agents 0.3.10 → 0.4.1

package/dist/do-oauth-client-provider-BqnOQzjy.d.ts

@@ -1,70 +0,0 @@
-import { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
-import {
-  OAuthClientInformation,
-  OAuthClientInformationFull,
-  OAuthClientMetadata,
-  OAuthTokens
-} from "@modelcontextprotocol/sdk/shared/auth.js";
-
-//#region src/mcp/do-oauth-client-provider.d.ts
-interface AgentsOAuthProvider extends OAuthClientProvider {
-  authUrl: string | undefined;
-  clientId: string | undefined;
-  serverId: string | undefined;
-  checkState(state: string): Promise<{
-    valid: boolean;
-    serverId?: string;
-    error?: string;
-  }>;
-  consumeState(state: string): Promise<void>;
-  deleteCodeVerifier(): Promise<void>;
-}
-declare class DurableObjectOAuthClientProvider implements AgentsOAuthProvider {
-  storage: DurableObjectStorage;
-  clientName: string;
-  baseRedirectUrl: string;
-  private _authUrl_;
-  private _serverId_;
-  private _clientId_;
-  constructor(
-    storage: DurableObjectStorage,
-    clientName: string,
-    baseRedirectUrl: string
-  );
-  get clientMetadata(): OAuthClientMetadata;
-  get clientUri(): string;
-  get redirectUrl(): string;
-  get clientId(): string;
-  set clientId(clientId_: string);
-  get serverId(): string;
-  set serverId(serverId_: string);
-  keyPrefix(clientId: string): string;
-  clientInfoKey(clientId: string): string;
-  clientInformation(): Promise<OAuthClientInformation | undefined>;
-  saveClientInformation(
-    clientInformation: OAuthClientInformationFull
-  ): Promise<void>;
-  tokenKey(clientId: string): string;
-  tokens(): Promise<OAuthTokens | undefined>;
-  saveTokens(tokens: OAuthTokens): Promise<void>;
-  get authUrl(): string | undefined;
-  stateKey(nonce: string): string;
-  state(): Promise<string>;
-  checkState(state: string): Promise<{
-    valid: boolean;
-    serverId?: string;
-    error?: string;
-  }>;
-  consumeState(state: string): Promise<void>;
-  redirectToAuthorization(authUrl: URL): Promise<void>;
-  invalidateCredentials(
-    scope: "all" | "client" | "tokens" | "verifier"
-  ): Promise<void>;
-  codeVerifierKey(clientId: string): string;
-  saveCodeVerifier(verifier: string): Promise<void>;
-  codeVerifier(): Promise<string>;
-  deleteCodeVerifier(): Promise<void>;
-}
-//#endregion
-export { DurableObjectOAuthClientProvider as n, AgentsOAuthProvider as t };
-//# sourceMappingURL=do-oauth-client-provider-BqnOQzjy.d.ts.map

package/dist/do-oauth-client-provider-DDg8QrEA.js

@@ -1,155 +0,0 @@
-import { nanoid } from "nanoid";
-
-//#region src/mcp/do-oauth-client-provider.ts
-const STATE_EXPIRATION_MS = 600 * 1e3;
-var DurableObjectOAuthClientProvider = class {
-	constructor(storage, clientName, baseRedirectUrl) {
-		this.storage = storage;
-		this.clientName = clientName;
-		this.baseRedirectUrl = baseRedirectUrl;
-		if (!storage) throw new Error("DurableObjectOAuthClientProvider requires a valid DurableObjectStorage instance");
-	}
-	get clientMetadata() {
-		return {
-			client_name: this.clientName,
-			client_uri: this.clientUri,
-			grant_types: ["authorization_code", "refresh_token"],
-			redirect_uris: [this.redirectUrl],
-			response_types: ["code"],
-			token_endpoint_auth_method: "none"
-		};
-	}
-	get clientUri() {
-		return new URL(this.redirectUrl).origin;
-	}
-	get redirectUrl() {
-		return this.baseRedirectUrl;
-	}
-	get clientId() {
-		if (!this._clientId_) throw new Error("Trying to access clientId before it was set");
-		return this._clientId_;
-	}
-	set clientId(clientId_) {
-		this._clientId_ = clientId_;
-	}
-	get serverId() {
-		if (!this._serverId_) throw new Error("Trying to access serverId before it was set");
-		return this._serverId_;
-	}
-	set serverId(serverId_) {
-		this._serverId_ = serverId_;
-	}
-	keyPrefix(clientId) {
-		return `/${this.clientName}/${this.serverId}/${clientId}`;
-	}
-	clientInfoKey(clientId) {
-		return `${this.keyPrefix(clientId)}/client_info/`;
-	}
-	async clientInformation() {
-		if (!this._clientId_) return;
-		return await this.storage.get(this.clientInfoKey(this.clientId)) ?? void 0;
-	}
-	async saveClientInformation(clientInformation) {
-		await this.storage.put(this.clientInfoKey(clientInformation.client_id), clientInformation);
-		this.clientId = clientInformation.client_id;
-	}
-	tokenKey(clientId) {
-		return `${this.keyPrefix(clientId)}/token`;
-	}
-	async tokens() {
-		if (!this._clientId_) return;
-		return await this.storage.get(this.tokenKey(this.clientId)) ?? void 0;
-	}
-	async saveTokens(tokens) {
-		await this.storage.put(this.tokenKey(this.clientId), tokens);
-	}
-	get authUrl() {
-		return this._authUrl_;
-	}
-	stateKey(nonce) {
-		return `/${this.clientName}/${this.serverId}/state/${nonce}`;
-	}
-	async state() {
-		const nonce = nanoid();
-		const state = `${nonce}.${this.serverId}`;
-		const storedState = {
-			nonce,
-			serverId: this.serverId,
-			createdAt: Date.now()
-		};
-		await this.storage.put(this.stateKey(nonce), storedState);
-		return state;
-	}
-	async checkState(state) {
-		const parts = state.split(".");
-		if (parts.length !== 2) return {
-			valid: false,
-			error: "Invalid state format"
-		};
-		const [nonce, serverId] = parts;
