veryfront 0.1.62 → 0.1.64

package/esm/src/channels/invoke.js

@@ -0,0 +1,417 @@
+import * as dntShim from "../../_dnt.shims.js";
+import { fromError } from "../errors/veryfront-error.js";
+import { serverLogger } from "../utils/index.js";
+import { base64urlEncodeBytes } from "../utils/base64url.js";
+import { z } from "zod";
+import { getAgent as getRegisteredAgent, getAllAgentIds as getRegisteredAgentIds, } from "../agent/composition/composition.js";
+import { ensureProjectDiscovery as ensureProjectDiscoveryForProject } from "../server/handlers/request/api/project-discovery.js";
+const logger = serverLogger.component("channels-invoke");
+const SIGNATURE_SKEW_SECONDS = 5;
+const rawHistoryPartSchema = z.object({
+    type: z.string(),
+}).passthrough();
+const channelAttachmentSchema = z.object({
+    id: z.string(),
+    kind: z.enum(["image", "file"]),
+    filename: z.string().optional(),
+    mediaType: z.string().optional(),
+    privateUrl: z.string().optional(),
+});
+const channelInvokeHistoryMessageSchema = z.object({
+    id: z.string(),
+    role: z.enum(["user", "assistant", "system", "tool"]),
+    parts: z.array(rawHistoryPartSchema),
+    metadata: z.record(z.unknown()).optional(),
+    createdAt: z.string().optional(),
+});
+const channelInvokeRequestWireSchema = z.object({
+    dispatchId: z.string().min(1),
+    conversationId: z.string().min(1),
+    projectId: z.string().min(1),
+    assistantId: z.string().min(1),
+    platform: z.literal("slack"),
+    inboundMessage: z.object({
+        text: z.string(),
+        userId: z.string(),
+        userName: z.string(),
+        isDirectMessage: z.boolean(),
+        attachments: z.array(channelAttachmentSchema).optional(),
+    }),
+    conversationHistory: z.array(channelInvokeHistoryMessageSchema),
+    generation: z.object({
+        maxResponseTokens: z.number().int().positive().max(16384).optional(),
+    }).optional(),
+});
+export const ChannelInvokeRequestSchema = channelInvokeRequestWireSchema;
+export const ChannelAssistantsRequestSchema = z.object({
+    requestId: z.string().min(1),
+    projectId: z.string().min(1),
+    platform: z.literal("slack"),
+});
+export const ChannelAssistantSchema = z.object({
+    id: z.string().min(1),
+    name: z.string().min(1),
+    description: z.string().nullable().optional(),
+    model: z.string().nullable().optional(),
+});
+export const ChannelAssistantsResponseSchema = z.object({
+    assistants: z.array(ChannelAssistantSchema),
+});
+const channelTextPartSchema = z.object({
+    type: z.literal("text"),
+    text: z.string(),
+});
+const channelToolCallPartSchema = z.object({
+    type: z.literal("tool_call"),
+    id: z.string(),
+    name: z.string(),
+    input: z.record(z.unknown()),
+    state: z.enum(["streaming", "pending", "completed", "error"]),
+});
+const channelToolResultPartSchema = z.object({
+    type: z.literal("tool_result"),
+    tool_call_id: z.string(),
+    output: z.unknown(),
+    is_error: z.boolean().optional(),
+});
+const channelReasoningPartSchema = z.object({
+    type: z.literal("reasoning"),
+    text: z.string(),
+});
+const channelErrorPartSchema = z.object({
+    type: z.literal("error"),
+    code: z.string(),
+    message: z.string(),
+});
+export const ChannelResponsePartSchema = z.discriminatedUnion("type", [
+    channelTextPartSchema,
+    channelToolCallPartSchema,
+    channelToolResultPartSchema,
+    channelReasoningPartSchema,
+    channelErrorPartSchema,
+]);
+export const ChannelInvokeResponseSchema = z.object({
+    ignored: z.boolean(),
+    responseParts: z.array(ChannelResponsePartSchema).optional(),
+    tokenUsage: z.object({
+        inputTokens: z.number().int().nonnegative().optional(),
+        outputTokens: z.number().int().nonnegative().optional(),
+        totalTokens: z.number().int().nonnegative().optional(),
+    }).optional(),
+    error: z.object({
+        code: z.enum(["provider_error", "internal_error"]),
+        retryable: z.boolean(),
+    }).optional(),
+});
+const dispatchHeaderSchema = z.object({
+    alg: z.literal("EdDSA"),
+    typ: z.string().optional(),
+    kid: z.string().optional(),
+});
+const dispatchClaimsSchema = z.object({
+    iss: z.string(),
+    aud: z.string(),
+    sub: z.string(),
+    project_id: z.string(),
+    platform: z.string(),
+    body_sha256: z.string(),
+    iat: z.number().int(),
+    exp: z.number().int(),
+});
+export const defaultChannelInvokeDeps = {
+    ensureProjectDiscovery: ensureProjectDiscoveryForProject,
+    getAgent: getRegisteredAgent,
+    getAllAgentIds: getRegisteredAgentIds,
+};
+function getAssistantMetadata(agent) {
+    const rawConfig = agent.config;
+    return ChannelAssistantSchema.parse({
+        id: agent.id,
+        name: typeof rawConfig.name === "string" && rawConfig.name.trim().length > 0
+            ? rawConfig.name
+            : agent.id,
+        description: typeof rawConfig.description === "string" ? rawConfig.description : null,
+        model: agent.config.model ?? null,
+    });
+}
+export async function listChannelAssistants(ctx, deps) {
+    await deps.ensureProjectDiscovery(ctx);
+    const assistants = deps.getAllAgentIds()
+        .map((id) => deps.getAgent(id))
+        .filter((agent) => Boolean(agent))
+        .map(getAssistantMetadata)
