@standardagents/builder 0.17.2 → 0.18.0

package/dist/index.js

@@ -19696,8 +19696,10 @@ import { isThreadEndpoint } from "@standardagents/spec";
 const PUBLIC_ROUTES = [
   '/api/auth/bootstrap',
   '/api/auth/login',
-  '/api/auth/bootstrap',
   '/api/auth/config',
+  '/api/auth/platform-replica',
+  '/api/auth/sa/start',     // Login with Standard Agents (OAuth) \u2014 unauthenticated entry
+  '/api/auth/sa/callback',  // OAuth callback (sets the session cookie)
   '/api/config',
   '/api/auth/oauth/github',
   '/api/auth/oauth/google',
@@ -19710,15 +19712,31 @@ const PUBLIC_ROUTES = [
   '/api/hooks'  // Hook metadata is safe to expose publicly
 ];
 
+// True when the platform deployed this instance (injects STANDARD_AGENTS_HOSTED).
+// Hosted instances are internet-reachable and multi-tenant, so the thread data
+// API and event/stream WebSockets must NOT be anonymously public the way they
+// are in single-user local dev \u2014 they require a session (admin) or API key (SDK).
+function isHostedInstance(env) {
+  const value = env && env.STANDARD_AGENTS_HOSTED;
+  if (typeof value === 'string') {
+    const trimmed = value.trim().toLowerCase();
+    return trimmed !== '' && trimmed !== '0' && trimmed !== 'false';
+  }
+  return Boolean(value);
+}
+
 // Check if a route is public (no auth required)
-function isPublicRoute(routePath) {
+function isPublicRoute(routePath, hosted) {
   // Exact match for auth routes
   if (PUBLIC_ROUTES.includes(routePath)) {
     return true;
   }
 
-  // Thread routes are always public
-  if (routePath.startsWith('/api/threads/') || routePath === '/api/threads') {
+  // Thread routes (REST + message/log stream WebSockets) are public in local
+  // single-user dev, but on a hosted deployment they require auth \u2014 requireAuth
+  // accepts the admin's session (cookie or token) or the SDK's API key, so this
+  // only blocks anonymous access to another tenant's threads/messages/files.
+  if (!hosted && (routePath.startsWith('/api/threads/') || routePath === '/api/threads')) {
     return true;
   }
 
@@ -19727,16 +19745,25 @@ function isPublicRoute(routePath) {
     return true;
   }
 
-  // Platform proxy routes handle their own auth.
+  // Platform proxy routes handle their own auth in local dev only.
+  if (hosted && (routePath.startsWith('/api/platform/') || routePath === '/api/platform')) {
+    return false;
+  }
   if (routePath.startsWith('/api/platform/') || routePath === '/api/platform') {
     return true;
   }
 
-  // Platform session proxy and auth bridge handle auth via platform cookies.
+  // Platform session proxy and auth bridge are local-dev helpers only.
+  if (hosted && (routePath.startsWith('/api/platform-session/') || routePath === '/api/platform-session')) {
+    return false;
+  }
   if (routePath.startsWith('/api/platform-session/') || routePath === '/api/platform-session') {
     return true;
   }
 
+  if (hosted && (routePath.startsWith('/api/platform-auth/') || routePath === '/api/platform-auth')) {
+    return false;
+  }
   if (routePath.startsWith('/api/platform-auth/') || routePath === '/api/platform-auth') {
     return true;
   }
@@ -19744,6 +19771,36 @@ function isPublicRoute(routePath) {
   return false;
 }
 
