@copilotkitnext/runtime 0.0.18 → 0.0.19-threads-and-attachements.1

package/dist/index.js

@@ -25,14 +25,21 @@ __export(index_exports, {
   InMemoryAgentRunner: () => InMemoryAgentRunner,
   VERSION: () => VERSION,
   createCopilotEndpoint: () => createCopilotEndpoint,
-  finalizeRunEvents: () => import_shared4.finalizeRunEvents
+  createFilteringThreadScopeResolver: () => createFilteringThreadScopeResolver,
+  createStrictThreadScopeResolver: () => createStrictThreadScopeResolver,
+  filterAuthorizedResourceIds: () => filterAuthorizedResourceIds,
+  finalizeRunEvents: () => import_shared5.finalizeRunEvents,
+  validateResourceIdMatch: () => validateResourceIdMatch
 });
 module.exports = __toCommonJS(index_exports);
 
+// src/runtime.ts
+var import_shared2 = require("@copilotkitnext/shared");
+
 // package.json
 var package_default = {
   name: "@copilotkitnext/runtime",
-  version: "0.0.18",
+  version: "0.0.19-threads-and-attachements.1",
   description: "Server-side runtime package for CopilotKit2",
   main: "dist/index.js",
   types: "dist/index.d.ts",
@@ -68,9 +75,9 @@ var package_default = {
     vitest: "^3.0.5"
   },
   dependencies: {
-    "@ag-ui/client": "0.0.40-alpha.6",
-    "@ag-ui/core": "0.0.40-alpha.6",
-    "@ag-ui/encoder": "0.0.40-alpha.6",
+    "@ag-ui/client": "0.0.40-alpha.7",
+    "@ag-ui/core": "0.0.40-alpha.7",
+    "@ag-ui/encoder": "0.0.40-alpha.7",
     "@copilotkitnext/shared": "workspace:*",
     hono: "^4.6.13",
     rxjs: "7.8.1"
@@ -93,8 +100,10 @@ var import_rxjs = require("rxjs");
 var import_client = require("@ag-ui/client");
 var import_shared = require("@copilotkitnext/shared");
 var InMemoryEventStore = class {
-  constructor(threadId) {
+  constructor(threadId, resourceIds, properties) {
     this.threadId = threadId;
+    this.resourceIds = resourceIds;
+    this.properties = properties;
   }
   /** The subject that current consumers subscribe to. */
   subject = null;
@@ -114,11 +123,41 @@ var InMemoryEventStore = class {
   currentEvents = null;
 };
 var GLOBAL_STORE = /* @__PURE__ */ new Map();
+function matchesScope(store, scope) {
+  if (scope === void 0 || scope === null) {
+    return true;
+  }
+  const scopeIds = Array.isArray(scope.resourceId) ? scope.resourceId : [scope.resourceId];
+  return scopeIds.some((scopeId) => store.resourceIds.includes(scopeId));
+}
 var InMemoryAgentRunner = class extends AgentRunner {
   run(request) {
     let existingStore = GLOBAL_STORE.get(request.threadId);
-    if (!existingStore) {
-      existingStore = new InMemoryEventStore(request.threadId);
+    if (!existingStore && request.scope === null) {
+      throw new Error(
+        "Cannot create thread with null scope. Admin users must specify an explicit resourceId for the thread owner."
