@alexkroman1/aai 1.0.6 → 1.2.0

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @alexkroman1/aai@1.0.6 build /home/runner/work/agent/agent/packages/aai
+> @alexkroman1/aai@1.2.0 build /home/runner/work/agent/agent/packages/aai
 > tsdown && tsc -p tsconfig.build.json
 
 ℹ tsdown v0.21.7 powered by rolldown v1.0.0-rc.12
@@ -8,13 +8,13 @@
 ℹ target: node22
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/host/runtime-barrel.js     47.10 kB │ gzip: 14.49 kB
-ℹ dist/sdk/protocol.js             4.83 kB │ gzip:  1.77 kB
-ℹ dist/index.js                    2.49 kB │ gzip:  1.04 kB
-ℹ dist/sdk/manifest-barrel.js      2.19 kB │ gzip:  0.99 kB
-ℹ dist/system-prompt-nik_iavo.js   4.77 kB │ gzip:  2.09 kB
-ℹ dist/constants-VTFoymJ-.js       2.75 kB │ gzip:  1.23 kB
-ℹ dist/types-Cfx_4QDK.js           1.74 kB │ gzip:  0.93 kB
-ℹ dist/ws-upgrade-BeOQ7fXL.js      1.14 kB │ gzip:  0.54 kB
-ℹ 8 files, total: 67.02 kB
-✔ Build complete in 46ms
+ℹ dist/host/runtime-barrel.js       50.02 kB │ gzip: 15.70 kB
+ℹ dist/index.js                      6.38 kB │ gzip:  2.49 kB
+ℹ dist/sdk/protocol.js               4.75 kB │ gzip:  1.76 kB
+ℹ dist/sdk/manifest-barrel.js        0.26 kB │ gzip:  0.17 kB
+ℹ dist/constants-VTFoymJ-.js         2.75 kB │ gzip:  1.23 kB
+ℹ dist/_internal-types-CoDTiBd1.js   2.33 kB │ gzip:  0.99 kB
+ℹ dist/types-Cfx_4QDK.js             1.74 kB │ gzip:  0.93 kB
+ℹ dist/ws-upgrade-BeOQ7fXL.js        1.14 kB │ gzip:  0.54 kB
+ℹ 8 files, total: 69.36 kB
+✔ Build complete in 34ms

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # @alexkroman1/aai
 
+## 1.2.0
+
+### Minor Changes
+
+- ed0dfbb: Add allowedHosts manifest field and host-proxied fetch for sandbox agents
+
+### Patch Changes
+
+- 231ebc1: Fix Docker build (missing unzip, CI=true for pnpm) and add test:adversarial command with CI integration
+
+## 1.1.0
+
+### Minor Changes
+
+- 5cda7c5: Add ctx.send for real-time tool-to-client events
+
+  Tools can now push arbitrary events to the browser client via `ctx.send(event, data)`. Events flow over the existing WebSocket as `custom_event` messages. The new `useEvent` React hook subscribes to named events. Migrated solo-rpg, pizza-ordering, dispatch-center, and night-owl templates from `useToolResult` to `ctx.send` + `useEvent`.
+
+### Patch Changes
+
+- 41fab1a: Remove dead code: unused exports, wrappers, and test hooks
+
 ## 1.0.6
 
