@agentstep/agent-sdk 0.5.28 → 0.5.34

package/dist/{chunk-N627DRI6.js → chunk-3EI7IPMI.js}

@@ -1,13 +1,13 @@
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   resolveContainerProvider
-} from "./chunk-QQGXM2OQ.js";
+} from "./chunk-XLMNSDUJ.js";
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 
 // src/handlers/providers.ts
 var LOCAL_PROVIDERS = ["docker", "apple-container", "podman"];

package/dist/{chunk-Z25QQE5Z.js → chunk-3EWEKBVC.js}

@@ -1,17 +1,17 @@
 import {
   listTraces
-} from "./chunk-5BA36MSQ.js";
+} from "./chunk-UMXXZ6OX.js";
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   exportTrace
-} from "./chunk-PZKWZKRP.js";
+} from "./chunk-2KF2TIEY.js";
 import {
   listEventsByTrace,
   rowToManagedEvent
-} from "./chunk-IS6CQPAQ.js";
+} from "./chunk-OEFJPZYH.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-V4DEOZFK.js → chunk-3LYNN5VT.js}

@@ -6,7 +6,7 @@ import {
 } from "./chunk-23UKWXJH.js";
 import {
   recordAudit
-} from "./chunk-FC3UAHXM.js";
+} from "./chunk-FDLQ3IUB.js";
 import {
   COMMUNITY_LIMITS,
   hasFeature,
@@ -15,7 +15,7 @@ import {
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   createApiKey,
   getApiKeyById,
@@ -23,14 +23,14 @@ import {
   listApiKeys,
   revokeApiKey,
   updateApiKeyPermissions
-} from "./chunk-LJNLU5PQ.js";
+} from "./chunk-3NUTTKE5.js";
 import {
   listSessionsByApiKey
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   badRequest,
   forbidden,

package/dist/{chunk-LJNLU5PQ.js → chunk-3NUTTKE5.js}

@@ -9,10 +9,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/db/api_keys.ts
 init_drizzle();

package/dist/{chunk-DI5WC2SQ.js → chunk-4EKHW6VS.js}

@@ -4,13 +4,13 @@ import {
 } from "./chunk-D2XITRN6.js";
 import {
   authenticateAndIntercept
-} from "./chunk-CVYNMYIE.js";
+} from "./chunk-CWB2DQN5.js";
 import {
   checkAndBump
 } from "./chunk-HVUWXUUI.js";
 import {
   ensureInitialized
-} from "./chunk-G6XFFNCQ.js";
+} from "./chunk-P7V3S2T3.js";
 import {
   captureException
 } from "./chunk-3MQ2FWXS.js";

package/dist/{chunk-MZ6HBYGV.js → chunk-65XY7HRS.js}

@@ -1,3 +1,10 @@
+import {
+  buildFactoryArgs
+} from "./chunk-TPMZO6S2.js";
+import {
+  buildFactoryAuthEnv,
+  validateFactoryRuntime
+} from "./chunk-M72ERPMT.js";
 import {
   prepareFactoryOnSandbox
 } from "./chunk-AQHYCRTO.js";
@@ -7,13 +14,6 @@ import {
 import {
   FACTORY_WRAPPER_PATH
 } from "./chunk-KJ2GJLPQ.js";
-import {
-  buildFactoryArgs
-} from "./chunk-TPMZO6S2.js";
-import {
-  buildFactoryAuthEnv,
-  validateFactoryRuntime
-} from "./chunk-MNW6D7T4.js";
 import {
   wrapPromptWithSystem
 } from "./chunk-YE2RMJY7.js";

package/dist/{chunk-KHTLT44I.js → chunk-6CODFATQ.js}

@@ -7,16 +7,16 @@ import {
   pollWorkItem,
   stopWorkItem,
   updateWorkItemMetadata
-} from "./chunk-A4GJADRQ.js";
+} from "./chunk-JF777FWD.js";
 import {
   decodeCursor,
   jsonOk,
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   getEnvironment
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-US26CY2Y.js → chunk-6EIONZ7F.js}