+      );
+    }
+    let resourceIds;
+    if (request.scope === void 0) {
+      resourceIds = ["global"];
+    } else if (request.scope === null) {
+      resourceIds = [];
+    } else if (Array.isArray(request.scope.resourceId)) {
+      if (request.scope.resourceId.length === 0) {
+        throw new Error("Invalid scope: resourceId array cannot be empty");
+      }
+      resourceIds = request.scope.resourceId;
+    } else {
+      resourceIds = [request.scope.resourceId];
+    }
+    if (existingStore) {
+      if (request.scope !== null && !matchesScope(existingStore, request.scope)) {
+        throw new Error("Unauthorized: Cannot run on thread owned by different resource");
+      }
+      resourceIds = existingStore.resourceIds;
+    } else {
+      existingStore = new InMemoryEventStore(request.threadId, resourceIds, request.scope?.properties);
       GLOBAL_STORE.set(request.threadId, existingStore);
     }
     const store = existingStore;
@@ -162,9 +201,7 @@ var InMemoryAgentRunner = class extends AgentRunner {
             if (event.type === import_client.EventType.RUN_STARTED) {
               const runStartedEvent = event;
               if (!runStartedEvent.input) {
-                const sanitizedMessages = request.input.messages ? request.input.messages.filter(
-                  (message) => !historicMessageIds.has(message.id)
-                ) : void 0;
+                const sanitizedMessages = request.input.messages ? request.input.messages.filter((message) => !historicMessageIds.has(message.id)) : void 0;
                 const updatedInput = {
                   ...request.input,
                   ...sanitizedMessages !== void 0 ? { messages: sanitizedMessages } : {}
@@ -261,7 +298,7 @@ var InMemoryAgentRunner = class extends AgentRunner {
   connect(request) {
     const store = GLOBAL_STORE.get(request.threadId);
     const connectionSubject = new import_rxjs.ReplaySubject(Infinity);
-    if (!store) {
+    if (!store || !matchesScope(store, request.scope)) {
       connectionSubject.complete();
       return connectionSubject.asObservable();
     }
@@ -297,54 +334,256 @@ var InMemoryAgentRunner = class extends AgentRunner {
     const store = GLOBAL_STORE.get(request.threadId);
     return Promise.resolve(store?.isRunning ?? false);
   }
-  stop(request) {
+  async stop(request) {
     const store = GLOBAL_STORE.get(request.threadId);
-    if (!store || !store.isRunning) {
-      return Promise.resolve(false);
-    }
-    if (store.stopRequested) {
-      return Promise.resolve(false);
+    if (!store) {
+      return false;
     }
-    store.stopRequested = true;
-    store.isRunning = false;
-    const agent = store.agent;
-    if (!agent) {
-      store.stopRequested = false;
+    if (store.isRunning) {
+      store.stopRequested = true;
       store.isRunning = false;
-      return Promise.resolve(false);
+      const agent = store.agent;
+      try {
+        if (agent) {
+          agent.abortRun();
+          return true;
+        }
+        return false;
+      } catch (error) {
+        console.warn("Failed to abort in-memory runner:", error);
+        store.stopRequested = false;
+        store.isRunning = true;
+        return false;
+      }
     }
-    try {
-      agent.abortRun();
-      return Promise.resolve(true);
-    } catch (error) {
-      console.error("Failed to abort agent run", error);
-      store.stopRequested = false;
-      store.isRunning = true;
-      return Promise.resolve(false);
+    return false;
+  }
+  async listThreads(request) {
+    const limit = request.limit ?? 50;
+    const offset = request.offset ?? 0;
+    if (request.scope !== void 0 && request.scope !== null) {
+      const scopeIds = Array.isArray(request.scope.resourceId) ? request.scope.resourceId : [request.scope.resourceId];
+      if (scopeIds.length === 0) {
+        return { threads: [], total: 0 };
+      }
+    }
+    const threadInfos = [];
+    for (const [threadId, store] of GLOBAL_STORE.entries()) {
+      if (threadId.includes("-suggestions-")) {
+        continue;
+      }
+      if (!matchesScope(store, request.scope)) {
+        continue;
+      }
+      if (store.historicRuns.length === 0) {
+        continue;
+      }
+      const firstRun = store.historicRuns[0];
+      const lastRun = store.historicRuns[store.historicRuns.length - 1];
