdHocSecretHandler() {\n return defineEventHandler(async (event: H3Event) => {\n const method = getMethod(event);\n const name = extractAdHocName(event);\n\n if (method === \"GET\" && !name) {\n return handleAdHocList(event);\n }\n if (method === \"POST\" && !name) {\n return handleAdHocWrite(event);\n }\n if (method === \"DELETE\" && name) {\n return handleAdHocDelete(event, name);\n }\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n });\n}\n\nasync function handleAdHocList(event: H3Event) {\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n const registered = new Set(listRequiredSecrets().map((s) => s.key));\n const userRows = await listAppSecretsForScope(\"user\", scopeId);\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n const workspaceRows = workspaceContext.scopeId\n ? await listAppSecretsForScope(\"workspace\", workspaceContext.scopeId)\n : [];\n\n const payload: AdHocSecretPayload[] = [];\n for (const row of [...userRows, ...workspaceRows]) {\n if (registered.has(row.key)) continue;\n payload.push(metaToPayload(row));\n }\n return payload;\n}\n\nasync function handleAdHocWrite(event: H3Event) {\n const body = (await readBody(event).catch(() => ({}))) as {\n name?: unknown;\n value?: unknown;\n description?: unknown;\n scope?: unknown;\n urlAllowlist?: unknown;\n };\n\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name || !AD_HOC_NAME_REGEX.test(name)) {\n setResponseStatus(event, 400);\n return {\n error:\n \"name is required and may only contain letters, digits, underscores, and dashes\",\n };\n }\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — use POST /_agent-native/secrets/${name} instead`,\n };\n }\n\n const value = typeof body.value === \"string\" ? body.value.trim() : \"\";\n if (!value) {\n setResponseStatus(event, 400);\n return { error: \"value is required\" };\n }\n\n const scope: SecretScope = body.scope === \"workspace\" ? \"workspace\" : \"user\";\n\n const description =\n typeof body.description === \"string\" && body.description.trim()\n ? body.description.trim()\n : undefined;\n\n let urlAllowlistJson: string | undefined;\n if (body.urlAllowlist !== undefined && body.urlAllowlist !== null) {\n const normalized = normalizeUrlAllowlist(body.urlAllowlist);\n if (normalized.ok === false) {\n setResponseStatus(event, 400);\n return { error: normalized.error };\n }\n urlAllowlistJson = JSON.stringify(normalized.origins);\n }\n\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n\n if (\n scope === \"workspace\" &&\n !(await canMutateWorkspaceScope(event, scopeId))\n ) {\n setResponseStatus(event, 403);\n return {\n error:\n \"Only organization owners and admins can set workspace-scoped secrets\",\n };\n }\n\n try {\n await writeAppSecret({\n key: name,\n value,\n scope,\n scopeId,\n description,\n urlAllowlist: urlAllowlistJson,\n });\n } catch (err) {\n setResponseStatus(event, 500);\n const message =\n err instanceof Error\n ? `Failed to save secret: ${err.message}`\n : \"Failed to save secret\";\n return {\n error: redactSecretFromMessage(message, value),\n };\n }\n\n return { ok: true, key: name };\n}\n\nasync function handleAdHocDelete(event: H3Event, name: string) {\n if (getRequiredSecret(name)) {\n setResponseStatus(event, 400);\n return {\n error: `\"${name}\" is a registered secret — delete via the registered route instead`,\n };\n }\n const scope: SecretScope = \"user\";\n const { scopeId, reason } = await resolveScopeId(event, scope);\n if (!scopeId) {\n setResponseStatus(event, 401);\n return { error: reason ?? \"Unable to resolve scope\" };\n }\n const removed = await deleteAppSecret({ key: name, scope, scopeId });\n if (!removed) {\n // Fall back to workspace scope so the agent / UI can clean up shared keys.\n // Gate the fallback behind the org-admin check so a regular member can't\n // DoS every other member's automations by deleting shared workspace keys.\n const workspaceContext = await resolveScopeId(event, \"workspace\");\n if (workspaceContext.scopeId) {\n if (!(await canMutateWorkspaceScope(event, workspaceContext.scopeId))) {\n // No-op silently for non-admins — the user-scope row didn't exist\n // and they don't have permission to touch the workspace row, so\n // there's nothing to remove from their point of view.\n return { ok: true, removed: false };\n }\n const removedWorkspace = await deleteAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: workspaceContext.scopeId,\n });\n return { ok: true, removed: removedWorkspace };\n }\n }\n return { ok: true, removed };\n}\n\nfunction extractAdHocName(event: H3Event): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n // The router strips the `/secrets/adhoc` prefix, so `parts[0]` (if present)\n // is the name. When the request is the bare `/adhoc` listing, parts is empty.\n const candidate = parts[0];\n if (!candidate) return null;\n return AD_HOC_NAME_REGEX.test(candidate) ? candidate : null;\n}\n\nfunction normalizeUrlAllowlist(\n input: unknown,\n): { ok: true; origins: string[] } | { ok: false; error: string } {\n if (!Array.isArray(input) || !input.every((v) => typeof v === \"string\")) {\n return { ok: false, error: \"urlAllowlist must be an array of strings\" };\n }\n\n const origins: string[] = [];\n for (const raw of input) {\n const value = raw.trim();\n if (!value) continue;\n let url: URL;\n try {\n url = new URL(value);\n } catch {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" is not a valid URL`,\n };\n }\n if (url.protocol !== \"https:\" && url.protocol !== \"http:\") {\n return {\n ok: false,\n error: `urlAllowlist entry \"${value}\" must use http or https`,\n };\n }\n if (!origins.includes(url.origin)) origins.push(url.origin);\n }\n return { ok: true, origins };\n}\n\n/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */\nfunction extractKeyFromEvent(\n event: H3Event,\n opts: { suffix?: string } = {},\n): string | null {\n const pathname = (event.url?.pathname || \"\")\n .replace(/^\\/+/, \"\")\n .replace(/\\/+$/, \"\");\n if (!pathname) return null;\n const parts = pathname.split(\"/\");\n if (opts.suffix === \"/test\") {\n if (parts.length < 2 || parts[parts.length - 1] !== \"test\") return null;\n return parts[0];\n }\n return parts[0];\n}\n"]}
package/dist/server/action-discovery.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"action-discovery.d.ts","sourceRoot":"","sources":["../../src/server/action-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAiOhE;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAqC7B;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAuFtC;AAED,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GACpC,OAAO,CAAC,IAAI,CAAC,CAiCf;AAED,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,4BAAsB,CAAC"}
1
+ {"version":3,"file":"action-discovery.d.ts","sourceRoot":"","sources":["../../src/server/action-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAoOhE;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAqC7B;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAuFtC;AAED,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GACpC,OAAO,CAAC,IAAI,CAAC,CAkCf;AAED,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,4BAAsB,CAAC"}
package/dist/server/action-discovery.js CHANGED
@@ -96,6 +96,9 @@ function preserveActionFlags(entry) {
96
96
  const out = {};
97
97
  if (typeof entry.readOnly === "boolean")
98
98
  out.readOnly = entry.readOnly;
99
+ if (typeof entry.parallelSafe === "boolean") {
100
+ out.parallelSafe = entry.parallelSafe;
101
+ }
99
102
  if (typeof entry.toolCallable === "boolean") {
100
103
  out.toolCallable = entry.toolCallable;
101
104
  }
@@ -379,6 +382,7 @@ export async function mergeCoreSharingActions(registry) {
379
382
  run: def.run,
