@adminide-stack/form-builder-core 5.1.4-alpha.82 → 5.1.6-alpha.0

package/lib/utils/authMetaDataSchema.js

@@ -0,0 +1,1601 @@
+import {CONTRIBUTION_POINTS,ContributeDefaultValueSourceType}from'common';import {resolveConnectorFieldTokensInValue}from'../config/connectorFieldTokenResolver.js';import {parseSampleNodes,flattenSchemas}from'./schemaHelpers.js';const parseScopes = raw => raw.split(',').map(s => s.trim()).filter(Boolean);
+const parseEnumValues = raw => {
+  if (Array.isArray(raw)) return raw;
+  if (raw === null || raw === undefined) return [];
+  if (typeof raw !== 'string') return [];
+  if (!raw.trim()) return [];
+  try {
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch (_) {
+    return raw.split('\n').map(line => line.trim()).filter(Boolean).map(line => {
+      const [value, label] = line.split(':');
+      return {
+        value: (value || '').trim(),
+        label: (label || value || '').trim()
+      };
+    });
+  }
+};
+const toEnvKey = value => (value || '').replace(/([a-z0-9])([A-Z])/g, '$1_$2').replace(/([A-Z]+)([A-Z][a-z])/g, '$1_$2').replace(/[^a-zA-Z0-9]+/g, '_').replace(/^_+|_+$/g, '').toUpperCase();
+const mapProviderFields = (fields, providerId) => fields.map(field => ({
+  name: field.name,
+  label: field.label,
+  type: field.type,
+  placeholder: field.placeholder,
+  description: field.description,
+  required: field.required,
+  defaultValue: field.defaultValue ?? '',
+  isConfigField: field.isConfigField,
+  isSecret: field.isSecret,
+  secretSource: field.isSecret ? field.secretSource || {
+    type: 'vault',
+    secretType: field.secretType,
+    secretKey: field.secretKey || (providerId ? `${toEnvKey(providerId)}_${toEnvKey(field.name)}` : toEnvKey(field.name))
+  } : null,
+  uiWidget: field.uiWidget,
+  enumValues: parseEnumValues(field.enumValues),
+  readOnly: field.readOnly,
+  iconType: field.iconType,
+  genericType: field.genericType || undefined,
+  placement: field.placement || undefined,
+  placementKey: field.placementKey || undefined,
+  scope: field.scope || undefined
+}));
+const buildProviderConfig = (providerConfig, connectorType) => {
+  const base = {
+    id: providerConfig.id,
+    title: providerConfig.title,
+    description: providerConfig.description,
+    icon: providerConfig.icon || {
+      name: providerConfig.iconName,
+      style: providerConfig.iconFontSize ? {
+        fontSize: providerConfig.iconFontSize
+      } : undefined
+    },
+    logo: providerConfig.logo || undefined,
+    color: providerConfig.color || undefined,
+    enabled: providerConfig.enabled,
+    scopes: Array.isArray(providerConfig.scopes) ? providerConfig.scopes : parseScopes(providerConfig.scopes),
+    authMethods: providerConfig.authMethods.length > 0 ? providerConfig.authMethods : ['api_key'],
+    categories: providerConfig.categories || [providerConfig.category],
+    fields: mapProviderFields(providerConfig.fields, providerConfig.id)
+  };
+  if (connectorType === 'mcp') {
+    return {
+      ...base,
+      providerUrl: providerConfig.providerUrl || undefined,
+      mcpUrl: providerConfig.mcpUrl
+    };
+  }
+  return {
+    ...base,
+    providerUrl: providerConfig.providerUrl,
+    useCustomOAuthEndpoints: providerConfig.useCustomOAuthEndpoints,
+    usePKCE: providerConfig.usePKCE,
+    clientAuthMethod: providerConfig.clientAuthMethod,
+    authorizationUrl: providerConfig.authorizationUrl,
+    tokenUrl: providerConfig.tokenUrl,
+    revocationUrl: providerConfig.revocationUrl,
+    useBasicAuth: providerConfig.useBasicAuth
+  };
+};
+const buildAppSeed = p => {
