@agent-native/core 0.7.83 → 0.8.0

package/dist/tools/slots/store.js

@@ -1,227 +0,0 @@
-import { randomUUID } from "node:crypto";
-import { and, eq, inArray, sql } from "drizzle-orm";
-import { getDbExec, isPostgres } from "../../db/client.js";
-import { createGetDb } from "../../db/create-get-db.js";
-import { accessFilter, assertAccess } from "../../sharing/access.js";
-import { getRequestUserEmail, getRequestOrgId, } from "../../server/request-context.js";
-import { tools, toolShares } from "../schema.js";
-import { toolSlots, toolSlotInstalls, TOOL_SLOTS_CREATE_SQL, TOOL_SLOTS_CREATE_SQL_PG, TOOL_SLOTS_BY_SLOT_INDEX_SQL, TOOL_SLOTS_BY_TOOL_INDEX_SQL, TOOL_SLOTS_UNIQUE_INDEX_SQL, TOOL_SLOT_INSTALLS_CREATE_SQL, TOOL_SLOT_INSTALLS_CREATE_SQL_PG, TOOL_SLOT_INSTALLS_BY_USER_SLOT_INDEX_SQL, TOOL_SLOT_INSTALLS_UNIQUE_INDEX_SQL, } from "./schema.js";
-const getDb = createGetDb({ tools, toolShares, toolSlots, toolSlotInstalls });
-let _initPromise;
-export async function ensureSlotTables() {
-    if (!_initPromise) {
-        _initPromise = (async () => {
-            const client = getDbExec();
-            const pg = isPostgres();
-            await client.execute(pg ? TOOL_SLOTS_CREATE_SQL_PG : TOOL_SLOTS_CREATE_SQL);
-            await client.execute(TOOL_SLOTS_BY_SLOT_INDEX_SQL);
-            await client.execute(TOOL_SLOTS_BY_TOOL_INDEX_SQL);
-            await client.execute(TOOL_SLOTS_UNIQUE_INDEX_SQL);
-            await client.execute(pg ? TOOL_SLOT_INSTALLS_CREATE_SQL_PG : TOOL_SLOT_INSTALLS_CREATE_SQL);
-            await client.execute(TOOL_SLOT_INSTALLS_BY_USER_SLOT_INDEX_SQL);
-            await client.execute(TOOL_SLOT_INSTALLS_UNIQUE_INDEX_SQL);
-        })();
-    }
-    return _initPromise;
-}
-/**
- * Declare that a tool can render in a slot. Caller must have editor access on
- * the tool (only people who can edit a tool can change its slot targets).
- */
-export async function addToolSlotTarget(toolId, slotId, config) {
-    await ensureSlotTables();
-    await assertAccess("tool", toolId, "editor");
-    const db = getDb();
-    const id = randomUUID();
-    const createdAt = new Date().toISOString();
-    const row = {
-        id,
-        toolId,
-        slotId,
-        config: config ?? null,
-        createdAt,
-    };
-    try {
-        await db.insert(toolSlots).values(row);
-    }
-    catch (err) {
-        // Unique index hit — already declared. Treat as idempotent: return existing.
-        if (String(err?.message ?? err)
-            .toLowerCase()
-            .includes("unique")) {
-            const existing = await db
-                .select()
-                .from(toolSlots)
-                .where(and(eq(toolSlots.toolId, toolId), eq(toolSlots.slotId, slotId)));
-            if (existing[0])
-                return existing[0];
-        }
-        throw err;
-    }
-    return row;
-}
-export async function removeToolSlotTarget(toolId, slotId) {
-    await ensureSlotTables();
-    await assertAccess("tool", toolId, "editor");
-    const db = getDb();
-    await db
-        .delete(toolSlots)
-        .where(and(eq(toolSlots.toolId, toolId), eq(toolSlots.slotId, slotId)));
-    return true;
-}
-export async function listSlotsForTool(toolId) {
-    await ensureSlotTables();
-    await assertAccess("tool", toolId, "viewer");
-    const db = getDb();
-    const rows = await db
-        .select()
-        .from(toolSlots)
-        .where(eq(toolSlots.toolId, toolId));
-    return rows;
-}
-/**
- * List tools that declare a slot — but only tools the current user has access
- * to. Joins through the tools access filter.
- */
-export async function listToolsForSlot(slotId) {
-    await ensureSlotTables();
-    const db = getDb();
-    // Pull tools the user can see, then narrow to ones declaring this slot.
-    const accessible = await db
-        .select({
-        id: tools.id,
-        name: tools.name,
-        description: tools.description,
-        icon: tools.icon,
-    })
-        .from(tools)
-        .where(accessFilter(tools, toolShares));
-    if (accessible.length === 0)
-        return [];
-    const ids = accessible.map((t) => t.id);
-    const declarations = await db
-        .select()
-        .from(toolSlots)
-        .where(and(eq(toolSlots.slotId, slotId), inArray(toolSlots.toolId, ids)));
-    const byId = new Map(accessible.map((t) => [t.id, t]));
-    return declarations.map((d) => {
-        const t = byId.get(d.toolId);
-        return {
-            toolId: d.toolId,
-            name: t.name,
-            description: t.description,
-            icon: t.icon,
-            config: d.config,
-        };
-    });
-}
-/**
- * Install a tool into a slot for the current user. Verifies the user has at
- * least viewer access to the tool. Idempotent — re-installing returns the
- * existing row.
- */
-export async function installToolSlot(toolId, slotId, opts) {
-    await ensureSlotTables();
-    await assertAccess("tool", toolId, "viewer");
-    const userEmail = requireUserEmail();
-    const orgId = getRequestOrgId();
-    const db = getDb();
-    const existing = await db
-        .select()
-        .from(toolSlotInstalls)
-        .where(and(eq(toolSlotInstalls.ownerEmail, userEmail), eq(toolSlotInstalls.toolId, toolId), eq(toolSlotInstalls.slotId, slotId)));
-    if (existing[0])
-        return existing[0];
-    const id = randomUUID();
-    const now = new Date().toISOString();
-    let position = opts?.position;
-    if (position === undefined) {
-        const rows = await db
-            .select({ pos: sql `MAX(${toolSlotInstalls.position})` })
-            .from(toolSlotInstalls)
-            .where(and(eq(toolSlotInstalls.ownerEmail, userEmail), eq(toolSlotInstalls.slotId, slotId)));
-        const maxPos = Number(rows[0]?.pos ?? -1);
-        position = Number.isFinite(maxPos) ? maxPos + 1 : 0;
-    }
-    const row = {
-        id,
-        toolId,
-        slotId,
-        ownerEmail: userEmail,
-        orgId: orgId ?? null,
-        position,
-        config: opts?.config ?? null,
-        createdAt: now,
-        updatedAt: now,
-    };
-    await db.insert(toolSlotInstalls).values(row);
-    return row;
-}
-export async function uninstallToolSlot(toolId, slotId) {
-    await ensureSlotTables();
-    const userEmail = requireUserEmail();
-    const db = getDb();
-    await db
-        .delete(toolSlotInstalls)
-        .where(and(eq(toolSlotInstalls.ownerEmail, userEmail), eq(toolSlotInstalls.toolId, toolId), eq(toolSlotInstalls.slotId, slotId)));
-    return true;
-}
-/**
- * List the current user's installs for a slot. Joins with `tools` so the
- * caller gets tool name/description/icon/updatedAt without a second query.
- * Tools the user has lost access to are silently skipped (lazy garbage
- * collection).