+        .sort((left, right) => left.name.localeCompare(right.name));
+    return ChannelAssistantsResponseSchema.parse({ assistants });
+}
+function base64urlDecodeToBytes(input) {
+    const normalized = input
+        .replaceAll("-", "+")
+        .replaceAll("_", "/")
+        .padEnd(Math.ceil(input.length / 4) * 4, "=");
+    return toArrayBuffer(Uint8Array.from(atob(normalized), (char) => char.charCodeAt(0)));
+}
+function toArrayBuffer(bytes) {
+    const buffer = new ArrayBuffer(bytes.byteLength);
+    new Uint8Array(buffer).set(bytes);
+    return buffer;
+}
+function pemToDer(pem, label) {
+    const body = pem
+        .replace(`-----BEGIN ${label}-----`, "")
+        .replace(`-----END ${label}-----`, "")
+        .replace(/\s/g, "");
+    return toArrayBuffer(Uint8Array.from(atob(body), (char) => char.charCodeAt(0)));
+}
+async function importEd25519PublicKey(pem) {
+    return dntShim.crypto.subtle.importKey("spki", pemToDer(pem, "PUBLIC KEY"), "Ed25519", false, ["verify"]);
+}
+async function sha256Base64url(body) {
+    const hash = await dntShim.crypto.subtle.digest("SHA-256", new TextEncoder().encode(body));
+    return base64urlEncodeBytes(new Uint8Array(hash));
+}
+export async function verifyDispatchJws(jws, body, options) {
+    const parts = jws.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Channel dispatch signature must be a compact JWS");
+    }
+    const encodedHeader = parts[0];
+    const encodedPayload = parts[1];
+    const encodedSignature = parts[2];
+    if (!encodedHeader || !encodedPayload || !encodedSignature) {
+        throw new Error("Channel dispatch signature must include header, payload, and signature");
+    }
+    const header = dispatchHeaderSchema.parse(JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedHeader))));
+    const claims = dispatchClaimsSchema.parse(JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedPayload))));
+    if (header.alg !== "EdDSA") {
+        throw new Error("Unsupported channel dispatch JWS algorithm");
+    }
+    const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
+    const signature = base64urlDecodeToBytes(encodedSignature);
+    const publicKey = await importEd25519PublicKey(options.publicKeyPem);
+    const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
+    if (!verified) {
+        throw new Error("Channel dispatch signature verification failed");
+    }
+    if (claims.aud !== options.audience) {
+        throw new Error("Channel dispatch audience mismatch");
+    }
+    if (options.expectedProjectId && claims.project_id !== options.expectedProjectId) {
+        throw new Error("Channel dispatch project mismatch");
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (claims.exp <= now) {
+        throw new Error("Channel dispatch signature expired");
+    }
+    if (claims.iat > now + SIGNATURE_SKEW_SECONDS) {
+        throw new Error("Channel dispatch signature issued in the future");
+    }
+    if (now - claims.iat > options.maxAgeSeconds) {
+        throw new Error("Channel dispatch signature is too old");
+    }
+    const bodySha256 = await sha256Base64url(body);
+    if (claims.body_sha256 !== bodySha256) {
+        throw new Error("Channel dispatch body hash mismatch");
+    }
+    return claims;
+}
+function normalizeConversationPart(part) {
+    if (part.type === "text" && typeof part.text === "string") {
+        return { type: "text", text: part.text };
+    }
+    if (part.type === "tool_call" &&
+        typeof part.id === "string" &&
+        typeof part.name === "string" &&
+        part.input &&
+        typeof part.input === "object" &&
+        !Array.isArray(part.input)) {
+        return {
+            type: `tool-${part.name}`,
+            toolCallId: part.id,
+            toolName: part.name,
+            args: part.input,
+        };
+    }
+    if (part.type === "tool_result" && typeof part.tool_call_id === "string") {
+        return {
+            type: "tool-result",
+            toolCallId: part.tool_call_id,
+            toolName: typeof part.tool_name === "string" ? part.tool_name : "unknown",
+            result: "output" in part ? part.output : undefined,
+        };
+    }
+    return null;
+}
+export function normalizeConversationHistoryForRuntime(messages) {
+    return messages.map((message) => ({
+        id: message.id,
+        role: message.role,
+        parts: message.parts
+            .map((part) => normalizeConversationPart(part))
+            .filter((part) => part !== null),
+        ...(message.createdAt ? { timestamp: Date.parse(message.createdAt) || undefined } : {}),
+        ...(message.metadata ? { metadata: message.metadata } : {}),
+    }));
+}
+export function resolveChannelInvokeAgent(assistantId, deps) {
+    return deps.getAgent(assistantId);
+}
+function normalizeToolCallState(status) {
+    switch (status) {
+        case "completed":
+            return "completed";
+        case "error":
+            return "error";
+        default:
+            return "pending";
+    }
+}
+function convertAssistantPartToChannelResponsePart(part, knownToolCallIds) {
+    if (part.type === "text" && "text" in part) {
+        return channelTextPartSchema.parse({
+            type: "text",
+            text: part.text,
+        });
+    }
+    const isToolCallPart = part.type === "tool-call" ||