-		const key = this.stateKey(nonce);
-		const storedState = await this.storage.get(key);
-		if (!storedState) return {
-			valid: false,
-			error: "State not found or already used"
-		};
-		if (storedState.serverId !== serverId) {
-			await this.storage.delete(key);
-			return {
-				valid: false,
-				error: "State serverId mismatch"
-			};
-		}
-		if (Date.now() - storedState.createdAt > STATE_EXPIRATION_MS) {
-			await this.storage.delete(key);
-			return {
-				valid: false,
-				error: "State expired"
-			};
-		}
-		return {
-			valid: true,
-			serverId
-		};
-	}
-	async consumeState(state) {
-		const parts = state.split(".");
-		if (parts.length !== 2) {
-			console.warn(`[OAuth] consumeState called with invalid state format: ${state.substring(0, 20)}...`);
-			return;
-		}
-		const [nonce] = parts;
-		await this.storage.delete(this.stateKey(nonce));
-	}
-	async redirectToAuthorization(authUrl) {
-		this._authUrl_ = authUrl.toString();
-	}
-	async invalidateCredentials(scope) {
-		if (!this._clientId_) return;
-		const deleteKeys = [];
-		if (scope === "all" || scope === "client") deleteKeys.push(this.clientInfoKey(this.clientId));
-		if (scope === "all" || scope === "tokens") deleteKeys.push(this.tokenKey(this.clientId));
-		if (scope === "all" || scope === "verifier") deleteKeys.push(this.codeVerifierKey(this.clientId));
-		if (deleteKeys.length > 0) await this.storage.delete(deleteKeys);
-	}
-	codeVerifierKey(clientId) {
-		return `${this.keyPrefix(clientId)}/code_verifier`;
-	}
-	async saveCodeVerifier(verifier) {
-		const key = this.codeVerifierKey(this.clientId);
-		if (await this.storage.get(key)) return;
-		await this.storage.put(key, verifier);
-	}
-	async codeVerifier() {
-		const codeVerifier = await this.storage.get(this.codeVerifierKey(this.clientId));
-		if (!codeVerifier) throw new Error("No code verifier found");
-		return codeVerifier;
-	}
-	async deleteCodeVerifier() {
-		await this.storage.delete(this.codeVerifierKey(this.clientId));
-	}
-};
-
-//#endregion
-export { DurableObjectOAuthClientProvider as t };
-//# sourceMappingURL=do-oauth-client-provider-DDg8QrEA.js.map

package/dist/do-oauth-client-provider-DDg8QrEA.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"do-oauth-client-provider-DDg8QrEA.js","names":[],"sources":["../src/mcp/do-oauth-client-provider.ts"],"sourcesContent":["import type { OAuthClientProvider } from \"@modelcontextprotocol/sdk/client/auth.js\";\nimport type {\n  OAuthClientInformation,\n  OAuthClientInformationFull,\n  OAuthClientMetadata,\n  OAuthTokens\n} from \"@modelcontextprotocol/sdk/shared/auth.js\";\nimport { nanoid } from \"nanoid\";\n\nconst STATE_EXPIRATION_MS = 10 * 60 * 1000; // 10 minutes\n\ninterface StoredState {\n  nonce: string;\n  serverId: string;\n  createdAt: number;\n}\n\n// A slight extension to the standard OAuthClientProvider interface because `redirectToAuthorization` doesn't give us the interface we need\n// This allows us to track authentication for a specific server and associated dynamic client registration\nexport interface AgentsOAuthProvider extends OAuthClientProvider {\n  authUrl: string | undefined;\n  clientId: string | undefined;\n  serverId: string | undefined;\n  checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }>;\n  consumeState(state: string): Promise<void>;\n  deleteCodeVerifier(): Promise<void>;\n}\n\nexport class DurableObjectOAuthClientProvider implements AgentsOAuthProvider {\n  private _authUrl_: string | undefined;\n  private _serverId_: string | undefined;\n  private _clientId_: string | undefined;\n\n  constructor(\n    public storage: DurableObjectStorage,\n    public clientName: string,\n    public baseRedirectUrl: string\n  ) {\n    if (!storage) {\n      throw new Error(\n        \"DurableObjectOAuthClientProvider requires a valid DurableObjectStorage instance\"\n      );\n    }\n  }\n\n  get clientMetadata(): OAuthClientMetadata {\n    return {\n      client_name: this.clientName,\n      client_uri: this.clientUri,\n      grant_types: [\"authorization_code\", \"refresh_token\"],\n      redirect_uris: [this.redirectUrl],\n      response_types: [\"code\"],\n      token_endpoint_auth_method: \"none\"\n    };\n  }\n\n  get clientUri() {\n    return new URL(this.redirectUrl).origin;\n  }\n\n  get redirectUrl() {\n    return this.baseRedirectUrl;\n  }\n\n  get clientId() {\n    if (!this._clientId_) {\n      throw new Error(\"Trying to access clientId before it was set\");\n    }\n    return this._clientId_;\n  }\n\n  set clientId(clientId_: string) {\n    this._clientId_ = clientId_;\n  }\n\n  get serverId() {\n    if (!this._serverId_) {\n      throw new Error(\"Trying to access serverId before it was set\");\n    }\n    return this._serverId_;\n  }\n\n  set serverId(serverId_: string) {\n    this._serverId_ = serverId_;\n  }\n\n  keyPrefix(clientId: string) {\n    return `/${this.clientName}/${this.serverId}/${clientId}`;\n  }\n\n  clientInfoKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/client_info/`;\n  }\n\n  async clientInformation(): Promise<OAuthClientInformation | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthClientInformation>(\n        this.clientInfoKey(this.clientId)\n      )) ?? undefined\n    );\n  }\n\n  async saveClientInformation(\n    clientInformation: OAuthClientInformationFull\n  ): Promise<void> {\n    await this.storage.put(\n      this.clientInfoKey(clientInformation.client_id),\n      clientInformation\n    );\n    this.clientId = clientInformation.client_id;\n  }\n\n  tokenKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/token`;\n  }\n\n  async tokens(): Promise<OAuthTokens | undefined> {\n    if (!this._clientId_) {\n      return undefined;\n    }\n    return (\n      (await this.storage.get<OAuthTokens>(this.tokenKey(this.clientId))) ??