@agent-native/core 0.8.2 → 0.10.0

package/dist/server/credential-provider.d.ts

@@ -17,6 +17,19 @@
  * shape is meant to grow to cover future managed credential integrations
  * (e.g. additional Builder-hosted services) without rewrites.
  */
+/**
+ * Decide which `app_secrets` scope a Builder/credential write should use.
+ *
+ * Org scope ("everyone in this org sees these credentials") wins when the
+ * connecting user is an owner or admin of an active org — the write
+ * privileges shared infra. A plain member or a user without an active
+ * org falls through to per-user scope so a teammate can't silently
+ * overwrite the org-shared connection.
+ */
+export declare function resolveCredentialWriteScope(email: string, orgId: string | null | undefined, role: string | null | undefined): {
+    scope: "user" | "org";
+    scopeId: string;
+};
 export declare class FeatureNotConfiguredError extends Error {
     readonly requiredCredential: string;
     readonly builderConnectUrl?: string;
@@ -71,7 +84,18 @@ export declare function resolveBuilderCredentials(): Promise<{
     orgKind: string | null;
 }>;
 /**
- * Write Builder credentials for the current user to per-user app_secrets.
+ * Write Builder credentials to `app_secrets`.
+ *
+ * Scope decision (see `resolveCredentialWriteScope`): when the connecting
+ * user is owner/admin of an active org we write at `scope: "org"` so every
+ * member of that org auto-resolves the credentials via
+ * `resolveBuilderCredential`'s org fallback — no per-user re-connect
+ * needed. A plain member or a user with no active org writes at
+ * `scope: "user"` (the safe default that doesn't trample the org's shared
+ * connection).
+ *
+ * Returns the actual scope/scopeId used so the caller can show "Connected
+ * for Builder.io" vs "Connected (personal)" in the UI.
  */
 export declare function writeBuilderCredentials(email: string, creds: {
     privateKey: string;
@@ -79,14 +103,33 @@ export declare function writeBuilderCredentials(email: string, creds: {
     userId?: string | null;
     orgName?: string | null;
     orgKind?: string | null;
-}): Promise<void>;
+}, options?: {
+    orgId?: string | null;
+    role?: string | null;
+}): Promise<{
+    scope: "user" | "org";
+    scopeId: string;
+}>;
 /**
- * Delete Builder credentials for the current user from app_secrets.
+ * Delete Builder credentials.
+ *
+ * Default behaviour: clears only this user's per-user override (so a
+ * member can disconnect their personal Builder identity without
+ * collapsing the org-wide connection for every teammate). To revoke the
+ * org's shared connection, pass `{ orgId, role }` for an owner/admin —
+ * matching the same authority gate `writeBuilderCredentials` uses on
+ * write. Plain members can never reach the org-scoped row.
  */
-export declare function deleteBuilderCredentials(email: string): Promise<void>;
+export declare function deleteBuilderCredentials(email: string, options?: {
+    orgId?: string | null;
+    role?: string | null;
+}): Promise<{
+    scope: "user" | "org";
+    scopeId: string;
+}>;
 /**
- * Resolve a per-user secret. Reads from `app_secrets` first (scoped by
- * the current request's authenticated user); falls back to `process.env`
+ * Resolve a request-scoped secret. Reads from `app_secrets` first (current
+ * user override, active org, then workspace row); falls back to `process.env`
  * only for unauthenticated/CLI/background contexts.
  */
 export declare function resolveSecret(key: string): Promise<string | null>;

package/dist/server/credential-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAwBD,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwBxB;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC,CASD;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,GACA,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAc3E;AAcD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAsBvE;AAOD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}
+{"version":3,"file":"credential-provider.d.ts","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC9B;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAK5C;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;gBAElB,IAAI,EAAE;QAChB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CAUF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEvE;AAwBD,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAyCxB;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;;;;GAKG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvE;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpE;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAC,CASD;AAUD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,KAAK,EAAE;IACL,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,EACD,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAgCrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GACxD,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAiBrD;AAeD;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoDvE;AAOD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED,yEAAyE;AACzE,wBAAgB,qBAAqB,IAAI,MAAM,CAO9C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAKjD;AAED,uEAAuE;AACvE,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,IAAI,CAGpD"}

package/dist/server/credential-provider.js

@@ -17,7 +17,22 @@
  * shape is meant to grow to cover future managed credential integrations
  * (e.g. additional Builder-hosted services) without rewrites.
  */
-import { getRequestUserEmail } from "./request-context.js";
+import { getRequestUserEmail, getRequestOrgId } from "./request-context.js";
+/**
+ * Decide which `app_secrets` scope a Builder/credential write should use.
+ *
+ * Org scope ("everyone in this org sees these credentials") wins when the
+ * connecting user is an owner or admin of an active org — the write
+ * privileges shared infra. A plain member or a user without an active
+ * org falls through to per-user scope so a teammate can't silently
+ * overwrite the org-shared connection.
+ */
+export function resolveCredentialWriteScope(email, orgId, role) {
+    if (orgId && (role === "owner" || role === "admin")) {
+        return { scope: "org", scopeId: orgId };
+    }
+    return { scope: "user", scopeId: email };
+}
 export class FeatureNotConfiguredError extends Error {
     requiredCredential;
     builderConnectUrl;
@@ -67,23 +82,39 @@ export async function resolveBuilderCredential(key) {
     const envValue = readDeployCredentialEnv(key);
     if (envValue)
         return envValue;
-    // No env value: per-user OAuth fallback.
     const email = getRequestUserEmail();
-    if (email) {
-        try {
-            const { readAppSecret } = await import("../secrets/storage.js");
-            const secret = await readAppSecret({
+    if (!email)
+        return null;
+    try {
+        const { readAppSecret } = await import("../secrets/storage.js");
+        // 1. Per-user override: a user can paste their own key in settings to
+        //    overrule the org-shared one (handy for a personal sandbox).
+        const userSecret = await readAppSecret({
+            key,
+            scope: "user",
+            scopeId: email,
+        });
+        if (userSecret)
+            return userSecret.value;
+        // 2. Per-org shared credential: when one teammate connects Builder
+        //    as an owner/admin we write the OAuth result at org scope so
+        //    every member of that org gets the AI chat working without
+        //    re-running the connect flow. Resolution falls back here
+        //    silently — the caller never has to know which scope answered.
+        const orgId = getRequestOrgId();
+        if (orgId) {
+            const orgSecret = await readAppSecret({
                 key,
-                scope: "user",
-                scopeId: email,
+                scope: "org",
+                scopeId: orgId,
             });
-            if (secret)
-                return secret.value;
-        }
-        catch {
-            // Secrets table not ready — treat as missing.
+            if (orgSecret)
+                return orgSecret.value;
         }
     }
+    catch {
+        // Secrets table not ready — treat as missing.
+    }
     return null;
 }
 /**
@@ -134,11 +165,30 @@ export async function resolveBuilderCredentials() {
     ]);
     return { privateKey, publicKey, userId, orgName, orgKind };
 }
+const BUILDER_CREDENTIAL_KEYS = [
+    "BUILDER_PRIVATE_KEY",
+    "BUILDER_PUBLIC_KEY",
+    "BUILDER_USER_ID",
+    "BUILDER_ORG_NAME",
+    "BUILDER_ORG_KIND",
+];
 /**
- * Write Builder credentials for the current user to per-user app_secrets.