 ## 1.0.5

package/dist/_internal-types-CoDTiBd1.js

@@ -0,0 +1,61 @@
+import { i as ToolChoiceSchema, t as BuiltinToolSchema } from "./types-Cfx_4QDK.js";
+import { z } from "zod";
+//#region sdk/_internal-types.ts
+/**
+* Zod schema for serializable agent configuration sent over the wire.
+*
+* This is the JSON-safe subset of the agent definition that can be
+* transmitted between the worker and the host process via structured clone.
+*/
+const AgentConfigSchema = z.object({
+	name: z.string().min(1),
+	systemPrompt: z.string(),
+	greeting: z.string(),
+	sttPrompt: z.string().optional(),
+	maxSteps: z.number().int().positive().optional(),
+	toolChoice: ToolChoiceSchema.optional(),
+	builtinTools: z.array(BuiltinToolSchema).readonly().optional(),
+	idleTimeoutMs: z.number().nonnegative().optional()
+});
+/** Extract the serializable {@link AgentConfig} subset from a source object. */
+function toAgentConfig(src) {
+	const config = {
+		name: src.name,
+		systemPrompt: src.systemPrompt,
+		greeting: src.greeting
+	};
+	if (src.sttPrompt !== void 0) config.sttPrompt = src.sttPrompt;
+	if (src.maxSteps !== void 0) config.maxSteps = src.maxSteps;
+	if (src.toolChoice !== void 0) config.toolChoice = src.toolChoice;
+	if (src.builtinTools) config.builtinTools = [...src.builtinTools];
+	if (src.idleTimeoutMs !== void 0) config.idleTimeoutMs = src.idleTimeoutMs;
+	return config;
+}
+/**
+* Zod schema for serialized tool definitions sent over the wire.
+*
+* `parameters` must be a valid JSON Schema object (with `type`, `properties`,
+* etc.) — the Vercel AI SDK wraps it via `jsonSchema()`.
+*/
+const ToolSchemaSchema = z.object({
+	name: z.string().min(1),
+	description: z.string().min(1),
+	parameters: z.record(z.string(), z.unknown())
+});
+/** Empty Zod object schema used as default when tools have no parameters. */
+const EMPTY_PARAMS = z.object({});
+/**
+* Convert agent tool definitions to JSON Schema format for wire transport.
+*
+* Transforms the Zod-based `parameters` of each tool into a plain JSON Schema
+* object suitable for structured clone / JSON serialization.
+*/
+function agentToolsToSchemas(tools) {
+	return Object.entries(tools).map(([name, def]) => ({
+		name,
+		description: def.description,
+		parameters: z.toJSONSchema(def.parameters ?? EMPTY_PARAMS)
+	}));
+}
+//#endregion
+export { toAgentConfig as a, agentToolsToSchemas as i, EMPTY_PARAMS as n, ToolSchemaSchema as r, AgentConfigSchema as t };

package/dist/host/_mock-ws.d.ts

@@ -89,27 +89,3 @@ export declare class MockWebSocket extends EventTarget {
      */
     sentJson(): Record<string, unknown>[];
 }
-/**
- * Replace `globalThis.WebSocket` with {@link MockWebSocket} for testing.
- *
- * Returns a handle that tracks all created mock sockets and can restore the
- * original `WebSocket` constructor. Supports the `using` declaration via
- * `Symbol.dispose` for automatic cleanup.
- *
- * @returns An object with `created` array, `lastWs` getter, `restore()`, and `[Symbol.dispose]()`.
- *
- * @example
- * ```ts
- * using mock = installMockWebSocket();
- * const session = new Session("wss://example.com");
- * const ws = mock.lastWs!;
- * ws.simulateMessage(JSON.stringify({ type: "ready" }));
- * // mock automatically restores WebSocket when disposed
- * ```
- */
-export declare function installMockWebSocket(): {
-    restore: () => void;
-    created: MockWebSocket[];
-    get lastWs(): MockWebSocket | null;
-    [Symbol.dispose]: () => void;
-};

package/dist/host/runtime-barrel.d.ts

@@ -6,7 +6,6 @@
 export * from "./builtin-tools.ts";
 export * from "./runtime.ts";
 export * from "./runtime-config.ts";
-export * from "./s2s.ts";
 export * from "./server.ts";
 export * from "./session.ts";
 export * from "./session-ctx.ts";

