veryfront 0.1.130 → 0.1.131

package/esm/cli/auth/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/login.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,iBAAiB,EAAwB,MAAM,2BAA2B,CAAC;AACzF,OAAO,EAAE,WAAW,EAAoB,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAQjG,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,OAAO,CAAC;AAErE,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AASD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAgB3E;AA8ID,wBAAsB,KAAK,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA8BzE;AAED,wBAAsB,mBAAmB,CACvC,GAAG,GAAE,iBAA0C,GAC9C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAqB1B;AAED,wBAAsB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAI5C;AAED,wBAAsB,MAAM,CAC1B,GAAG,GAAE,iBAA0C,GAC9C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAuC1B;AAED,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/login.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,iBAAiB,EAAwB,MAAM,2BAA2B,CAAC;AACzF,OAAO,EAAE,WAAW,EAAoB,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAQjG,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,OAAO,CAAC;AAErE,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AASD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAgB3E;AA8ID,wBAAsB,KAAK,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA8BzE;AAED,wBAAsB,mBAAmB,CACvC,GAAG,GAAE,iBAA0C,GAC9C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAqB1B;AAED,wBAAsB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAI5C;AAED,wBAAsB,MAAM,CAC1B,GAAG,GAAE,iBAA0C,GAC9C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAmD1B;AAED,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC"}

package/esm/cli/auth/login.js

@@ -238,6 +238,17 @@ export async function whoami(env = getEnvironmentConfig()) {
     console.log();
     console.log("  " + warning("✗") + " Not logged in");
     console.log("  " + dim("Run 'veryfront login' to authenticate"));
+    // Show provider tokens
+    try {
+        const { listProviderTokens } = await import("./provider-store.js");
+        const providers = await listProviderTokens();
+        for (const p of providers) {
+            console.log("  " + success("✓") + ` ${p} API key configured`);
+        }
+    }
+    catch {
+        // Provider store not available
+    }
     return null;
 }
 export { deleteToken, hasToken, readToken, saveToken };

package/esm/cli/auth/provider-store.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Provider-namespaced token storage for AI provider API keys.
+ *
+ * Stores API keys as plaintext with 0600 permissions in
+ * ~/.config/veryfront/tokens/<provider>. Same security model
+ * as the existing platform token in ~/.config/veryfront/token.
+ *
+ * @module cli/auth/provider-store
+ */
+export type ProviderName = "anthropic" | "openai";
+export interface ProviderCredential {
+    apiKey: string;
+    validatedAt: string;
+    provider: ProviderName;
+}
+export declare function saveProviderToken(provider: ProviderName, credential: ProviderCredential): Promise<void>;
+export declare function readProviderToken(provider: ProviderName): Promise<ProviderCredential | null>;
+export declare function deleteProviderToken(provider: ProviderName): Promise<void>;
+export declare function listProviderTokens(): Promise<ProviderName[]>;
+//# sourceMappingURL=provider-store.d.ts.map

package/esm/cli/auth/provider-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-store.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/provider-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,QAAQ,CAAC;AAElD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAUD,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,kBAAkB,GAC7B,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAQpC;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,YAAY,GACrB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,CAgBlE"}

package/esm/cli/auth/provider-store.js

@@ -0,0 +1,62 @@
+/**
+ * Provider-namespaced token storage for AI provider API keys.
+ *
+ * Stores API keys as plaintext with 0600 permissions in
+ * ~/.config/veryfront/tokens/<provider>. Same security model
+ * as the existing platform token in ~/.config/veryfront/token.
+ *
+ * @module cli/auth/provider-store
+ */
+import { getEnvironmentConfig } from "../../src/config/index.js";
+import { join } from "../../src/platform/compat/path/index.js";
+import { createFileSystem } from "../../src/platform/index.js";
+function getTokenDir() {
+    const env = getEnvironmentConfig();
+    const configDir = env.xdgConfigHome
+        ? join(env.xdgConfigHome, "veryfront")
+        : join(env.homeDir, ".config", "veryfront");
+    return join(configDir, "tokens");
+}
+export async function saveProviderToken(provider, credential) {
+    const fs = createFileSystem();
+    const dir = getTokenDir();
+    await fs.mkdir(dir, { recursive: true });
+    const path = join(dir, provider);
+    await fs.writeTextFile(path, JSON.stringify(credential));
+    await fs.chmod(path, 0o600);
+}
+export async function readProviderToken(provider) {
+    const fs = createFileSystem();
+    try {
+        const raw = await fs.readTextFile(join(getTokenDir(), provider));
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+export async function deleteProviderToken(provider) {
+    const fs = createFileSystem();
+    try {
+        await fs.remove(join(getTokenDir(), provider));
+    }
+    catch {
+        // Token doesn't exist — fine
+    }
+}
+export async function listProviderTokens() {
+    const fs = createFileSystem();
+    const providers = [];
+    try {
+        for await (const entry of fs.readDir(getTokenDir())) {
+            if (entry.isFile &&
+                (entry.name === "anthropic" || entry.name === "openai")) {
+                providers.push(entry.name);
+            }
+        }
+    }
+    catch {
+        // Directory doesn't exist
+    }
+    return providers;
+}

