@promptbook/cli 0.103.0-52 → 0.103.0-53

package/apps/agents-server/src/middleware.ts

@@ -75,114 +75,167 @@ export async function middleware(req: NextRequest) {
     const allowedIps =
         allowedIpsMetadata !== null && allowedIpsMetadata !== undefined ? allowedIpsMetadata : allowedIpsEnv;
 
-    if (isIpAllowed(ip, allowedIps)) {
-        // Handle OPTIONS (preflight) requests before any redirects
-        // to avoid CORS issues ("Redirect is not allowed for a preflight request")
-        if (req.method === 'OPTIONS') {
-            return new NextResponse(null, {
-                status: 200,
-                headers: {
-                    'Access-Control-Allow-Origin': '*',
-                    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-                    'Access-Control-Allow-Headers': 'Content-Type',
-                },
-            });
+    const isIpAllowedResult = isIpAllowed(ip, allowedIps);
+    const isLoggedIn = req.cookies.has('sessionToken');
+    const isAccessRestricted = !isIpAllowedResult && !isLoggedIn;
+
+    // Handle OPTIONS (preflight) requests globally
+    if (req.method === 'OPTIONS') {
+        return new NextResponse(null, {
+            status: 200,
+            headers: {
+                'Access-Control-Allow-Origin': '*',
+                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+                'Access-Control-Allow-Headers': 'Content-Type',
+            },
+        });
+    }
+
+    if (isAccessRestricted) {
+        const path = req.nextUrl.pathname;
+
+        // Allow specific paths for restricted users
+        // - /: Homepage / Agent List
+        // - /agents: Agent List
+        // - /api/agents: Agent List API
+        // - /api/federated-agents: Federated Agent List API
+        // - /api/auth/*: Auth endpoints
+        // - /restricted: Restricted Access Page
+        // - /docs: Documentation
+        // - /manifest.webmanifest: Manifest
+        // - /sw.js: Service Worker
+        const isAllowedPath =
+            path === '/' ||
+            path === '/agents' ||
+            path.startsWith('/api/agents') ||
+            path.startsWith('/api/federated-agents') ||
+            path.startsWith('/api/auth') ||
+            path === '/restricted' ||
+            path.startsWith('/docs') ||
+            path === '/manifest.webmanifest' ||
+            path === '/sw.js';
+
+        if (isAllowedPath) {
+            return NextResponse.next();
         }
 
-        // 3. Redirect /:agentName/* to /agents/:agentName/*
-        //    This enables accessing agents from the root path
-        const pathParts = req.nextUrl.pathname.split('/');
-        const potentialAgentName = pathParts[1];
-
-        if (
-            potentialAgentName &&
-            !['agents', 'api', 'admin', 'embed', '_next', 'favicon.ico'].includes(potentialAgentName) &&
-            !potentialAgentName.startsWith('.') &&
-            // Note: Other static files are excluded by the matcher configuration below
-            true
-        ) {
+        // Block access to other paths (e.g. Chat)
+        if (req.headers.get('accept')?.includes('text/html')) {
             const url = req.nextUrl.clone();
-            url.pathname = `/agents${req.nextUrl.pathname}`;
-            const response = NextResponse.redirect(url);
+            url.pathname = '/restricted';
+            return NextResponse.rewrite(url);
+        }
+        return new NextResponse('Forbidden', { status: 403 });
+    }
 
-            // Enable CORS for the redirect
-            response.headers.set('Access-Control-Allow-Origin', '*');
-            response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-            response.headers.set('Access-Control-Allow-Headers', 'Content-Type');
+    // If we are here, the user is allowed (either by IP or session)
+    // Proceed with normal logic
+
+    // 3. Redirect /:agentName/* to /agents/:agentName/*
+    //    This enables accessing agents from the root path
+    const pathParts = req.nextUrl.pathname.split('/');
+    const potentialAgentName = pathParts[1];
+
+    if (
+        potentialAgentName &&
+        ![
+            'agents',
+            'api',
+            'admin',
+            'docs',
+            'manifest.webmanifest',
+            'sw.js',
+            'test',
+            'embed',
+            '_next',
+            'favicon.ico',
+        ].includes(potentialAgentName) &&
+        !potentialAgentName.startsWith('.') &&
+        // Note: Other static files are excluded by the matcher configuration below
+        true
+    ) {
+        const url = req.nextUrl.clone();
+        url.pathname = `/agents${req.nextUrl.pathname}`;
+        const response = NextResponse.redirect(url);
+
+        // Enable CORS for the redirect
+        response.headers.set('Access-Control-Allow-Origin', '*');
+        response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+        response.headers.set('Access-Control-Allow-Headers', 'Content-Type');
+
+        return response;
+    }
 