+ * Write Builder credentials to `app_secrets`.
+ *
+ * Scope decision (see `resolveCredentialWriteScope`): when the connecting
+ * user is owner/admin of an active org we write at `scope: "org"` so every
+ * member of that org auto-resolves the credentials via
+ * `resolveBuilderCredential`'s org fallback — no per-user re-connect
+ * needed. A plain member or a user with no active org writes at
+ * `scope: "user"` (the safe default that doesn't trample the org's shared
+ * connection).
+ *
+ * Returns the actual scope/scopeId used so the caller can show "Connected
+ * for Builder.io" vs "Connected (personal)" in the UI.
  */
-export async function writeBuilderCredentials(email, creds) {
+export async function writeBuilderCredentials(email, creds, options) {
     const { writeAppSecret } = await import("../secrets/storage.js");
+    const target = resolveCredentialWriteScope(email, options?.orgId ?? null, options?.role ?? null);
     const entries = [
         { key: "BUILDER_PRIVATE_KEY", value: creds.privateKey },
         { key: "BUILDER_PUBLIC_KEY", value: creds.publicKey },
@@ -152,36 +202,49 @@ export async function writeBuilderCredentials(email, creds) {
     if (creds.orgKind) {
         entries.push({ key: "BUILDER_ORG_KIND", value: creds.orgKind });
     }
-    await Promise.all(entries.map(({ key, value }) => writeAppSecret({ key, value, scope: "user", scopeId: email })));
+    await Promise.all(entries.map(({ key, value }) => writeAppSecret({
+        key,
+        value,
+        scope: target.scope,
+        scopeId: target.scopeId,
+    })));
+    return target;
 }
 /**
- * Delete Builder credentials for the current user from app_secrets.
+ * Delete Builder credentials.
+ *
+ * Default behaviour: clears only this user's per-user override (so a
+ * member can disconnect their personal Builder identity without
+ * collapsing the org-wide connection for every teammate). To revoke the
+ * org's shared connection, pass `{ orgId, role }` for an owner/admin —
+ * matching the same authority gate `writeBuilderCredentials` uses on
+ * write. Plain members can never reach the org-scoped row.
  */
-export async function deleteBuilderCredentials(email) {
+export async function deleteBuilderCredentials(email, options) {
     const { deleteAppSecret } = await import("../secrets/storage.js");
-    const keys = [
-        "BUILDER_PRIVATE_KEY",
-        "BUILDER_PUBLIC_KEY",
-        "BUILDER_USER_ID",
-        "BUILDER_ORG_NAME",
-        "BUILDER_ORG_KIND",
-    ];
-    await Promise.all(keys.map((key) => deleteAppSecret({ key, scope: "user", scopeId: email }).catch(() => { })));
+    const target = resolveCredentialWriteScope(email, options?.orgId ?? null, options?.role ?? null);
+    await Promise.all(BUILDER_CREDENTIAL_KEYS.map((key) => deleteAppSecret({
+        key,
+        scope: target.scope,
+        scopeId: target.scopeId,
+    }).catch(() => { })));
+    return target;
 }
 // ---------------------------------------------------------------------------
-// Generic per-user secret resolution
+// Generic request-scoped secret resolution
 //
 // New consumers should prefer this over reading `process.env.X` directly.
-// User-pasted secrets live in `app_secrets` (encrypted, scope=user); the
-// settings UI / onboarding panels write here. Deploy-level env vars are
-// the fallback for unauthenticated/CLI/background contexts where there's
-// no user to scope by — never the silent fallback for an authenticated
-// request, since on a multi-tenant deploy that would silently identify
-// every user as whoever set the deploy-level key (KVesta Space, 2026-04).
+// User-pasted and shared secrets live in `app_secrets` (encrypted). The
+// settings UI / onboarding panels can write user, org, or workspace rows.
+// Deploy-level env vars are the fallback for unauthenticated/CLI/background
+// contexts where there's no user to scope by — never the silent fallback
+// for an authenticated request, since on a multi-tenant deploy that would
+// silently identify every user as whoever set the deploy-level key
+// (KVesta Space, 2026-04).
 // ---------------------------------------------------------------------------
 /**
- * Resolve a per-user secret. Reads from `app_secrets` first (scoped by
- * the current request's authenticated user); falls back to `process.env`
+ * Resolve a request-scoped secret. Reads from `app_secrets` first (current
+ * user override, active org, then workspace row); falls back to `process.env`
  * only for unauthenticated/CLI/background contexts.
  */
 export async function resolveSecret(key) {
@@ -189,13 +252,45 @@ export async function resolveSecret(key) {
     if (email) {
         try {
             const { readAppSecret } = await import("../secrets/storage.js");
-            const secret = await readAppSecret({
+            // Per-user override first.
+            const userSecret = await readAppSecret({
                 key,
                 scope: "user",
                 scopeId: email,
             });
-            if (secret?.value)
-                return secret.value;
+            if (userSecret?.value)
+                return userSecret.value;
+            const orgId = getRequestOrgId();
+            if (orgId) {
+                // Fall back to the active org's shared row, when present. Builder
+                // Connect uses this first-class org scope.
+                const orgSecret = await readAppSecret({
+                    key,
+                    scope: "org",
+                    scopeId: orgId,
+                });
+                if (orgSecret?.value)
+                    return orgSecret.value;
+                // Registered secrets historically used "workspace" scope for
+                // org-shared configuration. Keep reading it so Settings status and
+                // runtime resolution agree.
+                const workspaceSecret = await readAppSecret({
+                    key,
+                    scope: "workspace",
+                    scopeId: orgId,
+                });
+                if (workspaceSecret?.value)
+                    return workspaceSecret.value;
+            }
+            else {
+                const soloWorkspaceSecret = await readAppSecret({
+                    key,
+                    scope: "workspace",
+                    scopeId: `solo:${email}`,
+                });
+                if (soloWorkspaceSecret?.value)
+                    return soloWorkspaceSecret.value;
+            }
         }
         catch {
             // Secrets table not ready — treat as missing.

