@agentstep/agent-sdk 0.5.28 → 0.5.33

package/dist/{chunk-GKNBECPD.js → chunk-DZKBUOYU.js}

@@ -5,10 +5,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/db/proxy.ts
 init_drizzle();

package/dist/{chunk-Z25QQE5Z.js → chunk-EUMA5Q4U.js}

@@ -1,17 +1,17 @@
 import {
   listTraces
-} from "./chunk-5BA36MSQ.js";
+} from "./chunk-UMXXZ6OX.js";
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   exportTrace
-} from "./chunk-PZKWZKRP.js";
+} from "./chunk-2KF2TIEY.js";
 import {
   listEventsByTrace,
   rowToManagedEvent
-} from "./chunk-IS6CQPAQ.js";
+} from "./chunk-OEFJPZYH.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-FC3UAHXM.js → chunk-FDLQ3IUB.js}

@@ -14,7 +14,7 @@ import {
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 
 // src/db/audit.ts
 init_client();

package/dist/{chunk-FDL2JHXO.js → chunk-GCT7A5KR.js}

@@ -10,10 +10,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 import {
   __esm,
   __export

package/dist/{chunk-Z5XQQN7H.js → chunk-HWWFRSAX.js}

@@ -1,16 +1,16 @@
 import {
   disableUpstreamKey,
   selectNextUpstreamKey
-} from "./chunk-ZP5QO5BR.js";
+} from "./chunk-ABUNDZCE.js";
 import {
   listEntries
-} from "./chunk-IC5ZTBAW.js";
+} from "./chunk-MUARVVXF.js";
 import {
   getSession
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/providers/upstream-keys.ts
 var CONSECUTIVE_FAIL_THRESHOLD = 3;

package/dist/{chunk-KWG7NGYF.js → chunk-I2RVN7CP.js}

@@ -1,20 +1,20 @@
 import {
   createSession
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   createEnvironment,
   deleteEnvironment,
   getEnvironment
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   archiveAgent,
   createAgent,
   getAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 
 // src/db/batch.ts
 init_drizzle();

package/dist/{chunk-JCIAIJFF.js → chunk-IC2ETYU5.js}

@@ -8,13 +8,13 @@ import {
   getMemoryByPath,
   getMemoryStore,
   listMemories
-} from "./chunk-GNXIA5WC.js";
+} from "./chunk-TVV7AE3G.js";
 import {
   listSessions
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   listEvents
-} from "./chunk-IS6CQPAQ.js";
+} from "./chunk-OEFJPZYH.js";
 import {
   init_clock,
   nowMs

package/dist/{chunk-3FLQ7KZP.js → chunk-IMJTHYN3.js}

@@ -1,6 +1,6 @@
 import {
   buildOpenApiDocument
-} from "./chunk-I2WVMCYN.js";
+} from "./chunk-PWLWDWRL.js";
 
 // src/handlers/openapi.ts
 function originFromRequest(request) {

package/dist/{chunk-ISGA4AOC.js → chunk-J6ESQUW6.js}

@@ -1,9 +1,9 @@
 import {
   listEntries
-} from "./chunk-IC5ZTBAW.js";
+} from "./chunk-MUARVVXF.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/observability/redactor.ts
 var REDACTED = "[REDACTED]";

package/dist/{chunk-Y3V4COP7.js → chunk-J7F2OFWQ.js}

@@ -1,16 +1,16 @@
+import {
+  createPiTranslator
+} from "./chunk-B6E6BVNK.js";
 import {
   buildPiArgs
-} from "./chunk-6KWJASEO.js";
+} from "./chunk-6SD6MC2B.js";
 import {
   buildPiAuthEnv,
   validatePiRuntime
-} from "./chunk-IITCQTBZ.js";
+} from "./chunk-T2PXAQND.js";
 import {
   preparePiOnSandbox
 } from "./chunk-CMOU2OFW.js";
-import {
-  createPiTranslator
-} from "./chunk-B6E6BVNK.js";
 import {
   PI_WRAPPER_PATH
 } from "./chunk-OGA7KDQZ.js";