\n      undefined\n    );\n  }\n\n  async saveTokens(tokens: OAuthTokens): Promise<void> {\n    await this.storage.put(this.tokenKey(this.clientId), tokens);\n  }\n\n  get authUrl() {\n    return this._authUrl_;\n  }\n\n  stateKey(nonce: string) {\n    return `/${this.clientName}/${this.serverId}/state/${nonce}`;\n  }\n\n  async state(): Promise<string> {\n    const nonce = nanoid();\n    const state = `${nonce}.${this.serverId}`;\n    const storedState: StoredState = {\n      nonce,\n      serverId: this.serverId,\n      createdAt: Date.now()\n    };\n    await this.storage.put(this.stateKey(nonce), storedState);\n    return state;\n  }\n\n  async checkState(\n    state: string\n  ): Promise<{ valid: boolean; serverId?: string; error?: string }> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      return { valid: false, error: \"Invalid state format\" };\n    }\n\n    const [nonce, serverId] = parts;\n    const key = this.stateKey(nonce);\n    const storedState = await this.storage.get<StoredState>(key);\n\n    if (!storedState) {\n      return { valid: false, error: \"State not found or already used\" };\n    }\n\n    if (storedState.serverId !== serverId) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State serverId mismatch\" };\n    }\n\n    const age = Date.now() - storedState.createdAt;\n    if (age > STATE_EXPIRATION_MS) {\n      await this.storage.delete(key);\n      return { valid: false, error: \"State expired\" };\n    }\n\n    return { valid: true, serverId };\n  }\n\n  async consumeState(state: string): Promise<void> {\n    const parts = state.split(\".\");\n    if (parts.length !== 2) {\n      // This should never happen since checkState validates format first.\n      // Log for debugging but don't throw - state consumption is best-effort.\n      console.warn(\n        `[OAuth] consumeState called with invalid state format: ${state.substring(0, 20)}...`\n      );\n      return;\n    }\n    const [nonce] = parts;\n    await this.storage.delete(this.stateKey(nonce));\n  }\n\n  async redirectToAuthorization(authUrl: URL): Promise<void> {\n    this._authUrl_ = authUrl.toString();\n  }\n\n  async invalidateCredentials(\n    scope: \"all\" | \"client\" | \"tokens\" | \"verifier\"\n  ): Promise<void> {\n    if (!this._clientId_) return;\n\n    const deleteKeys: string[] = [];\n\n    if (scope === \"all\" || scope === \"client\") {\n      deleteKeys.push(this.clientInfoKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"tokens\") {\n      deleteKeys.push(this.tokenKey(this.clientId));\n    }\n    if (scope === \"all\" || scope === \"verifier\") {\n      deleteKeys.push(this.codeVerifierKey(this.clientId));\n    }\n\n    if (deleteKeys.length > 0) {\n      await this.storage.delete(deleteKeys);\n    }\n  }\n\n  codeVerifierKey(clientId: string) {\n    return `${this.keyPrefix(clientId)}/code_verifier`;\n  }\n\n  async saveCodeVerifier(verifier: string): Promise<void> {\n    const key = this.codeVerifierKey(this.clientId);\n\n    // Don't overwrite existing verifier to preserve first PKCE verifier\n    const existing = await this.storage.get<string>(key);\n    if (existing) {\n      return;\n    }\n\n    await this.storage.put(key, verifier);\n  }\n\n  async codeVerifier(): Promise<string> {\n    const codeVerifier = await this.storage.get<string>(\n      this.codeVerifierKey(this.clientId)\n    );\n    if (!codeVerifier) {\n      throw new Error(\"No code verifier found\");\n    }\n    return codeVerifier;\n  }\n\n  async deleteCodeVerifier(): Promise<void> {\n    await this.storage.delete(this.codeVerifierKey(this.clientId));\n  }\n}\n"],"mappings":";;;AASA,MAAM,sBAAsB,MAAU;AAqBtC,IAAa,mCAAb,MAA6E;CAK3E,YACE,AAAO,SACP,AAAO,YACP,AAAO,iBACP;EAHO;EACA;EACA;AAEP,MAAI,CAAC,QACH,OAAM,IAAI,MACR,kFACD;;CAIL,IAAI,iBAAsC;AACxC,SAAO;GACL,aAAa,KAAK;GAClB,YAAY,KAAK;GACjB,aAAa,CAAC,sBAAsB,gBAAgB;GACpD,eAAe,CAAC,KAAK,YAAY;GACjC,gBAAgB,CAAC,OAAO;GACxB,4BAA4B;GAC7B;;CAGH,IAAI,YAAY;AACd,SAAO,IAAI,IAAI,KAAK,YAAY,CAAC;;CAGnC,IAAI,cAAc;AAChB,SAAO,KAAK;;CAGd,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,IAAI,WAAW;AACb,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM,8CAA8C;AAEhE,SAAO,KAAK;;CAGd,IAAI,SAAS,WAAmB;AAC9B,OAAK,aAAa;;CAGpB,UAAU,UAAkB;AAC1B,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,GAAG;;CAGjD,cAAc,UAAkB;AAC9B,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,oBAAiE;AACrE,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAClB,KAAK,cAAc,KAAK,SAAS,CAClC,IAAK;;CAIV,MAAM,sBACJ,mBACe;AACf,QAAM,KAAK,QAAQ,IACjB,KAAK,cAAc,kBAAkB,UAAU,EAC/C,kBACD;AACD,OAAK,WAAW,kBAAkB;;CAGpC,SAAS,UAAkB;AACzB,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,SAA2C;AAC/C,MAAI,CAAC,KAAK,WACR;AAEF,SACG,MAAM,KAAK,QAAQ,IAAiB,KAAK,SAAS,KAAK,SAAS,CAAC,IAClE;;CAIJ,MAAM,WAAW,QAAoC;AACnD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,KAAK,SAAS,EAAE,OAAO;;CAG9D,IAAI,UAAU;AACZ,SAAO,KAAK;;CAGd,SAAS,OAAe;AACtB,SAAO,IAAI,KAAK,WAAW,GAAG,KAAK,SAAS,SAAS;;CAGvD,MAAM,QAAyB;EAC7B,MAAM,QAAQ,QAAQ;EACtB,MAAM,QAAQ,GAAG,MAAM,GAAG,KAAK;EAC/B,MAAM,cAA2B;GAC/B;GACA,UAAU,KAAK;GACf,WAAW,KAAK,KAAK;GACtB;AACD,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS,MAAM,EAAE,YAAY;AACzD,SAAO;;CAGT,MAAM,WACJ,OACgE;EAChE,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,EACnB,QAAO;GAAE,OAAO;GAAO,OAAO;GAAwB;EAGxD,MAAM,CAAC,OAAO,YAAY;EAC1B,MAAM,MAAM,KAAK,SAAS,MAAM;EAChC,MAAM,cAAc,MAAM,KAAK,QAAQ,IAAiB,IAAI;AAE5D,MAAI,CAAC,YACH,QAAO;GAAE,OAAO;GAAO,OAAO;GAAmC;AAGnE,MAAI,YAAY,aAAa,UAAU;AACrC,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAA2B;;AAI3D,MADY,KAAK,KAAK,GAAG,YAAY,YAC3B,qBAAqB;AAC7B,SAAM,KAAK,QAAQ,OAAO,IAAI;AAC9B,UAAO;IAAE,OAAO;IAAO,OAAO;IAAiB;;AAGjD,SAAO;GAAE,OAAO;GAAM;GAAU;;CAGlC,MAAM,aAAa,OAA8B;EAC/C,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,GAAG;AAGtB,WAAQ,KACN,0DAA0D,MAAM,UAAU,GAAG,GAAG,CAAC,KAClF;AACD;;EAEF,MAAM,CAAC,SAAS;AAChB,QAAM,KAAK,QAAQ,OAAO,KAAK,SAAS,MAAM,CAAC;;CAGjD,MAAM,wBAAwB,SAA6B;AACzD,OAAK,YAAY,QAAQ,UAAU;;CAGrC,MAAM,sBACJ,OACe;AACf,MAAI,CAAC,KAAK,WAAY;EAEtB,MAAM,aAAuB,EAAE;AAE/B,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,cAAc,KAAK,SAAS,CAAC;AAEpD,MAAI,UAAU,SAAS,UAAU,SAC/B,YAAW,KAAK,KAAK,SAAS,KAAK,SAAS,CAAC;AAE/C,MAAI,UAAU,SAAS,UAAU,WAC/B,YAAW,KAAK,KAAK,gBAAgB,KAAK,SAAS,CAAC;AAGtD,MAAI,WAAW,SAAS,EACtB,OAAM,KAAK,QAAQ,OAAO,WAAW;;CAIzC,gBAAgB,UAAkB;AAChC,SAAO,GAAG,KAAK,UAAU,SAAS,CAAC;;CAGrC,MAAM,iBAAiB,UAAiC;EACtD,MAAM,MAAM,KAAK,gBAAgB,KAAK,SAAS;AAI/C,MADiB,MAAM,KAAK,QAAQ,IAAY,IAAI,CAElD;AAGF,QAAM,KAAK,QAAQ,IAAI,KAAK,SAAS;;CAGvC,MAAM,eAAgC;EACpC,MAAM,eAAe,MAAM,KAAK,QAAQ,IACtC,KAAK,gBAAgB,KAAK,SAAS,CACpC;AACD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM,yBAAyB;AAE3C,SAAO;;CAGT,MAAM,qBAAoC;AACxC,QAAM,KAAK,QAAQ,OAAO,KAAK,gBAAgB,KAAK,SAAS,CAAC"}

package/dist/email-8ljcpvwV.d.ts

@@ -1,157 +0,0 @@
-//#region src/email.d.ts
-/**
- * Header object as returned by postal-mime and similar email parsing libraries.
- * Each header has a lowercase key and a string value.
- */
-type EmailHeader = {
-  /** Lowercase header name (e.g., "content-type", "x-custom-header") */ key: string; /** Header value */
-  value: string;
-};
-/**
- * Check if an email appears to be an auto-reply based on standard headers.
- * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.
- *
- * @param headers - Headers array from postal-mime Email.headers or similar format
- * @returns true if email appears to be an auto-reply
- *
- * @example
- * ```typescript
- * if (isAutoReplyEmail(parsed.headers)) {
- *   // Skip processing auto-replies
- *   return;
- * }
- * ```
- */
-declare function isAutoReplyEmail(headers: EmailHeader[]): boolean;
-/** Default signature expiration: 30 days in seconds */
-declare const DEFAULT_MAX_AGE_SECONDS: number;
-/**
- * Sign agent routing headers for secure reply flows.
- * Use this when sending outbound emails to ensure replies can be securely routed back.
- *
- * @param secret - Secret key for HMAC signing (store in environment variables)
- * @param agentName - Name of the agent
- * @param agentId - ID of the agent instance
- * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts
- *
- * @example
- * ```typescript
- * const headers = await signAgentHeaders(env.EMAIL_SECRET, "MyAgent", this.name);
- * // Use these headers when sending outbound emails
- * ```
- */
-declare function signAgentHeaders(
-  secret: string,
-  agentName: string,
-  agentId: string
-): Promise<Record<string, string>>;
-type EmailResolverResult = {
-  agentName: string;
-  agentId: string; /** @internal Indicates this resolver requires secure reply signing */
-  _secureRouted?: boolean;
-} | null;
-type EmailResolver<Env> = (
-  email: ForwardableEmailMessage,
-  env: Env
-) => Promise<EmailResolverResult>;
-/**
- * Reason for signature verification failure
- */
-type SignatureFailureReason =
-  | "missing_headers"
-  | "expired"
-  | "invalid"
-  | "malformed_timestamp";
-/**
- * Options for createSecureReplyEmailResolver
- */
-type SecureReplyResolverOptions = {
-  /**
-   * Maximum age of signature in seconds.
-   * Signatures older than this will be rejected.
-   * Default: 30 days (2592000 seconds)
-   */
-  maxAge?: number;
-  /**
-   * Callback invoked when signature verification fails.
-   * Useful for logging and debugging.
-   */
-  onInvalidSignature?: (
-    email: ForwardableEmailMessage,
-    reason: SignatureFailureReason
-  ) => void;
-};
-/**
- * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).
- * @throws Always throws an error with migration guidance.
- */
-declare function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env>;
-/**
- * Create a resolver for routing email replies with signature verification.
- * This resolver verifies that replies contain a valid HMAC signature, preventing
- * attackers from routing emails to arbitrary agent instances.
