npm - @voltagent/server-core - Versions diffs - 1.0.35 → 1.0.36 - Mend

@voltagent/server-core 1.0.35 → 1.0.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1795,10 +1795,14 @@ interface AuthProvider<TRequest = any> {
  * Default route configurations for authentication
  */
 /**
- * Routes that don't require authentication by default
- * These are typically used by VoltOps and management tools
+ * Routes that don't require authentication by default (legacy auth)
  */
+declare const DEFAULT_LEGACY_PUBLIC_ROUTES: string[];
 declare const DEFAULT_PUBLIC_ROUTES: string[];
+/**
+ * Routes that require console access when authNext is enabled
+ */
+declare const DEFAULT_CONSOLE_ROUTES: string[];
 /**
  * Routes that require authentication by default
  * These endpoints execute operations, modify state, or access sensitive data
@@ -1833,6 +1837,18 @@ declare function pathMatches(path: string, pattern: string): boolean;
  */
 declare function requiresAuth(method: string, path: string, publicRoutes?: string[], defaultPrivate?: boolean): boolean;
+type AuthNextAccess = "public" | "console" | "user";
+interface AuthNextRoutesConfig {
+    publicRoutes?: string[];
+    consoleRoutes?: string[];
+}
+interface AuthNextConfig<TRequest = any> extends AuthNextRoutesConfig {
+    provider: AuthProvider<TRequest>;
+}
+declare function isAuthNextConfig<TRequest>(value: AuthProvider<TRequest> | AuthNextConfig<TRequest>): value is AuthNextConfig<TRequest>;
+declare function normalizeAuthNextConfig<TRequest>(value: AuthProvider<TRequest> | AuthNextConfig<TRequest>): AuthNextConfig<TRequest>;
+declare function resolveAuthNextAccess<TRequest>(method: string, path: string, authNext: AuthNextConfig<TRequest> | AuthProvider<TRequest>): AuthNextAccess;
 /**
  * Authentication utility functions
  */
@@ -1879,6 +1895,9 @@ declare function isDevRequest(req: Request): boolean;
  * // Production with console key
  * NODE_ENV=production + x-console-access-key=valid-key → true
  *
+ * // Production with console key in query param
+ * NODE_ENV=production + ?key=valid-key → true
+ *
  * // Production without key
  * NODE_ENV=production + no key → false
  *
@@ -2243,19 +2262,19 @@ declare function createWebSocketRouter(): WebSocketRouter;
  * Create and configure a WebSocket server
  * @param deps Server provider dependencies
  * @param logger Logger instance
- * @param auth Optional authentication provider
+ * @param auth Optional authentication provider or authNext config
  * @returns Configured WebSocket server
  */
-declare function createWebSocketServer(deps: ServerProviderDeps, logger: Logger, _auth?: AuthProvider<any>): WebSocketServer;
+declare function createWebSocketServer(deps: ServerProviderDeps, logger: Logger, _auth?: AuthProvider<any> | AuthNextConfig<any>): WebSocketServer;
 /**
  * Setup WebSocket upgrade handler for HTTP server
  * @param server HTTP server instance
  * @param wss WebSocket server instance
  * @param pathPrefix Path prefix for WebSocket connections (default: "/ws")
- * @param auth Optional authentication provider
+ * @param auth Optional authentication provider or authNext config
  * @param logger Logger instance
  */
-declare function setupWebSocketUpgrade(server: any, wss: WebSocketServer, pathPrefix?: string, auth?: AuthProvider<any>, logger?: Logger): void;
+declare function setupWebSocketUpgrade(server: any, wss: WebSocketServer, pathPrefix?: string, auth?: AuthProvider<any> | AuthNextConfig<any>, logger?: Logger): void;
 /**
  * WebSocket handler for Observability events
@@ -2354,4 +2373,4 @@ declare abstract class BaseServerProvider implements IServerProvider {
     private collectFeatureEndpoints;
 }
-export { A2AServerLikeWithHandlers, type A2AServerLookupResult, AgentListSchema, AgentParamsSchema, AgentResponseSchema, ApiResponse, type AuthProvider, type BaseCustomEndpointDefinition, type BaseServerConfig, BaseServerProvider, BasicJsonSchema, type CLIAnnouncement, type CapabilityRecord, CustomEndpointError, type CustomEndpointHandler, DEFAULT_A2A_ROUTE_PREFIX, DEFAULT_A2A_WELL_KNOWN_PREFIX, DEFAULT_MCP_HTTP_SEGMENT, DEFAULT_MCP_MESSAGES_SEGMENT, DEFAULT_MCP_ROUTE_PREFIX, DEFAULT_MCP_SSE_SEGMENT, DEFAULT_PUBLIC_ROUTES, ErrorSchema, type FilterContext, GenerateOptionsSchema, HttpMethod, type IWebSocket, type JWTAuthOptions, type