@dainprotocol/service-sdk 2.0.93 → 2.0.95

package/dist/service/server.js

@@ -98,6 +98,123 @@ async function safeParseBody(c) {
         return {};
     }
 }
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+const DAIN_RUNTIME_CONTEXT_KEYS = new Set([
+    "dainAccountId",
+    "dainGroupId",
+    "smartAccountPDA",
+    "account",
+    "group",
+    "auth",
+    "grants",
+    "dataPermissions",
+    "registryPolicy",
+]);
+function stripRuntimeContextFields(value) {
+    return Object.fromEntries(Object.entries(value).filter(([key]) => !DAIN_RUNTIME_CONTEXT_KEYS.has(key)));
+}
+function getStringClaim(payload, ...keys) {
+    if (!payload)
+        return undefined;
+    for (const key of keys) {
+        const value = payload[key];
+        if (typeof value === "string" && value.length > 0) {
+            return value;
+        }
+    }
+    return undefined;
+}
+function getObjectClaim(payload, key) {
+    if (!payload)
+        return undefined;
+    const value = payload[key];
+    return isRecord(value) ? value : undefined;
+}
+function getArrayClaim(payload, key) {
+    if (!payload)
+        return undefined;
+    const value = payload[key];
+    return Array.isArray(value) ? value : undefined;
+}
+function getRuntimeContextFromJwtPayload(payload, options = {}) {
+    const account = getObjectClaim(payload, "account_context");
+    const group = getObjectClaim(payload, "group_context");
+    const auth = getObjectClaim(payload, "auth_context");
+    const dainAccountId = getStringClaim(payload, "dain_account_id", "account_id") ??
+        account?.id;
+    const dainGroupId = getStringClaim(payload, "dain_group_id", "group_id") ??
+        group?.id;
+    const smartAccountPDA = getStringClaim(payload, "smart_account_pda") ??
+        options.fallbackSmartAccountPDA;
+    if (account?.id && dainAccountId && account.id !== dainAccountId) {
+        throw new http_exception_1.HTTPException(401, { message: "JWT DAIN context mismatch: dain_account_id does not match account_context.id" });
+    }
+    if (group?.id && dainGroupId && group.id !== dainGroupId) {
+        throw new http_exception_1.HTTPException(401, { message: "JWT DAIN context mismatch: dain_group_id does not match group_context.id" });
+    }
+    if (account?.smartAccount?.pda && smartAccountPDA && account.smartAccount.pda !== smartAccountPDA) {
+        throw new http_exception_1.HTTPException(401, { message: "JWT DAIN context mismatch: smart_account_pda does not match account_context.smartAccount.pda" });
+    }
+    const grants = getArrayClaim(payload, "action_grants");
+    const dataPermissions = getArrayClaim(payload, "data_permissions");
+    const registryPolicy = getObjectClaim(payload, "registry_policy");
+    const subject = getStringClaim(payload, "sub") ??
+        options.smartAccountId ??
+        dainAccountId ??
+        dainGroupId ??
+        smartAccountPDA;
+    return {
+        ...(dainAccountId ? { dainAccountId } : {}),
+        ...(dainGroupId ? { dainGroupId } : {}),
+        ...(smartAccountPDA ? { smartAccountPDA } : {}),
+        ...(account ? { account } : {}),
+        ...(group ? { group } : {}),
+        auth: auth ?? {
+            subject: subject ?? "unknown",
+            issuer: getStringClaim(payload, "iss"),
+            scopes: options.scopes,
+            source: "dain_id",
+        },
+        ...(grants ? { grants } : {}),
+        ...(dataPermissions ? { dataPermissions } : {}),
+        ...(registryPolicy ? { registryPolicy } : {}),
+    };
+}
+function getRuntimeContextFromAgentInfo(agentInfo) {
+    return {
+        ...(agentInfo.dainAccountId ? { dainAccountId: agentInfo.dainAccountId } : {}),
+        ...(agentInfo.dainGroupId ? { dainGroupId: agentInfo.dainGroupId } : {}),
+        ...(agentInfo.smartAccountPDA ? { smartAccountPDA: agentInfo.smartAccountPDA } : {}),
+        ...(agentInfo.account ? { account: agentInfo.account } : {}),
+        ...(agentInfo.group ? { group: agentInfo.group } : {}),
+        ...(agentInfo.auth ? { auth: agentInfo.auth } : {}),
+        ...(agentInfo.grants ? { grants: agentInfo.grants } : {}),
+        ...(agentInfo.dataPermissions ? { dataPermissions: agentInfo.dataPermissions } : {}),
+        ...(agentInfo.registryPolicy ? { registryPolicy: agentInfo.registryPolicy } : {}),
+    };
+}
+function getRequestExtraData(request) {
+    if (!isRecord(request))
+        return {};
+    return isRecord(request.DAIN_EXTRA_DATA)
+        ? stripRuntimeContextFields(request.DAIN_EXTRA_DATA)
+        : {};
+}
+function buildServiceExtraData(agentInfo, options = {}) {
+    const requestExtra = getRequestExtraData(options.request);
+    const runtimeContext = getRuntimeContextFromAgentInfo(agentInfo);
+    return {
+        ...requestExtra,
+        ...(options.extra ?? {}),
+        ...runtimeContext,
+        ...(options.plugins ? { plugins: options.plugins } : {}),
+        ...(Object.prototype.hasOwnProperty.call(options, "oauth2Client")
+            ? { oauth2Client: options.oauth2Client }
+            : {}),
+    };
+}
 /**
  * Middleware factory to require specific OAuth scopes.