+        (part.type.startsWith("tool-") && part.type !== "tool-result");
+    if (isToolCallPart &&
+        "toolCallId" in part &&
+        "toolName" in part &&
+        !knownToolCallIds.has(part.toolCallId)) {
+        return channelToolCallPartSchema.parse({
+            type: "tool_call",
+            id: part.toolCallId,
+            name: part.toolName,
+            input: "args" in part ? part.args : ("input" in part ? part.input : {}),
+            state: "pending",
+        });
+    }
+    return null;
+}
+function findLastAssistantMessage(messages) {
+    for (let index = messages.length - 1; index >= 0; index -= 1) {
+        if (messages[index]?.role === "assistant") {
+            return messages[index];
+        }
+    }
+    return undefined;
+}
+export function buildChannelResponseParts(response) {
+    const responseParts = [];
+    const knownToolCallIds = new Set();
+    if (response.thinking?.trim()) {
+        responseParts.push(channelReasoningPartSchema.parse({
+            type: "reasoning",
+            text: response.thinking,
+        }));
+    }
+    for (const toolCall of response.toolCalls) {
+        knownToolCallIds.add(toolCall.id);
+        responseParts.push(channelToolCallPartSchema.parse({
+            type: "tool_call",
+            id: toolCall.id,
+            name: toolCall.name,
+            input: toolCall.args,
+            state: normalizeToolCallState(toolCall.status),
+        }));
+        if (toolCall.status === "completed" || toolCall.status === "error") {
+            responseParts.push(channelToolResultPartSchema.parse({
+                type: "tool_result",
+                tool_call_id: toolCall.id,
+                output: toolCall.status === "error"
+                    ? { error: toolCall.error ?? "Tool execution failed" }
+                    : toolCall.result,
+                ...(toolCall.status === "error" ? { is_error: true } : {}),
+            }));
+        }
+    }
+    const lastAssistantMessage = findLastAssistantMessage(response.messages);
+    if (lastAssistantMessage) {
+        for (const part of lastAssistantMessage.parts) {
+            const converted = convertAssistantPartToChannelResponsePart(part, knownToolCallIds);
+            if (converted) {
+                responseParts.push(converted);
+            }
+        }
+    }
+    else if (response.text.trim()) {
+        responseParts.push(channelTextPartSchema.parse({
+            type: "text",
+            text: response.text,
+        }));
+    }
+    return responseParts;
+}
+function classifyRuntimeError(error) {
+    const veryfrontError = fromError(error);
+    if (veryfrontError?.type === "no_ai_available") {
+        return { code: "provider_error", retryable: false };
+    }
+    if (veryfrontError?.type === "api" || veryfrontError?.type === "network") {
+        return { code: "provider_error", retryable: true };
+    }
+    return { code: "internal_error", retryable: true };
+}
+export async function executeChannelInvoke(payload, ctx, deps) {
+    await deps.ensureProjectDiscovery(ctx);
+    const agent = resolveChannelInvokeAgent(payload.assistantId, deps);
+    if (!agent) {
+        logger.error("Channel invoke could not resolve a runtime agent for the request", {
+            requestedAssistantId: payload.assistantId,
+            discoveredAgentIds: deps.getAllAgentIds(),
+            projectSlug: ctx.projectSlug,
+            projectId: ctx.projectId,
+        });
+        return {
+            ignored: false,
+            error: {
+                code: "internal_error",
+                retryable: false,
+            },
+        };
+    }
+    const messages = normalizeConversationHistoryForRuntime(payload.conversationHistory);
+    await agent.clearMemory();
+    try {
+        const result = await agent.generate({
+            input: messages,
+            context: {
+                requestId: payload.dispatchId,
+                dispatchId: payload.dispatchId,
+                conversationId: payload.conversationId,
+                projectId: payload.projectId,
+                assistantId: payload.assistantId,
+                channel: payload.inboundMessage,
+            },
+            ...(payload.generation?.maxResponseTokens
+                ? {
+                    maxOutputTokens: payload.generation.maxResponseTokens,
+                }
+                : {}),
+        });
+        return ChannelInvokeResponseSchema.parse({
+            ignored: false,
+            responseParts: buildChannelResponseParts(result),
+            tokenUsage: result.usage
+                ? {
+                    inputTokens: result.usage.promptTokens,
+                    outputTokens: result.usage.completionTokens,
+                    totalTokens: result.usage.totalTokens,
+                }
+                : undefined,
+        });
+    }
+    catch (error) {
+        logger.error("Channel invoke runtime execution failed", {
+            error: error instanceof Error ? error.message : String(error),
+            stack: error instanceof Error ? error.stack : undefined,
+            projectSlug: ctx.projectSlug,
+            projectId: ctx.projectId,
+            dispatchId: payload.dispatchId,
+        });
+        return {
+            ignored: false,
+            error: classifyRuntimeError(error),
+        };
+    }
+}