+function platformEndpoint(env) {
+  const configured =
+    env && (env.PLATFORM_ENDPOINT || env.STANDARD_AGENTS_PLATFORM_URL || env.PLATFORM_URL || env.STANDARD_AGENTS_PUBLIC_URL);
+  if (typeof configured === 'string' && configured.trim()) {
+    return configured.trim().replace(/\\/+$/, '');
+  }
+  return 'https://platform.standardagents.ai';
+}
+
+function hostedInstanceRedirectId(request, env) {
+  const configured = env && (env.STANDARD_AGENTS_PROJECT_ID || env.STANDARD_AGENTS_INSTANCE_ID || env.STANDARD_AGENTS_INSTANCE_SUBDOMAIN);
+  if (typeof configured === 'string' && configured.trim()) {
+    return configured.trim();
+  }
+  return new URL(request.url).hostname;
+}
+
+function platformLoginUrl(request, env) {
+  const requestUrl = new URL(request.url);
+  const url = new URL('/login', platformEndpoint(env));
+  url.searchParams.set('redirect', hostedInstanceRedirectId(request, env));
+  url.searchParams.set('return_to', requestUrl.pathname + requestUrl.search || '/');
+  return url.toString();
+}
+
+function isHtmlNavigationRequest(request) {
+  if (request.method !== 'GET' && request.method !== 'HEAD') return false;
+  return (request.headers.get('Accept') || '').includes('text/html');
+}
+
 // CORS headers for API responses
 const CORS_HEADERS = {
   "Access-Control-Allow-Origin": "*",
@@ -19820,7 +19877,7 @@ ${packedThreadRouteCode}
 
   if (routeMatch) {
     // Check if authentication is required for this route
-    const publicRoute = isPublicRoute(routePath);
+    const publicRoute = isPublicRoute(routePath, isHostedInstance(env));
     const isApiRoute = routePath.startsWith('/api/');
 
     let authContext = null;
@@ -19835,6 +19892,21 @@ ${packedThreadRouteCode}
       }
 
       authContext = authResult;
+
+      if (routePath.startsWith('/api/threads/')) {
+        const threadId = routeMatch.params?.id || routeMatch.params?.threadId;
+        if (threadId) {
+          const agentBuilderId = env.AGENT_BUILDER.idFromName('singleton');
+          const agentBuilder = env.AGENT_BUILDER.get(agentBuilderId);
+          const thread = await agentBuilder.getThread(threadId);
+          if (!thread) {
+            return addCorsHeaders(Response.json({ error: \`Thread not found: \${threadId}\` }, { status: 404 }));
+          }
+          if (authContext.user.role !== 'admin' && (thread.user_id === null || thread.user_id !== authContext.user.id)) {
+            return addCorsHeaders(Response.json({ error: "Forbidden: You don't have access to this thread" }, { status: 403 }));
+          }
+        }
+      }
     }
 
     let controller = await routeMatch.data();
@@ -19870,6 +19942,19 @@ ${packedThreadRouteCode}
     });
   }
 
+  // Hosted browser navigations do not render a local login page. Redirect
+  // anonymous users directly to the platform, where the instance membership is
+  // resolved and returned as a signed handoff token.
+  if (isHostedInstance(env) && isHtmlNavigationRequest(request)) {
+    const authResult = await requireAuth(request, env);
+    if (authResult instanceof Response) {
+      return new Response(null, {
+        status: 302,
+        headers: { Location: platformLoginUrl(request, env) },
+      });
+    }
+  }
+
   // Serve UI for all other routes (SPA fallback)
   return serveUI(routePath, env);
 }
@@ -20573,11 +20658,24 @@ async function hashToken(token) {
   const hashArray = new Uint8Array(hashBuffer);
   return Array.from(hashArray, (byte) => byte.toString(16).padStart(2, "0")).join("");
 }
+var SESSION_COOKIE_NAME = "agtuser_session";
+function readSessionCookie(request) {
+  const header = request.headers.get("Cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    if (part.slice(0, eq).trim() === SESSION_COOKIE_NAME) {
+      return decodeURIComponent(part.slice(eq + 1).trim()) || null;
+    }
+  }
+  return null;
+}
 function isValidUserToken(token) {
   return token.startsWith("agtuser_") && token.length > 10;
 }
 function isValidApiKey(key) {
-  return key.startsWith("agtbldr_") && key.length > 10;
+  return key.startsWith("agtbldr_") && key.length > 10 || key.startsWith("sak_live_") && key.length > 10;
 }
 async function verifySignedToken(signedToken, encryptionKey) {
   try {
@@ -20646,6 +20744,10 @@ function extractBearerToken(request) {
   if (authHeader && authHeader.startsWith("Bearer ")) {
     return authHeader.substring(7);
   }
+  const cookieToken = readSessionCookie(request);
+  if (cookieToken) {
+    return cookieToken;
+  }
   const isWebSocket = request.headers.get("upgrade")?.toLowerCase() === "websocket";
   if (isWebSocket) {
     try {
@@ -20697,7 +20799,11 @@ async function authenticate(request, env) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "session"
         };
@@ -20715,7 +20821,11 @@ async function authenticate(request, env) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "api_key"
         };
@@ -23505,9 +23615,9 @@ var DurableThread = class extends DurableObject {
    * Each migration is run in order, starting from the current version + 1.
    */
   async runMigrations(fromVersion) {
-    for (const migration37 of migrations) {
-      if (migration37.version > fromVersion) {
-        await migration37.up(this.ctx.storage.sql);
+    for (const migration38 of migrations) {
+      if (migration38.version > fromVersion) {
+        await migration38.up(this.ctx.storage.sql);
       }
     }
   }
@@ -26942,9 +27052,38 @@ var migration36 = {
   }
 };
 