package/dist/host/runtime-barrel.js

@@ -1,7 +1,8 @@
 import { a as DEFAULT_SHUTDOWN_TIMEOUT_MS, c as FETCH_TIMEOUT_MS, d as MAX_PAGE_CHARS, f as MAX_TOOL_RESULT_CHARS, g as TOOL_EXECUTION_TIMEOUT_MS, h as RUN_CODE_TIMEOUT_MS, l as MAX_HTML_BYTES, m as MAX_WS_PAYLOAD_BYTES, o as DEFAULT_STT_SAMPLE_RATE, p as MAX_VALUE_SIZE, s as DEFAULT_TTS_SAMPLE_RATE, t as AGENT_CSP } from "../constants-VTFoymJ-.js";
+import { r as DEFAULT_SYSTEM_PROMPT } from "../types-Cfx_4QDK.js";
 import { i as toolError, n as errorDetail, r as errorMessage, t as parseWsUpgradeParams } from "../ws-upgrade-BeOQ7fXL.js";
 import { ClientMessageSchema, buildReadyConfig, lenientParse } from "../sdk/protocol.js";
-import { a as agentToolsToSchemas, o as toAgentConfig, r as EMPTY_PARAMS, t as buildSystemPrompt } from "../system-prompt-nik_iavo.js";
+import { a as toAgentConfig, i as agentToolsToSchemas, n as EMPTY_PARAMS } from "../_internal-types-CoDTiBd1.js";
 import { z } from "zod";
 import { convert } from "html-to-text";
 import vm from "node:vm";
@@ -384,6 +385,37 @@ const DEFAULT_S2S_CONFIG = {
 	outputSampleRate: DEFAULT_TTS_SAMPLE_RATE
 };
 //#endregion
+//#region sdk/system-prompt.ts
+function getFormattedDate() {
+	return (/* @__PURE__ */ new Date()).toLocaleDateString("en-US", {
+		weekday: "long",
+		year: "numeric",
+		month: "long",
+		day: "numeric"
+	});
+}
+const VOICE_RULES = "\n\nCRITICAL OUTPUT RULES — you MUST follow these for EVERY response:\nYour response will be spoken aloud by a TTS system and displayed as plain text.\n- NEVER use markdown: no **, no *, no _, no #, no `, no [](), no ---\n- NEVER use bullet points (-, *, •) or numbered lists (1., 2.)\n- NEVER use code blocks or inline code\n- NEVER mention tools, search, APIs, or technical failures to the user. If a tool returns no results, just answer naturally without explaining why.\n- Write exactly as you would say it out loud to a friend\n- Use short conversational sentences. To list things, say \"First,\" \"Next,\" \"Finally,\"\n- Keep responses concise — 1 to 3 sentences max";
+/**
+* Build the system prompt sent to the LLM from the agent configuration.
+*
+* Assembles the default system prompt, today's date, agent-specific instructions,
+* and optional sections for tool usage preamble and voice output rules.
+*
+* @param config - The serializable agent configuration (name, systemPrompt, etc.).
+* @param opts.hasTools - When `true`, appends a preamble instructing the LLM to
+*   speak a brief phrase before each tool call to fill silence.
+* @param opts.voice - When `true`, appends strict voice-specific output rules
+*   (no markdown, no bullet points, conversational tone, concise responses).
+* @returns The assembled system prompt string.
+*/
+function buildSystemPrompt(config, opts) {
+	const { hasTools } = opts;
+	const agentInstructions = config.systemPrompt && config.systemPrompt !== DEFAULT_SYSTEM_PROMPT ? `\n\nAgent-Specific Instructions:\n${config.systemPrompt}` : "";
+	const toolPreamble = hasTools ? "\n\nWhen you decide to use a tool, ALWAYS say a brief natural phrase BEFORE the tool call (e.g. \"Let me look that up\" or \"One moment while I check\"). This fills silence while the tool executes. Keep preambles to one short sentence." : "";
+	const guidance = opts.toolGuidance && opts.toolGuidance.length > 0 ? `\n\nBuilt-in Tool Usage:\n${opts.toolGuidance.join("\n")}` : "";
+	return DEFAULT_SYSTEM_PROMPT + `\n\nToday's date is ${getFormattedDate()}.` + agentInstructions + toolPreamble + guidance + (opts.voice ? VOICE_RULES : "");
+}
+//#endregion
 //#region host/s2s.ts
 const uint8ToBase64 = (bytes) => Buffer.from(bytes).toString("base64");
 const base64ToUint8 = (base64) => new Uint8Array(Buffer.from(base64, "base64"));
@@ -976,7 +1008,10 @@ function buildToolContext(opts) {
 			return kv;
 		},
 		messages: messages ?? [],
-		sessionId: sessionId ?? ""
+		sessionId: sessionId ?? "",
+		send(event, data) {
+			opts.send?.(event, data);
+		}
 	};
 }
 async function executeToolCall(name, args, options) {
@@ -1173,6 +1208,7 @@ function wireSessionSocket(ws, opts) {
 		const client = createClientSink(ws, log);
 		session = opts.createSession(sessionId, client);
 		sessions.set(sessionId, session);
+		opts.onSinkCreated?.(sessionId, client);
 		ws.send(JSON.stringify({
 			type: "config",
 			...opts.readyConfig,
@@ -1267,6 +1303,7 @@ function createRuntime(opts) {
 	const { agent, env, kv = createLocalKv(), createWebSocket, logger = consoleLogger, s2sConfig = DEFAULT_S2S_CONFIG, sessionStartTimeoutMs, shutdownTimeoutMs = DEFAULT_SHUTDOWN_TIMEOUT_MS } = opts;
 	const agentConfig = toAgentConfig(agent);
 	const sessions = /* @__PURE__ */ new Map();
+	const sinkMap = /* @__PURE__ */ new Map();
 	const readyConfig = buildReadyConfig(s2sConfig);
 	let executeTool;
 	let toolSchemas;
@@ -1309,6 +1346,7 @@ function createRuntime(opts) {
 		executeTool = async (name, args, sessionId, messages) => {
 			const tool = allTools[name];
 			if (!tool) return toolError(`Unknown tool: ${name}`);
+			const sink = sinkMap.get(sessionId ?? "");
 			return executeToolCall(name, args, {
 				tool,
 				env: frozenEnv,
@@ -1316,11 +1354,17 @@ function createRuntime(opts) {
 				sessionId: sessionId ?? "",
 				kv,
 				messages,
-				logger
+				logger,
+				send: sink ? (event, data) => sink.event({
+					type: "custom_event",
+					event,
+					data
+				}) : void 0
 			});
 		};
 	}
 	function createSession(sessionOpts) {
+		sinkMap.set(sessionOpts.id, sessionOpts.client);
 		const apiKey = env.ASSEMBLYAI_API_KEY ?? "";
 		return createS2sSession({
 			id: sessionOpts.id,
@@ -1340,6 +1384,7 @@ function createRuntime(opts) {
 	}
 	function startSession(ws, startOpts) {
 		const resumeFrom = startOpts?.resumeFrom;
+		const userOnSessionEnd = startOpts?.onSessionEnd;
 		wireSessionSocket(ws, {
 			sessions,
 			createSession: (sid, client) => createSession({
@@ -1354,7 +1399,11 @@ function createRuntime(opts) {
 			...startOpts?.logContext ? { logContext: startOpts.logContext } : {},
 			...startOpts?.onOpen ? { onOpen: startOpts.onOpen } : {},
 			...startOpts?.onClose ? { onClose: startOpts.onClose } : {},
-			...startOpts?.onSessionEnd ? { onSessionEnd: startOpts.onSessionEnd } : {},
+			...startOpts?.onSinkCreated ? { onSinkCreated: startOpts.onSinkCreated } : {},
+			onSessionEnd: (sid) => {
+				sinkMap.delete(sid);
+				userOnSessionEnd?.(sid);
+			},
 			...sessionStartTimeoutMs !== void 0 ? { sessionStartTimeoutMs } : {},
 			...resumeFrom ? { resumeFrom } : {}
 		});
@@ -1368,6 +1417,7 @@ function createRuntime(opts) {
 			logger.warn(`Shutdown timeout (${shutdownTimeoutMs}ms) exceeded — force-closing ${sessions.size} remaining session(s)`);
 		}
 		sessions.clear();
+		sinkMap.clear();
 	}
 	return {
 		executeTool,
@@ -1515,4 +1565,4 @@ function createServer(options) {
 	};
 }
 //#endregion
-export { DEFAULT_S2S_CONFIG, _internals, buildCtx, connectS2s, consoleLogger, createRuntime, createS2sSession, createServer, createUnstorageKv, defaultCreateS2sWebSocket, executeInIsolate, executeToolCall, jsonLogger, resolveAllBuiltins, wireSessionSocket };
+export { DEFAULT_S2S_CONFIG, _internals, buildCtx, consoleLogger, createRuntime, createS2sSession, createServer, createUnstorageKv, executeInIsolate, executeToolCall, jsonLogger, resolveAllBuiltins, wireSessionSocket };

