npm - agents - Versions diffs - 0.3.6 → 0.3.8 - Mend

agents 0.3.6 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/README.md +303 -314
package/dist/ai-types.js +1 -1
package/dist/{client-0lfEZpSQ.js → client-BA8NJB6l.js} +17 -4
package/dist/client-BA8NJB6l.js.map +1 -0
package/dist/{client-Cxno-5sH.d.ts → client-DGpERepg.d.ts} +8 -14
package/dist/client.d.ts +93 -24
package/dist/client.js +202 -2
package/dist/client.js.map +1 -0
package/dist/{do-oauth-client-provider-BH9zFtSy.d.ts → do-oauth-client-provider-BqnOQzjy.d.ts} +1 -1
package/dist/{do-oauth-client-provider-BfPFgQU0.js → do-oauth-client-provider-DDg8QrEA.js} +1 -1
package/dist/{do-oauth-client-provider-BfPFgQU0.js.map → do-oauth-client-provider-DDg8QrEA.js.map} +1 -1
package/dist/email-8ljcpvwV.d.ts +157 -0
package/dist/email-XHsSYsTO.js +223 -0
package/dist/email-XHsSYsTO.js.map +1 -0
package/dist/email.d.ts +30 -0
package/dist/email.js +3 -0
package/dist/{index-B7Ny-XfU.d.ts → index-N6791tVt.d.ts} +18 -3
package/dist/index.d.ts +543 -87
package/dist/index.js +6 -6
package/dist/{internal_context-neg89p5n.d.ts → internal_context-CEu5ji80.d.ts} +8 -3
package/dist/{internal_context-oN047Id3.js → internal_context-D9eKFth1.js} +1 -1
package/dist/internal_context-D9eKFth1.js.map +1 -0
package/dist/internal_context.d.ts +1 -1
package/dist/internal_context.js +1 -1
package/dist/mcp/client.d.ts +1 -1
package/dist/mcp/client.js +2 -2
package/dist/mcp/do-oauth-client-provider.d.ts +1 -1
package/dist/mcp/do-oauth-client-provider.js +1 -1
package/dist/mcp/index.d.ts +4 -2
package/dist/mcp/index.js +35 -35
package/dist/mcp/index.js.map +1 -1
package/dist/mcp/x402.d.ts +0 -1
package/dist/mcp/x402.js.map +1 -1
package/dist/{mcp-AK39tq6H.d.ts → mcp-BwPscEiF.d.ts} +1 -1
package/dist/observability/index.d.ts +1 -1
package/dist/observability/index.js +5 -5
package/dist/react.d.ts +70 -26
package/dist/react.js +83 -21
package/dist/react.js.map +1 -1
package/dist/schedule.d.ts +23 -2
package/dist/schedule.js +23 -1
package/dist/schedule.js.map +1 -1
package/dist/serializable.d.ts +68 -3
package/dist/src-CqnVUbg1.js +2146 -0
package/dist/src-CqnVUbg1.js.map +1 -0
package/dist/types-BITaDFf-.js +16 -0
package/dist/{types-4b5tlB0u.js.map → types-BITaDFf-.js.map} +1 -1
package/dist/{types-C5vR2Gzv.d.ts → types-DSSHBW6w.d.ts} +2 -1
package/dist/types.d.ts +1 -1
package/dist/types.js +1 -1
package/dist/utils-B49TmLCI.js +16 -0
package/dist/utils-B49TmLCI.js.map +1 -0
package/dist/utils.d.ts +10 -0
package/dist/utils.js +3 -0
package/dist/workflow-types-Z_Oem1FJ.d.ts +260 -0
package/dist/workflow-types.d.ts +48 -0
package/dist/workflow-types.js +16 -0
package/dist/workflow-types.js.map +1 -0
package/dist/workflows.d.ts +163 -0
package/dist/workflows.js +240 -0
package/dist/workflows.js.map +1 -0
package/package.json +22 -12
package/dist/client-0lfEZpSQ.js.map +0 -1
package/dist/client-CEO0P7vN.js +0 -117
package/dist/client-CEO0P7vN.js.map +0 -1
package/dist/internal_context-oN047Id3.js.map +0 -1
package/dist/src-C_iKczoR.js +0 -1191
package/dist/src-C_iKczoR.js.map +0 -1
package/dist/types-4b5tlB0u.js +0 -15

package/dist/email-XHsSYsTO.js ADDED Viewed

@@ -0,0 +1,223 @@
+//#region src/email.ts
+/**
+* Check if an email appears to be an auto-reply based on standard headers.
+* Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.
+*
+* @param headers - Headers array from postal-mime Email.headers or similar format
+* @returns true if email appears to be an auto-reply
+*
+* @example
+* ```typescript
+* if (isAutoReplyEmail(parsed.headers)) {
+*   // Skip processing auto-replies
+*   return;
+* }
+* ```
+*/
+function isAutoReplyEmail(headers) {
+	return headers.some((h) => {
+		const key = h.key.toLowerCase();
+		const value = h.value.toLowerCase();
+		if (key === "auto-submitted") return value !== "no";
+		if (key === "x-auto-response-suppress") return true;
+		if (key === "precedence") return value === "bulk" || value === "junk" || value === "list";
+		return false;
+	});
+}
+/** Default signature expiration: 30 days in seconds */
+const DEFAULT_MAX_AGE_SECONDS = 720 * 60 * 60;
+/** Maximum allowed clock skew for future timestamps: 5 minutes */
+const MAX_CLOCK_SKEW_SECONDS = 300;
+/**
+* Compute HMAC-SHA256 signature for agent routing headers
+* @param secret - Secret key for HMAC
+* @param agentName - Name of the agent
+* @param agentId - ID of the agent instance
+* @param timestamp - Unix timestamp in seconds
+* @returns Base64-encoded HMAC signature
+*/
+async function computeAgentSignature(secret, agentName, agentId, timestamp) {
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);
+	const signature = await crypto.subtle.sign("HMAC", key, data);
+	return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+/**
+* Verify HMAC-SHA256 signature for agent routing headers
+* @param secret - Secret key for HMAC
+* @param agentName - Name of the agent
+* @param agentId - ID of the agent instance
+* @param signature - Base64-encoded signature to verify
+* @param timestamp - Unix timestamp in seconds when signature was created
+* @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)
+* @returns Verification result with reason if invalid
+*/
+async function verifyAgentSignature(secret, agentName, agentId, signature, timestamp, maxAgeSeconds = DEFAULT_MAX_AGE_SECONDS) {
+	try {
+		const timestampNum = Number.parseInt(timestamp, 10);
+		if (Number.isNaN(timestampNum)) return {
+			valid: false,
+			reason: "malformed_timestamp"
+		};
+		const now = Math.floor(Date.now() / 1e3);
+		if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) return {
+			valid: false,
+			reason: "invalid"
+		};
+		if (now - timestampNum > maxAgeSeconds) return {
+			valid: false,
+			reason: "expired"
+		};
+		const expected = await computeAgentSignature(secret, agentName, agentId, timestamp);
+		if (expected.length !== signature.length) return {
+			valid: false,
+			reason: "invalid"
+		};
+		let result = 0;
+		for (let i = 0; i < expected.length; i++) result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
+		if (result !== 0) return {
+			valid: false,
+			reason: "invalid"
+		};
+		return { valid: true };
+	} catch (error) {
+		console.warn("[agents] Signature verification error:", error);
+		return {
+			valid: false,
+			reason: "invalid"
+		};
+	}
+}
+/**
+* Sign agent routing headers for secure reply flows.
+* Use this when sending outbound emails to ensure replies can be securely routed back.