LogStreamClient, LogStreamManager, type MCPAgentMetadata, type MCPListedTool, type MCPServerCapabilitiesConfig, type MCPServerLike, type MCPServerMetadata, type MCPServerPackageInfo, type MCPServerRemoteInfo, type MCPToolMetadata, type MCPToolOrigin, type MCPWorkflowSummary, MCP_SESSION_QUERY_PARAM, type McpInvokeToolRequest, type McpInvokeToolResponse, type McpPromptDetailResponse, type McpPromptListResponse, type McpResourceDetailResponse, type McpResourceListResponse, type McpResourceTemplateListResponse, type McpRouteOptions, type McpRoutePaths, type McpServerDetailResponse, type McpServerListResponse, type McpServerLookupResult, McpSessionStore, type McpSetLogLevelRequest, type McpSetLogLevelResponse, type McpToolListResponse, ObjectRequestSchema, ObjectResponseSchema, PROTECTED_ROUTES, ParamsSchema, type PortConfig, type ProcessedAgentOptions, type ProtocolConfig, type ProtocolRecord, type ServerEndpointSummary, type ServerProviderConfig, type ServerStartupOptions, StreamObjectEventSchema, StreamTextEventSchema, SubAgentResponseSchema, TextRequestSchema, TextResponseSchema, type TriggerHandlerHttpResponse, type TriggerHttpRequestContext, type WebSocketAdapter, type WebSocketConnectionHandler, type WebSocketConnectionInfo, type WebSocketEventHandlers, type WebSocketMessage, WebSocketRouter, WorkflowCancelRequestSchema, WorkflowCancelResponseSchema, WorkflowExecutionParamsSchema, WorkflowExecutionRequestSchema, WorkflowExecutionResponseSchema, WorkflowListSchema, WorkflowParamsSchema, WorkflowResponseSchema, WorkflowResumeRequestSchema, WorkflowResumeResponseSchema, WorkflowStreamEventSchema, WorkflowSuspendRequestSchema, WorkflowSuspendResponseSchema, buildA2AEndpointPath, buildAgentCardPath, buildMcpRoutePaths, cleanupWebSockets, closeAllObservabilityConnections, colors, createJWT, createSSEHeaders, createSSEResponse, createSSEStream, createWebSocketRouter, createWebSocketServer, executeTriggerHandler, fetchAnnouncements, formatSSE, getLandingPageHTML, getLogsBySpanIdHandler, getLogsByTraceIdHandler, getObservabilityStatusHandler, getPortsToTry, getSpanByIdHandler, getTraceByIdHandler, getTracesHandler, handleCheckUpdates, handleExecuteTool, handleGetMcpPrompt, handleGetMcpResource, handleGetMcpServer, handleInstallUpdates, handleInvokeMcpServerTool, handleListMcpPrompts, handleListMcpResourceTemplates, handleListMcpResources, handleListMcpServerTools, handleListMcpServers, handleListTools, handleObservabilityConnection, handleSetMcpLogLevel, handleWebSocketConnection, hasConsoleAccess, isDevRequest, jwtAuth, listA2AServers, listMcpServers, lookupA2AServer, lookupMcpServer, pathMatches, portManager, preferredPorts, printAnnouncements, printServerStartup, processAgentOptions, processWorkflowOptions, queryLogsHandler, requiresAuth, setupObservabilityHandler, setupObservabilityListeners, setupWebSocketUpgrade, showAnnouncements, transformToSSE, validateBaseCustomEndpoint, validateEndpointMethod, validateEndpointPath };
+export { A2AServerLikeWithHandlers, type A2AServerLookupResult, AgentListSchema, AgentParamsSchema, AgentResponseSchema, ApiResponse, type AuthNextAccess, type AuthNextConfig, type AuthNextRoutesConfig, type AuthProvider, type BaseCustomEndpointDefinition, type BaseServerConfig, BaseServerProvider, BasicJsonSchema, type CLIAnnouncement, type CapabilityRecord, CustomEndpointError, type CustomEndpointHandler, DEFAULT_A2A_ROUTE_PREFIX, DEFAULT_A2A_WELL_KNOWN_PREFIX, DEFAULT_CONSOLE_ROUTES, DEFAULT_LEGACY_PUBLIC_ROUTES, DEFAULT_MCP_HTTP_SEGMENT, DEFAULT_MCP_MESSAGES_SEGMENT, DEFAULT_MCP_ROUTE_PREFIX, DEFAULT_MCP_SSE_SEGMENT, DEFAULT_PUBLIC_ROUTES, ErrorSchema, type FilterContext, GenerateOptionsSchema, HttpMethod, type IWebSocket, type JWTAuthOptions, type LogStreamClient, LogStreamManager, type MCPAgentMetadata, type MCPListedTool, type MCPServerCapabilitiesConfig, type MCPServerLike, type MCPServerMetadata, type MCPServerPackageInfo, type MCPServerRemoteInfo, type MCPToolMetadata, type MCPToolOrigin, type MCPWorkflowSummary, MCP_SESSION_QUERY_PARAM, type McpInvokeToolRequest, type McpInvokeToolResponse, type McpPromptDetailResponse, type McpPromptListResponse, type McpResourceDetailResponse, type McpResourceListResponse, type McpResourceTemplateListResponse, type McpRouteOptions, type McpRoutePaths, type McpServerDetailResponse, type McpServerListResponse, type