+// src/durable-objects/agentbuilder-migrations/0007_platform_identity_replica.ts
+var migration37 = {
+  version: 7,
+  async up(sql) {
+    sql.exec(`ALTER TABLE users ADD COLUMN platform_user_id TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN email TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN display_name TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN avatar_url TEXT`);
+    sql.exec(`ALTER TABLE users ADD COLUMN instance_role TEXT NOT NULL DEFAULT 'admin' CHECK (instance_role IN ('admin', 'user'))`);
+    sql.exec(`ALTER TABLE users ADD COLUMN source TEXT NOT NULL DEFAULT 'local' CHECK (source IN ('local', 'standard_agents'))`);
+    sql.exec(`ALTER TABLE users ADD COLUMN replica_active INTEGER NOT NULL DEFAULT 1`);
+    sql.exec(`ALTER TABLE users ADD COLUMN replica_updated_at INTEGER`);
+    sql.exec(`ALTER TABLE users ADD COLUMN deleted_at INTEGER`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_platform_user_id ON users(platform_user_id)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_replica_active ON users(replica_active)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_users_instance_role ON users(instance_role)`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN platform_key_id TEXT`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN scope TEXT`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN source TEXT NOT NULL DEFAULT 'local' CHECK (source IN ('local', 'standard_agents'))`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN replica_active INTEGER NOT NULL DEFAULT 1`);
+    sql.exec(`ALTER TABLE api_keys ADD COLUMN replica_updated_at INTEGER`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_api_keys_platform_key_id ON api_keys(platform_key_id)`);
+    sql.exec(`CREATE INDEX IF NOT EXISTS idx_api_keys_replica_active ON api_keys(replica_active)`);
+    sql.exec(`
+      INSERT OR REPLACE INTO _metadata (key, value) VALUES ('schema_version', '7')
+    `);
+  }
+};
+
 // src/durable-objects/agentbuilder-migrations/index.ts
-var migrations2 = [migration31, migration32, migration33, migration34, migration35, migration36];
-var LATEST_SCHEMA_VERSION2 = 6;
+var migrations2 = [migration31, migration32, migration33, migration34, migration35, migration36, migration37];
+var LATEST_SCHEMA_VERSION2 = 7;
 