package/dist/host/runtime.d.ts

@@ -24,6 +24,8 @@ export type SessionStartOptions = {
     onClose?: () => void;
     /** Called with session ID after session cleanup, for guest state cleanup. */
     onSessionEnd?: (sessionId: string) => void;
+    /** Called with session ID and client sink after session setup. Used by sandbox to route custom events. */
+    onSinkCreated?: (sessionId: string, sink: ClientSink) => void;
 };
 /**
  * Common interface for agent runtimes.

package/dist/host/tool-executor.d.ts

@@ -16,5 +16,6 @@ export type ExecuteToolCallOptions = {
     kv?: Kv | undefined;
     messages?: readonly Message[] | undefined;
     logger?: Logger | undefined;
+    send?: ((event: string, data: unknown) => void) | undefined;
 };
 export declare function executeToolCall(name: string, args: Readonly<Record<string, unknown>>, options: ExecuteToolCallOptions): Promise<string>;

package/dist/host/ws-handler.d.ts

@@ -38,6 +38,8 @@ export type WsSessionOptions = {
     onClose?: () => void;
     /** Callback invoked with the session ID after session cleanup. */
     onSessionEnd?: (sessionId: string) => void;
+    /** Callback invoked with the session ID and client sink after session setup. */
+    onSinkCreated?: (sessionId: string, sink: ClientSink) => void;
     /** Logger instance. Defaults to console. */
     logger?: Logger;
     /** Timeout in ms for session.start(). Defaults to 10 000 (10s). */

