@standardagents/builder 0.17.3 → 0.18.1

package/dist/built-in-routes.js

@@ -3672,13 +3672,13 @@ var init_ToolExecutor = __esm({
             };
           }
           const reader = result.stream.getReader();
-          const decoder = new TextDecoder();
+          const decoder2 = new TextDecoder();
           let textContent = "";
           try {
             while (true) {
               const { done, value } = await reader.read();
               if (done) break;
-              textContent += decoder.decode(value, { stream: true });
+              textContent += decoder2.decode(value, { stream: true });
             }
           } finally {
             reader.releaseLock();
@@ -11628,8 +11628,8 @@ var init_ThreadStateImpl = __esm({
         } else {
           let base64Data;
           if (typeof data === "string") {
-            const encoder = new TextEncoder();
-            const bytes = encoder.encode(data);
+            const encoder2 = new TextEncoder();
+            const bytes = encoder2.encode(data);
             let binary = "";
             for (let i = 0; i < bytes.length; i++) {
               binary += String.fromCharCode(bytes[i]);
@@ -13703,12 +13703,12 @@ function parseToolArguments(argumentsJson) {
 }
 async function* parseChatSSEStream(stream, state) {
   const reader = stream.getReader();
-  const decoder = new TextDecoder();
+  const decoder2 = new TextDecoder();
   let buffer = "";
   while (true) {
     const { value, done } = await reader.read();
     if (done) break;
-    buffer += decoder.decode(value, { stream: true });
+    buffer += decoder2.decode(value, { stream: true });
     while (true) {
       const separatorIndex = buffer.indexOf("\n\n");
       if (separatorIndex === -1) break;
@@ -15086,13 +15086,13 @@ async function* parseChatSSEStream2(response, state) {
   if (!reader) {
     throw new Error("No response body");
   }
-  const decoder = new TextDecoder();
+  const decoder2 = new TextDecoder();
   let buffer = "";
   try {
     while (true) {
       const { done, value } = await reader.read();
       if (done) break;
-      buffer += decoder.decode(value, { stream: true });
+      buffer += decoder2.decode(value, { stream: true });
       const lines = buffer.split("\n");
       buffer = lines.pop() || "";
       for (const line of lines) {
@@ -25381,12 +25381,12 @@ function concatBytes(buffers) {
   return output;
 }
 function encodeUTF8(str) {
-  let encoder;
-  return (encodeUTF8_ !== null && encodeUTF8_ !== void 0 ? encodeUTF8_ : (encoder = new globalThis.TextEncoder(), encodeUTF8_ = encoder.encode.bind(encoder)))(str);
+  let encoder2;
+  return (encodeUTF8_ !== null && encodeUTF8_ !== void 0 ? encodeUTF8_ : (encoder2 = new globalThis.TextEncoder(), encodeUTF8_ = encoder2.encode.bind(encoder2)))(str);
 }
 function decodeUTF8(bytes) {
-  let decoder;
-  return (decodeUTF8_ !== null && decodeUTF8_ !== void 0 ? decodeUTF8_ : (decoder = new globalThis.TextDecoder(), decodeUTF8_ = decoder.decode.bind(decoder)))(bytes);
+  let decoder2;
+  return (decodeUTF8_ !== null && decodeUTF8_ !== void 0 ? decodeUTF8_ : (decoder2 = new globalThis.TextDecoder(), decodeUTF8_ = decoder2.decode.bind(decoder2)))(bytes);
 }
 function findNewlineIndex(buffer, startIndex) {
   const newline = 10;
@@ -29093,7 +29093,7 @@ var init_web = __esm({
         return __asyncGenerator(this, arguments, function* processStreamResponse_1() {
           var _a16;
           const reader = (_a16 = response === null || response === void 0 ? void 0 : response.body) === null || _a16 === void 0 ? void 0 : _a16.getReader();
-          const decoder = new TextDecoder("utf-8");
+          const decoder2 = new TextDecoder("utf-8");
           if (!reader) {
             throw new Error("Response body is empty");
           }
@@ -29109,7 +29109,7 @@ var init_web = __esm({
                 }
                 break;
               }
-              const chunkString = decoder.decode(value, { stream: true });
+              const chunkString = decoder2.decode(value, { stream: true });
               try {
                 const chunkJson = JSON.parse(chunkString);
                 if ("error" in chunkJson) {
@@ -35732,12 +35732,12 @@ function concatBytes2(buffers) {
   return output;
 }
 function encodeUTF82(str) {
-  let encoder;
-  return (encodeUTF8_2 ?? (encoder = new globalThis.TextEncoder(), encodeUTF8_2 = encoder.encode.bind(encoder)))(str);
+  let encoder2;
+  return (encodeUTF8_2 ?? (encoder2 = new globalThis.TextEncoder(), encodeUTF8_2 = encoder2.encode.bind(encoder2)))(str);
 }
 function decodeUTF82(bytes) {
-  let decoder;
-  return (decodeUTF8_2 ?? (decoder = new globalThis.TextDecoder(), decodeUTF8_2 = decoder.decode.bind(decoder)))(bytes);
+  let decoder2;
+  return (decodeUTF8_2 ?? (decoder2 = new globalThis.TextDecoder(), decodeUTF8_2 = decoder2.decode.bind(decoder2)))(bytes);
 }
 var encodeUTF8_2, decodeUTF8_2;
 var init_bytes = __esm({
@@ -50030,8 +50030,8 @@ async function oAuthCreateSHA256CodeChallenge(params = {}) {
     };
   }
   const { codeVerifier = generateCodeVerifier() } = parsedParams.data;
-  const encoder = new TextEncoder();
-  const data = encoder.encode(codeVerifier);
+  const encoder2 = new TextEncoder();
+  const data = encoder2.encode(codeVerifier);
   const hash = await crypto.subtle.digest("SHA-256", data);
   const hashArray = new Uint8Array(hash);
   const codeChallenge = arrayBufferToBase64Url(hashArray);
@@ -51840,13 +51840,13 @@ async function* parseChatSSEStream3(response, state) {
   if (!reader) {
     throw new Error("No response body");
   }
-  const decoder = new TextDecoder();
+  const decoder2 = new TextDecoder();
   let buffer = "";
   try {
     while (true) {
       const { done, value } = await reader.read();
       if (done) break;
-      buffer += decoder.decode(value, { stream: true });
+      buffer += decoder2.decode(value, { stream: true });
       const lines = buffer.split("\n");
       buffer = lines.pop() || "";
       for (const line of lines) {
@@ -52782,13 +52782,13 @@ async function* parseSSEStream(response, state) {
   if (!reader) {
     throw new Error("No response body");
   }
-  const decoder = new TextDecoder();
+  const decoder2 = new TextDecoder();
   let buffer = "";
   try {
     while (true) {
       const { done, value } = await reader.read();
       if (done) break;
-      buffer += decoder.decode(value, { stream: true });
+      buffer += decoder2.decode(value, { stream: true });
       const lines = buffer.split("\n");
       buffer = lines.pop() || "";
       for (const line of lines) {
@@ -63020,8 +63020,8 @@ function generateApiKey() {
   return `agtbldr_${generateSecureToken(32)}`;
 }
 async function hashPassword(password) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(password);
+  const encoder2 = new TextEncoder();
+  const data = encoder2.encode(password);
   const salt = crypto.getRandomValues(new Uint8Array(16));
   const keyMaterial = await crypto.subtle.importKey(
     "raw",
@@ -63051,8 +63051,8 @@ async function verifyPassword(password, hash) {
     const combined = base64ToBuffer(hash);
     const salt = combined.slice(0, 16);
     const storedHash = combined.slice(16);
-    const encoder = new TextEncoder();
-    const data = encoder.encode(password);
+    const encoder2 = new TextEncoder();
+    const data = encoder2.encode(password);
     const keyMaterial = await crypto.subtle.importKey(
       "raw",
       data,
@@ -63087,8 +63087,8 @@ async function verifyPassword(password, hash) {
   }
 }
 async function hashToken(token) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(token);
+  const encoder2 = new TextEncoder();
+  const data = encoder2.encode(token);
   const hashBuffer = await crypto.subtle.digest("SHA-256", data);
   const hashArray = new Uint8Array(hashBuffer);
   return Array.from(hashArray, (byte) => byte.toString(16).padStart(2, "0")).join("");
@@ -63128,11 +63128,11 @@ function isValidUserToken(token) {
   return token.startsWith("agtuser_") && token.length > 10;
 }
 function isValidApiKey(key) {
-  return key.startsWith("agtbldr_") && key.length > 10;
+  return key.startsWith("agtbldr_") && key.length > 10 || key.startsWith("sak_live_") && key.length > 10;
 }
 async function signToken(payload, encryptionKey) {
-  const encoder = new TextEncoder();
-  const keyData = encoder.encode(encryptionKey);
+  const encoder2 = new TextEncoder();
+  const keyData = encoder2.encode(encryptionKey);
   const cryptoKey = await crypto.subtle.importKey(
     "raw",
     keyData,
@@ -63140,7 +63140,7 @@ async function signToken(payload, encryptionKey) {
     false,
     ["sign"]
   );
-  const payloadData = encoder.encode(payload);
+  const payloadData = encoder2.encode(payload);
   const signature = await crypto.subtle.sign("HMAC", cryptoKey, payloadData);
   const payloadB64 = bufferToBase64(new Uint8Array(payloadData));
   const signatureB64 = bufferToBase64(new Uint8Array(signature));
@@ -63153,8 +63153,8 @@ async function verifySignedToken(signedToken, encryptionKey) {
       return null;
     }
     const [payloadB64, signatureB64] = parts;
-    const encoder = new TextEncoder();
-    const keyData = encoder.encode(encryptionKey);
+    const encoder2 = new TextEncoder();
+    const keyData = encoder2.encode(encryptionKey);
     const cryptoKey = await crypto.subtle.importKey(
       "raw",
       keyData,
@@ -63168,8 +63168,8 @@ async function verifySignedToken(signedToken, encryptionKey) {
     if (!isValid) {
       return null;
     }
-    const decoder = new TextDecoder();
-    return decoder.decode(payloadData);
+    const decoder2 = new TextDecoder();
+    return decoder2.decode(payloadData);
   } catch (error) {
     console.error("Error verifying signed token:", error);
     return null;
@@ -63281,7 +63281,11 @@ async function authenticate(request, env2) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "session"
         };
@@ -63299,7 +63303,11 @@ async function authenticate(request, env2) {
           user: {
             id: user.id,
             username: user.username,
-            role: user.role
+            role: user.role,
+            platform_user_id: user.platform_user_id ?? null,
+            email: user.email ?? null,
+            display_name: user.display_name ?? null,
+            avatar_url: user.avatar_url ?? null
           },
           authType: "api_key"
         };
@@ -63335,88 +63343,6 @@ async function requireAdmin(request, env2) {
   return result;
 }
 