+      if (!firstRun || !lastRun) {
+        continue;
+      }
+      threadInfos.push({
+        threadId,
+        createdAt: firstRun.createdAt,
+        lastActivityAt: lastRun.createdAt,
+        store
+      });
+    }
+    threadInfos.sort((a, b) => b.lastActivityAt - a.lastActivityAt);
+    const total = threadInfos.length;
+    const paginatedInfos = threadInfos.slice(offset, offset + limit);
+    const threads = paginatedInfos.map((info) => {
+      let firstMessage;
+      const firstRun = info.store.historicRuns[0];
+      if (firstRun) {
+        const textContent = firstRun.events.find((e) => e.type === import_client.EventType.TEXT_MESSAGE_CONTENT);
+        if (textContent?.delta) {
+          firstMessage = textContent.delta.substring(0, 100);
+        }
+      }
+      const messageIds = /* @__PURE__ */ new Set();
+      for (const run of info.store.historicRuns) {
+        for (const event of run.events) {
+          if ("messageId" in event && typeof event.messageId === "string") {
+            messageIds.add(event.messageId);
+          }
+        }
+      }
+      return {
+        threadId: info.threadId,
+        createdAt: info.createdAt,
+        lastActivityAt: info.lastActivityAt,
+        isRunning: info.store.isRunning,
+        messageCount: messageIds.size,
+        firstMessage,
+        resourceId: info.store.resourceIds[0] || "unknown",
+        // Return first for backward compatibility
+        properties: info.store.properties
+      };
+    });
+    return { threads, total };
+  }
+  async getThreadMetadata(threadId, scope) {
+    const store = GLOBAL_STORE.get(threadId);
+    if (!store || !matchesScope(store, scope) || store.historicRuns.length === 0) {
+      return null;
+    }
+    const firstRun = store.historicRuns[0];
+    const lastRun = store.historicRuns[store.historicRuns.length - 1];
+    if (!firstRun || !lastRun) {
+      return null;
+    }
+    let firstMessage;
+    const textContent = firstRun.events.find((e) => e.type === import_client.EventType.TEXT_MESSAGE_CONTENT);
+    if (textContent?.delta) {
+      firstMessage = textContent.delta.substring(0, 100);
+    }
+    const messageIds = /* @__PURE__ */ new Set();
+    for (const run of store.historicRuns) {
+      for (const event of run.events) {
+        if ("messageId" in event && typeof event.messageId === "string") {
+          messageIds.add(event.messageId);
+        }
+      }
+    }
+    return {
+      threadId,
+      createdAt: firstRun.createdAt,
+      lastActivityAt: lastRun.createdAt,
+      isRunning: store.isRunning,
+      messageCount: messageIds.size,
+      firstMessage,
+      resourceId: store.resourceIds[0] || "unknown",
+      // Return first for backward compatibility
+      properties: store.properties
+    };
+  }
+  async deleteThread(threadId, scope) {
+    const store = GLOBAL_STORE.get(threadId);
+    if (!store || !matchesScope(store, scope)) {
+      return;
+    }
+    if (store.agent) {
+      try {
+        store.agent.abortRun();
+      } catch (error) {
+        console.warn("Failed to abort agent during thread deletion:", error);
+      }
+    }
+    store.subject?.complete();
+    GLOBAL_STORE.delete(threadId);
+  }
+  /**
+   * Clear all threads from the global store (for testing purposes only)
+   * @internal
+   */
+  clearAllThreads() {
+    for (const [threadId, store] of GLOBAL_STORE.entries()) {
+      if (store.agent) {
+        try {
+          store.agent.abortRun();
+        } catch (error) {
+          console.warn("Failed to abort agent during clearAllThreads:", error);
+        }
+      }
+      store.subject?.complete();
+      GLOBAL_STORE.delete(threadId);
     }
   }
 };
 
 // src/runtime.ts
 var VERSION = package_default.version;
-var CopilotRuntime = class {
+var CopilotRuntime = class _CopilotRuntime {
+  /**
+   * Built-in global scope for single-user apps or demos.
+   *
+   * All threads are globally accessible when using this scope.
+   *
+   * @example
+   * ```typescript
+   * new CopilotRuntime({
+   *   agents: { myAgent },
+   *   resolveThreadsScope: CopilotRuntime.GLOBAL_SCOPE,
+   *   suppressResourceIdWarning: true
+   * });
+   * ```
+   */
+  static GLOBAL_SCOPE = async (context) => ({
+    resourceId: "global"
+  });
+  /**
+   * Parses the client-declared resource ID(s) from the request header.