-            return response;
-        }
+    // 4. Custom Domain Routing
+    //    If the host is not one of the configured SERVERS, try to find an agent with a matching META LINK
 
-        // 4. Custom Domain Routing
-        //    If the host is not one of the configured SERVERS, try to find an agent with a matching META LINK
+    if (host && SERVERS && !SERVERS.some((server) => server === host)) {
+        const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+        const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
 
-        if (host && SERVERS && !SERVERS.some((server) => server === host)) {
-            const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
-            const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+        if (supabaseUrl && supabaseKey) {
+            const supabase = createClient(supabaseUrl, supabaseKey, {
+                auth: {
+                    persistSession: false,
+                    autoRefreshToken: false,
+                },
+            });
 
-            if (supabaseUrl && supabaseKey) {
-                const supabase = createClient(supabaseUrl, supabaseKey, {
-                    auth: {
-                        persistSession: false,
-                        autoRefreshToken: false,
-                    },
-                });
+            // Determine prefixes to check
+            // We check all configured servers because the custom domain could point to any of them
+            // (or if they share the database, we need to check the relevant tables)
+            const serversToCheck = SERVERS;
 
-                // Determine prefixes to check
-                // We check all configured servers because the custom domain could point to any of them
-                // (or if they share the database, we need to check the relevant tables)
-                const serversToCheck = SERVERS;
-
-                // TODO: [🧠] If there are many servers, this loop might be slow. Optimize if needed.
-                for (const serverHost of serversToCheck) {
-                    let serverName = serverHost;
-                    serverName = serverName.replace(/\.ptbk\.io$/, '');
-                    serverName = normalizeTo_PascalCase(serverName);
-                    const prefix = `server_${serverName}_`;
-
-                    // Search for agent with matching META LINK
-                    // agentProfile->links is an array of strings
-                    // We check if it contains the host, or https://host, or http://host
-
-                    const searchLinks = [host, `https://${host}`, `http://${host}`];
-
-                    // Construct OR filter: agentProfile.cs.{"links":["link1"]},agentProfile.cs.{"links":["link2"]},...
-                    const orFilter = searchLinks.map((link) => `agentProfile.cs.{"links":["${link}"]}`).join(',');
-
-                    try {
-                        const { data } = await supabase
-                            .from(`${prefix}Agent`)
-                            .select('agentName')
-                            .or(orFilter)
-                            .limit(1)
-                            .single();
-
-                        if (data && data.agentName) {
-                            // Found the agent!
-                            const url = req.nextUrl.clone();
-                            url.pathname = `/${data.agentName}`;
-
-                            // Pass the server context to the app via header
-                            const requestHeaders = new Headers(req.headers);
-                            requestHeaders.set('x-promptbook-server', serverHost);
-
-                            return NextResponse.rewrite(url, {
-                                request: {
-                                    headers: requestHeaders,
-                                },
-                            });
-                        }
-                    } catch (error) {
-                        // Ignore error (e.g. table not found, or agent not found) and continue to next server
-                        // console.error(`Error checking server ${serverHost} for custom domain ${host}:`, error);
+            // TODO: [🧠] If there are many servers, this loop might be slow. Optimize if needed.
+            for (const serverHost of serversToCheck) {
+                let serverName = serverHost;
+                serverName = serverName.replace(/\.ptbk\.io$/, '');
+                serverName = normalizeTo_PascalCase(serverName);
+                const prefix = `server_${serverName}_`;
+
+                // Search for agent with matching META LINK
+                // agentProfile->links is an array of strings
+                // We check if it contains the host, or https://host, or http://host
+
+                const searchLinks = [host, `https://${host}`, `http://${host}`];
+
+                // Construct OR filter: agentProfile.cs.{"links":["link1"]},agentProfile.cs.{"links":["link2"]},...
+                const orFilter = searchLinks.map((link) => `agentProfile.cs.{"links":["${link}"]}`).join(',');
+
+                try {
+                    const { data } = await supabase
+                        .from(`${prefix}Agent`)
+                        .select('agentName')
+                        .or(orFilter)
+                        .limit(1)
+                        .single();
+
+                    if (data && data.agentName) {
+                        // Found the agent!
+                        const url = req.nextUrl.clone();
+                        url.pathname = `/${data.agentName}`;
+
+                        // Pass the server context to the app via header
+                        const requestHeaders = new Headers(req.headers);
+                        requestHeaders.set('x-promptbook-server', serverHost);
+
+                        return NextResponse.rewrite(url, {
+                            request: {
+                                headers: requestHeaders,
+                            },
+                        });
                     }
+                } catch (error) {
+                    // Ignore error (e.g. table not found, or agent not found) and continue to next server
+                    // console.error(`Error checking server ${serverHost} for custom domain ${host}:`, error);
                 }
             }
         }
-
-        return NextResponse.next();
     }
 