package/dist/server/credential-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,2EAA2E;AAC3E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,uEAAuE;AACvE,2EAA2E;AAC3E,wEAAwE;AACxE,0DAA0D;AAC1D,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,0EAA0E;AAC1E,4DAA4D;AAC5D,EAAE;AACF,6EAA6E;AAC7E,wEAAwE;AACxE,2EAA2E;AAC3E,uEAAuE;AACvE,8BAA8B;AAC9B,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,+DAA+D;IAC/D,mDAAmD;IACnD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,yCAAyC;IACzC,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;gBACjC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,MAAM;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAO7C,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC1E,wBAAwB,CAAC,qBAAqB,CAAC;QAC/C,wBAAwB,CAAC,oBAAoB,CAAC;QAC9C,wBAAwB,CAAC,iBAAiB,CAAC;QAC3C,wBAAwB,CAAC,kBAAkB,CAAC;QAC5C,wBAAwB,CAAC,kBAAkB,CAAC;KAC7C,CAAC,CAAC;IACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAMC;IAED,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACjE,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,KAAK,CAAC,UAAU,EAAE;QACvD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,CAAC,SAAS,EAAE;KACtD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAC9D,CACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,KAAa;IAC1D,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG;QACX,qBAAqB;QACrB,oBAAoB;QACpB,iBAAiB;QACjB,kBAAkB;QAClB,kBAAkB;KACnB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CACf,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACxE,CACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,qCAAqC;AACrC,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,wEAAwE;AACxE,yEAAyE;AACzE,uEAAuE;AACvE,uEAAuE;AACvE,0EAA0E;AAC1E,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;gBACjC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,6BAA6B;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAClC,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,gCAAgC,CACjC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,2CAA2C,CAC5C,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * Google OAuth tokens, OpenAI key, Slack bot token, etc.) should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. That way the same feature can work in three modes:\n *\n *   1. User set their own key in .env              → use it directly\n *   2. User connected Builder via `/cli-auth`      → route through Builder proxy\n *   3. Neither                                      → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { getRequestUserEmail } from \"./request-context.js\";\n\nexport class FeatureNotConfiguredError extends Error {\n  readonly requiredCredential: string;\n  readonly builderConnectUrl?: string;\n  readonly byokDocsUrl?: string;\n\n  constructor(opts: {\n    requiredCredential: string;\n    message?: string;\n    builderConnectUrl?: string;\n    byokDocsUrl?: string;\n  }) {\n    super(\n      opts.message ??\n        `Feature requires credential \"${opts.requiredCredential}\". Connect Builder or set your own key.`,\n    );\n    this.name = \"FeatureNotConfiguredError\";\n    this.requiredCredential = opts.requiredCredential;\n    this.builderConnectUrl = opts.builderConnectUrl;\n    this.byokDocsUrl = opts.byokDocsUrl;\n  }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n  return process.env[key] || undefined;\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution — two mutually-exclusive deployment modes:\n//\n//   1. **Single-tenant / env-managed.** When BUILDER_PRIVATE_KEY is set at\n//      the deployment level, it is THE Builder identity for every user of\n//      this deploy. The operator setting the env explicitly opts in to\n//      \"everyone shares one Builder space\" — same shape as DATABASE_URL or\n//      BETTER_AUTH_SECRET. The UI hides the per-user connect/disconnect\n//      flow when env-managed (see `isBuilderEnvManaged`).\n//\n//   2. **Multi-tenant / per-user OAuth.** When the env is unset, each user\n//      OAuth-connects their own Builder via the cli-auth flow. Their keys\n//      land in `app_secrets` (scope=user, scopeId=email) via the callback\n//      handler. They can disconnect via the settings panel.\n//\n// To run multi-tenant SaaS: leave the env unset. Setting BUILDER_PRIVATE_KEY\n// on a multi-tenant deploy will silently route every authenticated user\n// through the env-key owner's Builder identity — that was the KVesta Space\n// cross-tenant attribution leak (2026-04). The mode is binary: env-set\n// means single-tenant intent.\n// ---------------------------------------------------------------------------\n\nexport async function resolveBuilderCredential(\n  key: string,\n): Promise<string | null> {\n  // Env-managed mode wins when set: deploy-level Builder identity for\n  // every user. Per-user app_secrets (left over from a previous OAuth\n  // connection or a mode switch) are intentionally ignored — the\n  // operator's deploy-level config is authoritative.\n  const envValue = readDeployCredentialEnv(key);\n  if (envValue) return envValue;\n\n  // No env value: per-user OAuth fallback.\n  const email = getRequestUserEmail();\n  if (email) {\n    try {\n      const { readAppSecret } = await import(\"../secrets/storage.js\");\n      const secret = await readAppSecret({\n        key,\n        scope: \"user\",\n        scopeId: email,\n      });\n      if (secret) return secret.value;\n    } catch {\n      // Secrets table not ready — treat as missing.\n    }\n  }\n  return null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level — every\n * user of this deploy shares the operator's Builder identity, and per-user\n * connect/disconnect is disabled. UIs read this via `/builder/status` to\n * swap the \"Connect Builder\" prompts for a read-only \"managed by deployment\"\n * chip and to suppress the disconnect button.\n */\nexport function isBuilderEnvManaged(): boolean {\n  return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. In env-managed\n * mode (deploy-level `BUILDER_PRIVATE_KEY` set) returns the env value for\n * every caller. Otherwise reads the current user's per-user OAuth-stored\n * key from `app_secrets`.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n  return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n  const key = await resolveBuilderPrivateKey();\n  return key ? `Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n  return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Resolve all per-user Builder credentials. Used by the status endpoint\n * and agent-chat-plugin to get orgName, userId, etc.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n  privateKey: string | null;\n  publicKey: string | null;\n  userId: string | null;\n  orgName: string | null;\n  orgKind: string | null;\n}> {\n  const [privateKey, publicKey, userId, orgName, orgKind] = await Promise.all([\n    resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\"),\n    resolveBuilderCredential(\"BUILDER_PUBLIC_KEY\"),\n    resolveBuilderCredential(\"BUILDER_USER_ID\"),\n    resolveBuilderCredential(\"BUILDER_ORG_NAME\"),\n    resolveBuilderCredential(\"BUILDER_ORG_KIND\"),\n  ]);\n  return { privateKey, publicKey, userId, orgName, orgKind };\n}\n\n/**\n * Write Builder credentials for the current user to per-user app_secrets.