380
383
  ...(def.http !== undefined ? { http: def.http } : {}),
381
384
  ...(def.readOnly === true ? { readOnly: true } : {}),
385
+ ...(def.parallelSafe === true ? { parallelSafe: true } : {}),
382
386
  };
383
387
  }
384
388
  }
package/dist/server/action-discovery.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"action-discovery.js","sourceRoot":"","sources":["../../src/server/action-discovery.ts"],"names":[],"mappings":"AA6BA,OAAO,QAAQ,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,sDAAsD;AACtD,yFAAyF;AACzF,IAAI,GAAoC,CAAC;AACzC,KAAK,UAAU,KAAK;IAClB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AACD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,0DAA0D;AAC1D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,SAAS;IACT,KAAK;IACL,YAAY;IACZ,WAAW;IACX,UAAU;CACX,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;gBACpC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,KAAK,CAAC;YAClB,SAAS;QACX,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,IAAY,EACZ,SAA4C;IAE5C,MAAM,IAAI,GAAe;QACvB,WAAW,EAAE,YAAY,IAAI,8CAA8C;QAC3E,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EACT,+DAA+D;iBAClE;aACF;SACF;KACF,CAAC;IAEF,OAAO;QACL,IAAI;QACJ,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAmB,EAAE;YAC3D,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,+DAA+D;YAC/D,IAAI,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1C,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,OAAO,gBAAgB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA0B;IACrD,MAAM,GAAG,GAAyB,EAAE,CAAC;IACrC,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,SAAS;QAAE,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IACvE,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAC3C,MAAM,EAAE,GAAG,MAAM,KAAK,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,CAAC,CAAS,EAAE,EAAE;QAC3B,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC;IACF,qEAAqE;IACrE,8DAA8D;IAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,eAAe,CAAC;YAAE,OAAO,eAAe,CAAC;QACpD,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,eAAe,CAAC;YAAE,OAAO,eAAe,CAAC;QACpD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,uBAAuB,CACpC,UAAkB,EAClB,QAAqC,EACrC,YAAqB;IAErB,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO;QACvC,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACrC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3D,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAC5C,IAAI,YAAY,IAAI,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAE7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAEtD,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;iBAC5B,CAAC;YACJ,CAAC;iBAAM,IACL,GAAG,CAAC,OAAO;gBACX,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;gBAC/B,GAAG,CAAC,OAAO,CAAC,IAAI;gBAChB,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,UAAU,EACrC,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI;oBACtB,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG;oBACpB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrE,GAAG,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC;iBACpC,CAAC;YACJ,CAAC;iBAAM,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,yEAAyE;QAC3E,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAgC;IAEhC,MAAM,QAAQ,GAAgC,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,GAA6C,CAAC;QAC1D,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG;gBACf,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;aAC5B,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;QACxB,IACE,GAAG;YACH,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,CAAC,IAAI;YACR,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAC7B,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC,GAAG;gBACf,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;aAC5B,CAAC;YACF,SAAS;QACX,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,UAAU,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY;IAEZ,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAgC,EAAE,CAAC;IAEjD,wEAAwE;IACxE,0EAA0E;IAC1E,WAAW;IACX,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CACV,2DAA2D,UAAU,MAAM,GAAG,EAAE,OAAO,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,mEAAmE;IACnE,gEAAgE;IAChE,EAAE;IACF,0EAA0E;IAC1E,yEAAyE;IACzE,4EAA4E;IAC5E,sEAAsE;IACtE,oBAAoB;IACpB,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC;YACH,IAAI,YAAoB,CAAC;YACzB,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9D,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;gBACxD,YAAY,GAAG,QAAQ,CAAC,OAAO,CAC7B,SAAS,EACT,sCAAsC,CACvC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,YAAY,GAAG,QAAQ,CAAC,OAAO,CAC7B,IAAI,EACJ,mCAAmC,CACpC,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;YAC1D,MAAM,aAAa,GAAG,6BAA6B,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACxE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YACvC,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,OAAO,CAAC,GAAG,CACT,kEAAkE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,gDAAgD;oBACjJ,kGAAkG,CACrG,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,IAAI,CACV,4DAA4D;YAC1D,kDAAkD;YAClD,sFAAsF;YACtF,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,iCAAiC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,uBAAuB,EAAE,GAC/B,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC9C,MAAM,EAAE,GAAG,MAAM,uBAAuB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACxD,IAAI,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;YACxB,MAAM,uBAAuB,CAAC,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;IACrE,CAAC;IAED,wEAAwE;IACxE,sEAAsE;IACtE,4DAA4D;IAC5D,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAqC;IAErC,MAAM,OAAO,GAAwC;QACnD,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,sCAAsC,CAAC,CAAC;QACxE;YACE,kBAAkB;YAClB,GAAG,EAAE,CAAC,MAAM,CAAC,wCAAwC,CAAC;SACvD;QACD;YACE,sBAAsB;YACtB,GAAG,EAAE,CAAC,MAAM,CAAC,4CAA4C,CAAC;SAC3D;QACD;YACE,yBAAyB;YACzB,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;SAC9D;KACF,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACrC,IAAI,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAC7B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;YACxB,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;IACH,CAAC;AACH,CAAC;AAED,oDAAoD;AACpD,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,CAAC","sourcesContent":["/**\n * Auto-discover actions from a template's actions/ directory.\n *\n * Scans for .ts/.js files and builds an action registry suitable for\n * `createAgentChatPlugin({ actions })`.\n *\n * Supports two action conventions:\n *\n * 1. **Full interface** — exports `tool: ActionTool` and `run(args): Promise<string>`.\n * These are used directly.\n *\n * 2. **CLI-style** — exports only `default async function(args: string[])`.\n * These are wrapped: args are converted from `Record<string, string>` to\n * `[\"--key\", \"value\", ...]`, console output is captured, and a tool\n * definition is synthesized from the action name.\n *\n * 3. **defineAction** — exports `default` from `defineAction()`. Has `tool` and `run`.\n *\n * Usage in agent-chat plugins:\n * ```ts\n * import { autoDiscoverActions } from \"@agent-native/core/server\";\n *\n * export default createAgentChatPlugin({\n * actions: () => autoDiscoverActions(import.meta.url),\n * });\n * ```\n */\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport type { ActionTool } from \"../agent/types.js\";\nimport nodePath from \"node:path\";\nimport { captureCliOutput } from \"./cli-capture.js\";\n\n// Lazy fs — loaded via dynamic import() on first use.\n// Avoids require() which bundlers convert to createRequire() that crashes on CF Workers.\nlet _fs: typeof import(\"fs\") | undefined;\nasync function getFs(): Promise<typeof import(\"fs\")> {\n if (!