+  const authMethods = p.authMethods ? [...p.authMethods] : ['oauth2'];
+  return {
+    key: `${p.id}:app`,
+    providerId: p.id,
+    title: p.title,
+    description: p.description || '',
+    scopes: p.scopes || [],
+    providerUrl: p.providerUrl || '',
+    useCustomOAuthEndpoints: p.useCustomOAuthEndpoints,
+    usePKCE: p.usePKCE,
+    clientAuthMethod: p.clientAuthMethod,
+    authorizationUrl: p.authorizationUrl,
+    tokenUrl: p.tokenUrl,
+    revocationUrl: p.revocationUrl,
+    useBasicAuth: p.useBasicAuth,
+    mcpUrl: p.mcpUrl || '',
+    connectorType: 'app',
+    authMethods,
+    fields: p.fields || [],
+    resources: p.resources || [],
+    customButtons: p.customButtons || [],
+    formIcon: p.logo || '',
+    categories: p.categories
+  };
+};
+const buildMcpSeed = p => ({
+  key: `${p.id}:mcp`,
+  providerId: p.id,
+  title: p.title,
+  description: p.description || '',
+  scopes: p.scopes || [],
+  providerUrl: p.mcpUrl || '',
+  mcpUrl: p.mcpUrl || '',
+  connectorType: 'mcp',
+  authMethods: [...p.authMethods],
+  fields: p.fields || [],
+  resources: [],
+  customButtons: [],
+  formIcon: p.logo || '',
+  categories: p.categories
+});
+function buildProviderSeedFromConfig(provider, connectorType) {
+  if (connectorType === 'mcp') {
+    return buildMcpSeed(provider);
+  }
+  return buildAppSeed(provider);
+}
+// Auth seed generation
+const sanitizeFieldKey = value => value.replace(/[^a-zA-Z0-9_]/g, '_');
+const seedIsApiKeyOnly = seed => seed.connectorType !== 'mcp' && !seed.authMethods.includes('oauth2') && !seed.authMethods.includes('bearer_token');
+const STEP_KEY = 'step1';
+const seedTemplateType = seed => seed.connectorType === 'mcp' ? 'mcp' : seed.authMethods.includes('oauth2') ? 'oauth' : 'api';
+function buildResourcesNode(seed) {
+  if (seed.resources.length === 0) return null;
+  const properties = {};
+  for (const originalResource of seed.resources) {
+    const resource = resolveConnectorFieldTokensInValue(originalResource, {
+      fields: seed.fields,
+      basePath: `${STEP_KEY}.oauthConnector`,
+      context: `${seed.key}.${originalResource.name}`
+    });
+    const prefix = resource.name;
+    const selectedSource = resource.type === 'jsCode' ? 'js-code' : resource.type;
+    properties[`${prefix}.id`] = resource.name;
+    properties[`${prefix}.name`] = resource.label;
+    properties[`${prefix}.type`] = resource.type === 'rest-api' ? 'apiRequest' : resource.type;
+    properties[`${prefix}.selectedSource`] = selectedSource;
+    properties[`${prefix}.description`] = '';
+    properties[`${prefix}.key`] = resource.name;
+    if (resource.type === 'rest-api' && resource.config.restApi) {
+      const r = resource.config.restApi;
+      const rp = `${prefix}.config.restApi`;
+      properties[`${rp}.httpMethod`] = r.httpMethod;
+      properties[`${rp}.url`] = r.url;
+      properties[`${rp}.urlParams`] = r.urlParams;
+      r.headers.forEach((h, i) => {
+        properties[`${rp}.headers.${i}.key`] = h.key;
+        properties[`${rp}.headers.${i}.value`] = h.value;
+      });
+      properties[`${rp}.body.format`] = r.body.format;
+      properties[`${rp}.body.data`] = r.body.data;
+      properties[`${rp}.body.rawData`] = r.body.rawData;
+      properties[`${rp}.cookies`] = r.cookies;
+      properties[`${rp}.runBehavior`] = r.runBehavior;
+      properties[`${rp}.transformResults`] = r.transformResults;
+    }
+    if (resource.type === 'jsCode' && resource.config.jsCode) {
+      const j = resource.config.jsCode;
+      const jp = `${prefix}.config.jsCode`;
+      properties[`${jp}.query`] = j.query;