package/dist/index.d.ts

@@ -4,6 +4,7 @@
  * Types, KV interface, utils, and constants used across
  * aai-cli, aai-server, and aai-ui.
  */
+export * from "./sdk/allowed-hosts.ts";
 export * from "./sdk/constants.ts";
 export * from "./sdk/define.ts";
 export * from "./sdk/kv.ts";

package/dist/index.js

@@ -1,6 +1,95 @@
 import { _ as WS_OPEN, a as DEFAULT_SHUTDOWN_TIMEOUT_MS, c as FETCH_TIMEOUT_MS, d as MAX_PAGE_CHARS, f as MAX_TOOL_RESULT_CHARS, g as TOOL_EXECUTION_TIMEOUT_MS, h as RUN_CODE_TIMEOUT_MS, i as DEFAULT_SESSION_START_TIMEOUT_MS, l as MAX_HTML_BYTES, m as MAX_WS_PAYLOAD_BYTES, n as DEFAULT_IDLE_TIMEOUT_MS, o as DEFAULT_STT_SAMPLE_RATE, p as MAX_VALUE_SIZE, r as DEFAULT_MAX_HISTORY, s as DEFAULT_TTS_SAMPLE_RATE, t as AGENT_CSP, u as MAX_MESSAGE_BUFFER_SIZE } from "./constants-VTFoymJ-.js";
 import { i as ToolChoiceSchema, n as DEFAULT_GREETING, r as DEFAULT_SYSTEM_PROMPT, t as BuiltinToolSchema } from "./types-Cfx_4QDK.js";
 import { i as toolError, n as errorDetail, r as errorMessage, t as parseWsUpgradeParams } from "./ws-upgrade-BeOQ7fXL.js";
+//#region sdk/allowed-hosts.ts
+/**
+* Allowlist matching for outbound host validation.
+*
+* Used at deploy time (manifest validation) and at runtime (SSRF enforcement)
+* to restrict which external hosts an agent is permitted to contact.
+*
+* Lives in sdk/ because it has zero Node.js dependencies and can run in any
+* environment (browser, Deno, Node.js sandboxes).
+*/
+/** Private/special-use TLDs that must never appear in allowedHosts patterns. */
+const BLOCKED_TLDS = [
+	"local",
+	"internal",
+	"localhost"
+];
+/**
+* Regex that matches an IPv4 address (four decimal octets separated by dots).
+* Anchored so partial matches like "192.168.1.1.example.com" don't trigger it.
+*/
+const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
+function fail(reason) {
+	return {
+		valid: false,
+		reason
+	};
+}
+function checkStructural(pattern) {
+	if (pattern === "") return fail("Pattern must not be empty.");
+	if (pattern.includes("://")) return fail("Pattern must not include a protocol (e.g. remove 'https://').");
+	if (pattern.includes("/")) return fail("Pattern must not include a path component (remove '/').");
+	if (pattern.includes("?")) return fail("Pattern must not include a query string (remove '?').");
+	if (pattern.startsWith("[") || pattern.includes("::")) return fail("IP address literals are not allowed in allowedHosts patterns.");
+	if (pattern.includes(":")) return fail("Pattern must not include a port number (e.g. remove ':8080').");
+	return null;
+}
+function checkWildcard(pattern) {
+	if (!pattern.includes("*")) return null;
+	if (pattern === "*" || pattern === "**") return fail("Bare wildcard '*' is not allowed. Use '*.example.com' to allow all subdomains.");
+	if (pattern.indexOf("*") !== 0 || pattern[1] !== ".") return fail("Wildcard '*' may only appear as the leading segment (e.g. '*.example.com').");
+	if (pattern.lastIndexOf("*") !== 0) return fail("Only a single leading wildcard segment is supported.");
+	return null;
+}
+function checkHostPart(hostPart) {
+	if (IPV4_RE.test(hostPart)) return fail("IP address literals are not allowed in allowedHosts patterns.");
+	const tld = hostPart.split(".").at(-1)?.toLowerCase() ?? "";
+	if (BLOCKED_TLDS.includes(tld)) return fail(`Patterns ending in '.${tld}' are not allowed (private/special-use TLD).`);
+	return null;
+}
+/**
+* Validate a single `allowedHosts` pattern at deploy time.
+*
+* Returns `{ valid: true }` for acceptable patterns or
+* `{ valid: false; reason: string }` with a human-readable rejection reason.
+*/
+function validateAllowedHostPattern(pattern) {
+	const structural = checkStructural(pattern);
+	if (structural !== null) return structural;
+	const wildcard = checkWildcard(pattern);
+	if (wildcard !== null) return wildcard;
+	const hostCheck = checkHostPart(pattern.startsWith("*.") ? pattern.slice(2) : pattern);
+	if (hostCheck !== null) return hostCheck;
+	return { valid: true };
+}
+/**
+* Test whether `hostname` matches any pattern in `patterns`.
+*
+* - Exact match is case-insensitive; trailing dots on the hostname are stripped.
+* - Wildcard pattern `*.example.com` matches any hostname ending with
+*   `.example.com` (one or more labels), but does NOT match `example.com` itself.
+* - A port suffix on `hostname` (e.g. `api.example.com:8080`) is stripped before
+*   matching.
+* - Returns `false` when `patterns` is empty.
+*/
+function matchesAllowedHost(hostname, patterns) {
+	if (patterns.length === 0) return false;
+	const portIndex = hostname.lastIndexOf(":");
+	let host = portIndex !== -1 && !hostname.includes("[") ? hostname.slice(0, portIndex) : hostname;
+	host = host.toLowerCase().replace(/\.$/, "");
+	for (const pattern of patterns) {
+		const p = pattern.toLowerCase();
+		if (p.startsWith("*.")) {
+			const suffix = p.slice(1);
+			if (host.endsWith(suffix) && host.length > suffix.length) return true;
+		} else if (host === p) return true;
+	}
+	return false;
+}
+//#endregion
 //#region sdk/define.ts
 /**
 * Define a tool with typed parameters and execute function.
@@ -60,4 +149,4 @@ function agent(def) {
 	};
 }
 //#endregion
-export { AGENT_CSP, BuiltinToolSchema, DEFAULT_GREETING, DEFAULT_IDLE_TIMEOUT_MS, DEFAULT_MAX_HISTORY, DEFAULT_SESSION_START_TIMEOUT_MS, DEFAULT_SHUTDOWN_TIMEOUT_MS, DEFAULT_STT_SAMPLE_RATE, DEFAULT_SYSTEM_PROMPT, DEFAULT_TTS_SAMPLE_RATE, FETCH_TIMEOUT_MS, MAX_HTML_BYTES, MAX_MESSAGE_BUFFER_SIZE, MAX_PAGE_CHARS, MAX_TOOL_RESULT_CHARS, MAX_VALUE_SIZE, MAX_WS_PAYLOAD_BYTES, RUN_CODE_TIMEOUT_MS, TOOL_EXECUTION_TIMEOUT_MS, ToolChoiceSchema, WS_OPEN, agent, errorDetail, errorMessage, parseWsUpgradeParams, tool, toolError };
+export { AGENT_CSP, BuiltinToolSchema, DEFAULT_GREETING, DEFAULT_IDLE_TIMEOUT_MS, DEFAULT_MAX_HISTORY, DEFAULT_SESSION_START_TIMEOUT_MS, DEFAULT_SHUTDOWN_TIMEOUT_MS, DEFAULT_STT_SAMPLE_RATE, DEFAULT_SYSTEM_PROMPT, DEFAULT_TTS_SAMPLE_RATE, FETCH_TIMEOUT_MS, MAX_HTML_BYTES, MAX_MESSAGE_BUFFER_SIZE, MAX_PAGE_CHARS, MAX_TOOL_RESULT_CHARS, MAX_VALUE_SIZE, MAX_WS_PAYLOAD_BYTES, RUN_CODE_TIMEOUT_MS, TOOL_EXECUTION_TIMEOUT_MS, ToolChoiceSchema, WS_OPEN, agent, errorDetail, errorMessage, matchesAllowedHost, parseWsUpgradeParams, tool, toolError, validateAllowedHostPattern };