- */
-export async function listSlotInstallsForUser(slotId) {
-    await ensureSlotTables();
-    const userEmail = requireUserEmail();
-    const db = getDb();
-    const installs = await db
-        .select()
-        .from(toolSlotInstalls)
-        .where(and(eq(toolSlotInstalls.ownerEmail, userEmail), eq(toolSlotInstalls.slotId, slotId)));
-    if (installs.length === 0)
-        return [];
-    const accessible = await db
-        .select({
-        id: tools.id,
-        name: tools.name,
-        description: tools.description,
-        icon: tools.icon,
-        updatedAt: tools.updatedAt,
-    })
-        .from(tools)
-        .where(accessFilter(tools, toolShares));
-    const byId = new Map(accessible.map((t) => [t.id, t]));
-    return installs
-        .filter((i) => byId.has(i.toolId))
-        .sort((a, b) => a.position - b.position)
-        .map((i) => {
-        const t = byId.get(i.toolId);
-        return {
-            installId: i.id,
-            toolId: i.toolId,
-            name: t.name,
-            description: t.description,
-            icon: t.icon,
-            updatedAt: t.updatedAt,
-            position: i.position,
-            config: i.config,
-        };
-    });
-}
-/** Delete every slot/install row referencing a tool. Called from deleteTool. */
-export async function cascadeDeleteToolSlots(toolId) {
-    await ensureSlotTables();
-    const db = getDb();
-    await db.delete(toolSlots).where(eq(toolSlots.toolId, toolId));
-    await db.delete(toolSlotInstalls).where(eq(toolSlotInstalls.toolId, toolId));
-}
-function requireUserEmail() {
-    const email = getRequestUserEmail();
-    if (!email) {
-        throw new Error("Slot operations require an authenticated user.");
-    }
-    return email;
-}
-//# sourceMappingURL=store.js.map

package/dist/tools/slots/store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"store.js","sourceRoot":"","sources":["../../../src/tools/slots/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EACL,SAAS,EACT,gBAAgB,EAChB,qBAAqB,EACrB,wBAAwB,EACxB,4BAA4B,EAC5B,4BAA4B,EAC5B,2BAA2B,EAC3B,6BAA6B,EAC7B,gCAAgC,EAChC,yCAAyC,EACzC,mCAAmC,GACpC,MAAM,aAAa,CAAC;AAErB,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC,CAAC;AAE9E,IAAI,YAAuC,CAAC;AAE5C,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;YACxB,MAAM,MAAM,CAAC,OAAO,CAClB,EAAE,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,qBAAqB,CACtD,CAAC;YACF,MAAM,MAAM,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;YACnD,MAAM,MAAM,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;YACnD,MAAM,MAAM,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;YAClD,MAAM,MAAM,CAAC,OAAO,CAClB,EAAE,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,6BAA6B,CACtE,CAAC;YACF,MAAM,MAAM,CAAC,OAAO,CAAC,yCAAyC,CAAC,CAAC;YAChE,MAAM,MAAM,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC;QAC5D,CAAC,CAAC,EAAE,CAAC;IACP,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAsBD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,MAAc,EACd,MAAe;IAEf,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,GAAG,GAAgB;QACvB,EAAE;QACF,MAAM;QACN,MAAM;QACN,MAAM,EAAE,MAAM,IAAI,IAAI;QACtB,SAAS;KACV,CAAC;IACF,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,6EAA6E;QAC7E,IACE,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC;aACxB,WAAW,EAAE;aACb,QAAQ,CAAC,QAAQ,CAAC,EACrB,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,EAAE;iBACtB,MAAM,EAAE;iBACR,IAAI,CAAC,SAAS,CAAC;iBACf,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1E,IAAI,QAAQ,CAAC,CAAC,CAAC;gBAAE,OAAO,QAAQ,CAAC,CAAC,CAAgB,CAAC;QACrD,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAc,EACd,MAAc;IAEd,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE;SACL,MAAM,CAAC,SAAS,CAAC;SACjB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAc;IACnD,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,EAAE;SACR,IAAI,CAAC,SAAS,CAAC;SACf,KAAK,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACvC,OAAO,IAAqB,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAc;IASnD,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,wEAAwE;IACxE,MAAM,UAAU,GAAG,MAAM,EAAE;SACxB,MAAM,CAAC;QACN,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC;SACD,IAAI,CAAC,KAAK,CAAC;SACX,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7C,MAAM,YAAY,GAAG,MAAM,EAAE;SAC1B,MAAM,EAAE;SACR,IAAI,CAAC,SAAS,CAAC;SACf,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,OAAQ,YAA8B,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/C,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;QAC9B,OAAO;YACL,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAc,EACd,MAAc,EACd,IAA6C;IAE7C,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,gBAAgB,CAAC;SACtB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,gBAAgB,CAAC,UAAU,EAAE,SAAS,CAAC,EAC1C,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,EACnC,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CACpC,CACF,CAAC;IACJ,IAAI,QAAQ,CAAC,CAAC,CAAC;QAAE,OAAO,QAAQ,CAAC,CAAC,CAAuB,CAAC;IAE1D,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;IAC9B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,EAAE;aAClB,MAAM,CAAC,EAAE,GAAG,EAAE,GAAG,CAAQ,OAAO,gBAAgB,CAAC,QAAQ,GAAG,EAAE,CAAC;aAC/D,IAAI,CAAC,gBAAgB,CAAC;aACtB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,gBAAgB,CAAC,UAAU,EAAE,SAAS,CAAC,EAC1C,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CACpC,CACF,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,CAAE,IAAI,CAAC,CAAC,CAAS,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACnD,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,GAAG,GAAuB;QAC9B,EAAE;QACF,MAAM;QACN,MAAM;QACN,UAAU,EAAE,SAAS;QACrB,KAAK,EAAE,KAAK,IAAI,IAAI;QACpB,QAAQ;QACR,MAAM,EAAE,IAAI,EAAE,MAAM,IAAI,IAAI;QAC5B,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACf,CAAC;IACF,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,MAAc;IAEd,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE;SACL,MAAM,CAAC,gBAAgB,CAAC;SACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,gBAAgB,CAAC,UAAU,EAAE,SAAS,CAAC,EAC1C,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,EACnC,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CACpC,CACF,CAAC;IACJ,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,MAAc;IAY1D,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IAEnB,MAAM,QAAQ,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,gBAAgB,CAAC;SACtB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,gBAAgB,CAAC,UAAU,EAAE,SAAS,CAAC,EAC1C,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CACpC,CACF,CAAC;IACJ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,MAAM,UAAU,GAAG,MAAM,EAAE;SACxB,MAAM,CAAC;QACN,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,CAAC;SACD,IAAI,CAAC,KAAK,CAAC;SACX,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5D,OAAQ,QAAiC;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;SACjC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC;SACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACT,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;QAC9B,OAAO;YACL,SAAS,EAAE,CAAC,CAAC,EAAE;YACf,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED,gFAAgF;AAChF,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAAc;IACzD,MAAM,gBAAgB,EAAE,CAAC;IACzB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { and, eq, inArray, sql } from \"drizzle-orm\";\nimport { getDbExec, isPostgres } from \"../../db/client.js\";\nimport { createGetDb } from \"../../db/create-get-db.js\";\nimport { accessFilter, assertAccess } from \"../../sharing/access.js\";\nimport {\n  getRequestUserEmail,\n  getRequestOrgId,\n} from \"../../server/request-context.js\";\nimport { tools, toolShares } from \"../schema.js\";\nimport {\n  toolSlots,\n  toolSlotInstalls,\n  TOOL_SLOTS_CREATE_SQL,\n  TOOL_SLOTS_CREATE_SQL_PG,\n  TOOL_SLOTS_BY_SLOT_INDEX_SQL,\n  TOOL_SLOTS_BY_TOOL_INDEX_SQL,\n  TOOL_SLOTS_UNIQUE_INDEX_SQL,\n  TOOL_SLOT_INSTALLS_CREATE_SQL,\n  TOOL_SLOT_INSTALLS_CREATE_SQL_PG,\n  TOOL_SLOT_INSTALLS_BY_USER_SLOT_INDEX_SQL,\n  TOOL_SLOT_INSTALLS_UNIQUE_INDEX_SQL,\n} from \"./schema.js\";\n\nconst getDb = createGetDb({ tools, toolShares, toolSlots, toolSlotInstalls });\n\nlet _initPromise: Promise<void> | undefined;\n\nexport async function ensureSlotTables(): Promise<void> {\n  if (!