_fs) {\n _fs = await import(\"node:fs\");\n }\n return _fs;\n}\nimport { fileURLToPath } from \"node:url\";\n\n/** Files to skip during auto-discovery (no extension). */\nconst SKIP_FILES = new Set([\n \"helpers\",\n \"run\",\n \"db-connect\",\n \"db-status\",\n \"registry\",\n]);\n\n/**\n * Split a string into shell-like tokens, handling double and single quotes.\n * `--title \"My Page\" --content \"\"` → `[\"--title\", \"My Page\", \"--content\", \"\"]`\n */\nfunction splitShellArgs(input: string): string[] {\n const tokens: string[] = [];\n let current = \"\";\n let inDouble = false;\n let inSingle = false;\n let wasQuoted = false;\n\n for (let i = 0; i < input.length; i++) {\n const ch = input[i];\n if (ch === '\"' && !inSingle) {\n inDouble = !inDouble;\n wasQuoted = true;\n continue;\n }\n if (ch === \"'\" && !inDouble) {\n inSingle = !inSingle;\n wasQuoted = true;\n continue;\n }\n if ((ch === \" \" || ch === \"\\t\") && !inDouble && !inSingle) {\n if (current.length > 0 || wasQuoted) {\n tokens.push(current);\n }\n current = \"\";\n wasQuoted = false;\n continue;\n }\n current += ch;\n }\n if (current.length > 0 || wasQuoted) {\n tokens.push(current);\n }\n return tokens;\n}\n\n/**\n * Wrap a CLI-style action (that writes to console.log) as an ActionEntry\n * by capturing stdout/stderr and intercepting process.exit. Uses the\n * shared AsyncLocalStorage-backed capture so concurrent invocations do\n * not corrupt the global `console.log` / `process.stdout.write` /\n * `process.exit` pointers (see `cli-capture.ts`).\n */\nfunction wrapDefaultExport(\n name: string,\n defaultFn: (args: string[]) => Promise<void>,\n): ActionEntry {\n const tool: ActionTool = {\n description: `Run the \"${name}\" action. Pass arguments as key-value pairs.`,\n parameters: {\n type: \"object\",\n properties: {\n args: {\n type: \"string\",\n description:\n \"Space-separated CLI arguments (e.g. '--id abc --title Hello')\",\n },\n },\n },\n };\n\n return {\n tool,\n run: async (args: Record<string, string>): Promise<string> => {\n const cliArgs: string[] = [];\n // If only an \"args\" key was provided, split it into CLI tokens\n if (args.args && Object.keys(args).length === 1) {\n cliArgs.push(...splitShellArgs(args.args));\n } else {\n for (const [k, v] of Object.entries(args)) {\n cliArgs.push(`--${k}`, v);\n }\n }\n return captureCliOutput(() => defaultFn(cliArgs));\n },\n };\n}\n\nfunction preserveActionFlags(entry: Record<string, any>): Partial<ActionEntry> {\n const out: Partial<ActionEntry> = {};\n if (typeof entry.readOnly === \"boolean\") out.readOnly = entry.readOnly;\n if (typeof entry.toolCallable === \"boolean\") {\n out.toolCallable = entry.toolCallable;\n }\n return out;\n}\n\n/**\n * Resolve the actions directory from the caller's context.\n *\n * @param from - Either an `import.meta.url` (file:// URL from a plugin file),\n * an absolute directory path, or \"auto\" to use `process.cwd() + \"/actions\"`.\n * When an import.meta.url is provided, the actions directory is resolved as\n * `../../actions/` relative to the caller (typically `server/plugins/agent-chat.ts`).\n * If the resolved directory doesn't exist, falls back to `../../scripts/` for\n * backwards compatibility, then to `process.cwd() + \"/actions\"`.\n */\nasync function resolveActionsDir(from: string): Promise<string> {\n const fs = await getFs();\n const exists = (p: string) => {\n try {\n return fs.existsSync(p);\n } catch {\n return false;\n }\n };\n // On edge runtimes (e.g. Cloudflare Workers), import.meta.url may be\n // undefined after bundling. Fall back to cwd-based discovery.\n if (!from) {\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n if (from.startsWith(\"file://\") || from.startsWith(\"file:///\")) {\n const callerPath = fileURLToPath(from);\n const callerDir = nodePath.dirname(callerPath);\n const actionsResolved = nodePath.resolve(callerDir, \"../../actions\");\n if (exists(actionsResolved)) return actionsResolved;\n const scriptsResolved = nodePath.resolve(callerDir, \"../../scripts\");\n if (exists(scriptsResolved)) return scriptsResolved;\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n if (from === \"auto\") {\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n return nodePath.resolve(from);\n}\n\n/**\n * Load actions from a single directory into the given registry. Shared by\n * both the template-actions discovery path and the workspace-core actions\n * layer. When `skipExisting` is true, an entry with the same name that's\n * already in the registry is left untouched (template-wins on collision).\n */\nasync function loadActionsIntoRegistry(\n actionsDir: string,\n registry: Record<string, ActionEntry>,\n skipExisting: boolean,\n): Promise<void> {\n let files: string[];\n try {\n const fs = await getFs();\n if (!fs.existsSync(actionsDir)) return;\n files = fs.readdirSync(actionsDir);\n } catch {\n return;\n }\n\n const actionFiles = files.filter((f) => {\n if (!f.endsWith(\".ts\") && !f.endsWith(\".js\")) return false;\n const name = f.replace(/\\.(ts|js)$/, \"\");\n if (name.startsWith(\"_\")) return false;\n if (SKIP_FILES.has(name)) return false;\n return true;\n });\n\n for (const file of actionFiles) {\n const name = file.replace(/\\.(ts|js)$/, \"\");\n if (skipExisting && registry[name]) continue;\n\n const filePath = nodePath.join(actionsDir, file);\n try {\n const mod = await import(/* @vite-ignore */ filePath);\n\n if (mod.tool && typeof mod.run === \"function\") {\n registry[name] = {\n tool: mod.tool,\n run: mod.run,\n ...(mod.http !== undefined ? { http: mod.http } : {}),\n ...preserveActionFlags(mod),\n };\n } else if (\n mod.default &&\n typeof mod.default === \"object\" &&\n mod.default.tool &&\n typeof mod.default.run === \"function\"\n ) {\n registry[name] = {\n tool: mod.default.tool,\n run: mod.default.run,\n ...(mod.default.http !== undefined ? { http: mod.default.http } : {}),\n ...preserveActionFlags(mod.default),\n };\n } else if (typeof mod.default === \"function\") {\n registry[name] = wrapDefaultExport(name, mod.default);\n }\n } catch {\n // CLI-style scripts (top-level execution) throw on import.\n // Expected — they're available via `pnpm action <name>` / shell instead.\n }\n }\n}\n\n/**\n * Normalize a pre-bundled static action registry (name → raw module) into\n * the `Record<string, ActionEntry>` shape the agent-chat plugin expects.\n *\n * Used by `autoDiscoverActions` when `.generated/actions-registry.ts` is\n * present so that Nitro-bundled serverless functions (Netlify, Vercel,\n * AWS-Lambda) can serve `/_agent-native/actions/*` routes without relying\n * on a filesystem scan that doesn't work in bundled output.\n */\nexport function loadActionsFromStaticRegistry(\n modules: Record<string, unknown>,\n): Record<string, ActionEntry> {\n const registry: Record<string, ActionEntry> = {};\n for (const [name, raw] of Object.entries(modules)) {\n const mod = raw as Record<string, any> | null | undefined;\n if (!mod) continue;\n\n if (mod.tool && typeof mod.run === \"function\") {\n registry[name] = {\n tool: mod.tool,\n run: mod.run,\n ...(mod.http !== undefined ? { http: mod.http } : {}),\n ...preserveActionFlags(mod),\n };\n continue;\n }\n\n const def = mod.default;\n if (\n def &&\n typeof def === \"object\" &&\n def.tool &&\n typeof def.run === \"function\"\n ) {\n registry[name] = {\n tool: def.tool,\n run: def.run,\n ...(def.http !== undefined ? { http: def.http } : {}),\n ...preserveActionFlags(def),\n };\n continue;\n }\n\n if (typeof def === \"function\") {\n registry[name] = wrapDefaultExport(name, def);\n }\n }\n return registry;\n}\n\n/**\n * Auto-discover actions from a directory.