@@ -5,10 +5,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/config/index.ts
 init_drizzle();

package/dist/chunk-6NEWWPL4.js

@@ -0,0 +1,210 @@
+import {
+  tenantFilter
+} from "./chunk-23UKWXJH.js";
+import {
+  jsonOk,
+  routeWrap
+} from "./chunk-4EKHW6VS.js";
+import {
+  getUserProfile,
+  updateUserProfile
+} from "./chunk-YOZ6WDP3.js";
+import {
+  createCredential,
+  getCredential,
+  updateCredential
+} from "./chunk-WK33IBKY.js";
+import {
+  badRequest,
+  notFound
+} from "./chunk-EZYKRG4W.js";
+
+// src/handlers/enrollment.ts
+import { z } from "zod";
+import { randomBytes } from "crypto";
+var pendingEnrollments = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const cutoff = Date.now() - 10 * 6e4;
+  for (const [state, enrollment] of pendingEnrollments) {
+    if (enrollment.createdAt < cutoff) pendingEnrollments.delete(state);
+  }
+}, 6e4);
+var EnrollmentSchema = z.object({
+  vault_id: z.string().min(1),
+  credential_id: z.string().optional(),
+  // update existing credential, or omit to create new
+  display_name: z.string().min(1).optional(),
+  // required when creating new
+  authorize_url: z.string().url(),
+  token_endpoint: z.string().url(),
+  client_id: z.string().min(1),
+  client_secret: z.string().optional(),
+  scope: z.string().optional(),
+  redirect_uri: z.string().url().optional()
+});
+function handleEnrollmentUrl(request, profileId) {
+  return routeWrap(request, async ({ auth }) => {
+    const profile = getUserProfile(profileId);
+    if (!profile) throw notFound(`user profile not found: ${profileId}`);
+    const filter = tenantFilter(auth);
+    if (filter && profile.tenant_id !== filter) {
+      throw notFound(`user profile not found: ${profileId}`);
+    }
+    const body = await request.json().catch(() => null);
+    const parsed = EnrollmentSchema.safeParse(body);
+    if (!parsed.success) {
+      throw badRequest(`invalid body: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    const data = parsed.data;
+    if (data.credential_id) {
+      const cred = getCredential(data.credential_id);
+      if (!cred || cred.vault_id !== data.vault_id) {
+        throw badRequest(`credential not found: ${data.credential_id}`);
+      }
+    } else if (!data.display_name) {
+      throw badRequest("display_name is required when creating a new credential");
+    }
+    const state = randomBytes(32).toString("hex");
+    const reqUrl = new URL(request.url);
+    const redirectUri = data.redirect_uri || `${reqUrl.origin}/v1/oauth/callback`;
+    pendingEnrollments.set(state, {
+      profileId,
+      vaultId: data.vault_id,
+      credentialId: data.credential_id ?? null,
+      tokenEndpoint: data.token_endpoint,
+      clientId: data.client_id,
+      clientSecret: data.client_secret,
+      scope: data.scope,
+      redirectUri,
+      createdAt: Date.now()
+    });
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: data.client_id,
+      redirect_uri: redirectUri,
+      state,
+      ...data.scope ? { scope: data.scope } : {}
+    });
+    const url = `${data.authorize_url}?${params.toString()}`;
+    return jsonOk({
+      type: "enrollment_url",
+      url,
+      state,
+      redirect_uri: redirectUri,
+      expires_in: 600
+      // 10 minutes
+    });
+  });
+}
+async function handleOAuthCallback(request) {
+  const { ensureInitialized } = await import("./init.js");
+  await ensureInitialized();
+  try {
+    const url = new URL(request.url);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    if (error) {
+      return new Response(
+        `<html><body><h2>Authorization failed</h2><p>${error}</p></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    if (!code || !state) {
+      return new Response(
+        `<html><body><h2>Missing code or state parameter</h2></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    const enrollment = pendingEnrollments.get(state);
+    if (!enrollment) {
+      return new Response(
+        `<html><body><h2>Invalid or expired enrollment state</h2><p>Please restart the enrollment process.</p></body></html>`,
+        { status: 400, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    pendingEnrollments.delete(state);
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      client_id: enrollment.clientId,
+      redirect_uri: enrollment.redirectUri,
+      ...enrollment.scope ? { scope: enrollment.scope } : {}
+    });
+    if (enrollment.clientSecret) {
+      body.set("client_secret", enrollment.clientSecret);
+    }
+    const tokenRes = await fetch(enrollment.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString(),
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!tokenRes.ok) {
+      const errText = await tokenRes.text().catch(() => "");
+      return new Response(
+        `<html><body><h2>Token exchange failed</h2><p>${tokenRes.status}: ${errText.slice(0, 200)}</p></body></html>`,
+        { status: 502, headers: { "Content-Type": "text/html" } }
+      );
+    }
+    const tokens = await tokenRes.json();
+    let credentialId;
+    const expiresAt = tokens.expires_in ? new Date(Date.now() + tokens.expires_in * 1e3).toISOString() : null;
+    const refreshConfig = tokens.refresh_token ? {
+      token_endpoint: enrollment.tokenEndpoint,
+      client_id: enrollment.clientId,
+      scope: enrollment.scope ?? tokens.scope,
+      refresh_token: tokens.refresh_token,
+      ...enrollment.clientSecret ? { token_endpoint_auth: { type: "client_secret_post", client_secret: enrollment.clientSecret } } : {}
+    } : null;
+    if (enrollment.credentialId) {
+      updateCredential(enrollment.credentialId, {
+        auth_type: "mcp_oauth",
+        token: tokens.access_token,
+        expires_at: expiresAt,
+        refresh_config: refreshConfig
+      });
+      credentialId = enrollment.credentialId;
+    } else {
+      const profile2 = getUserProfile(enrollment.profileId);
+      const displayName = `oauth-${enrollment.clientId}-${Date.now()}`;
+      const cred = createCredential({
+        vault_id: enrollment.vaultId,
+        display_name: displayName,
+        auth_type: "mcp_oauth",
+        token: tokens.access_token,
+        expires_at: expiresAt,
+        refresh_config: refreshConfig
+      });
+      credentialId = cred.id;
+    }
+    const profile = getUserProfile(enrollment.profileId);
+    if (profile) {
+      const existingGrant = profile.trust_grants.find(
+        (g) => g.vault_id === enrollment.vaultId && g.credential_id === credentialId
+      );
+      if (!existingGrant) {
+        const newGrants = [
+          ...profile.trust_grants,
+          { type: "vault_credential", vault_id: enrollment.vaultId, credential_id: credentialId }
+        ];
+        updateUserProfile(enrollment.profileId, { trust_grants: newGrants });
+      }
+    }
+    return new Response(
+      `<html><body><h2>Enrollment complete</h2><p>Credential ${credentialId} has been linked to your profile. You can close this window.</p></body></html>`,
+      { status: 200, headers: { "Content-Type": "text/html" } }
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return new Response(
+      `<html><body><h2>Enrollment error</h2><p>${msg}</p></body></html>`,
+      { status: 500, headers: { "Content-Type": "text/html" } }
+    );
+  }
+}
+
+export {
+  handleEnrollmentUrl,
+  handleOAuthCallback
+};