\n */\nexport async function writeBuilderCredentials(\n  email: string,\n  creds: {\n    privateKey: string;\n    publicKey: string;\n    userId?: string | null;\n    orgName?: string | null;\n    orgKind?: string | null;\n  },\n): Promise<void> {\n  const { writeAppSecret } = await import(\"../secrets/storage.js\");\n  const entries: Array<{ key: string; value: string }> = [\n    { key: \"BUILDER_PRIVATE_KEY\", value: creds.privateKey },\n    { key: \"BUILDER_PUBLIC_KEY\", value: creds.publicKey },\n  ];\n  if (creds.userId) {\n    entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n  }\n  if (creds.orgName) {\n    entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n  }\n  if (creds.orgKind) {\n    entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n  }\n  await Promise.all(\n    entries.map(({ key, value }) =>\n      writeAppSecret({ key, value, scope: \"user\", scopeId: email }),\n    ),\n  );\n}\n\n/**\n * Delete Builder credentials for the current user from app_secrets.\n */\nexport async function deleteBuilderCredentials(email: string): Promise<void> {\n  const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n  const keys = [\n    \"BUILDER_PRIVATE_KEY\",\n    \"BUILDER_PUBLIC_KEY\",\n    \"BUILDER_USER_ID\",\n    \"BUILDER_ORG_NAME\",\n    \"BUILDER_ORG_KIND\",\n  ];\n  await Promise.all(\n    keys.map((key) =>\n      deleteAppSecret({ key, scope: \"user\", scopeId: email }).catch(() => {}),\n    ),\n  );\n}\n\n// ---------------------------------------------------------------------------\n// Generic per-user secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted secrets live in `app_secrets` (encrypted, scope=user); the\n// settings UI / onboarding panels write here. Deploy-level env vars are\n// the fallback for unauthenticated/CLI/background contexts where there's\n// no user to scope by — never the silent fallback for an authenticated\n// request, since on a multi-tenant deploy that would silently identify\n// every user as whoever set the deploy-level key (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a per-user secret. Reads from `app_secrets` first (scoped by\n * the current request's authenticated user); falls back to `process.env`\n * only for unauthenticated/CLI/background contexts.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n  const email = getRequestUserEmail();\n  if (email) {\n    try {\n      const { readAppSecret } = await import(\"../secrets/storage.js\");\n      const secret = await readAppSecret({\n        key,\n        scope: \"user\",\n        scopeId: email,\n      });\n      if (secret?.value) return secret.value;\n    } catch {\n      // Secrets table not ready — treat as missing.\n    }\n    // Authenticated multi-tenant context: never fall back to process.env.\n    // The deploy-level value would silently impersonate the actual key\n    // owner across every tenant.\n    return null;\n  }\n  // Unauthenticated / local-dev / CLI / background context: env fallback\n  // is safe because there's no user to mis-identify.\n  return process.env[key] || null;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same check as `isBuilderEnvManaged()` (env-managed mode is\n * defined as \"deploy-level BUILDER_PRIVATE_KEY is set\"). Prefer\n * `isBuilderEnvManaged()` for new call sites — its name reflects what the\n * boolean means semantically. For \"does this user have access to Builder\n * (env or per-user)?\" use the async `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n  return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. */\nexport function getBuilderProxyOrigin(): string {\n  return (\n    process.env.BUILDER_PROXY_ORIGIN ||\n    process.env.AIR_HOST ||\n    process.env.BUILDER_API_HOST ||\n    \"https://ai-services.builder.io\"\n  );\n}\n\n/**\n * Base URL for the public Builder LLM gateway (distinct from the internal\n * proxy origin above — the public gateway lives at api.builder.io/codegen,\n * while the internal origin is ai-services.builder.io).\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n  return (\n    process.env.BUILDER_GATEWAY_BASE_URL ||\n    \"https://api.builder.io/codegen/gateway/v1\"\n  );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n  const key = process.env.BUILDER_PRIVATE_KEY;\n  return key ? `Bearer ${key}` : null;\n}\n"]}
+{"version":3,"file":"credential-provider.js","sourceRoot":"","sources":["../../src/server/credential-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE5E;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,KAAgC,EAChC,IAA+B;IAE/B,IAAI,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,kBAAkB,CAAS;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAU;IAE9B,YAAY,IAKX;QACC,KAAK,CACH,IAAI,CAAC,OAAO;YACV,gCAAgC,IAAI,CAAC,kBAAkB,yCAAyC,CACnG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,2EAA2E;AAC3E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,uEAAuE;AACvE,2EAA2E;AAC3E,wEAAwE;AACxE,0DAA0D;AAC1D,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,0EAA0E;AAC1E,4DAA4D;AAC5D,EAAE;AACF,6EAA6E;AAC7E,wEAAwE;AACxE,2EAA2E;AAC3E,uEAAuE;AACvE,8BAA8B;AAC9B,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAW;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,+DAA+D;IAC/D,mDAAmD;IACnD,MAAM,QAAQ,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAEhE,sEAAsE;QACtE,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;YACrC,GAAG;YACH,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC,KAAK,CAAC;QAExC,mEAAmE;QACnE,iEAAiE;QACjE,+DAA+D;QAC/D,6DAA6D;QAC7D,mEAAmE;QACnE,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;gBACpC,GAAG;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,SAAS;gBAAE,OAAO,SAAS,CAAC,KAAK,CAAC;QACxC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,OAAO,wBAAwB,CAAC,qBAAqB,CAAC,CAAC;AACzD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,GAAG,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,OAAO,CAAC,CAAC,CAAC,MAAM,wBAAwB,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAO7C,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC1E,wBAAwB,CAAC,qBAAqB,CAAC;QAC/C,wBAAwB,CAAC,oBAAoB,CAAC;QAC9C,wBAAwB,CAAC,iBAAiB,CAAC;QAC3C,wBAAwB,CAAC,kBAAkB,CAAC;QAC5C,wBAAwB,CAAC,kBAAkB,CAAC;KAC7C,CAAC,CAAC;IACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC7D,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAEX;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,KAMC,EACD,OAAyD;IAEzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IAEF,MAAM,OAAO,GAA0C;QACrD,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,KAAK,CAAC,UAAU,EAAE;QACvD,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,CAAC,SAAS,EAAE;KACtD,CAAC;IACF,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,iBAAiB,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAC7B,cAAc,CAAC;QACb,GAAG;QACH,KAAK;QACL,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CACH,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,OAAyD;IAEzD,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,2BAA2B,CACxC,KAAK,EACL,OAAO,EAAE,KAAK,IAAI,IAAI,EACtB,OAAO,EAAE,IAAI,IAAI,IAAI,CACtB,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CACf,uBAAuB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAClC,eAAe,CAAC;QACd,GAAG;QACH,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CACnB,CACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,0EAA0E;AAC1E,4EAA4E;AAC5E,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAChE,2BAA2B;YAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC;gBACrC,