_initPromise) {\n    _initPromise = (async () => {\n      const client = getDbExec();\n      const pg = isPostgres();\n      await client.execute(\n        pg ? TOOL_SLOTS_CREATE_SQL_PG : TOOL_SLOTS_CREATE_SQL,\n      );\n      await client.execute(TOOL_SLOTS_BY_SLOT_INDEX_SQL);\n      await client.execute(TOOL_SLOTS_BY_TOOL_INDEX_SQL);\n      await client.execute(TOOL_SLOTS_UNIQUE_INDEX_SQL);\n      await client.execute(\n        pg ? TOOL_SLOT_INSTALLS_CREATE_SQL_PG : TOOL_SLOT_INSTALLS_CREATE_SQL,\n      );\n      await client.execute(TOOL_SLOT_INSTALLS_BY_USER_SLOT_INDEX_SQL);\n      await client.execute(TOOL_SLOT_INSTALLS_UNIQUE_INDEX_SQL);\n    })();\n  }\n  return _initPromise;\n}\n\nexport interface ToolSlotRow {\n  id: string;\n  toolId: string;\n  slotId: string;\n  config: string | null;\n  createdAt: string;\n}\n\nexport interface ToolSlotInstallRow {\n  id: string;\n  toolId: string;\n  slotId: string;\n  ownerEmail: string;\n  orgId: string | null;\n  position: number;\n  config: string | null;\n  createdAt: string;\n  updatedAt: string;\n}\n\n/**\n * Declare that a tool can render in a slot. Caller must have editor access on\n * the tool (only people who can edit a tool can change its slot targets).\n */\nexport async function addToolSlotTarget(\n  toolId: string,\n  slotId: string,\n  config?: string,\n): Promise<ToolSlotRow> {\n  await ensureSlotTables();\n  await assertAccess(\"tool\", toolId, \"editor\");\n  const db = getDb();\n  const id = randomUUID();\n  const createdAt = new Date().toISOString();\n  const row: ToolSlotRow = {\n    id,\n    toolId,\n    slotId,\n    config: config ?? null,\n    createdAt,\n  };\n  try {\n    await db.insert(toolSlots).values(row);\n  } catch (err: any) {\n    // Unique index hit — already declared. Treat as idempotent: return existing.\n    if (\n      String(err?.message ?? err)\n        .toLowerCase()\n        .includes(\"unique\")\n    ) {\n      const existing = await db\n        .select()\n        .from(toolSlots)\n        .where(and(eq(toolSlots.toolId, toolId), eq(toolSlots.slotId, slotId)));\n      if (existing[0]) return existing[0] as ToolSlotRow;\n    }\n    throw err;\n  }\n  return row;\n}\n\nexport async function removeToolSlotTarget(\n  toolId: string,\n  slotId: string,\n): Promise<boolean> {\n  await ensureSlotTables();\n  await assertAccess(\"tool\", toolId, \"editor\");\n  const db = getDb();\n  await db\n    .delete(toolSlots)\n    .where(and(eq(toolSlots.toolId, toolId), eq(toolSlots.slotId, slotId)));\n  return true;\n}\n\nexport async function listSlotsForTool(toolId: string): Promise<ToolSlotRow[]> {\n  await ensureSlotTables();\n  await assertAccess(\"tool\", toolId, \"viewer\");\n  const db = getDb();\n  const rows = await db\n    .select()\n    .from(toolSlots)\n    .where(eq(toolSlots.toolId, toolId));\n  return rows as ToolSlotRow[];\n}\n\n/**\n * List tools that declare a slot — but only tools the current user has access\n * to. Joins through the tools access filter.\n */\nexport async function listToolsForSlot(slotId: string): Promise<\n  Array<{\n    toolId: string;\n    name: string;\n    description: string;\n    icon: string | null;\n    config: string | null;\n  }>\n> {\n  await ensureSlotTables();\n  const db = getDb();\n  // Pull tools the user can see, then narrow to ones declaring this slot.\n  const accessible = await db\n    .select({\n      id: tools.id,\n      name: tools.name,\n      description: tools.description,\n      icon: tools.icon,\n    })\n    .from(tools)\n    .where(accessFilter(tools, toolShares));\n  if (accessible.length === 0) return [];\n  const ids = accessible.map((t: any) => t.id);\n  const declarations = await db\n    .select()\n    .from(toolSlots)\n    .where(and(eq(toolSlots.slotId, slotId), inArray(toolSlots.toolId, ids)));\n  const byId = new Map(accessible.map((t: any) => [t.id, t]));\n  return (declarations as ToolSlotRow[]).map((d) => {\n    const t = byId.get(d.toolId)!;\n    return {\n      toolId: d.toolId,\n      name: t.name,\n      description: t.description,\n      icon: t.icon,\n      config: d.config,\n    };\n  });\n}\n\n/**\n * Install a tool into a slot for the current user. Verifies the user has at\n * least viewer access to the tool. Idempotent — re-installing returns the\n * existing row.\n */\nexport async function installToolSlot(\n  toolId: string,\n  slotId: string,\n  opts?: { position?: number; config?: string },\n): Promise<ToolSlotInstallRow> {\n  await ensureSlotTables();\n  await assertAccess(\"tool\", toolId, \"viewer\");\n  const userEmail = requireUserEmail();\n  const orgId = getRequestOrgId();\n  const db = getDb();\n  const existing = await db\n    .select()\n    .from(toolSlotInstalls)\n    .where(\n      and(\n        eq(toolSlotInstalls.ownerEmail, userEmail),\n        eq(toolSlotInstalls.toolId, toolId),\n        eq(toolSlotInstalls.slotId, slotId),\n      ),\n    );\n  if (existing[0]) return existing[0] as ToolSlotInstallRow;\n\n  const id = randomUUID();\n  const now = new Date().toISOString();\n  let position = opts?.position;\n  if (position === undefined) {\n    const rows = await db\n      .select({ pos: sql<number>`MAX(${toolSlotInstalls.position})` })\n      .from(toolSlotInstalls)\n      .where(\n        and(\n          eq(toolSlotInstalls.ownerEmail, userEmail),\n          eq(toolSlotInstalls.slotId, slotId),\n        ),\n      );\n    const maxPos = Number((rows[0] as any)?.pos ?? -1);\n    position = Number.isFinite(maxPos) ? maxPos + 1 : 0;\n  }\n  const row: ToolSlotInstallRow = {\n    id,\n    toolId,\n    slotId,\n    ownerEmail: userEmail,\n    orgId: orgId ?? null,\n    position,\n    config: opts?.config ?? null,\n    createdAt: now,\n    updatedAt: now,\n  };\n  await db.insert(toolSlotInstalls).values(row);\n  return row;\n}\n\nexport async function uninstallToolSlot(\n  toolId: string,\n  slotId: string,\n): Promise<boolean> {\n  await ensureSlotTables();\n  const userEmail = requireUserEmail();\n  const db = getDb();\n  await db\n    .delete(toolSlotInstalls)\n    .where(\n      and(\n        eq(toolSlotInstalls.ownerEmail, userEmail),\n        eq(toolSlotInstalls.toolId, toolId),\n        eq(toolSlotInstalls.slotId, slotId),\n      ),\n    );\n  return true;\n}\n\n/**\n * List the current user's installs for a slot. Joins with `tools` so the\n * caller gets tool name/description/icon/updatedAt without a second query.\n * Tools the user has lost access to are silently skipped (lazy garbage\n * collection).\n */\nexport async function listSlotInstallsForUser(slotId: string): Promise<\n  Array<{\n    installId: string;\n    toolId: string;\n    name: string;\n    description: string;\n    icon: string | null;\n    updatedAt: string;\n    position: number;\n    config: string | null;\n  }>\n> {\n  await ensureSlotTables();\n  const userEmail = requireUserEmail();\n  const db = getDb();\n\n  const installs = await db\n    .select()\n    .from(toolSlotInstalls)\n    .where(\n      and(\n        eq(toolSlotInstalls.ownerEmail, userEmail),\n        eq(toolSlotInstalls.slotId, slotId),\n      ),\n    );\n  if (installs.length === 0) return [];\n\n  const accessible = await db\n    .select({\n      id: tools.id,\n      name: tools.name,\n      description: tools.description,\n      icon: tools.icon,\n      updatedAt: tools.updatedAt,\n    })\n    .from(tools)\n    .where(accessFilter(tools, toolShares));\n  const byId = new Map(accessible.map((t: any) => [t.id, t]));\n\n  return (installs as ToolSlotInstallRow[])\n    .filter((i) => byId.has(i.toolId))\n    .sort((a, b) => a.position - b.position)\n    .map((i) => {\n      const t = byId.get(i.toolId)!;\n      return {\n        installId: i.id,\n        toolId: i.toolId,\n        name: t.name,\n        description: t.description,\n        icon: t.icon,\n        updatedAt: t.updatedAt,\n        position: i.position,\n        config: i.config,\n      };\n    });\n}\n\n/** Delete every slot/install row referencing a tool. Called from deleteTool. */\nexport async function cascadeDeleteToolSlots(toolId: string): Promise<void> {\n  await ensureSlotTables();\n  const db = getDb();\n  await db.delete(toolSlots).where(eq(toolSlots.toolId, toolId));\n  await db.delete(toolSlotInstalls).where(eq(toolSlotInstalls.toolId, toolId));\n}\n\nfunction requireUserEmail(): string {\n  const email = getRequestUserEmail();\n  if (!email) {\n    throw new Error(\"Slot operations require an authenticated user.\");\n  }\n  return email;\n}\n"]}

package/dist/tools/store.d.ts

@@ -1,40 +0,0 @@
-export declare function ensureToolsTables(): Promise<void>;
-export declare function registerToolsShareable(): void;
-export interface ToolRow {
-    id: string;
-    name: string;
-    description: string;
-    content: string;
-    icon: string | null;
-    createdAt: string;