package/esm/src/embedding/embedding.js

@@ -30,10 +30,10 @@ export function embedding(config) {
     return {
         model: modelId,
         async embed(text) {
-            const value = queryPrefix + text;
-            if (!value.trim()) {
+            if (!text.trim()) {
                 throw new Error("Cannot embed an empty string");
             }
+            const value = queryPrefix + text;
             const result = await embed({ model, value });
             return result.embedding;
         },

package/esm/src/integrations/endpoint-executor.d.ts

@@ -1,4 +1,5 @@
 import type { IntegrationEndpoint } from "./types.js";
+export declare function validateEndpointUrl(url: string): void;
 interface ExecutionContext {
     integration: string;
     toolId: string;

package/esm/src/integrations/endpoint-executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"endpoint-executor.d.ts","sourceRoot":"","sources":["../../../src/src/integrations/endpoint-executor.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGtD,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,eAAe,CACnC,QAAQ,EAAE,mBAAmB,EAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,MAAM,EACnB,GAAG,EAAE,gBAAgB,GACpB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAK9C"}
+{"version":3,"file":"endpoint-executor.d.ts","sourceRoot":"","sources":["../../../src/src/integrations/endpoint-executor.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAetD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAiCrD;AAED,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,eAAe,CACnC,QAAQ,EAAE,mBAAmB,EAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,MAAM,EACnB,GAAG,EAAE,gBAAgB,GACpB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAK9C"}