+*
+* @param secret - Secret key for HMAC signing (store in environment variables)
+* @param agentName - Name of the agent
+* @param agentId - ID of the agent instance
+* @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts
+*
+* @example
+* ```typescript
+* const headers = await signAgentHeaders(env.EMAIL_SECRET, "MyAgent", this.name);
+* // Use these headers when sending outbound emails
+* ```
+*/
+async function signAgentHeaders(secret, agentName, agentId) {
+	if (!secret) throw new Error("secret is required for signing agent headers");
+	if (!agentName) throw new Error("agentName is required for signing agent headers");
+	if (!agentId) throw new Error("agentId is required for signing agent headers");
+	if (agentName.includes(":")) throw new Error("agentName cannot contain colons");
+	if (agentId.includes(":")) throw new Error("agentId cannot contain colons");
+	const timestamp = Math.floor(Date.now() / 1e3).toString();
+	const signature = await computeAgentSignature(secret, agentName, agentId, timestamp);
+	return {
+		"X-Agent-Name": agentName,
+		"X-Agent-ID": agentId,
+		"X-Agent-Sig": signature,
+		"X-Agent-Sig-Ts": timestamp
+	};
+}
+/**
+* @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).
+* @throws Always throws an error with migration guidance.
+*/
+function createHeaderBasedEmailResolver() {
+	throw new Error("createHeaderBasedEmailResolver has been removed due to a security vulnerability. It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\n\nMigration options:\n  - For inbound mail: use createAddressBasedEmailResolver(agentName)\n  - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\n\nSee https://github.com/cloudflare/agents/blob/main/docs/email.md for details.");
+}
+/**
+* Create a resolver for routing email replies with signature verification.
+* This resolver verifies that replies contain a valid HMAC signature, preventing
+* attackers from routing emails to arbitrary agent instances.
+*
+* @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)
+* @param options - Optional configuration for signature verification
+* @returns A function that resolves the agent to route the email to, or null if signature is invalid
+*
+* @example
+* ```typescript
+* // In your email handler
+* const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
+*   maxAge: 7 * 24 * 60 * 60, // 7 days
+*   onInvalidSignature: (email, reason) => {
+*     console.warn(`Invalid signature from ${email.from}: ${reason}`);
+*   }
+* });
+* const addressResolver = createAddressBasedEmailResolver("MyAgent");
+*
+* await routeAgentEmail(email, env, {
+*   resolver: async (email, env) => {
+*     // Try secure reply routing first
+*     const replyRouting = await secureResolver(email, env);
+*     if (replyRouting) return replyRouting;
+*     // Fall back to address-based routing
+*     return addressResolver(email, env);
+*   }
+* });
+* ```
+*/
+function createSecureReplyEmailResolver(secret, options) {
+	if (!secret) throw new Error("secret is required for createSecureReplyEmailResolver");
+	const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;
+	const onInvalidSignature = options?.onInvalidSignature;
+	return async (email, _env) => {
+		const agentName = email.headers.get("x-agent-name");
+		const agentId = email.headers.get("x-agent-id");
+		const signature = email.headers.get("x-agent-sig");
+		const timestamp = email.headers.get("x-agent-sig-ts");
+		if (!agentName || !agentId || !signature || !timestamp) {
+			onInvalidSignature?.(email, "missing_headers");
+			return null;
+		}
+		const result = await verifyAgentSignature(secret, agentName, agentId, signature, timestamp, maxAge);
+		if (!result.valid) {
+			onInvalidSignature?.(email, result.reason);
+			return null;
+		}
+		return {
+			agentName,
+			agentId,
+			_secureRouted: true