McpServerLookupResult, McpSessionStore, type McpSetLogLevelRequest, type McpSetLogLevelResponse, type McpToolListResponse, ObjectRequestSchema, ObjectResponseSchema, PROTECTED_ROUTES, ParamsSchema, type PortConfig, type ProcessedAgentOptions, type ProtocolConfig, type ProtocolRecord, type ServerEndpointSummary, type ServerProviderConfig, type ServerStartupOptions, StreamObjectEventSchema, StreamTextEventSchema, SubAgentResponseSchema, TextRequestSchema, TextResponseSchema, type TriggerHandlerHttpResponse, type TriggerHttpRequestContext, type WebSocketAdapter, type WebSocketConnectionHandler, type WebSocketConnectionInfo, type WebSocketEventHandlers, type WebSocketMessage, WebSocketRouter, WorkflowCancelRequestSchema, WorkflowCancelResponseSchema, WorkflowExecutionParamsSchema, WorkflowExecutionRequestSchema, WorkflowExecutionResponseSchema, WorkflowListSchema, WorkflowParamsSchema, WorkflowResponseSchema, WorkflowResumeRequestSchema, WorkflowResumeResponseSchema, WorkflowStreamEventSchema, WorkflowSuspendRequestSchema, WorkflowSuspendResponseSchema, buildA2AEndpointPath, buildAgentCardPath, buildMcpRoutePaths, cleanupWebSockets, closeAllObservabilityConnections, colors, createJWT, createSSEHeaders, createSSEResponse, createSSEStream, createWebSocketRouter, createWebSocketServer, executeTriggerHandler, fetchAnnouncements, formatSSE, getLandingPageHTML, getLogsBySpanIdHandler, getLogsByTraceIdHandler, getObservabilityStatusHandler, getPortsToTry, getSpanByIdHandler, getTraceByIdHandler, getTracesHandler, handleCheckUpdates, handleExecuteTool, handleGetMcpPrompt, handleGetMcpResource, handleGetMcpServer, handleInstallUpdates, handleInvokeMcpServerTool, handleListMcpPrompts, handleListMcpResourceTemplates, handleListMcpResources, handleListMcpServerTools, handleListMcpServers, handleListTools, handleObservabilityConnection, handleSetMcpLogLevel, handleWebSocketConnection, hasConsoleAccess, isAuthNextConfig, isDevRequest, jwtAuth, listA2AServers, listMcpServers, lookupA2AServer, lookupMcpServer, normalizeAuthNextConfig, pathMatches, portManager, preferredPorts, printAnnouncements, printServerStartup, processAgentOptions, processWorkflowOptions, queryLogsHandler, requiresAuth, resolveAuthNextAccess, setupObservabilityHandler, setupObservabilityListeners, setupWebSocketUpgrade, showAnnouncements, transformToSSE, validateBaseCustomEndpoint, validateEndpointMethod, validateEndpointPath };

package/dist/index.d.ts CHANGED Viewed

@@ -1795,10 +1795,14 @@ interface AuthProvider<TRequest = any> {
  * Default route configurations for authentication
  */
 /**
- * Routes that don't require authentication by default
- * These are typically used by VoltOps and management tools
+ * Routes that don't require authentication by default (legacy auth)
  */
+declare const DEFAULT_LEGACY_PUBLIC_ROUTES: string[];
 declare const DEFAULT_PUBLIC_ROUTES: string[];
+/**
+ * Routes that require console access when authNext is enabled
+ */
+declare const DEFAULT_CONSOLE_ROUTES: string[];
 /**
  * Routes that require authentication by default
  * These endpoints execute operations, modify state, or access sensitive data
@@ -1833,6 +1837,18 @@ declare function pathMatches(path: string, pattern: string): boolean;
  */
 declare function requiresAuth(method: string, path: string, publicRoutes?: string[], defaultPrivate?: boolean): boolean;
+type AuthNextAccess = "public" | "console" | "user";
+interface AuthNextRoutesConfig {
+    publicRoutes?: string[];
+    consoleRoutes?: string[];
+}
+interface AuthNextConfig<TRequest = any> extends AuthNextRoutesConfig {
+    provider: AuthProvider<TRequest>;
+}
+declare function isAuthNextConfig<TRequest>(value: AuthProvider<TRequest> | AuthNextConfig<TRequest>): value is AuthNextConfig<TRequest>;
+declare function normalizeAuthNextConfig<TRequest>(value: AuthProvider<TRequest> | AuthNextConfig<TRequest>): AuthNextConfig<TRequest>;
+declare function resolveAuthNextAccess<TRequest>(method: string, path: string, authNext: AuthNextConfig<TRequest> | AuthProvider<TRequest>): AuthNextAccess;
 /**
  * Authentication utility functions
  */
@@ -1879,6 +1895,9 @@ declare function isDevRequest(req: Request): boolean;
  * // Production with console key
  * NODE_ENV=production + x-console-access-key=valid-key → true
  *
+ * // Production with console key in query param