 // src/utils/crypto.ts
 var CryptoUtil = class {
@@ -27568,9 +27707,9 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     }
   }
   async runMigrations(fromVersion) {
-    for (const migration37 of migrations2) {
-      if (migration37.version > fromVersion) {
-        await migration37.up(this.ctx.storage.sql);
+    for (const migration38 of migrations2) {
+      if (migration38.version > fromVersion) {
+        await migration38.up(this.ctx.storage.sql);
       }
     }
   }
@@ -28603,27 +28742,54 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   // ============================================================
   // User Authentication Methods
   // ============================================================
+  normalizeReplicaUsername(input, fallback) {
+    const normalized = (input || fallback).trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 50);
+    return normalized || fallback;
+  }
+  async availableReplicaUsername(candidate, platformUserId) {
+    const existing = await this.ctx.storage.sql.exec(
+      `SELECT id, platform_user_id FROM users WHERE username = ? LIMIT 1`,
+      candidate
+    );
+    const row = existing.toArray()[0];
+    if (!row || row.platform_user_id === platformUserId) {
+      return candidate;
+    }
+    const suffix = platformUserId.replace(/[^a-zA-Z0-9]/g, "").slice(0, 8) || "user";
+    const trimmed = candidate.slice(0, Math.max(1, 50 - suffix.length - 1)).replace(/-+$/g, "");
+    return `${trimmed || "sa"}-${suffix}`;
+  }
+  userFromRow(row) {
+    return {
+      id: row.id,
+      username: row.username,
+      password_hash: row.password_hash,
+      role: row.role === "user" ? "user" : "admin",
+      platform_user_id: row.platform_user_id ?? null,
+      email: row.email ?? null,
+      display_name: row.display_name ?? null,
+      avatar_url: row.avatar_url ?? null,
+      source: row.source ?? "local",
+      replica_active: row.replica_active ?? 1,
+      created_at: row.created_at,
+      updated_at: row.updated_at
+    };
+  }
   /**
    * Get a user by username.
    */
   async getUserByUsername(username) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, username, password_hash, role, created_at, updated_at
-       FROM users WHERE username = ?`,
+      `SELECT id, username, password_hash, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users WHERE username = ? AND deleted_at IS NULL AND replica_active != 0`,
       username
     );
     const rows = cursor.toArray();
     if (rows.length === 0) return null;
-    const row = rows[0];
-    return {
-      id: row.id,
-      username: row.username,
-      password_hash: row.password_hash,
-      role: row.role,
-      created_at: row.created_at,
-      updated_at: row.updated_at
-    };
+    return this.userFromRow(rows[0]);
   }
   /**
    * Get a user by ID.
@@ -28631,21 +28797,15 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   async getUserById(id) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, username, password_hash, role, created_at, updated_at
-       FROM users WHERE id = ?`,
+      `SELECT id, username, password_hash, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users WHERE id = ? AND deleted_at IS NULL AND replica_active != 0`,
       id
     );
     const rows = cursor.toArray();
     if (rows.length === 0) return null;
-    const row = rows[0];
-    return {
-      id: row.id,
-      username: row.username,
-      password_hash: row.password_hash,
-      role: row.role,
-      created_at: row.created_at,
-      updated_at: row.updated_at
-    };
+    return this.userFromRow(rows[0]);
   }
   /**
    * Create a new user.
@@ -28655,12 +28815,23 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     const id = crypto.randomUUID();
     const now = Math.floor(Date.now() / 1e3);
     await this.ctx.storage.sql.exec(
-      `INSERT INTO users (id, username, password_hash, role, created_at, updated_at)
-       VALUES (?, ?, ?, ?, ?, ?)`,
+      `INSERT INTO users (
+        id, username, password_hash, role, instance_role, platform_user_id,
+        email, display_name, avatar_url, source, replica_active,
+        replica_updated_at, created_at, updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
       id,
       params.username,
       params.password_hash,
+      "admin",
       params.role || "admin",
+      params.platform_user_id ?? null,
+      params.email ?? null,
+      params.display_name ?? null,