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,IAAI,UAAU,EAAE,KAAK;gBAAE,OAAO,UAAU,CAAC,KAAK,CAAC;YAE/C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;YAChC,IAAI,KAAK,EAAE,CAAC;gBACV,kEAAkE;gBAClE,2CAA2C;gBAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC;oBACpC,GAAG;oBACH,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,KAAK;oBAAE,OAAO,SAAS,CAAC,KAAK,CAAC;gBAE7C,6DAA6D;gBAC7D,mEAAmE;gBACnE,4BAA4B;gBAC5B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC;oBAC1C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,IAAI,eAAe,EAAE,KAAK;oBAAE,OAAO,eAAe,CAAC,KAAK,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC;oBAC9C,GAAG;oBACH,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,QAAQ,KAAK,EAAE;iBACzB,CAAC,CAAC;gBACH,IAAI,mBAAmB,EAAE,KAAK;oBAAE,OAAO,mBAAmB,CAAC,KAAK,CAAC;YACnE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;QACD,sEAAsE;QACtE,mEAAmE;QACnE,6BAA6B;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,uEAAuE;IACvE,mDAAmD;IACnD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAClC,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,iEAAiE;AACjE,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AAC3C,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,qBAAqB;IACnC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACpB,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,gCAAgC,CACjC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,wBAAwB;QACpC,2CAA2C,CAC5C,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC","sourcesContent":["/**\n * Credential provider abstraction.\n *\n * Every feature that needs an external credential (Anthropic API key,\n * Google OAuth tokens, OpenAI key, Slack bot token, etc.) should go through\n * one of the resolve*() helpers here instead of reading `process.env`\n * directly. That way the same feature can work in three modes:\n *\n *   1. User set their own key in .env              → use it directly\n *   2. User connected Builder via `/cli-auth`      → route through Builder proxy\n *   3. Neither                                      → throw FeatureNotConfigured\n *\n * Templates catch FeatureNotConfigured and show a \"Connect Builder (1 click) /\n * set up your own key (guide)\" card.\n *\n * Today these helpers are used by the Builder-hosted LLM gateway, and the\n * shape is meant to grow to cover future managed credential integrations\n * (e.g. additional Builder-hosted services) without rewrites.\n */\n\nimport { getRequestUserEmail, getRequestOrgId } from \"./request-context.js\";\n\n/**\n * Decide which `app_secrets` scope a Builder/credential write should use.\n *\n * Org scope (\"everyone in this org sees these credentials\") wins when the\n * connecting user is an owner or admin of an active org — the write\n * privileges shared infra. A plain member or a user without an active\n * org falls through to per-user scope so a teammate can't silently\n * overwrite the org-shared connection.\n */\nexport function resolveCredentialWriteScope(\n  email: string,\n  orgId: string | null | undefined,\n  role: string | null | undefined,\n): { scope: \"user\" | \"org\"; scopeId: string } {\n  if (orgId && (role === \"owner\" || role === \"admin\")) {\n    return { scope: \"org\", scopeId: orgId };\n  }\n  return { scope: \"user\", scopeId: email };\n}\n\nexport class FeatureNotConfiguredError extends Error {\n  readonly requiredCredential: string;\n  readonly builderConnectUrl?: string;\n  readonly byokDocsUrl?: string;\n\n  constructor(opts: {\n    requiredCredential: string;\n    message?: string;\n    builderConnectUrl?: string;\n    byokDocsUrl?: string;\n  }) {\n    super(\n      opts.message ??\n        `Feature requires credential \"${opts.requiredCredential}\". Connect Builder or set your own key.`,\n    );\n    this.name = \"FeatureNotConfiguredError\";\n    this.requiredCredential = opts.requiredCredential;\n    this.builderConnectUrl = opts.builderConnectUrl;\n    this.byokDocsUrl = opts.byokDocsUrl;\n  }\n}\n\n/**\n * Deployment-level credential fallback for single-tenant/local operation.\n * Multi-tenant call sites must gate this explicitly before calling.\n */\nexport function readDeployCredentialEnv(key: string): string | undefined {\n  return process.env[key] || undefined;\n}\n\n// ---------------------------------------------------------------------------\n// Builder credential resolution — two mutually-exclusive deployment modes:\n//\n//   1. **Single-tenant / env-managed.** When BUILDER_PRIVATE_KEY is set at\n//      the deployment level, it is THE Builder identity for every user of\n//      this deploy. The operator setting the env explicitly opts in to\n//      \"everyone shares one Builder space\" — same shape as DATABASE_URL or\n//      BETTER_AUTH_SECRET. The UI hides the per-user connect/disconnect\n//      flow when env-managed (see `isBuilderEnvManaged`).\n//\n//   2. **Multi-tenant / per-user OAuth.** When the env is unset, each user\n//      OAuth-connects their own Builder via the cli-auth flow. Their keys\n//      land in `app_secrets` (scope=user, scopeId=email) via the callback\n//      handler. They can disconnect via the settings panel.\n//\n// To run multi-tenant SaaS: leave the env unset. Setting BUILDER_PRIVATE_KEY\n// on a multi-tenant deploy will silently route every authenticated user\n// through the env-key owner's Builder identity — that was the KVesta Space\n// cross-tenant attribution leak (2026-04). The mode is binary: env-set\n// means single-tenant intent.\n// ---------------------------------------------------------------------------\n\nexport async function resolveBuilderCredential(\n  key: string,\n): Promise<string | null> {\n  // Env-managed mode wins when set: deploy-level Builder identity for\n  // every user. Per-user app_secrets (left over from a previous OAuth\n  // connection or a mode switch) are intentionally ignored — the\n  // operator's deploy-level config is authoritative.\n  const envValue = readDeployCredentialEnv(key);\n  if (envValue) return envValue;\n\n  const email = getRequestUserEmail();\n  if (!email) return null;\n\n  try {\n    const { readAppSecret } = await import(\"../secrets/storage.js\");\n\n    // 1. Per-user override: a user can paste their own key in settings to\n    //    overrule the org-shared one (handy for a personal sandbox).\n    const userSecret = await readAppSecret({\n      key,\n      scope: \"user\",\n      scopeId: email,\n    });\n    if (userSecret) return userSecret.value;\n\n    // 2. Per-org shared credential: when one teammate connects Builder\n    //    as an owner/admin we write the OAuth result at org scope so\n    //    every member of that org gets the AI chat working without\n    //    re-running the connect flow. Resolution falls back here\n    //    silently — the caller never has to know which scope answered.\n    const orgId = getRequestOrgId();\n    if (orgId) {\n      const orgSecret = await readAppSecret({\n        key,\n        scope: \"org\",\n        scopeId: orgId,\n      });\n      if (orgSecret) return orgSecret.value;\n    }\n  } catch {\n    // Secrets table not ready — treat as missing.\n  }\n  return null;\n}\n\n/**\n * True when `BUILDER_PRIVATE_KEY` is set at the deployment level — every\n * user of this deploy shares the operator's Builder identity, and per-user\n * connect/disconnect is disabled. UIs read this via `/builder/status` to\n * swap the \"Connect Builder\" prompts for a read-only \"managed by deployment\"\n * chip and to suppress the disconnect button.