mop-agent 0.1.6 → 0.1.7

package/README.md

@@ -5,7 +5,7 @@ through MOP-FLOW. It stores project memory, performs semantic recall and
 consolidation, serves grounded chat, and can request approved actions from a
 linked FLOW node.
 
-> **Release status:** npm package `mop-agent@0.1.6` contains the corrected VPS
+> **Release status:** npm package `mop-agent@0.1.7` contains the corrected VPS
 > installer and first-run Admin/Assistant flow. The canonical installation command is
 > exactly `npx mop-agent`.
 

package/apps/web/app/api/setup/status/route.ts

@@ -3,5 +3,13 @@ import { auth, ownerExists } from "@/lib/auth";
 
 export async function GET(req: Request): Promise<Response> {
   const session = await auth.api.getSession({ headers: req.headers });
-  return Response.json({ ownerExists: ownerExists(), authenticated: !!session });
+  return Response.json(
+    { ownerExists: ownerExists(), authenticated: !!session },
+    {
+      headers: {
+        "Cache-Control": "private, no-store, no-cache, max-age=0, must-revalidate",
+        "Vary": "Cookie",
+      },
+    },
+  );
 }

package/apps/web/app/assistant/layout.tsx

@@ -1,6 +1,9 @@
 import type { ReactNode } from "react";
 import { requirePageSession } from "@/lib/page-auth";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 export default async function AssistantLayout({ children }: { children: ReactNode }) {
   await requirePageSession();
   return children;

package/apps/web/app/brain/layout.tsx

@@ -1,6 +1,9 @@
 import type { ReactNode } from "react";
 import { requirePageSession } from "@/lib/page-auth";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 export default async function BrainLayout({ children }: { children: ReactNode }) {
   await requirePageSession();
   return children;

package/apps/web/app/chat/layout.tsx

@@ -1,6 +1,9 @@
 import type { ReactNode } from "react";
 import { requirePageSession } from "@/lib/page-auth";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 export default async function ChatLayout({ children }: { children: ReactNode }) {
   await requirePageSession();
   return children;

package/apps/web/app/page.tsx

@@ -1,6 +1,9 @@
 import { requirePageSession } from "@/lib/page-auth";
 import { redirect } from "next/navigation";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 /**
  * Product entry point. First-run and signed-out users belong in the account
  * setup flow; authenticated users land in the assistant, not the Brain tools.

package/apps/web/app/settings/layout.tsx

@@ -1,6 +1,9 @@
 import type { ReactNode } from "react";
 import { requirePageSession } from "@/lib/page-auth";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 export default async function SettingsLayout({ children }: { children: ReactNode }) {
   await requirePageSession();
   return children;

package/apps/web/app/setup/page.tsx

@@ -3,6 +3,30 @@
 import { useEffect, useState } from "react";
 import { signIn, signUp } from "@/lib/auth-client";
 
+type SetupStatus = { ownerExists: boolean; authenticated: boolean };
+
+async function getSetupStatus(): Promise<SetupStatus> {
+  const response = await fetch(`/api/setup/status?t=${Date.now()}`, {
+    cache: "no-store",
+    credentials: "include",
+    headers: { "cache-control": "no-cache" },
+  });
+  if (!response.ok) throw new Error(`setup status ${response.status}`);
+  return response.json() as Promise<SetupStatus>;
+}
+
+async function waitForSession(): Promise<boolean> {
+  for (let attempt = 0; attempt < 5; attempt += 1) {
+    try {
+      if ((await getSetupStatus()).authenticated) return true;
+    } catch {
+      // A short deployment/network gap should not strand the form in busy mode.
+    }
+    await new Promise((resolve) => setTimeout(resolve, 250));
+  }
+  return false;
+}
+
 export default function SetupPage() {
   const [ownerExists, setOwnerExists] = useState<boolean | null>(null);
   const [email, setEmail] = useState("");
@@ -13,11 +37,10 @@ export default function SetupPage() {
   const [mode, setMode] = useState<"signup" | "signin">("signup");
 
   useEffect(() => {
-    fetch("/api/setup/status")
-      .then((r) => r.json() as Promise<{ ownerExists: boolean; authenticated: boolean }>)
+    getSetupStatus()
       .then((status) => {
         if (status.authenticated) {
-          window.location.replace("/assistant");
+          window.location.replace(`/assistant?auth=${Date.now()}`);
           return;
         }
         setOwnerExists(status.ownerExists);
@@ -38,8 +61,26 @@ export default function SetupPage() {
         setBusy(false);
         return;
       }
-      // Better Auth creates the first session together with the owner account.
-      window.location.replace("/assistant");
+      // Verify the cookie before entering a server-protected route. If the
+      // signup response did not establish it, explicitly sign in once.
+      if (!(await waitForSession())) {
+        const login = await signIn.email({ email, password });
+        if (login.error) {
+          setMode("signin");
+          setOwnerExists(true);
+          setMsg(login.error.message ?? "Admin created, but sign in failed. Please sign in below.");
+          setBusy(false);
+          return;
+        }
+      }
+      if (await waitForSession()) {
+        window.location.replace(`/assistant?auth=${Date.now()}`);
+        return;
+      }
+      setMode("signin");
+      setOwnerExists(true);
+      setMsg("Admin created, but the session cookie was not accepted. Please sign in again.");
+      setBusy(false);
       return;
     }
 
@@ -49,7 +90,12 @@ export default function SetupPage() {
       setBusy(false);
       return;
     }
-    window.location.replace("/assistant");
+    if (await waitForSession()) {
+      window.location.replace(`/assistant?auth=${Date.now()}`);
+      return;
+    }
+    setMsg("Sign in succeeded, but the session cookie was not accepted. Check that you are using the configured HTTPS domain.");
+    setBusy(false);
   }
 
   const loading = ownerExists === null && !msg;

package/apps/web/app/team/layout.tsx

@@ -1,6 +1,9 @@
 import type { ReactNode } from "react";
 import { requirePageSession } from "@/lib/page-auth";
 
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
 export default async function TeamLayout({ children }: { children: ReactNode }) {
   await requirePageSession();
   return children;

package/apps/web/lib/page-auth.ts

@@ -1,9 +1,12 @@
 import { auth, ownerExists } from "@/lib/auth";
 import { headers } from "next/headers";
 import { redirect } from "next/navigation";
+import { unstable_noStore as noStore } from "next/cache";
 
 /** Server-side guard for authenticated application pages. */
 export async function requirePageSession() {
+  // Auth redirects are cookie-specific and must never enter Next's route cache.
+  noStore();
   if (!ownerExists()) redirect("/setup");
 
   const session = await auth.api.getSession({ headers: await headers() });

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "mop-agent",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "mop-agent",
-      "version": "0.1.6",
+      "version": "0.1.7",
       "license": "UNLICENSED",
       "workspaces": [
         "packages/*",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mop-agent",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Self-hosted AI assistant with persistent cross-project memory, installed with npx mop-agent.",
   "author": "BURHANDEV ENTERPRISE",
   "license": "UNLICENSED",