+    return NextResponse.next();
+
+    // This part should be unreachable due to logic above, but keeping as fallback
     return new NextResponse('Forbidden', { status: 403 });
 }
 

package/apps/agents-server/src/tools/$provideServer.ts

@@ -1,11 +1,11 @@
-import { NEXT_PUBLIC_URL, SERVERS, SUPABASE_TABLE_PREFIX } from '@/config';
+import { NEXT_PUBLIC_SITE_URL, SERVERS, SUPABASE_TABLE_PREFIX } from '@/config';
 import { normalizeTo_PascalCase } from '@promptbook-local/utils';
 import { headers } from 'next/headers';
 
 export async function $provideServer() {
     if (!SERVERS) {
         return {
-            publicUrl: NEXT_PUBLIC_URL || new URL(`https://${(await headers()).get('host') || 'localhost:4440'}`),
+            publicUrl: NEXT_PUBLIC_SITE_URL || new URL(`https://${(await headers()).get('host') || 'localhost:4440'}`),
             tablePrefix: SUPABASE_TABLE_PREFIX,
         };
     }

package/apps/agents-server/src/utils/authenticateUser.ts

@@ -0,0 +1,42 @@
+import { $getTableName } from '../database/$getTableName';
+import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
+import { AgentsServerDatabase } from '../database/schema';
+import { verifyPassword } from './auth';
+
+export type AuthenticatedUser = {
+    username: string;
+    isAdmin: boolean;
+};
+
+export async function authenticateUser(username: string, password: string): Promise<AuthenticatedUser | null> {
+    // 1. Check if it's the environment admin
+    if (username === 'admin' && process.env.ADMIN_PASSWORD && password === process.env.ADMIN_PASSWORD) {
+        return { username: 'admin', isAdmin: true };
+    }
+
+    // 2. Check DB users
+    try {
+        const supabase = $provideSupabaseForServer();
+        const { data: user, error } = await supabase
+            .from(await $getTableName('User'))
+            .select('*')
+            .eq('username', username)
+            .single();
+
+        if (error || !user) {
+            return null;
+        }
+
+        const userRow = user as AgentsServerDatabase['public']['Tables']['User']['Row'];
+        const isValid = await verifyPassword(password, userRow.passwordHash);
+
+        if (!isValid) {
+            return null;
+        }
+
+        return { username: userRow.username, isAdmin: userRow.isAdmin };
+    } catch (error) {
+        console.error('Authentication error:', error);
+        return null;
+    }
+}

