@standardagents/builder 0.17.2 → 0.17.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/dist/built-in-routes.js +191 -14
  2. package/dist/built-in-routes.js.map +1 -1
  3. package/dist/client/ApiKeysView.js +1 -1
  4. package/dist/client/CenteredContentView.js +1 -1
  5. package/dist/client/CompositionView.js +1 -1
  6. package/dist/client/ConfirmDialog.vue_vue_type_script_setup_true_lang.js +1 -1
  7. package/dist/client/CopyButton.vue_vue_type_script_setup_true_lang.js +1 -1
  8. package/dist/client/DataTable.vue_vue_type_script_setup_true_lang.js +1 -1
  9. package/dist/client/JsonViewer.js +1 -1
  10. package/dist/client/LoginView.js +1 -1
  11. package/dist/client/MarketplaceView.js +1 -1
  12. package/dist/client/Modal.vue_vue_type_script_setup_true_lang.js +1 -1
  13. package/dist/client/ModelModal.vue_vue_type_script_setup_true_lang.js +1 -1
  14. package/dist/client/ModelsView.js +1 -1
  15. package/dist/client/PromptEditView.js +1 -1
  16. package/dist/client/PromptModal.js +1 -1
  17. package/dist/client/PromptsView.js +1 -1
  18. package/dist/client/ProvidersView.js +2 -2
  19. package/dist/client/ThreadInspectorPane.vue_vue_type_script_setup_true_lang.js +1 -1
  20. package/dist/client/ToolsView.js +1 -1
  21. package/dist/client/UsersView.js +1 -1
  22. package/dist/client/VariablesView.js +1 -1
  23. package/dist/client/assets/index.css +1 -1
  24. package/dist/client/index.js +3 -3
  25. package/dist/index.js +39 -5
  26. package/dist/index.js.map +1 -1
  27. package/dist/plugin.js +22 -5
  28. package/dist/plugin.js.map +1 -1
  29. package/dist/runtime.js +17 -0
  30. package/dist/runtime.js.map +1 -1
  31. package/package.json +4 -4
package/dist/plugin.js CHANGED
@@ -7205,8 +7205,9 @@ import { isThreadEndpoint } from "@standardagents/spec";
7205
7205
  const PUBLIC_ROUTES = [
7206
7206
  '/api/auth/bootstrap',
7207
7207
  '/api/auth/login',
7208
- '/api/auth/bootstrap',
7209
7208
  '/api/auth/config',
7209
+ '/api/auth/sa/start', // Login with Standard Agents (OAuth) \u2014 unauthenticated entry
7210
+ '/api/auth/sa/callback', // OAuth callback (sets the session cookie)
7210
7211
  '/api/config',
7211
7212
  '/api/auth/oauth/github',
7212
7213
  '/api/auth/oauth/google',
@@ -7219,15 +7220,31 @@ const PUBLIC_ROUTES = [
7219
7220
  '/api/hooks' // Hook metadata is safe to expose publicly
7220
7221
  ];
7221
7222
 
7223
+ // True when the platform deployed this instance (injects STANDARD_AGENTS_HOSTED).
7224
+ // Hosted instances are internet-reachable and multi-tenant, so the thread data
7225
+ // API and event/stream WebSockets must NOT be anonymously public the way they
7226
+ // are in single-user local dev \u2014 they require a session (admin) or API key (SDK).
7227
+ function isHostedInstance(env) {
7228
+ const value = env && env.STANDARD_AGENTS_HOSTED;
7229
+ if (typeof value === 'string') {
7230
+ const trimmed = value.trim().toLowerCase();
7231
+ return trimmed !== '' && trimmed !== '0' && trimmed !== 'false';
7232
+ }
7233
+ return Boolean(value);
7234
+ }
7235
+
7222
7236
  // Check if a route is public (no auth required)
7223
- function isPublicRoute(routePath) {
7237
+ function isPublicRoute(routePath, hosted) {
7224
7238
  // Exact match for auth routes
7225
7239
  if (PUBLIC_ROUTES.includes(routePath)) {
7226
7240
  return true;
7227
7241
  }
7228
7242
 
7229
- // Thread routes are always public
7230
- if (routePath.startsWith('/api/threads/') || routePath === '/api/threads') {
7243
+ // Thread routes (REST + message/log stream WebSockets) are public in local
7244
+ // single-user dev, but on a hosted deployment they require auth \u2014 requireAuth
7245
+ // accepts the admin's session (cookie or token) or the SDK's API key, so this
7246
+ // only blocks anonymous access to another tenant's threads/messages/files.
7247
+ if (!hosted && (routePath.startsWith('/api/threads/') || routePath === '/api/threads')) {
7231
7248
  return true;
7232
7249
  }
7233
7250
 
@@ -7329,7 +7346,7 @@ ${packedThreadRouteCode}
7329
7346
 
7330
7347
  if (routeMatch) {
7331
7348
  // Check if authentication is required for this route
7332
- const publicRoute = isPublicRoute(routePath);
7349
+ const publicRoute = isPublicRoute(routePath, isHostedInstance(env));
7333
7350
  const isApiRoute = routePath.startsWith('/api/');
7334
7351
 
7335
7352
  let authContext = null;