package/esm/cli/auth/providers/anthropic.d.ts

@@ -0,0 +1,2 @@
+export declare function loginAnthropic(): Promise<boolean>;
+//# sourceMappingURL=anthropic.d.ts.map

package/esm/cli/auth/providers/anthropic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../../../src/cli/auth/providers/anthropic.ts"],"names":[],"mappings":"AAKA,wBAAsB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC,CAwCvD"}

package/esm/cli/auth/providers/anthropic.js

@@ -0,0 +1,37 @@
+import * as dntShim from "../../../_dnt.shims.js";
+import { logError, logSuccess, promptPassword } from "../../utils/index.js";
+import { saveProviderToken } from "../provider-store.js";
+import { dim } from "../../ui/colors.js";
+export async function loginAnthropic() {
+    console.log(`\n  Enter your Anthropic API key.`);
+    console.log(`  ${dim("Get one at: https://console.anthropic.com/settings/keys")}\n`);
+    const apiKey = promptPassword("  API key: ");
+    if (!apiKey) {
+        logError("No API key provided.");
+        return false;
+    }
+    try {
+        const resp = await dntShim.fetch("https://api.anthropic.com/v1/models", {
+            headers: {
+                "x-api-key": apiKey,
+                "anthropic-version": "2023-06-01",
+            },
+        });
+        if (!resp.ok) {
+            logError(`Invalid API key (HTTP ${resp.status}). Check your key at console.anthropic.com`);
+            return false;
+        }
+    }
+    catch (e) {
+        logError(`Failed to validate key: ${e instanceof Error ? e.message : String(e)}`);
+        return false;
+    }
+    const credential = {
+        apiKey,
+        validatedAt: new Date().toISOString(),
+        provider: "anthropic",
+    };
+    await saveProviderToken("anthropic", credential);
+    logSuccess("Anthropic API key configured");
+    return true;
+}

package/esm/cli/auth/providers/openai.d.ts

@@ -0,0 +1,2 @@
+export declare function loginOpenAI(baseUrl?: string): Promise<boolean>;
+//# sourceMappingURL=openai.d.ts.map

package/esm/cli/auth/providers/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../../src/cli/auth/providers/openai.ts"],"names":[],"mappings":"AAKA,wBAAsB,WAAW,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAuCpE"}

package/esm/cli/auth/providers/openai.js

@@ -0,0 +1,35 @@
+import * as dntShim from "../../../_dnt.shims.js";
+import { logError, logSuccess, promptPassword } from "../../utils/index.js";
+import { saveProviderToken } from "../provider-store.js";
+import { dim } from "../../ui/colors.js";
+export async function loginOpenAI(baseUrl) {
+    console.log(`\n  Enter your OpenAI API key.`);
+    console.log(`  ${dim("Get one at: https://platform.openai.com/api-keys")}\n`);
+    const apiKey = promptPassword("  API key: ");
+    if (!apiKey) {
+        logError("No API key provided.");
+        return false;
+    }
+    const endpoint = baseUrl ?? "https://api.openai.com";
+    try {
+        const resp = await dntShim.fetch(`${endpoint}/v1/models`, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+        });
+        if (!resp.ok) {
+            logError(`Invalid API key (HTTP ${resp.status}). Check your key at platform.openai.com`);
+            return false;
+        }
+    }
+    catch (e) {
+        logError(`Failed to validate key: ${e instanceof Error ? e.message : String(e)}`);
+        return false;
+    }
+    const credential = {
+        apiKey,
+        validatedAt: new Date().toISOString(),
+        provider: "openai",
+    };
+    await saveProviderToken("openai", credential);
+    logSuccess("OpenAI API key configured");
+    return true;
+}