package/apps/agents-server/src/utils/chatFeedbackAdmin.ts

@@ -0,0 +1,96 @@
+import type { AgentsServerDatabase } from '../database/schema';
+
+export type ChatFeedbackRow = AgentsServerDatabase['public']['Tables']['ChatFeedback']['Row'];
+export type ChatFeedbackSortField = 'createdAt' | 'agentName' | 'id';
+export type ChatFeedbackSortOrder = 'asc' | 'desc';
+
+export type ChatFeedbackListResponse = {
+    items: ChatFeedbackRow[];
+    total: number;
+    page: number;
+    pageSize: number;
+    sortBy: ChatFeedbackSortField;
+    sortOrder: ChatFeedbackSortOrder;
+};
+
+export type ChatFeedbackListParams = {
+    page?: number;
+    pageSize?: number;
+    agentName?: string;
+    search?: string;
+    sortBy?: ChatFeedbackSortField;
+    sortOrder?: ChatFeedbackSortOrder;
+};
+
+/**
+ * Build query string for chat feedback listing.
+ *
+ * Kept in a dedicated helper so it can be shared between the
+ * admin feedback page and other admin UIs (per-agent tools, etc.).
+ */
+function buildQuery(params: ChatFeedbackListParams): string {
+    const searchParams = new URLSearchParams();
+
+    if (params.page && params.page > 0) searchParams.set('page', String(params.page));
+    if (params.pageSize && params.pageSize > 0) searchParams.set('pageSize', String(params.pageSize));
+    if (params.agentName) searchParams.set('agentName', params.agentName);
+    if (params.search) searchParams.set('search', params.search);
+    if (params.sortBy) searchParams.set('sortBy', params.sortBy);
+    if (params.sortOrder) searchParams.set('sortOrder', params.sortOrder);
+
+    const qs = searchParams.toString();
+    return qs ? `?${qs}` : '';
+}
+
+/**
+ * Fetch chat feedback from the admin API.
+ */
+export async function $fetchChatFeedback(params: ChatFeedbackListParams = {}): Promise<ChatFeedbackListResponse> {
+    const qs = buildQuery(params);
+    const response = await fetch(`/api/chat-feedback${qs}`, {
+        method: 'GET',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to load chat feedback');
+    }
+
+    return (await response.json()) as ChatFeedbackListResponse;
+}
+
+/**
+ * Clear chat feedback for a specific agent.
+ */
+export async function $clearAgentChatFeedback(agentName: string): Promise<void> {
+    if (!agentName) {
+        throw new Error('agentName is required to clear chat feedback');
+    }
+
+    const response = await fetch(`/api/chat-feedback?agentName=${encodeURIComponent(agentName)}`, {
+        method: 'DELETE',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to clear chat feedback');
+    }
+}
+
+/**
+ * Delete a single chat feedback row by ID.
+ */
+export async function $deleteChatFeedbackRow(id: number): Promise<void> {
+    if (!id || id <= 0) {
+        throw new Error('Valid id is required to delete chat feedback row');
+    }
+
+    const response = await fetch(`/api/chat-feedback/${encodeURIComponent(String(id))}`, {
+        method: 'DELETE',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to delete chat feedback row');
+    }
+}