- *
- * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)
- * @param options - Optional configuration for signature verification
- * @returns A function that resolves the agent to route the email to, or null if signature is invalid
- *
- * @example
- * ```typescript
- * // In your email handler
- * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
- *   maxAge: 7 * 24 * 60 * 60, // 7 days
- *   onInvalidSignature: (email, reason) => {
- *     console.warn(`Invalid signature from ${email.from}: ${reason}`);
- *   }
- * });
- * const addressResolver = createAddressBasedEmailResolver("MyAgent");
- *
- * await routeAgentEmail(email, env, {
- *   resolver: async (email, env) => {
- *     // Try secure reply routing first
- *     const replyRouting = await secureResolver(email, env);
- *     if (replyRouting) return replyRouting;
- *     // Fall back to address-based routing
- *     return addressResolver(email, env);
- *   }
- * });
- * ```
- */
-declare function createSecureReplyEmailResolver<Env>(
-  secret: string,
-  options?: SecureReplyResolverOptions
-): EmailResolver<Env>;
-/**
- * Create a resolver that uses the email address to determine the agent to route the email to
- * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address
- * @returns A function that resolves the agent to route the email to
- */
-declare function createAddressBasedEmailResolver<Env>(
-  defaultAgentName: string
-): EmailResolver<Env>;
-/**
- * Create a resolver that uses the agentName and agentId to determine the agent to route the email to
- * @param agentName The name of the agent to route the email to
- * @param agentId The id of the agent to route the email to
- * @returns A function that resolves the agent to route the email to
- */
-declare function createCatchAllEmailResolver<Env>(
-  agentName: string,
-  agentId: string
-): EmailResolver<Env>;
-//#endregion
-export {
-  SecureReplyResolverOptions as a,
-  createCatchAllEmailResolver as c,
-  isAutoReplyEmail as d,
-  signAgentHeaders as f,
-  EmailResolverResult as i,
-  createHeaderBasedEmailResolver as l,
-  EmailHeader as n,
-  SignatureFailureReason as o,
-  EmailResolver as r,
-  createAddressBasedEmailResolver as s,
-  DEFAULT_MAX_AGE_SECONDS as t,
-  createSecureReplyEmailResolver as u
-};
-//# sourceMappingURL=email-8ljcpvwV.d.ts.map

package/dist/email-XHsSYsTO.js

@@ -1,223 +0,0 @@
-//#region src/email.ts
-/**
-* Check if an email appears to be an auto-reply based on standard headers.
-* Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.
-*
-* @param headers - Headers array from postal-mime Email.headers or similar format
-* @returns true if email appears to be an auto-reply
-*
-* @example
-* ```typescript
-* if (isAutoReplyEmail(parsed.headers)) {
-*   // Skip processing auto-replies
-*   return;
-* }
-* ```
-*/
-function isAutoReplyEmail(headers) {
-	return headers.some((h) => {
-		const key = h.key.toLowerCase();
-		const value = h.value.toLowerCase();
-		if (key === "auto-submitted") return value !== "no";
-		if (key === "x-auto-response-suppress") return true;
-		if (key === "precedence") return value === "bulk" || value === "junk" || value === "list";
-		return false;
-	});
-}
-/** Default signature expiration: 30 days in seconds */
-const DEFAULT_MAX_AGE_SECONDS = 720 * 60 * 60;
-/** Maximum allowed clock skew for future timestamps: 5 minutes */
-const MAX_CLOCK_SKEW_SECONDS = 300;
-/**
-* Compute HMAC-SHA256 signature for agent routing headers
-* @param secret - Secret key for HMAC
-* @param agentName - Name of the agent
-* @param agentId - ID of the agent instance
-* @param timestamp - Unix timestamp in seconds
-* @returns Base64-encoded HMAC signature
-*/
-async function computeAgentSignature(secret, agentName, agentId, timestamp) {
-	const encoder = new TextEncoder();
-	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
-		name: "HMAC",
-		hash: "SHA-256"
-	}, false, ["sign"]);
-	const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);
-	const signature = await crypto.subtle.sign("HMAC", key, data);
-	return btoa(String.fromCharCode(...new Uint8Array(signature)));
-}
-/**
-* Verify HMAC-SHA256 signature for agent routing headers
-* @param secret - Secret key for HMAC
-* @param agentName - Name of the agent
-* @param agentId - ID of the agent instance
-* @param signature - Base64-encoded signature to verify
-* @param timestamp - Unix timestamp in seconds when signature was created
-* @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)
-* @returns Verification result with reason if invalid
-*/
-async function verifyAgentSignature(secret, agentName, agentId, signature, timestamp, maxAgeSeconds = DEFAULT_MAX_AGE_SECONDS) {
-	try {
-		const timestampNum = Number.parseInt(timestamp, 10);
-		if (Number.isNaN(timestampNum)) return {
-			valid: false,
-			reason: "malformed_timestamp"
-		};
-		const now = Math.floor(Date.now() / 1e3);
-		if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) return {
-			valid: false,
-			reason: "invalid"
-		};
-		if (now - timestampNum > maxAgeSeconds) return {
-			valid: false,
-			reason: "expired"
-		};
-		const expected = await computeAgentSignature(secret, agentName, agentId, timestamp);
-		if (expected.length !== signature.length) return {
-			valid: false,
-			reason: "invalid"
-		};
-		let result = 0;
-		for (let i = 0; i < expected.length; i++) result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
-		if (result !== 0) return {
-			valid: false,
-			reason: "invalid"
-		};
-		return { valid: true };
-	} catch (error) {
-		console.warn("[agents] Signature verification error:", error);
-		return {
-			valid: false,
-			reason: "invalid"
-		};
-	}
-}
-/**
-* Sign agent routing headers for secure reply flows.
-* Use this when sending outbound emails to ensure replies can be securely routed back.
-*
-* @param secret - Secret key for HMAC signing (store in environment variables)
-* @param agentName - Name of the agent
-* @param agentId - ID of the agent instance
-* @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts
-*
-* @example
-* ```typescript
-* const headers = await signAgentHeaders(env.EMAIL_SECRET, "MyAgent", this.name);
-* // Use these headers when sending outbound emails
-* ```
-*/
-async function signAgentHeaders(secret, agentName, agentId) {
-	if (!secret) throw new Error("secret is required for signing agent headers");
-	if (!agentName) throw new Error("agentName is required for signing agent headers");
-	if (!agentId) throw new Error("agentId is required for signing agent headers");
-	if (agentName.includes(":")) throw new Error("agentName cannot contain colons");
-	if (agentId.includes(":")) throw new Error("agentId cannot contain colons");
-	const timestamp = Math.floor(Date.now() / 1e3).toString();
-	const signature = await computeAgentSignature(secret, agentName, agentId, timestamp);
-	return {
-		"X-Agent-Name": agentName,
-		"X-Agent-ID": agentId,
-		"X-Agent-Sig": signature,
-		"X-Agent-Sig-Ts": timestamp
-	};
-}
-/**
-* @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).
-* @throws Always throws an error with migration guidance.
-*/
-function createHeaderBasedEmailResolver() {
-	throw new Error("createHeaderBasedEmailResolver has been removed due to a security vulnerability. It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\n\nMigration options:\n  - For inbound mail: use createAddressBasedEmailResolver(agentName)\n  - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\n\nSee https://github.com/cloudflare/agents/blob/main/docs/email.md for details.");
-}
-/**
-* Create a resolver for routing email replies with signature verification.