package/esm/src/integrations/endpoint-executor.js

@@ -8,6 +8,48 @@
 import * as dntShim from "../../_dnt.shims.js";
 import { logger } from "../utils/index.js";
 import { INVALID_ARGUMENT } from "../errors/index.js";
+const PRIVATE_IP_RANGES = [
+    /^127\./, // 127.0.0.0/8
+    /^10\./, // 10.0.0.0/8
+    /^172\.(1[6-9]|2\d|3[01])\./, // 172.16.0.0/12
+    /^192\.168\./, // 192.168.0.0/16
+    /^169\.254\./, // 169.254.0.0/16
+    /^0\./, // 0.0.0.0/8
+    /^::1$/, // IPv6 loopback
+    /^f[cd][0-9a-f]{2}:/i, // IPv6 unique local (fc00::/7)
+    /^fe80:/i, // IPv6 link-local (fe80::/10)
+];
+export function validateEndpointUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw INVALID_ARGUMENT.create({ detail: `Invalid endpoint URL: ${url}` });
+    }
+    if (parsed.protocol !== "https:") {
+        throw INVALID_ARGUMENT.create({
+            detail: `Endpoint URL must use HTTPS: ${parsed.protocol}`,
+        });
+    }
+    const hostname = parsed.hostname.toLowerCase();
+    if (hostname === "localhost") {
+        throw INVALID_ARGUMENT.create({
+            detail: "Endpoint URL must not target localhost",
+        });
+    }
+    // Strip IPv6 brackets for regex matching
+    const bare = hostname.startsWith("[") && hostname.endsWith("]")
+        ? hostname.slice(1, -1)
+        : hostname;
+    for (const range of PRIVATE_IP_RANGES) {
+        if (range.test(bare)) {
+            throw INVALID_ARGUMENT.create({
+                detail: "Endpoint URL must not target private/internal networks",
+            });
+        }
+    }
+}
 export async function executeEndpoint(endpoint, args, accessToken, ctx) {
     if (endpoint.type === "graphql") {
         return executeGraphQL(endpoint, args, accessToken, ctx);
@@ -40,6 +82,7 @@ async function executeGraphQL(endpoint, args, accessToken, ctx) {
             headers[key] = args[key] !== undefined ? String(args[key]) : String(def.default ?? "");
         }
     }
+    validateEndpointUrl(endpoint.url);
     logger.debug("Executing GraphQL endpoint", {
         integration: ctx.integration,
         tool: ctx.toolId,
@@ -112,6 +155,7 @@ async function executeRest(endpoint, args, accessToken, ctx) {
         body = JSON.stringify(bodyObj);
         headers["Content-Type"] = endpoint.contentType ?? "application/json";
     }
+    validateEndpointUrl(urlObj.toString());
     logger.debug("Executing REST endpoint", {
         integration: ctx.integration,
         tool: ctx.toolId,