-    updatedAt: string;
-    ownerEmail: string;
-    orgId: string | null;
-    visibility: "private" | "org" | "public";
-}
-export declare function listTools(): Promise<ToolRow[]>;
-export declare function getTool(id: string): Promise<ToolRow | null>;
-export interface CreateToolData {
-    name: string;
-    description?: string;
-    content?: string;
-    icon?: string;
-}
-export declare function createTool(data: CreateToolData): Promise<ToolRow>;
-export interface UpdateToolData {
-    name?: string;
-    description?: string;
-    icon?: string;
-    visibility?: "private" | "org" | "public";
-}
-export declare function updateTool(id: string, data: UpdateToolData): Promise<ToolRow | null>;
-export interface UpdateToolContentOpts {
-    content?: string;
-    patches?: Array<{
-        find: string;
-        replace: string;
-    }>;
-}
-export declare function updateToolContent(id: string, opts: UpdateToolContentOpts): Promise<ToolRow | null>;
-export declare function deleteTool(id: string): Promise<boolean>;
-//# sourceMappingURL=store.d.ts.map

package/dist/tools/store.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/tools/store.ts"],"names":[],"mappings":"AAuCA,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CA6CvD;AA4DD,wBAAgB,sBAAsB,SASrC;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,SAAS,GAAG,KAAK,GAAG,QAAQ,CAAC;CAC1C;AAED,wBAAsB,SAAS,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAOpD;AAED,wBAAsB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAIjE;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,wBAAsB,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CA2BvE;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,SAAS,GAAG,KAAK,GAAG,QAAQ,CAAC;CAC3C;AAED,wBAAsB,UAAU,CAC9B,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAczB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED,wBAAsB,iBAAiB,CACrC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAyBzB;AAED,wBAAsB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAe7D"}

package/dist/tools/store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/tools/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,aAAa,GACd,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EACL,KAAK,EACL,UAAU,EACV,gBAAgB,EAChB,mBAAmB,EACnB,sBAAsB,EACtB,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,EAC/B,qBAAqB,EACrB,mBAAmB,EACnB,8BAA8B,EAC9B,wBAAwB,EACxB,2BAA2B,EAC3B,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AAErB,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;AAEjD,IAAI,YAAuC,CAAC;AAE5C,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;YACxB,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAC5D,CAAC;YACF,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,sBAAsB,CAAC,CACxE,CAAC;YACF,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CACpE,CAAC;YACF,MAAM,oBAAoB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACvC,MAAM,mBAAmB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACtC,MAAM,MAAM,CAAC,OAAO,CAClB,EAAE,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,4BAA4B,CACpE,CAAC;YACF,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CACZ,EAAE,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,wBAAwB,CAC5D,CACF,CAAC;YACF,MAAM,cAAc,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAClE,MAAM,cAAc,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAChE,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAC/C,CAAC;YACF,kEAAkE;YAClE,iEAAiE;YACjE,iEAAiE;YACjE,iEAAiE;YACjE,8DAA8D;YAC9D,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CACZ,EAAE,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,wBAAwB,CAC5D,CACF,CAAC;YACF,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAC/C,CAAC;QACJ,CAAC,CAAC,EAAE,CAAC;IACP,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,MAAoC,EACpC,EAAW;IAEX,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,MAAM,CAAC,OAAO,CAClB,6DAA6D,CAC9D,CAAC;QACF,OAAO;IACT,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;IACxE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IACE,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC;aACzB,WAAW,EAAE;aACb,QAAQ,CAAC,WAAW,CAAC,EACxB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,MAAoC,EACpC,EAAW;IAEX,MAAM,MAAM,GAAG,CAAC,IAAY,EAAE,GAAW,EAAE,EAAE;QAC3C,IAAI,EAAE,EAAE,CAAC;YACP,OAAO,MAAM,CAAC,OAAO,CACnB,kDAAkD,IAAI,IAAI,GAAG,EAAE,CAChE,CAAC;QACJ,CAAC;QACD,OAAO,MAAM;aACV,OAAO,CAAC,oCAAoC,IAAI,IAAI,GAAG,EAAE,CAAC;aAC1D,KAAK,CAAC,CAAC,GAAQ,EAAE,EAAE;YAClB,IACE,CAAC,MAAM,CAAC,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC;iBACzB,WAAW,EAAE;iBACb,QAAQ,CAAC,WAAW,CAAC;gBAExB,MAAM,GAAG,CAAC;QACd,CAAC,CAAC,CAAC;IACP,CAAC,CAAC;IACF,MAAM,MAAM,CAAC,OAAO,EAAE,8BAA8B,CAAC,CAAC;IACtD,MAAM,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/B,MAAM,MAAM,CAAC,WAAW,EAAE,yCAAyC,CAAC,CAAC;IACrE,uEAAuE;IACvE,gEAAgE;IAChE,MAAM,MAAM,CAAC,OAAO;IAClB,oIAAoI;IACpI,uHAAuH,CACxH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,yBAAyB,CAAC;QACxB,IAAI,EAAE,MAAM;QACZ,aAAa,EAAE,KAAK;QACpB,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,MAAM;QACnB,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE;KACrB,CAAC,CAAC;AACL,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,EAAE;SACN,MAAM,EAAE;SACR,IAAI,CAAC,KAAK,CAAC;SACX,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC,CAAuB,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAU;IACtC,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/C,OAAQ,MAAM,EAAE,QAAgC,IAAI,IAAI,CAAC;AAC3D,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAoB;IACnD,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,GAAG,GAAY;QACnB,EAAE;QACF,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;QACnC,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;QAC3B,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI;QACvB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,UAAU,EAAE,SAAS;QACrB,KAAK,EAAE,KAAK,IAAI,IAAI;QACpB,wEAAwE;QACxE,mEAAmE;QACnE,mEAAmE;QACnE,iEAAiE;QACjE,kEAAkE;QAClE,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACtC,CAAC;IACF,MAAM,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,GAAG,CAAC;AACb,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,EAAU,EACV,IAAoB;IAEpB,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,YAAY,CAAC,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,OAAO,GAA4B;QACvC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACtD,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;QAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IAC3E,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACtD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS;QAAE,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACxE,MAAM,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACnE,OAAQ,IAAI,CAAC,CAAC,CAAa,IAAI,IAAI,CAAC;AACtC,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAU,EACV,IAA2B;IAE3B,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,YAAY,CAAC,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IAEnB,IAAI,UAAkB,CAAC;IACvB,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC;IAC5B,CAAC;SAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QACnE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1B,UAAU,GAAI,IAAI,CAAC,CAAC,CAAa,CAAC,OAAO,CAAC;QAC1C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE;SACL,MAAM,CAAC,KAAK,CAAC;SACb,GAAG,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;SACjE,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACnE,OAAQ,IAAI,CAAC,CAAC,CAAa,IAAI,IAAI,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,EAAU;IACzC,MAAM,iBAAiB,EAAE,CAAC;IAC1B,MAAM,YAAY,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACxB,GAAG,EAAE,yCAAyC;QAC9C,IAAI,EAAE,CAAC,EAAE,CAAC;KACX,CAAC,CAAC;IACH,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACpE,MAAM,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/C,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { eq } from \"drizzle-orm\";\nimport { getDbExec, isPostgres, retryOnDdlRace } from \"../db/client.js\";\nimport { createGetDb } from \"../db/create-get-db.js\";\nimport {\n  accessFilter,\n  assertAccess,\n  resolveAccess,\n} from \"../sharing/access.js\";\nimport {\n  getRequestUserEmail,\n  getRequestOrgId,\n} from \"../server/request-context.js\";\nimport { registerShareableResource } from \"../sharing/registry.js\";\nimport {\n  tools,\n  toolShares,\n  TOOLS_CREATE_SQL,\n  TOOLS_CREATE_SQL_PG,\n  TOOL_SHARES_CREATE_SQL,\n  TOOL_SHARES_CREATE_SQL_PG,\n  TOOL_DATA_CREATE_SQL,\n  TOOL_DATA_CREATE_SQL_PG,\n  TOOL_DATA_ITEM_INDEX_SQL,\n  TOOL_DATA_ITEM_INDEX_SQL_PG,\n  TOOL_DATA_DROP_OLD_INDEX_SQL,\n  TOOL_DATA_DROP_OLD_INDEX_SQL_PG,\n  TOOLS_OWNER_INDEX_SQL,\n  TOOLS_ORG_INDEX_SQL,\n  TOOL_SHARES_RESOURCE_INDEX_SQL,\n  TOOL_CONSENTS_CREATE_SQL,\n  TOOL_CONSENTS_CREATE_SQL_PG,\n  TOOL_CONSENTS_VIEWER_INDEX_SQL,\n} from \"./schema.js\";\n\nconst getDb = createGetDb({ tools, toolShares });\n\nlet _initPromise: Promise<void> | undefined;\n\nexport async function ensureToolsTables(): Promise<void> {\n  if (!