+   *
+   * This is a utility method used internally by handlers to extract the
+   * `X-CopilotKit-Resource-ID` header sent by the client via `CopilotKitProvider`.
+   *
+   * **You typically don't need to call this directly** - it's automatically called
+   * by the runtime handlers and passed to your `resolveThreadsScope` function as
+   * the `clientDeclared` parameter.
+   *
+   * @param request - The incoming HTTP request
+   * @returns The parsed resource ID(s), or undefined if header is missing
+   *          - Returns a string if single ID
+   *          - Returns an array if multiple comma-separated IDs
+   *          - Returns undefined if header not present
+   *
+   * @example
+   * ```typescript
+   * // Automatically used internally:
+   * const clientDeclared = CopilotRuntime.parseClientDeclaredResourceId(request);
+   * const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+   * ```
+   */
+  static parseClientDeclaredResourceId(request) {
+    const header = request.headers.get("X-CopilotKit-Resource-ID");
+    if (!header) {
+      return void 0;
+    }
+    const values = header.split(",").map((v) => decodeURIComponent(v.trim()));
+    return values.length === 1 ? values[0] : values;
+  }
   agents;
   transcriptionService;
   beforeRequestMiddleware;
   afterRequestMiddleware;
   runner;
+  resolveThreadsScope;
+  suppressResourceIdWarning;
   constructor({
     agents,
     transcriptionService,
     beforeRequestMiddleware,
     afterRequestMiddleware,
-    runner
+    runner,
+    resolveThreadsScope,
+    suppressResourceIdWarning = false
   }) {
     this.agents = agents;
     this.transcriptionService = transcriptionService;
     this.beforeRequestMiddleware = beforeRequestMiddleware;
     this.afterRequestMiddleware = afterRequestMiddleware;
     this.runner = runner ?? new InMemoryAgentRunner();
+    this.resolveThreadsScope = resolveThreadsScope ?? _CopilotRuntime.GLOBAL_SCOPE;
+    this.suppressResourceIdWarning = suppressResourceIdWarning;
+    if (!resolveThreadsScope && !suppressResourceIdWarning) {
+      this.logGlobalScopeWarning();
+    }
+  }
+  logGlobalScopeWarning() {
+    const isProduction = process.env.NODE_ENV === "production";
+    if (isProduction) {
+      import_shared2.logger.error({
+        msg: "CopilotKit Security Warning: GLOBAL_SCOPE in production",
+        details: "No resolveThreadsScope configured. All threads are globally accessible to all users. Configure authentication for production: https://docs.copilotkit.ai/security/thread-scoping To suppress this warning (if intentional), set suppressResourceIdWarning: true"
+      });
+    } else {
+      import_shared2.logger.warn({
+        msg: "CopilotKit: Using GLOBAL_SCOPE",
+        details: "No resolveThreadsScope configured. All threads are globally accessible. This is fine for development, but add authentication for production: https://docs.copilotkit.ai/security/thread-scoping"
+      });
+    }
   }
 };
 
@@ -355,11 +594,7 @@ var import_cors = require("hono/cors");
 // src/handlers/handle-run.ts
 var import_client2 = require("@ag-ui/client");
 var import_encoder = require("@ag-ui/encoder");
-async function handleRunAgent({
-  runtime,
-  request,
-  agentId
-}) {
+async function handleRunAgent({ runtime, request, agentId }) {
   try {
     const agents = await runtime.agents;
     if (!agents[agentId]) {
@@ -396,6 +631,23 @@ async function handleRunAgent({
     const writer = stream.writable.getWriter();
     const encoder = new import_encoder.EventEncoder();
     let streamClosed = false;
+    let subscription;
+    let abortListener;
+    const cleanupAbortListener = () => {
+      if (abortListener) {
+        request.signal.removeEventListener("abort", abortListener);
+        abortListener = void 0;
+      }
+    };
+    const closeStream = async () => {
+      if (!streamClosed) {
+        try {
+          await writer.close();
+        } catch {
+        }
+        streamClosed = true;
+      }
+    };
     (async () => {
       let input;
       try {
@@ -409,13 +661,26 @@ async function handleRunAgent({
           { status: 400 }
         );
       }
+      const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+      const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+      if (scope === void 0) {
+        throw new Error("Unauthorized: No resource scope provided");
+      }
       agent.setMessages(input.messages);
       agent.setState(input.state);
       agent.threadId = input.threadId;
-      runtime.runner.run({
+      const stopRunner = async () => {
+        try {