package/esm/cli/auth/utils.d.ts

@@ -5,8 +5,13 @@
  */
 import type { AuthMethod } from "./login.js";
 import type { ParsedArgs } from "../shared/types.js";
+import type { ProviderName } from "./provider-store.js";
 /**
  * Parse login method from CLI arguments
  */
 export declare function parseLoginMethod(args: ParsedArgs): AuthMethod | undefined;
+/**
+ * Parse --provider flag from CLI arguments
+ */
+export declare function parseProvider(args: ParsedArgs): ProviderName | undefined;
 //# sourceMappingURL=utils.d.ts.map

package/esm/cli/auth/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,UAAU,GACf,UAAU,GAAG,SAAS,CAMxB"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/cli/auth/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAExD;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,UAAU,GACf,UAAU,GAAG,SAAS,CAMxB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,YAAY,GAAG,SAAS,CAIxE"}

package/esm/cli/auth/utils.js

@@ -17,3 +17,12 @@ export function parseLoginMethod(args) {
         return "token";
     return undefined;
 }
+/**
+ * Parse --provider flag from CLI arguments
+ */
+export function parseProvider(args) {
+    const provider = args.provider;
+    if (provider === "anthropic" || provider === "openai")
+        return provider;
+    return undefined;
+}

package/esm/cli/router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/cli/router.ts"],"names":[],"mappings":"AA0DA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAmEpD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0FlE"}
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/cli/router.ts"],"names":[],"mappings":"AA0DA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AA0FpD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0FlE"}

package/esm/cli/router.js

@@ -76,9 +76,30 @@ const commands = {
     "deploy": handleDeployCommand,
     "up": handleUpCommand,
     "login": async (args) => {
+        const { parseProvider } = await import("./auth/utils.js");
+        const provider = parseProvider(args);
+        if (provider === "anthropic") {
+            const { loginAnthropic } = await import("./auth/providers/anthropic.js");
+            await loginAnthropic();
+            return;
+        }
+        if (provider === "openai") {
+            const { loginOpenAI } = await import("./auth/providers/openai.js");
+            await loginOpenAI(args["base-url"]);
+            return;
+        }
         await login(parseLoginMethod(args));
     },
-    "logout": async () => {
+    "logout": async (args) => {
+        const { parseProvider } = await import("./auth/utils.js");
+        const provider = parseProvider(args);
+        if (provider) {
+            const { deleteProviderToken } = await import("./auth/provider-store.js");
+            await deleteProviderToken(provider);
+            const { logSuccess } = await import("./utils/index.js");
+            logSuccess(`${provider} API key removed`);
+            return;
+        }
         await logout();
     },
     "whoami": async () => {

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "veryfront",
-    "version": "0.1.130",
+    "version": "0.1.131",
     "license": "Apache-2.0",
     "nodeModulesDir": "auto",
     "exclude": [

package/esm/src/channels/control-plane.js

@@ -148,13 +148,13 @@ function resolveAgentSkills(agent) {
     }))
         .sort((left, right) => left.name.localeCompare(right.name));
 }
-function getRuntimeAgentMetadata(agent) {
+function getRuntimeAgentMetadata(id, agent) {
     const rawConfig = agent.config;
     return RuntimeAgentSchema.parse({
-        id: agent.id,
+        id,
         name: typeof rawConfig.name === "string" && rawConfig.name.trim().length > 0
             ? rawConfig.name
-            : agent.id,
+            : id,
         description: typeof rawConfig.description === "string" ? rawConfig.description : null,
         model: agent.config.model ?? null,
         version: typeof rawConfig.version === "string" ? rawConfig.version : null,
@@ -164,9 +164,9 @@ function getRuntimeAgentMetadata(agent) {
 export async function listRuntimeAgents(ctx, deps) {
     await deps.ensureProjectDiscovery(ctx);
     const agents = deps.getAllAgentIds()
-        .map((id) => deps.getAgent(id))
-        .filter((agent) => Boolean(agent))
-        .map(getRuntimeAgentMetadata)
+        .map((id) => ({ id, agent: deps.getAgent(id) }))
+        .filter((entry) => Boolean(entry.agent))
+        .map(({ id, agent }) => getRuntimeAgentMetadata(id, agent))
         .sort((left, right) => left.name.localeCompare(right.name));
     return RuntimeAgentListResponseSchema.parse({ agents });
 }