+		};
+	};
+}
+/**
+* Create a resolver that uses the email address to determine the agent to route the email to
+* @param defaultAgentName The default agent name to use if the email address does not contain a sub-address
+* @returns A function that resolves the agent to route the email to
+*/
+function createAddressBasedEmailResolver(defaultAgentName) {
+	return async (email, _env) => {
+		const emailMatch = email.to.match(/^([^+@]{1,64})(?:\+([^@]{1,64}))?@(.{1,253})$/);
+		if (!emailMatch) return null;
+		const [, localPart, subAddress] = emailMatch;
+		if (subAddress) return {
+			agentName: localPart,
+			agentId: subAddress
+		};
+		return {
+			agentName: defaultAgentName,
+			agentId: localPart
+		};
+	};
+}
+/**
+* Create a resolver that uses the agentName and agentId to determine the agent to route the email to
+* @param agentName The name of the agent to route the email to
+* @param agentId The id of the agent to route the email to
+* @returns A function that resolves the agent to route the email to
+*/
+function createCatchAllEmailResolver(agentName, agentId) {
+	return async () => ({
+		agentName,
+		agentId
+	});
+}
+//#endregion
+export { createSecureReplyEmailResolver as a, createHeaderBasedEmailResolver as i, createAddressBasedEmailResolver as n, isAutoReplyEmail as o, createCatchAllEmailResolver as r, signAgentHeaders as s, DEFAULT_MAX_AGE_SECONDS as t };
+//# sourceMappingURL=email-XHsSYsTO.js.map

package/dist/email-XHsSYsTO.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"email-XHsSYsTO.js","names":[],"sources":["../src/email.ts"],"sourcesContent":["/**\n * Email routing types, resolvers, and signing utilities for Agents\n */\n\n// Re-export AgentEmail type\nexport type { AgentEmail } from \"./internal_context\";\n\n// ============================================================================\n// Email header utilities\n// ============================================================================\n\n/**\n * Header object as returned by postal-mime and similar email parsing libraries.\n * Each header has a lowercase key and a string value.\n */\nexport type EmailHeader = {\n /** Lowercase header name (e.g., \"content-type\", \"x-custom-header\") */\n key: string;\n /** Header value */\n value: string;\n};\n\n/**\n * Check if an email appears to be an auto-reply based on standard headers.\n * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.\n *\n * @param headers - Headers array from postal-mime Email.headers or similar format\n * @returns true if email appears to be an auto-reply\n *\n * @example\n * ```typescript\n * if (isAutoReplyEmail(parsed.headers)) {\n * // Skip processing auto-replies\n * return;\n * }\n * ```\n */\nexport function isAutoReplyEmail(headers: EmailHeader[]): boolean {\n return headers.some((h) => {\n const key = h.key.toLowerCase();\n const value = h.value.toLowerCase();\n\n // RFC 3834: Auto-Submitted header\n // \"no\" means normal (human-sent) email, anything else indicates auto-reply\n if (key === \"auto-submitted\") {\n return value !== \"no\";\n }\n\n // X-Auto-Response-Suppress: any value indicates sender doesn't want auto-replies\n if (key === \"x-auto-response-suppress\") {\n return true;\n }\n\n // Precedence: only bulk/junk/list indicate automated/mass mail\n if (key === \"precedence\") {\n return value === \"bulk\" || value === \"junk\" || value === \"list\";\n }\n\n return false;\n });\n}\n\n// ============================================================================\n// Signing utilities\n// ============================================================================\n\n/** Default signature expiration: 30 days in seconds */\nexport const DEFAULT_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;\n\n/** Maximum allowed clock skew for future timestamps: 