+ * NODE_ENV=production + ?key=valid-key → true
+ *
  * // Production without key
  * NODE_ENV=production + no key → false
  *
@@ -2243,19 +2262,19 @@ declare function createWebSocketRouter(): WebSocketRouter;
  * Create and configure a WebSocket server
  * @param deps Server provider dependencies
  * @param logger Logger instance
- * @param auth Optional authentication provider
+ * @param auth Optional authentication provider or authNext config
  * @returns Configured WebSocket server
  */
-declare function createWebSocketServer(deps: ServerProviderDeps, logger: Logger, _auth?: AuthProvider<any>): WebSocketServer;
+declare function createWebSocketServer(deps: ServerProviderDeps, logger: Logger, _auth?: AuthProvider<any> | AuthNextConfig<any>): WebSocketServer;
 /**
  * Setup WebSocket upgrade handler for HTTP server
  * @param server HTTP server instance
  * @param wss WebSocket server instance
  * @param pathPrefix Path prefix for WebSocket connections (default: "/ws")
- * @param auth Optional authentication provider
+ * @param auth Optional authentication provider or authNext config
  * @param logger Logger instance
  */
-declare function setupWebSocketUpgrade(server: any, wss: WebSocketServer, pathPrefix?: string, auth?: AuthProvider<any>, logger?: Logger): void;
+declare function setupWebSocketUpgrade(server: any, wss: WebSocketServer, pathPrefix?: string, auth?: AuthProvider<any> | AuthNextConfig<any>, logger?: Logger): void;
 /**
  * WebSocket handler for Observability events
@@ -2354,4 +2373,4 @@ declare abstract class BaseServerProvider implements IServerProvider {
     private collectFeatureEndpoints;
 }
-export { A2AServerLikeWithHandlers, type A2AServerLookupResult, AgentListSchema, AgentParamsSchema, AgentResponseSchema, ApiResponse, type AuthProvider, type BaseCustomEndpointDefinition, type BaseServerConfig, BaseServerProvider, BasicJsonSchema, type CLIAnnouncement, type CapabilityRecord, CustomEndpointError, type CustomEndpointHandler, DEFAULT_A2A_ROUTE_PREFIX, DEFAULT_A2A_WELL_KNOWN_PREFIX, DEFAULT_MCP_HTTP_SEGMENT, DEFAULT_MCP_MESSAGES_SEGMENT, DEFAULT_MCP_ROUTE_PREFIX, DEFAULT_MCP_SSE_SEGMENT, DEFAULT_PUBLIC_ROUTES, ErrorSchema, type FilterContext, GenerateOptionsSchema, HttpMethod, type IWebSocket, type JWTAuthOptions, type LogStreamClient, LogStreamManager, type MCPAgentMetadata, type MCPListedTool, type MCPServerCapabilitiesConfig, type MCPServerLike, type MCPServerMetadata, type MCPServerPackageInfo, type MCPServerRemoteInfo, type MCPToolMetadata, type MCPToolOrigin, type MCPWorkflowSummary, MCP_SESSION_QUERY_PARAM, type McpInvokeToolRequest, type McpInvokeToolResponse, type McpPromptDetailResponse, type McpPromptListResponse, type McpResourceDetailResponse, type McpResourceListResponse, type McpResourceTemplateListResponse, type McpRouteOptions, type McpRoutePaths, type McpServerDetailResponse, type McpServerListResponse, type McpServerLookupResult, McpSessionStore, type McpSetLogLevelRequest, type McpSetLogLevelResponse, type McpToolListResponse, ObjectRequestSchema, ObjectResponseSchema, PROTECTED_ROUTES, ParamsSchema, type PortConfig, type ProcessedAgentOptions, type ProtocolConfig, type ProtocolRecord, type ServerEndpointSummary, type ServerProviderConfig, type ServerStartupOptions, StreamObjectEventSchema, StreamTextEventSchema, SubAgentResponseSchema, TextRequestSchema, TextResponseSchema, type TriggerHandlerHttpResponse, type TriggerHttpRequestContext, type WebSocketAdapter, type WebSocketConnectionHandler, type WebSocketConnectionInfo, type WebSocketEventHandlers, type WebSocketMessage, WebSocketRouter, WorkflowCancelRequestSchema, WorkflowCancelResponseSchema, WorkflowExecutionParamsSchema, WorkflowExecutionRequestSchema, WorkflowExecutionResponseSchema, WorkflowListSchema, WorkflowParamsSchema, WorkflowResponseSchema, WorkflowResumeRequestSchema, WorkflowResumeResponseSchema, WorkflowStreamEventSchema, WorkflowSuspendRequestSchema, WorkflowSuspendResponseSchema, buildA2AEndpointPath, buildAgentCardPath, buildMcpRoutePaths, cleanupWebSockets, closeAllObservabilityConnections, colors, createJWT, createSSEHeaders, createSSEResponse, createSSEStream, createWebSocketRouter, createWebSocketServer, executeTriggerHandler, fetchAnnouncements, formatSSE, getLandingPageHTML, getLogsBySpanIdHandler, getLogsByTraceIdHandler