  * Defense-in-depth: Validates scopes even though JWT middleware already checked them.
@@ -120,6 +237,17 @@ function signedStreamSSE(c, privateKey, config, handler) {
     return (0, streaming_1.streamSSE)(c, async (stream) => {
         const requestSignal = c.req.raw?.signal;
         const isAborted = () => stream.aborted || stream.closed || requestSignal?.aborted === true;
+        const abortStream = () => {
+            if (!stream.closed) {
+                stream.abort();
+            }
+        };
+        if (requestSignal?.aborted) {
+            abortStream();
+        }
+        else {
+            requestSignal?.addEventListener("abort", abortStream, { once: true });
+        }
         const signedStream = {
             writeSSE: async (event) => {
                 if (isAborted())
@@ -140,12 +268,19 @@ function signedStreamSSE(c, privateKey, config, handler) {
                 await stream.writeSSE({ event: event.event, data: dataWithSignature, id: event.id });
             },
             isAborted,
+            onAbort: (listener) => stream.onAbort(listener),
         };
-        await handler(signedStream);
+        try {
+            await handler(signedStream);
+        }
+        finally {
+            requestSignal?.removeEventListener("abort", abortStream);
+        }
     });
 }
 function setupHttpServer(config, tools, services, toolboxes, metadata, privateKey, contexts, widgets, datasources = [], agents = []) {
     const app = new hono_1.Hono();
+    const datasourceStreamAbortControllers = new Map();
     const processHandler = new processes_1.ProcessHandler({
         serviceId: "service_" + config.identity.orgId + "_" + config.identity.agentId,
         privateKey,
@@ -160,6 +295,8 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         allowHeaders: [
             "X-DAIN-SIGNATURE",
             "X-DAIN-SMART-ACCOUNT-PDA",
+            "X-DAIN-ACCOUNT-ID",
+            "X-DAIN-GROUP-ID",
             "X-DAIN-AGENT-ID",
             "X-DAIN-ORG-ID",
             "X-DAIN-ADDRESS",
@@ -177,7 +314,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         return c.text("Enabling CORS Pre-Flight", 200, {
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-            "Access-Control-Allow-Headers": "X-DAIN-SIGNATURE, X-DAIN-SMART-ACCOUNT-PDA, X-DAIN-AGENT-ID, X-DAIN-ORG-ID, X-DAIN-ADDRESS, X-DAIN-TIMESTAMP, Content-Type, Authorization, Accept, Origin, X-Requested-With",
+            "Access-Control-Allow-Headers": "X-DAIN-SIGNATURE, X-DAIN-SMART-ACCOUNT-PDA, X-DAIN-ACCOUNT-ID, X-DAIN-GROUP-ID, X-DAIN-AGENT-ID, X-DAIN-ORG-ID, X-DAIN-ADDRESS, X-DAIN-TIMESTAMP, Content-Type, Authorization, Accept, Origin, X-Requested-With",
             "Access-Control-Max-Age": "86400",
         });
     });
@@ -277,7 +414,13 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             c.set('address', result.smartAccountId); // Use smartAccountId as address for JWT auth
             c.set('scope', result.scope);
             c.set('jwtPayload', result.payload);
-            c.set('smartAccountPDA', c.req.header("X-DAIN-SMART-ACCOUNT-PDA"));
+            const jwtRuntimeContext = getRuntimeContextFromJwtPayload(result.payload, {
+                scopes: result.scope,
+                smartAccountId: result.smartAccountId,
+                fallbackSmartAccountPDA: c.req.header("X-DAIN-SMART-ACCOUNT-PDA"),
+            });
+            c.set('dainRuntimeContext', jwtRuntimeContext);
+            c.set('smartAccountPDA', jwtRuntimeContext.smartAccountPDA);
             debugLog(`[Auth Middleware] JWT auth SUCCESS - smartAccountId: ${result.smartAccountId}`);
         }
         else if (apiKey) {
@@ -300,6 +443,11 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             c.set('orgId', parsed.orgId);
             c.set('address', parsed.agentId); // Use agentId as address for API key auth
             c.set('smartAccountPDA', c.req.header("X-DAIN-SMART-ACCOUNT-PDA"));
+            c.set('dainRuntimeContext', {
+                ...(c.req.header("X-DAIN-ACCOUNT-ID") ? { dainAccountId: c.req.header("X-DAIN-ACCOUNT-ID") } : {}),
+                ...(c.req.header("X-DAIN-GROUP-ID") ? { dainGroupId: c.req.header("X-DAIN-GROUP-ID") } : {}),
+                ...(c.req.header("X-DAIN-SMART-ACCOUNT-PDA") ? { smartAccountPDA: c.req.header("X-DAIN-SMART-ACCOUNT-PDA") } : {}),
+            });
             debugLog(`[Auth Middleware] API Key auth SUCCESS - agentId: ${parsed.agentId}, orgId: ${parsed.orgId}`);
         }
         else {
@@ -311,7 +459,8 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
     async function getAgentInfo(c) {
         debugLog("[getAgentInfo] START");
         debugLog("[getAgentInfo] Auth method:", c.get('authMethod'));
-        const smartAccountPDA = c.get('smartAccountPDA') || c.req.header("X-DAIN-SMART-ACCOUNT-PDA");
+        const runtimeContext = (c.get('dainRuntimeContext') || {});
+        const smartAccountPDA = runtimeContext.smartAccountPDA || c.get('smartAccountPDA') || c.req.header("X-DAIN-SMART-ACCOUNT-PDA");
         const webhookUrl = c.req.header("X-DAIN-WEBHOOK-URL");
         debugLog("[getAgentInfo] smartAccountPDA:", smartAccountPDA);
         debugLog("[getAgentInfo] webhookUrl:", webhookUrl);
@@ -322,7 +471,17 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                 agentId: smartAccountId,
                 address: smartAccountId,
                 smartAccountPDA,
-                id: smartAccountPDA ? `dain_id_${smartAccountPDA}` : `smart_account_${smartAccountId}`,
+                dainAccountId: runtimeContext.dainAccountId,
+                dainGroupId: runtimeContext.dainGroupId,