+      properties[`${jp}.transformResults`] = j.transformResults;
+    }
+    if (resource.type === 'graphql' && resource.config.graphql) {
+      const g = resource.config.graphql;
+      const gp = `${prefix}.config.graphql`;
+      properties[`${gp}.query`] = g.query;
+      properties[`${gp}.useInternalLink`] = g.useInternalLink;
+      properties[`${gp}.transformResults`] = g.transformResults;
+      properties[`${gp}.variables`] = g.variables;
+    }
+  }
+  return {
+    type: 'resources',
+    properties
+  };
+}
+function buildCustomButtonsNode(seed) {
+  if (seed.customButtons.length === 0) return null;
+  const node = {
+    type: 'customButtons'
+  };
+  seed.customButtons.forEach((btn, idx) => {
+    const base = `properties.${STEP_KEY}.${idx}`;
+    node[`${base}.id`] = btn.id || `btn-${Math.random().toString(36).substring(2, 15)}`;
+    node[`${base}.title`] = btn.title;
+    node[`${base}.action`] = btn.action;
+    if (btn.resourceId) node[`${base}.resourceId`] = btn.resourceId;
+    if (btn.inngestId) node[`${base}.inngestId`] = btn.inngestId;
+  });
+  return node;
+}
+function buildInngestNode() {
+  return {
+    type: 'inngest',
+    'properties.generatedCode.submit': `async ({ event, step }) => {\nreturn {\n  functionId: 'new-function',\n  timestamp: new Date().toISOString()\n};\n}`,
+    'properties.raw.submit.functionID': 'new-function',
+    'properties.raw.submit.functionName': 'New Workflow Function',
+    'properties.raw.submit.functionDescription': 'A new Workflow function',
+    'properties.raw.submit.enabled': false,
+    'properties.raw.submit.displaySubmitButton': false,
+    'properties.raw.submit.events.0': 'app.event',
+    'properties.raw.submit.metadata.version': '1.0.0',
+    'properties.raw.submit.selectedStep': null,
+    'properties.raw.submit.activeTab': 'config',
+    'properties.raw.submit.editorSettings.theme': 'vs-dark',
+    'properties.raw.submit.editorSettings.fontSize': 14,
+    'properties.raw.submit.editorSettings.tabSize': 2,
+    'properties.raw.submit.editorSettings.wordWrap': true,
+    'properties.raw.submit.generatedCode': `async ({ event, step }) => {\nreturn {\n  functionId: 'new-function',\n  timestamp: new Date().toISOString()\n};\n}`,
+    'properties.raw.submit.isCodeManuallyEdited': false,
+    'properties.raw.submit.stepEditorStates.activeTab': 'config',
+    'properties.raw.submit.version': '1.0.0'
+  };
+}
+const seedCategory = seed => seed.categories[0];
+const toVaultPrefix = value => value.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase();
+const seedAuthMethodDefault = seed => seed.authMethods.includes('oauth2') ? 'oauth' : seed.connectorType === 'mcp' ? 'mcp' : 'api_key';
+/**
+ * Build a `genericType -> count` map for the given fields. Used by
+ * {@link resolveFieldKey} to detect colliding `genericType` values so that
+ * generated config paths (e.g. `oauthConnector.info`) don't clash when
+ * multiple fields declare the same generic bucket.
+ */
+const buildGenericTypeCounts = fields => {
+  const counts = new Map();
+  if (!fields) return counts;
+  for (const field of fields) {
+    const gt = field?.genericType;
+    if (gt) counts.set(gt, (counts.get(gt) || 0) + 1);
+  }
+  return counts;
+};
+/**
+ * Reserved `genericType` value that means "this is a custom config field —
+ * route it under `oauthConnector.additionalKeys.<fieldName>`". Use this for
+ * any field that doesn't fit a canonical genericType (api_key, base_url,
+ * username, subdomain, etc.). Each field gets its own leaf path, so an
+ * arbitrary number of additional keys can coexist without collision.