+          await runtime.runner.stop({ threadId: input.threadId });
+        } catch (stopError) {
+          console.error("Error stopping runner:", stopError);
+        }
+      };
+      subscription = runtime.runner.run({
         threadId: input.threadId,
         agent,
-        input
+        input,
+        scope
       }).subscribe({
         next: async (event) => {
           if (!request.signal.aborted && !streamClosed) {
@@ -430,42 +695,39 @@ async function handleRunAgent({
         },
         error: async (error) => {
           console.error("Error running agent:", error);
-          if (!streamClosed) {
-            try {
-              await writer.close();
-              streamClosed = true;
-            } catch {
-            }
-          }
+          cleanupAbortListener();
+          await closeStream();
         },
         complete: async () => {
-          if (!streamClosed) {
-            try {
-              await writer.close();
-              streamClosed = true;
-            } catch {
-            }
-          }
+          cleanupAbortListener();
+          await closeStream();
         }
       });
+      const handleAbort = () => {
+        subscription?.unsubscribe();
+        subscription = void 0;
+        cleanupAbortListener();
+        void stopRunner();
+        void closeStream();
+      };
+      if (request.signal.aborted) {
+        handleAbort();
+      } else {
+        abortListener = handleAbort;
+        request.signal.addEventListener("abort", abortListener);
+      }
     })().catch((error) => {
       console.error("Error running agent:", error);
-      console.error(
-        "Error stack:",
-        error instanceof Error ? error.stack : "No stack trace"
-      );
+      console.error("Error stack:", error instanceof Error ? error.stack : "No stack trace");
       console.error("Error details:", {
         name: error instanceof Error ? error.name : "Unknown",
         message: error instanceof Error ? error.message : String(error),
         cause: error instanceof Error ? error.cause : void 0
       });
-      if (!streamClosed) {
-        try {
-          writer.close();
-          streamClosed = true;
-        } catch {
-        }
-      }
+      subscription?.unsubscribe();
+      subscription = void 0;
+      cleanupAbortListener();
+      void closeStream();
     });
     return new Response(stream.readable, {
       status: 200,
@@ -477,10 +739,7 @@ async function handleRunAgent({
     });
   } catch (error) {
     console.error("Error running agent:", error);
-    console.error(
-      "Error stack:",
-      error instanceof Error ? error.stack : "No stack trace"
-    );
+    console.error("Error stack:", error instanceof Error ? error.stack : "No stack trace");
     console.error("Error details:", {
       name: error instanceof Error ? error.name : "Unknown",
       message: error instanceof Error ? error.message : String(error),
@@ -638,10 +897,10 @@ async function handleTranscribe({
 }
 
 // src/endpoint.ts
-var import_shared3 = require("@copilotkitnext/shared");
+var import_shared4 = require("@copilotkitnext/shared");
 
 // src/middleware.ts
-var import_shared2 = require("@copilotkitnext/shared");
+var import_shared3 = require("@copilotkitnext/shared");
 async function callBeforeRequestMiddleware({
   runtime,
   request,
@@ -652,7 +911,7 @@ async function callBeforeRequestMiddleware({
   if (typeof mw === "function") {
     return mw({ runtime, request, path });
   }
-  import_shared2.logger.warn({ mw }, "Unsupported beforeRequestMiddleware value \u2013 skipped");
+  import_shared3.logger.warn({ mw }, "Unsupported beforeRequestMiddleware value \u2013 skipped");
   return;
 }
 async function callAfterRequestMiddleware({
@@ -665,17 +924,13 @@ async function callAfterRequestMiddleware({
   if (typeof mw === "function") {
     return mw({ runtime, response, path });
   }
-  import_shared2.logger.warn({ mw }, "Unsupported afterRequestMiddleware value \u2013 skipped");
+  import_shared3.logger.warn({ mw }, "Unsupported afterRequestMiddleware value \u2013 skipped");
 }
 
 // src/handlers/handle-connect.ts
 var import_client3 = require("@ag-ui/client");
 var import_encoder2 = require("@ag-ui/encoder");
-async function handleConnectAgent({
-  runtime,
-  request,
-  agentId
-}) {
+async function handleConnectAgent({ runtime, request, agentId }) {
   try {
     const agents = await runtime.agents;
     if (!agents[agentId]) {
@@ -694,6 +949,23 @@ async function handleConnectAgent({
     const writer = stream.writable.getWriter();