+                account: runtimeContext.account,
+                group: runtimeContext.group,
+                auth: runtimeContext.auth,
+                grants: runtimeContext.grants,
+                dataPermissions: runtimeContext.dataPermissions,
+                registryPolicy: runtimeContext.registryPolicy,
+                id: runtimeContext.dainAccountId ??
+                    runtimeContext.dainGroupId ??
+                    (smartAccountPDA ? `dain_id_${smartAccountPDA}` : `smart_account_${smartAccountId}`),
                 webhookUrl,
             };
             debugLog("[getAgentInfo] JWT - Returning agent info:", agentInfo);
@@ -335,7 +494,17 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             agentId,
             address,
             smartAccountPDA,
-            id: smartAccountPDA ? `dain_id_${smartAccountPDA}` : `address_${address}`,
+            dainAccountId: runtimeContext.dainAccountId,
+            dainGroupId: runtimeContext.dainGroupId,
+            account: runtimeContext.account,
+            group: runtimeContext.group,
+            auth: runtimeContext.auth,
+            grants: runtimeContext.grants,
+            dataPermissions: runtimeContext.dataPermissions,
+            registryPolicy: runtimeContext.registryPolicy,
+            id: runtimeContext.dainAccountId ??
+                runtimeContext.dainGroupId ??
+                (smartAccountPDA ? `dain_id_${smartAccountPDA}` : `address_${address}`),
             webhookUrl,
         };
         debugLog("[getAgentInfo] API Key - Returning agent info:", agentInfo);
@@ -378,6 +547,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             datasourcePolicy: true,
             widgetPolicy: true,
             toolSafety: true,
+            dainAccount: true,
+            registryDiscovery: true,
+            dataPermissions: true,
+            actionGrants: true,
+            smartAccountTransactions: true,
+            payments: true,
         };
         const compatibility = (() => {
             if (!requestedContract)
@@ -451,7 +626,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             description: context.description,
         }));
         // Process plugins for the response
-        const processedResponse = await processPluginsForResponse(contextInfo, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(contextInfo, body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     app.post("/contexts/:contextId", async (c) => {
@@ -465,17 +645,19 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             const body = await safeParseBody(c);
             const processedPluginData = await processPluginsForRequest(body, agentInfo);
             const oauth2Client = app.oauth2?.getClient();
-            const contextData = await context.getContextData(agentInfo, {
+            const extraData = buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
                 plugins: processedPluginData.plugins,
-                oauth2Client
+                oauth2Client,
             });
+            const contextData = await context.getContextData(agentInfo, extraData);
             const response = {
                 id: context.id,
                 name: context.name,
                 description: context.description,
                 data: contextData
             };
-            const processedResponse = await processPluginsForResponse(response, body, { extraData: { plugins: processedPluginData.plugins } });
+            const processedResponse = await processPluginsForResponse(response, body, { extraData });
             return c.json(processedResponse);
         }
         else {
@@ -487,6 +669,11 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
         const oauth2Client = app.oauth2?.getClient();
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: processedPluginData,
+            plugins: processedPluginData.plugins,
+            oauth2Client,
+        });
         const autoContexts = app.oauth2?.getDirectProviderContexts?.() || [];
         const serviceSlug = (0, core_1.toSlug)(metadata.title);
         const skillsContext = config.skills?.getSkillsContext?.(serviceSlug);
@@ -495,22 +682,23 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             id: ctx.id,
             name: ctx.name,
             description: ctx.description,
-            data: await ctx.getContextData(agentInfo, {
-                plugins: processedPluginData.plugins,
-                oauth2Client
-            }),
+            data: await ctx.getContextData(agentInfo, extraData),
         })));
-        const processedResponse = await processPluginsForResponse(contextsFull, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(contextsFull, body, { extraData });
         return c.json(processedResponse);
     });
     app.post("/widgets", async (c) => {
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: processedPluginData,
+            plugins: processedPluginData.plugins,
+        });
         const widgetIds = config.getUserWidgets
-            ? await config.getUserWidgets(agentInfo, { plugins: processedPluginData.plugins })
+            ? await config.getUserWidgets(agentInfo, extraData)
             : widgets.map(widget => widget.id);
-        const processedResponse = await processPluginsForResponse(widgetIds, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(widgetIds, body, { extraData });
         return c.json(processedResponse);
     });
     app.post("/widgets/all", async (c) => {
@@ -518,18 +706,23 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
         const widgetIds = config.getUserWidgets
-            ? await config.getUserWidgets(agentInfo, { plugins: processedPluginData.plugins })