\n */\nexport function isBuilderEnvManaged(): boolean {\n  return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/**\n * Resolve the Builder private key for the current request. In env-managed\n * mode (deploy-level `BUILDER_PRIVATE_KEY` set) returns the env value for\n * every caller. Otherwise reads the current user's per-user OAuth-stored\n * key from `app_secrets`.\n */\nexport async function resolveBuilderPrivateKey(): Promise<string | null> {\n  return resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\");\n}\n\n/**\n * Resolve the current user's Builder auth header.\n * Returns `\"Bearer <key>\"` or null.\n */\nexport async function resolveBuilderAuthHeader(): Promise<string | null> {\n  const key = await resolveBuilderPrivateKey();\n  return key ? `Bearer ${key}` : null;\n}\n\n/**\n * Check whether the current user has a Builder private key configured\n * (per-user or deployment-level).\n */\nexport async function resolveHasBuilderPrivateKey(): Promise<boolean> {\n  return !!(await resolveBuilderPrivateKey());\n}\n\n/**\n * Resolve all per-user Builder credentials. Used by the status endpoint\n * and agent-chat-plugin to get orgName, userId, etc.\n */\nexport async function resolveBuilderCredentials(): Promise<{\n  privateKey: string | null;\n  publicKey: string | null;\n  userId: string | null;\n  orgName: string | null;\n  orgKind: string | null;\n}> {\n  const [privateKey, publicKey, userId, orgName, orgKind] = await Promise.all([\n    resolveBuilderCredential(\"BUILDER_PRIVATE_KEY\"),\n    resolveBuilderCredential(\"BUILDER_PUBLIC_KEY\"),\n    resolveBuilderCredential(\"BUILDER_USER_ID\"),\n    resolveBuilderCredential(\"BUILDER_ORG_NAME\"),\n    resolveBuilderCredential(\"BUILDER_ORG_KIND\"),\n  ]);\n  return { privateKey, publicKey, userId, orgName, orgKind };\n}\n\nconst BUILDER_CREDENTIAL_KEYS = [\n  \"BUILDER_PRIVATE_KEY\",\n  \"BUILDER_PUBLIC_KEY\",\n  \"BUILDER_USER_ID\",\n  \"BUILDER_ORG_NAME\",\n  \"BUILDER_ORG_KIND\",\n] as const;\n\n/**\n * Write Builder credentials to `app_secrets`.\n *\n * Scope decision (see `resolveCredentialWriteScope`): when the connecting\n * user is owner/admin of an active org we write at `scope: \"org\"` so every\n * member of that org auto-resolves the credentials via\n * `resolveBuilderCredential`'s org fallback — no per-user re-connect\n * needed. A plain member or a user with no active org writes at\n * `scope: \"user\"` (the safe default that doesn't trample the org's shared\n * connection).\n *\n * Returns the actual scope/scopeId used so the caller can show \"Connected\n * for Builder.io\" vs \"Connected (personal)\" in the UI.\n */\nexport async function writeBuilderCredentials(\n  email: string,\n  creds: {\n    privateKey: string;\n    publicKey: string;\n    userId?: string | null;\n    orgName?: string | null;\n    orgKind?: string | null;\n  },\n  options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n  const { writeAppSecret } = await import(\"../secrets/storage.js\");\n  const target = resolveCredentialWriteScope(\n    email,\n    options?.orgId ?? null,\n    options?.role ?? null,\n  );\n\n  const entries: Array<{ key: string; value: string }> = [\n    { key: \"BUILDER_PRIVATE_KEY\", value: creds.privateKey },\n    { key: \"BUILDER_PUBLIC_KEY\", value: creds.publicKey },\n  ];\n  if (creds.userId) {\n    entries.push({ key: \"BUILDER_USER_ID\", value: creds.userId });\n  }\n  if (creds.orgName) {\n    entries.push({ key: \"BUILDER_ORG_NAME\", value: creds.orgName });\n  }\n  if (creds.orgKind) {\n    entries.push({ key: \"BUILDER_ORG_KIND\", value: creds.orgKind });\n  }\n  await Promise.all(\n    entries.map(({ key, value }) =>\n      writeAppSecret({\n        key,\n        value,\n        scope: target.scope,\n        scopeId: target.scopeId,\n      }),\n    ),\n  );\n  return target;\n}\n\n/**\n * Delete Builder credentials.\n *\n * Default behaviour: clears only this user's per-user override (so a\n * member can disconnect their personal Builder identity without\n * collapsing the org-wide connection for every teammate). To revoke the\n * org's shared connection, pass `{ orgId, role }` for an owner/admin —\n * matching the same authority gate `writeBuilderCredentials` uses on\n * write. Plain members can never reach the org-scoped row.\n */\nexport async function deleteBuilderCredentials(\n  email: string,\n  options?: { orgId?: string | null; role?: string | null },\n): Promise<{ scope: \"user\" | \"org\"; scopeId: string }> {\n  const { deleteAppSecret } = await import(\"../secrets/storage.js\");\n  const target = resolveCredentialWriteScope(\n    email,\n    options?.orgId ?? null,\n    options?.role ?? null,\n  );\n  await Promise.all(\n    BUILDER_CREDENTIAL_KEYS.map((key) =>\n      deleteAppSecret({\n        key,\n        scope: target.scope,\n        scopeId: target.scopeId,\n      }).catch(() => {}),\n    ),\n  );\n  return target;\n}\n\n// ---------------------------------------------------------------------------\n// Generic request-scoped secret resolution\n//\n// New consumers should prefer this over reading `process.env.X` directly.\n// User-pasted and shared secrets live in `app_secrets` (encrypted). The\n// settings UI / onboarding panels can write user, org, or workspace rows.\n// Deploy-level env vars are the fallback for unauthenticated/CLI/background\n// contexts where there's no user to scope by — never the silent fallback\n// for an authenticated request, since on a multi-tenant deploy that would\n// silently identify every user as whoever set the deploy-level key\n// (KVesta Space, 2026-04).\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a request-scoped secret. Reads from `app_secrets` first (current\n * user override, active org, then workspace row); falls back to `process.env`\n * only for unauthenticated/CLI/background contexts.\n */\nexport async function resolveSecret(key: string): Promise<string | null> {\n  const email = getRequestUserEmail();\n  if (email) {\n    try {\n      const { readAppSecret } = await import(\"../secrets/storage.js\");\n      // Per-user override first.\n      const userSecret = await readAppSecret({\n        key,\n        scope: \"user\",\n        scopeId: email,\n      });\n      if (userSecret?.value) return userSecret.value;\n\n      const orgId = getRequestOrgId();\n      if (orgId) {\n        // Fall back to the active org's shared row, when present. Builder\n        // Connect uses this first-class org scope.\n        const orgSecret = await readAppSecret({\n          key,\n          scope: \"org\",\n          scopeId: orgId,\n        });\n        if (orgSecret?.value) return orgSecret.value;\n\n        // Registered secrets historically used \"workspace\" scope for\n        // org-shared configuration. Keep reading it so Settings status and\n        // runtime resolution agree.\n        const workspaceSecret = await readAppSecret({\n          key,\n          scope: \"workspace\",\n          scopeId: orgId,\n        });\n        if (workspaceSecret?.value) return workspaceSecret.value;\n      } else {\n        const soloWorkspaceSecret = await readAppSecret({\n          key,\n          scope: \"workspace\",\n          scopeId: `solo:${email}`,\n        });\n        if (soloWorkspaceSecret?.value) return soloWorkspaceSecret.value;\n      }\n    } catch {\n      // Secrets table not ready — treat as missing.