package/apps/agents-server/src/utils/chatHistoryAdmin.ts

@@ -0,0 +1,96 @@
+import type { AgentsServerDatabase } from '../database/schema';
+
+export type ChatHistoryRow = AgentsServerDatabase['public']['Tables']['ChatHistory']['Row'];
+export type ChatHistorySortField = 'createdAt' | 'agentName' | 'id';
+export type ChatHistorySortOrder = 'asc' | 'desc';
+
+export type ChatHistoryListResponse = {
+    items: ChatHistoryRow[];
+    total: number;
+    page: number;
+    pageSize: number;
+    sortBy: ChatHistorySortField;
+    sortOrder: ChatHistorySortOrder;
+};
+
+export type ChatHistoryListParams = {
+    page?: number;
+    pageSize?: number;
+    agentName?: string;
+    search?: string;
+    sortBy?: ChatHistorySortField;
+    sortOrder?: ChatHistorySortOrder;
+};
+
+/**
+ * Build query string for chat history listing.
+ */
+function buildQuery(params: ChatHistoryListParams): string {
+    const searchParams = new URLSearchParams();
+
+    if (params.page && params.page > 0) searchParams.set('page', String(params.page));
+    if (params.pageSize && params.pageSize > 0) searchParams.set('pageSize', String(params.pageSize));
+    if (params.agentName) searchParams.set('agentName', params.agentName);
+    if (params.search) searchParams.set('search', params.search);
+    if (params.sortBy) searchParams.set('sortBy', params.sortBy);
+    if (params.sortOrder) searchParams.set('sortOrder', params.sortOrder);
+
+    const qs = searchParams.toString();
+    return qs ? `?${qs}` : '';
+}
+
+/**
+ * Fetch chat history from the admin API.
+ *
+ * This is shared between the admin page and other admin UIs (e.g. per-agent tools)
+ * to keep the API surface DRY.
+ */
+export async function $fetchChatHistory(params: ChatHistoryListParams = {}): Promise<ChatHistoryListResponse> {
+    const qs = buildQuery(params);
+    const response = await fetch(`/api/chat-history${qs}`, {
+        method: 'GET',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to load chat history');
+    }
+
+    return (await response.json()) as ChatHistoryListResponse;
+}
+
+/**
+ * Clear chat history for a specific agent.
+ */
+export async function $clearAgentChatHistory(agentName: string): Promise<void> {
+    if (!agentName) {
+        throw new Error('agentName is required to clear chat history');
+    }
+
+    const response = await fetch(`/api/chat-history?agentName=${encodeURIComponent(agentName)}`, {
+        method: 'DELETE',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to clear chat history');
+    }
+}
+
+/**
+ * Delete a single chat history row by ID.
+ */
+export async function $deleteChatHistoryRow(id: number): Promise<void> {
+    if (!id || id <= 0) {
+        throw new Error('Valid id is required to delete chat history row');
+    }
+
+    const response = await fetch(`/api/chat-history/${encodeURIComponent(String(id))}`, {
+        method: 'DELETE',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to delete chat history row');
+    }
+}

package/apps/agents-server/src/utils/getEffectiveFederatedServers.ts

@@ -0,0 +1,22 @@
+import type { string_promptbook_server_url } from '../../../../src/types/typeAliases';
+import { AUTO_FEDERATED_AGENT_SERVER_URLS } from '../../../../servers';
+
+/**
+ * Computes the effective list of federated servers for the current Agents Server.
+ *
+ * - Combines servers listed in the FEDERATED_SERVERS metadata (comma-separated)
+ *   with a set of auto-federated servers defined in the root servers.ts config.
+ * - Ensures uniqueness and trims whitespace.
+ */
+export function getEffectiveFederatedServers(federatedServersString: string): Array<string_promptbook_server_url> {
+    const manualFederatedServers = federatedServersString
+        .split(',')
+        .map((s) => s.trim())
+        .filter((s): s is string_promptbook_server_url => s !== '');
+
+    const merged = Array.from(
+        new Set<string_promptbook_server_url>([...manualFederatedServers, ...AUTO_FEDERATED_AGENT_SERVER_URLS]),
+    );
+
+    return merged;
+}

package/apps/agents-server/src/utils/getFederatedAgents.ts

@@ -11,13 +11,18 @@ type AgentsApiResponse = {
     federatedServers: string[];
 };
 
+export type AgentsByServer = {
+    serverUrl: string;
+    agents: AgentWithUrl[];
+};
+
 /**
  * Fetches agents from federated servers recursively
  */
-export async function getFederatedAgents(initialServers: string[]): Promise<AgentWithUrl[]> {
+export async function getFederatedAgents(initialServers: string[]): Promise<AgentsByServer[]> {
     const visited = new Set<string>();
     const queue = [...initialServers];
-    const externalAgentsMap = new Map<string, AgentWithUrl>();
+    const agentsByServer = new Map<string, AgentWithUrl[]>();
     const MAX_SERVERS = 20;
 
     while (queue.length > 0 && visited.size < MAX_SERVERS) {
@@ -30,10 +35,10 @@ export async function getFederatedAgents(initialServers: string[]): Promise<Agen
 