+            ? await config.getUserWidgets(agentInfo, buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }))
             : widgets.map(widget => widget.id);
         const oauth2Client = app.oauth2?.getClient();
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: processedPluginData,
+            plugins: processedPluginData.plugins,
+            oauth2Client,
+            app,
+        });
         const widgetsFull = await Promise.all(widgetIds.map(async (widgetId) => {
             const widget = widgets.find(w => w.id === widgetId);
             if (!widget)
                 return null;
-            const widgetData = await widget.getWidget(agentInfo, {
-                plugins: processedPluginData.plugins,
-                oauth2Client,
-                app
-            });
+            const widgetData = await widget.getWidget(agentInfo, extraData);
             const response = {
                 id: widget.id,
                 name: widget.name,
@@ -552,7 +745,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             return response;
         }));
         const validWidgets = widgetsFull.filter(w => w !== null);
-        const processedResponse = await processPluginsForResponse(validWidgets, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(validWidgets, body, { extraData });
         return c.json(processedResponse);
     });
     app.post("/widgets/:widgetId", async (c) => {
@@ -565,25 +758,31 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
         if (config.getUserWidgets) {
+            const accessExtraData = buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            });
             const userWidgetIds = await config.getUserWidgets(agentInfo, {
-                plugins: processedPluginData.plugins
+                ...accessExtraData
             });
             let homeUIWidgetId = null;
             if (config.homeUI) {
                 homeUIWidgetId = typeof config.homeUI === 'string'
                     ? config.homeUI
-                    : await config.homeUI(agentInfo, { plugins: processedPluginData.plugins });
+                    : await config.homeUI(agentInfo, accessExtraData);
             }
             if (!userWidgetIds.includes(widgetId) && widgetId !== homeUIWidgetId) {
                 throw new http_exception_1.HTTPException(403, { message: "Access denied to this widget" });
             }
         }
         const oauth2Client = app.oauth2?.getClient();
-        const widgetData = await widget.getWidget(agentInfo, {
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: processedPluginData,
             plugins: processedPluginData.plugins,
             oauth2Client,
-            app
+            app,
         });
+        const widgetData = await widget.getWidget(agentInfo, extraData);
         const response = {
             id: widget.id,
             name: widget.name,
@@ -603,7 +802,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                 scope: "account",
             };
         }
-        const processedResponse = await processPluginsForResponse(response, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(response, body, { extraData });
         return c.json(processedResponse);
     });
     app.post("/homeUI", async (c) => {
@@ -613,9 +812,13 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: processedPluginData,
+            plugins: processedPluginData.plugins,
+        });
         const homeUIWidgetId = typeof config.homeUI === 'string'
             ? config.homeUI
-            : await config.homeUI(agentInfo, { plugins: processedPluginData.plugins });
+            : await config.homeUI(agentInfo, extraData);
         if (!homeUIWidgetId) {
             return c.json({ widgetId: null });
         }
@@ -623,7 +826,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         if (!widget) {
             return c.json({ widgetId: null });
         }
-        const processedResponse = await processPluginsForResponse({ widgetId: homeUIWidgetId }, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse({ widgetId: homeUIWidgetId }, body, { extraData });
         return c.json(processedResponse);
     });
     function mapDatasourceInfo(datasource) {
@@ -648,14 +851,24 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
-        const processedResponse = await processPluginsForResponse(datasources.map(mapDatasourceInfo), body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(datasources.map(mapDatasourceInfo), body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     app.post("/datasources/all", async (c) => {
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
-        const processedResponse = await processPluginsForResponse(datasources.map(mapDatasourceInfo), body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(datasources.map(mapDatasourceInfo), body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     app.post("/datasources/:datasourceId", async (c) => {
@@ -671,10 +884,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         try {
             const parsedParams = datasource.input.parse(params);
             const oauth2Client = app.oauth2?.getClient();
-            const data = await datasource.getDatasource(agentInfo, parsedParams, {
+            const extraData = buildServiceExtraData(agentInfo, {
+                request: params,
                 plugins: pluginsData,
-                oauth2Client
+                oauth2Client,
             });
+            const data = await datasource.getDatasource(agentInfo, parsedParams, extraData);
             const requestedPolicy = {