\n    }\n    // Authenticated multi-tenant context: never fall back to process.env.\n    // The deploy-level value would silently impersonate the actual key\n    // owner across every tenant.\n    return null;\n  }\n  // Unauthenticated / local-dev / CLI / background context: env fallback\n  // is safe because there's no user to mis-identify.\n  return process.env[key] || null;\n}\n\n// ---------------------------------------------------------------------------\n// Synchronous helpers — env-only fallbacks for contexts where per-user\n// lookup isn't possible (sync isConfigured checks, CLI scripts).\n// ---------------------------------------------------------------------------\n\n/**\n * True when a Builder private key is configured at the deployment level.\n *\n * This is the same check as `isBuilderEnvManaged()` (env-managed mode is\n * defined as \"deploy-level BUILDER_PRIVATE_KEY is set\"). Prefer\n * `isBuilderEnvManaged()` for new call sites — its name reflects what the\n * boolean means semantically. For \"does this user have access to Builder\n * (env or per-user)?\" use the async `resolveHasBuilderPrivateKey()`.\n */\nexport function hasBuilderPrivateKey(): boolean {\n  return !!process.env.BUILDER_PRIVATE_KEY;\n}\n\n/** The origin for Builder-proxied API calls. Overridable for testing. */\nexport function getBuilderProxyOrigin(): string {\n  return (\n    process.env.BUILDER_PROXY_ORIGIN ||\n    process.env.AIR_HOST ||\n    process.env.BUILDER_API_HOST ||\n    \"https://ai-services.builder.io\"\n  );\n}\n\n/**\n * Base URL for the public Builder LLM gateway (distinct from the internal\n * proxy origin above — the public gateway lives at api.builder.io/codegen,\n * while the internal origin is ai-services.builder.io).\n * Override via BUILDER_GATEWAY_BASE_URL for staging / testing.\n */\nexport function getBuilderGatewayBaseUrl(): string {\n  return (\n    process.env.BUILDER_GATEWAY_BASE_URL ||\n    \"https://api.builder.io/codegen/gateway/v1\"\n  );\n}\n\n/** Authorization header value for Builder-proxied calls (env-only). */\nexport function getBuilderAuthHeader(): string | null {\n  const key = process.env.BUILDER_PRIVATE_KEY;\n  return key ? `Bearer ${key}` : null;\n}\n"]}

package/dist/server/design-token-utils.d.ts

@@ -78,6 +78,15 @@ export interface UrlExtractionResult {
     ogImage?: string;
     favicon?: string;
 }
+export interface GitHubFetchOptions {
+    token?: string | null;
+}
+export interface GitHubJsonResult<T = unknown> {
+    ok: boolean;
+    status: number;
+    data: T | null;
+    message?: string;
+}
 /** Validate a URL is safe to fetch (blocks localhost, private IPs, metadata endpoints). */
 export declare function validateUrl(url: string): void;
 /** Parse a GitHub URL or "org/repo" shorthand into owner + repo. */
@@ -85,10 +94,12 @@ export declare function parseOwnerRepo(raw: string): {
     owner: string;
     repo: string;
 };
+/** Fetch a path from the GitHub Contents API as JSON with status details. */
+export declare function fetchGitHubJsonResult<T = unknown>(owner: string, repo: string, path: string, options?: GitHubFetchOptions): Promise<GitHubJsonResult<T>>;
 /** Fetch a path from the GitHub Contents API as JSON. Returns null on error. */
-export declare function fetchGitHubJson(owner: string, repo: string, path: string): Promise<unknown>;
+export declare function fetchGitHubJson(owner: string, repo: string, path: string, options?: GitHubFetchOptions): Promise<unknown>;
 /** Fetch raw file content from the GitHub Contents API. Returns null on error or oversize. */
-export declare function fetchGitHubRaw(owner: string, repo: string, path: string): Promise<string | null>;
+export declare function fetchGitHubRaw(owner: string, repo: string, path: string, options?: GitHubFetchOptions): Promise<string | null>;
 /** Extract colors, fonts, spacing, borderRadius from a Tailwind config file string. */
 export declare function parseTailwindConfig(content: string): Record<string, unknown>;
 /** Extract CSS custom properties and @font-face / Google Fonts from CSS content. */

package/dist/server/design-token-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"design-token-utils.d.ts","sourceRoot":"","sources":["../../src/server/design-token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,kEAAkE;AAClE,eAAO,MAAM,SAAS,KAAK,CAAC;AAE5B,6CAA6C;AAC7C,eAAO,MAAM,aAAa,QAAa,CAAC;AAExC,qDAAqD;AACrD,eAAO,MAAM,aAAa,QAAQ,CAAC;AAEnC,uDAAuD;AACvD,eAAO,MAAM,aAAa,EAAE,MAAM,EAOjC,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,EAAE,MAAM,EASnC,CAAC;AAEF,6CAA6C;AAC7C,eAAO,MAAM,cAAc,KAAK,CAAC;AAEjC,mDAAmD;AACnD,eAAO,MAAM,oBAAoB,QAAa,CAAC;AAE/C,yDAAyD;AACzD,eAAO,MAAM,YAAY,QAAkC,CAAC;AAE5D,6CAA6C;AAC7C,eAAO,MAAM,cAAc,QACoM,CAAC;AAEhO,iEAAiE;AACjE,eAAO,MAAM,YAAY,QACma,CAAC;AAE7b,uEAAuE;AACvE,eAAO,MAAM,iBAAiB,QAC0B,CAAC;AAEzD,mEAAmE;AACnE,eAAO,MAAM,mBAAmB,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAgBhE,CAAC;AAMF,MAAM,MAAM,WAAW,GACnB,cAAc,GACd,UAAU,GACV,aAAa,GACb,KAAK,GACL,OAAO,CAAC;AAEZ,MAAM,WAAW,SAAS;IACxB,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;IACxD,KAAK,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,WAAW,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,EAAE,CAAC;IACjE,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAChD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,2FAA2F;AAC3F,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CA2B7C;AAMD,oEAAoE;AACpE,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd,CAeA;AAED,gFAAgF;AAChF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED,8FAA8F;AAC9F,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAkBxB;AAMD,uFAAuF;AACvF,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgE5E;AAMD,oFAAoF;AACpF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CA+BnD;AAMD,+DAA+D;AAC/D,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAmB1E;AAMD,0DAA0D;AAC1D,wBAAgB,uBAAuB,IAAI,iBAAiB,CAW3D;AAED,yDAAyD;AACzD,wBAAgB,OAAO,CACrB,KAAK,EAAE,iBAAiB,EACxB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAKN;AAED,0FAA0F;AAC1F,wBAAgB,cAAc,CAC5B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,GACd,IAAI,CAoBN;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,GACd,IAAI,CAwBN;AAED,oFAAoF;AACpF,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA0BN;AAED,wEAAwE;AACxE,wBAAgB,cAAc,CAC5B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAKN;AAED,iDAAiD;AACjD,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAmDN;AAED,qEAAqE;AACrE,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA4CN;AAED,uDAAuD;AACvD,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA8BN;AAED,2EAA2E;AAC3E,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAgCN;AAED,8DAA8D;AAC9D,wBAAgB,eAAe,CAC7B,KAAK,EAAE,iBAAiB,EACxB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,IAAI,CA+CN;AAMD,gDAAgD;AAChD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAE9C;AAED,oDAAoD;AACpD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAI5D;AAED,uDAAuD;AACvD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAG3D;AAED,2DAA2D;AAC3D,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CAyB1D;AAED,mFAAmF;AACnF,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,WAAW,EACxB,OAAO,EAAE,OAAO,GACf,MAAM,EAAE,CAoDV;AAMD,yDAAyD;AACzD,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,mBAAmB,CAAC,CA8G9B"}