_initPromise) {\n    _initPromise = (async () => {\n      const client = getDbExec();\n      const pg = isPostgres();\n      await retryOnDdlRace(() =>\n        client.execute(pg ? TOOLS_CREATE_SQL_PG : TOOLS_CREATE_SQL),\n      );\n      await retryOnDdlRace(() =>\n        client.execute(pg ? TOOL_SHARES_CREATE_SQL_PG : TOOL_SHARES_CREATE_SQL),\n      );\n      await retryOnDdlRace(() =>\n        client.execute(pg ? TOOL_DATA_CREATE_SQL_PG : TOOL_DATA_CREATE_SQL),\n      );\n      await ensureToolDataItemId(client, pg);\n      await ensureToolDataScope(client, pg);\n      await client.execute(\n        pg ? TOOL_DATA_DROP_OLD_INDEX_SQL_PG : TOOL_DATA_DROP_OLD_INDEX_SQL,\n      );\n      await retryOnDdlRace(() =>\n        client.execute(\n          pg ? TOOL_DATA_ITEM_INDEX_SQL_PG : TOOL_DATA_ITEM_INDEX_SQL,\n        ),\n      );\n      await retryOnDdlRace(() => client.execute(TOOLS_OWNER_INDEX_SQL));\n      await retryOnDdlRace(() => client.execute(TOOLS_ORG_INDEX_SQL));\n      await retryOnDdlRace(() =>\n        client.execute(TOOL_SHARES_RESOURCE_INDEX_SQL),\n      );\n      // tool_consents was introduced for an audit-C1 per-viewer consent\n      // gate that we removed once we settled on intra-org trust as the\n      // baseline. The table is kept (additive — never drop) so deploys\n      // that already created it stay healthy; the runtime consent code\n      // is gone. Idempotent CREATE IF NOT EXISTS for fresh schemas.\n      await retryOnDdlRace(() =>\n        client.execute(\n          pg ? TOOL_CONSENTS_CREATE_SQL_PG : TOOL_CONSENTS_CREATE_SQL,\n        ),\n      );\n      await retryOnDdlRace(() =>\n        client.execute(TOOL_CONSENTS_VIEWER_INDEX_SQL),\n      );\n    })();\n  }\n  return _initPromise;\n}\n\nasync function ensureToolDataItemId(\n  client: ReturnType<typeof getDbExec>,\n  pg: boolean,\n): Promise<void> {\n  if (pg) {\n    await client.execute(\n      `ALTER TABLE tool_data ADD COLUMN IF NOT EXISTS item_id TEXT`,\n    );\n    return;\n  }\n\n  // Keep this additive: legacy rows with item_id=id are still read correctly\n  // through COALESCE(item_id, id), so SQLite never needs a table rebuild here.\n  try {\n    await client.execute(`ALTER TABLE tool_data ADD COLUMN item_id TEXT`);\n  } catch (err: any) {\n    if (\n      !String(err?.message ?? err)\n        .toLowerCase()\n        .includes(\"duplicate\")\n    ) {\n      throw err;\n    }\n  }\n}\n\nasync function ensureToolDataScope(\n  client: ReturnType<typeof getDbExec>,\n  pg: boolean,\n): Promise<void> {\n  const addCol = (name: string, def: string) => {\n    if (pg) {\n      return client.execute(\n        `ALTER TABLE tool_data ADD COLUMN IF NOT EXISTS ${name} ${def}`,\n      );\n    }\n    return client\n      .execute(`ALTER TABLE tool_data ADD COLUMN ${name} ${def}`)\n      .catch((err: any) => {\n        if (\n          !String(err?.message ?? err)\n            .toLowerCase()\n            .includes(\"duplicate\")\n        )\n          throw err;\n      });\n  };\n  await addCol(\"scope\", \"TEXT NOT NULL DEFAULT 'user'\");\n  await addCol(\"org_id\", \"TEXT\");\n  await addCol(\"scope_key\", \"TEXT NOT NULL DEFAULT 'local@localhost'\");\n  // One-time backfill migration: replaces the dev-mode DEFAULT scope_key\n  // with each row's real owner_email. Not a per-request fallback.\n  await client.execute(\n    // guard:allow-localhost-fallback — one-time backfill migration replacing dev-mode default scope_key with the row's real owner_email\n    `UPDATE tool_data SET scope_key = owner_email WHERE scope_key = 'local@localhost' AND owner_email != 'local@localhost'`,\n  );\n}\n\nexport function registerToolsShareable() {\n  registerShareableResource({\n    type: \"tool\",\n    resourceTable: tools,\n    sharesTable: toolShares,\n    displayName: \"Tool\",\n    titleColumn: \"name\",\n    getDb: () => getDb(),\n  });\n}\n\nexport interface ToolRow {\n  id: string;\n  name: string;\n  description: string;\n  content: string;\n  icon: string | null;\n  createdAt: string;\n  updatedAt: string;\n  ownerEmail: string;\n  orgId: string | null;\n  visibility: \"private\" | \"org\" | \"public\";\n}\n\nexport async function listTools(): Promise<ToolRow[]> {\n  await ensureToolsTables();\n  const db = getDb();\n  return db\n    .select()\n    .from(tools)\n    .where(accessFilter(tools, toolShares)) as Promise<ToolRow[]>;\n}\n\nexport async function getTool(id: string): Promise<ToolRow | null> {\n  await ensureToolsTables();\n  const access = await resolveAccess(\"tool\", id);\n  return (access?.resource as ToolRow | undefined) ?? null;\n}\n\nexport interface CreateToolData {\n  name: string;\n  description?: string;\n  content?: string;\n  icon?: string;\n}\n\nexport async function createTool(data: CreateToolData): Promise<ToolRow> {\n  await ensureToolsTables();\n  const db = getDb();\n  const userEmail = getRequestUserEmail();\n  if (!userEmail) throw new Error(\"no authenticated user\");\n  const orgId = getRequestOrgId();\n  const id = randomUUID();\n  const now = new Date().toISOString();\n  const row: ToolRow = {\n    id,\n    name: data.name,\n    description: data.description ?? \"\",\n    content: data.content ?? \"\",\n    icon: data.icon ?? null,\n    createdAt: now,\n    updatedAt: now,\n    ownerEmail: userEmail,\n    orgId: orgId ?? null,\n    // Default to org-visibility when the user has an active organization so\n    // teammates see the tool in their sidebar — matching how analytics\n    // dashboards/analyses are scoped (`templates/analytics/server/lib/\n    // dashboards-store.ts:356`). Solo users (no org) get the private\n    // default. Owners can still flip back to private via update-tool.\n    visibility: orgId ? \"org\" : \"private\",\n  };\n  await db.insert(tools).values(row);\n  return row;\n}\n\nexport interface UpdateToolData {\n  name?: string;\n  description?: string;\n  icon?: string;\n  visibility?: \"private\" | \"org\" | \"public\";\n}\n\nexport async function updateTool(\n  id: string,\n  data: UpdateToolData,\n): Promise<ToolRow | null> {\n  await ensureToolsTables();\n  await assertAccess(\"tool\", id, \"editor\");\n  const db = getDb();\n  const updates: Record<string, unknown> = {\n    updatedAt: new Date().toISOString(),\n  };\n  if (data.name !== undefined) updates.name = data.name;\n  if (data.description !== undefined) updates.description = data.description;\n  if (data.icon !== undefined) updates.icon = data.icon;\n  if (data.visibility !== undefined) updates.visibility = data.visibility;\n  await db.update(tools).set(updates).where(eq(tools.id, id));\n  const rows = await db.select().from(tools).where(eq(tools.id, id));\n  return (rows[0] as ToolRow) ?? null;\n}\n\nexport interface UpdateToolContentOpts {\n  content?: string;\n  patches?: Array<{ find: string; replace: string }>;\n}\n\nexport async function updateToolContent(\n  id: string,\n  opts: UpdateToolContentOpts,\n): Promise<ToolRow | null> {\n  await ensureToolsTables();\n  await assertAccess(\"tool\", id, \"editor\");\n  const db = getDb();\n\n  let newContent: string;\n  if (opts.content !== undefined) {\n    newContent = opts.content;\n  } else if (opts.patches) {\n    const rows = await db.select().from(tools).where(eq(tools.id, id));\n    if (!rows[0]) return null;\n    newContent = (rows[0] as ToolRow).content;\n    for (const patch of opts.patches) {\n      newContent = newContent.replace(patch.find, patch.replace);\n    }\n  } else {\n    return null;\n  }\n\n  await db\n    .update(tools)\n    .set({ content: newContent, updatedAt: new Date().toISOString() })\n    .where(eq(tools.id, id));\n  const rows = await db.select().from(tools).where(eq(tools.id, id));\n  return (rows[0] as ToolRow) ?? null;\n}\n\nexport async function deleteTool(id: string): Promise<boolean> {\n  await ensureToolsTables();\n  await assertAccess(\"tool\", id, \"admin\");\n  const db = getDb();\n  const rows = await db.select().from(tools).where(eq(tools.id, id));\n  if (!rows[0]) return false;\n  await db.delete(toolShares).where(eq(toolShares.resourceId, id));\n  await getDbExec().execute({\n    sql: `DELETE FROM tool_data WHERE tool_id = ?`,\n    args: [id],\n  });\n  const { cascadeDeleteToolSlots } = await import(\"./slots/store.js\");\n  await cascadeDeleteToolSlots(id);\n  await db.delete(tools).where(eq(tools.id, id));\n  return true;\n}\n"]}