     const encoder = new import_encoder2.EventEncoder();
     let streamClosed = false;
+    let subscription;
+    let abortListener;
+    const cleanupAbortListener = () => {
+      if (abortListener) {
+        request.signal.removeEventListener("abort", abortListener);
+        abortListener = void 0;
+      }
+    };
+    const closeStream = async () => {
+      if (!streamClosed) {
+        try {
+          await writer.close();
+        } catch {
+        }
+        streamClosed = true;
+      }
+    };
     (async () => {
       let input;
       try {
@@ -707,8 +979,14 @@ async function handleConnectAgent({
           { status: 400 }
         );
       }
-      runtime.runner.connect({
-        threadId: input.threadId
+      const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+      const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+      if (scope === void 0) {
+        throw new Error("Unauthorized: No resource scope provided");
+      }
+      subscription = runtime.runner.connect({
+        threadId: input.threadId,
+        scope
       }).subscribe({
         next: async (event) => {
           if (!request.signal.aborted && !streamClosed) {
@@ -723,42 +1001,38 @@ async function handleConnectAgent({
         },
         error: async (error) => {
           console.error("Error running agent:", error);
-          if (!streamClosed) {
-            try {
-              await writer.close();
-              streamClosed = true;
-            } catch {
-            }
-          }
+          cleanupAbortListener();
+          await closeStream();
         },
         complete: async () => {
-          if (!streamClosed) {
-            try {
-              await writer.close();
-              streamClosed = true;
-            } catch {
-            }
-          }
+          cleanupAbortListener();
+          await closeStream();
         }
       });
+      const handleAbort = () => {
+        subscription?.unsubscribe();
+        subscription = void 0;
+        cleanupAbortListener();
+        void closeStream();
+      };
+      if (request.signal.aborted) {
+        handleAbort();
+      } else {
+        abortListener = handleAbort;
+        request.signal.addEventListener("abort", abortListener);
+      }
     })().catch((error) => {
       console.error("Error running agent:", error);
-      console.error(
-        "Error stack:",
-        error instanceof Error ? error.stack : "No stack trace"
-      );
+      console.error("Error stack:", error instanceof Error ? error.stack : "No stack trace");
       console.error("Error details:", {
         name: error instanceof Error ? error.name : "Unknown",
         message: error instanceof Error ? error.message : String(error),
         cause: error instanceof Error ? error.cause : void 0
       });
-      if (!streamClosed) {
-        try {
-          writer.close();
-          streamClosed = true;
-        } catch {
-        }
-      }
+      subscription?.unsubscribe();
+      subscription = void 0;
+      cleanupAbortListener();
+      void closeStream();
     });
     return new Response(stream.readable, {
       status: 200,
@@ -770,10 +1044,7 @@ async function handleConnectAgent({
     });
   } catch (error) {
     console.error("Error running agent:", error);
-    console.error(
-      "Error stack:",
-      error instanceof Error ? error.stack : "No stack trace"
-    );
+    console.error("Error stack:", error instanceof Error ? error.stack : "No stack trace");
     console.error("Error details:", {
       name: error instanceof Error ? error.name : "Unknown",
       message: error instanceof Error ? error.message : String(error),
@@ -814,7 +1085,35 @@ async function handleStopAgent({
         }
       );
     }
-    const stopped = await runtime.runner.stop({ threadId });
+    const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+    const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+    if (scope === void 0) {
+      return new Response(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: "No resource scope provided"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const runner = await runtime.runner;
+    const metadata = await runner.getThreadMetadata(threadId, scope);
+    if (!metadata) {
+      return new Response(
+        JSON.stringify({
+          error: "Thread not found",
+          message: `Thread '${threadId}' does not exist or you don't have access`
+        }),
+        {
+          status: 404,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const stopped = await runner.stop({ threadId });