package/dist/{chunk-TFTJ734B.js → chunk-6NFK5RJX.js}

@@ -1,11 +1,11 @@
 import {
   jsonOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   readSetting,
   writeSetting
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   badRequest
 } from "./chunk-EZYKRG4W.js";

package/dist/chunk-6SD6MC2B.js

@@ -0,0 +1,29 @@
+// src/backends/pi/args.ts
+function normalizePiModel(model) {
+  if (model.includes("/")) return model;
+  if (model.startsWith("gemini-")) return `google/${model}`;
+  if (model.startsWith("claude-")) return `anthropic/${model}`;
+  if (model.startsWith("gpt-") || model.startsWith("o1-") || model.startsWith("o3-") || model.startsWith("o4-") || model.startsWith("chatgpt-")) return `openai/${model}`;
+  return model;
+}
+function buildPiArgs(input) {
+  const args = [
+    "-p",
+    "--mode",
+    "json",
+    "--no-extensions"
+  ];
+  if (input.backendSessionId) {
+    args.push("--session", input.backendSessionId);
+  }
+  if (input.agent.model) {
+    const modelId = typeof input.agent.model === "string" ? input.agent.model : input.agent.model.id;
+    if (modelId) args.push("--model", normalizePiModel(modelId));
+  }
+  args.push(input.prompt);
+  return args;
+}
+
+export {
+  buildPiArgs
+};