package/dist/sdk/allowed-hosts.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Allowlist matching for outbound host validation.
+ *
+ * Used at deploy time (manifest validation) and at runtime (SSRF enforcement)
+ * to restrict which external hosts an agent is permitted to contact.
+ *
+ * Lives in sdk/ because it has zero Node.js dependencies and can run in any
+ * environment (browser, Deno, Node.js sandboxes).
+ */
+type ValidationResult = {
+    valid: true;
+} | {
+    valid: false;
+    reason: string;
+};
+/**
+ * Validate a single `allowedHosts` pattern at deploy time.
+ *
+ * Returns `{ valid: true }` for acceptable patterns or
+ * `{ valid: false; reason: string }` with a human-readable rejection reason.
+ */
+export declare function validateAllowedHostPattern(pattern: string): ValidationResult;
+/**
+ * Test whether `hostname` matches any pattern in `patterns`.
+ *
+ * - Exact match is case-insensitive; trailing dots on the hostname are stripped.
+ * - Wildcard pattern `*.example.com` matches any hostname ending with
+ *   `.example.com` (one or more labels), but does NOT match `example.com` itself.
+ * - A port suffix on `hostname` (e.g. `api.example.com:8080`) is stripped before
+ *   matching.
+ * - Returns `false` when `patterns` is empty.
+ */
+export declare function matchesAllowedHost(hostname: string, patterns: string[]): boolean;
+export {};