-// src/api/api-keys/index.get.ts
-var index_get_default = defineController2(async ({ req, env: env2 }) => {
-  try {
-    const authResult = await requireAuth(req, env2);
-    if (authResult instanceof Response) {
-      return authResult;
-    }
-    if (authResult.authType === "super_admin") {
-      return Response.json({ keys: [], message: "Super admin has no API keys. Create a user account to manage API keys." });
-    }
-    const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
-    const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
-    const keys = await agentBuilder.listApiKeys(authResult.user.id);
-    return Response.json({ keys });
-  } catch (error) {
-    console.error("List API keys error:", error);
-    return Response.json(
-      { error: error.message || "Failed to list API keys" },
-      { status: 500 }
-    );
-  }
-});
-
-// src/api/api-keys/index.post.ts
-var index_post_default2 = defineController2(async ({ req, env: env2 }) => {
-  try {
-    const authResult = await requireAuth(req, env2);
-    if (authResult instanceof Response) {
-      return authResult;
-    }
-    if (authResult.authType === "super_admin") {
-      return Response.json(
-        { error: "Super admin cannot create API keys. Please create a user account first." },
-        { status: 400 }
-      );
-    }
-    const body = await req.json();
-    const { name: name15 } = body;
-    if (!name15 || typeof name15 !== "string") {
-      return Response.json(
-        { error: "Name is required" },
-        { status: 400 }
-      );
-    }
-    if (name15.length < 1 || name15.length > 100) {
-      return Response.json(
-        { error: "Name must be between 1 and 100 characters" },
-        { status: 400 }
-      );
-    }
-    const apiKey = generateApiKey();
-    const keyHash = await hashToken(apiKey);
-    const keyPrefix = getTokenPrefix(apiKey);
-    const lastFive = getLastChars(apiKey, 5);
-    const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
-    const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
-    const id = await agentBuilder.createApiKey({
-      name: name15,
-      key_hash: keyHash,
-      key_prefix: keyPrefix,
-      last_five: lastFive,
-      user_id: authResult.user.id
-    });
-    const now = Math.floor(Date.now() / 1e3);
-    return Response.json({
-      key: apiKey,
-      // Only returned once on creation
-      id,
-      name: name15,
-      key_prefix: keyPrefix,
-      last_five: lastFive,
-      created_at: now
-    }, { status: 201 });
-  } catch (error) {
-    console.error("Create API key error:", error);
-    return Response.json(
-      { error: error.message || "Failed to create API key" },
-      { status: 500 }
-    );
-  }
-});
-
 // src/utils/platform-auth.ts
 var FALLBACK_PLATFORM_ORIGIN = "https://platform.standardagents.ai";
 var SESSION_TTL_SECONDS = 30 * 24 * 60 * 60;
@@ -63438,21 +63364,25 @@ function platformEndpoint(env2) {
   }
   return FALLBACK_PLATFORM_ORIGIN;
 }
+function hostedInstanceRedirectId(req, env2) {
+  const configured = env2.STANDARD_AGENTS_PROJECT_ID || env2.STANDARD_AGENTS_INSTANCE_ID || env2.STANDARD_AGENTS_INSTANCE_SUBDOMAIN;
+  if (typeof configured === "string" && configured.trim()) {
+    return configured.trim();
+  }
+  return new URL(req.url).hostname;
+}
+function platformLoginUrl(req, env2, returnTo) {
+  const url = new URL("/login", platformEndpoint(env2));
+  url.searchParams.set("redirect", hostedInstanceRedirectId(req, env2));
+  const reqUrl = new URL(req.url);
+  const next = returnTo && returnTo.startsWith("/") && !returnTo.startsWith("//") ? returnTo : `${reqUrl.pathname}${reqUrl.search}`;
+  url.searchParams.set("return_to", next || "/");
+  return url.toString();
+}
 function sanitizeUsername(input) {
   const normalized = input.trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 50);
   return normalized || "standard-agents";
 }
-async function fallbackAccountForToken(token) {
-  const tokenHash = await hashToken(token);
-  const suffix = tokenHash.slice(0, 12);
-  return {
-    id: `platform-token-${suffix}`,
-    name: "Standard Agents",
-    slug: `standard-agents-${suffix}`,
-    tier: void 0,
-    status: "token-present"
-  };
-}
 function normalizeAccount(payload) {
   const account = payload.account;
   if (!account) return null;
@@ -63486,21 +63416,70 @@ async function fetchPlatformAccount(endpoint, token) {
     return null;
   }
 }
+function normalizeLocalBootstrap(payload, endpoint) {
+  const projectId = typeof payload.project?.id === "string" ? payload.project.id : null;
+  const platformUserId = typeof payload.user?.platform_user_id === "string" ? payload.user.platform_user_id : typeof payload.user?.id === "string" ? payload.user.id : null;
+  const role = payload.user?.role === "user" ? "user" : payload.user?.role === "admin" ? "admin" : null;
+  if (!projectId || !platformUserId || !role) return null;
+  const username = typeof payload.user?.username === "string" && payload.user.username.trim() ? sanitizeUsername(payload.user.username) : sanitizeUsername(
+    typeof payload.user?.email === "string" && payload.user.email.includes("@") ? payload.user.email.split("@")[0] : `sa-${platformUserId.slice(0, 12)}`
+  );
+  const accountId = typeof payload.project?.account_id === "string" ? payload.project.account_id : projectId;
+  const accountSlug = typeof payload.project?.subdomain === "string" && payload.project.subdomain.trim() ? payload.project.subdomain.trim() : projectId;
+  return {
+    connected: true,
+    verified: true,
+    account: {
+      id: accountId,
+      name: accountSlug,
+      slug: accountSlug,
+      status: "active"
+    },
+    user: {
+      id: platformUserId,
+      username,
+      role,
+      email: typeof payload.user?.email === "string" ? payload.user.email : null,
+      display_name: typeof payload.user?.display_name === "string" ? payload.user.display_name : null,
+      avatar_url: typeof payload.user?.avatar_url === "string" ? payload.user.avatar_url : null,
+      source: "standard_agents"
+    },
+    platformEndpoint: endpoint
+  };
+}
+async function fetchLocalBootstrapIdentity(endpoint, token) {
+  const response = await fetch(`${endpoint}/auth/local-bootstrap`, {
+    headers: {
+      Authorization: `Bearer ${token}`
+    }
+  });
+  if (!response.ok) {
+    return null;
+  }
+  const data = await response.json().catch(() => null);
+  return data ? normalizeLocalBootstrap(data, endpoint) : null;
+}
 async function getPlatformIdentity(env2) {
   const token = platformApiKey(env2);
   if (!token) {
     return null;
   }
   const endpoint = platformEndpoint(env2);
+  const bootstrapIdentity = await fetchLocalBootstrapIdentity(endpoint, token).catch(() => null);
+  if (bootstrapIdentity) {
+    return bootstrapIdentity;
+  }
   const verifiedAccount = await fetchPlatformAccount(endpoint, token);
-  const account = verifiedAccount ?? await fallbackAccountForToken(token);
-  const username = sanitizeUsername(account.slug);
+  if (!verifiedAccount) {
+    return null;
+  }
+  const username = sanitizeUsername(verifiedAccount.slug);
   return {
     connected: true,
     verified: verifiedAccount !== null,
-    account,
+    account: verifiedAccount,
     user: {
-      id: account.id,
+      id: verifiedAccount.id,
       username,
       role: "admin",
       source: "standard_agents"
@@ -63508,21 +63487,21 @@ async function getPlatformIdentity(env2) {
     platformEndpoint: endpoint
   };
 }
-async function mintLocalSessionForPlatformUser(env2, platformUserId) {
+async function mintLocalSessionForPlatformUser(env2, platformUser) {
   const namespace = env2.AGENT_BUILDER;
   if (!namespace || typeof namespace.idFromName !== "function" || typeof namespace.get !== "function") {
     throw new Error("Server misconfigured: AGENT_BUILDER Durable Object binding is required for platform auth");
   }
   const agentBuilder = namespace.get(namespace.idFromName("singleton"));
-  const username = sanitizeUsername(`sa-${platformUserId}`);
-  let user = await agentBuilder.getUserByUsername(username);
-  if (!user) {
-    user = await agentBuilder.createUser({
-      username,
-      password_hash: await hashPassword(crypto.randomUUID()),
-      role: "admin"
-    });
-  }
+  const profile = typeof platformUser === "string" ? { platform_user_id: platformUser, username: `sa-${platformUser.slice(0, 12)}`, role: "admin" } : platformUser;
+  const user = await agentBuilder.upsertPlatformReplicaUser({
+    platform_user_id: profile.platform_user_id,
+    username: profile.username ?? null,