+{"version":3,"file":"design-token-utils.d.ts","sourceRoot":"","sources":["../../src/server/design-token-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,kEAAkE;AAClE,eAAO,MAAM,SAAS,KAAK,CAAC;AAE5B,6CAA6C;AAC7C,eAAO,MAAM,aAAa,QAAa,CAAC;AAExC,qDAAqD;AACrD,eAAO,MAAM,aAAa,QAAQ,CAAC;AAEnC,uDAAuD;AACvD,eAAO,MAAM,aAAa,EAAE,MAAM,EAOjC,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,EAAE,MAAM,EASnC,CAAC;AAEF,6CAA6C;AAC7C,eAAO,MAAM,cAAc,KAAK,CAAC;AAEjC,mDAAmD;AACnD,eAAO,MAAM,oBAAoB,QAAa,CAAC;AAE/C,yDAAyD;AACzD,eAAO,MAAM,YAAY,QAAkC,CAAC;AAE5D,6CAA6C;AAC7C,eAAO,MAAM,cAAc,QACoM,CAAC;AAEhO,iEAAiE;AACjE,eAAO,MAAM,YAAY,QACma,CAAC;AAE7b,uEAAuE;AACvE,eAAO,MAAM,iBAAiB,QAC0B,CAAC;AAEzD,mEAAmE;AACnE,eAAO,MAAM,mBAAmB,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAgBhE,CAAC;AAMF,MAAM,MAAM,WAAW,GACnB,cAAc,GACd,UAAU,GACV,aAAa,GACb,KAAK,GACL,OAAO,CAAC;AAEZ,MAAM,WAAW,SAAS;IACxB,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;IACxD,KAAK,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC7C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,WAAW,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,EAAE,CAAC;IACjE,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAChD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB,CAAC,CAAC,GAAG,OAAO;IAC3C,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,2FAA2F;AAC3F,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CA2B7C;AAMD,oEAAoE;AACpE,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd,CA2BA;AAcD,6EAA6E;AAC7E,wBAAsB,qBAAqB,CAAC,CAAC,GAAG,OAAO,EACrD,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAuB9B;AAED,gFAAgF;AAChF,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED,8FAA8F;AAC9F,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAexB;AAMD,uFAAuF;AACvF,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgE5E;AAMD,oFAAoF;AACpF,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CA+BnD;AAMD,+DAA+D;AAC/D,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAmB1E;AAMD,0DAA0D;AAC1D,wBAAgB,uBAAuB,IAAI,iBAAiB,CAW3D;AAED,yDAAyD;AACzD,wBAAgB,OAAO,CACrB,KAAK,EAAE,iBAAiB,EACxB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAKN;AAED,0FAA0F;AAC1F,wBAAgB,cAAc,CAC5B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,GACd,IAAI,CAoBN;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,GACd,IAAI,CAwBN;AAED,oFAAoF;AACpF,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA0BN;AAED,wEAAwE;AACxE,wBAAgB,cAAc,CAC5B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAKN;AAED,iDAAiD;AACjD,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAmDN;AAED,qEAAqE;AACrE,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA4CN;AAED,uDAAuD;AACvD,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CA8BN;AAED,2EAA2E;AAC3E,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,IAAI,CAgCN;AAED,8DAA8D;AAC9D,wBAAgB,eAAe,CAC7B,KAAK,EAAE,iBAAiB,EACxB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,IAAI,CA+CN;AAMD,gDAAgD;AAChD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAE9C;AAED,oDAAoD;AACpD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAI5D;AAED,uDAAuD;AACvD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAG3D;AAED,2DAA2D;AAC3D,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,CAyB1D;AAED,mFAAmF;AACnF,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,WAAW,EACxB,OAAO,EAAE,OAAO,GACf,MAAM,EAAE,CAoDV;AAMD,yDAAyD;AACzD,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,mBAAmB,CAAC,CA8G9B"}

package/dist/server/design-token-utils.js

@@ -102,41 +102,73 @@ export function validateUrl(url) {
 // ---------------------------------------------------------------------------
 /** Parse a GitHub URL or "org/repo" shorthand into owner + repo. */
 export function parseOwnerRepo(raw) {
-    const shorthand = raw.match(/^([^/]+)\/([^/]+)$/);
+    const cleaned = raw
+        .trim()
+        .replace(/[?#].*$/, "")
+        .replace(/\/+$/, "");
+    const sshMatch = cleaned.match(/^(?:ssh:\/\/)?git@github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/);
+    if (sshMatch) {
+        return { owner: sshMatch[1], repo: sshMatch[2] };
+    }
+    const shorthand = cleaned.match(/^([^/\s]+)\/([^/\s]+?)(?:\.git)?$/);
     if (shorthand) {
         return { owner: shorthand[1], repo: shorthand[2] };
     }
-    const urlMatch = raw.match(/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?(?:\/.*)?$/);
+    const urlMatch = cleaned.match(/github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?(?:\/.*)?$/);
     if (urlMatch) {
         return { owner: urlMatch[1], repo: urlMatch[2] };
     }
     throw new Error("Could not parse GitHub owner/repo from URL. " +
-        'Expected format: "https://github.com/org/repo" or "org/repo"');
+        'Expected format: "https://github.com/org/repo", "org/repo", or "git@github.com:org/repo.git"');
 }
 /** Fetch a path from the GitHub Contents API as JSON. Returns null on error. */
-export async function fetchGitHubJson(owner, repo, path) {
+function githubHeaders(accept, options = {}) {
+    return {
+        Accept: accept,
+        "User-Agent": "AgentNative/1.0",
+        ...(options.token ? { Authorization: `Bearer ${options.token}` } : {}),
+    };
+}
+/** Fetch a path from the GitHub Contents API as JSON with status details. */
+export async function fetchGitHubJsonResult(owner, repo, path, options = {}) {
     const url = `https://api.github.com/repos/${owner}/${repo}/contents/${path}`;
     validateUrl(url);
     const res = await fetch(url, {
-        headers: {
-            Accept: "application/vnd.github.v3+json",
-            "User-Agent": "AgentNative/1.0",
-        },
+        headers: githubHeaders("application/vnd.github.v3+json", options),
         signal: AbortSignal.timeout(FETCH_TIMEOUT),
     });
-    if (!res.ok)
-        return null;
-    return res.json();
+    if (!res.ok) {
+        let message;
+        try {
+            const body = (await res.json());
+            if (typeof body.message === "string")
+                message = body.message;
+        }
+        catch {
+            try {
+                const text = await res.text();
+                if (text)
+                    message = text.slice(0, 200);
+            }
+            catch {
+                // Keep the status-only result.
+            }
+        }
+        return { ok: false, status: res.status, data: null, message };
+    }
+    return { ok: true, status: res.status, data: (await res.json()) };
+}
+/** Fetch a path from the GitHub Contents API as JSON. Returns null on error. */
+export async function fetchGitHubJson(owner, repo, path, options = {}) {
+    const result = await fetchGitHubJsonResult(owner, repo, path, options);
+    return result.ok ? result.data : null;
 }
 /** Fetch raw file content from the GitHub Contents API. Returns null on error or oversize. */
-export async function fetchGitHubRaw(owner, repo, path) {
+export async function fetchGitHubRaw(owner, repo, path, options = {}) {
     const url = `https://api.github.com/repos/${owner}/${repo}/contents/${path}`;
     validateUrl(url);
     const res = await fetch(url, {
-        headers: {
-            Accept: "application/vnd.github.v3.raw",
-            "User-Agent": "AgentNative/1.0",
-        },
+        headers: githubHeaders("application/vnd.github.v3.raw", options),
         signal: AbortSignal.timeout(FETCH_TIMEOUT),
     });
     if (!res.ok)