, getObservabilityStatusHandler, getPortsToTry, getSpanByIdHandler, getTraceByIdHandler, getTracesHandler, handleCheckUpdates, handleExecuteTool, handleGetMcpPrompt, handleGetMcpResource, handleGetMcpServer, handleInstallUpdates, handleInvokeMcpServerTool, handleListMcpPrompts, handleListMcpResourceTemplates, handleListMcpResources, handleListMcpServerTools, handleListMcpServers, handleListTools, handleObservabilityConnection, handleSetMcpLogLevel, handleWebSocketConnection, hasConsoleAccess, isDevRequest, jwtAuth, listA2AServers, listMcpServers, lookupA2AServer, lookupMcpServer, pathMatches, portManager, preferredPorts, printAnnouncements, printServerStartup, processAgentOptions, processWorkflowOptions, queryLogsHandler, requiresAuth, setupObservabilityHandler, setupObservabilityListeners, setupWebSocketUpgrade, showAnnouncements, transformToSSE, validateBaseCustomEndpoint, validateEndpointMethod, validateEndpointPath };
+export { A2AServerLikeWithHandlers, type A2AServerLookupResult, AgentListSchema, AgentParamsSchema, AgentResponseSchema, ApiResponse, type AuthNextAccess, type AuthNextConfig, type AuthNextRoutesConfig, type AuthProvider, type BaseCustomEndpointDefinition, type BaseServerConfig, BaseServerProvider, BasicJsonSchema, type CLIAnnouncement, type CapabilityRecord, CustomEndpointError, type CustomEndpointHandler, DEFAULT_A2A_ROUTE_PREFIX, DEFAULT_A2A_WELL_KNOWN_PREFIX, DEFAULT_CONSOLE_ROUTES, DEFAULT_LEGACY_PUBLIC_ROUTES, DEFAULT_MCP_HTTP_SEGMENT, DEFAULT_MCP_MESSAGES_SEGMENT, DEFAULT_MCP_ROUTE_PREFIX, DEFAULT_MCP_SSE_SEGMENT, DEFAULT_PUBLIC_ROUTES, ErrorSchema, type FilterContext, GenerateOptionsSchema, HttpMethod, type IWebSocket, type JWTAuthOptions, type LogStreamClient, LogStreamManager, type MCPAgentMetadata, type MCPListedTool, type MCPServerCapabilitiesConfig, type MCPServerLike, type MCPServerMetadata, type MCPServerPackageInfo, type MCPServerRemoteInfo, type MCPToolMetadata, type MCPToolOrigin, type MCPWorkflowSummary, MCP_SESSION_QUERY_PARAM, type McpInvokeToolRequest, type McpInvokeToolResponse, type McpPromptDetailResponse, type McpPromptListResponse, type McpResourceDetailResponse, type McpResourceListResponse, type McpResourceTemplateListResponse, type McpRouteOptions, type McpRoutePaths, type McpServerDetailResponse, type McpServerListResponse, type McpServerLookupResult, McpSessionStore, type McpSetLogLevelRequest, type McpSetLogLevelResponse, type McpToolListResponse, ObjectRequestSchema, ObjectResponseSchema, PROTECTED_ROUTES, ParamsSchema, type PortConfig, type ProcessedAgentOptions, type ProtocolConfig, type ProtocolRecord, type ServerEndpointSummary, type ServerProviderConfig, type ServerStartupOptions, StreamObjectEventSchema, StreamTextEventSchema, SubAgentResponseSchema, TextRequestSchema, TextResponseSchema, type TriggerHandlerHttpResponse, type TriggerHttpRequestContext, type WebSocketAdapter, type WebSocketConnectionHandler, type WebSocketConnectionInfo, type WebSocketEventHandlers, type WebSocketMessage, WebSocketRouter, WorkflowCancelRequestSchema, WorkflowCancelResponseSchema, WorkflowExecutionParamsSchema, WorkflowExecutionRequestSchema, WorkflowExecutionResponseSchema, WorkflowListSchema, WorkflowParamsSchema, WorkflowResponseSchema, WorkflowResumeRequestSchema, WorkflowResumeResponseSchema, WorkflowStreamEventSchema, WorkflowSuspendRequestSchema, WorkflowSuspendResponseSchema, buildA2AEndpointPath, buildAgentCardPath, buildMcpRoutePaths, cleanupWebSockets, closeAllObservabilityConnections, colors, createJWT, createSSEHeaders, createSSEResponse, createSSEStream, createWebSocketRouter, createWebSocketServer, executeTriggerHandler, fetchAnnouncements, formatSSE, getLandingPageHTML, getLogsBySpanIdHandler, getLogsByTraceIdHandler, getObservabilityStatusHandler, getPortsToTry, getSpanByIdHandler, getTraceByIdHandler, getTracesHandler, handleCheckUpdates, handleExecuteTool, handleGetMcpPrompt, handleGetMcpResource, handleGetMcpServer, handleInstallUpdates, handleInvokeMcpServerTool, handleListMcpPrompts, handleListMcpResourceTemplates, handleListMcpResources, handleListMcpServerTools, handleListMcpServers, handleListTools, handleObservabilityConnection, handleSetMcpLogLevel, handleWebSocketConnection, hasConsoleAccess, isAuthNextConfig, isDevRequest, jwtAuth, listA2AServers, listMcpServers, lookupA2AServer, lookupMcpServer, normalizeAuthNextConfig, pathMatches, portManager, preferredPorts, printAnnouncements, printServerStartup, processAgentOptions, processWorkflowOptions, queryLogsHandler, requiresAuth, resolveAuthNextAccess, setupObservabilityHandler, setupObservabilityListeners, setupWebSocketUpgrade, showAnnouncements, transformToSSE, validateBaseCustomEndpoint, validateEndpointMethod, validateEndpointPath };