\n *\n * Merges in any actions from the enterprise workspace core (if present in\n * the ancestor chain). Template actions take precedence over workspace-core\n * actions on name collision, so an app can override an enterprise-wide\n * action by dropping a same-named file under its own `actions/`.\n *\n * Note: this helper uses a filesystem scan, which works in dev and in\n * non-bundled Node deployments. In bundled serverless functions (Nitro's\n * netlify / vercel / aws-lambda presets) the `actions/` directory is not\n * on disk at runtime; templates should pass the static registry generated\n * by the Vite plugin to `createAgentChatPlugin({ actions })` instead, so\n * the bundler sees static imports and pulls every action into the bundle.\n *\n * @param from - The caller's `import.meta.url` or an absolute path to the\n * actions directory.\n * @returns A record mapping action names to ActionEntry objects, suitable for\n * passing to `createAgentChatPlugin({ actions })`.\n */\nexport async function autoDiscoverActions(\n from: string,\n): Promise<Record<string, ActionEntry>> {\n const actionsDir = await resolveActionsDir(from);\n const registry: Record<string, ActionEntry> = {};\n\n // 1. Template actions first — these are the authoritative layer for the\n // current app and must override any workspace-core entry with the same\n // name.\n try {\n await loadActionsIntoRegistry(actionsDir, registry, false);\n } catch (err: any) {\n console.warn(\n `[autoDiscoverActions] Could not read actions directory: ${actionsDir} — ${err?.message}`,\n );\n }\n\n // 1b. Fallback: if filesystem discovery found no template actions (common\n // in bundled serverless environments like Netlify/Vercel where the\n // actions/ directory doesn't exist on disk), try importing the\n // generated static registry at .generated/actions-registry.\n //\n // This prevents the silent-empty-tools footgun where the agent has no\n // template actions and falls back to generic tools like web-request.\n // Prefer `loadActionsFromStaticRegistry` over `autoDiscoverActions` for\n // production reliability — this fallback is a safety net, not the\n // primary path.\n if (Object.keys(registry).length === 0 && from) {\n try {\n let registryPath: string;\n if (from.startsWith(\"file://\") || from.startsWith(\"file:///\")) {\n const callerDir = nodePath.dirname(fileURLToPath(from));\n registryPath = nodePath.resolve(\n callerDir,\n \"../../.generated/actions-registry.js\",\n );\n } else {\n registryPath = nodePath.resolve(\n from,\n \"../.generated/actions-registry.js\",\n );\n }\n const mod = await import(/* @vite-ignore */ registryPath);\n const staticEntries = loadActionsFromStaticRegistry(mod.default || mod);\n Object.assign(registry, staticEntries);\n if (Object.keys(staticEntries).length > 0) {\n console.log(\n `[autoDiscoverActions] Filesystem scan found 0 actions — loaded ${Object.keys(staticEntries).length} from .generated/actions-registry.ts instead. ` +\n `Consider switching to loadActionsFromStaticRegistry(actionsRegistry) for production reliability.`,\n );\n }\n } catch {\n // No generated registry available — registry stays empty.\n }\n }\n\n // If still empty after all fallbacks, warn loudly.\n if (Object.keys(registry).length === 0) {\n console.warn(\n `[autoDiscoverActions] WARNING: No template actions found! ` +\n `The agent will have no template-specific tools. ` +\n `If in production, switch from autoDiscoverActions to loadActionsFromStaticRegistry. ` +\n `See: https://docs.agent-native.com/actions#static-registry`,\n );\n }\n\n // 2. Workspace-core actions — merged in with skipExisting so they can't\n // overwrite template entries.\n try {\n const { getWorkspaceCoreExports } =\n await import(\"../deploy/workspace-core.js\");\n const ws = await getWorkspaceCoreExports(process.cwd());\n if (ws && ws.actionsDir) {\n await loadActionsIntoRegistry(ws.actionsDir, registry, true);\n }\n } catch {\n // workspace-core discovery unavailable (e.g. edge runtime) — skip.\n }\n\n // 3. Framework-level sharing actions — always available to any template\n // that registers a shareable resource. Merged with skipExisting so\n // templates can override by providing a same-named file.\n try {\n await mergeCoreSharingActions(registry);\n } catch {\n // Ignore — templates without sharing still work.\n }\n\n return registry;\n}\n\nexport async function mergeCoreSharingActions(\n registry: Record<string, ActionEntry>,\n): Promise<void> {\n const entries: Array<[string, () => Promise<any>]> = [\n [\"share-resource\", () => import(\"../sharing/actions/share-resource.js\")],\n [\n \"unshare-resource\",\n () => import(\"../sharing/actions/unshare-resource.js\"),\n ],\n [\n \"list-resource-shares\",\n () => import(\"../sharing/actions/list-resource-shares.js\"),\n ],\n [\n \"set-resource-visibility\",\n () => import(\"../sharing/actions/set-resource-visibility.js\"),\n ],\n ];\n for (const [name, loader] of entries) {\n if (registry[name]) continue;\n try {\n const mod = await loader();\n const def = mod.default;\n if (def && def.tool && typeof def.run === \"function\") {\n registry[name] = {\n tool: def.tool,\n run: def.run,\n ...(def.http !== undefined ? { http: def.http } : {}),\n ...(def.readOnly === true ? { readOnly: true } : {}),\n };\n }\n } catch {\n // Skip any sharing action that fails to import.\n }\n }\n}\n\n/** @deprecated Use `autoDiscoverActions` instead */\nexport const autoDiscoverScripts = autoDiscoverActions;\n"]}
1
+ {"version":3,"file":"action-discovery.js","sourceRoot":"","sources":["../../src/server/action-discovery.ts"],"names":[],"mappings":"AA6BA,OAAO,QAAQ,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,sDAAsD;AACtD,yFAAyF;AACzF,IAAI,GAAoC,CAAC;AACzC,KAAK,UAAU,KAAK;IAClB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,GAAG,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AACD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,0DAA0D;AAC1D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,SAAS;IACT,KAAK;IACL,YAAY;IACZ,WAAW;IACX,UAAU;CACX,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,QAAQ,GAAG,CAAC,QAAQ,CAAC;YACrB,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;gBACpC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,KAAK,CAAC;YAClB,SAAS;QACX,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,IAAY,EACZ,SAA4C;IAE5C,MAAM,IAAI,GAAe;QACvB,WAAW,EAAE,YAAY,IAAI,8CAA8C;QAC3E,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EACT,+DAA+D;iBAClE;aACF;SACF;KACF,CAAC;IAEF,OAAO;QACL,IAAI;QACJ,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAmB,EAAE;YAC3D,MAAM,OAAO,GAAa,EAAE,CAAC;YAC7B,+DAA+D;YAC/D,IAAI,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1C,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,OAAO,gBAAgB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAA0B;IACrD,MAAM,GAAG,GAAyB,EAAE,CAAC;IACrC,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,SAAS;QAAE,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IACvE,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAC5C,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAC3C,MAAM,EAAE,GAAG,MAAM,KAAK,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,CAAC,CAAS,EAAE,EAAE;QAC3B,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC;IACF,qEAAqE;IACrE,8DAA8D;IAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,eAAe,CAAC;YAAE,OAAO,eAAe,CAAC;QACpD,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,eAAe,CAAC;YAAE,OAAO,eAAe,CAAC;QACpD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,MAAM,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QAC1C,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,uBAAuB,CACpC,UAAkB,EAClB,QAAqC,EACrC,YAAqB;IAErB,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO;QACvC,