package/dist/chunk-J7VBHBXL.js

@@ -0,0 +1,210 @@
+import {
+  tenantFilter
+} from "./chunk-23UKWXJH.js";
+import {
+  jsonOk,
+  routeWrap
+} from "./chunk-XOWRUT4X.js";
+import {
+  getUserProfile,
+  updateUserProfile
+} from "./chunk-YOZ6WDP3.js";
+import {
+  createCredential,
+  getCredential,
+  updateCredential
+} from "./chunk-WK33IBKY.js";
+import {
+  badRequest,
+  notFound
+} from "./chunk-EZYKRG4W.js";
+
+// src/handlers/enrollment.ts
+import { z } from "zod";
+import { randomBytes } from "crypto";
+var pendingEnrollments = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const cutoff = Date.now() - 10 * 6e4;
+  for (const [state, enrollment] of pendingEnrollments) {
+    if (enrollment.createdAt < cutoff) pendingEnrollments.delete(state);
+  }
+}, 6e4);
+var EnrollmentSchema = z.object({
+  vault_id: z.string().min(1),
+  credential_id: z.string().optional(),
+  // update existing credential, or omit to create new
+  display_name: z.string().min(1).optional(),
+  // required when creating new
+  authorize_url: z.string().url(),
+  token_endpoint: z.string().url(),
+  client_id: z.string().min(1),
+  client_secret: z.string().optional(),
+  scope: z.string().optional(),
+  redirect_uri: z.string().url().optional()
+});
+function handleEnrollmentUrl(request, profileId) {
+  return routeWrap(request, async ({ auth }) => {
+    const profile = getUserProfile(profileId);
+    if (!profile) throw notFound(`user profile not found: ${profileId}`);
+    const filter = tenantFilter(auth);
+    if (filter && profile.tenant_id !== filter) {
+      throw notFound(`user profile not found: ${profileId}`);
+    }
+    const body = await request.json().catch(() => null);
+    const parsed = EnrollmentSchema.safeParse(body);
+    if (!parsed.success) {
+      throw badRequest(`invalid body: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    const data = parsed.data;
+    if (data.credential_id) {
+      const cred = getCredential(data.credential_id);
+      if (!cred || cred.vault_id !== data.vault_id) {
+        throw badRequest(`credential not found: ${data.credential_id}`);
+      }
+    } else if (!data.display_name) {
+      throw badRequest("display_name is required when creating a new credential");
+    }
+    const state = randomBytes(32).toString("hex");
+    const reqUrl = new URL(request.url);
+    const redirectUri = data.redirect_uri || `${reqUrl.origin}/v1/oauth/callback`;
+    pendingEnrollments.set(state, {
+      profileId,
+      vaultId: data.vault_id,
+      credentialId: data.credential_id ?? null,
+      tokenEndpoint: data.token_endpoint,
+      clientId: data.client_id,
+      clientSecret: data.client_secret,
+      scope: data.scope,
+      redirectUri,
+      createdAt: Date.now()
+    });
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: data.client_id,
+      redirect_uri: redirectUri,
+      state,
+      ...data.scope ? { scope: data.scope } : {}
+    });
+    const url = `${data.authorize_url}?${params.toString()}`;
+    return jsonOk({
+      type: "enrollment_url",
+      url,
+      state,
+      redirect_uri: redirectUri,
+      expires_in: 600
+      // 10 minutes
+    });
+  });
+}
+async function handleOAuthCallback(request) {
+  const { ensureInitialized } = await import("./init.js");
+  await ensureInitialized();
+  try {
+    const url = new URL(request.url);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    if (error) {
+      return new Response(
+        `<html><body><h2>Authorization failed</h2><p>${error}</p></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    if (!code || !state) {