+    display_name: profile.display_name ?? null,
+    email: profile.email ?? null,
+    avatar_url: profile.avatar_url ?? null,
+    role: profile.role ?? "admin"
+  });
   const token = generateUserToken();
   const tokenHash = await hashToken(token);
   const expiresAt = Math.floor(Date.now() / 1e3) + SESSION_TTL_SECONDS;
@@ -63533,31 +63512,29 @@ async function createPlatformLocalSession(env2) {
   if (isPlatformHosted(env2)) {
     return null;
   }
-  const identity = await getPlatformIdentity(env2);
-  if (!identity) {
+  const apiKey = platformApiKey(env2);
+  if (!apiKey) {
     return null;
   }
+  const endpoint = platformEndpoint(env2);
+  const identity = await fetchLocalBootstrapIdentity(endpoint, apiKey).catch(() => null);
+  if (!identity) {
+    throw new Error("STANDARD_AGENTS_API_KEY could not be resolved to one active user-instance membership.");
+  }
   const agentBuilderNamespace = env2.AGENT_BUILDER;
   if (!agentBuilderNamespace || typeof agentBuilderNamespace.idFromName !== "function" || typeof agentBuilderNamespace.get !== "function") {
     throw new Error("Server misconfigured: AGENT_BUILDER Durable Object binding is required for platform auth");
   }
   const agentBuilderId = agentBuilderNamespace.idFromName("singleton");
   const agentBuilder = agentBuilderNamespace.get(agentBuilderId);
-  const username = identity.user.username;
-  let user = await agentBuilder.getUserByUsername(username);
-  if (!user) {
-    const legacyUsername = sanitizeUsername(`standard-agents-${identity.account.slug}`);
-    const legacyUser = legacyUsername !== username ? await agentBuilder.getUserByUsername(legacyUsername) : null;
-    if (legacyUser) {
-      user = await agentBuilder.updateUser(legacyUser.id, { username }) ?? legacyUser;
-    } else {
-      user = await agentBuilder.createUser({
-        username,
-        password_hash: await hashPassword(crypto.randomUUID()),
-        role: "admin"
-      });
-    }
-  }
+  const user = await agentBuilder.upsertPlatformReplicaUser({
+    platform_user_id: identity.user.id,
+    username: identity.user.username,
+    display_name: identity.user.display_name ?? null,
+    email: identity.user.email ?? null,
+    avatar_url: identity.user.avatar_url ?? null,
+    role: identity.user.role
+  });
   const token = generateUserToken();
   const tokenHash = await hashToken(token);
   const expiresAt = Math.floor(Date.now() / 1e3) + SESSION_TTL_SECONDS;
@@ -63577,6 +63554,94 @@ async function createPlatformLocalSession(env2) {
     platform: identity
   };
 }
+
+// src/api/api-keys/index.get.ts
+var index_get_default = defineController2(async ({ req, env: env2 }) => {
+  try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "API keys are managed in the Standard Agents platform." }, { status: 410 });
+    }
+    const authResult = await requireAuth(req, env2);
+    if (authResult instanceof Response) {
+      return authResult;
+    }
+    if (authResult.authType === "super_admin") {
+      return Response.json({ keys: [], message: "Super admin has no API keys. Create a user account to manage API keys." });
+    }
+    const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
+    const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
+    const keys = await agentBuilder.listApiKeys(authResult.user.id);
+    return Response.json({ keys });
+  } catch (error) {
+    console.error("List API keys error:", error);
+    return Response.json(
+      { error: error.message || "Failed to list API keys" },
+      { status: 500 }
+    );
+  }
+});
+
+// src/api/api-keys/index.post.ts
+var index_post_default2 = defineController2(async ({ req, env: env2 }) => {
+  try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "API keys are managed in the Standard Agents platform." }, { status: 410 });
+    }
+    const authResult = await requireAuth(req, env2);
+    if (authResult instanceof Response) {
+      return authResult;
+    }
+    if (authResult.authType === "super_admin") {
+      return Response.json(
+        { error: "Super admin cannot create API keys. Please create a user account first." },
+        { status: 400 }
+      );
+    }
+    const body = await req.json();
+    const { name: name15 } = body;
+    if (!name15 || typeof name15 !== "string") {
+      return Response.json(
+        { error: "Name is required" },
+        { status: 400 }
+      );
+    }
+    if (name15.length < 1 || name15.length > 100) {
+      return Response.json(
+        { error: "Name must be between 1 and 100 characters" },
+        { status: 400 }
+      );
+    }
+    const apiKey = generateApiKey();
+    const keyHash = await hashToken(apiKey);
+    const keyPrefix = getTokenPrefix(apiKey);
+    const lastFive = getLastChars(apiKey, 5);
+    const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
+    const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
+    const id = await agentBuilder.createApiKey({
+      name: name15,
+      key_hash: keyHash,
+      key_prefix: keyPrefix,
+      last_five: lastFive,
+      user_id: authResult.user.id
+    });
+    const now = Math.floor(Date.now() / 1e3);
+    return Response.json({
+      key: apiKey,
+      // Only returned once on creation
+      id,
+      name: name15,
+      key_prefix: keyPrefix,
+      last_five: lastFive,
+      created_at: now
+    }, { status: 201 });
+  } catch (error) {
+    console.error("Create API key error:", error);
+    return Response.json(
+      { error: error.message || "Failed to create API key" },
+      { status: 500 }
+    );
+  }
+});
 var STATE_RELATIVE_PATH = path5__default.join(".agents", "bootstrap-session.json");
 var PROJECT_ROOT_ENV_KEYS = ["INIT_CWD", "PWD", "npm_config_local_prefix"];
 function readEnvString(env2, key) {
@@ -64669,6 +64734,9 @@ var tools_get_default = defineController2(async ({ url, tools, prompts, promptNa
 // src/api/users/index.get.ts
 var index_get_default2 = defineController2(async ({ req, env: env2 }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "Users are managed in the Standard Agents platform." }, { status: 410 });
+    }
     const authResult = await requireAdmin(req, env2);
     if (authResult instanceof Response) {
       return authResult;
@@ -64700,6 +64768,9 @@ var index_get_default2 = defineController2(async ({ req, env: env2 }) => {
 var VALID_ROLES = ["admin", "user"];
 var index_post_default4 = defineController2(async ({ req, env: env2 }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "Users are managed in the Standard Agents platform." }, { status: 410 });
+    }
     const authResult = await requireAdmin(req, env2);
     if (authResult instanceof Response) {
       return authResult;
@@ -64883,6 +64954,9 @@ var name_get_default = defineController2(async ({ params, agents, prompts, promp
 // src/api/api-keys/[id].delete.ts
 var id_delete_default = defineController2(async ({ req, env: env2, params }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "API keys are managed in the Standard Agents platform." }, { status: 410 });
+    }
     const authResult = await requireAuth(req, env2);
     if (authResult instanceof Response) {
       return authResult;
@@ -65600,6 +65674,9 @@ var index_post_default6 = defineController2(async ({ req }) => {
 // src/api/users/[id].delete.ts
 var id_delete_default3 = defineController2(async ({ req, env: env2, params }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "Users are managed in the Standard Agents platform." }, { status: 410 });
+    }
     const authResult = await requireAdmin(req, env2);
     if (authResult instanceof Response) {
       return authResult;
@@ -65628,6 +65705,9 @@ var id_delete_default3 = defineController2(async ({ req, env: env2, params }) =>
 // src/api/users/[id].put.ts
 var id_put_default = defineController2(async ({ req, env: env2, params }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json({ error: "Users are managed in the Standard Agents platform." }, { status: 410 });
+    }
     const authResult = await requireAdmin(req, env2);
     if (authResult instanceof Response) {
       return authResult;
@@ -65661,7 +65741,7 @@ var id_put_default = defineController2(async ({ req, env: env2, params }) => {
       updateParams.password_hash = await hashPassword(password);
     }
     if (role) {
-      updateParams.role = role;
+      updateParams.role = role === "user" ? "user" : "admin";
     }
     const updatedUser = await agentBuilder.updateUser(id, updateParams);
     return Response.json({
@@ -65683,104 +65763,18 @@ var id_put_default = defineController2(async ({ req, env: env2, params }) => {
 });
 