package/dist/{chunk-ENFWZ2QM.js → chunk-6U6HEVSN.js}

@@ -1,6 +1,6 @@
 import {
   DEFAULT_TENANT_ID
-} from "./chunk-F5SHFZUA.js";
+} from "./chunk-YTBVILAH.js";
 import {
   init_ids,
   newId
@@ -13,10 +13,10 @@ import {
 import {
   getDrizzle,
   init_drizzle
-} from "./chunk-7U62OZSD.js";
+} from "./chunk-ZDDMPGN4.js";
 import {
   schema_exports
-} from "./chunk-4ENK7S24.js";
+} from "./chunk-CXYMVLYK.js";
 
 // src/db/agents.ts
 init_drizzle();
@@ -38,6 +38,7 @@ function hydrate(row, ver) {
     threadsEnabled = true;
     callableAgents = multiagent.agents.filter((a) => a.type === "agent").map((a) => ({ type: "agent", id: a.id, version: a.version }));
   }
+  const permissionPolicy = ver.permission_policy_json ? JSON.parse(ver.permission_policy_json) : null;
   return {
     type: "agent",
     id: row.id,
@@ -57,6 +58,7 @@ function hydrate(row, ver) {
     confirmation_mode: Boolean(ver.confirmation_mode),
     callable_agents: callableAgents,
     multiagent,
+    permission_policy: permissionPolicy,
     skills: ver.skills_json ? JSON.parse(ver.skills_json) : [],
     model_config: modelConfig,
     fallback_json: row.fallback_json ?? null,
@@ -95,6 +97,7 @@ function createAgent(input) {
       confirmation_mode: input.confirmation_mode ? 1 : 0,
       callable_agents_json: input.callable_agents?.length ? JSON.stringify(input.callable_agents) : null,
       multiagent_json: input.multiagent ? JSON.stringify(input.multiagent) : null,
+      permission_policy_json: input.permission_policy ? JSON.stringify(input.permission_policy) : null,
       skills_json: JSON.stringify(input.skills ?? []),
       model_config_json: JSON.stringify(input.model_config ?? {}),
       created_at: now
@@ -148,6 +151,7 @@ function updateAgent(id, input) {
       confirmation_mode: input.confirmation_mode !== void 0 ? input.confirmation_mode ? 1 : 0 : existing.confirmation_mode ? 1 : 0,
       callable_agents_json: input.callable_agents !== void 0 ? input.callable_agents.length ? JSON.stringify(input.callable_agents) : null : existing.callable_agents.length ? JSON.stringify(existing.callable_agents) : null,
       multiagent_json: input.multiagent !== void 0 ? input.multiagent ? JSON.stringify(input.multiagent) : null : existing.multiagent ? JSON.stringify(existing.multiagent) : null,
+      permission_policy_json: input.permission_policy !== void 0 ? input.permission_policy ? JSON.stringify(input.permission_policy) : null : existing.permission_policy ? JSON.stringify(existing.permission_policy) : null,
       skills_json: JSON.stringify(input.skills ?? existing.skills),
       model_config_json: JSON.stringify(input.model_config !== void 0 ? input.model_config : existing.model_config),
       created_at: now

package/dist/{chunk-CXIP6H55.js → chunk-75US4UAE.js}

@@ -6,7 +6,7 @@ import {
   getSkill,
   getSkillVersion,
   listSkillVersions
-} from "./chunk-D3LKWVPA.js";
+} from "./chunk-TTDMQ54U.js";
 import {
   resolveCreateTenant
 } from "./chunk-23UKWXJH.js";
@@ -15,7 +15,7 @@ import {
   jsonOk,
   paginatedOk,
   routeWrap
-} from "./chunk-DI5WC2SQ.js";
+} from "./chunk-4EKHW6VS.js";
 import {
   badRequest,
   notFound