+ */
+const ADDITIONAL_KEYS_GENERIC_TYPE = 'additionalKeys';
+/**
+ * Resolve the path-segment for a config field. Rules (first match wins):
+ *   1. `genericType === 'additionalKeys'` → `additionalKeys.<field.name>` (namespaced)
+ *   2. unique `genericType` → that value
+ *   3. otherwise → `field.name` (collision fallback for legacy connectors)
+ */
+const resolveFieldKey = (field, genericTypeCounts) => {
+  const gt = field?.genericType;
+  if (gt === ADDITIONAL_KEYS_GENERIC_TYPE) return `${ADDITIONAL_KEYS_GENERIC_TYPE}.${field.name}`;
+  if (gt && (genericTypeCounts.get(gt) || 0) <= 1) return gt;
+  return field.name;
+};
+function buildPreGeneratedFormSteps(seed, namespace) {
+  const vaultPrefix = toVaultPrefix(seed.providerId);
+  const isApp = seed.connectorType === 'app';
+  const isApiKeyOnly = seedIsApiKeyOnly(seed);
+  const templateType = seedTemplateType(seed);
+  const fullPath = `integrationSettings.settings.${templateType}.${namespace}.oauthConnector`;
+  if (isApiKeyOnly) {
+    // api_key-only: oauthConnector element with minimal children (so widget renders),
+    // plus custom field elements with full secret/config metadata.
+    const minimalChildren = [{
+      id: 'provider',
+      type: 'string',
+      label: 'Provider',
+      default: seed.providerId,
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      readOnly: true
+    }, {
+      id: 'providerTitle',
+      type: 'string',
+      label: 'Provider Title',
+      default: seed.title,
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      readOnly: true
+    }, {
+      id: 'providerUrl',
+      type: 'string',
+      label: 'Provider URL',
+      default: seed.providerUrl,
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      readOnly: true
+    }, {
+      id: 'description',
+      type: 'string',
+      label: 'Description',
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      default: seed.description,
+      readOnly: true
+    }, {
+      id: 'connectorType',
+      type: 'string',
+      label: 'Connector Type',
+      default: seed.connectorType,
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      readOnly: true
+    }, {
+      id: 'authMethod',
+      type: 'string',
+      label: 'Auth Method',
+      default: 'api_key',
+      scope: 2 /* ConfigurationScope.MACHINE */,
+      readOnly: true
+    }];
+    const minimalUiOverrides = {
+      provider: {
+        'ui:readonly': true
+      },
+      providerTitle: {
+        'ui:readonly': true
+      },
+      providerUrl: {
+        'ui:readonly': true
+      },
+      description: {
+        'ui:readonly': true
+      },
+      connectorType: {
+        'ui:widget': 'hidden'
+      },
+      authMethod: {}
+    };
+    const elements = [{
+      id: 'oauthConnector',
+      type: 'object',
+      label: 'OAuth Connector',
+      required: false,
+      description: seed.description || 'Connect to external providers',
+      connectorType: seed.connectorType,
+      widget: 'OAuthConnectorWidget',
+      uiField: 'OAuthConnectorField',
+      children: minimalChildren,
+      _widgetUiOverrides: minimalUiOverrides,
+      connectorProvider: seed.providerId,
+      connectorProviderTitle: seed.title,
+      connectorDescription: seed.description,
+      connectorCategory: seedCategory(seed),
+      ...(seed.connectorType === 'mcp' ? {
+        connectorMcpUrl: seed.providerUrl
+      } : {
+        connectorProviderUrl: seed.providerUrl
+      }),
+      connectorScopes: seed.scopes,
+      useCustomOAuthEndpoints: seed.useCustomOAuthEndpoints ?? false,
+      connectorAuthorizationUrl: seed.authorizationUrl || '',
+      connectorTokenUrl: seed.tokenUrl || '',
+      connectorRevocationUrl: seed.revocationUrl || '',
+      useBasicAuth: seed.useBasicAuth ?? false,
+      connectorRedirectUri: '{{CLIENT_URL}}/{{CONNECTOR_ENDPOINT}}',
+      // connectorAuthMethod — present only for non-oauth connectors (matches reference forms)
+      ...(!seed.authMethods.includes('oauth2') ? {