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACrC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3D,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAC5C,IAAI,YAAY,IAAI,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAE7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAEtD,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;iBAC5B,CAAC;YACJ,CAAC;iBAAM,IACL,GAAG,CAAC,OAAO;gBACX,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;gBAC/B,GAAG,CAAC,OAAO,CAAC,IAAI;gBAChB,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,UAAU,EACrC,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI;oBACtB,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG;oBACpB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrE,GAAG,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC;iBACpC,CAAC;YACJ,CAAC;iBAAM,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,UAAU,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,yEAAyE;QAC3E,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAgC;IAEhC,MAAM,QAAQ,GAAgC,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,GAA6C,CAAC;QAC1D,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG;gBACf,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;aAC5B,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;QACxB,IACE,GAAG;YACH,OAAO,GAAG,KAAK,QAAQ;YACvB,GAAG,CAAC,IAAI;YACR,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAC7B,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC,GAAG;gBACf,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrD,GAAG,mBAAmB,CAAC,GAAG,CAAC;aAC5B,CAAC;YACF,SAAS;QACX,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,UAAU,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY;IAEZ,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAgC,EAAE,CAAC;IAEjD,wEAAwE;IACxE,0EAA0E;IAC1E,WAAW;IACX,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CACV,2DAA2D,UAAU,MAAM,GAAG,EAAE,OAAO,EAAE,CAC1F,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,mEAAmE;IACnE,gEAAgE;IAChE,EAAE;IACF,0EAA0E;IAC1E,yEAAyE;IACzE,4EAA4E;IAC5E,sEAAsE;IACtE,oBAAoB;IACpB,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC;YACH,IAAI,YAAoB,CAAC;YACzB,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9D,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;gBACxD,YAAY,GAAG,QAAQ,CAAC,OAAO,CAC7B,SAAS,EACT,sCAAsC,CACvC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,YAAY,GAAG,QAAQ,CAAC,OAAO,CAC7B,IAAI,EACJ,mCAAmC,CACpC,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;YAC1D,MAAM,aAAa,GAAG,6BAA6B,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC;YACxE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YACvC,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,OAAO,CAAC,GAAG,CACT,kEAAkE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,gDAAgD;oBACjJ,kGAAkG,CACrG,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,IAAI,CACV,4DAA4D;YAC1D,kDAAkD;YAClD,sFAAsF;YACtF,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,iCAAiC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,uBAAuB,EAAE,GAC/B,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC9C,MAAM,EAAE,GAAG,MAAM,uBAAuB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACxD,IAAI,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;YACxB,MAAM,uBAAuB,CAAC,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;IACrE,CAAC;IAED,wEAAwE;IACxE,sEAAsE;IACtE,4DAA4D;IAC5D,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAqC;IAErC,MAAM,OAAO,GAAwC;QACnD,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,sCAAsC,CAAC,CAAC;QACxE;YACE,kBAAkB;YAClB,GAAG,EAAE,CAAC,MAAM,CAAC,wCAAwC,CAAC;SACvD;QACD;YACE,sBAAsB;YACtB,GAAG,EAAE,CAAC,MAAM,CAAC,4CAA4C,CAAC;SAC3D;QACD;YACE,yBAAyB;YACzB,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;SAC9D;KACF,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACrC,IAAI,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAC7B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;YACxB,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;gBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG;oBACf,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC7D,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;IACH,CAAC;AACH,CAAC;AAED,oDAAoD;AACpD,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,CAAC","sourcesContent":["/**\n * Auto-discover actions from a template's actions/ directory.\n *\n * Scans for .ts/.js files and builds an action registry suitable for\n * `createAgentChatPlugin({ actions })`.\n *\n * Supports two action conventions:\n *\n * 1. **Full interface** — exports `tool: ActionTool` and `run(args): Promise<string>`.\n * These are used directly.\n *\n * 2. **CLI-style** — exports only `default async function(args: string[])`.\n * These are wrapped: args are converted from `Record<string, string>` to\n * `[\"--key\", \"value\", ...]`, console output is captured, and a tool\n * definition is synthesized from the action name.\n *\n * 3. **defineAction** — exports `default` from `defineAction()`. Has `tool` and `run`.\n *\n * Usage in agent-chat plugins:\n * ```ts\n * import { autoDiscoverActions } from \"@agent-native/core/server\";\n *\n * export default createAgentChatPlugin({\n * actions: () => autoDiscoverActions(import.meta.url),\n * });\n * ```\n */\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport type { ActionTool } from \"../agent/types.js\";\nimport nodePath from \"node:path\";\nimport { captureCliOutput } from \"./cli-capture.js\";\n\n// Lazy fs — loaded via dynamic import() on first use.\n// Avoids require() which bundlers convert to createRequire() that crashes on CF Workers.\nlet _fs: typeof import(\"fs\") | undefined;\nasync function getFs(): Promise<typeof import(\"fs\")> {\n if (!_fs) {\n _fs = await import(\"node:fs\");\n }\n return _fs;\n}\nimport { fileURLToPath } from \"node:url\";\n\n/** Files to skip during auto-discovery (no extension). */\nconst SKIP_FILES = new Set([\n \"helpers\",\n \"run\",\n \"db-connect\",\n \"db-status\",\n \"registry\",\n]);\n\n/**\n * Split a string into shell-like tokens, handling double and single quotes.\n * `--title \"My Page\" --content \"\"` → `[\"--title\", \"My Page\", \"--content\", \"\"]`\n */\nfunction splitShellArgs(input: string): string[] {\n const tokens: string[] = [];\n let current = \"\";\n let inDouble = false;\n let inSingle = false;\n let wasQuoted = false;\n\n for (let i = 0; i < input.length; i++) {\n const ch = input[i];\n if (ch === '\"' && !inSingle) {\n inDouble = !inDouble;\n wasQuoted = true;\n continue;\n }\n if (ch === \"'\" && !inDouble) {\n inSingle = !inSingle;\n wasQuoted = true;\n continue;\n }\n if ((ch === \" \" || ch === \"\\t\") && !inDouble && !inSingle) {\n if (current.length > 0 || wasQuoted) {\n tokens.push(current);\n }\n current = \"\";\n wasQuoted = false;\n continue;\n }\n current += ch;\n }\n if (current.length > 0 || wasQuoted) {\n tokens.push(current);\n }\n return tokens;\n}\n\n/**\n * Wrap a CLI-style action (that writes to console.log) as an ActionEntry\n * by capturing stdout/stderr and intercepting process.exit. Uses the\n * shared AsyncLocalStorage-backed capture so concurrent invocations do\n * not corrupt the global `console.log` / `process.stdout.write` /\n * `process.exit` pointers (see `cli-capture.ts`).\n */\nfunction wrapDefaultExport(\n name: string,\n defaultFn: (args: string[]) => Promise<void>,\n): ActionEntry {\n const tool: ActionTool = {\n description: `Run the \"${name}\" action. Pass arguments as key-value pairs.