                 refreshIntervalMs: datasource.refreshIntervalMs,
                 maxStalenessMs: datasource.maxStalenessMs,
@@ -702,7 +917,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                     scope: datasource.scope,
                 },
             };
-            const processedResponse = await processPluginsForResponse(response, { plugins: pluginsData }, { extraData: { plugins: pluginsData } });
+            const processedResponse = await processPluginsForResponse(response, { plugins: pluginsData }, { extraData });
             return c.json(processedResponse);
         }
         catch (error) {
@@ -718,6 +933,17 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             throw error;
         }
     });
+    app.delete("/datasources/:datasourceId/stream/:streamId", async (c) => {
+        const datasourceId = c.req.param("datasourceId");
+        const streamId = c.req.param("streamId");
+        const streamKey = `${datasourceId}:${streamId}`;
+        const abortController = datasourceStreamAbortControllers.get(streamKey);
+        if (abortController) {
+            abortController.abort();
+            datasourceStreamAbortControllers.delete(streamKey);
+        }
+        return c.json({ success: true });
+    });
     // Stream datasource updates over SSE. This is primarily used for "fresh" UIs
     // (positions/orders) where clients want stream-first updates with a poll fallback.
     //
@@ -735,6 +961,11 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             !Array.isArray(rawBody) &&
             "params" in rawBody;
         const requestedIntervalMsRaw = hasWrappedParams ? rawBody.intervalMs : undefined;
+        const requestedStreamIdRaw = hasWrappedParams ? rawBody.streamId : undefined;
+        const streamId = typeof requestedStreamIdRaw === "string" &&
+            /^[A-Za-z0-9._:-]{1,128}$/.test(requestedStreamIdRaw)
+            ? requestedStreamIdRaw
+            : null;
         const requestParamsRaw = hasWrappedParams ? rawBody.params : rawBody;
         let params = await processPluginsForRequest(requestParamsRaw && typeof requestParamsRaw === "object" ? requestParamsRaw : {}, agentInfo);
         const pluginsData = (params.plugins && typeof params.plugins === "object"
@@ -757,19 +988,26 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             }
             throw error;
         }
+        const oauth2Client = app.oauth2?.getClient();
+        const extraData = buildServiceExtraData(agentInfo, {
+            request: params,
+            plugins: pluginsData,
+            oauth2Client,
+        });
         const pluginRequestContext = hasWrappedParams
             ? {
                 params: parsedParams,
                 intervalMs: requestedIntervalMsRaw,
                 plugins: pluginsData,
+                DAIN_EXTRA_DATA: extraData,
             }
             : {
                 ...(typeof parsedParams === "object" && parsedParams !== null
                     ? parsedParams
                     : {}),
                 plugins: pluginsData,
+                DAIN_EXTRA_DATA: extraData,
             };
-        const oauth2Client = app.oauth2?.getClient();
         const requestedPolicy = {
             refreshIntervalMs: datasource.refreshIntervalMs,
             maxStalenessMs: datasource.maxStalenessMs,
@@ -786,15 +1024,22 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                 ? datasource.refreshIntervalMs
                 : 15_000);
         const intervalMs = Math.max(1_000, Math.floor(baseIntervalMs));
-        const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
         debugLog(`[SSE] Datasource ${datasource.id} stream start (${intervalMs}ms interval)`);
         return signedStreamSSE(c, privateKey, config, async (stream) => {
             let eventId = 0;
+            const signal = c.req.raw?.signal;
+            const streamAbortController = new AbortController();
+            const streamKey = streamId ? `${datasource.id}:${streamId}` : null;
+            if (streamKey) {
+                datasourceStreamAbortControllers.set(streamKey, streamAbortController);
+            }
+            const isCancelled = () => stream.isAborted() || signal?.aborted === true || streamAbortController.signal.aborted;
             const emitUpdate = async () => {
-                const data = await datasource.getDatasource(agentInfo, parsedParams, {
-                    plugins: pluginsData,
-                    oauth2Client,
-                });
+                if (isCancelled())
+                    return false;
+                const data = await datasource.getDatasource(agentInfo, parsedParams, extraData);
+                if (isCancelled())
+                    return false;
                 const response = {
                     id: datasource.id,
                     name: datasource.name,
@@ -814,51 +1059,77 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                         scope: datasource.scope,
                     },
                 };
-                const processedResponse = await processPluginsForResponse(response, pluginRequestContext, { extraData: { plugins: pluginsData } });
+                const processedResponse = await processPluginsForResponse(response, pluginRequestContext, { extraData });
+                if (isCancelled())
+                    return false;
                 await stream.writeSSE({
                     event: "datasource-update",
                     data: JSON.stringify(processedResponse),
                     id: String(eventId++),
                 });
+                return true;
             };
-            // Send initial snapshot immediately.