package/dist/sdk/manifest-barrel.d.ts

@@ -1,8 +1,6 @@
 /**
- * Manifest barrel — agent manifest parsing and tool schema conversion.
+ * Manifest barrel — agent config conversion and tool schema handling.
  *
- * Used by aai-cli (scanner, bundler) and aai-server (tests).
+ * Used by aai-cli (bundler) and aai-server (rpc-schemas).
  */
-export * from "./_internal-types.ts";
-export * from "./manifest.ts";
-export * from "./system-prompt.ts";
+export { type AgentConfig, AgentConfigSchema, type AgentConfigSource, agentToolsToSchemas, EMPTY_PARAMS, type ExecuteTool, type ToolSchema, ToolSchemaSchema, toAgentConfig, } from "./_internal-types.ts";

package/dist/sdk/manifest-barrel.js

@@ -1,52 +1,2 @@
-import { r as DEFAULT_SYSTEM_PROMPT, t as BuiltinToolSchema } from "../types-Cfx_4QDK.js";
-import { a as agentToolsToSchemas, i as ToolSchemaSchema, n as AgentConfigSchema, o as toAgentConfig, r as EMPTY_PARAMS, t as buildSystemPrompt } from "../system-prompt-nik_iavo.js";
-import { z } from "zod";
-//#region sdk/manifest.ts
-/**
-* Canonical manifest format for directory-based agents.
-*
-* Flows from build → host → sdk. Validated via Zod at the boundary,
-* then used as a plain typed object throughout the runtime.
-*/
-const ToolManifestSchema = z.object({
-	description: z.string(),
-	parameters: z.record(z.string(), z.unknown()).optional()
-});
-const ManifestSchema = z.object({
-	name: z.string().min(1),
-	systemPrompt: z.string().optional(),
-	greeting: z.string().optional(),
-	sttPrompt: z.string().optional(),
-	builtinTools: z.array(BuiltinToolSchema).optional(),
-	maxSteps: z.number().int().positive().optional(),
-	toolChoice: z.enum(["auto", "required"]).optional(),
-	idleTimeoutMs: z.number().int().positive().optional(),
-	theme: z.record(z.string(), z.string()).optional(),
-	tools: z.record(z.string(), ToolManifestSchema).optional()
-});
-/**
-* Parse and normalize a raw agent manifest, applying defaults for all
-* optional fields. Input is typically the JSON from a bundled agent.ts.
-*
-* Key defaults:
-* - `maxSteps`: 5 — prevents runaway tool-call loops in a single reply
-* - `toolChoice`: "auto" — LLM decides when to use tools vs respond directly
-* - `builtinTools`: [] — no built-in tools unless explicitly opted in
-*/
-function parseManifest(input) {
-	const parsed = ManifestSchema.parse(input);
-	return {
-		name: parsed.name,
-		systemPrompt: parsed.systemPrompt ?? DEFAULT_SYSTEM_PROMPT,
-		greeting: parsed.greeting ?? "Hey there. I'm a voice assistant. What can I help you with?",
-		sttPrompt: parsed.sttPrompt,
-		builtinTools: parsed.builtinTools ?? [],
-		maxSteps: parsed.maxSteps ?? 5,
-		toolChoice: parsed.toolChoice ?? "auto",
-		idleTimeoutMs: parsed.idleTimeoutMs,
-		theme: parsed.theme,
-		tools: parsed.tools ?? {}
-	};
-}
-//#endregion
-export { AgentConfigSchema, EMPTY_PARAMS, ToolSchemaSchema, agentToolsToSchemas, buildSystemPrompt, parseManifest, toAgentConfig };
+import { a as toAgentConfig, i as agentToolsToSchemas, n as EMPTY_PARAMS, r as ToolSchemaSchema, t as AgentConfigSchema } from "../_internal-types-CoDTiBd1.js";
+export { AgentConfigSchema, EMPTY_PARAMS, ToolSchemaSchema, agentToolsToSchemas, toAgentConfig };