 // src/api/auth/bootstrap.post.ts
-function deriveManagedUsername(platformUserId) {
-  return `sa-${platformUserId}`;
-}
-function uniqueEndpoints(preferred, candidates) {
-  return Array.from(new Set([preferred, ...candidates].filter(Boolean)));
-}
-var bootstrap_post_default = defineController2(async ({ req, env: env2 }) => {
+var bootstrap_post_default = defineController2(async ({ env: env2 }) => {
   try {
     const platformTokenSession = await createPlatformLocalSession(env2);
-    if (platformTokenSession) {
-      return Response.json(platformTokenSession);
+    if (!platformTokenSession) {
+      return new Response(null, { status: 204 });
     }
+    return Response.json(platformTokenSession);
   } catch (error) {
-    console.error("Platform auth bootstrap error:", error);
-    return Response.json(
-      { error: error instanceof Error ? error.message : "Failed to bootstrap platform auth" },
-      { status: 500 }
-    );
-  }
-  const bootstrap = findLocalBootstrapSession(void 0, env2);
-  const bootstrapState = bootstrap?.session;
-  if (!bootstrapState?.session_cookie) {
-    return new Response(null, { status: 204 });
+    const message = error instanceof Error ? error.message : "Failed to bootstrap platform auth";
+    const status = message.includes("STANDARD_AGENTS_API_KEY") ? 401 : 502;
+    return Response.json({ error: message }, { status });
   }
-  const endpoints = uniqueEndpoints(
-    bootstrapState.endpoint,
-    resolvePlatformEndpointCandidates(req, env2)
-  );
-  let platformUser = null;
-  for (const endpoint of endpoints) {
-    try {
-      const response = await fetch(`${endpoint}/auth/session`, {
-        method: "GET",
-        headers: {
-          Cookie: bootstrapState.session_cookie
-        }
-      });
-      if (response.status === 401) {
-        return Response.json(
-          { error: "Stored Standard Agents session is no longer valid. Run `agents login` again." },
-          { status: 401 }
-        );
-      }
-      if (!response.ok) {
-        continue;
-      }
-      const payload = await response.json().catch(() => ({}));
-      platformUser = payload.user ?? null;
-      break;
-    } catch {
-      continue;
-    }
-  }
-  const fallbackPlatformUserId = bootstrapState.user?.id;
-  const platformUserId = platformUser?.id ?? fallbackPlatformUserId;
-  if (!platformUserId) {
-    return Response.json(
-      { error: "Bad Gateway: platform API unreachable" },
-      { status: 502 }
-    );
-  }
-  const username = deriveManagedUsername(platformUserId);
-  if (!env2.AGENT_BUILDER || typeof env2.AGENT_BUILDER.idFromName !== "function") {
-    return Response.json(
-      { error: "Server misconfigured: AGENT_BUILDER Durable Object binding is required for platform auth" },
-      { status: 500 }
-    );
-  }
-  const agentBuilderId = env2.AGENT_BUILDER.idFromName("singleton");
-  const agentBuilder = env2.AGENT_BUILDER.get(agentBuilderId);
-  let user = await agentBuilder.getUserByUsername(username);
-  if (!user) {
-    user = await agentBuilder.createUser({
-      username,
-      password_hash: await hashPassword(crypto.randomUUID()),
-      role: "admin"
-    });
-  }
-  const token = generateUserToken();
-  const tokenHash = await hashToken(token);
-  const expiresAt = Math.floor(Date.now() / 1e3) + 30 * 24 * 60 * 60;
-  await agentBuilder.createSession({
-    user_id: user.id,
-    token_hash: tokenHash,
-    expires_at: expiresAt
-  });
-  return Response.json({
-    token,
-    user: {
-      id: user.id,
-      username: user.username,
-      role: user.role
-    },
-    platform_user: {
-      id: platformUserId,
-      email: platformUser?.email ?? bootstrapState.user?.email
-    }
-  });
 });
 
