npm - @agentstep/agent-sdk - Versions diffs - 0.5.28 → 0.5.33 - Mend

@agentstep/agent-sdk 0.5.28 → 0.5.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

package/dist/auth/middleware.js +8 -8
package/dist/backends/claude/args.js +6 -6
package/dist/backends/claude/index.js +11 -11
package/dist/backends/codex/auth.js +6 -6
package/dist/backends/codex/index.js +10 -10
package/dist/backends/factory/auth.js +6 -6
package/dist/backends/factory/index.js +12 -12
package/dist/backends/gemini/auth.js +6 -6
package/dist/backends/gemini/index.js +13 -13
package/dist/backends/opencode/args.js +1 -1
package/dist/backends/opencode/auth.js +6 -6
package/dist/backends/opencode/index.js +14 -14
package/dist/backends/pi/args.js +1 -1
package/dist/backends/pi/auth.js +6 -6
package/dist/backends/pi/index.js +11 -11
package/dist/backends/registry.js +29 -29
package/dist/{chunk-PZKWZKRP.js → chunk-2KF2TIEY.js} +5 -5
package/dist/{chunk-33QZ6KIY.js → chunk-3B4JRSYA.js} +5 -5
package/dist/{chunk-LJNLU5PQ.js → chunk-3NUTTKE5.js} +2 -2
package/dist/{chunk-MZ6HBYGV.js → chunk-65XY7HRS.js} +7 -7
package/dist/{chunk-US26CY2Y.js → chunk-6EIONZ7F.js} +2 -2
package/dist/{chunk-TV6QMCDS.js → chunk-6RRK27I3.js} +3 -3
package/dist/chunk-6SD6MC2B.js +29 -0
package/dist/{chunk-ENFWZ2QM.js → chunk-6U6HEVSN.js} +7 -3
package/dist/{chunk-CXIP6H55.js → chunk-7JA6HCMK.js} +2 -2
package/dist/{chunk-ZM33GAEB.js → chunk-7PFDF5PN.js} +7 -7
package/dist/{chunk-UB7GS7XT.js → chunk-A3FQHVUG.js} +7 -7
package/dist/{chunk-ZP5QO5BR.js → chunk-ABUNDZCE.js} +1 -1
package/dist/{chunk-Q62QJXGO.js → chunk-AGIXZFHQ.js} +1 -1
package/dist/{chunk-QCP37SCU.js → chunk-AK6HMO7I.js} +8 -8
package/dist/{chunk-BYUIOMPX.js → chunk-AKGWEACL.js} +23 -23
package/dist/{chunk-NKOGWVP3.js → chunk-AUEKXYNE.js} +4 -4
package/dist/{chunk-RKPT6O7I.js → chunk-B24Q4CUC.js} +5 -5
package/dist/{chunk-SKVAM5H2.js → chunk-B3W3E5CS.js} +1 -1
package/dist/{chunk-5AV732JY.js → chunk-BKMY6TSV.js} +2 -2
package/dist/{chunk-WLCI57J6.js → chunk-C3UXUDZS.js} +4 -4
package/dist/{chunk-QQGXM2OQ.js → chunk-C7P2TYOG.js} +1 -1
package/dist/{chunk-HVCY7DET.js → chunk-CHNJK2KW.js} +2 -2
package/dist/{chunk-MAN6OCOP.js → chunk-CJIGDJIJ.js} +3 -3
package/dist/{chunk-CVYNMYIE.js → chunk-CWB2DQN5.js} +3 -3
package/dist/{chunk-QBZMVYDV.js → chunk-CWVYFBZF.js} +4 -4
package/dist/{chunk-4ENK7S24.js → chunk-CXYMVLYK.js} +4 -0
package/dist/{chunk-4BJTLMHV.js → chunk-DAOKOXGY.js} +17 -17
package/dist/{chunk-R37QM2U4.js → chunk-DF34ESOO.js} +1 -1
package/dist/{chunk-GKNBECPD.js → chunk-DZKBUOYU.js} +2 -2
package/dist/{chunk-Z25QQE5Z.js → chunk-EUMA5Q4U.js} +4 -4
package/dist/{chunk-FC3UAHXM.js → chunk-FDLQ3IUB.js} +1 -1
package/dist/{chunk-FDL2JHXO.js → chunk-GCT7A5KR.js} +2 -2
package/dist/{chunk-Z5XQQN7H.js → chunk-HWWFRSAX.js} +4 -4
package/dist/{chunk-KWG7NGYF.js → chunk-I2RVN7CP.js} +4 -4
package/dist/{chunk-JCIAIJFF.js → chunk-IC2ETYU5.js} +3 -3
package/dist/{chunk-3FLQ7KZP.js → chunk-IMJTHYN3.js} +1 -1
package/dist/{chunk-ISGA4AOC.js → chunk-J6ESQUW6.js} +2 -2
package/dist/{chunk-Y3V4COP7.js → chunk-J7F2OFWQ.js} +5 -5
package/dist/chunk-J7VBHBXL.js +210 -0
package/dist/{chunk-A4GJADRQ.js → chunk-JF777FWD.js} +2 -2
package/dist/{chunk-IDQKHWWN.js → chunk-JFHYXFAL.js} +1 -1
package/dist/{chunk-ANTKOI3K.js → chunk-JMDV55BV.js} +2 -2
package/dist/{chunk-WG3N6VUA.js → chunk-JN3DHH7Z.js} +11 -11