package/esm/src/discovery/handlers/agent-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"agent-handler.d.ts","sourceRoot":"","sources":["../../../../src/src/discovery/handlers/agent-handler.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAElD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,eAAO,MAAM,YAAY,EAAE,gBAAgB,CAAC,KAAK,CAWhD,CAAC"}
+{"version":3,"file":"agent-handler.d.ts","sourceRoot":"","sources":["../../../../src/src/discovery/handlers/agent-handler.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAGlD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD,eAAO,MAAM,YAAY,EAAE,gBAAgB,CAAC,KAAK,CAmBhD,CAAC"}

package/esm/src/discovery/handlers/agent-handler.js

@@ -2,12 +2,21 @@
  * Agent Discovery Handler
  */
 import { registerAgent } from "../../agent/index.js";
+import { agentRegistry } from "../../agent/composition/index.js";
 import { filenameToId, trackAgentPath } from "../discovery-utils.js";
 export const agentHandler = {
     typeName: "agent",
     validate: (item) => item !== null && typeof item === "object" && typeof item.generate === "function",
-    getId: (agent, file) => agent.id || filenameToId(file),
+    getId: (agent, file) => {
+        const configuredId = agent.config.id;
+        return typeof configuredId === "string" && configuredId.trim().length > 0
+            ? configuredId
+            : filenameToId(file);
+    },
     register: (id, agent, file) => {
+        if (agent.id !== id) {
+            agentRegistry.delete(agent.id);
+        }
         registerAgent(id, agent);
         trackAgentPath(id, file);
         return agent;

package/esm/src/rendering/rsc/client-boot.ts

@@ -6,6 +6,7 @@
 import type { ClientModuleStrategy } from "./client-module-strategy.ts";
 import {
   buildClientModuleUrl,
+  type ClientRuntimeHydrationData,
   getHydrationReactImportSpecifiers,
   readHydrationData,
   resolveClientModuleStrategy,
@@ -58,6 +59,18 @@ export function selectHydrationRoot<T extends HydrationRootCandidate>(
     fallback;
 }
 
+interface RSCBootDocument {
+  getElementById(id: string): Element | null;
+}
+
+export function shouldAttemptRSCTransport(
+  doc: RSCBootDocument,
+  hydrationData: ClientRuntimeHydrationData | null,
+): boolean {
+  if (hydrationData?.pagePath) return false;
+  return !!doc.getElementById(RSC_ROOT_ID);
+}
+
 async function tryStream(q: string): Promise<boolean> {
   try {
     const res = await fetch(RSC_PATH_PREFIX + "stream" + q);
@@ -151,8 +164,12 @@ export async function boot(): Promise<void> {
       console.debug?.("[RSC] Found page component in hydration data:", pagePath);
       if (await hydratePageComponent(pagePath, clientModuleStrategy)) {
         console.debug?.("[RSC] Client component hydrated successfully");
-        return;
       }
+      return;
+    }
+
+    if (!shouldAttemptRSCTransport(document, hydrationData)) {
+      return;
     }
 
     if (await tryStream(q)) {

package/esm/src/server/handlers/preview/markdown-html-generator.d.ts

@@ -24,6 +24,8 @@ interface MarkdownHtmlOptions {
     projectId: string;
     /** File path of the markdown file. */
     filePath: string;
+    /** CSP nonce for inline scripts. */
+    nonce?: string;
 }
 /**
  * Generate a complete HTML document for markdown preview rendering.

package/esm/src/server/handlers/preview/markdown-html-generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown-html-generator.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-html-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAKrD,oDAAoD;AACpD,UAAU,mBAAmB;IAC3B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,gDAAgD;IAChD,GAAG,EAAE,GAAG,CAAC;IACT,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAuDD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CA0FzE"}
+{"version":3,"file":"markdown-html-generator.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-html-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAMrD,oDAAoD;AACpD,UAAU,mBAAmB;IAC3B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;IACzB,gDAAgD;IAChD,GAAG,EAAE,GAAG,CAAC;IACT,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAyDD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CA2FzE"}