+      return new Response(
+        `<html><body><h2>Missing code or state parameter</h2></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    const enrollment = pendingEnrollments.get(state);
+    if (!enrollment) {
+      return new Response(
+        `<html><body><h2>Invalid or expired enrollment state</h2><p>Please restart the enrollment process.</p></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    pendingEnrollments.delete(state);
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      client_id: enrollment.clientId,
+      redirect_uri: enrollment.redirectUri,
+      ...enrollment.scope ? { scope: enrollment.scope } : {}
+    });
+    if (enrollment.clientSecret) {
+      body.set("client_secret", enrollment.clientSecret);
+    }
+    const tokenRes = await fetch(enrollment.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString(),
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!tokenRes.ok) {
+      const errText = await tokenRes.text().catch(() => "");
+      return new Response(
+        `<html><body><h2>Token exchange failed</h2><p>${tokenRes.status}: ${errText.slice(0, 200)}</p></body></html>`,
+        { status: 502, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    const tokens = await tokenRes.json();
+    let credentialId;
+    const expiresAt = tokens.expires_in ? new Date(Date.now() + tokens.expires_in * 1e3).toISOString() : null;
+    const refreshConfig = tokens.refresh_token ? {
+      token_endpoint: enrollment.tokenEndpoint,
+      client_id: enrollment.clientId,
+      scope: enrollment.scope ?? tokens.scope,
+      refresh_token: tokens.refresh_token,
+      ...enrollment.clientSecret ? { token_endpoint_auth: { type: "client_secret_post", client_secret: enrollment.clientSecret } } : {}
+    } : null;
+    if (enrollment.credentialId) {
+      updateCredential(enrollment.credentialId, {
+        auth_type: "mcp_oauth",
+        token: tokens.access_token,
+        expires_at: expiresAt,
+        refresh_config: refreshConfig
+      });
+      credentialId = enrollment.credentialId;
+    } else {
+      const profile2 = getUserProfile(enrollment.profileId);
+      const displayName = `oauth-${enrollment.clientId}-${Date.now()}`;
+      const cred = createCredential({
+        vault_id: enrollment.vaultId,
+        display_name: displayName,
+        auth_type: "mcp_oauth",
+        token: tokens.access_token,
+        expires_at: expiresAt,
+        refresh_config: refreshConfig
+      });
+      credentialId = cred.id;
+    }
+    const profile = getUserProfile(enrollment.profileId);
+    if (profile) {
+      const existingGrant = profile.trust_grants.find(
+        (g) => g.vault_id === enrollment.vaultId && g.credential_id === credentialId
+      );
+      if (!existingGrant) {
+        const newGrants = [
+          ...profile.trust_grants,
+          { type: "vault_credential", vault_id: enrollment.vaultId, credential_id: credentialId }
+        ];
+        updateUserProfile(enrollment.profileId, { trust_grants: newGrants });
+      }
+    }
+    return new Response(
+      `<html><body><h2>Enrollment complete</h2><p>Credential ${credentialId} has been linked to your profile. You can close this window.</p></body></html>`,
+      { status: 200, headers: { "Content-Type": "text/html" } }
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return new Response(
+      `<html><body><h2>Enrollment error</h2><p>${msg}</p></body></html>`,
+      { status: 500, headers: { "Content-Type": "text/html" } }
+    );
+  }
+}
+
+export {
+  handleEnrollmentUrl,
+  handleOAuthCallback
+};