         try {
             // TODO: [🧠] Should we use some shorter timeout?
-            const response = await fetch(`${normalizedUrl}/api/agents`, { 
-                next: { revalidate: 600 } // Cache for 10 minutes
+            const response = await fetch(`${normalizedUrl}/api/agents`, {
+                next: { revalidate: 600 }, // Cache for 10 minutes
             });
-            
+
             if (!response.ok) {
                 console.warn(`Failed to fetch agents from ${normalizedUrl}: ${response.status} ${response.statusText}`);
                 continue;
@@ -42,11 +47,26 @@ export async function getFederatedAgents(initialServers: string[]): Promise<Agen
             const data: AgentsApiResponse = await response.json();
 
             if (data.agents && Array.isArray(data.agents)) {
+                const serverAgents: AgentWithUrl[] = [];
+                const existingAgentUrls = new Set<string>();
+
+                // Collect all existing agent URLs across all servers
+                for (const agents of agentsByServer.values()) {
+                    for (const agent of agents) {
+                        existingAgentUrls.add(agent.url);
+                    }
+                }
+
                 for (const agent of data.agents) {
-                    if (agent.url && !externalAgentsMap.has(agent.url)) {
-                        externalAgentsMap.set(agent.url, agent);
+                    if (agent.url && !existingAgentUrls.has(agent.url)) {
+                        serverAgents.push(agent);
+                        existingAgentUrls.add(agent.url);
                     }
                 }
+
+                if (serverAgents.length > 0) {
+                    agentsByServer.set(normalizedUrl, serverAgents);
+                }
             }
 
             if (data.federatedServers && Array.isArray(data.federatedServers)) {
@@ -62,5 +82,8 @@ export async function getFederatedAgents(initialServers: string[]): Promise<Agen
         }
     }
 
-    return Array.from(externalAgentsMap.values());
+    return Array.from(agentsByServer.entries()).map(([serverUrl, agents]) => ({
+        serverUrl,
+        agents,
+    }));
 }

package/apps/agents-server/src/utils/getFederatedServersFromMetadata.ts

@@ -0,0 +1,10 @@
+import { getMetadata } from '../database/getMetadata';
+import { getEffectiveFederatedServers } from './getEffectiveFederatedServers';
+
+/**
+ * Reads FEDERATED_SERVERS metadata and returns a normalized list of server URLs.
+ */
+export async function getFederatedServersFromMetadata(): Promise<string[]> {
+    const federatedServersString = (await getMetadata('FEDERATED_SERVERS')) || '';
+    return getEffectiveFederatedServers(federatedServersString);
+}

package/apps/agents-server/src/utils/getVisibleCommitmentDefinitions.ts

@@ -0,0 +1,12 @@
+import { getGroupedCommitmentDefinitions } from '../../../../src/commitments';
+import { NotYetImplementedCommitmentDefinition } from '../../../../src/commitments/_base/NotYetImplementedCommitmentDefinition';
+
+/**
+ * Gets visible commitment definitions for documentation
+ * Excluding those that are not yet implemented
+ */
+export function getVisibleCommitmentDefinitions() {
+    return getGroupedCommitmentDefinitions().filter(
+        (group) => !(group.primary instanceof NotYetImplementedCommitmentDefinition),
+    );
+}

package/apps/agents-server/src/utils/isUserAdmin.ts

@@ -4,13 +4,13 @@ import { getSession } from './session';
 /**
  * Checks if the current user is an admin
  * 
- * Note: If `process.env.ADMIN_PASSWORD` is not set, everyone is admin
+ * Note: If `process.env.ADMIN_PASSWORD` is not set, no one is admin
  * 
  * @returns true if the user is admin
  */
 export async function isUserAdmin(): Promise<boolean> {
     if (!process.env.ADMIN_PASSWORD) {
-        return true;
+        return false;
     }
 
     // Check legacy admin token

package/apps/agents-server/vercel.json

@@ -0,0 +1,7 @@
+{
+    "build": {
+        "env": {
+            "VERCEL_FORCE_NO_BUILD_CACHE": "1"
+        }
+    }
+}