 // src/api/auth/config.get.ts
@@ -65791,7 +65785,7 @@ var config_get_default2 = defineController2(async ({ req, env: env2 }) => {
   const platformConnected = hasPlatformApiKey(env2) || !!findLocalBootstrapSession(void 0, env2);
   const localPassword = typeof env2.SUPER_ADMIN_PASSWORD === "string" && env2.SUPER_ADMIN_PASSWORD.length > 0;
   const hosted = isPlatformHosted(env2);
-  const standardAgentsLogin = hosted && typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" && env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() !== "";
+  const standardAgentsLogin = hosted;
   return {
     github: githubConfigured,
     google: googleConfigured,
@@ -65799,6 +65793,7 @@ var config_get_default2 = defineController2(async ({ req, env: env2 }) => {
     localPassword,
     hosted,
     standardAgentsLogin,
+    platformLoginUrl: hosted ? platformLoginUrl(req, env2, "/") : void 0,
     platformEndpoint: hasPlatformApiKey(env2) ? platformEndpoint(env2) : configuredPlatformEndpoint
   };
 });
@@ -65806,6 +65801,12 @@ var config_get_default2 = defineController2(async ({ req, env: env2 }) => {
 // src/api/auth/login.post.ts
 var login_post_default = defineController2(async ({ req, env: env2 }) => {
   try {
+    if (isPlatformHosted(env2)) {
+      return Response.json(
+        { error: "Hosted instances authenticate through the Standard Agents platform." },
+        { status: 404 }
+      );
+    }
     const body = await req.json();
     const { username, password } = body;
     if (!password) {
@@ -65931,6 +65932,100 @@ var me_get_default = defineController2(async ({ req, env: env2 }) => {
   }
 });
 