package/esm/src/server/handlers/preview/markdown-html-generator.js

@@ -1,4 +1,5 @@
 import { escapeHtml } from "../../../utils/html-escape.js";
+import { buildNonceAttribute } from "../../../html/html-escape.js";
 /**
  * Detect the preferred color theme from request parameters and client hints.
  *
@@ -23,10 +24,11 @@ function detectTheme(req, url) {
  * Generate the studio bridge `<script>` tag.
  * Injected only when embedded in Studio (`studio_embed=true`).
  */
-function buildStudioScript(url, projectId, filePath) {
+function buildStudioScript(url, projectId, filePath, nonce) {
     const studioEmbed = url.searchParams.get("studio_embed") === "true";
     if (!studioEmbed)
         return "";
+    const nonceAttr = buildNonceAttribute(nonce);
     const rawQueryProjectId = url.searchParams.get("vf_project_id")?.trim() || "";
     // Validate query param before using it in bridge config.
     const queryProjectId = /^[a-zA-Z0-9_-]+$/.test(rawQueryProjectId) ? rawQueryProjectId : "";
@@ -40,8 +42,8 @@ function buildStudioScript(url, projectId, filePath) {
     };
     // Escape </script> sequences to prevent XSS breakout from inline JSON
     const safeJson = JSON.stringify(bridgeConfig).replace(/</g, "\\u003c");
-    return `<script>window.__VF_BRIDGE_CONFIG__=${safeJson};</script>
-  <script type="module" src="/_veryfront/studio-bridge.js"></script>`;
+    return `<script${nonceAttr}>window.__VF_BRIDGE_CONFIG__=${safeJson};</script>
+  <script type="module" src="/_veryfront/studio-bridge.js"${nonceAttr}></script>`;
 }
 /**
  * Generate a complete HTML document for markdown preview rendering.
@@ -51,10 +53,11 @@ function buildStudioScript(url, projectId, filePath) {
  * studio bridge integration.
  */
 export function generateMarkdownHtml(options) {
-    const { rawHtml, title, description, request, url, projectId, filePath } = options;
+    const { rawHtml, title, description, request, url, projectId, filePath, nonce } = options;
     const theme = detectTheme(request, url);
-    const studioScript = buildStudioScript(url, projectId, filePath);
+    const studioScript = buildStudioScript(url, projectId, filePath, nonce);
     const themeAttrs = theme ? ` data-theme="${theme}" style="color-scheme: ${theme};"` : "";
+    const nonceAttr = buildNonceAttribute(nonce);
     return `<!DOCTYPE html>
 <html lang="en"${themeAttrs}>
 <head>
@@ -75,7 +78,7 @@ export function generateMarkdownHtml(options) {
 
   ${studioScript}
 
-  <script type="module">
+  <script type="module"${nonceAttr}>
     import mermaid from 'https://esm.sh/mermaid@11.4.1?pin=v135';
 
     function getMermaidTheme() {
@@ -135,7 +138,7 @@ export function generateMarkdownHtml(options) {
   </script>
 
   <!-- Preview HMR -->
-  <script src="/_veryfront/preview-hmr.js"></script>
+  <script src="/_veryfront/preview-hmr.js"${nonceAttr}></script>
 </body>
 </html>`;
 }

package/esm/src/server/handlers/preview/markdown-preview.handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown-preview.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-preview.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBnG,qBAAa,sBAAuB,SAAQ,WAAW;IACrD,QAAQ,EAAE,eAAe,CAKvB;IAEI,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;YAmEjE,cAAc;CAiF7B"}
+{"version":3,"file":"markdown-preview.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/markdown-preview.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBnG,qBAAa,sBAAuB,SAAQ,WAAW;IACrD,QAAQ,EAAE,eAAe,CAKvB;IAEI,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;YAmEjE,cAAc;CAoF7B"}

package/esm/src/server/handlers/preview/markdown-preview.handler.js

@@ -103,6 +103,7 @@ export class MarkdownPreviewHandler extends BaseHandler {
                 return this.continue();
             }
             const bundle = await compileMarkdownRuntime("development", ctx.projectDir, body, frontmatter, filePath, "server");
+            const responseBuilder = this.createResponseBuilder(ctx);
             const html = generateMarkdownHtml({
                 rawHtml: bundle.rawHtml || "",
                 title: frontmatter.title != null ? String(frontmatter.title) : filePath,
@@ -111,15 +112,17 @@ export class MarkdownPreviewHandler extends BaseHandler {
                 url,
                 projectId: ctx.projectSlug || ctx.projectId || "markdown-preview",
                 filePath,
+                nonce: responseBuilder.nonce,
             });
-            const responseBuilder = this.createResponseBuilder(ctx)
+            responseBuilder
                 .withCache("no-cache")
-                .withContentType("text/html; charset=utf-8", html, HTTP_OK);
+                .withSecurity(ctx.securityConfig ?? undefined, req);
+            const response = responseBuilder.withContentType("text/html; charset=utf-8", html, HTTP_OK);
             logger.debug("Serving markdown preview", {
                 filePath,
                 htmlLength: html.length,
             });
-            return this.respond(responseBuilder);
+            return this.respond(response);
         }
         catch (error) {
             logger.error("Error rendering markdown", {