             try {
-                await emitUpdate();
-            }
-            catch (error) {
-                console.error(`[SSE] Datasource ${datasource.id} initial update failed:`, error);
-                if (!stream.isAborted()) {
-                    await stream.writeSSE({
-                        event: "error",
-                        data: JSON.stringify({ message: error?.message || "Datasource stream error" }),
-                    });
-                }
-                return;
-            }
-            // Continue sending updates until client disconnects.
-            // Hono exposes the underlying Request via c.req.raw, which includes an AbortSignal.
-            const signal = c.req.raw?.signal;
-            while (!stream.isAborted() && !signal?.aborted) {
-                await sleep(intervalMs);
-                if (stream.isAborted() || signal?.aborted)
-                    break;
+                // Send initial snapshot immediately.
                 try {
-                    await emitUpdate();
+                    const didEmitInitialUpdate = await emitUpdate();
+                    if (!didEmitInitialUpdate)
+                        return;
                 }
                 catch (error) {
-                    if (stream.isAborted() || signal?.aborted)
-                        break;
-                    console.error(`[SSE] Datasource ${datasource.id} update failed:`, error);
-                    // Keep the stream alive; clients should rely on poll fallback if needed.
-                    if (!stream.isAborted()) {
+                    console.error(`[SSE] Datasource ${datasource.id} initial update failed:`, error);
+                    if (!isCancelled()) {
                         await stream.writeSSE({
                             event: "error",
                             data: JSON.stringify({ message: error?.message || "Datasource stream error" }),
                         });
                     }
+                    return;
+                }
+                // Continue sending updates until client disconnects.
+                // Hono exposes the underlying Request via c.req.raw, which includes an AbortSignal.
+                const abortPromise = new Promise((resolve) => {
+                    if (isCancelled()) {
+                        resolve();
+                        return;
+                    }
+                    stream.onAbort(() => resolve());
+                    signal?.addEventListener("abort", () => resolve(), { once: true });
+                    streamAbortController.signal.addEventListener("abort", () => resolve(), { once: true });
+                });
+                const sleepUntilNextUpdate = (ms) => Promise.race([
+                    new Promise((resolve) => setTimeout(resolve, ms)),
+                    abortPromise,
+                ]);
+                while (!isCancelled()) {
+                    await sleepUntilNextUpdate(intervalMs);
+                    if (isCancelled())
+                        break;
+                    try {
+                        const didEmitUpdate = await emitUpdate();
+                        if (!didEmitUpdate)
+                            break;
+                    }
+                    catch (error) {
+                        if (isCancelled())
+                            break;
+                        console.error(`[SSE] Datasource ${datasource.id} update failed:`, error);
+                        // Keep the stream alive; clients should rely on poll fallback if needed.