+        connectorAuthMethod: seedAuthMethodDefault(seed)
+      } : {}),
+      ...(seed.fields.length > 0 ? {
+        connectorProviderFields: seed.fields
+      } : {}),
+      ...(seed.resources.length > 0 ? {
+        connectorProviderResources: seed.resources
+      } : {}),
+      ...(seed.customButtons.length > 0 ? {
+        connectorProviderCustomButtons: seed.customButtons
+      } : {}),
+      addedFromStepperConfigToggle: true,
+      isSchemaElement: true,
+      sourceSchemaId: 'configuration',
+      fullPath,
+      contributionPoint: 'configuration.integrationSettings',
+      templateType,
+      namespace
+    }];
+    return [{
+      id: STEP_KEY,
+      title: 'Step 1',
+      elements
+    }];
+  }
+  // Full OAuth children
+  const children = [{
+    id: 'clientId',
+    type: 'string',
+    label: 'Client ID',
+    description: 'OAuth application client identifier',
+    format: 'secret',
+    readOnly: true,
+    default: '',
+    scope: isApp ? 6 /* ConfigurationScope.MACHINE_OVERRIDABLE */ : 1 /* ConfigurationScope.APPLICATION */,
+    schemaExtensions: {
+      defaultValueSource: {
+        type: ContributeDefaultValueSourceType.Vault,
+        secretType: 'OAUTH_CLIENT',
+        secretKey: `${vaultPrefix}_CLIENT_ID`,
+        ...(isApp ? {
+          requiredSignature: true
+        } : {})
+      }
+    }
+  }, {
+    id: 'clientSecret',
+    type: 'string',
+    label: 'Client Secret',
+    description: 'OAuth application client secret',
+    format: 'secret',
+    readOnly: true,
+    default: '',
+    scope: isApp ? 6 /* ConfigurationScope.MACHINE_OVERRIDABLE */ : 1 /* ConfigurationScope.APPLICATION */,
+    schemaExtensions: {
+      defaultValueSource: {
+        type: ContributeDefaultValueSourceType.Vault,
+        secretType: 'OAUTH_CLIENT',
+        secretKey: `${vaultPrefix}_CLIENT_SECRET`,
+        ...(isApp ? {
+          requiredSignature: true
+        } : {})
+      }
+    }
+  }, {
+    id: 'apiKey',
+    type: 'string',
+    label: 'API Key',
+    description: 'API Key for MCP integration',
+    format: 'secret',
+    writeOnly: true,
+    default: '',
+    scope: 4 /* ConfigurationScope.RESOURCE */,
+    schemaExtensions: {
+      defaultValueSource: {
+        type: ContributeDefaultValueSourceType.Vault,
+        secretType: 'API_KEY',
+        secretKey: `${vaultPrefix}_API_KEY`
+      }
+    }
+  }, {
+    id: 'accessToken',
+    type: 'string',
+    label: 'Access Token',
+    format: 'secret',
+    writeOnly: true,
+    default: '',
+    readOnly: true,
+    scope: 1 /* ConfigurationScope.APPLICATION */,
+    schemaExtensions: {
+      defaultValueSource: {
+        type: ContributeDefaultValueSourceType.Vault,
+        secretType: 'OAUTH_CLIENT',
+        secretKey: `${vaultPrefix}_ACCESS_TOKEN`
+      }
+    }
+  }, {
+    id: 'refreshToken',
+    type: 'string',
+    label: 'Refresh Token',
+    format: 'secret',
+    writeOnly: true,
+    default: '',
+    readOnly: true,
+    scope: 1 /* ConfigurationScope.APPLICATION */,
+    schemaExtensions: {
+      defaultValueSource: {
+        type: ContributeDefaultValueSourceType.Vault,
+        secretType: 'OAUTH_CLIENT',
+        secretKey: `${vaultPrefix}_REFRESH_TOKEN`
+      }
+    }
+  }, {
+    id: 'expiresAt',
+    type: 'number',
+    label: 'Expires At',
+    description: 'Access token expiry as Unix timestamp in milliseconds; 0 if unset',
+    default: 0,
+    readOnly: true,
+    scope: 1 /* ConfigurationScope.APPLICATION */
+  }, {
+    id: 'urlTemplateKeyValues',
+    type: 'string',
+    label: 'URL Template Key Values',
+    description: 'Stringified JSON of resolved values for URL template placeholders (e.g. {"zoho-region":"eu"})',
+    default: '{}',
+    readOnly: true,
+    scope: 1 /* ConfigurationScope.APPLICATION */
+  }, {
+    id: 'authRequestMeta',
+    type: 'string',
+    label: 'Auth Request Metadata',
+    description: 'Serialized OAuth authorization-request metadata (e.g. PKCE verifier, state) for session continuity',