package/esm/src/server/handlers/request/api/project-discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"project-discovery.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/project-discovery.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA8CrD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAkE/E"}
+{"version":3,"file":"project-discovery.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/project-discovery.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA+DrD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA8D/E"}

package/esm/src/server/handlers/request/api/project-discovery.js

@@ -12,6 +12,21 @@ const logger = serverLogger.component("api-wrapper");
  * allows retry on failure (the key is deleted if discovery rejects).
  */
 const discoveredProjects = new Map();
+function buildDiscoveryConfig(ctx) {
+    const ai = ctx.config?.ai;
+    const skillDiscoveryEnabled = ai?.skills?.discovery?.enabled ?? true;
+    return {
+        baseDir: ctx.projectDir,
+        toolDirs: ai?.tools?.discovery?.paths ?? ["tools"],
+        agentDirs: ai?.agents?.discovery?.paths ?? ["agents"],
+        skillDirs: skillDiscoveryEnabled ? (ai?.skills?.discovery?.paths ?? ["skills"]) : [],
+        resourceDirs: ["resources"],
+        promptDirs: ["prompts"],
+        workflowDirs: ["workflows"],
+        fsAdapter: ctx.adapter.fs,
+        verbose: false,
+    };
+}
 /** Build a discovery cache key that incorporates the release/version. */
 function discoveryKey(ctx) {
     const cacheContext = tryGetCacheKeyContext();
@@ -59,11 +74,7 @@ export async function ensureProjectDiscovery(ctx) {
         clearTranspileCache();
         agentRegistry.clear();
         toolRegistry.clear();
-        const result = await discoverAll({
-            baseDir: ctx.projectDir,
-            fsAdapter: ctx.adapter.fs,
-            verbose: false,
-        });
+        const result = await discoverAll(buildDiscoveryConfig(ctx));
         const logData = {
             projectSlug: ctx.projectSlug,
             releaseId: ctx.releaseId,

package/esm/src/server/handlers/request/api/security-headers.d.ts

@@ -3,4 +3,5 @@ import type { HandlerContext } from "../../types.js";
 export declare function buildCSP(ctx: HandlerContext): string;
 export declare function getSecurityHeader(headerName: string, defaultValue: string, ctx: HandlerContext): string;
 export declare function applySecurityHeaders(headers: dntShim.Headers, ctx: HandlerContext, req?: dntShim.Request): void;
+export declare function applySecurityHeadersWithNonce(headers: dntShim.Headers, ctx: HandlerContext, nonce: string, req?: dntShim.Request): void;
 //# sourceMappingURL=security-headers.d.ts.map

package/esm/src/server/handlers/request/api/security-headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AACxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAarD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAQpD;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,cAAc,GAClB,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAa/G"}
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/api/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AACxD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAarD,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAQpD;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,cAAc,GAClB,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAE/G;AAED,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,OAAO,CAAC,OAAO,EACxB,GAAG,EAAE,cAAc,EACnB,KAAK,EAAE,MAAM,EACb,GAAG,CAAC,EAAE,OAAO,CAAC,OAAO,GACpB,IAAI,CAaN"}

package/esm/src/server/handlers/request/api/security-headers.js

@@ -10,7 +10,10 @@ export function getSecurityHeader(headerName, defaultValue, ctx) {
     return coreGetSecurityHeader(headerName, defaultValue, ctx.securityConfig, ctx.adapter);
 }
 export function applySecurityHeaders(headers, ctx, req) {
-    coreApplySecurityHeaders(headers, isDev(ctx), generateNonce(), ctx.cspUserHeader ?? null, ctx.securityConfig, ctx.adapter, ctx.parsedDomain?.allowIframeEmbed ?? false);
+    applySecurityHeadersWithNonce(headers, ctx, generateNonce(), req);
+}
+export function applySecurityHeadersWithNonce(headers, ctx, nonce, req) {
+    coreApplySecurityHeaders(headers, isDev(ctx), nonce, ctx.cspUserHeader ?? null, ctx.securityConfig, ctx.adapter, ctx.parsedDomain?.allowIframeEmbed ?? false);
     if (req) {
         applyCsrfCookie(req, headers, ctx.securityConfig?.csrf);
     }