`,\n parameters: {\n type: \"object\",\n properties: {\n args: {\n type: \"string\",\n description:\n \"Space-separated CLI arguments (e.g. '--id abc --title Hello')\",\n },\n },\n },\n };\n\n return {\n tool,\n run: async (args: Record<string, string>): Promise<string> => {\n const cliArgs: string[] = [];\n // If only an \"args\" key was provided, split it into CLI tokens\n if (args.args && Object.keys(args).length === 1) {\n cliArgs.push(...splitShellArgs(args.args));\n } else {\n for (const [k, v] of Object.entries(args)) {\n cliArgs.push(`--${k}`, v);\n }\n }\n return captureCliOutput(() => defaultFn(cliArgs));\n },\n };\n}\n\nfunction preserveActionFlags(entry: Record<string, any>): Partial<ActionEntry> {\n const out: Partial<ActionEntry> = {};\n if (typeof entry.readOnly === \"boolean\") out.readOnly = entry.readOnly;\n if (typeof entry.parallelSafe === \"boolean\") {\n out.parallelSafe = entry.parallelSafe;\n }\n if (typeof entry.toolCallable === \"boolean\") {\n out.toolCallable = entry.toolCallable;\n }\n return out;\n}\n\n/**\n * Resolve the actions directory from the caller's context.\n *\n * @param from - Either an `import.meta.url` (file:// URL from a plugin file),\n * an absolute directory path, or \"auto\" to use `process.cwd() + \"/actions\"`.\n * When an import.meta.url is provided, the actions directory is resolved as\n * `../../actions/` relative to the caller (typically `server/plugins/agent-chat.ts`).\n * If the resolved directory doesn't exist, falls back to `../../scripts/` for\n * backwards compatibility, then to `process.cwd() + \"/actions\"`.\n */\nasync function resolveActionsDir(from: string): Promise<string> {\n const fs = await getFs();\n const exists = (p: string) => {\n try {\n return fs.existsSync(p);\n } catch {\n return false;\n }\n };\n // On edge runtimes (e.g. Cloudflare Workers), import.meta.url may be\n // undefined after bundling. Fall back to cwd-based discovery.\n if (!from) {\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n if (from.startsWith(\"file://\") || from.startsWith(\"file:///\")) {\n const callerPath = fileURLToPath(from);\n const callerDir = nodePath.dirname(callerPath);\n const actionsResolved = nodePath.resolve(callerDir, \"../../actions\");\n if (exists(actionsResolved)) return actionsResolved;\n const scriptsResolved = nodePath.resolve(callerDir, \"../../scripts\");\n if (exists(scriptsResolved)) return scriptsResolved;\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n if (from === \"auto\") {\n const cwdActions = nodePath.join(process.cwd(), \"actions\");\n if (exists(cwdActions)) return cwdActions;\n return nodePath.join(process.cwd(), \"scripts\");\n }\n return nodePath.resolve(from);\n}\n\n/**\n * Load actions from a single directory into the given registry. Shared by\n * both the template-actions discovery path and the workspace-core actions\n * layer. When `skipExisting` is true, an entry with the same name that's\n * already in the registry is left untouched (template-wins on collision).\n */\nasync function loadActionsIntoRegistry(\n actionsDir: string,\n registry: Record<string, ActionEntry>,\n skipExisting: boolean,\n): Promise<void> {\n let files: string[];\n try {\n const fs = await getFs();\n if (!fs.existsSync(actionsDir)) return;\n files = fs.readdirSync(actionsDir);\n } catch {\n return;\n }\n\n const actionFiles = files.filter((f) => {\n if (!f.endsWith(\".ts\") && !f.endsWith(\".js\")) return false;\n const name = f.replace(/\\.(ts|js)$/, \"\");\n if (name.startsWith(\"_\")) return false;\n if (SKIP_FILES.has(name)) return false;\n return true;\n });\n\n for (const file of actionFiles) {\n const name = file.replace(/\\.(ts|js)$/, \"\");\n if (skipExisting && registry[name]) continue;\n\n const filePath = nodePath.join(actionsDir, file);\n try {\n const mod = await import(/* @vite-ignore */ filePath);\n\n if (mod.tool && typeof mod.run === \"function\") {\n registry[name] = {\n tool: mod.tool,\n run: mod.run,\n ...(mod.http !== undefined ? { http: mod.http } : {}),\n ...preserveActionFlags(mod),\n };\n } else if (\n mod.default &&\n typeof mod.default === \"object\" &&\n mod.default.tool &&\n typeof mod.default.run === \"function\"\n ) {\n registry[name] = {\n tool: mod.default.tool,\n run: mod.default.run,\n ...(mod.default.http !== undefined ? { http: mod.default.http } : {}),\n ...preserveActionFlags(mod.default),\n };\n } else if (typeof mod.default === \"function\") {\n registry[name] = wrapDefaultExport(name, mod.default);\n }\n } catch {\n // CLI-style scripts (top-level execution) throw on import.\n // Expected — they're available via `pnpm action <name>` / shell instead.\n }\n }\n}\n\n/**\n * Normalize a pre-bundled static action registry (name → raw module) into\n * the `Record<string, ActionEntry>` shape the agent-chat plugin expects.\n *\n * Used by `autoDiscoverActions` when `.generated/actions-registry.ts` is\n * present so that Nitro-bundled serverless functions (Netlify, Vercel,\n * AWS-Lambda) can serve `/_agent-native/actions/*` routes without relying\n * on a filesystem scan that doesn't work in bundled output.\n */\nexport function loadActionsFromStaticRegistry(\n modules: Record<string, unknown>,\n): Record<string, ActionEntry> {\n const registry: Record<string, ActionEntry> = {};\n for (const [name, raw] of Object.entries(modules)) {\n const mod = raw as Record<string, any> | null | undefined;\n if (!mod) continue;\n\n if (mod.tool && typeof mod.run === \"function\") {\n registry[name] = {\n tool: mod.tool,\n run: mod.run,\n ...(mod.http !== undefined ? { http: mod.http } : {}),\n ...preserveActionFlags(mod),\n };\n continue;\n }\n\n const def = mod.default;\n if (\n def &&\n typeof def === \"object\" &&\n def.tool &&\n typeof def.run === \"function\"\n ) {\n registry[name] = {\n tool: def.tool,\n run: def.run,\n ...(def.http !== undefined ? { http: def.http } : {}),\n ...preserveActionFlags(def),\n };\n continue;\n }\n\n if (typeof def === \"function\") {\n registry[name] = wrapDefaultExport(name, def);\n }\n }\n return registry;\n}\n\n/**\n * Auto-discover actions from a directory.\n *\n * Merges in any actions from the enterprise workspace core (if present in\n * the ancestor chain). Template actions take precedence over workspace-core\n * actions on name collision, so an app can override an enterprise-wide\n * action by dropping a same-named file under its own `actions/`.\n *\n * Note: this helper uses a filesystem scan, which works in dev and in\n * non-bundled Node deployments. In bundled serverless functions (Nitro's\n * netlify / vercel / aws-lambda presets) the `actions/` directory is not\n * on disk at runtime; templates should pass the static registry generated\n * by the Vite plugin to `createAgentChatPlugin({ actions })` instead, so\n * the bundler sees static imports and pulls every action into the bundle.\n *\n * @param from - The caller's `import.meta.url` or an absolute path to the\n * actions directory.\n * @returns A record mapping action names to ActionEntry objects, suitable for\n * passing to `createAgentChatPlugin({ actions })`.\n */\nexport async function autoDiscoverActions(\n from: string,\n): Promise<Record<string, ActionEntry>> {\n const actionsDir = await resolveActionsDir(from);\n const registry: Record<string, ActionEntry> = {};\n\n // 1. Template actions first — these are the authoritative layer for the\n // current app and must override any workspace-core entry with the same\n // name.\n try {\n await loadActionsIntoRegistry(actionsDir, registry, false);\n } catch (err: any) {\n console.warn(\n `[autoDiscoverActions] Could not read actions directory: ${actionsDir} — ${err?.message}`,\n );\n }\n\n // 1b. Fallback: if filesystem discovery found no template actions (common\n // in bundled serverless environments like Netlify/Vercel where the\n // actions/ directory doesn't exist on disk), try importing the\n // generated static registry at .generated/actions-registry.