5 minutes */\nconst MAX_CLOCK_SKEW_SECONDS = 5 * 60;\n\n/**\n * Compute HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param timestamp - Unix timestamp in seconds\n * @returns Base64-encoded HMAC signature\n */\nasync function computeAgentSignature(\n secret: string,\n agentName: string,\n agentId: string,\n timestamp: string\n): Promise<string> {\n const encoder = new TextEncoder();\n const key = await crypto.subtle.importKey(\n \"raw\",\n encoder.encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"]\n );\n const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);\n const signature = await crypto.subtle.sign(\"HMAC\", key, data);\n return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n/**\n * Result of signature verification\n */\ntype SignatureVerificationResult =\n | { valid: true }\n | { valid: false; reason: \"expired\" | \"invalid\" | \"malformed_timestamp\" };\n\n/**\n * Verify HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param signature - Base64-encoded signature to verify\n * @param timestamp - Unix timestamp in seconds when signature was created\n * @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)\n * @returns Verification result with reason if invalid\n */\nasync function verifyAgentSignature(\n secret: string,\n agentName: string,\n agentId: string,\n signature: string,\n timestamp: string,\n maxAgeSeconds: number = DEFAULT_MAX_AGE_SECONDS\n): Promise<SignatureVerificationResult> {\n try {\n // Validate timestamp format\n const timestampNum = Number.parseInt(timestamp, 10);\n if (Number.isNaN(timestampNum)) {\n return { valid: false, reason: \"malformed_timestamp\" };\n }\n\n // Check timestamp validity\n const now = Math.floor(Date.now() / 1000);\n\n // Reject timestamps too far in the future (prevents extending signature validity)\n if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) {\n return { valid: false, reason: \"invalid\" };\n }\n\n // Check if signature has expired\n if (now - timestampNum > maxAgeSeconds) {\n return { valid: false, reason: \"expired\" };\n }\n\n const expected = await computeAgentSignature(\n secret,\n agentName,\n agentId,\n timestamp\n );\n // Constant-time comparison to prevent timing attacks\n if (expected.length !== signature.length) {\n return { valid: false, reason: \"invalid\" };\n }\n let result = 0;\n for (let i = 0; i < expected.length; i++) {\n result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n }\n if (result !== 0) {\n return { valid: false, reason: \"invalid\" };\n }\n return { valid: true };\n } catch (error) {\n console.warn(\"[agents] Signature verification error:\", error);\n return { valid: false, reason: \"invalid\" };\n }\n}\n\n/**\n * Sign agent routing headers for secure reply flows.\n * Use this when sending outbound emails to ensure replies can be securely routed back.\n *\n * @param secret - Secret key for HMAC signing (store in environment variables)\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts\n *\n * @example\n * ```typescript\n * const headers = await signAgentHeaders(env.EMAIL_SECRET, \"MyAgent\", this.name);\n * // Use these headers when sending outbound emails\n * ```\n */\nexport async function signAgentHeaders(\n secret: string,\n agentName: string,\n agentId: string\n): Promise<Record<string, string>> {\n if (!secret) {\n throw new Error(\"secret is required for signing agent headers\");\n }\n if (!agentName) {\n throw new Error(\"agentName is required for signing agent headers\");\n }\n if (!agentId) {\n throw new Error(\"agentId is required for signing agent headers\");\n }\n // Reject colons to prevent signature confusion attacks\n // (signature payload uses colon as delimiter: \"agentName:agentId:timestamp\")\n if (agentName.includes(\":\")) {\n throw new Error(\"agentName cannot contain colons\");\n }\n if (agentId.includes(\":\")) {\n throw new Error(\"agentId cannot contain colons\");\n }\n\n const timestamp = Math.floor(Date.now() / 1000).toString();\n const signature = await computeAgentSignature(\n secret,\n agentName,\n agentId,\n timestamp\n );\n return {\n \"X-Agent-Name\": agentName,\n \"X-Agent-ID\": agentId,\n \"X-Agent-Sig\": signature,\n \"X-Agent-Sig-Ts\": timestamp\n };\n}\n\n// ============================================================================\n// Email routing types and resolvers\n// ============================================================================\n\nexport type EmailResolverResult = {\n agentName: string;\n agentId: string;\n /** @internal Indicates this resolver requires secure reply signing */\n _secureRouted?: boolean;\n} | null;\n\nexport type EmailResolver<Env> = (\n email: ForwardableEmailMessage,\n env: Env\n) => Promise<EmailResolverResult>;\n\n/**\n * Reason for signature verification failure\n */\nexport type SignatureFailureReason =\n | \"missing_headers\"\n | \"expired\"\n | \"invalid\"\n | \"malformed_timestamp\";\n\n/**\n * Options for createSecureReplyEmailResolver\n */\nexport type SecureReplyResolverOptions = {\n /**\n * Maximum age of signature in seconds.\n * Signatures older than this will be rejected.\n * Default: 30 days (2592000 seconds)\n */\n maxAge?: number;\n /**\n * Callback invoked when signature verification fails.\n * Useful for logging and debugging.\n */\n onInvalidSignature?: (\n email: ForwardableEmailMessage,\n reason: SignatureFailureReason\n ) => void;\n};\n\n/**\n * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).\n * @throws Always throws an error with migration guidance.\n */\nexport function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env> {\n throw new Error(\n \"createHeaderBasedEmailResolver has been removed due to a security vulnerability. \" +\n \"It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\\n\\n\" +\n \"Migration options:\\n\" +\n \" - For inbound mail: use createAddressBasedEmailResolver(agentName)\\n\" +\n \" - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\\n\\n\" +\n \"See https://github.com/cloudflare/agents/blob/main/docs/email.md for details.\"\n );\n}\n\n/**\n * Create a resolver for routing email replies with signature verification.\n * This resolver verifies that replies contain a valid HMAC signature, preventing\n * attackers from routing emails to arbitrary agent instances.\n *\n * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)\n * @param options - Optional configuration for signature verification\n * @returns A function that resolves the agent to route the email to, or null if signature is invalid\n *\n * @example\n * ```typescript\n * // In your email handler\n * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {\n * maxAge: 7 * 24 * 60 * 60, // 7 days\n * onInvalidSignature: (email, reason) => {\n * console.warn(`Invalid signature from ${email.from}: ${reason}`);\n * }\n * });\n * const addressResolver = createAddressBasedEmailResolver(\"MyAgent\");\n *\n * await routeAgentEmail(email, env, {\n * resolver: async (email, env) => {\n * // Try secure reply routing first\n * const replyRouting = await secureResolver(email, env);\n * if (replyRouting) return replyRouting;\n * // Fall back to address-based routing\n * return addressResolver(email, env);\n * }\n * });\n * ```\n */\nexport function createSecureReplyEmailResolver<Env>(\n secret: string,\n options?: SecureReplyResolverOptions\n): EmailResolver<Env> {\n if (!secret) {\n throw new Error(\"secret is required for createSecureReplyEmailResolver\");\n }\n\n const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;\n const onInvalidSignature = options?.onInvalidSignature;\n\n return async (email: ForwardableEmailMessage, _env: Env) => {\n const agentName = email.headers.get(\"x-agent-name\");\n const agentId = email.headers.get(\"x-agent-id\");\n const signature = email.headers.get(\"x-agent-sig\");\n const timestamp = email.headers.get(\"x-agent-sig-ts\");\n\n if (!agentName || !agentId || !signature || !timestamp) {\n onInvalidSignature?.