package/esm/src/server/handlers/request/openapi-docs.handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openapi-docs.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/request/openapi-docs.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAWnG,qBAAa,kBAAmB,SAAQ,WAAW;IACjD,QAAQ,EAAE,eAAe,CAKvB;cAEiB,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO;IAMnF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAazE,OAAO,CAAC,gBAAgB;CAsCzB"}
+{"version":3,"file":"openapi-docs.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/request/openapi-docs.handler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,2BAA2B,CAAC;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAmB,aAAa,EAAE,MAAM,aAAa,CAAC;AAWnG,qBAAa,kBAAmB,SAAQ,WAAW;IACjD,QAAQ,EAAE,eAAe,CAKvB;cAEiB,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO;IAMnF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IAezE,OAAO,CAAC,gBAAgB;CAwCzB"}

package/esm/src/server/handlers/request/openapi-docs.handler.js

@@ -1,6 +1,6 @@
 import { BaseHandler } from "../response/base.js";
 import { HTTP_OK, PRIORITY_HIGH_DEV } from "../../../utils/constants/index.js";
-import { escapeHtml } from "../../../html/html-escape.js";
+import { buildNonceAttribute, escapeHtml } from "../../../html/html-escape.js";
 /** Default paths */
 const DEFAULT_DOCS_PATH = "/_docs";
 const DEFAULT_JSON_PATH = "/_openapi.json";
@@ -21,17 +21,20 @@ export class OpenAPIDocsHandler extends BaseHandler {
     handle(req, ctx) {
         if (!this.shouldHandle(req, ctx))
             return Promise.resolve(this.continue());
-        const html = this.generateDocsPage(ctx);
         const isDev = !!ctx.isLocalProject;
-        const response = this.createResponseBuilder(ctx)
+        const builder = this.createResponseBuilder(ctx);
+        const html = this.generateDocsPage(ctx, builder.nonce);
+        const response = builder
             .withCache(isDev ? "no-cache" : { maxAge: DOCS_CACHE_MAX_AGE_SECONDS, public: true })
+            .withSecurity(ctx.securityConfig ?? undefined, req)
             .withContentType("text/html; charset=utf-8", html, HTTP_OK);
         return Promise.resolve(this.respond(response));
     }
-    generateDocsPage(ctx) {
+    generateDocsPage(ctx, nonce) {
         const specUrl = ctx.config?.openapi?.paths?.json ?? DEFAULT_JSON_PATH;
         const title = escapeHtml(ctx.config?.openapi?.title ?? "API Documentation");
         const description = escapeHtml(ctx.config?.openapi?.description ?? "");
+        const nonceAttr = buildNonceAttribute(nonce);
         const configuration = JSON.stringify({
             theme: "purple",
             layout: "modern",
@@ -47,7 +50,7 @@ export class OpenAPIDocsHandler extends BaseHandler {
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
   <title>${title}</title>
   ${description ? `<meta name="description" content="${description}"/>` : ""}
-  <style>
+  <style${nonceAttr}>
     body {
       margin: 0;
       padding: 0;
@@ -59,8 +62,9 @@ export class OpenAPIDocsHandler extends BaseHandler {
     id="api-reference"
     data-url="${specUrl}"
     data-configuration='${configuration}'
+    ${nonce ? `nonce="${escapeHtml(nonce)}"` : ""}
   ></script>
-  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"${nonceAttr}></script>
 </body>
 </html>`;
     }

package/esm/src/server/handlers/request/rsc/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/rsc/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EAEf,aAAa,EACd,MAAM,gBAAgB,CAAC;AAQxB,qBAAa,UAAW,SAAQ,WAAW;IACzC,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CAmD1E"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/request/rsc/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,OAAO,MAAM,8BAA8B,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EAEf,aAAa,EACd,MAAM,gBAAgB,CAAC;AASxB,qBAAa,UAAW,SAAQ,WAAW;IACzC,QAAQ,EAAE,eAAe,CAIvB;IAEF,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CAqD1E"}