package/dist/{chunk-A4GJADRQ.js → chunk-JF777FWD.js}

@@ -10,10 +10,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/db/work.ts
 init_drizzle();

package/dist/{chunk-IDQKHWWN.js → chunk-JFHYXFAL.js}

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   ApiError
 } from "./chunk-EZYKRG4W.js";

package/dist/{chunk-ANTKOI3K.js → chunk-JMDV55BV.js}

@@ -1,11 +1,11 @@
 import {
   BatchError,
   executeBatch
-} from "./chunk-KWG7NGYF.js";
+} from "./chunk-I2RVN7CP.js";
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   badRequest
 } from "./chunk-EZYKRG4W.js";

package/dist/{chunk-WG3N6VUA.js → chunk-JN3DHH7Z.js}

@@ -1,13 +1,3 @@
-import {
-  buildClaudeArgs,
-  buildClaudeAuthEnv
-} from "./chunk-GSDVHR43.js";
-import {
-  PERMISSION_BRIDGE_DIR,
-  PERMISSION_HOOK_SCRIPT_PATH,
-  buildPermissionHooksConfig,
-  generatePermissionHookScript
-} from "./chunk-CY6AWCC6.js";
 import {
   TOOL_BRIDGE_DIR,
   TOOL_BRIDGE_SCRIPT_PATH,
@@ -19,13 +9,23 @@ import {
 import {
   createClaudeTranslator
 } from "./chunk-D6RQPBRG.js";
+import {
+  buildClaudeArgs,
+  buildClaudeAuthEnv
+} from "./chunk-YJCH35J4.js";
+import {
+  PERMISSION_BRIDGE_DIR,
+  PERMISSION_HOOK_SCRIPT_PATH,
+  buildPermissionHooksConfig,
+  generatePermissionHookScript
+} from "./chunk-CY6AWCC6.js";
 import {
   CLAUDE_WRAPPER_PATH,
   installClaudeWrapper
 } from "./chunk-J6T3W6RY.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/backends/claude/index.ts
 function buildTurn(input) {

package/dist/{chunk-NOHH2ZH7.js → chunk-JNLVQGSH.js}

@@ -2,7 +2,7 @@ import {
   archiveThread,
   getThread,
   listThreads
-} from "./chunk-IPTEXVQG.js";
+} from "./chunk-Z5IENUYV.js";
 import {
   assertResourceTenant
 } from "./chunk-23UKWXJH.js";
@@ -10,21 +10,21 @@ import {
   jsonOk,
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   subscribe
-} from "./chunk-2K3UO6TC.js";
+} from "./chunk-RES4BCTF.js";
 import {
   getSession
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   listEvents,
   rowToManagedEvent
-} from "./chunk-IS6CQPAQ.js";
+} from "./chunk-OEFJPZYH.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-FQQ2R6FA.js → chunk-JNSJKHYX.js}

@@ -1,6 +1,6 @@
 import {
   listEntries
-} from "./chunk-IC5ZTBAW.js";
+} from "./chunk-MUARVVXF.js";
 
 // src/providers/resolve-secrets.ts
 var BLOCKED_ENV_KEYS = /* @__PURE__ */ new Set([

package/dist/{chunk-TJORQTH6.js → chunk-KGOOCFQY.js}

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/backends/gemini/auth.ts
 function buildGeminiAuthEnv() {