     if (!stopped) {
       return new Response(
         JSON.stringify({
@@ -856,6 +1155,141 @@ async function handleStopAgent({
   }
 }
 
+// src/handlers/handle-threads.ts
+async function handleListThreads({ runtime, request }) {
+  try {
+    const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+    const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+    if (scope === void 0) {
+      return new Response(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: "No resource scope provided"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const url = new URL(request.url);
+    const limitParam = url.searchParams.get("limit");
+    const offsetParam = url.searchParams.get("offset");
+    const parsedLimit = limitParam ? Number.parseInt(limitParam, 10) : NaN;
+    const parsedOffset = offsetParam ? Number.parseInt(offsetParam, 10) : NaN;
+    const limit = Math.max(1, Math.min(100, Number.isNaN(parsedLimit) ? 20 : parsedLimit));
+    const offset = Math.max(0, Number.isNaN(parsedOffset) ? 0 : parsedOffset);
+    const runner = await runtime.runner;
+    const result = await runner.listThreads({ scope, limit, offset });
+    return new Response(JSON.stringify(result), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
+    return new Response(
+      JSON.stringify({
+        error: "Failed to list threads",
+        message: errorMessage
+      }),
+      {
+        status: 500,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+}
+async function handleGetThread({ runtime, threadId, request }) {
+  try {
+    const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+    const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+    if (scope === void 0) {
+      return new Response(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: "No resource scope provided"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const runner = await runtime.runner;
+    const metadata = await runner.getThreadMetadata(threadId, scope);
+    if (!metadata) {
+      return new Response(
+        JSON.stringify({
+          error: "Thread not found",
+          message: `Thread '${threadId}' does not exist`
+        }),
+        {
+          status: 404,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return new Response(JSON.stringify(metadata), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
+    return new Response(
+      JSON.stringify({
+        error: "Failed to get thread",
+        message: errorMessage
+      }),
+      {
+        status: 500,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+}
+async function handleDeleteThread({ runtime, threadId, request }) {
+  if (!threadId) {
+    return new Response(JSON.stringify({ error: "Thread ID required" }), {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  try {
+    const clientDeclared = CopilotRuntime["parseClientDeclaredResourceId"](request);
+    const scope = await runtime.resolveThreadsScope({ request, clientDeclared });
+    if (scope === void 0) {
+      return new Response(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: "No resource scope provided"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const runner = await runtime.runner;
+    await runner.deleteThread(threadId, scope);
+    return new Response(JSON.stringify({ success: true }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
+    return new Response(
+      JSON.stringify({
+        error: "Failed to delete thread",
+        message: errorMessage
+      }),
+      {
+        status: 500,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+}
+
 // src/endpoint.ts
 function createCopilotEndpoint({ runtime, basePath }) {
   const app = new import_hono.Hono();
@@ -879,7 +1313,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
         c.set("modifiedRequest", maybeModifiedRequest);
       }
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path }, "Error running before request middleware");
+      import_shared4.logger.error({ err: error, url: request.url, path }, "Error running before request middleware");
       if (error instanceof Response) {
         return error;
       }
@@ -895,7 +1329,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
       response,
       path
     }).catch((error) => {
-      import_shared3.logger.error({ err: error, url: c.req.url, path }, "Error running after request middleware");
+      import_shared4.logger.error({ err: error, url: c.req.url, path }, "Error running after request middleware");
     });
   }).post("/agent/:agentId/run", async (c) => {
     const agentId = c.req.param("agentId");