+// src/utils/platform-signed-payload.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+function base64UrlToBytes(value) {
+  const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - value.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+  return bytes;
+}
+function decodeJson(value) {
+  return JSON.parse(decoder.decode(base64UrlToBytes(value)));
+}
+function parsePublicJwk(value) {
+  if (typeof value !== "string" || !value.trim()) return null;
+  try {
+    const parsed = JSON.parse(value);
+    if (parsed.kty !== "EC" || parsed.crv !== "P-256" || !parsed.x || !parsed.y) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function importPublicKey(jwk) {
+  return crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+}
+async function verifyPlatformSignedPayload(token, publicJwkValue, options) {
+  const publicJwk = parsePublicJwk(publicJwkValue);
+  if (!publicJwk) return null;
+  const normalized = token.startsWith("sap_") ? token.slice(4) : token;
+  const parts = normalized.split(".");
+  if (parts.length !== 3) return null;
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  let payload;
+  try {
+    header = decodeJson(headerB64);
+    payload = decodeJson(payloadB64);
+  } catch {
+    return null;
+  }
+  if (header.alg !== "ES256" || payload.kind !== options.kind) return null;
+  if (options.projectId && payload.project_id !== options.projectId) return null;
+  if (typeof payload.exp !== "number" || payload.exp < Math.floor(Date.now() / 1e3)) {
+    return null;
+  }
+  const key = await importPublicKey(publicJwk);
+  const signed = encoder.encode(`${headerB64}.${payloadB64}`);
+  const signature = base64UrlToBytes(signatureB64);
+  const verified = await crypto.subtle.verify(
+    { name: "ECDSA", hash: "SHA-256" },
+    key,
+    signature,
+    signed
+  );
+  return verified ? payload : null;
+}
+
+// src/api/auth/platform-replica.post.ts
+var platform_replica_post_default = defineController2(async ({ req, env: env2 }) => {
+  const body = await req.json().catch(() => null);
+  const token = typeof body?.snapshot === "string" ? body.snapshot : req.headers.get("Authorization")?.startsWith("Bearer ") ? req.headers.get("Authorization").slice("Bearer ".length) : null;
+  if (!token) {
+    return Response.json({ error: "Missing replica snapshot" }, { status: 400 });
+  }
+  const payload = await verifyPlatformSignedPayload(
+    token,
+    env2.STANDARD_AGENTS_AUTH_PUBLIC_KEY_JWK ?? env2.STANDARD_AGENTS_AUTH_PUBLIC_KEY,
+    {
+      kind: "instance_snapshot",
+      projectId: typeof env2.STANDARD_AGENTS_PROJECT_ID === "string" ? env2.STANDARD_AGENTS_PROJECT_ID : void 0
+    }
+  );
+  if (!payload || !Array.isArray(payload.users)) {
+    return Response.json({ error: "Invalid replica snapshot" }, { status: 401 });
+  }
+  const agentBuilder = env2.AGENT_BUILDER.get(env2.AGENT_BUILDER.idFromName("singleton"));
+  const result = await agentBuilder.applyPlatformReplicaSnapshot({
+    users: payload.users,
+    api_keys: payload.api_keys ?? []
+  });
+  return Response.json({ ok: true, ...result });
+});
+
 // src/api/envs/_shared.ts
 function buildScopedEnvResponse(entries) {
   const variables = [...entries].sort((a, b) => a.name.localeCompare(b.name)).map((entry) => ({
@@ -66314,6 +66409,12 @@ var npm_token_status_get_default = defineController2(async ({ env: env2 }) => {
 