package/dist/tools/theme.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"theme.d.ts","sourceRoot":"","sources":["../../src/tools/theme.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,CAkErD"}

package/dist/tools/theme.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"theme.js","sourceRoot":"","sources":["../../src/tools/theme.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,YAAY,CAAC,MAAgB;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8BT,CAAC;IACD,CAAC;IAED,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8BP,CAAC;AACH,CAAC","sourcesContent":["export function getThemeVars(isDark?: boolean): string {\n  if (isDark) {\n    return `\n:root {\n  --background: 240 10% 3.9%;\n  --foreground: 0 0% 98%;\n  --card: 240 10% 3.9%;\n  --card-foreground: 0 0% 98%;\n  --popover: 240 10% 3.9%;\n  --popover-foreground: 0 0% 98%;\n  --primary: 0 0% 98%;\n  --primary-foreground: 240 5.9% 10%;\n  --secondary: 240 3.7% 15.9%;\n  --secondary-foreground: 0 0% 98%;\n  --muted: 240 3.7% 15.9%;\n  --muted-foreground: 240 5% 64.9%;\n  --accent: 240 3.7% 15.9%;\n  --accent-foreground: 0 0% 98%;\n  --destructive: 0 62.8% 30.6%;\n  --destructive-foreground: 0 0% 98%;\n  --border: 240 3.7% 15.9%;\n  --input: 240 3.7% 15.9%;\n  --ring: 240 4.9% 83.9%;\n  --radius: 0.5rem;\n  --sidebar-background: 240 5.9% 10%;\n  --sidebar-foreground: 240 4.8% 95.9%;\n  --sidebar-primary: 224.3 76.3% 48%;\n  --sidebar-primary-foreground: 0 0% 100%;\n  --sidebar-accent: 240 3.7% 15.9%;\n  --sidebar-accent-foreground: 240 4.8% 95.9%;\n  --sidebar-border: 240 3.7% 15.9%;\n  --sidebar-ring: 240 4.9% 83.9%;\n}`;\n  }\n\n  return `\n:root {\n  --background: 0 0% 100%;\n  --foreground: 240 10% 3.9%;\n  --card: 0 0% 100%;\n  --card-foreground: 240 10% 3.9%;\n  --popover: 0 0% 100%;\n  --popover-foreground: 240 10% 3.9%;\n  --primary: 240 5.9% 10%;\n  --primary-foreground: 0 0% 98%;\n  --secondary: 240 4.8% 95.9%;\n  --secondary-foreground: 240 5.9% 10%;\n  --muted: 240 4.8% 95.9%;\n  --muted-foreground: 240 3.8% 46.1%;\n  --accent: 240 4.8% 95.9%;\n  --accent-foreground: 240 5.9% 10%;\n  --destructive: 0 84.2% 60.2%;\n  --destructive-foreground: 0 0% 98%;\n  --border: 240 5.9% 90%;\n  --input: 240 5.9% 90%;\n  --ring: 240 5.9% 10%;\n  --radius: 0.5rem;\n  --sidebar-background: 0 0% 98%;\n  --sidebar-foreground: 240 5.3% 26.1%;\n  --sidebar-primary: 240 5.9% 10%;\n  --sidebar-primary-foreground: 0 0% 98%;\n  --sidebar-accent: 240 4.8% 95.9%;\n  --sidebar-accent-foreground: 240 5.9% 10%;\n  --sidebar-border: 220 13% 91%;\n  --sidebar-ring: 240 5.9% 10%;\n}`;\n}\n"]}

package/dist/tools/url-safety.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"url-safety.d.ts","sourceRoot":"","sources":["../../src/tools/url-safety.ts"],"names":[],"mappings":"AA4FA,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAoBrD;AASD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAoB3E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CA+DxE"}

package/dist/tools/url-safety.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"url-safety.js","sourceRoot":"","sources":["../../src/tools/url-safety.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG;IACrB,0BAA0B;IAC1B,2BAA2B;CAC5B,CAAC;AAEF,MAAM,mBAAmB,GAAG;IAC1B,SAAS;IACT,WAAW;IACX,SAAS;IACT,eAAe;IACf,SAAS;CACV,CAAC;AAEF,SAAS,aAAa,CAAC,CAAS,EAAE,CAAS,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC;IACvD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzE,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;IACvE,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3C,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,MAAM;QAAE,OAAO,KAAK,CAAC;IACvE,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC7B,MAAM,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;IACtB,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC5B,MAAM,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC;IACrB,OAAO,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC5D,IACE,IAAI,KAAK,WAAW;QACpB,IAAI,KAAK,KAAK;QACd,IAAI,KAAK,KAAK;QACd,IAAI,KAAK,IAAI,EACb,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,iCAAiC;IACjC,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,0EAA0E;IAC1E,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9D,IAAI,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IACD,IAAI,sBAAsB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9C,wEAAwE;IACxE,6CAA6C;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IAED,wBAAwB;IACxB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QACzB,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC;YAC7B,MAAM,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC;YACrB,IAAI,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAI,aAAa,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACrC,IACE,mBAAmB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YAClC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7B,OAAO,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC,CAAC,EACF,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC5D,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,GAAW;IACvD,IAAI,gBAAgB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvC,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,QAAQ,IAAI,eAAe,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,sEAAsE;QACtE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,yEAAyE;IACzE,wEAAwE;IACxE,yEAAyE;IACzE,IAAI,MAAW,CAAC;IAChB,IAAI,SAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,MAAM,CAAC,QAAkB,CAAC,CAAC;QAC1C,SAAS,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;IAC7B,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEnC,OAAO,IAAI,KAAK,CAAC;QACf,OAAO,EAAE;YACP,oEAAoE;YACpE,oEAAoE;YACpE,gCAAgC;YAChC,MAAM,EAAE,CACN,QAAgB,EAChB,OAAY,EACZ,QAIS,EACT,EAAE;gBACF,MAAM,CACJ,QAAQ,EACR,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,EAC7B,CAAC,GAAiC,EAAE,SAAc,EAAE,EAAE;oBACpD,IAAI,GAAG;wBAAE,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;oBAC9B,MAAM,IAAI,GAA0C,KAAK,CAAC,OAAO,CAC/D,SAAS,CACV;wBACC,CAAC,CAAC,SAAS;wBACX,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;oBACxC,KAAK,MAAM,MAAM,IAAI,IAAI,EAAE,CAAC;wBAC1B,IAAI,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;4BAClC,MAAM,CAAC,GAAG,IAAI,KAAK,CACjB,oBAAoB,QAAQ,gCAAgC,MAAM,CAAC,OAAO,EAAE,CACpD,CAAC;4BAC3B,CAAC,CAAC,IAAI,GAAG,aAAa,CAAC;4BACvB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;wBACrB,CAAC;oBACH,CAAC;oBACD,gEAAgE;oBAChE,4DAA4D;oBAC5D,iBAAiB;oBACjB,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;wBAC3B,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAW,CAAC,CAAC;oBACrC,CAAC;oBACD,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBACtB,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;gBACrD,CAAC,CACF,CAAC;YACJ,CAAC;SACF;KACF,CAAC,CAAC;AACL,CAAC","sourcesContent":["const METADATA_HOSTS = [\n  \"metadata.google.internal\",\n  \"metadata.google.internal.\",\n];\n\nconst DNS_REBIND_SUFFIXES = [\n  \".nip.io\",\n  \".sslip.io\",\n  \".xip.io\",\n  \".localtest.me\",\n  \".lvh.me\",\n];\n\nfunction isPrivateIpv4(a: number, b: number, c = 0, d = 0): boolean {\n  if (![a, b, c, d].every((part) => part >= 0 && part <= 255)) return true;\n  if (a === 127) return true;\n  if (a === 10) return true;\n  if (a === 172 && b >= 16 && b <= 31) return true;\n  if (a === 192 && b === 168) return true;\n  if (a === 169 && b === 254) return true;\n  if (a === 0) return true;\n  if (a === 100 && b >= 64 && b <= 127) return true;\n  if (a === 192 && b === 0) return true;\n  if (a === 198 && (b === 18 || b === 19)) return true;\n  if (a === 192 && b === 0 && c === 2) return true;\n  if (a === 198 && b === 51 && c === 100) return true;\n  if (a === 203 && b === 0 && c === 113) return true;\n  if (a >= 224) return true;\n  return false;\n}\n\nfunction isPrivateIpv4MappedHex(host: string): boolean {\n  const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);\n  if (!mapped) return false;\n  const high = Number.parseInt(mapped[1], 16);\n  const low = Number.parseInt(mapped[2], 16);\n  if (high < 0 || high > 0xffff || low < 0 || low > 0xffff) return false;\n  const a = (high >> 8) & 0xff;\n  const b = high & 0xff;\n  const c = (low >> 8) & 0xff;\n  const d = low & 0xff;\n  return isPrivateIpv4(a, b, c, d);\n}\n\nfunction isPrivateHost(hostname: string): boolean {\n  const host = hostname.toLowerCase().replace(/^\\[|\\]$/g, \"\");\n  if (\n    host === \"localhost\" ||\n    host === \"::1\" ||\n    host === \"::0\" ||\n    host === \"::\"\n  ) {\n    return true;\n  }\n  if (METADATA_HOSTS.includes(host)) return true;\n\n  // IPv6 ULA/link-local/multicast.