package/dist/chunk-KLGAE7V4.js

@@ -0,0 +1,108 @@
+import {
+  resolveCreateTenant,
+  tenantFilter
+} from "./chunk-23UKWXJH.js";
+import {
+  jsonOk,
+  paginatedOk,
+  routeWrap
+} from "./chunk-XOWRUT4X.js";
+import {
+  createUserProfile,
+  getUserProfile,
+  listUserProfiles,
+  updateUserProfile
+} from "./chunk-YOZ6WDP3.js";
+import {
+  badRequest,
+  notFound
+} from "./chunk-EZYKRG4W.js";
+
+// src/handlers/user-profiles.ts
+import { z } from "zod";
+var TrustGrantSchema = z.object({
+  type: z.literal("vault_credential"),
+  vault_id: z.string().min(1),
+  credential_id: z.string().min(1)
+});
+var CreateSchema = z.object({
+  external_id: z.string().max(256).optional(),
+  display_name: z.string().max(256).optional(),
+  trust_grants: z.array(TrustGrantSchema).max(50).optional()
+});
+var UpdateSchema = z.object({
+  external_id: z.string().max(256).nullish(),
+  display_name: z.string().max(256).nullish(),
+  trust_grants: z.array(TrustGrantSchema).max(50).optional()
+});
+function handleCreateUserProfile(request) {
+  return routeWrap(request, async ({ auth }) => {
+    const body = await request.json().catch(() => null);
+    const parsed = CreateSchema.safeParse(body);
+    if (!parsed.success) {
+      throw badRequest(`invalid body: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    const tenantId = resolveCreateTenant(auth, void 0);
+    const profile = createUserProfile({
+      external_id: parsed.data.external_id,
+      display_name: parsed.data.display_name,
+      trust_grants: parsed.data.trust_grants,
+      tenant_id: tenantId
+    });
+    return jsonOk(profile, 201);
+  });
+}
+function handleListUserProfiles(request) {
+  return routeWrap(request, async ({ auth }) => {
+    const url = new URL(request.url);
+    const limit = Math.min(Number(url.searchParams.get("limit") ?? 50), 100);
+    const afterId = url.searchParams.get("after_id") ?? void 0;
+    const filter = tenantFilter(auth);
+    const result = listUserProfiles({
+      tenant_id: filter ?? void 0,
+      limit,
+      after_id: afterId
+    });
+    return paginatedOk(result.data, limit);
+  });
+}
+function handleGetUserProfile(request, id) {
+  return routeWrap(request, async ({ auth }) => {
+    const profile = getUserProfile(id);
+    if (!profile) throw notFound(`user profile not found: ${id}`);
+    const filter = tenantFilter(auth);
+    if (filter && profile.tenant_id !== filter) {
+      throw notFound(`user profile not found: ${id}`);
+    }
+    return jsonOk(profile);
+  });
+}
+function handleUpdateUserProfile(request, id) {
+  return routeWrap(request, async ({ auth }) => {
+    const existing = getUserProfile(id);
+    if (!existing) throw notFound(`user profile not found: ${id}`);
+    const filter = tenantFilter(auth);
+    if (filter && existing.tenant_id !== filter) {
+      throw notFound(`user profile not found: ${id}`);
+    }
+    const body = await request.json().catch(() => null);
+    const parsed = UpdateSchema.safeParse(body);
+    if (!parsed.success) {
+      throw badRequest(`invalid body: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    const updated = updateUserProfile(id, {
+      external_id: parsed.data.external_id,
+      display_name: parsed.data.display_name,
+      trust_grants: parsed.data.trust_grants
+    });
+    if (!updated) throw notFound(`user profile not found: ${id}`);
+    return jsonOk(updated);
+  });
+}
+
+export {
+  handleCreateUserProfile,
+  handleListUserProfiles,
+  handleGetUserProfile,
+  handleUpdateUserProfile
+};

package/dist/{chunk-KHTLT44I.js → chunk-KSL2D4AD.js}

@@ -7,16 +7,16 @@ import {
   pollWorkItem,
   stopWorkItem,
   updateWorkItemMetadata
-} from "./chunk-A4GJADRQ.js";
+} from "./chunk-JF777FWD.js";
 import {
   decodeCursor,
   jsonOk,
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   getEnvironment
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-MNW6D7T4.js → chunk-M72ERPMT.js}

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/backends/factory/auth.ts
 function buildFactoryAuthEnv() {

package/dist/{chunk-IC5ZTBAW.js → chunk-MUARVVXF.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-AIBH32FN.js";
 import {
   DEFAULT_TENANT_ID
-} from "./chunk-F5SHFZUA.js";
+} from "./chunk-YTBVILAH.js";
 import {
   init_ids,
   newId
@@ -17,10 +17,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/db/vaults.ts
 init_drizzle();