package/dist/{chunk-NOHH2ZH7.js → chunk-JNLVQGSH.js} +6 -6
package/dist/{chunk-FQQ2R6FA.js → chunk-JNSJKHYX.js} +1 -1
package/dist/{chunk-TJORQTH6.js → chunk-KGOOCFQY.js} +1 -1
package/dist/chunk-KLGAE7V4.js +108 -0
package/dist/{chunk-KHTLT44I.js → chunk-KSL2D4AD.js} +3 -3
package/dist/{chunk-MNW6D7T4.js → chunk-M72ERPMT.js} +1 -1
package/dist/{chunk-IC5ZTBAW.js → chunk-MUARVVXF.js} +3 -3
package/dist/{chunk-G6XFFNCQ.js → chunk-N7XSXI5O.js} +18 -18
package/dist/{chunk-N627DRI6.js → chunk-NLJK7FEN.js} +3 -3
package/dist/{chunk-BRULBMRN.js → chunk-NSUVDKNC.js} +3 -3
package/dist/{chunk-IS6CQPAQ.js → chunk-OEFJPZYH.js} +3 -3
package/dist/{chunk-P56WU3UT.js → chunk-PDWLVL34.js} +8 -5
package/dist/{chunk-I2WVMCYN.js → chunk-PWLWDWRL.js} +1 -1
package/dist/{chunk-JTGISCYV.js → chunk-QCGIYXN4.js} +1 -1
package/dist/{chunk-3V4BPIBU.js → chunk-QGPHATO3.js} +2 -2
package/dist/{chunk-YS3W5AQA.js → chunk-REHIJQUD.js} +9 -9
package/dist/{chunk-2K3UO6TC.js → chunk-RES4BCTF.js} +4 -4
package/dist/{chunk-HDLPEXWS.js → chunk-S5CMAWEC.js} +20 -0
package/dist/{chunk-KD5Y4XSU.js → chunk-S6HILC3F.js} +2 -2
package/dist/{chunk-CBPO2P4I.js → chunk-SAI6LBXW.js} +2 -2
package/dist/{chunk-IWI74DWW.js → chunk-SDTRWSGF.js} +51 -14
package/dist/{chunk-CXXL77ER.js → chunk-SHUFUWAB.js} +61 -4
package/dist/{chunk-YMKQJY5F.js → chunk-SIO4LO2M.js} +1 -1
package/dist/{chunk-IITCQTBZ.js → chunk-T2PXAQND.js} +1 -1
package/dist/{chunk-HPL2MQGY.js → chunk-T3TNJHED.js} +6 -6
package/dist/{chunk-MNZB2OWP.js → chunk-TKFAWQD7.js} +2 -2
package/dist/{chunk-D3LKWVPA.js → chunk-TTDMQ54U.js} +2 -2
package/dist/{chunk-CACVB5PH.js → chunk-TTZGQIQS.js} +1 -1
package/dist/{chunk-GNXIA5WC.js → chunk-TVV7AE3G.js} +2 -2
package/dist/{chunk-2REGK4VO.js → chunk-U4SVWPLC.js} +11 -11
package/dist/{chunk-5BA36MSQ.js → chunk-UMXXZ6OX.js} +1 -1
package/dist/{chunk-QSRH4XUG.js → chunk-UNO3TSAT.js} +1 -1
package/dist/{chunk-V4DEOZFK.js → chunk-USSUE7J2.js} +5 -5
package/dist/{chunk-WHTGWLGJ.js → chunk-UTGP4X74.js} +1 -1
package/dist/{chunk-XMZQW5G5.js → chunk-V5RHOS43.js} +8 -8
package/dist/{chunk-Z2AVP3QL.js → chunk-VB6GGRIA.js} +16 -3
package/dist/{chunk-RSXTLOY3.js → chunk-VY5XWTW7.js} +1 -1
package/dist/{chunk-VVCRJ46V.js → chunk-WEUPM3IN.js} +4 -4
package/dist/{chunk-RZHIYTI3.js → chunk-WK33IBKY.js} +10 -1
package/dist/{chunk-DI5WC2SQ.js → chunk-XOWRUT4X.js} +2 -2
package/dist/{chunk-AZLZOG5N.js → chunk-XYNEAJDF.js} +1 -1
package/dist/{chunk-TFTJ734B.js → chunk-Y5RNFM44.js} +2 -2
package/dist/{chunk-GSDVHR43.js → chunk-YJCH35J4.js} +5 -3
package/dist/{chunk-T77N7C3M.js → chunk-YKPRNV6J.js} +2 -2
package/dist/chunk-YOZ6WDP3.js +103 -0
package/dist/{chunk-7DPZMROX.js → chunk-YRFWPBGX.js} +2 -2
package/dist/{chunk-F5SHFZUA.js → chunk-YTBVILAH.js} +1 -1
package/dist/{chunk-IPTEXVQG.js → chunk-Z5IENUYV.js} +3 -3
package/dist/{chunk-MQSTE4WH.js → chunk-ZBWKJ42J.js} +3 -3
package/dist/{chunk-GBJ3OT4D.js → chunk-ZC7OR65K.js} +7 -5
package/dist/{chunk-7U62OZSD.js → chunk-ZDDMPGN4.js} +2 -2
package/dist/{chunk-RRP4F6XC.js → chunk-ZPKQT6X2.js} +16 -6
package/dist/{chunk-LSMTQBMW.js → chunk-ZV5Y5JBE.js} +2 -2
package/dist/config/index.js +5 -5
package/dist/containers/client.js +6 -6
package/dist/containers/exec.js +6 -6
package/dist/containers/lifecycle.js +41 -41
package/dist/containers/setup.js +9 -9
package/dist/db/agents.js +6 -6