package/dist/{chunk-UB7GS7XT.js → chunk-A3FQHVUG.js}

@@ -1,19 +1,19 @@
-import {
-  createGeminiTranslator
-} from "./chunk-S3JRZFF5.js";
-import {
-  buildGeminiArgs
-} from "./chunk-IBYOMAZ3.js";
 import {
   buildGeminiAuthEnv,
   validateGeminiRuntime
-} from "./chunk-TJORQTH6.js";
+} from "./chunk-KGOOCFQY.js";
 import {
   prepareGeminiOnSandbox
 } from "./chunk-PAQ2JFVD.js";
+import {
+  createGeminiTranslator
+} from "./chunk-S3JRZFF5.js";
 import {
   GEMINI_WRAPPER_PATH
 } from "./chunk-PZ5EGY64.js";
+import {
+  buildGeminiArgs
+} from "./chunk-IBYOMAZ3.js";
 import {
   wrapPromptWithSystem
 } from "./chunk-YE2RMJY7.js";

package/dist/{chunk-ZP5QO5BR.js → chunk-ABUNDZCE.js}

@@ -13,7 +13,7 @@ import {
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 
 // src/db/upstream_keys.ts
 init_client();

package/dist/{chunk-QCP37SCU.js → chunk-AD2WPGDN.js}

@@ -1,32 +1,32 @@
 import {
   resolveRemoteSessionId
-} from "./chunk-MQSTE4WH.js";
+} from "./chunk-ZBWKJ42J.js";
 import {
   assertResourceTenant
 } from "./chunk-23UKWXJH.js";
 import {
   authenticateAndIntercept
-} from "./chunk-CVYNMYIE.js";
+} from "./chunk-CWB2DQN5.js";
 import {
   forwardToAnthropic
-} from "./chunk-IDQKHWWN.js";
+} from "./chunk-JFHYXFAL.js";
 import {
   ensureInitialized
-} from "./chunk-G6XFFNCQ.js";
+} from "./chunk-P7V3S2T3.js";
 import {
   getProxiedTenantId,
   isProxied
-} from "./chunk-GKNBECPD.js";
+} from "./chunk-DZKBUOYU.js";
 import {
   subscribe
-} from "./chunk-2K3UO6TC.js";
+} from "./chunk-RES4BCTF.js";
 import {
   getSession
-} from "./chunk-GBJ3OT4D.js";
+} from "./chunk-ZC7OR65K.js";
 import {
   getDb,
   init_client
-} from "./chunk-Q62QJXGO.js";
+} from "./chunk-AGIXZFHQ.js";
 import {
   notFound,
   toResponse

package/dist/{chunk-Q62QJXGO.js → chunk-AGIXZFHQ.js}

@@ -1,7 +1,7 @@
 import {
   init_migrations,
   runMigrations
-} from "./chunk-HDLPEXWS.js";
+} from "./chunk-S5CMAWEC.js";
 import {
   __esm
 } from "./chunk-2ESYSVXG.js";

package/dist/{chunk-NKOGWVP3.js → chunk-AUEKXYNE.js}

@@ -2,19 +2,19 @@ import {
   getSyncRow,
   getSyncedRemoteId,
   upsertSync
-} from "./chunk-MQSTE4WH.js";
+} from "./chunk-ZBWKJ42J.js";
 import {
   injectMcpAuthHeaders
 } from "./chunk-DBFPJSOY.js";
 import {
   listEntries
-} from "./chunk-IC5ZTBAW.js";
+} from "./chunk-MUARVVXF.js";
 import {
   getEnvironment
-} from "./chunk-BRULBMRN.js";
+} from "./chunk-NSUVDKNC.js";
 import {
   getAgent
-} from "./chunk-ENFWZ2QM.js";
+} from "./chunk-6U6HEVSN.js";
 
 // src/sync/anthropic.ts
 import { createHash } from "crypto";

package/dist/{chunk-SKVAM5H2.js → chunk-B3W3E5CS.js}

@@ -1,6 +1,6 @@
 import {
   getConfig
-} from "./chunk-US26CY2Y.js";
+} from "./chunk-6EIONZ7F.js";
 import {
   serverBusy
 } from "./chunk-EZYKRG4W.js";