+                        if (!isCancelled()) {
+                            await stream.writeSSE({
+                                event: "error",
+                                data: JSON.stringify({ message: error?.message || "Datasource stream error" }),
+                            });
+                        }
+                    }
                 }
             }
-            debugLog(`[SSE] Datasource ${datasource.id} stream end`);
+            finally {
+                if (streamKey) {
+                    datasourceStreamAbortControllers.delete(streamKey);
+                }
+                debugLog(`[SSE] Datasource ${datasource.id} stream end`);
+            }
         });
     });
     function mapAgentInfo(agent) {
@@ -880,7 +1151,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
-        const processedResponse = await processPluginsForResponse(agents.map(mapAgentInfo), body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(agents.map(mapAgentInfo), body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     app.get("/agents/:agentId", (c) => {
@@ -898,7 +1174,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
-        const processedResponse = await processPluginsForResponse(mapAgentInfo(agent), body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(mapAgentInfo(agent), body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     function fixEmptySchemas(schema) {
@@ -971,7 +1252,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                 reccomendedPrompts,
             }),
         };
-        const processedResponse = await processPluginsForResponse(response, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(response, body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     // Webhook triggers endpoint
@@ -1487,7 +1773,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         const agentInfo = await getAgentInfo(c);
         const body = await safeParseBody(c);
         const processedPluginData = await processPluginsForRequest(body, agentInfo);
-        const processedResponse = await processPluginsForResponse(config.exampleQueries || [], body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(config.exampleQueries || [], body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     // Services list endpoint
@@ -1625,7 +1916,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             count: cards.length,
             query,
         };
-        const processedResponse = await processPluginsForResponse(response, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(response, body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         return c.json(processedResponse);
     });
     const recommendationRenderSchema = zod_1.z.object({
@@ -1729,7 +2025,12 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
             renderedCount: renderedCards.length,
             requestedCount: requestedCards.length,
         };
-        const processedResponse = await processPluginsForResponse(response, body, { extraData: { plugins: processedPluginData.plugins } });
+        const processedResponse = await processPluginsForResponse(response, body, {
+            extraData: buildServiceExtraData(agentInfo, {
+                request: processedPluginData,
+                plugins: processedPluginData.plugins,
+            }),
+        });
         const statusCode = !continueOnError && renderErrors.length > 0 ? 400 : 200;
         return c.json(processedResponse, statusCode);
     });
@@ -1740,17 +2041,56 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         if (!processedRequest.plugins) {
             processedRequest.plugins = {};
         }
+        processedRequest.DAIN_EXTRA_DATA = buildServiceExtraData(agentInfo, {
+            request: processedRequest,
+            plugins: processedRequest.plugins,
+        });
         // Auto-inject smartAccountPDA into CryptoPlugin wallet context for automations
         // This allows automation wallets to work seamlessly without manual configuration
         if (agentInfo.smartAccountPDA) {
-            // Only inject if wallets aren't already provided (client can override)
-            if (!processedRequest.plugins['crypto-plugin']?.wallets) {
-                processedRequest.plugins['crypto-plugin'] = processedRequest.plugins['crypto-plugin'] || {};
-                processedRequest.plugins['crypto-plugin'].wallets = [
-                    { chain: 'sol', address: agentInfo.smartAccountPDA }
+            processedRequest.plugins['crypto-plugin'] = processedRequest.plugins['crypto-plugin'] || {};
+            const cryptoData = isRecord(processedRequest.plugins['crypto-plugin'])
+                ? stripRuntimeContextFields(processedRequest.plugins['crypto-plugin'])
+                : {};
+            processedRequest.plugins['crypto-plugin'] = cryptoData;
+            const smartAccountWallet = {
+                chain: 'sol',
+                address: agentInfo.smartAccountPDA,
+                accountId: agentInfo.dainAccountId ?? agentInfo.dainGroupId,
+                kind: 'smart_account_vault',
+                capabilities: ['solana-smart-account'],
+            };
+            if (Array.isArray(cryptoData.wallets)) {
+                const hasSmartAccountWallet = cryptoData.wallets.some((wallet) => isRecord(wallet) &&
+                    wallet.chain === 'sol' &&
+                    wallet.address === agentInfo.smartAccountPDA);
+                if (!hasSmartAccountWallet) {
+                    cryptoData.wallets = [smartAccountWallet, ...cryptoData.wallets];
+                }
+            }
+            else if (isRecord(cryptoData.wallets)) {
+                cryptoData.wallets = [
+                    smartAccountWallet,
+                    ...Object.entries(cryptoData.wallets).map(([chain, address]) => ({
+                        chain,
+                        address: String(address),
+                    })),
                 ];
             }
+            else {
+                cryptoData.wallets = [smartAccountWallet];
+            }
         }
+        if (processedRequest.plugins['crypto-plugin']) {
+            processedRequest.plugins['crypto-plugin'] = {
+                ...stripRuntimeContextFields(processedRequest.plugins['crypto-plugin']),
+                ...getRuntimeContextFromAgentInfo(agentInfo),
+            };
+        }
+        processedRequest.DAIN_EXTRA_DATA = buildServiceExtraData(agentInfo, {
+            request: processedRequest,
+            plugins: processedRequest.plugins,
+        });
         // Process plugins if configured
         if (!config.plugins || config.plugins.length === 0) {
             return processedRequest;
@@ -1760,6 +2100,10 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                 processedRequest = await plugin.processInputService(processedRequest);
             }
         }
+        processedRequest.DAIN_EXTRA_DATA = buildServiceExtraData(agentInfo, {
+            request: processedRequest,
+            plugins: processedRequest.plugins,
+        });
         return processedRequest;
     }
     // Process response with plugins
@@ -1769,6 +2113,9 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         }