package/dist/db/api_keys.js +5 -5
package/dist/db/audit.js +3 -3
package/dist/db/batch.js +10 -10
package/dist/db/client.js +2 -2
package/dist/db/credentials.js +5 -3
package/dist/db/drizzle.js +4 -4
package/dist/db/environments.js +6 -6
package/dist/db/events.js +5 -5
package/dist/db/files.js +5 -5
package/dist/db/memory.js +5 -5
package/dist/db/migrations.js +1 -1
package/dist/db/proxy.js +5 -5
package/dist/db/schema.js +1 -1
package/dist/db/session-resources.js +5 -5
package/dist/db/sessions.js +8 -8
package/dist/db/skills.js +5 -5
package/dist/db/sync.js +5 -5
package/dist/db/tenants.js +3 -3
package/dist/db/threads.js +7 -7
package/dist/db/traces.js +5 -5
package/dist/db/upstream_keys.js +3 -3
package/dist/db/user-profiles.js +17 -0
package/dist/db/vaults.js +6 -6
package/dist/db/work.js +5 -5
package/dist/dreaming/review.js +11 -11
package/dist/handlers/agents.js +58 -57
package/dist/handlers/api_keys.js +59 -58
package/dist/handlers/audit.js +59 -58
package/dist/handlers/batch.js +59 -58
package/dist/handlers/credentials.js +61 -58
package/dist/handlers/enrollment.js +103 -0
package/dist/handlers/environments.js +59 -58
package/dist/handlers/events.js +62 -61
package/dist/handlers/files.js +59 -58
package/dist/handlers/index.js +145 -126
package/dist/handlers/license.js +58 -57
package/dist/handlers/memory.js +60 -59
package/dist/handlers/metrics.js +58 -57
package/dist/handlers/models.js +59 -58
package/dist/handlers/openapi.js +3 -3
package/dist/handlers/providers.js +58 -57
package/dist/handlers/resources.js +58 -57
package/dist/handlers/sessions.js +62 -61
package/dist/handlers/settings.js +58 -57
package/dist/handlers/skills-write.js +59 -58
package/dist/handlers/skills.js +59 -58
package/dist/handlers/stream.js +58 -57
package/dist/handlers/tenants.js +59 -58
package/dist/handlers/threads.js +59 -58
package/dist/handlers/traces.js +59 -58
package/dist/handlers/upstream_keys.js +61 -60
package/dist/handlers/user-profiles.js +107 -0
package/dist/handlers/vaults.js +58 -57
package/dist/handlers/whoami.js +58 -57
package/dist/handlers/work.js +59 -58
package/dist/http.js +57 -56
package/dist/index.js +68 -67
package/dist/init.js +54 -53
package/dist/lib/model-registry.js +6 -6
package/dist/lib/skills-cache.js +6 -6
package/dist/observability/otlp.js +12 -12
package/dist/observability/redactor.js +8 -8
package/dist/openapi/schemas.js +1 -1
package/dist/openapi/spec.js +2 -2
package/dist/providers/fly.js +5 -5
package/dist/providers/modal.js +5 -5
package/dist/providers/registry.js +6 -6
package/dist/providers/resolve-secrets.js +7 -7
package/dist/providers/sprites.js +7 -7
package/dist/providers/upstream-keys.js +12 -12
package/dist/providers/vercel.js +6 -6
package/dist/proxy/forward.js +6 -6
package/dist/queue/index.js +6 -6
package/dist/sessions/bus.js +10 -10
package/dist/sessions/driver.js +47 -46
package/dist/sessions/grader.js +5 -5
package/dist/sessions/secrets.js +9 -8
package/dist/sessions/sweeper.js +42 -42
package/dist/sessions/threads.js +55 -47
package/dist/shutdown.js +43 -43
package/dist/sync/anthropic.js +10 -10
package/dist/sync/container-file-sync.js +6 -6
package/dist/sync/file-sync.js +17 -17
package/dist/workers/runner.js +49 -48
package/package.json +1 -1
package/dist/chunk-6KWJASEO.js +0 -21
package/dist/{dist-EY25RQ2S.js → dist-3ZD3ELTH.js} +3 -3