@@ -907,7 +1341,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
         agentId
       });
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
       throw error;
     }
   }).post("/agent/:agentId/connect", async (c) => {
@@ -920,7 +1354,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
         agentId
       });
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
       throw error;
     }
   }).post("/agent/:agentId/stop/:threadId", async (c) => {
@@ -935,7 +1369,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
         threadId
       });
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
       throw error;
     }
   }).get("/info", async (c) => {
@@ -946,7 +1380,7 @@ function createCopilotEndpoint({ runtime, basePath }) {
         request
       });
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
       throw error;
     }
   }).post("/transcribe", async (c) => {
@@ -957,7 +1391,44 @@ function createCopilotEndpoint({ runtime, basePath }) {
         request
       });
     } catch (error) {
-      import_shared3.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      throw error;
+    }
+  }).get("/threads", async (c) => {
+    const request = c.get("modifiedRequest") || c.req.raw;
+    try {
+      return await handleListThreads({
+        runtime,
+        request
+      });
+    } catch (error) {
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      throw error;
+    }
+  }).get("/threads/:threadId", async (c) => {
+    const threadId = c.req.param("threadId");
+    const request = c.get("modifiedRequest") || c.req.raw;
+    try {
+      return await handleGetThread({
+        runtime,
+        request,
+        threadId
+      });
+    } catch (error) {
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
+      throw error;
+    }
+  }).delete("/threads/:threadId", async (c) => {
+    const threadId = c.req.param("threadId");
+    const request = c.get("modifiedRequest") || c.req.raw;
+    try {
+      return await handleDeleteThread({
+        runtime,
+        request,
+        threadId
+      });
+    } catch (error) {
+      import_shared4.logger.error({ err: error, url: request.url, path: c.req.path }, "Error running request handler");
       throw error;
     }
   }).notFound((c) => {
@@ -966,7 +1437,46 @@ function createCopilotEndpoint({ runtime, basePath }) {
 }
 
 // src/runner/index.ts
-var import_shared4 = require("@copilotkitnext/shared");
+var import_shared5 = require("@copilotkitnext/shared");
+
+// src/resource-id-helpers.ts
+function validateResourceIdMatch(clientDeclared, serverAuthorized) {
+  if (!clientDeclared) {
+    return;
+  }
+  const clientIds = Array.isArray(clientDeclared) ? clientDeclared : [clientDeclared];
+  const authorizedIds = Array.isArray(serverAuthorized) ? serverAuthorized : [serverAuthorized];
+  const hasMatch = clientIds.some((clientId) => authorizedIds.includes(clientId));
+  if (!hasMatch) {
+    throw new Error("Unauthorized: Client-declared resourceId does not match authenticated user");
+  }
+}
+function filterAuthorizedResourceIds(clientDeclared, serverAuthorized) {
+  const authorizedIds = Array.isArray(serverAuthorized) ? serverAuthorized : [serverAuthorized];
+  if (!clientDeclared) {
+    return serverAuthorized;
+  }
+  const clientIds = Array.isArray(clientDeclared) ? clientDeclared : [clientDeclared];
+  const filtered = clientIds.filter((id) => authorizedIds.includes(id));
+  if (filtered.length === 0) {
+    throw new Error("Unauthorized: None of the client-declared resourceIds are authorized");
+  }
+  return Array.isArray(clientDeclared) ? filtered : filtered[0];
+}
+function createStrictThreadScopeResolver(getUserId) {
+  return async ({ request, clientDeclared }) => {
+    const userId = await getUserId(request);
+    validateResourceIdMatch(clientDeclared, userId);
+    return { resourceId: userId };
+  };
+}
+function createFilteringThreadScopeResolver(getUserResourceIds) {
+  return async ({ request, clientDeclared }) => {
+    const userResourceIds = await getUserResourceIds(request);
+    const resourceId = filterAuthorizedResourceIds(clientDeclared, userResourceIds);
+    return { resourceId };
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AgentRunner,
@@ -974,6 +1484,10 @@ var import_shared4 = require("@copilotkitnext/shared");
   InMemoryAgentRunner,
   VERSION,
   createCopilotEndpoint,
-  finalizeRunEvents
+  createFilteringThreadScopeResolver,
+  createStrictThreadScopeResolver,
+  filterAuthorizedResourceIds,
+  finalizeRunEvents,
+  validateResourceIdMatch
 });
 //# sourceMappingURL=index.js.map