package/esm/src/integrations/schema.d.ts

@@ -458,7 +458,7 @@ export declare const IntegrationConfigSchema: z.ZodObject<{
         id?: string | undefined;
         requiresWrite?: boolean | undefined;
     }[];
-    name: "github" | "aws" | "twitter" | "zoom" | "anthropic" | "linear" | "gmail" | "calendar" | "sheets" | "drive" | "outlook" | "teams" | "sharepoint" | "onedrive" | "jira" | "confluence" | "bitbucket" | "slack" | "notion" | "figma" | "discord" | "gitlab" | "airtable" | "dropbox" | "hubspot" | "salesforce" | "asana" | "monday" | "intercom" | "freshdesk" | "mailchimp" | "shopify" | "quickbooks" | "xero" | "box" | "webex" | "trello" | "clickup" | "pipedrive" | "servicenow" | "supabase" | "neon" | "stripe" | "sentry" | "posthog" | "zendesk" | "docs-google" | "snowflake" | "mixpanel" | "twilio";
+    name: "github" | "aws" | "twitter" | "zoom" | "anthropic" | "linear" | "slack" | "gmail" | "calendar" | "sheets" | "drive" | "outlook" | "teams" | "sharepoint" | "onedrive" | "jira" | "confluence" | "bitbucket" | "notion" | "figma" | "discord" | "gitlab" | "airtable" | "dropbox" | "hubspot" | "salesforce" | "asana" | "monday" | "intercom" | "freshdesk" | "mailchimp" | "shopify" | "quickbooks" | "xero" | "box" | "webex" | "trello" | "clickup" | "pipedrive" | "servicenow" | "supabase" | "neon" | "stripe" | "sentry" | "posthog" | "zendesk" | "docs-google" | "snowflake" | "mixpanel" | "twilio";
     displayName: string;
     category?: string | undefined;
     icon?: string | undefined;
@@ -524,7 +524,7 @@ export declare const IntegrationConfigSchema: z.ZodObject<{
         id?: string | undefined;
         requiresWrite?: boolean | undefined;
     }[];
-    name: "github" | "aws" | "twitter" | "zoom" | "anthropic" | "linear" | "gmail" | "calendar" | "sheets" | "drive" | "outlook" | "teams" | "sharepoint" | "onedrive" | "jira" | "confluence" | "bitbucket" | "slack" | "notion" | "figma" | "discord" | "gitlab" | "airtable" | "dropbox" | "hubspot" | "salesforce" | "asana" | "monday" | "intercom" | "freshdesk" | "mailchimp" | "shopify" | "quickbooks" | "xero" | "box" | "webex" | "trello" | "clickup" | "pipedrive" | "servicenow" | "supabase" | "neon" | "stripe" | "sentry" | "posthog" | "zendesk" | "docs-google" | "snowflake" | "mixpanel" | "twilio";
+    name: "github" | "aws" | "twitter" | "zoom" | "anthropic" | "linear" | "slack" | "gmail" | "calendar" | "sheets" | "drive" | "outlook" | "teams" | "sharepoint" | "onedrive" | "jira" | "confluence" | "bitbucket" | "notion" | "figma" | "discord" | "gitlab" | "airtable" | "dropbox" | "hubspot" | "salesforce" | "asana" | "monday" | "intercom" | "freshdesk" | "mailchimp" | "shopify" | "quickbooks" | "xero" | "box" | "webex" | "trello" | "clickup" | "pipedrive" | "servicenow" | "supabase" | "neon" | "stripe" | "sentry" | "posthog" | "zendesk" | "docs-google" | "snowflake" | "mixpanel" | "twilio";
     displayName: string;
     category?: string | undefined;
     icon?: string | undefined;

package/esm/src/oauth/handlers/init-handler.d.ts

@@ -20,9 +20,13 @@ export interface OAuthStatusHandlerOptions {
     tokenStore?: TokenStore;
     /** EnvReader for dynamic env vars (defaults to getEnv) */
     envReader?: EnvReader;
+    /** Optional authentication check — return true if the request is authenticated */
+    isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>;
 }
-export declare function createOAuthStatusHandler(config: OAuthServiceConfig, options?: OAuthStatusHandlerOptions): () => Promise<dntShim.Response>;
+export declare function createOAuthStatusHandler(config: OAuthServiceConfig, options?: OAuthStatusHandlerOptions): (req: dntShim.Request) => Promise<dntShim.Response>;
 export declare function createOAuthDisconnectHandler(config: OAuthServiceConfig, options?: {
     tokenStore?: TokenStore;
-}): () => Promise<dntShim.Response>;
+    /** Optional authentication check — return true if the request is authenticated */
+    isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>;
+}): (req: dntShim.Request) => Promise<dntShim.Response>;
 //# sourceMappingURL=init-handler.d.ts.map