+    default: '',
+    readOnly: true,
+    scope: 1 /* ConfigurationScope.APPLICATION */
+  }, {
+    id: 'provider',
+    type: 'string',
+    label: 'Provider',
+    default: seed.providerId,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'providerTitle',
+    type: 'string',
+    label: 'Provider Title',
+    default: seed.title,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'providerUrl',
+    type: 'string',
+    label: 'Provider URL',
+    default: seed.providerUrl,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'useCustomOAuthEndpoints',
+    type: 'boolean',
+    label: 'Use Custom OAuth Endpoints',
+    default: seed.useCustomOAuthEndpoints ?? false,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'authorizationUrl',
+    type: 'string',
+    label: 'Authorization URL',
+    default: seed.authorizationUrl || '',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'tokenUrl',
+    type: 'string',
+    label: 'Token URL',
+    default: seed.tokenUrl || '',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'revocationUrl',
+    type: 'string',
+    label: 'Revocation URL',
+    default: seed.revocationUrl || '',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'useBasicAuth',
+    type: 'boolean',
+    label: 'Use Basic Auth',
+    default: seed.useBasicAuth ?? false,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'redirectUri',
+    type: 'string',
+    label: 'Redirect URI',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    default: '{{CLIENT_URL}}/{{CONNECTOR_ENDPOINT}}',
+    readOnly: true,
+    defaultValueSource: {
+      type: ContributeDefaultValueSourceType.Environment
+    }
+  }, {
+    id: 'scopes',
+    type: 'array',
+    label: 'Scopes',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    default: seed.scopes,
+    readOnly: true
+  }, {
+    id: 'description',
+    type: 'string',
+    label: 'Description',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    default: seed.description,
+    readOnly: true
+  }, {
+    id: 'connectorType',
+    type: 'string',
+    label: 'Connector Type',
+    default: seed.connectorType,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'mcpUrl',
+    type: 'string',
+    label: 'MCP URL',
+    default: seed.mcpUrl || '',
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'authMethod',
+    type: 'string',
+    label: 'Auth Method',
+    default: seedAuthMethodDefault(seed),
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'mcpScopes',
+    type: 'array',
+    label: 'MCP Scopes',
+    default: seed.connectorType === 'mcp' ? seed.scopes : [],
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }, {
+    id: 'hideCredentials',
+    type: 'boolean',
+    label: 'Hide Credentials',
+    default: false,
+    scope: 2 /* ConfigurationScope.MACHINE */
+  }, {
+    id: 'isConnected',
+    type: 'boolean',
+    label: 'Connected',
+    default: false,
+    scope: 2 /* ConfigurationScope.MACHINE */,
+    readOnly: true
+  }];
+  const widgetUiOverrides = {
+    clientId: {
+      'ui:widget': 'hidden',
+      'ui:placeholder': 'Enter OAuth Client ID'
+    },
+    clientSecret: {
+      'ui:widget': 'hidden',
+      'ui:placeholder': 'Enter OAuth Client Secret'
+    },
+    apiKey: {
+      'ui:widget': seed.connectorType === 'mcp' || !seed.authMethods.includes('oauth2') ? 'password' : 'hidden',
+      'ui:placeholder': 'Enter API Key'
+    },
+    accessToken: {
+      'ui:widget': 'hidden'
+    },
+    refreshToken: {
+      'ui:widget': 'hidden'
+    },
+    expiresAt: {
+      'ui:widget': 'hidden'
+    },
+    urlTemplateKeyValues: {
+      'ui:widget': 'hidden'
+    },
+    authRequestMeta: {
+      'ui:widget': 'hidden'
+    },
+    provider: {
+      'ui:readonly': true
+    },
+    providerTitle: {
+      'ui:readonly': true
+    },
+    providerUrl: {
+      'ui:readonly': true
+    },
+    useCustomOAuthEndpoints: {
+      'ui:readonly': true
+    },
+    authorizationUrl: {
+      'ui:readonly': true
+    },
+    tokenUrl: {
+      'ui:readonly': true