\n //\n // This prevents the silent-empty-tools footgun where the agent has no\n // template actions and falls back to generic tools like web-request.\n // Prefer `loadActionsFromStaticRegistry` over `autoDiscoverActions` for\n // production reliability — this fallback is a safety net, not the\n // primary path.\n if (Object.keys(registry).length === 0 && from) {\n try {\n let registryPath: string;\n if (from.startsWith(\"file://\") || from.startsWith(\"file:///\")) {\n const callerDir = nodePath.dirname(fileURLToPath(from));\n registryPath = nodePath.resolve(\n callerDir,\n \"../../.generated/actions-registry.js\",\n );\n } else {\n registryPath = nodePath.resolve(\n from,\n \"../.generated/actions-registry.js\",\n );\n }\n const mod = await import(/* @vite-ignore */ registryPath);\n const staticEntries = loadActionsFromStaticRegistry(mod.default || mod);\n Object.assign(registry, staticEntries);\n if (Object.keys(staticEntries).length > 0) {\n console.log(\n `[autoDiscoverActions] Filesystem scan found 0 actions — loaded ${Object.keys(staticEntries).length} from .generated/actions-registry.ts instead. ` +\n `Consider switching to loadActionsFromStaticRegistry(actionsRegistry) for production reliability.`,\n );\n }\n } catch {\n // No generated registry available — registry stays empty.\n }\n }\n\n // If still empty after all fallbacks, warn loudly.\n if (Object.keys(registry).length === 0) {\n console.warn(\n `[autoDiscoverActions] WARNING: No template actions found! ` +\n `The agent will have no template-specific tools. ` +\n `If in production, switch from autoDiscoverActions to loadActionsFromStaticRegistry. ` +\n `See: https://docs.agent-native.com/actions#static-registry`,\n );\n }\n\n // 2. Workspace-core actions — merged in with skipExisting so they can't\n // overwrite template entries.\n try {\n const { getWorkspaceCoreExports } =\n await import(\"../deploy/workspace-core.js\");\n const ws = await getWorkspaceCoreExports(process.cwd());\n if (ws && ws.actionsDir) {\n await loadActionsIntoRegistry(ws.actionsDir, registry, true);\n }\n } catch {\n // workspace-core discovery unavailable (e.g. edge runtime) — skip.\n }\n\n // 3. Framework-level sharing actions — always available to any template\n // that registers a shareable resource. Merged with skipExisting so\n // templates can override by providing a same-named file.\n try {\n await mergeCoreSharingActions(registry);\n } catch {\n // Ignore — templates without sharing still work.\n }\n\n return registry;\n}\n\nexport async function mergeCoreSharingActions(\n registry: Record<string, ActionEntry>,\n): Promise<void> {\n const entries: Array<[string, () => Promise<any>]> = [\n [\"share-resource\", () => import(\"../sharing/actions/share-resource.js\")],\n [\n \"unshare-resource\",\n () => import(\"../sharing/actions/unshare-resource.js\"),\n ],\n [\n \"list-resource-shares\",\n () => import(\"../sharing/actions/list-resource-shares.js\"),\n ],\n [\n \"set-resource-visibility\",\n () => import(\"../sharing/actions/set-resource-visibility.js\"),\n ],\n ];\n for (const [name, loader] of entries) {\n if (registry[name]) continue;\n try {\n const mod = await loader();\n const def = mod.default;\n if (def && def.tool && typeof def.run === \"function\") {\n registry[name] = {\n tool: def.tool,\n run: def.run,\n ...(def.http !== undefined ? { http: def.http } : {}),\n ...(def.readOnly === true ? { readOnly: true } : {}),\n ...(def.parallelSafe === true ? { parallelSafe: true } : {}),\n };\n }\n } catch {\n // Skip any sharing action that fails to import.\n }\n }\n}\n\n/** @deprecated Use `autoDiscoverActions` instead */\nexport const autoDiscoverScripts = autoDiscoverActions;\n"]}
package/dist/server/agent-chat-plugin.d.ts CHANGED
@@ -20,6 +20,11 @@ export interface AgentChatPluginOptions {
20
20
  devSystemPrompt?: string;
21
21
  /** Claude model to use. Default: claude-sonnet-4-6 */
22
22
  model?: string;
23
+ /** Optional per-app agent run chunk budget in milliseconds. Defaults to
24
+ * AGENT_RUN_SOFT_TIMEOUT_MS when set, otherwise no framework-imposed
25
+ * timeout. When reached, long runs continue through the hidden continuation
26
+ * path instead of surfacing a timeout warning. */
27
+ runSoftTimeoutMs?: number;
23
28
  /** Anthropic API key. Falls back to ANTHROPIC_API_KEY env var */
24
29
  apiKey?: string;
25
30
  /**
package/dist/server/agent-chat-plugin.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EASL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAItC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AA0ChC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AA8DrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAkiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAkwBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CA+/EhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}
1
+ {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EAUL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AA4ChC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AAkIrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAmiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;sDAGkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAkwBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CAigFhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}
package/dist/server/agent-chat-plugin.js CHANGED
@@ -1,7 +1,8 @@
1
1
  import { runWithRequestContext, getRequestOrgId, getRequestUserEmail, getRequestRunContext, ensureRequestRunContext, } from "./request-context.js";
2
2
  import { getSetting, putSetting } from "../settings/store.js";
3
3
  import { getH3App, markDefaultPluginProvided, trackPluginInit, } from "./framework-request-handler.js";
4
- import { createProductionAgentHandler, runAgentLoop, actionsToEngineTools, getActiveRunForThreadAsync, abortRun, subscribeToRun, } from "../agent/production-agent.js";
4
+ import { createProductionAgentHandler, runAgentLoop, actionsToEngineTools, getActiveRunForThreadAsync, abortRun, subscribeToRun, appendAgentLoopContinuation, } from "../agent/production-agent.js";
5
+ import { resolveRunSoftTimeoutMs } from "../agent/run-manager.js";
5
6
  import { resolveEngine, createAnthropicEngine } from "../agent/engine/index.js";
6
7
  import { DEFAULT_MODEL } from "../agent/default-model.js";
7
8
  import { attachToolSearch } from "../agent/tool-search.js";
@@ -10,13 +11,13 @@ import { discoverAgents } from "./agent-discovery.js";
10
11
  import { loadSchemaPromptBlock } from "./schema-prompt.js";
11
12
  import { buildAssistantMessage, extractThreadMeta, } from "../agent/thread-data-builder.js";
12
13
  import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getQuery, getHeader, } from "h3";
13
- import { getSession, DEV_MODE_USER_EMAIL } from "./auth.js";
14
+ import { getSession } from "./auth.js";
14
15
  import { getOrigin } from "./google-oauth.js";
15
16
  import { createThread, forkThread, getThread, listThreads, searchThreads, updateThreadData, withThreadDataLock, deleteThread, setThreadQueuedMessages, } from "../chat-threads/store.js";
16
- import { resourceListAccessible, resourceList, resourceGet, resourceGetByPath, ensurePersonalDefaults, SHARED_OWNER, } from "../resources/store.js";
17
+ import { resourceList, resourceGet, resourceGetByPath, ensurePersonalDefaults, SHARED_OWNER, } from "../resources/store.js";
17
18
  import nodePath from "node:path";
18
19
  import { readBody } from "./h3-helpers.js";
19
- import { getBuilderBrowserConnectUrl } from "./builder-browser.js";
20
+ import { getBuilderBrowserConnectUrl, isBuilderBranchingEnabled, } from "./builder-browser.js";
20
21
  import { captureCliOutput } from "./cli-capture.js";
21
22
