@supaku/agentfactory-nextjs 0.4.6 → 0.4.8

package/dist/src/handlers/cleanup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cleanup.d.ts","sourceRoot":"","sources":["../../../src/handlers/cleanup.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAGvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAI7C,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU;oBAChB,WAAW;;;;;;;;;kBAgC2b,CAAC;wBAAkG,CAAC;;;;;;;mBAhC1iB,WAAW;;;;;;;;;kBAgC2b,CAAC;wBAAkG,CAAC;;;;;;;EADjlB"}
+{"version":3,"file":"cleanup.d.ts","sourceRoot":"","sources":["../../../src/handlers/cleanup.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAGvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAI7C,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU;oBAChB,WAAW;;;;;;;;;kBAgC0c,CAAC;wBAAkG,CAAC;;;;;;;mBAhCzjB,WAAW;;;;;;;;;kBAgC0c,CAAC;wBAAkG,CAAC;;;;;;;EADhmB"}

package/dist/src/middleware/factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/middleware/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AA0GlD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,4BAA4B,CAAC,UAAU,CAAC,EAAE,gBAAgB;0BAO3C,WAAW,KAAG,YAAY,GAAG,SAAS;;;;EA8GpE"}
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/middleware/factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AA0GlD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,4BAA4B,CAAC,UAAU,CAAC,EAAE,gBAAgB;0BAO3C,WAAW,KAAG,YAAY,GAAG,SAAS;;;;EAgHpE"}

package/dist/src/middleware/factory.js

@@ -103,9 +103,32 @@ export function createAgentFactoryMiddleware(userConfig) {
     function middleware(request) {
         const { pathname } = request.nextUrl;
         const clientIP = getClientIP(request.headers);
-        // === PUBLIC ROUTES ===
-        if (publicRoutes.some(route => pathname === route || pathname.startsWith(route))) {
-            const result = checkRateLimit('public', clientIP);
+        // === PROTECTED INTERNAL APIS (checked first — no rate limiting) ===
+        // Must come before public routes because '/' in publicRoutes would
+        // match all pathnames via startsWith, rate-limiting authenticated workers.
+        if (protectedRoutes.some(route => pathname.startsWith(route))) {
+            const workerApiKey = process.env.WORKER_API_KEY;
+            // In development without key, allow access
+            if (!workerApiKey && process.env.NODE_ENV !== 'production') {
+                return NextResponse.next();
+            }
+            if (!workerApiKey) {
+                console.error('WORKER_API_KEY not configured - blocking protected API access');
+                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+            }
+            const authHeader = request.headers.get('authorization');
+            if (!authHeader?.startsWith('Bearer ')) {
+                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+            }
+            const token = authHeader.slice(7);
+            if (!timingSafeEqual(token, workerApiKey)) {
+                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+            }
+            return NextResponse.next();
+        }
+        // === WEBHOOK ROUTE ===
+        if (pathname === webhookRoute) {
+            const result = checkRateLimit('webhook', clientIP);
             if (!result.allowed) {
                 return new NextResponse(JSON.stringify({ error: 'Too many requests' }), {
                     status: 429,
@@ -115,20 +138,19 @@ export function createAgentFactoryMiddleware(userConfig) {
                     },
                 });
             }
-            const response = NextResponse.next();
-            const rateLimitHeaders = buildRateLimitHeaders(result);
-            for (const [key, value] of Object.entries(rateLimitHeaders)) {
-                response.headers.set(key, value);
-            }
-            return response;
+            return NextResponse.next();
         }
         // === SESSION DETAIL PAGES ===
         if (sessionPages.some(route => pathname.startsWith(route))) {
             return NextResponse.next();
         }
-        // === WEBHOOK ROUTE ===
-        if (pathname === webhookRoute) {
-            const result = checkRateLimit('webhook', clientIP);
+        // === PASSTHROUGH ROUTES ===
+        if (passthroughRoutes.some(route => pathname === route || pathname.startsWith(route))) {
+            return NextResponse.next();
+        }
+        // === PUBLIC ROUTES (rate limited) ===
+        if (publicRoutes.some(route => pathname === route || pathname.startsWith(route))) {
+            const result = checkRateLimit('public', clientIP);
             if (!result.allowed) {
                 return new NextResponse(JSON.stringify({ error: 'Too many requests' }), {
                     status: 429,
@@ -138,32 +160,12 @@ export function createAgentFactoryMiddleware(userConfig) {
                     },
                 });
             }
-            return NextResponse.next();
-        }
-        // === PROTECTED INTERNAL APIS ===
-        if (protectedRoutes.some(route => pathname.startsWith(route))) {
-            const workerApiKey = process.env.WORKER_API_KEY;
-            // In development without key, allow access
-            if (!workerApiKey && process.env.NODE_ENV !== 'production') {
-                return NextResponse.next();
-            }
-            if (!workerApiKey) {
-                console.error('WORKER_API_KEY not configured - blocking protected API access');
-                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
-            }
-            const authHeader = request.headers.get('authorization');
-            if (!authHeader?.startsWith('Bearer ')) {
-                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
-            }
-            const token = authHeader.slice(7);
-            if (!timingSafeEqual(token, workerApiKey)) {
-                return new NextResponse(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
+            const response = NextResponse.next();
+            const rateLimitHeaders = buildRateLimitHeaders(result);
+            for (const [key, value] of Object.entries(rateLimitHeaders)) {
+                response.headers.set(key, value);
             }
-            return NextResponse.next();
-        }
-        // === PASSTHROUGH ROUTES ===
-        if (passthroughRoutes.some(route => pathname === route || pathname.startsWith(route))) {
-            return NextResponse.next();
+            return response;
         }
         // === ALL OTHER ROUTES ===
         return NextResponse.next();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supaku/agentfactory-nextjs",
-  "version": "0.4.6",
+  "version": "0.4.8",
   "type": "module",
   "description": "Next.js API route handlers for AgentFactory — webhook processor, worker/session management, public stats",
   "author": "Supaku (https://supaku.com)",
@@ -48,9 +48,9 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@supaku/agentfactory": "0.4.6",
-    "@supaku/agentfactory-server": "0.4.6",
-    "@supaku/agentfactory-linear": "0.4.6"
+    "@supaku/agentfactory-server": "0.4.8",
+    "@supaku/agentfactory": "0.4.8",
+    "@supaku/agentfactory-linear": "0.4.8"
   },
   "peerDependencies": {
     "next": ">=14.0.0"