+      params.avatar_url ?? null,
+      params.source ?? "local",
+      1,
+      params.source === "standard_agents" ? now : null,
       now,
       now
     );
@@ -28669,6 +28840,12 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       username: params.username,
       password_hash: params.password_hash,
       role: params.role || "admin",
+      platform_user_id: params.platform_user_id ?? null,
+      email: params.email ?? null,
+      display_name: params.display_name ?? null,
+      avatar_url: params.avatar_url ?? null,
+      source: params.source ?? "local",
+      replica_active: 1,
       created_at: now,
       updated_at: now
     };
@@ -28688,11 +28865,24 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
    */
   async listUsers() {
     await this.ensureMigrated();
-    const cursor = await this.ctx.storage.sql.exec(`SELECT id, username, role, created_at, updated_at FROM users ORDER BY created_at DESC`);
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id, username, COALESCE(instance_role, role) AS role,
+        platform_user_id, email, display_name, avatar_url, source, replica_active,
+        created_at, updated_at
+       FROM users
+       WHERE deleted_at IS NULL
+       ORDER BY created_at DESC`
+    );
     return cursor.toArray().map((row) => ({
       id: row.id,
       username: row.username,
-      role: row.role,
+      role: row.role === "user" ? "user" : "admin",
+      platform_user_id: row.platform_user_id ?? null,
+      email: row.email ?? null,
+      display_name: row.display_name ?? null,
+      avatar_url: row.avatar_url ?? null,
+      source: row.source ?? "local",
+      replica_active: row.replica_active ?? 1,
       created_at: row.created_at,
       updated_at: row.updated_at
     }));
@@ -28716,14 +28906,42 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       values.push(params.password_hash);
     }
     if (params.role !== void 0) {
-      updates.push("role = ?");
+      updates.push("instance_role = ?");
       values.push(params.role);
     }
+    if (params.platform_user_id !== void 0) {
+      updates.push("platform_user_id = ?");
+      values.push(params.platform_user_id);
+    }
+    if (params.email !== void 0) {
+      updates.push("email = ?");
+      values.push(params.email);
+    }
+    if (params.display_name !== void 0) {
+      updates.push("display_name = ?");
+      values.push(params.display_name);
+    }
+    if (params.avatar_url !== void 0) {
+      updates.push("avatar_url = ?");
+      values.push(params.avatar_url);
+    }
+    if (params.source !== void 0) {
+      updates.push("source = ?");
+      values.push(params.source);
+    }
+    if (params.replica_active !== void 0) {
+      updates.push("replica_active = ?");
+      values.push(params.replica_active);
+    }
     if (updates.length === 0) {
       return existing;
     }
     updates.push("updated_at = ?");
     values.push(now);
+    if (params.source === "standard_agents" || params.replica_active !== void 0) {
+      updates.push("replica_updated_at = ?");
+      values.push(now);
+    }
     values.push(id);
     await this.ctx.storage.sql.exec(
       `UPDATE users SET ${updates.join(", ")} WHERE id = ?`,
@@ -28744,9 +28962,223 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
       `DELETE FROM api_keys WHERE user_id = ?`,
       id
     );
-    await this.ctx.storage.sql.exec(`DELETE FROM users WHERE id = ?`, id);
+    await this.ctx.storage.sql.exec(
+      `UPDATE users SET deleted_at = ?, replica_active = 0 WHERE id = ?`,
+      Math.floor(Date.now() / 1e3),
+      id
+    );
     return true;
   }
+  /**
+   * Upsert a platform-replicated identity and return the local user row.
+   */
+  async upsertPlatformReplicaUser(replica) {
+    await this.ensureMigrated();
+    const now = Math.floor(Date.now() / 1e3);
+    const fallback = this.normalizeReplicaUsername(
+      replica.email?.split("@")[0] ?? null,
+      `sa-${replica.platform_user_id.slice(0, 12)}`
+    );
+    const username = this.normalizeReplicaUsername(
+      replica.username ?? replica.display_name ?? replica.email ?? null,
+      fallback
+    );
+    const existingCursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users WHERE platform_user_id = ? LIMIT 1`,
+      replica.platform_user_id
+    );
+    const existing = existingCursor.toArray()[0];
+    const availableUsername = await this.availableReplicaUsername(username, replica.platform_user_id);