package/dist/{chunk-GNXIA5WC.js → chunk-TVV7AE3G.js} RENAMED Viewed

@@ -10,10 +10,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 // src/db/memory.ts
 init_drizzle();

package/dist/{chunk-2REGK4VO.js → chunk-U4SVWPLC.js} RENAMED Viewed

@@ -1,21 +1,21 @@
-import {
-  resolveVaultSecrets
-} from "./chunk-FQQ2R6FA.js";
 import {
   dockerProvider
 } from "./chunk-4XXQAVKE.js";
+import {
+  resolveVaultSecrets
+} from "./chunk-JNSJKHYX.js";
 import {
   appendEvent
-} from "./chunk-2K3UO6TC.js";
+} from "./chunk-RES4BCTF.js";
 import {
   getSession,
   getSessionRow,
   setSessionSandbox
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   deleteSprite,
   listSprites
-} from "./chunk-AZLZOG5N.js";
+} from "./chunk-XYNEAJDF.js";
 import {
   allSessionSandboxes,
   countInEnv,
@@ -25,12 +25,12 @@ import {
 import {
   resolveProvider,
   tryResolveProvider
-} from "./chunk-QQGXM2OQ.js";
+} from "./chunk-C7P2TYOG.js";
 import {
   getEnvironment,
   getEnvironmentRow,
   listEnvironments
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   addWarm,
   claimWarm,
@@ -41,13 +41,13 @@ import {
 } from "./chunk-G7KUVNDY.js";
 import {
   getAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 import {
   resolveBackend
-} from "./chunk-XMZQW5G5.js";
+} from "./chunk-V5RHOS43.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   init_clock,
   nowMs

package/dist/{chunk-5BA36MSQ.js → chunk-UMXXZ6OX.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 // src/db/traces.ts
 init_drizzle();

package/dist/{chunk-QSRH4XUG.js → chunk-UNO3TSAT.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 // src/handlers/whoami.ts
 function handleWhoami(request) {