package/dist/sdk/manifest.d.ts

@@ -37,6 +37,8 @@ export type Manifest = {
     theme?: Record<string, string> | undefined;
     /** Custom tool definitions keyed by tool name. */
     tools: Record<string, ToolManifest>;
+    /** Hostnames the agent is allowed to fetch. Empty = no fetch access. */
+    allowedHosts: string[];
 };
 /**
  * Parse and normalize a raw agent manifest, applying defaults for all

package/dist/sdk/protocol.d.ts

@@ -4,23 +4,6 @@
  * Note: this module is for internal use only and should not be used directly.
  */
 import { z } from "zod";
-/**
- * Audio codec identifier used in the wire protocol.
- *
- * All audio frames are 16-bit signed PCM, little-endian, mono.
- */
-export declare const AUDIO_FORMAT = "pcm16";
-/**
- * Minimal envelope schema for two-phase message parsing.
- *
- * When a strict schema (ServerMessageSchema / ClientMessageSchema) rejects a
- * message, this schema determines whether the message is a valid but
- * *unrecognised* type (safe to ignore during rolling upgrades) or genuinely
- * malformed (should be warned about).
- */
-export declare const MessageEnvelopeSchema: z.ZodObject<{
-    type: z.ZodString;
-}, z.core.$loose>;
 /**
  * Two-phase message parse: tries the strict schema first, then falls back to
  * the envelope to distinguish unknown-but-valid types (safe to ignore during
@@ -77,6 +60,7 @@ export type KvRequest = z.infer<typeof KvRequestSchema>;
  * @public
  */
 export declare const SessionErrorCodeSchema: z.ZodEnum<{
+    internal: "internal";
     tool: "tool";
     connection: "connection";
     stt: "stt";
@@ -84,7 +68,6 @@ export declare const SessionErrorCodeSchema: z.ZodEnum<{
     tts: "tts";
     protocol: "protocol";
     audio: "audio";
-    internal: "internal";
 }>;
 /**
  * Error codes for categorizing session errors on the wire.
@@ -124,6 +107,7 @@ export declare const ClientEventSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     type: z.ZodLiteral<"error">;
     code: z.ZodEnum<{
+        internal: "internal";
         tool: "tool";
         connection: "connection";
         stt: "stt";
@@ -131,9 +115,12 @@ export declare const ClientEventSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
         tts: "tts";
         protocol: "protocol";
         audio: "audio";
-        internal: "internal";
     }>;
     message: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"custom_event">;
+    event: z.ZodString;
+    data: z.ZodUnknown;
 }, z.core.$strip>], "type">;
 /** Discriminated union of all server→client session events. */
 export type ClientEvent = z.infer<typeof ClientEventSchema>;
@@ -152,8 +139,6 @@ export interface ClientSink {
     /** Signal that TTS audio is complete. */
     playAudioDone(): void;
 }
-/** Supported audio formats for the wire protocol. */
-export type AudioFormatId = "pcm16";
 /** Zod schema for {@link ReadyConfig}. */
 export declare const ReadyConfigSchema: z.ZodObject<{
     audioFormat: z.ZodEnum<{
@@ -204,6 +189,7 @@ export declare const ServerMessageSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     type: z.ZodLiteral<"error">;
     code: z.ZodEnum<{
+        internal: "internal";
         tool: "tool";
         connection: "connection";
         stt: "stt";
@@ -211,9 +197,12 @@ export declare const ServerMessageSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
         tts: "tts";
         protocol: "protocol";
         audio: "audio";
-        internal: "internal";
     }>;
     message: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"custom_event">;
+    event: z.ZodString;
+    data: z.ZodUnknown;
 }, z.core.$strip>], "type">;
 /** Server→client text messages (binary frames carry raw PCM16 audio). */
 export type ServerMessage = z.infer<typeof ServerMessageSchema>;
@@ -241,9 +230,3 @@ export declare function buildReadyConfig(s2sConfig: {
     inputSampleRate: number;
     outputSampleRate: number;
 }): ReadyConfig;
-/** Zod schema for {@link TurnConfig}. */
-export declare const TurnConfigSchema: z.ZodObject<{
-    maxSteps: z.ZodOptional<z.ZodNumber>;
-}, z.core.$strip>;
-/** Combined turn configuration resolved from the worker before a turn starts. */
-export type TurnConfig = z.infer<typeof TurnConfigSchema>;