package/dist/index.js CHANGED Viewed

@@ -43,7 +43,9 @@ __export(index_exports, {
   CustomEndpointError: () => CustomEndpointError,
   DEFAULT_A2A_ROUTE_PREFIX: () => DEFAULT_A2A_ROUTE_PREFIX,
   DEFAULT_A2A_WELL_KNOWN_PREFIX: () => DEFAULT_A2A_WELL_KNOWN_PREFIX,
+  DEFAULT_CONSOLE_ROUTES: () => DEFAULT_CONSOLE_ROUTES,
   DEFAULT_CORS_OPTIONS: () => DEFAULT_CORS_OPTIONS,
+  DEFAULT_LEGACY_PUBLIC_ROUTES: () => DEFAULT_LEGACY_PUBLIC_ROUTES,
   DEFAULT_MCP_HTTP_SEGMENT: () => DEFAULT_MCP_HTTP_SEGMENT,
   DEFAULT_MCP_MESSAGES_SEGMENT: () => DEFAULT_MCP_MESSAGES_SEGMENT,
   DEFAULT_MCP_ROUTE_PREFIX: () => DEFAULT_MCP_ROUTE_PREFIX,
@@ -152,6 +154,7 @@ __export(index_exports, {
   handleSuspendWorkflow: () => handleSuspendWorkflow,
   handleWebSocketConnection: () => handleWebSocketConnection,
   hasConsoleAccess: () => hasConsoleAccess,
+  isAuthNextConfig: () => isAuthNextConfig,
   isDevRequest: () => isDevRequest,
   isErrorResponse: () => isErrorResponse,
   isJsonRpcRequest: () => isJsonRpcRequest,
@@ -165,6 +168,7 @@ __export(index_exports, {
   lookupMcpServer: () => lookupMcpServer,
   mapHandlerResponse: () => mapHandlerResponse,
   mapLogResponse: () => mapLogResponse,
+  normalizeAuthNextConfig: () => normalizeAuthNextConfig,
   normalizeError: () => normalizeError,
   parseJsonRpcRequest: () => parseJsonRpcRequest,
   pathMatches: () => pathMatches,
@@ -177,6 +181,7 @@ __export(index_exports, {
   queryLogsHandler: () => queryLogsHandler,
   requiresAuth: () => requiresAuth,
   resolveAgentCard: () => resolveAgentCard,
+  resolveAuthNextAccess: () => resolveAuthNextAccess,
   setupObservabilityHandler: () => setupObservabilityHandler,
   setupObservabilityListeners: () => setupObservabilityListeners,
   setupWebSocketUpgrade: () => setupWebSocketUpgrade,
@@ -4066,7 +4071,7 @@ VOLTAGENT_SECRET_KEY=${secretKey}
 __name(setupObservabilityHandler, "setupObservabilityHandler");
 // src/auth/defaults.ts
-var DEFAULT_PUBLIC_ROUTES = [
+var DEFAULT_LEGACY_PUBLIC_ROUTES = [
   // Agent management endpoints (VoltOps uses these)
   "GET /agents",
   // List all agents
@@ -4094,6 +4099,47 @@ var DEFAULT_PUBLIC_ROUTES = [
   // A2A (agent-to-agent discovery)
   "GET /agents/:id/card"
 ];
+var DEFAULT_PUBLIC_ROUTES = DEFAULT_LEGACY_PUBLIC_ROUTES;
+var DEFAULT_CONSOLE_ROUTES = [
+  // Agent management endpoints (VoltOps uses these)
+  "GET /agents",
+  // List all agents
+  "GET /agents/:id",
+  // Get agent details
+  // Workflow management endpoints
+  "GET /workflows",
+  // List all workflows
+  "GET /workflows/:id",
+  // Get workflow details
+  // Tool management endpoints
+  "GET /tools",
+  // List all tools
+  // API documentation
+  "GET /doc",
+  // OpenAPI spec
+  "GET /ui",
+  // Swagger UI
+  "GET /",
+  // Landing page
+  // MCP (public discovery)
+  "GET /mcp/servers",
+  "GET /mcp/servers/:serverId",
+  "GET /mcp/servers/:serverId/tools",
+  // A2A (agent-to-agent discovery)
+  "GET /agents/:id/card",
+  "GET /agents/:id/history",
+  "GET /workflows/executions",
+  "GET /workflows/:id/executions/:executionId/state",
+  "GET /api/logs",
+  "POST /setup-observability",
+  "/observability/*",
+  "GET /updates",
+  "POST /updates",
+  "POST /updates/:packageName",
+  "WS /ws",
+  "WS /ws/logs",
+  "WS /ws/observability/**"
+];
 var PROTECTED_ROUTES = [
   // ========================================
   // AGENT EXECUTION (User Data)
@@ -4183,7 +4229,7 @@ function pathMatches(path2, pattern) {
 }
 __name(pathMatches, "pathMatches");
 function requiresAuth(method, path2, publicRoutes, defaultPrivate) {
-  for (const publicRoute of DEFAULT_PUBLIC_ROUTES) {
+  for (const publicRoute of DEFAULT_LEGACY_PUBLIC_ROUTES) {
     if (publicRoute.includes(" ")) {
       const [routeMethod, routePath] = publicRoute.split(" ");
       if (method.toUpperCase() === routeMethod && pathMatches(path2, routePath)) {
@@ -4226,6 +4272,48 @@ function requiresAuth(method, path2, publicRoutes, defaultPrivate) {