 // src/api/platform/[...path].ts
 var path_default = defineController2(async ({ req, params, env: env2, url }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json(
+      { error: "Platform proxy is disabled on hosted instances" },
+      { status: 410 }
+    );
+  }
   const endpoints = resolvePlatformEndpointCandidates(req, env2);
   const apiKey = env2.PLATFORM_API_KEY;
   if (endpoints.length === 0 || !apiKey) {
@@ -66353,7 +66454,7 @@ var path_default = defineController2(async ({ req, params, env: env2, url }) =>
 });
 
 // src/api/platform-auth/bootstrap.post.ts
-function uniqueEndpoints2(preferred, candidates) {
+function uniqueEndpoints(preferred, candidates) {
   return Array.from(new Set([preferred, ...candidates].filter((value) => Boolean(value))));
 }
 function buildSessionCookieHeader(req, sessionCookie) {
@@ -66367,6 +66468,12 @@ function buildSessionCookieHeader(req, sessionCookie) {
   return `${sessionCookie}; ${attributes.join("; ")}`;
 }
 var bootstrap_post_default2 = defineController2(async ({ req, env: env2 }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json(
+      { error: "Platform auth bridge is disabled on hosted instances" },
+      { status: 410 }
+    );
+  }
   const requestCookie = req.headers.get("Cookie")?.trim() || "";
   const configuredEndpoints = resolvePlatformEndpointCandidates(req, env2);
   let cookie = requestCookie;
@@ -66376,7 +66483,7 @@ var bootstrap_post_default2 = defineController2(async ({ req, env: env2 }) => {
     const bootstrap = findLocalBootstrapSession(void 0, env2)?.session;
     if (bootstrap?.session_cookie) {
       cookie = bootstrap.session_cookie;
-      endpoints = uniqueEndpoints2(bootstrap.endpoint, configuredEndpoints);
+      endpoints = uniqueEndpoints(bootstrap.endpoint, configuredEndpoints);
       bootstrappedFromProject = true;
     } else {
       const localSession = await createPlatformLocalSession(env2);
@@ -66437,6 +66544,12 @@ var bootstrap_post_default2 = defineController2(async ({ req, env: env2 }) => {
 
 // src/api/platform-auth/login.post.ts
 var login_post_default2 = defineController2(async ({ req, env: env2 }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json(
+      { error: "Platform auth bridge is disabled on hosted instances" },
+      { status: 410 }
+    );
+  }
   const endpoints = resolvePlatformEndpointCandidates(req, env2);
   if (endpoints.length === 0) {
     const localSession = await createPlatformLocalSession(env2);
@@ -66489,6 +66602,9 @@ var login_post_default2 = defineController2(async ({ req, env: env2 }) => {
 
 // src/api/platform-auth/logout.post.ts
 var logout_post_default2 = defineController2(async ({ req, env: env2 }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json({ success: true });
+  }
   const endpoints = resolvePlatformEndpointCandidates(req, env2);
   if (endpoints.length === 0) {
     return Response.json({ success: true });
@@ -66526,7 +66642,7 @@ var logout_post_default2 = defineController2(async ({ req, env: env2 }) => {
 });
 
 // src/api/platform-auth/me.get.ts
-function uniqueEndpoints3(preferred, candidates) {
+function uniqueEndpoints2(preferred, candidates) {
   return Array.from(new Set([preferred, ...candidates].filter((value) => Boolean(value))));
 }
 function buildSessionCookieHeader2(req, sessionCookie) {
@@ -66540,6 +66656,12 @@ function buildSessionCookieHeader2(req, sessionCookie) {
   return `${sessionCookie}; ${attributes.join("; ")}`;
 }
 var me_get_default2 = defineController2(async ({ req, env: env2 }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json(
+      { error: "Platform auth bridge is disabled on hosted instances" },
+      { status: 410 }
+    );
+  }
   const requestCookie = req.headers.get("Cookie")?.trim() || "";
   const configuredEndpoints = resolvePlatformEndpointCandidates(req, env2);
   let cookie = requestCookie;
@@ -66549,7 +66671,7 @@ var me_get_default2 = defineController2(async ({ req, env: env2 }) => {
     const bootstrap = findLocalBootstrapSession(void 0, env2)?.session;
     if (bootstrap?.session_cookie) {
       cookie = bootstrap.session_cookie;
-      endpoints = uniqueEndpoints3(bootstrap.endpoint, configuredEndpoints);
+      endpoints = uniqueEndpoints2(bootstrap.endpoint, configuredEndpoints);
       bootstrappedFromProject = true;
     } else {
       const identity = await getPlatformIdentity(env2);
@@ -66665,6 +66787,12 @@ async function proxyPlatformSessionRequest({
 
 // src/api/platform-session/[...path].ts
 var path_default2 = defineController2(async ({ req, params, env: env2, url }) => {
+  if (isPlatformHosted(env2)) {
+    return Response.json(
+      { error: "Platform session proxy is disabled on hosted instances" },
+      { status: 410 }
+    );
+  }
   if (!req.headers.get("Cookie") && hasPlatformApiKey(env2)) {
     return proxyPlatformSessionRequest({ req, params, env: env2 });
   }
@@ -68817,116 +68945,71 @@ var name_get_default7 = defineController2(async ({ params, url, prompts, agents,
 