(email, \"missing_headers\");\n return null;\n }\n\n const result = await verifyAgentSignature(\n secret,\n agentName,\n agentId,\n signature,\n timestamp,\n maxAge\n );\n\n if (!result.valid) {\n onInvalidSignature?.(email, result.reason);\n return null;\n }\n\n return { agentName, agentId, _secureRouted: true };\n };\n}\n\n/**\n * Create a resolver that uses the email address to determine the agent to route the email to\n * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address\n * @returns A function that resolves the agent to route the email to\n */\nexport function createAddressBasedEmailResolver<Env>(\n defaultAgentName: string\n): EmailResolver<Env> {\n return async (email: ForwardableEmailMessage, _env: Env) => {\n // Length limits per RFC 5321: local part max 64 chars, domain max 253 chars\n const emailMatch = email.to.match(\n /^([^+@]{1,64})(?:\\+([^@]{1,64}))?@(.{1,253})$/\n );\n if (!emailMatch) {\n return null;\n }\n\n const [, localPart, subAddress] = emailMatch;\n\n if (subAddress) {\n return {\n agentName: localPart,\n agentId: subAddress\n };\n }\n\n // Option 2: Use defaultAgentName namespace, localPart as agentId\n // Common for catch-all email routing to a single EmailAgent namespace\n return {\n agentName: defaultAgentName,\n agentId: localPart\n };\n };\n}\n\n/**\n * Create a resolver that uses the agentName and agentId to determine the agent to route the email to\n * @param agentName The name of the agent to route the email to\n * @param agentId The id of the agent to route the email to\n * @returns A function that resolves the agent to route the email to\n */\nexport function createCatchAllEmailResolver<Env>(\n agentName: string,\n agentId: string\n): EmailResolver<Env> {\n return async () => ({ agentName, agentId });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAqCA,SAAgB,iBAAiB,SAAiC;AAChE,QAAO,QAAQ,MAAM,MAAM;EACzB,MAAM,MAAM,EAAE,IAAI,aAAa;EAC/B,MAAM,QAAQ,EAAE,MAAM,aAAa;AAInC,MAAI,QAAQ,iBACV,QAAO,UAAU;AAInB,MAAI,QAAQ,2BACV,QAAO;AAIT,MAAI,QAAQ,aACV,QAAO,UAAU,UAAU,UAAU,UAAU,UAAU;AAG3D,SAAO;GACP;;;AAQJ,MAAa,0BAA0B,MAAU,KAAK;;AAGtD,MAAM,yBAAyB;;;;;;;;;AAU/B,eAAe,sBACb,QACA,WACA,SACA,WACiB;CACjB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACT;CACD,MAAM,OAAO,QAAQ,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,YAAY;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,KAAK;AAC7D,QAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,UAAU,CAAC,CAAC;;;;;;;;;;;;AAoBhE,eAAe,qBACb,QACA,WACA,SACA,WACA,WACA,gBAAwB,yBACc;AACtC,KAAI;EAEF,MAAM,eAAe,OAAO,SAAS,WAAW,GAAG;AACnD,MAAI,OAAO,MAAM,aAAa,CAC5B,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAuB;EAIxD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAGzC,MAAI,eAAe,MAAM,uBACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAI5C,MAAI,MAAM,eAAe,cACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAG5C,MAAM,WAAW,MAAM,sBACrB,QACA,WACA,SACA,UACD;AAED,MAAI,SAAS,WAAW,UAAU,OAChC,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAE5C,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,IACnC,WAAU,SAAS,WAAW,EAAE,GAAG,UAAU,WAAW,EAAE;AAE5D,MAAI,WAAW,EACb,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAE5C,SAAO,EAAE,OAAO,MAAM;UACf,OAAO;AACd,UAAQ,KAAK,0CAA0C,MAAM;AAC7D,SAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;;;;;;;;;;;;;;;;;;AAmB9C,eAAsB,iBACpB,QACA,WACA,SACiC;AACjC,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,+CAA+C;AAEjE,KAAI,CAAC,UACH,OAAM,IAAI,MAAM,kDAAkD;AAEpE,KAAI,CAAC,QACH,OAAM,IAAI,MAAM,gDAAgD;AAIlE,KAAI,