 }
 __name(requiresAuth, "requiresAuth");
+// src/auth/next.ts
+function isAuthNextConfig(value) {
+  return typeof value.provider !== "undefined";
+}
+__name(isAuthNextConfig, "isAuthNextConfig");
+function normalizeAuthNextConfig(value) {
+  return isAuthNextConfig(value) ? value : { provider: value };
+}
+__name(normalizeAuthNextConfig, "normalizeAuthNextConfig");
+function routeMatches(method, path2, routePattern) {
+  const parts = routePattern.split(" ");
+  if (parts.length === 2) {
+    const [routeMethod, routePath] = parts;
+    if (method.toUpperCase() !== routeMethod.toUpperCase()) {
+      return false;
+    }
+    return pathMatches(path2, routePath);
+  }
+  return pathMatches(path2, routePattern);
+}
+__name(routeMatches, "routeMatches");
+function matchesAnyRoute(method, path2, routes) {
+  if (!routes || routes.length === 0) {
+    return false;
+  }
+  return routes.some((route) => routeMatches(method, path2, route));
+}
+__name(matchesAnyRoute, "matchesAnyRoute");
+function resolveAuthNextAccess(method, path2, authNext) {
+  const config = normalizeAuthNextConfig(authNext);
+  const publicRoutes = [...config.publicRoutes ?? [], ...config.provider.publicRoutes ?? []];
+  if (matchesAnyRoute(method, path2, publicRoutes)) {
+    return "public";
+  }
+  const consoleRoutes = config.consoleRoutes ?? DEFAULT_CONSOLE_ROUTES;
+  if (matchesAnyRoute(method, path2, consoleRoutes)) {
+    return "console";
+  }
+  return "user";
+}
+__name(resolveAuthNextAccess, "resolveAuthNextAccess");
 // src/auth/utils.ts
 function isDevRequest(req) {
   const hasDevHeader = req.headers.get("x-voltagent-dev") === "true";
@@ -4238,8 +4326,10 @@ function hasConsoleAccess(req) {
     return true;
   }
   const consoleKey = req.headers.get("x-console-access-key");
+  const url = new URL(req.url, "http://localhost");
+  const queryKey = url.searchParams.get("key");
   const configuredKey = process.env.VOLTAGENT_CONSOLE_ACCESS_KEY;
-  if (configuredKey && consoleKey === configuredKey) {
+  if (configuredKey && (consoleKey === configuredKey || queryKey === configuredKey)) {
     return true;
   }
   return false;
@@ -5198,13 +5288,16 @@ function isDevWebSocketRequest(req) {
   return hasDevHeader && isDevEnv;
 }
 __name(isDevWebSocketRequest, "isDevWebSocketRequest");
-function hasWebSocketConsoleAccess(req) {
-  const url = new URL(req.url || "", `http://${req.headers.host || "localhost"}`);
+function isWebSocketDevBypass(req, url) {
   if (isDevWebSocketRequest(req)) {
     return true;
   }
   const devParam = url.searchParams.get("dev");
-  if (devParam === "true" && process.env.NODE_ENV !== "production") {
+  return devParam === "true" && process.env.NODE_ENV !== "production";
+}
+__name(isWebSocketDevBypass, "isWebSocketDevBypass");
+function hasWebSocketConsoleAccess(req, url) {
+  if (isWebSocketDevBypass(req, url)) {
     return true;
   }
   const configuredKey = process.env.VOLTAGENT_CONSOLE_ACCESS_KEY;
@@ -5237,26 +5330,34 @@ function setupWebSocketUpgrade(server, wss, pathPrefix = "/ws", auth, logger) {
       let user = null;
       if (auth) {
         try {
-          if (path2.includes("/observability")) {
-            const hasAccess = hasWebSocketConsoleAccess(req);
-            if (!hasAccess) {
-              logger?.debug("[WebSocket] Unauthorized observability connection attempt");
-              socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
-              socket.destroy();
-              return;
-            }
-            user = { id: "console", type: "console-access" };
-          } else {
-            const hasConsoleAccess2 = hasWebSocketConsoleAccess(req);
-            if (hasConsoleAccess2) {
+          if (isAuthNextConfig(auth)) {
+            const config = normalizeAuthNextConfig(auth);
+            const provider = config.provider;
+            const access = resolveAuthNextAccess("WS", path2, config);
+            if (access === "public") {
+              const token = url.searchParams.get("token");
+              if (token) {
+                try {
+                  user = await provider.verifyToken(token);
+                } catch {
+                }
+              }
+            } else if (access === "console") {
+              const hasAccess = hasWebSocketConsoleAccess(req, url);