         let processedResponse = { ...response };
         processedResponse.plugins = processedResponse.plugins || {};
+        const extraData = isRecord(context?.extraData)
+            ? context.extraData
+            : (isRecord(context) ? context : {});
         for (const plugin of config.plugins) {
             if (plugin.processOutputService) {
                 // Provide context to the plugin
@@ -1776,7 +2123,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                     ...processedResponse,
                     context: {
                         request,
-                        extraData: context
+                        extraData
                     }
                 });
                 if (pluginOutput) {
@@ -1787,6 +2134,31 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
         return processedResponse;
     }
     // Automatically create routes for each tool
+    function buildToolContext(agentInfo, request, pluginsData, hooks = {}) {
+        const oauth2Client = app.oauth2 ? app.oauth2.getClient() : undefined;
+        const extraData = buildServiceExtraData(agentInfo, {
+            request,
+            plugins: pluginsData,
+            oauth2Client,
+            app,
+        });
+        const runtimeContext = getRuntimeContextFromAgentInfo(agentInfo);
+        return {
+            app,
+            oauth2Client,
+            extraData,
+            dainAccountId: runtimeContext.dainAccountId ?? extraData.dainAccountId,
+            dainGroupId: runtimeContext.dainGroupId ?? extraData.dainGroupId,
+            smartAccountPDA: runtimeContext.smartAccountPDA ?? extraData.smartAccountPDA,
+            account: runtimeContext.account ?? extraData.account,
+            group: runtimeContext.group ?? extraData.group,
+            auth: runtimeContext.auth ?? extraData.auth,
+            grants: runtimeContext.grants ?? extraData.grants,
+            dataPermissions: runtimeContext.dataPermissions ?? extraData.dataPermissions,
+            registryPolicy: runtimeContext.registryPolicy ?? extraData.registryPolicy,
+            ...hooks,
+        };
+    }
     tools.forEach((tool) => {
         /**
          * Shared handler for tool execution with streaming support
@@ -1801,13 +2173,8 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                     try {
                         // Execute the tool first
                         debugLog(`[SSE] Executing tool ${tool.id} in streaming mode${withContext ? ' with context' : ''}`);
-                        const result = await tool.handler({ ...body, DAIN_EXTRA_DATA: undefined }, agentInfo, {
-                            app,
-                            oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined,
-                            extraData: {
-                                ...body.DAIN_EXTRA_DATA,
-                                plugins: pluginsData
-                            },
+                        const { DAIN_EXTRA_DATA: _dainExtraData, ...toolInput } = body;
+                        const result = await tool.handler(toolInput, agentInfo, buildToolContext(agentInfo, body, pluginsData, {
                             updateUI: async (update) => {
                                 try {
                                     // Check if this is a progress update
@@ -1841,7 +2208,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                                     console.error(`Error sending process update in ${tool.id}:`, error);
                                 }
                             }
-                        });
+                        }));
                         // If we need to include context data
                         let response = result;
                         if (withContext) {
@@ -1856,8 +2223,11 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                                             name: context.name,
                                             description: context.description,
                                             data: await context.getContextData(agentInfo, {
-                                                plugins: pluginsData,
-                                                oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined
+                                                ...buildServiceExtraData(agentInfo, {
+                                                    request: body,
+                                                    plugins: pluginsData,
+                                                    oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined,
+                                                }),
                                             }),
                                         };
                                     }
@@ -1957,13 +2327,8 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                     const uiUpdates = [];
                     const progressUpdates = [];
                     const processes = [];
-                    const result = await tool.handler({ ...body, DAIN_EXTRA_DATA: undefined }, agentInfo, {
-                        app,
-                        oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined,
-                        extraData: {
-                            ...body.DAIN_EXTRA_DATA,
-                            plugins: pluginsData
-                        },
+                    const { DAIN_EXTRA_DATA: _dainExtraData, ...toolInput } = body;
+                    const result = await tool.handler(toolInput, agentInfo, buildToolContext(agentInfo, body, pluginsData, {
                         updateUI: (update) => {
                             // Collect UI updates instead of streaming them (synchronous for performance)
                             if (update.type === 'progress') {
@@ -1979,7 +2344,7 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                             processes.push(processId);
                             return Promise.resolve();
                         }
-                    });
+                    }));
                     // If we need to include context data
                     let response = result;
                     if (withContext) {
@@ -1990,8 +2355,11 @@ function setupHttpServer(config, tools, services, toolboxes, metadata, privateKe
                                 name: context.name,
                                 description: context.description,
                                 data: await context.getContextData(agentInfo, {
-                                    plugins: pluginsData,
-                                    oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined
+                                    ...buildServiceExtraData(agentInfo, {
+                                        request: body,
+                                        plugins: pluginsData,
+                                        oauth2Client: app.oauth2 ? app.oauth2.getClient() : undefined,
+                                    }),
                                 }),
                             })));
                             // Create the complete response with context