package/esm/src/oauth/handlers/init-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init-handler.d.ts","sourceRoot":"","sources":["../../../../src/src/oauth/handlers/init-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,wBAAwB,CAAC;AAElD,OAAO,EACL,KAAK,iBAAiB,EAEvB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,KAAK,SAAS,EAAgB,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK3F,MAAM,WAAW,uBAAuB;IACtC,oDAAoD;IACpD,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB,gEAAgE;IAChE,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,WAAW,CAAC,EAAE,uBAAuB,CAAC;IAEtC,gFAAgF;IAChF,GAAG,CAAC,EAAE,iBAAiB,CAAC;IAExB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE,uBAA4B,GACpC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAsCjC;AAED,MAAM,WAAW,yBAAyB;IACxC,oDAAoD;IACpD,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE,yBAA8B,GACtC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAoBjC;AAED,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE;IAAE,UAAU,CAAC,EAAE,UAAU,CAAA;CAAO,GACxC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAWjC"}
+{"version":3,"file":"init-handler.d.ts","sourceRoot":"","sources":["../../../../src/src/oauth/handlers/init-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,wBAAwB,CAAC;AAElD,OAAO,EACL,KAAK,iBAAiB,EAEvB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,KAAK,SAAS,EAAgB,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK3F,MAAM,WAAW,uBAAuB;IACtC,oDAAoD;IACpD,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB,gEAAgE;IAChE,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,WAAW,CAAC,EAAE,uBAAuB,CAAC;IAEtC,gFAAgF;IAChF,GAAG,CAAC,EAAE,iBAAiB,CAAC;IAExB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE,uBAA4B,GACpC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAsCjC;AAED,MAAM,WAAW,yBAAyB;IACxC,oDAAoD;IACpD,UAAU,CAAC,EAAE,UAAU,CAAC;IAExB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,SAAS,CAAC;IAEtB,kFAAkF;IAClF,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACxE;AAED,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE,yBAA8B,GACtC,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAwBrD;AAED,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,GAAE;IACP,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,kFAAkF;IAClF,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACnE,GACL,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAerD"}

package/esm/src/oauth/handlers/init-handler.js

@@ -37,7 +37,10 @@ export function createOAuthInitHandler(config, options = {}) {
 export function createOAuthStatusHandler(config, options = {}) {
     const tokenStore = options.tokenStore ?? memoryTokenStore;
     const envReader = options.envReader ?? getEnv;
-    return async function handler() {
+    return async function handler(req) {
+        if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
+            return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+        }
         const tokens = await tokenStore.getTokens(config.serviceId);
         const isConnected = !!tokens?.accessToken;
         const isExpired = tokens?.expiresAt ? Date.now() > tokens.expiresAt : false;
@@ -54,7 +57,10 @@ export function createOAuthStatusHandler(config, options = {}) {
 }
 export function createOAuthDisconnectHandler(config, options = {}) {
     const tokenStore = options.tokenStore ?? memoryTokenStore;
-    return async function handler() {
+    return async function handler(req) {
+        if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
+            return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+        }
         await tokenStore.clearTokens(config.serviceId);
         return dntShim.Response.json({
             success: true,

package/esm/src/platform/compat/opaque-deps.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"opaque-deps.d.ts","sourceRoot":"","sources":["../../../../src/src/platform/compat/opaque-deps.ts"],"names":[],"mappings":"AA2BA,KAAK,YAAY,GAAG,GAAG,CAAC;AAExB,yEAAyE;AACzE,wBAAgB,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC,CAE1D;AAED,8DAA8D;AAC9D,wBAAgB,oBAAoB,IAAI,OAAO,CAAC,YAAY,CAAC,CAK5D;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,YAAY,EAAE,CACZ,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,KACb,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnC,CAAC,CAWD"}
+{"version":3,"file":"opaque-deps.d.ts","sourceRoot":"","sources":["../../../../src/src/platform/compat/opaque-deps.ts"],"names":[],"mappings":"AA2BA,KAAK,YAAY,GAAG,GAAG,CAAC;AAUxB,yEAAyE;AACzE,wBAAgB,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC,CAE1D;AAED,8DAA8D;AAC9D,wBAAgB,oBAAoB,IAAI,OAAO,CAAC,YAAY,CAAC,CAK5D;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,YAAY,EAAE,CACZ,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,KACb,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnC,CAAC,CAkBD"}

package/esm/src/platform/compat/opaque-deps.js

@@ -15,7 +15,7 @@
  * @module platform/compat
  */
 import * as dntShim from "../../../_dnt.shims.js";
-import { isDeno } from "./runtime.js";
+import { isDeno, isDenoCompiled } from "./runtime.js";
 import { dynamicImport } from "./dynamic-import.js";
 function resolve(pkg, version) {
     return isDeno ? `npm:${pkg}@${version}` : pkg;
@@ -45,6 +45,15 @@ export async function importKreuzberg() {
     if (isDeno) {
         // Regular import — visible to deno compile, resolved via deno.json import map
         const mod = await import("@kreuzberg/wasm");
+        if (isDenoCompiled) {
+            // Kreuzberg's initWasm() internally uses a computed dynamic import() to
+            // load the WASM glue module (kreuzberg_wasm.js). deno compile cannot
+            // trace computed import() paths, so the glue module is absent from the
+            // binary's embedded module graph. Pre-importing it here populates Deno's
+            // in-process module cache so the subsequent import() inside initWasm()
+            // resolves from cache instead of hitting the missing file.
+            await import("@kreuzberg/wasm/dist/pkg/kreuzberg_wasm.js");
+        }
         await mod.initWasm?.();
         return mod;
     }