+              if (!hasAccess) {
+                logger?.debug("[WebSocket] Unauthorized console connection attempt");
+                socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+                socket.destroy();
+                return;
+              }
               user = { id: "console", type: "console-access" };
             } else {
-              const needsAuth = requiresAuth("WS", path2, auth.publicRoutes, auth.defaultPrivate);
-              if (needsAuth) {
+              if (isWebSocketDevBypass(req, url)) {
+              } else {
                 const token = url.searchParams.get("token");
                 if (token) {
                   try {
-                    user = await auth.verifyToken(token);
+                    user = await provider.verifyToken(token);
                   } catch (error) {
                     logger?.debug("[WebSocket] Token verification failed:", { error });
                     socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
@@ -5269,12 +5370,48 @@ function setupWebSocketUpgrade(server, wss, pathPrefix = "/ws", auth, logger) {
                   socket.destroy();
                   return;
                 }
+              }
+            }
+          } else {
+            if (path2.includes("/observability")) {
+              const hasAccess = hasWebSocketConsoleAccess(req, url);
+              if (!hasAccess) {
+                logger?.debug("[WebSocket] Unauthorized observability connection attempt");
+                socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+                socket.destroy();
+                return;
+              }
+              user = { id: "console", type: "console-access" };
+            } else {
+              const hasConsoleAccess2 = hasWebSocketConsoleAccess(req, url);
+              if (hasConsoleAccess2) {
+                user = { id: "console", type: "console-access" };
               } else {
-                const token = url.searchParams.get("token");
-                if (token) {
-                  try {
-                    user = await auth.verifyToken(token);
-                  } catch {
+                const needsAuth = requiresAuth("WS", path2, auth.publicRoutes, auth.defaultPrivate);
+                if (needsAuth) {
+                  const token = url.searchParams.get("token");
+                  if (token) {
+                    try {
+                      user = await auth.verifyToken(token);
+                    } catch (error) {
+                      logger?.debug("[WebSocket] Token verification failed:", { error });
+                      socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+                      socket.destroy();
+                      return;
+                    }
+                  } else {
+                    logger?.debug("[WebSocket] No token provided for protected WebSocket");
+                    socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+                    socket.destroy();
+                    return;
+                  }
+                } else {
+                  const token = url.searchParams.get("token");
+                  if (token) {
+                    try {
+                      user = await auth.verifyToken(token);
+                    } catch {
+                    }
                   }
                 }
               }
@@ -5534,7 +5671,9 @@ var DEFAULT_CORS_OPTIONS = {
   CustomEndpointError,
   DEFAULT_A2A_ROUTE_PREFIX,
   DEFAULT_A2A_WELL_KNOWN_PREFIX,
+  DEFAULT_CONSOLE_ROUTES,
   DEFAULT_CORS_OPTIONS,
+  DEFAULT_LEGACY_PUBLIC_ROUTES,
   DEFAULT_MCP_HTTP_SEGMENT,
   DEFAULT_MCP_MESSAGES_SEGMENT,
   DEFAULT_MCP_ROUTE_PREFIX,
@@ -5643,6 +5782,7 @@ var DEFAULT_CORS_OPTIONS = {
   handleSuspendWorkflow,
   handleWebSocketConnection,
   hasConsoleAccess,
+  isAuthNextConfig,
   isDevRequest,
   isErrorResponse,
   isJsonRpcRequest,
@@ -5656,6 +5796,7 @@ var DEFAULT_CORS_OPTIONS = {
   lookupMcpServer,
   mapHandlerResponse,
   mapLogResponse,
+  normalizeAuthNextConfig,
   normalizeError,
   parseJsonRpcRequest,
   pathMatches,
@@ -5668,6 +5809,7 @@ var DEFAULT_CORS_OPTIONS = {
   queryLogsHandler,
   requiresAuth,
   resolveAgentCard,
+  resolveAuthNextAccess,
   setupObservabilityHandler,
   setupObservabilityListeners,
   setupWebSocketUpgrade,