package/dist/{chunk-V4DEOZFK.js → chunk-USSUE7J2.js} RENAMED Viewed

@@ -6,7 +6,7 @@ import {
 } from "./chunk-23UKWXJH.js";
 import {
   recordAudit
-} from "./chunk-FC3UAHXM.js";
+} from "./chunk-FDLQ3IUB.js";
 import {
   COMMUNITY_LIMITS,
   hasFeature,
@@ -15,7 +15,7 @@ import {
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   createApiKey,
   getApiKeyById,
@@ -23,14 +23,14 @@ import {
   listApiKeys,
   revokeApiKey,
   updateApiKeyPermissions
-} from "./chunk-LJNLU5PQ.js";
+} from "./chunk-3NUTTKE5.js";
 import {
   listSessionsByApiKey
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   badRequest,
   forbidden,

package/dist/{chunk-WHTGWLGJ.js → chunk-UTGP4X74.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
 import {
   getConfig,
   readSetting
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   __commonJS
 } from "./chunk-2ESYSVXG.js";

package/dist/{chunk-XMZQW5G5.js → chunk-V5RHOS43.js} RENAMED Viewed

@@ -1,21 +1,21 @@
 import {
   piBackend
-} from "./chunk-Y3V4COP7.js";
+} from "./chunk-J7F2OFWQ.js";
+import {
+  geminiBackend
+} from "./chunk-A3FQHVUG.js";
 import {
   opencodeBackend
-} from "./chunk-YS3W5AQA.js";
+} from "./chunk-REHIJQUD.js";
 import {
   factoryBackend
-} from "./chunk-MZ6HBYGV.js";
-import {
-  geminiBackend
-} from "./chunk-UB7GS7XT.js";
+} from "./chunk-65XY7HRS.js";
 import {
   codexBackend
-} from "./chunk-VVCRJ46V.js";
+} from "./chunk-WEUPM3IN.js";
 import {
   claudeBackend
-} from "./chunk-WG3N6VUA.js";
+} from "./chunk-JN3DHH7Z.js";
 // src/backends/registry.ts
 var BACKENDS = {

package/dist/{chunk-Z2AVP3QL.js → chunk-VB6GGRIA.js} RENAMED Viewed

@@ -1,18 +1,31 @@
+import {
+  getUserProfile
+} from "./chunk-YOZ6WDP3.js";
 import {
   listCredentialsWithTokens
-} from "./chunk-RZHIYTI3.js";
+} from "./chunk-WK33IBKY.js";
 import {
   listEntries
-} from "./chunk-IC5ZTBAW.js";
+} from "./chunk-MUARVVXF.js";
 // src/sessions/secrets.ts
-function loadSessionSecrets(vaultIds) {
+function loadSessionSecrets(vaultIds, userProfileId) {
+  let credentialAllowlist = null;
+  if (userProfileId) {
+    const profile = getUserProfile(userProfileId);
+    if (profile && profile.trust_grants.length > 0) {
+      credentialAllowlist = new Set(
+        profile.trust_grants.map((g) => `${g.vault_id}:${g.credential_id}`)
+      );
+    }
+  }
   const secrets = [];
   for (const vid of vaultIds) {
     for (const entry of listEntries(vid)) {
       secrets.push({ key: entry.key, value: entry.value });
     }
     for (const cred of listCredentialsWithTokens(vid)) {
+      if (credentialAllowlist && !credentialAllowlist.has(`${vid}:${cred.id}`)) continue;
       if (cred.auth.mcp_server_url) {
         const serverName = deriveServerName(cred.auth.mcp_server_url);
         if (serverName) {

package/dist/{chunk-RSXTLOY3.js → chunk-VY5XWTW7.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   ApiError
 } from "./chunk-EZYKRG4W.js";

package/dist/{chunk-VVCRJ46V.js → chunk-WEUPM3IN.js} RENAMED Viewed

@@ -4,16 +4,16 @@ import {
 import {
   buildCodexAuthEnv,
   validateCodexRuntime
-} from "./chunk-YMKQJY5F.js";
+} from "./chunk-SIO4LO2M.js";
 import {
   prepareCodexOnSandbox
 } from "./chunk-NMZMRH3E.js";
-import {
-  createCodexTranslator
-} from "./chunk-CULYZ3VA.js";
 import {
   CODEX_WRAPPER_PATH
 } from "./chunk-XJYR5HE3.js";
+import {
+  createCodexTranslator
+} from "./chunk-CULYZ3VA.js";
 import {
   wrapPromptWithSystem
 } from "./chunk-YE2RMJY7.js";