package/esm/src/prompt/factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/src/prompt/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAGvD,wBAAgB,MAAM,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CA0BnD"}
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/src/prompt/factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAIvD,wBAAgB,MAAM,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CA0BnD"}

package/esm/src/prompt/factory.js

@@ -1,4 +1,5 @@
 import { createError, toError } from "../errors/veryfront-error.js";
+import { COMMON_BLOCKED_PATTERNS } from "../agent/middleware/security/validator.js";
 export function prompt(config) {
     const id = config.id ?? generatePromptId();
     return {
@@ -24,9 +25,16 @@ let promptIdCounter = 0;
 function generatePromptId() {
     return `prompt_${Date.now()}_${promptIdCounter++}`;
 }
+function sanitizeVariableValue(value) {
+    let sanitized = value;
+    for (const pattern of COMMON_BLOCKED_PATTERNS.promptInjection) {
+        sanitized = sanitized.replace(pattern, "");
+    }
+    return sanitized;
+}
 function interpolateVariables(template, variables) {
     return template.replace(/\{(\w+)\}/g, (match, key) => {
         const value = variables[key];
-        return value != null ? String(value) : match;
+        return value != null ? sanitizeVariableValue(String(value)) : match;
     });
 }

package/esm/src/react/components/ai/markdown.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"markdown.d.ts","sourceRoot":"","sources":["../../../../../src/src/react/components/ai/markdown.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAM/B,MAAM,WAAW,aAAa;IAC5B,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yEAAyE;IACzE,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iCAAiC;IACjC,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,KAAK,CAAC,SAAS,CAAC;CAC9D;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAkJD,wBAAgB,QAAQ,CAAC,EACvB,QAAQ,EACR,SAAS,EACT,aAAoB,EACpB,eAAe,GAChB,EAAE,aAAa,GAAG,KAAK,CAAC,YAAY,CA+FpC"}
+{"version":3,"file":"markdown.d.ts","sourceRoot":"","sources":["../../../../../src/src/react/components/ai/markdown.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAM/B,MAAM,WAAW,aAAa;IAC5B,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yEAAyE;IACzE,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iCAAiC;IACjC,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,KAAK,CAAC,SAAS,CAAC;CAC9D;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAmJD,wBAAgB,QAAQ,CAAC,EACvB,QAAQ,EACR,SAAS,EACT,aAAoB,EACpB,eAAe,GAChB,EAAE,aAAa,GAAG,KAAK,CAAC,YAAY,CA+FpC"}

package/esm/src/react/components/ai/markdown.js

@@ -3,10 +3,10 @@ import { cn } from "./theme.js";
 import { isBrowserEnvironment } from "../../../platform/compat/runtime.js";
 import { validateTrustedHtml } from "../../../security/client/html-sanitizer.js";
 import { RichCodeBlock } from "./chat/components/code-block.js";
-const ESM_REACT_MARKDOWN = "https://esm.sh/react-markdown@9?external=react&target=es2022";
-const ESM_REMARK_GFM = "https://esm.sh/remark-gfm@4?target=es2022";
-const ESM_REHYPE_HIGHLIGHT = "https://esm.sh/rehype-highlight@7?target=es2022";
-const ESM_MERMAID = "https://esm.sh/mermaid@11";
+const ESM_REACT_MARKDOWN = "https://esm.sh/react-markdown@9.0.3?external=react&target=es2022&pin=v135";
+const ESM_REMARK_GFM = "https://esm.sh/remark-gfm@4.0.1?target=es2022&pin=v135";
+const ESM_REHYPE_HIGHLIGHT = "https://esm.sh/rehype-highlight@7.0.2?target=es2022&pin=v135";
+const ESM_MERMAID = "https://esm.sh/mermaid@11.4.1?pin=v135";
 const dynamicImport = new Function("url", "return import(url)");
 // deno-lint-ignore no-explicit-any
 let ReactMarkdown = null;