+    if (existing) {
+      await this.ctx.storage.sql.exec(
+        `UPDATE users SET
+          username = ?,
+          instance_role = ?,
+          email = ?,
+          display_name = ?,
+          avatar_url = ?,
+          source = 'standard_agents',
+          replica_active = 1,
+          replica_updated_at = ?,
+          deleted_at = NULL,
+          updated_at = ?
+        WHERE id = ?`,
+        availableUsername,
+        replica.role,
+        replica.email ?? null,
+        replica.display_name ?? null,
+        replica.avatar_url ?? null,
+        now,
+        now,
+        existing.id
+      );
+      const updated = await this.getUserById(existing.id);
+      if (!updated) {
+        throw new Error("Failed to load replicated user after update");
+      }
+      return updated;
+    }
+    return this.createUser({
+      username: availableUsername,
+      password_hash: `platform-replica:${crypto.randomUUID()}`,
+      role: replica.role,
+      platform_user_id: replica.platform_user_id,
+      email: replica.email ?? null,
+      display_name: replica.display_name ?? null,
+      avatar_url: replica.avatar_url ?? null,
+      source: "standard_agents"
+    });
+  }
+  /**
+   * Apply a full platform read-replica snapshot for this instance.
+   */
+  async applyPlatformReplicaSnapshot(snapshot) {
+    await this.ensureMigrated();
+    const activeUserIds = /* @__PURE__ */ new Set();
+    for (const replicaUser of snapshot.users) {
+      const user = await this.upsertPlatformReplicaUser(replicaUser);
+      activeUserIds.add(user.id);
+    }
+    const activeList = Array.from(activeUserIds);
+    if (activeList.length > 0) {
+      const placeholders = activeList.map(() => "?").join(", ");
+      const inactive = await this.ctx.storage.sql.exec(
+        `SELECT id FROM users
+         WHERE source = 'standard_agents'
+           AND replica_active != 0
+           AND id NOT IN (${placeholders})`,
+        ...activeList
+      );
+      for (const row of inactive.toArray()) {
+        await this.ctx.storage.sql.exec(`DELETE FROM sessions WHERE user_id = ?`, row.id);
+        await this.ctx.storage.sql.exec(
+          `UPDATE users SET replica_active = 0, deleted_at = ?, replica_updated_at = ?, updated_at = ? WHERE id = ?`,
+          Math.floor(Date.now() / 1e3),
+          Math.floor(Date.now() / 1e3),
+          Math.floor(Date.now() / 1e3),
+          row.id
+        );
+      }
+    } else {
+      const inactive = await this.ctx.storage.sql.exec(
+        `SELECT id FROM users WHERE source = 'standard_agents' AND replica_active != 0`
+      );
+      for (const row of inactive.toArray()) {
+        await this.ctx.storage.sql.exec(`DELETE FROM sessions WHERE user_id = ?`, row.id);
+      }
+      const now2 = Math.floor(Date.now() / 1e3);
+      await this.ctx.storage.sql.exec(
+        `UPDATE users SET replica_active = 0, deleted_at = ?, replica_updated_at = ?, updated_at = ?
+         WHERE source = 'standard_agents'`,
+        now2,
+        now2,
+        now2
+      );
+    }
+    const activePlatformKeyIds = /* @__PURE__ */ new Set();
+    const keys = snapshot.api_keys ?? [];
+    for (const key of keys) {
+      const user = key.user_platform_id ? await this.getUserByPlatformUserId(key.user_platform_id) : await this.getFirstReplicaAdminUser();
+      const keyUser = user ?? await this.getFirstReplicaAdminUser();
+      if (!keyUser) continue;
+      activePlatformKeyIds.add(key.id);
+      await this.upsertPlatformReplicaApiKey(key, keyUser.id);
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (activePlatformKeyIds.size > 0) {
+      const ids = Array.from(activePlatformKeyIds);
+      const placeholders = ids.map(() => "?").join(", ");
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET replica_active = 0, replica_updated_at = ?
+         WHERE source = 'standard_agents' AND platform_key_id NOT IN (${placeholders})`,
+        now,
+        ...ids
+      );
+    } else {
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET replica_active = 0, replica_updated_at = ?
+         WHERE source = 'standard_agents'`,
+        now
+      );
+    }
+    return { users: activeUserIds.size, api_keys: activePlatformKeyIds.size };
+  }
+  async getUserByPlatformUserId(platformUserId) {
+    await this.ensureMigrated();
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users
+       WHERE platform_user_id = ? AND deleted_at IS NULL AND replica_active != 0