package/dist/{chunk-RZHIYTI3.js → chunk-WK33IBKY.js} RENAMED Viewed

@@ -14,7 +14,7 @@ import {
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 // src/db/credentials.ts
 init_client();
@@ -130,6 +130,14 @@ function archiveCredential(vaultId, credentialId) {
   db.prepare(`UPDATE vault_credentials SET archived_at = ?, updated_at = ? WHERE id = ?`).run(now, now, credentialId);
   return getCredential(credentialId);
 }
+function getRefreshConfig(id) {
+  const db = getDb();
+  const row = db.prepare(
+    `SELECT refresh_config_encrypted, auth_type FROM vault_credentials WHERE id = ?`
+  ).get(id);
+  if (!row || row.auth_type !== "mcp_oauth" || !row.refresh_config_encrypted) return null;
+  return JSON.parse(decryptValue(row.refresh_config_encrypted));
+}
 function deleteCredential(id) {
   const db = getDb();
   const res = db.prepare(`DELETE FROM vault_credentials WHERE id = ?`).run(id);
@@ -144,5 +152,6 @@ export {
   listCredentialsWithTokens,
   updateCredential,
   archiveCredential,
+  getRefreshConfig,
   deleteCredential
 };

package/dist/{chunk-DI5WC2SQ.js → chunk-XOWRUT4X.js} RENAMED Viewed

@@ -4,13 +4,13 @@ import {
 } from "./chunk-D2XITRN6.js";
 import {
   authenticateAndIntercept
-} from "./chunk-CVYNMYIE.js";
+} from "./chunk-CWB2DQN5.js";
 import {
   checkAndBump
 } from "./chunk-HVUWXUUI.js";
 import {
   ensureInitialized
-} from "./chunk-G6XFFNCQ.js";
+} from "./chunk-N7XSXI5O.js";
 import {
   captureException
 } from "./chunk-3MQ2FWXS.js";

package/dist/{chunk-AZLZOG5N.js → chunk-XYNEAJDF.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   ApiError
 } from "./chunk-EZYKRG4W.js";

package/dist/{chunk-TFTJ734B.js → chunk-Y5RNFM44.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   readSetting,
   writeSetting
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   badRequest
 } from "./chunk-EZYKRG4W.js";

package/dist/{chunk-GSDVHR43.js → chunk-YJCH35J4.js} RENAMED Viewed

@@ -6,12 +6,13 @@ import {
 } from "./chunk-FX2AEKOV.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 // src/backends/claude/args.ts
 function buildClaudeArgs(input) {
   const cfg = getConfig();
-  const permissionMode = input.confirmationMode ? "default" : "bypassPermissions";
+  const policy = input.agent.permission_policy;
+  const permissionMode = input.confirmationMode ? "default" : policy ? "default" : "bypassPermissions";
   const argv = [
     "-p",
     "--output-format",
@@ -42,7 +43,8 @@ Your custom tools are: ${toolList}. Call them by these exact names \u2014 do not
   const mcpToolNames = Array.from(tools.customToolNames).map(
     (name) => `mcp__tool-bridge__${name}`
   );
-  const allAllowed = [...tools.allowedTools, ...mcpToolNames];
+  const policyAllowed = policy?.always_allow ?? [];
+  const allAllowed = [...tools.allowedTools, ...mcpToolNames, ...policyAllowed];
   if (allAllowed.length) {
     argv.push("--allowed-tools", allAllowed.join(","));
   }

package/dist/{chunk-T77N7C3M.js → chunk-YKPRNV6J.js} RENAMED Viewed

@@ -10,10 +10,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 // src/db/files.ts
 init_drizzle();