 // src/api/auth/sa/callback.get.ts
 var SESSION_TTL_SECONDS2 = 30 * 24 * 60 * 60;
-function readNamedCookie(req, name15) {
-  const header = req.headers.get("Cookie");
-  if (!header) return null;
-  for (const part of header.split(";")) {
-    const eq = part.indexOf("=");
-    if (eq === -1) continue;
-    if (part.slice(0, eq).trim() === name15) return decodeURIComponent(part.slice(eq + 1).trim()) || null;
-  }
-  return null;
+function safeReturnTo(value) {
+  if (!value || !value.startsWith("/") || value.startsWith("//")) return "/";
+  return value;
 }
 function failRedirect(req, reason) {
   const origin = new URL(req.url).origin;
-  const headers = new Headers({ Location: `${origin}/login?sa_error=${encodeURIComponent(reason)}` });
-  headers.append("Set-Cookie", "sa_oauth=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0");
-  return new Response(null, { status: 302, headers });
+  return new Response(null, {
+    status: 302,
+    headers: { Location: `${origin}/login?sa_error=${encodeURIComponent(reason)}` }
+  });
 }
 var callback_get_default = defineController2(async ({ req, env: env2 }) => {
+  if (!isPlatformHosted(env2)) {
+    return failRedirect(req, "not_hosted");
+  }
   const url = new URL(req.url);
-  const code = url.searchParams.get("code");
-  const state = url.searchParams.get("state");
-  const stash = readNamedCookie(req, "sa_oauth");
-  if (!code || !state || !stash) {
+  const handoff = url.searchParams.get("handoff") || url.searchParams.get("token");
+  if (!handoff) {
     return failRedirect(req, "invalid_response");
   }
-  const sep = stash.indexOf(":");
-  const verifier = sep === -1 ? "" : stash.slice(0, sep);
-  const expectedState = sep === -1 ? "" : stash.slice(sep + 1);
-  if (!verifier || expectedState !== state) {
-    return failRedirect(req, "state_mismatch");
-  }
-  const clientId = typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" ? env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() : "";
-  if (!clientId) {
-    return failRedirect(req, "not_configured");
-  }
-  const endpoint = platformEndpoint(env2);
-  const redirectUri = `${url.origin}/api/auth/sa/callback`;
-  let platformUserId;
-  try {
-    const tokenRes = await fetch(`${endpoint}/oauth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        code_verifier: verifier
-      }).toString()
-    });
-    if (!tokenRes.ok) return failRedirect(req, "token_exchange_failed");
-    const tokenBody = await tokenRes.json().catch(() => ({}));
-    if (!tokenBody.access_token) return failRedirect(req, "token_exchange_failed");
-    const userRes = await fetch(`${endpoint}/oauth/userinfo`, {
-      headers: { Authorization: `Bearer ${tokenBody.access_token}` }
-    });
-    if (!userRes.ok) return failRedirect(req, "userinfo_failed");
-    const userinfo = await userRes.json().catch(() => ({}));
-    if (!userinfo.sub) return failRedirect(req, "userinfo_failed");
-    platformUserId = userinfo.sub;
-  } catch {
-    return failRedirect(req, "platform_unreachable");
-  }
-  const session = await mintLocalSessionForPlatformUser(env2, platformUserId);
-  const headers = new Headers({ Location: `${url.origin}/` });
-  headers.append("Set-Cookie", buildSessionCookie(req, session.token, SESSION_TTL_SECONDS2));
-  headers.append("Set-Cookie", "sa_oauth=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0");
-  return new Response(null, { status: 302, headers });
+  const configuredProjectId = typeof env2.STANDARD_AGENTS_PROJECT_ID === "string" ? env2.STANDARD_AGENTS_PROJECT_ID : void 0;
+  const payload = await verifyPlatformSignedPayload(
+    handoff,
+    env2.STANDARD_AGENTS_AUTH_PUBLIC_KEY_JWK ?? env2.STANDARD_AGENTS_AUTH_PUBLIC_KEY,
+    {
+      kind: "instance_handoff",
+      projectId: configuredProjectId
+    }
+  );
+  if (!payload || !payload.platform_user_id || !payload.role) {
+    return failRedirect(req, "forbidden");
+  }
+  if (!configuredProjectId && payload.project_id !== hostedInstanceRedirectId(req, env2)) {
+    return failRedirect(req, "forbidden");
+  }
+  const session = await mintLocalSessionForPlatformUser(env2, {
+    platform_user_id: payload.platform_user_id,
+    username: payload.username ?? null,
+    display_name: payload.display_name ?? null,
+    email: payload.email ?? null,
+    avatar_url: payload.avatar_url ?? null,
+    role: payload.role
+  });
+  const returnTo = safeReturnTo(url.searchParams.get("return_to"));
+  return new Response(null, {
+    status: 302,
+    headers: {
+      Location: `${url.origin}${returnTo}`,
+      "Set-Cookie": buildSessionCookie(req, session.token, SESSION_TTL_SECONDS2)
+    }
+  });
 });
 
 // src/api/auth/sa/start.get.ts
-function randomToken(bytesLength = 32) {
-  const bytes = new Uint8Array(bytesLength);
-  crypto.getRandomValues(bytes);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function base64Url(bytes) {
-  let binary = "";
-  for (const byte of new Uint8Array(bytes)) binary += String.fromCharCode(byte);
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-async function pkceChallenge(verifier) {
-  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
-  return base64Url(digest);
-}
 var start_get_default = defineController2(async ({ req, env: env2 }) => {
-  const clientId = typeof env2.STANDARD_AGENTS_OAUTH_CLIENT_ID === "string" ? env2.STANDARD_AGENTS_OAUTH_CLIENT_ID.trim() : "";
-  if (!clientId) {
-    return Response.json({ error: "Standard Agents login is not configured for this instance." }, { status: 400 });
+  if (!isPlatformHosted(env2)) {
+    return Response.json({ error: "Standard Agents hosted login is only available on deployed instances." }, { status: 404 });
   }
-  const verifier = randomToken(32);
-  const challenge = await pkceChallenge(verifier);
-  const state = randomToken(16);
-  const reqUrl = new URL(req.url);
-  const redirectUri = `${reqUrl.origin}/api/auth/sa/callback`;
-  const authorize = new URL(`${platformEndpoint(env2)}/oauth/authorize`);
-  authorize.searchParams.set("client_id", clientId);
-  authorize.searchParams.set("redirect_uri", redirectUri);
-  authorize.searchParams.set("code_challenge", challenge);
-  authorize.searchParams.set("code_challenge_method", "S256");
-  authorize.searchParams.set("state", state);
-  authorize.searchParams.set("scope", "openid profile email");
-  const attrs = ["Path=/", "HttpOnly", "SameSite=Lax", "Max-Age=600"];
-  try {
-    if (reqUrl.protocol === "https:") attrs.push("Secure");
-  } catch {
-  }
-  const oauthCookie = `sa_oauth=${encodeURIComponent(`${verifier}:${state}`)}; ${attrs.join("; ")}`;
+  const url = new URL(req.url);
+  const returnTo = url.searchParams.get("return_to") || "/";
   return new Response(null, {
     status: 302,
-    headers: { Location: authorize.toString(), "Set-Cookie": oauthCookie }
+    headers: {
+      Location: platformLoginUrl(req, env2, returnTo)
+    }
   });
 });
 
@@ -70027,6 +70110,7 @@ var routeHandlers = {
   "POST:/auth/login": login_post_default,
   "POST:/auth/logout": logout_post_default,
   "GET:/auth/me": me_get_default,
+  "POST:/auth/platform-replica": platform_replica_post_default,
   "GET:/envs/instance": instance_get_default,
   "PATCH:/envs/instance": instance_patch_default,
   "POST:/models/available": available_post_default,