  import { withConfiguredAppBasePath } from "./app-base-path.js";
22
23
  import { appendA2AArtifactLinks, buildA2ARecoverableArtifactMessage, } from "../a2a/artifact-response.js";
@@ -72,6 +73,69 @@ function resolveArtifactBaseUrl(event) {
72
73
  catch { }
73
74
  return undefined;
74
75
  }
76
+ async function runAgentLoopDirectWithSoftTimeout(opts, softTimeoutMs) {
77
+ const timeoutMs = resolveRunSoftTimeoutMs(softTimeoutMs);
78
+ if (timeoutMs <= 0)
79
+ return runAgentLoop(opts);
80
+ const upstreamSignal = opts.signal;
81
+ const usage = {
82
+ inputTokens: 0,
83
+ outputTokens: 0,
84
+ cacheReadTokens: 0,
85
+ cacheWriteTokens: 0,
86
+ model: opts.model,
87
+ };
88
+ const addUsage = (next) => {
89
+ usage.inputTokens += next.inputTokens;
90
+ usage.outputTokens += next.outputTokens;
91
+ usage.cacheReadTokens += next.cacheReadTokens;
92
+ usage.cacheWriteTokens += next.cacheWriteTokens;
93
+ usage.model = next.model;
94
+ };
95
+ while (!upstreamSignal.aborted) {
96
+ const controller = new AbortController();
97
+ const abortFromUpstream = () => controller.abort();
98
+ if (upstreamSignal.aborted) {
99
+ controller.abort();
100
+ }
101
+ else {
102
+ upstreamSignal.addEventListener("abort", abortFromUpstream, {
103
+ once: true,
104
+ });
105
+ }
106
+ let softTimedOut = false;
107
+ const timer = setTimeout(() => {
108
+ if (controller.signal.aborted)
109
+ return;
110
+ softTimedOut = true;
111
+ controller.abort();
112
+ }, timeoutMs);
113
+ try {
114
+ const nextUsage = await runAgentLoop({
115
+ ...opts,
116
+ signal: controller.signal,
117
+ });
118
+ addUsage(nextUsage);
119
+ if (softTimedOut && !upstreamSignal.aborted) {
120
+ appendAgentLoopContinuation(opts.messages, "run_timeout");
121
+ continue;
122
+ }
123
+ return usage;
124
+ }
125
+ catch (err) {
126
+ if (softTimedOut && !upstreamSignal.aborted) {
127
+ appendAgentLoopContinuation(opts.messages, "run_timeout");
128
+ continue;
129
+ }
130
+ throw err;
131
+ }
132
+ finally {
133
+ clearTimeout(timer);
134
+ upstreamSignal.removeEventListener("abort", abortFromUpstream);
135
+ }
136
+ }
137
+ return usage;
138
+ }
75
139
  export function assembleA2AFinalResponse(events, toolResults, options = {}) {
76
140
  const responseText = collectFinalResponseTextFromAgentEvents(events);
77
141
  const finalText = appendA2AArtifactLinks(responseText, [...toolResults], {
@@ -723,6 +787,7 @@ function createBuilderBrowserTool(deps) {
723
787
  return JSON.stringify({
724
788
  kind: "connect-builder-card",
725
789
  configured,
790
+ builderEnabled: isBuilderBranchingEnabled(),
726
791
  connectUrl: getBuilderBrowserConnectUrl(deps.getOrigin()),
727
792
  orgName: creds.orgName || null,
728
793
  prompt,
@@ -2281,7 +2346,7 @@ export function createAgentChatPlugin(options) {
2281
2346
  let lastRecoverableArtifactText = "";
2282
2347
  const controller = new AbortController();
2283
2348
  console.log(`[A2A] Starting agent loop: ${a2aTools.length} tools, prompt ${systemPrompt.length} chars`);
2284
- await runAgentLoop({
2349
+ await runAgentLoopDirectWithSoftTimeout({
2285
2350
  engine: a2aEngine,
2286
2351
  model,
2287
2352
  systemPrompt,
@@ -2326,7 +2391,7 @@ export function createAgentChatPlugin(options) {
2326
2391
  }
2327
2392
  },
2328
2393
  signal: controller.signal,
2329
- });
2394
+ }, options?.runSoftTimeoutMs);
2330
2395
  const { responseText, finalText } = assembleA2AFinalResponse(a2aEvents, a2aToolResults, { event: context.event });
2331
2396
  console.log(`[A2A] Loop complete. Text: ${responseText.slice(0, 100)}...`);
2332
2397
  // Yield the final accumulated text
@@ -2415,10 +2480,10 @@ export function createAgentChatPlugin(options) {
2415
2480
  ...toolActions,
2416
2481
  });
2417
2482
  const mcpTools = actionsToEngineTools(mcpActions);
2418
- const resources = await loadResourcesForPrompt(DEV_MODE_USER_EMAIL, lazyContext);
2483
+ const resources = await loadResourcesForPrompt(SHARED_OWNER, lazyContext);
2419
2484
  const schemaBlock = lazyContext
2420
2485
  ? ""
2421
- : await buildSchemaBlock(DEV_MODE_USER_EMAIL, devActiveMcp);
2486
+ : await buildSchemaBlock(SHARED_OWNER, devActiveMcp);
2422
2487
  // Build the MCP handler's own prompt — always use the shell-based
2423
2488
  // dev prompt in dev mode because mcpActions routes template actions
2424
2489
  // through shell (`devScriptsForA2A`), regardless of `nativeActionsInDev`.
@@ -2442,7 +2507,7 @@ export function createAgentChatPlugin(options) {
2442
2507
  schemaBlock;
2443
2508
  let accumulatedText = "";
2444
2509
  const controller = new AbortController();
2445
- await runAgentLoop({
2510
+ await runAgentLoopDirectWithSoftTimeout({
2446
2511
  engine: mcpEngine,
2447
2512
  model,
2448
2513
  systemPrompt,
@@ -2456,7 +2521,7 @@ export function createAgentChatPlugin(options) {
2456
2521
  accumulatedText += event.text;
2457
2522
  },
2458
2523
  signal: controller.signal,
2459
- });
2524
+ }, options?.runSoftTimeoutMs);
2460
2525
  return accumulatedText || "(no response)";
2461
2526
  },
2462
2527
  });
@@ -2818,6 +2883,7 @@ export function createAgentChatPlugin(options) {
2818
2883
  },
2819
2884
  model: options?.model ?? DEFAULT_MODEL,
2820
2885
  apiKey: options?.apiKey,
2886
+ runSoftTimeoutMs: options?.runSoftTimeoutMs,
2821
2887
  skipFilesContext: leanPrompt,
2822
2888
  onEngineResolved: (engine, model) => {
2823
2889
  const runCtx = ensureRequestRunContext();
@@ -2899,6 +2965,7 @@ export function createAgentChatPlugin(options) {
2899
2965
  },
2900
2966
  model: options?.model,
2901
2967
  apiKey: options?.apiKey,
2968
+ runSoftTimeoutMs: options?.runSoftTimeoutMs,
2902
2969
  skipFilesContext: leanPrompt,
2903
2970
  onEngineResolved: (engine, model) => {
2904
2971
  const runCtx = ensureRequestRunContext();
@@ -2978,7 +3045,7 @@ export function createAgentChatPlugin(options) {
2978
3045
  }
2979
3046
  const trimmedKey = key.trim();
2980
3047
  const ownerEmail = await getOwnerFromEvent(event);
2981
- if (!ownerEmail || ownerEmail === DEV_MODE_USER_EMAIL) {
3048
+ if (!ownerEmail) {
2982
3049
  setResponseStatus(event, 401);
2983
3050
  return { error: "Authentication required" };
2984
3051
  }
@@ -3042,9 +3109,7 @@ export function createAgentChatPlugin(options) {
3042
3109
  }
3043
3110
  // Query resources
3044
3111
  try {
3045
- const resources = currentDevMode
3046
- ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
3047
- : await resourceList(SHARED_OWNER);
3112
+ const resources = await resourceList(SHARED_OWNER);
3048
3113
  for (const r of resources) {
3049
3114
  if (!seen.has(r.path)) {
3050
3115
  seen.add(r.path);
@@ -3127,9 +3192,7 @@ export function createAgentChatPlugin(options) {
3127
3192
  }
3128
3193
  // Query resources with skills/ prefix
3129
3194
  try {
3130
- const resourceSkills = currentDevMode
3131
- ? await resourceListAccessible(DEV_MODE_USER_EMAIL, "skills/")
3132
- : await resourceList(SHARED_OWNER, "skills/");
3195
+ const resourceSkills = await resourceList(SHARED_OWNER, "skills/");
3133
3196
  for (const r of resourceSkills) {
3134
3197
  // Try to get content to parse frontmatter
3135
3198
  let skillName = r.path.split("/").pop()?.replace(/\.md$/, "") || r.path;
@@ -3238,9 +3301,7 @@ export function createAgentChatPlugin(options) {
3238
3301
  // 1. Resources from SQL (fast — flush first)
3239
3302
  sources.push((async () => {
3240
3303
  try {
3241
- const resources = currentDevMode
3242
- ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
3243
- : await resourceList(SHARED_OWNER);
3304
+ const resources = await resourceList(SHARED_OWNER);
3244
3305
  flush(resources.map((r) => {
3245
3306
  const isShared = r.owner === SHARED_OWNER;
3246
3307
  return {