package/dist/chunk-YOZ6WDP3.js ADDED Viewed

@@ -0,0 +1,103 @@
+import {
+  init_ids,
+  newId
+} from "./chunk-F4WUVOLE.js";
+import {
+  init_clock,
+  nowMs,
+  toIso
+} from "./chunk-HFDLUBWN.js";
+import {
+  getDb,
+  init_client
+} from "./chunk-AGIXZFHQ.js";
+// src/db/user-profiles.ts
+init_client();
+init_ids();
+init_clock();
+function hydrate(row) {
+  return {
+    type: "user_profile",
+    id: row.id,
+    external_id: row.external_id,
+    display_name: row.display_name,
+    trust_grants: JSON.parse(row.trust_grants_json),
+    tenant_id: row.tenant_id,
+    created_at: toIso(row.created_at),
+    updated_at: toIso(row.updated_at)
+  };
+}
+function createUserProfile(input) {
+  const db = getDb();
+  const id = newId("uprof");
+  const now = nowMs();
+  db.prepare(
+    `INSERT INTO user_profiles (id, external_id, display_name, trust_grants_json, tenant_id, created_at, updated_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    id,
+    input.external_id ?? null,
+    input.display_name ?? null,
+    JSON.stringify(input.trust_grants ?? []),
+    input.tenant_id ?? null,
+    now,
+    now
+  );
+  return getUserProfile(id);
+}
+function getUserProfile(id) {
+  const db = getDb();
+  const row = db.prepare(`SELECT * FROM user_profiles WHERE id = ?`).get(id);
+  return row ? hydrate(row) : null;
+}
+function listUserProfiles(opts) {
+  const db = getDb();
+  const limit = Math.min(opts.limit ?? 50, 100);
+  const parts = [];
+  const args = [];
+  if (opts.tenant_id) {
+    parts.push("tenant_id = ?");
+    args.push(opts.tenant_id);
+  }
+  if (opts.after_id) {
+    parts.push("id > ?");
+    args.push(opts.after_id);
+  }
+  const where = parts.length > 0 ? `WHERE ${parts.join(" AND ")}` : "";
+  const rows = db.prepare(
+    `SELECT * FROM user_profiles ${where} ORDER BY id ASC LIMIT ?`
+  ).all(...args, limit + 1);
+  const hasMore = rows.length > limit;
+  if (hasMore) rows.pop();
+  return { data: rows.map(hydrate), has_more: hasMore };
+}
+function updateUserProfile(id, input) {
+  const db = getDb();
+  const existing = db.prepare(`SELECT * FROM user_profiles WHERE id = ?`).get(id);
+  if (!existing) return null;
+  const now = nowMs();
+  const parts = ["updated_at = ?"];
+  const args = [now];
+  if (input.external_id !== void 0) {
+    parts.push("external_id = ?");
+    args.push(input.external_id);
+  }
+  if (input.display_name !== void 0) {
+    parts.push("display_name = ?");
+    args.push(input.display_name);
+  }
+  if (input.trust_grants !== void 0) {
+    parts.push("trust_grants_json = ?");
+    args.push(JSON.stringify(input.trust_grants));
+  }
+  db.prepare(`UPDATE user_profiles SET ${parts.join(", ")} WHERE id = ?`).run(...args, id);
+  return getUserProfile(id);
+}
+export {
+  createUserProfile,
+  getUserProfile,
+  listUserProfiles,
+  updateUserProfile
+};

package/dist/{chunk-7DPZMROX.js → chunk-YRFWPBGX.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import {
   resolveContainerProvider,
   resolveProvider
-} from "./chunk-QQGXM2OQ.js";
+} from "./chunk-C7P2TYOG.js";
 import {
   getEnvironmentRow,
   updateEnvironmentState
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   installClaudeWrapper
 } from "./chunk-J6T3W6RY.js";

package/dist/{chunk-F5SHFZUA.js → chunk-YTBVILAH.js} RENAMED Viewed

@@ -10,7 +10,7 @@ import {
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 // src/db/tenants.ts
 init_client();

package/dist/{chunk-IPTEXVQG.js → chunk-Z5IENUYV.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   getAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 import {
   init_ids,
   newId
@@ -13,10 +13,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 // src/db/threads.ts
 init_drizzle();

package/dist/{chunk-MQSTE4WH.js → chunk-ZBWKJ42J.js} RENAMED Viewed

@@ -5,14 +5,14 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 // src/db/sync.ts
 init_drizzle();