-* This resolver verifies that replies contain a valid HMAC signature, preventing
-* attackers from routing emails to arbitrary agent instances.
-*
-* @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)
-* @param options - Optional configuration for signature verification
-* @returns A function that resolves the agent to route the email to, or null if signature is invalid
-*
-* @example
-* ```typescript
-* // In your email handler
-* const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
-*   maxAge: 7 * 24 * 60 * 60, // 7 days
-*   onInvalidSignature: (email, reason) => {
-*     console.warn(`Invalid signature from ${email.from}: ${reason}`);
-*   }
-* });
-* const addressResolver = createAddressBasedEmailResolver("MyAgent");
-*
-* await routeAgentEmail(email, env, {
-*   resolver: async (email, env) => {
-*     // Try secure reply routing first
-*     const replyRouting = await secureResolver(email, env);
-*     if (replyRouting) return replyRouting;
-*     // Fall back to address-based routing
-*     return addressResolver(email, env);
-*   }
-* });
-* ```
-*/
-function createSecureReplyEmailResolver(secret, options) {
-	if (!secret) throw new Error("secret is required for createSecureReplyEmailResolver");
-	const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;
-	const onInvalidSignature = options?.onInvalidSignature;
-	return async (email, _env) => {
-		const agentName = email.headers.get("x-agent-name");
-		const agentId = email.headers.get("x-agent-id");
-		const signature = email.headers.get("x-agent-sig");
-		const timestamp = email.headers.get("x-agent-sig-ts");
-		if (!agentName || !agentId || !signature || !timestamp) {
-			onInvalidSignature?.(email, "missing_headers");
-			return null;
-		}
-		const result = await verifyAgentSignature(secret, agentName, agentId, signature, timestamp, maxAge);
-		if (!result.valid) {
-			onInvalidSignature?.(email, result.reason);
-			return null;
-		}
-		return {
-			agentName,
-			agentId,
-			_secureRouted: true
-		};
-	};
-}
-/**
-* Create a resolver that uses the email address to determine the agent to route the email to
-* @param defaultAgentName The default agent name to use if the email address does not contain a sub-address
-* @returns A function that resolves the agent to route the email to
-*/
-function createAddressBasedEmailResolver(defaultAgentName) {
-	return async (email, _env) => {
-		const emailMatch = email.to.match(/^([^+@]{1,64})(?:\+([^@]{1,64}))?@(.{1,253})$/);
-		if (!emailMatch) return null;
-		const [, localPart, subAddress] = emailMatch;
-		if (subAddress) return {
-			agentName: localPart,
-			agentId: subAddress
-		};
-		return {
-			agentName: defaultAgentName,
-			agentId: localPart
-		};
-	};
-}
-/**
-* Create a resolver that uses the agentName and agentId to determine the agent to route the email to
-* @param agentName The name of the agent to route the email to
-* @param agentId The id of the agent to route the email to
-* @returns A function that resolves the agent to route the email to
-*/
-function createCatchAllEmailResolver(agentName, agentId) {
-	return async () => ({
-		agentName,
-		agentId
-	});
-}
-
-//#endregion
-export { createSecureReplyEmailResolver as a, createHeaderBasedEmailResolver as i, createAddressBasedEmailResolver as n, isAutoReplyEmail as o, createCatchAllEmailResolver as r, signAgentHeaders as s, DEFAULT_MAX_AGE_SECONDS as t };
-//# sourceMappingURL=email-XHsSYsTO.js.map

package/dist/email-XHsSYsTO.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"email-XHsSYsTO.js","names":[],"sources":["../src/email.ts"],"sourcesContent":["/**\n * Email routing types, resolvers, and signing utilities for Agents\n */\n\n// Re-export AgentEmail type\nexport type { AgentEmail } from \"./internal_context\";\n\n// ============================================================================\n// Email header utilities\n// ============================================================================\n\n/**\n * Header object as returned by postal-mime and similar email parsing libraries.\n * Each header has a lowercase key and a string value.\n */\nexport type EmailHeader = {\n  /** Lowercase header name (e.g., \"content-type\", \"x-custom-header\") */\n  key: string;\n  /** Header value */\n  value: string;\n};\n\n/**\n * Check if an email appears to be an auto-reply based on standard headers.\n * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.\n *\n * @param headers - Headers array from postal-mime Email.headers or similar format\n * @returns true if email appears to be an auto-reply\n *\n * @example\n * ```typescript\n * if (isAutoReplyEmail(parsed.headers)) {\n *   // Skip processing auto-replies\n *   return;\n * }\n * ```\n */\nexport function isAutoReplyEmail(headers: EmailHeader[]): boolean {\n  return headers.some((h) => {\n    const key = h.key.toLowerCase();\n    const value = h.value.toLowerCase();\n\n    // RFC 3834: Auto-Submitted header\n    // \"no\" means normal (human-sent) email, anything else indicates auto-reply\n    if (key === \"auto-submitted\") {\n      return value !== \"no\";\n    }\n\n    // X-Auto-Response-Suppress: any value indicates sender doesn't want auto-replies\n    if (key === \"x-auto-response-suppress\") {\n      return true;\n    }\n\n    // Precedence: only bulk/junk/list indicate automated/mass mail\n    if (key === \"precedence\") {\n      return value === \"bulk\" || value === \"junk\" || value === \"list\";\n    }\n\n    return false;\n  });\n}\n\n// ============================================================================\n// Signing utilities\n// ============================================================================\n\n/** Default signature expiration: 30 days in seconds */\nexport const DEFAULT_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;\n\n/** Maximum allowed clock skew for future timestamps: 5 minutes */\nconst MAX_CLOCK_SKEW_SECONDS = 5 * 60;\n\n/**\n * Compute HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param timestamp - Unix timestamp in seconds\n * @returns Base64-encoded HMAC signature\n */\nasync function computeAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  timestamp: string\n): Promise<string> {\n  const encoder = new TextEncoder();\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    encoder.