\n  if (/^f[cd]/.test(host) || /^fe[89ab]/.test(host)) return true;\n  if (/^ff/i.test(host)) return true;\n\n  // IPv4-mapped IPv6. URL parsing may preserve dotted form in some runtimes\n  // or normalize it to hex, e.g. [::ffff:127.0.0.1] -> ::ffff:7f00:1.\n  const v4mappedDotted = host.match(/^::ffff:(\\d+\\.\\d+\\.\\d+\\.\\d+)$/);\n  if (v4mappedDotted) {\n    const [a, b, c, d] = v4mappedDotted[1].split(\".\").map(Number);\n    if (isPrivateIpv4(a, b, c, d)) return true;\n  }\n  if (isPrivateIpv4MappedHex(host)) return true;\n\n  // Dotted IPv4. URL parsing normalizes shorthand/octal/hex IPv4 forms to\n  // dotted decimal before we reach this point.\n  const parts = host.split(\".\");\n  if (parts.length === 4 && parts.every((p) => /^\\d+$/.test(p))) {\n    const [a, b, c, d] = parts.map(Number);\n    if (isPrivateIpv4(a, b, c, d)) return true;\n  }\n\n  // Decimal integer IPv4.\n  if (/^\\d+$/.test(host)) {\n    const num = Number(host);\n    if (num >= 0 && num <= 0xffffffff) {\n      const a = (num >>> 24) & 0xff;\n      const b = (num >>> 16) & 0xff;\n      const c = (num >>> 8) & 0xff;\n      const d = num & 0xff;\n      if (isPrivateIpv4(a, b, c, d)) return true;\n    }\n  }\n\n  return false;\n}\n\nexport function isBlockedToolUrl(url: string): boolean {\n  try {\n    const parsed = new URL(url);\n    if (parsed.protocol !== \"http:\" && parsed.protocol !== \"https:\") {\n      return true;\n    }\n    const host = parsed.hostname.toLowerCase();\n    if (isPrivateHost(host)) return true;\n    if (\n      DNS_REBIND_SUFFIXES.some((suffix) => {\n        const bare = suffix.slice(1);\n        return host === bare || host.endsWith(suffix);\n      })\n    ) {\n      return true;\n    }\n  } catch {\n    return true;\n  }\n  return false;\n}\n\nfunction isIpLiteralHost(hostname: string): boolean {\n  const host = hostname.toLowerCase().replace(/^\\[|\\]$/g, \"\");\n  if (host.includes(\":\")) return true;\n  const parts = host.split(\".\");\n  return parts.length === 4 && parts.every((p) => /^\\d+$/.test(p));\n}\n\n/**\n * Async SSRF guard for environments that can resolve DNS. The synchronous\n * guard catches literals and known rebinding domains; this closes the common\n * \"public hostname resolves to a private address\" gap before dispatch.\n */\nexport async function isBlockedToolUrlWithDns(url: string): Promise<boolean> {\n  if (isBlockedToolUrl(url)) return true;\n\n  let hostname: string;\n  try {\n    hostname = new URL(url).hostname.toLowerCase();\n  } catch {\n    return true;\n  }\n  if (!hostname || isIpLiteralHost(hostname)) return false;\n\n  try {\n    const { lookup } = await import(\"node:dns/promises\");\n    const records = await lookup(hostname, { all: true, verbatim: true });\n    return records.some((record) => isPrivateHost(record.address));\n  } catch {\n    // Some edge runtimes do not expose DNS lookup. Keep the deterministic\n    // parser-based protections instead of failing every outbound request.\n    return false;\n  }\n}\n\n/**\n * Build an undici Dispatcher whose connect-time DNS lookup runs through a\n * private-IP guard. This closes the TOCTOU gap where:\n *   1. We resolve hostname → public IP and pass.\n *   2. Between that lookup and the actual connect, DNS rebinding flips the\n *      record to a private IP.\n *   3. fetch() resolves again and connects to the private IP.\n *\n * With a custom dispatcher, the same lookup that produces the IP also gates\n * the connect: if the IP is in the private set, the connect throws.\n *\n * Returns `null` if undici / node:dns are not available (e.g. some edge\n * runtimes); the caller should fall back to the regular `fetch` path —\n * `isBlockedToolUrlWithDns` will still have caught most rebinding cases.\n */\nexport async function createSsrfSafeDispatcher(): Promise<unknown | null> {\n  // Dynamic import + `any`: undici is not a direct dependency, so the type\n  // declarations may not resolve. The runtime path is still safe — if the\n  // import throws we return null and the caller falls back to plain fetch.\n  let undici: any;\n  let dnsModule: any;\n  try {\n    undici = await import(\"undici\" as string);\n    dnsModule = await import(\"node:dns\");\n  } catch {\n    return null;\n  }\n\n  const { Agent } = undici;\n  const { lookup } = dnsModule;\n  if (!Agent || !lookup) return null;\n\n  return new Agent({\n    connect: {\n      // Override DNS lookup at connect time so the IP we hand to undici's\n      // socket is the one we authorized. Reject any record in the private\n      // set BEFORE the TCP handshake.\n      lookup: (\n        hostname: string,\n        options: any,\n        callback: (\n          err: NodeJS.ErrnoException | null,\n          address?: string | { address: string; family: number }[],\n          family?: number,\n        ) => void,\n      ) => {\n        lookup(\n          hostname,\n          { all: true, verbatim: true },\n          (err: NodeJS.ErrnoException | null, addresses: any) => {\n            if (err) return callback(err);\n            const list: { address: string; family: number }[] = Array.isArray(\n              addresses,\n            )\n              ? addresses\n              : [{ address: addresses, family: 4 }];\n            for (const record of list) {\n              if (isPrivateHost(record.address)) {\n                const e = new Error(\n                  `Connect blocked: ${hostname} resolved to private address ${record.address}`,\n                ) as NodeJS.ErrnoException;\n                e.code = \"EAI_BLOCKED\";\n                return callback(e);\n              }\n            }\n            // Mirror Node's lookup behavior: when `all` is true, return the\n            // array; otherwise the first entry. undici's connect honors\n            // `options.all`.\n            if (options && options.all) {\n              return callback(null, list as any);\n            }\n            const first = list[0];\n            return callback(null, first.address, first.family);\n          },\n        );\n      },\n    },\n  });\n}\n"]}

package/docs/content/tools.md

@@ -1,205 +0,0 @@
----
-title: "Tools"
-description: "Lightweight interactive apps — dashboards, widgets, calculators, monitors — that the agent creates for you instantly, without changing your app's code."
----
-
-# Tools
-
-Tools are lightweight interactive apps that live inside your agent-native app. Think dashboards, widgets, calculators, API monitors, data lookups — anything you'd otherwise build by hand.
-
-The key difference from the rest of your app: **tools don't require code changes.** The agent creates and updates them at runtime, they're stored in the database, and they're ready to use immediately. No deploys, no builds, no pull requests.
-
-## Tools vs. editing the app {#tools-vs-code}
-
-Your agent-native app has a full codebase — React components, routes, actions, styles. When the agent edits that code, it's changing the app itself. That's powerful, but it requires a build step and a deploy.
-
-Tools are different:
-
-|                       | App code                                | Tools                                              |
-| --------------------- | --------------------------------------- | -------------------------------------------------- |
-| **Created by**        | Developer or agent editing source files | Agent or user, instantly from chat                 |
-| **Stored in**         | Git repository                          | Database                                           |
-| **Requires a build**  | Yes                                     | No                                                 |
-| **Requires a deploy** | Yes                                     | No                                                 |
-| **Scope**             | Part of the app for all users           | Private by default, shareable                      |
-| **Best for**          | Core app features                       | Personal dashboards, utilities, quick integrations |
-
-Use app code for features that are core to the product. Use tools for everything else — one-off utilities, personal dashboards, quick integrations, monitors, and things you want to spin up in seconds.