+    },
+    revocationUrl: {
+      'ui:readonly': true
+    },
+    redirectUri: {
+      'ui:readonly': true
+    },
+    scopes: {
+      'ui:readonly': true,
+      'ui:widget': 'chips'
+    },
+    description: {
+      'ui:readonly': true
+    },
+    connectorType: {
+      'ui:widget': 'hidden'
+    },
+    mcpUrl: {
+      'ui:readonly': true
+    },
+    authMethod: {},
+    mcpScopes: {
+      'ui:readonly': true,
+      'ui:widget': 'chips'
+    },
+    hideCredentials: {
+      'ui:widget': 'hidden'
+    },
+    isConnected: {
+      'ui:widget': 'hidden'
+    }
+  };
+  return [{
+    id: STEP_KEY,
+    title: 'Step 1',
+    elements: [{
+      id: 'oauthConnector',
+      type: 'object',
+      label: 'OAuth Connector',
+      required: false,
+      description: seed.description || 'Connect to external OAuth providers',
+      connectorType: seed.connectorType,
+      widget: 'OAuthConnectorWidget',
+      uiField: 'OAuthConnectorField',
+      children,
+      _widgetUiOverrides: widgetUiOverrides,
+      connectorProvider: seed.providerId,
+      connectorProviderTitle: seed.title,
+      connectorDescription: seed.description,
+      connectorCategory: seedCategory(seed),
+      ...(seed.connectorType === 'mcp' ? {
+        connectorMcpUrl: seed.providerUrl
+      } : {
+        connectorProviderUrl: seed.providerUrl
+      }),
+      connectorScopes: seed.scopes,
+      useCustomOAuthEndpoints: seed.useCustomOAuthEndpoints ?? false,
+      connectorAuthorizationUrl: seed.authorizationUrl || '',
+      connectorTokenUrl: seed.tokenUrl || '',
+      connectorRevocationUrl: seed.revocationUrl || '',
+      useBasicAuth: seed.useBasicAuth ?? false,
+      connectorRedirectUri: '{{CLIENT_URL}}/{{CONNECTOR_ENDPOINT}}',
+      // connectorAuthMethod — present only for non-oauth connectors (matches reference forms)
+      ...(!seed.authMethods.includes('oauth2') ? {
+        connectorAuthMethod: seedAuthMethodDefault(seed)
+      } : {}),
+      ...(seed.fields.length > 0 ? {
+        connectorProviderFields: seed.fields
+      } : {}),
+      ...(seed.resources.length > 0 ? {
+        connectorProviderResources: seed.resources
+      } : {}),
+      ...(seed.customButtons.length > 0 ? {
+        connectorProviderCustomButtons: seed.customButtons
+      } : {}),
+      addedFromStepperConfigToggle: true,
+      isSchemaElement: true,
+      sourceSchemaId: 'configuration',
+      fullPath,
+      contributionPoint: 'configuration.integrationSettings',
+      templateType,
+      namespace
+    }]
+  }];
+}
+const buildCategoryKeyLookup = () => {
+  const lookup = new Map();
+  const prefix = 'uiLayout.credential.templates.';
+  const suffix = '.value';
+  for (const [key, value] of Object.entries(CONTRIBUTION_POINTS)) {
+    if (key.startsWith(prefix) && key.endsWith(suffix)) {
+      lookup.set(value, key.slice(prefix.length, -suffix.length));
+    }
+  }
+  return lookup;
+};
+const CATEGORY_KEY_LOOKUP = buildCategoryKeyLookup();
+const categoryToTemplateTypeKey = category => {
+  const key = CATEGORY_KEY_LOOKUP.get(category);
+  if (!key) {
+    throw new Error(`No contribution-point template type found for category "${category}"`);
+  }
+  return key;
+};
+function buildOAuthConfigurationContribution(seedsWithNamespaces) {
+  const formProperties = {
+    required: []
+  };
+  const formUIProperties = {};
+  const metaPaths = new Set();
+  for (const {
+    seed,
+    namespace
+  } of seedsWithNamespaces) {
+    const vaultPrefix = toVaultPrefix(seed.providerId);
+    const isApp = seed.connectorType === 'app';
+    const isApiKeyOnly = seedIsApiKeyOnly(seed);
+    const templateType = seedTemplateType(seed);
+    const basePath = `integrationSettings.settings.${templateType}.${namespace}.oauthConnector`;
+    // Helper to add a config field under the oauthConnector basePath
+    const addField = (fieldName, def, uiDef) => {
+      formProperties[`${basePath}.${fieldName}`] = {
+        ...def,
+        fieldMeta: {