UAAU,SAAS,IAAI,CACzB,OAAM,IAAI,MAAM,kCAAkC;AAEpD,KAAI,QAAQ,SAAS,IAAI,CACvB,OAAM,IAAI,MAAM,gCAAgC;CAGlD,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,CAAC,UAAU;CAC1D,MAAM,YAAY,MAAM,sBACtB,QACA,WACA,SACA,UACD;AACD,QAAO;EACL,gBAAgB;EAChB,cAAc;EACd,eAAe;EACf,kBAAkB;EACnB;;;;;;AAoDH,SAAgB,iCAA0D;AACxE,OAAM,IAAI,MACR,saAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCH,SAAgB,+BACd,QACA,SACoB;AACpB,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,wDAAwD;CAG1E,MAAM,SAAS,SAAS,UAAU;CAClC,MAAM,qBAAqB,SAAS;AAEpC,QAAO,OAAO,OAAgC,SAAc;EAC1D,MAAM,YAAY,MAAM,QAAQ,IAAI,eAAe;EACnD,MAAM,UAAU,MAAM,QAAQ,IAAI,aAAa;EAC/C,MAAM,YAAY,MAAM,QAAQ,IAAI,cAAc;EAClD,MAAM,YAAY,MAAM,QAAQ,IAAI,iBAAiB;AAErD,MAAI,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,WAAW;AACtD,wBAAqB,OAAO,kBAAkB;AAC9C,UAAO;;EAGT,MAAM,SAAS,MAAM,qBACnB,QACA,WACA,SACA,WACA,WACA,OACD;AAED,MAAI,CAAC,OAAO,OAAO;AACjB,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO;;AAGT,SAAO;GAAE;GAAW;GAAS,eAAe;GAAM;;;;;;;;AAStD,SAAgB,gCACd,kBACoB;AACpB,QAAO,OAAO,OAAgC,SAAc;EAE1D,MAAM,aAAa,MAAM,GAAG,MAC1B,gDACD;AACD,MAAI,CAAC,WACH,QAAO;EAGT,MAAM,GAAG,WAAW,cAAc;AAElC,MAAI,WACF,QAAO;GACL,WAAW;GACX,SAAS;GACV;AAKH,SAAO;GACL,WAAW;GACX,SAAS;GACV;;;;;;;;;AAUL,SAAgB,4BACd,WACA,SACoB;AACpB,QAAO,aAAa;EAAE;EAAW;EAAS"}

package/dist/email.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { n as AgentEmail } from "./internal_context-CEu5ji80.js";
+import {
+  a as SecureReplyResolverOptions,
+  c as createCatchAllEmailResolver,
+  d as isAutoReplyEmail,
+  f as signAgentHeaders,
+  i as EmailResolverResult,
+  l as createHeaderBasedEmailResolver,
+  n as EmailHeader,
+  o as SignatureFailureReason,
+  r as EmailResolver,
+  s as createAddressBasedEmailResolver,
+  t as DEFAULT_MAX_AGE_SECONDS,
+  u as createSecureReplyEmailResolver
+} from "./email-8ljcpvwV.js";
+export {
+  AgentEmail,
+  DEFAULT_MAX_AGE_SECONDS,
+  EmailHeader,
+  EmailResolver,
+  EmailResolverResult,
+  SecureReplyResolverOptions,
+  SignatureFailureReason,
+  createAddressBasedEmailResolver,
+  createCatchAllEmailResolver,
+  createHeaderBasedEmailResolver,
+  createSecureReplyEmailResolver,
+  isAutoReplyEmail,
+  signAgentHeaders
+};

package/dist/email.js ADDED Viewed

@@ -0,0 +1,3 @@
+import { a as createSecureReplyEmailResolver, i as createHeaderBasedEmailResolver, n as createAddressBasedEmailResolver, o as isAutoReplyEmail, r as createCatchAllEmailResolver, s as signAgentHeaders, t as DEFAULT_MAX_AGE_SECONDS } from "./email-XHsSYsTO.js";
+export { DEFAULT_MAX_AGE_SECONDS, createAddressBasedEmailResolver, createCatchAllEmailResolver, createHeaderBasedEmailResolver, createSecureReplyEmailResolver, isAutoReplyEmail, signAgentHeaders };

package/dist/{index-B7Ny-XfU.d.ts → index-N6791tVt.d.ts} RENAMED Viewed

@@ -1,7 +1,6 @@
-import { n as BaseEvent, t as MCPObservabilityEvent } from "./mcp-AK39tq6H.js";
+import { n as BaseEvent, t as MCPObservabilityEvent } from "./mcp-BwPscEiF.js";
 //#region src/observability/agent.d.ts
 /**
  * Agent-specific observability events
  * These track the lifecycle and operations of an Agent
@@ -30,6 +29,22 @@ type AgentObservabilityEvent =
       {
         connectionId: string;
       }
+    >
+  | BaseEvent<
+      | "workflow:start"
+      | "workflow:event"
+      | "workflow:approved"
+      | "workflow:rejected"
+      | "workflow:terminated"
+      | "workflow:paused"
+      | "workflow:resumed"
+      | "workflow:restarted",
+      {
+        workflowId: string;
+        workflowName?: string;
+        eventType?: string;
+        reason?: string;
+      }
     >;
 //#endregion
 //#region src/observability/index.d.ts
@@ -55,4 +70,4 @@ export {
   genericObservability as r,
   Observability as t
 };
-//# sourceMappingURL=index-B7Ny-XfU.d.ts.map
+//# sourceMappingURL=index-N6791tVt.d.ts.map