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"]\n  );\n  const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);\n  const signature = await crypto.subtle.sign(\"HMAC\", key, data);\n  return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n/**\n * Result of signature verification\n */\ntype SignatureVerificationResult =\n  | { valid: true }\n  | { valid: false; reason: \"expired\" | \"invalid\" | \"malformed_timestamp\" };\n\n/**\n * Verify HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param signature - Base64-encoded signature to verify\n * @param timestamp - Unix timestamp in seconds when signature was created\n * @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)\n * @returns Verification result with reason if invalid\n */\nasync function verifyAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  signature: string,\n  timestamp: string,\n  maxAgeSeconds: number = DEFAULT_MAX_AGE_SECONDS\n): Promise<SignatureVerificationResult> {\n  try {\n    // Validate timestamp format\n    const timestampNum = Number.parseInt(timestamp, 10);\n    if (Number.isNaN(timestampNum)) {\n      return { valid: false, reason: \"malformed_timestamp\" };\n    }\n\n    // Check timestamp validity\n    const now = Math.floor(Date.now() / 1000);\n\n    // Reject timestamps too far in the future (prevents extending signature validity)\n    if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) {\n      return { valid: false, reason: \"invalid\" };\n    }\n\n    // Check if signature has expired\n    if (now - timestampNum > maxAgeSeconds) {\n      return { valid: false, reason: \"expired\" };\n    }\n\n    const expected = await computeAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      timestamp\n    );\n    // Constant-time comparison to prevent timing attacks\n    if (expected.length !== signature.length) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    let result = 0;\n    for (let i = 0; i < expected.length; i++) {\n      result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n    }\n    if (result !== 0) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    return { valid: true };\n  } catch (error) {\n    console.warn(\"[agents] Signature verification error:\", error);\n    return { valid: false, reason: \"invalid\" };\n  }\n}\n\n/**\n * Sign agent routing headers for secure reply flows.\n * Use this when sending outbound emails to ensure replies can be securely routed back.\n *\n * @param secret - Secret key for HMAC signing (store in environment variables)\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts\n *\n * @example\n * ```typescript\n * const headers = await signAgentHeaders(env.EMAIL_SECRET, \"MyAgent\", this.name);\n * // Use these headers when sending outbound emails\n * ```\n */\nexport async function signAgentHeaders(\n  secret: string,\n  agentName: string,\n  agentId: string\n): Promise<Record<string, string>> {\n  if (!secret) {\n    throw new Error(\"secret is required for signing agent headers\");\n  }\n  if (!agentName) {\n    throw new Error(\"agentName is required for signing agent headers\");\n  }\n  if (!agentId) {\n    throw new Error(\"agentId is required for signing agent headers\");\n  }\n  // Reject colons to prevent signature confusion attacks\n  // (signature payload uses colon as delimiter: \"agentName:agentId:timestamp\")\n  if (agentName.includes(\":\")) {\n    throw new Error(\"agentName cannot contain colons\");\n  }\n  if (agentId.includes(\":\")) {\n    throw new Error(\"agentId cannot contain colons\");\n  }\n\n  const timestamp = Math.floor(Date.now() / 1000).toString();\n  const signature = await computeAgentSignature(\n    secret,\n    agentName,\n    agentId,\n    timestamp\n  );\n  return {\n    \"X-Agent-Name\": agentName,\n    \"X-Agent-ID\": agentId,\n    \"X-Agent-Sig\": signature,\n    \"X-Agent-Sig-Ts\": timestamp\n  };\n}\n\n// ============================================================================\n// Email routing types and resolvers\n// ============================================================================\n\nexport type EmailResolverResult = {\n  agentName: string;\n  agentId: string;\n  /** @internal Indicates this resolver requires secure reply signing */\n  _secureRouted?: boolean;\n} | null;\n\nexport type EmailResolver<Env> = (\n  email: ForwardableEmailMessage,\n  env: Env\n) => Promise<EmailResolverResult>;\n\n/**\n * Reason for signature verification failure\n */\nexport type SignatureFailureReason =\n  | \"missing_headers\"\n  | \"expired\"\n  | \"invalid\"\n  | \"malformed_timestamp\";\n\n/**\n * Options for createSecureReplyEmailResolver\n */\nexport type SecureReplyResolverOptions = {\n  /**\n   * Maximum age of signature in seconds.\n   * Signatures older than this will be rejected.\n   * Default: 30 days (2592000 seconds)\n   */\n  maxAge?: number;\n  /**\n   * Callback invoked when signature verification fails.\n   * Useful for logging and debugging.\n   */\n  onInvalidSignature?: (\n    email: ForwardableEmailMessage,\n    reason: SignatureFailureReason\n  ) => void;\n};\n\n/**\n * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).\n * @throws Always throws an error with migration guidance.\n */\nexport function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env> {\n  throw new Error(\n    \"createHeaderBasedEmailResolver has been removed due to a security vulnerability. \" +\n      \"It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\\n\\n\" +\n      \"Migration options:\\n\" +\n      \"  - For inbound mail: use createAddressBasedEmailResolver(agentName)\\n\" +\n      \"  - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\\n\\n\" +\n      \"See https://github.com/cloudflare/agents/blob/main/docs/email.md for details.\"\n  );\n}\n\n/**\n * Create a resolver for routing email replies with signature verification.\n * This resolver verifies that replies contain a valid HMAC signature, preventing\n * attackers from routing emails to arbitrary agent instances.