+       LIMIT 1`,
+      platformUserId
+    );
+    const row = cursor.toArray()[0];
+    return row ? this.getUserById(row.id) : null;
+  }
+  async getFirstReplicaAdminUser() {
+    await this.ensureMigrated();
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT id FROM users
+       WHERE source = 'standard_agents'
+         AND instance_role = 'admin'
+         AND deleted_at IS NULL
+         AND replica_active != 0
+       ORDER BY created_at ASC
+       LIMIT 1`
+    );
+    const row = cursor.toArray()[0];
+    return row ? this.getUserById(row.id) : null;
+  }
+  async upsertPlatformReplicaApiKey(key, userId) {
+    await this.ensureMigrated();
+    const now = Math.floor(Date.now() / 1e3);
+    const existing = await this.ctx.storage.sql.exec(
+      `SELECT id FROM api_keys WHERE platform_key_id = ? LIMIT 1`,
+      key.id
+    );
+    const row = existing.toArray()[0];
+    const name = key.name || `Standard Agents ${key.key_prefix}`;
+    const lastFive = key.last_five || key.key_prefix.slice(-5);
+    if (row) {
+      await this.ctx.storage.sql.exec(
+        `UPDATE api_keys SET
+          name = ?,
+          key_hash = ?,
+          key_prefix = ?,
+          last_five = ?,
+          user_id = ?,
+          scope = ?,
+          source = 'standard_agents',
+          replica_active = 1,
+          replica_updated_at = ?
+         WHERE id = ?`,
+        name,
+        key.key_hash,
+        key.key_prefix,
+        lastFive,
+        userId,
+        key.scope ?? null,
+        now,
+        row.id
+      );
+      return;
+    }
+    await this.ctx.storage.sql.exec(
+      `INSERT INTO api_keys (
+        id, name, key_hash, key_prefix, last_five, user_id, created_at,
+        platform_key_id, scope, source, replica_active, replica_updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 'standard_agents', 1, ?)`,
+      `platform:${key.id}`,
+      name,
+      key.key_hash,
+      key.key_prefix,
+      lastFive,
+      userId,
+      key.created_at ?? now,
+      key.id,
+      key.scope ?? null,
+      now
+    );
+  }
   // ============================================================
   // Session Methods
   // ============================================================
@@ -28775,8 +29207,13 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
     await this.ensureMigrated();
     const now = Math.floor(Date.now() / 1e3);
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT user_id, expires_at FROM sessions
-       WHERE token_hash = ? AND expires_at > ?`,
+      `SELECT sessions.user_id, sessions.expires_at
+       FROM sessions
+       JOIN users ON users.id = sessions.user_id
+       WHERE sessions.token_hash = ?
+         AND sessions.expires_at > ?
+         AND users.deleted_at IS NULL
+         AND users.replica_active != 0`,
       tokenHash,
       now
     );
@@ -28833,14 +29270,23 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
    */
   async validateApiKey(keyHash) {
     await this.ensureMigrated();
-    const cursor = await this.ctx.storage.sql.exec(`SELECT id, user_id FROM api_keys WHERE key_hash = ?`, keyHash);
+    const cursor = await this.ctx.storage.sql.exec(
+      `SELECT api_keys.id, api_keys.user_id
+       FROM api_keys
+       JOIN users ON users.id = api_keys.user_id
+       WHERE api_keys.key_hash = ?
+         AND api_keys.replica_active != 0
+         AND users.deleted_at IS NULL
+         AND users.replica_active != 0`,
+      keyHash
+    );
     const rows = cursor.toArray();
     if (rows.length === 0) {
       return null;
     }
     const now = Math.floor(Date.now() / 1e3);
     await this.ctx.storage.sql.exec(
-      `UPDATE api_keys SET last_used_at = ? WHERE key_hash = ?`,
+      `UPDATE api_keys SET last_used_at = ? WHERE key_hash = ? AND replica_active != 0`,
       now,
       keyHash
     );
@@ -28852,8 +29298,10 @@ ${result ?? error ?? "No result content."}${attachmentSummary}`;
   async listApiKeys(userId) {
     await this.ensureMigrated();
     const cursor = await this.ctx.storage.sql.exec(
-      `SELECT id, name, key_prefix, last_five, created_at, last_used_at
-       FROM api_keys WHERE user_id = ? ORDER BY created_at DESC`,
+      `SELECT id, name, key_prefix, last_five, source, created_at, last_used_at
+       FROM api_keys
+       WHERE user_id = ? AND replica_active != 0
+       ORDER BY created_at DESC`,
       userId
     );
     return cursor.toArray();