-
-## When to build a tool vs. a template feature {#when-to-build}
-
-A quick decision rubric:
-
-**Build a tool when:**
-
-- It's for one user or one team, not the whole product.
-- It's a quick utility, dashboard, or widget you want now, not next sprint.
-- No new database schema is needed (or per-tool key-value storage is enough).
-- You want to ship it inside a single chat turn, no deploy.
-
-**Add a template feature when:**
-
-- Every user of the template should get it.
-- It needs new SQL tables, migrations, or shared schema changes.
-- The UI is complex enough to warrant React components, routes, and proper testing.
-- It's part of the product surface — something you'd advertise on a landing page.
-
-When in doubt, start as a tool. Promoting a tool to a template feature later is straightforward; rolling back a half-shipped product feature is not.
-
-## Creating a tool {#creating}
-
-### From the sidebar
-
-Click the **+** button in the Tools section of the sidebar. Describe what you want in plain language — "a dashboard that shows my open GitHub PRs" — and the agent builds it for you.
-
-### From chat
-
-Just ask: "Create a tool that monitors our API health" or "Make me a calculator for shipping costs." The agent handles the rest.
-
-### Updating a tool
-
-Ask the agent: "Update my PR dashboard to also show draft PRs" or "Add a dark mode toggle to the weather widget." The agent makes surgical edits without regenerating the whole thing.
-
-## What tools can do {#capabilities}
-
-Tools are fully capable despite being lightweight. They can:
-
-- **Call external APIs** — GitHub, Stripe, weather services, any REST API. Requests go through a secure server-side proxy that keeps your API keys safe.
-- **Call your app's actions** — anything your agent can do, a tool can trigger.
-- **Query your app's database** — read and write data directly.
-- **Store their own data** — each tool has built-in persistent storage, no setup required. Save notes, preferences, cached results — whatever the tool needs.
-- **Call any endpoint in your app** — hit custom API routes, webhooks, or internal services.
-
-All of this works out of the box. No configuration, no new files, no schema changes.
-
-## Layout defaults {#layout}
-
-Tools render with modest canvas padding by default so simple widgets and dashboards do not hug the iframe edge. For full-bleed experiences such as maps, canvases, or custom editors, set `data-tool-layout="full-bleed"` or `data-tool-padding="none"` on the outermost element.
-
-## Persistent storage {#persistent-storage}
-
-Every tool has access to a built-in key-value store via the `toolData` helper. Data is automatically scoped per tool and per user — your data stays yours.
-
-When you ask the agent to "add persistence" or "remember state" in a tool, it uses this built-in storage. No database tables to create, no migrations to run.
-
-### Scopes
-
-All `toolData` methods accept an optional `{ scope }` option:
-
-- `'user'` (default) — private to the current user.
-- `'org'` — shared across the user's organization.
-- `'all'` — list/get only; returns both user-scoped and org-scoped items.
-
-```html
-<script>
-  // Private to me
-  await toolData.set('notes', 'note-1', { title: 'My Note' });
-
-  // Shared with my org
-  await toolData.set('notes', 'team-note', { title: 'Team Note' }, { scope: 'org' });
-
-  // List my notes (default)
-  const mine = await toolData.list('notes');
-
-  // List both mine and the org's
-  const everything = await toolData.list('notes', { scope: 'all' });
-</script>
-```
-
-## API keys and secrets {#secrets}
-
-When a tool needs an API key (for GitHub, OpenAI, a weather service, etc.), the agent will tell you what's needed and where to get it. You add the key through the Settings UI in the agent sidebar.
-
-Keys are encrypted and stored securely. Each key is restricted to specific domains — a GitHub token can only be sent to `api.github.com`, never anywhere else.
-
-### Secrets in tools {#secrets-in-tools}
-
-Tools reference secrets in `toolFetch()` calls using the `${keys.NAME}` template pattern. The proxy substitutes the encrypted value server-side; the actual key never reaches the browser.
-
-```html
-<script>
-  const res = await toolFetch('https://api.github.com/user', {
-    headers: {
-      Authorization: 'Bearer ${keys.GITHUB_TOKEN}',
-    },
-  });
-</script>
-```
-
-When a tool needs a one-off key, the agent can register an ad-hoc secret via `POST /_agent-native/secrets/adhoc` with a `urlAllowlist` that pins which domains the secret may be sent to. A request to any other host is rejected before the proxy fires. Combined with SSRF and private-network protections, this means a leaked tool can't exfiltrate secrets to an attacker-controlled URL.
-
-## Sharing {#sharing}
-
-Tools are **private by default** — only you can see and use a tool you create.
-
-You can share tools with your team:
-
-- **Org-visible** — everyone in your organization can use it.
-- **Per-user sharing** — grant access to specific people as viewers, editors, or admins.
-
-Shared tools have their own URLs, so you can link to them directly.
-
-Under the hood, tools use the same ownable-resource model as the rest of the framework — `ownableColumns()` on the `tools` table and a standard `createSharesTable()` for grants. That means tools plug into the same share dialog, access checks, and audit surfaces as documents, decks, dashboards, and any other shareable resource. See [Security](/docs/security) for the full access model.
-
-## Security {#security}
-
-Tools run in a secure sandbox:
-
-- **Isolated** — tools can't access your app's cookies, session, or page content.
-- **API keys stay server-side** — secrets are injected by the server, never exposed to the browser.
-- **Domain-restricted secrets** — each API key can only be sent to its approved domains.
-- **Private network protection** — tools can't reach internal/private network addresses.
-- **Authentication required** — only logged-in users can use tools.
-
-## Tool API reference {#api-reference}
-
-Every tool runs inside a sandboxed iframe with the following helpers injected on `window`. They are the complete surface area — anything else a tool needs has to go through one of these.
-
-| Helper                                      | Purpose                | Example                                       |
-| ------------------------------------------- | ---------------------- | --------------------------------------------- |
-| `toolData.set(collection, id, data, opts?)` | Persist data per-tool  | `toolData.set('notes', id, { text: '...' })`  |
-| `toolData.list(collection, opts?)`          | List persisted items   | `toolData.list('notes', { scope: 'all' })`    |
-| `toolData.get(collection, id, opts?)`       | Get a single item      | `toolData.get('notes', 'note-1')`             |
-| `toolData.remove(collection, id, opts?)`    | Delete persisted item  | `toolData.remove('notes', 'note-1')`          |
-| `appAction(name, params)`                   | Call any app action    | `appAction('list-emails', { view: 'inbox' })` |
-| `dbQuery(sql, args)`                        | Read from SQL          | `dbQuery('SELECT * FROM tools')`              |
-| `dbExec(sql, args)`                         | Write to SQL           | `dbExec('INSERT INTO ...')`                   |
-| `appFetch(path, options)`                   | Call any app endpoint  | `appFetch('/api/settings')`                   |
-| `toolFetch(url, options)`                   | External API via proxy | `toolFetch('https://api.github.com/...')`     |
-
-`appAction` is the preferred way to trigger app behavior — it routes through the same actions the agent and the frontend use, so authorization and access scoping happen automatically. Drop down to `dbQuery`/`dbExec` only when there's no action that fits.
-
-### Routes {#routes}
-
-The framework mounts the following endpoints under `/_agent-native/tools/`. Tools themselves rarely call these directly — they're useful when integrating tools with external scripts or custom UI.
-
-| Method | Path                              | Purpose                                      |
-| ------ | --------------------------------- | -------------------------------------------- |
-| GET    | `/_agent-native/tools`            | List tools (filtered by ownership + sharing) |
-| POST   | `/_agent-native/tools`            | Create a tool                                |
-| GET    | `/_agent-native/tools/:id`        | Get a single tool                            |
-| PUT    | `/_agent-native/tools/:id`        | Update (supports `patches` for diffing)      |
-| DELETE | `/_agent-native/tools/:id`        | Delete a tool                                |
-| GET    | `/_agent-native/tools/:id/render` | Render the iframe HTML                       |
-| POST   | `/_agent-native/tools/proxy`      | Authenticated proxy with secret injection    |
-
-## Examples {#examples}
-
-Here are some things people build as tools:
-
-- **GitHub PR dashboard** — see open PRs, review status, and CI checks at a glance
-- **API health monitor** — check if your services are up with a single click
-- **Weather widget** — quick weather lookup for any city
-- **Stripe payment lookup** — search recent payments and refunds
-- **Database explorer** — browse and query your app's data
-- **Shipping cost calculator** — compute rates based on weight and destination
-- **Meeting notes summarizer** — paste notes, get action items
-- **Social media scheduler** — draft and schedule posts across platforms
-
-To create any of these, just describe what you want in the agent chat.
-
-## What's next
-
-- [**Actions**](/docs/actions) — the operations that tools (and the agent) can call
-- [**Workspace**](/docs/workspace) — the broader workspace system tools live alongside
-- [**Security**](/docs/security) — the framework's data scoping and access control