\n *\n * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)\n * @param options - Optional configuration for signature verification\n * @returns A function that resolves the agent to route the email to, or null if signature is invalid\n *\n * @example\n * ```typescript\n * // In your email handler\n * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {\n *   maxAge: 7 * 24 * 60 * 60, // 7 days\n *   onInvalidSignature: (email, reason) => {\n *     console.warn(`Invalid signature from ${email.from}: ${reason}`);\n *   }\n * });\n * const addressResolver = createAddressBasedEmailResolver(\"MyAgent\");\n *\n * await routeAgentEmail(email, env, {\n *   resolver: async (email, env) => {\n *     // Try secure reply routing first\n *     const replyRouting = await secureResolver(email, env);\n *     if (replyRouting) return replyRouting;\n *     // Fall back to address-based routing\n *     return addressResolver(email, env);\n *   }\n * });\n * ```\n */\nexport function createSecureReplyEmailResolver<Env>(\n  secret: string,\n  options?: SecureReplyResolverOptions\n): EmailResolver<Env> {\n  if (!secret) {\n    throw new Error(\"secret is required for createSecureReplyEmailResolver\");\n  }\n\n  const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;\n  const onInvalidSignature = options?.onInvalidSignature;\n\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    const agentName = email.headers.get(\"x-agent-name\");\n    const agentId = email.headers.get(\"x-agent-id\");\n    const signature = email.headers.get(\"x-agent-sig\");\n    const timestamp = email.headers.get(\"x-agent-sig-ts\");\n\n    if (!agentName || !agentId || !signature || !timestamp) {\n      onInvalidSignature?.(email, \"missing_headers\");\n      return null;\n    }\n\n    const result = await verifyAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      signature,\n      timestamp,\n      maxAge\n    );\n\n    if (!result.valid) {\n      onInvalidSignature?.(email, result.reason);\n      return null;\n    }\n\n    return { agentName, agentId, _secureRouted: true };\n  };\n}\n\n/**\n * Create a resolver that uses the email address to determine the agent to route the email to\n * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address\n * @returns A function that resolves the agent to route the email to\n */\nexport function createAddressBasedEmailResolver<Env>(\n  defaultAgentName: string\n): EmailResolver<Env> {\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    // Length limits per RFC 5321: local part max 64 chars, domain max 253 chars\n    const emailMatch = email.to.match(\n      /^([^+@]{1,64})(?:\\+([^@]{1,64}))?@(.{1,253})$/\n    );\n    if (!emailMatch) {\n      return null;\n    }\n\n    const [, localPart, subAddress] = emailMatch;\n\n    if (subAddress) {\n      return {\n        agentName: localPart,\n        agentId: subAddress\n      };\n    }\n\n    // Option 2: Use defaultAgentName namespace, localPart as agentId\n    // Common for catch-all email routing to a single EmailAgent namespace\n    return {\n      agentName: defaultAgentName,\n      agentId: localPart\n    };\n  };\n}\n\n/**\n * Create a resolver that uses the agentName and agentId to determine the agent to route the email to\n * @param agentName The name of the agent to route the email to\n * @param agentId The id of the agent to route the email to\n * @returns A function that resolves the agent to route the email to\n */\nexport function createCatchAllEmailResolver<Env>(\n  agentName: string,\n  agentId: string\n): EmailResolver<Env> {\n  return async () => ({ agentName, agentId });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAqCA,SAAgB,iBAAiB,SAAiC;AAChE,QAAO,QAAQ,MAAM,MAAM;EACzB,MAAM,MAAM,EAAE,IAAI,aAAa;EAC/B,MAAM,QAAQ,EAAE,MAAM,aAAa;AAInC,MAAI,QAAQ,iBACV,QAAO,UAAU;AAInB,MAAI,QAAQ,2BACV,QAAO;AAIT,MAAI,QAAQ,aACV,QAAO,UAAU,UAAU,UAAU,UAAU,UAAU;AAG3D,SAAO;GACP;;;AAQJ,MAAa,0BAA0B,MAAU,KAAK;;AAGtD,MAAM,yBAAyB;;;;;;;;;AAU/B,eAAe,sBACb,QACA,WACA,SACA,WACiB;CACjB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACT;CACD,MAAM,OAAO,QAAQ,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,YAAY;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,KAAK;AAC7D,QAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,UAAU,CAAC,CAAC;;;;;;;;;;;;AAoBhE,eAAe,qBACb,QACA,WACA,SACA,WACA,WACA,gBAAwB,yBACc;AACtC,KAAI;EAEF,MAAM,eAAe,OAAO,SAAS,WAAW,GAAG;AACnD,MAAI,OAAO,MAAM,aAAa,CAC5B,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAuB;EAIxD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAGzC,MAAI,eAAe,MAAM,uBACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAI5C,MAAI,MAAM,eAAe,cACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAG5C,MAAM,WAAW,MAAM,sBACrB,QACA,WACA,SACA,UACD;AAED,MAAI,SAAS,WAAW,UAAU,OAChC,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAE5C,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,IACnC,WAAU,SAAS,WAAW,EAAE,GAAG,UAAU,WAAW,EAAE;AAE5D,MAAI,WAAW,EACb,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAE5C,SAAO,EAAE,OAAO,MAAM;UACf,OAAO;AACd,UAAQ,KAAK,0CAA0C,MAAM;AAC7D,SAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;;;;;;;;;;;;;;;;;;AAmB9C,eAAsB,iBACpB,QACA,WACA,SACiC;AACjC,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,+CAA+C;AAEjE,KAAI,CAAC,UACH,OAAM,IAAI,MAAM,kDAAkD;AAEpE,KAAI,CAAC,QACH,OAAM,IAAI,MAAM,gDAAgD;AAIlE,KAAI,UAAU,SAAS,IAAI,CACzB,OAAM,IAAI,MAAM,kCAAkC;AAEpD,KAAI,QAAQ,SAAS,IAAI,CACvB,OAAM,IAAI,MAAM,gCAAgC;CAGlD,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,CAAC,UAAU;CAC1D,MAAM,YAAY,MAAM,sBACtB,QACA,WACA,SACA,UACD;AACD,QAAO;EACL,gBAAgB;EAChB,cAAc;EACd,eAAe;EACf,kBAAkB;EACnB;;;;;;AAoDH,SAAgB,iCAA0D;AACxE,OAAM,IAAI,MACR,saAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCH,SAAgB,+BACd,QACA,SACoB;AACpB,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,wDAAwD;CAG1E,MAAM,SAAS,SAAS,UAAU;CAClC,MAAM,qBAAqB,SAAS;AAEpC,QAAO,OAAO,OAAgC,SAAc;EAC1D,MAAM,YAAY,MAAM,QAAQ,IAAI,eAAe;EACnD,MAAM,UAAU,MAAM,QAAQ,IAAI,aAAa;EAC/C,MAAM,YAAY,MAAM,QAAQ,IAAI,cAAc;EAClD,MAAM,YAAY,MAAM,QAAQ,IAAI,iBAAiB;AAErD,MAAI,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,WAAW;AACtD,wBAAqB,OAAO,kBAAkB;AAC9C,UAAO;;EAGT,MAAM,SAAS,MAAM,qBACnB,QACA,WACA,SACA,WACA,WACA,OACD;AAED,MAAI,CAAC,OAAO,OAAO;AACjB,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO;;AAGT,SAAO;GAAE;GAAW;GAAS,eAAe;GAAM;;;;;;;;AAStD,SAAgB,gCACd,kBACoB;AACpB,QAAO,OAAO,OAAgC,SAAc;EAE1D,MAAM,aAAa,MAAM,GAAG,MAC1B,gDACD;AACD,MAAI,CAAC,WACH,QAAO;EAGT,MAAM,GAAG,WAAW,cAAc;AAElC,MAAI,WACF,QAAO;GACL,WAAW;GACX,SAAS;GACV;AAKH,SAAO;GACL,WAAW;GACX,SAAS;GACV;;;;;;;;;AAUL,SAAgB,4BACd,WACA,SACoB;AACpB,QAAO,aAAa;EAAE;EAAW;EAAS"}