package/dist/{chunk-GBJ3OT4D.js → chunk-ZC7OR65K.js} RENAMED Viewed

@@ -1,13 +1,13 @@
 import {
   init_session_resources,
   session_resources_exports
-} from "./chunk-FDL2JHXO.js";
+} from "./chunk-GCT7A5KR.js";
 import {
   getAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 import {
   DEFAULT_TENANT_ID
-} from "./chunk-F5SHFZUA.js";
+} from "./chunk-YTBVILAH.js";
 import {
   init_ids,
   newId
@@ -20,10 +20,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 import {
   __toCommonJS
 } from "./chunk-2ESYSVXG.js";
@@ -111,6 +111,7 @@ function hydrateSession(row) {
     })) : [],
     resources,
     vault_ids: row.vault_ids_json ? JSON.parse(row.vault_ids_json) : [],
+    user_profile_id: row.user_profile_id ?? null,
     parent_session_id: row.parent_session_id ?? null,
     thread_depth: row.thread_depth ?? 0,
     stats: {
@@ -151,6 +152,7 @@ function createSession(input) {
     max_wall_duration_ms: input.max_wall_duration_ms ?? null,
     resources_json: input.resources ? JSON.stringify(input.resources) : null,
     vault_ids_json: input.vault_ids ? JSON.stringify(input.vault_ids) : null,
+    user_profile_id: input.user_profile_id ?? null,
     parent_session_id: input.parent_session_id ?? null,
     thread_depth: input.thread_depth ?? 0,
     api_key_id: input.api_key_id ?? null,

package/dist/{chunk-7U62OZSD.js → chunk-ZDDMPGN4.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import {
   init_schema,
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   __esm
 } from "./chunk-2ESYSVXG.js";

package/dist/{chunk-RRP4F6XC.js → chunk-ZPKQT6X2.js} RENAMED Viewed

@@ -8,17 +8,17 @@ import {
   jsonOk,
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   forwardToAnthropic,
   validateAnthropicProxy
-} from "./chunk-IDQKHWWN.js";
+} from "./chunk-JFHYXFAL.js";
 import {
   getProxiedTenantId,
   isProxied,
   markProxied,
   unmarkProxied
-} from "./chunk-GKNBECPD.js";
+} from "./chunk-DZKBUOYU.js";
 import {
   archiveAgent,
   createAgent,
@@ -26,14 +26,14 @@ import {
   listAgentVersions,
   listAgents,
   updateAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 import {
   resolveBackend
-} from "./chunk-XMZQW5G5.js";
+} from "./chunk-V5RHOS43.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   badRequest,
   conflict,
@@ -255,6 +255,10 @@ var CreateSchema = z.object({
       z.object({ type: z.literal("self") })
     ])).max(20)
   }).optional(),
+  permission_policy: z.object({
+    always_allow: z.array(z.string()).optional(),
+    always_ask: z.array(z.string()).optional()
+  }).optional(),
   skills: z.array(SkillSchema).max(20).optional(),
   model_config: ModelConfigSchema.optional(),
   /** v0.5: required for global admin, ignored for tenant users. */
@@ -301,6 +305,10 @@ var UpdateSchema = z.object({
       z.object({ type: z.literal("self") })
     ])).max(20)
   }).nullish(),
+  permission_policy: z.object({
+    always_allow: z.array(z.string()).optional(),
+    always_ask: z.array(z.string()).optional()
+  }).nullish(),
   skills: z.array(SkillSchema).max(20).optional(),
   model_config: ModelConfigSchema.optional()
 }).refine((data) => {
@@ -386,6 +394,7 @@ function handleCreateAgent(request) {
       confirmation_mode: parsed.data.confirmation_mode ?? false,
       callable_agents: parsed.data.callable_agents,
       multiagent: parsed.data.multiagent,
+      permission_policy: parsed.data.permission_policy,
       skills: await resolveSkillInputs(parsed.data.skills, nowIso),
       model_config: mergedModelConfig,
       tenant_id: createTenantId
@@ -466,6 +475,7 @@ function handleUpdateAgent(request, id) {
       confirmation_mode: parsed.data.confirmation_mode,
       callable_agents: parsed.data.callable_agents,
       multiagent: parsed.data.multiagent,
+      permission_policy: parsed.data.permission_policy,
       skills: await resolveSkillInputs(parsed.data.skills, nowIso),
       model_config: mergedModelConfig
     });

package/dist/{chunk-LSMTQBMW.js → chunk-ZV5Y5JBE.js} RENAMED Viewed

@@ -4,11 +4,11 @@ import {
 } from "./chunk-23UKWXJH.js";
 import {
   listAudit
-} from "./chunk-FC3UAHXM.js";
+} from "./chunk-FDLQ3IUB.js";
 import {
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-XOWRUT4X.js";
 import {
   badRequest
 } from "./chunk-EZYKRG4W.js";