+          addedFromStepperConfigToggle: true
+        }
+      };
+      if (uiDef && Object.keys(uiDef).length > 0) {
+        formUIProperties[`${basePath}.${fieldName}`] = uiDef;
+      }
+    };
+    // Register oauthConnector path + all parents for meta entries (always, so widget renders)
+    const baseParts = basePath.split('.');
+    for (let i = 1; i < baseParts.length; i++) {
+      metaPaths.add(baseParts.slice(0, i).join('.'));
+    }
+    metaPaths.add(basePath);
+    // Root OAuthConnector UI entry (always, so widget renders)
+    // Include ui:options so providerFields / authMethods survive the $ref resolution
+    const uiOptions = {
+      provider: seed.providerId,
+      connectorType: seed.connectorType,
+      defaultAuthMethod: seedAuthMethodDefault(seed)
+    };
+    if (seed.authMethods.length > 0) uiOptions.authMethods = seed.authMethods;
+    if (seed.clientAuthMethod) uiOptions.defaultClientAuthMethod = seed.clientAuthMethod;
+    if (seed.usePKCE !== undefined) uiOptions.usePKCE = seed.usePKCE;
+    uiOptions.category = seedCategory(seed);
+    if (seed.fields.length > 0) {
+      const genericTypeCounts = buildGenericTypeCounts(seed.fields);
+      uiOptions.providerFields = seed.fields.map(field => field.isConfigField ? {
+        ...field,
+        keyReference: `${basePath}.${resolveFieldKey(field, genericTypeCounts)}`,
+        schemaReference: 'configuration'
+      } : field);
+    }
+    if (seed.resources.length > 0) uiOptions.providerResources = seed.resources;
+    if (seed.customButtons.length > 0) uiOptions.providerCustomButtons = seed.customButtons;
+    formUIProperties[basePath] = {
+      'ui:widget': 'OAuthConnectorWidget',
+      'ui:field': 'OAuthConnectorField',
+      'ui:options': uiOptions
+    };
+    // ── OAuth sub-fields — only for non-api_key-only connectors ─────
+    if (!isApiKeyOnly) {
+      addField('clientId', {
+        type: 'string',
+        title: 'Client ID',
+        description: 'OAuth application client identifier',
+        format: 'secret',
+        default: '',
+        readOnly: true,
+        scope: isApp ? 6 /* ConfigurationScope.MACHINE_OVERRIDABLE */ : 1 /* ConfigurationScope.APPLICATION */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Vault,
+          secretType: 'OAUTH_CLIENT',
+          secretKey: `${vaultPrefix}_CLIENT_ID`,
+          ...(isApp ? {
+            requiredSignature: true
+          } : {})
+        }
+      }, {
+        'ui:widget': 'hidden',
+        'ui:description': 'OAuth application client identifier',
+        'ui:placeholder': 'Enter OAuth Client ID'
+      });
+      addField('clientSecret', {
+        type: 'string',
+        title: 'Client Secret',
+        description: 'OAuth application client secret',
+        format: 'secret',
+        default: '',
+        readOnly: true,
+        scope: isApp ? 6 /* ConfigurationScope.MACHINE_OVERRIDABLE */ : 1 /* ConfigurationScope.APPLICATION */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Vault,
+          secretType: 'OAUTH_CLIENT',
+          secretKey: `${vaultPrefix}_CLIENT_SECRET`,
+          ...(isApp ? {
+            requiredSignature: true
+          } : {})
+        }
+      }, {
+        'ui:widget': 'hidden',
+        'ui:description': 'OAuth application client secret',
+        'ui:placeholder': 'Enter OAuth Client Secret'
+      });
+      addField('apiKey', {
+        type: 'string',
+        title: 'API Key',
+        description: 'API Key for MCP integration',
+        format: 'secret',
+        default: '',
+        writeOnly: true,
+        scope: 4 /* ConfigurationScope.RESOURCE */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Vault,
+          secretType: 'API_KEY',
+          secretKey: `${vaultPrefix}_API_KEY`
+        }
+      }, {
+        'ui:widget': !seed.authMethods.includes('oauth2') ? 'password' : 'hidden',
+        'ui:description': 'API Key for MCP integration',
+        'ui:placeholder': 'Enter API Key'
+      });
+      addField('accessToken', {
+        type: 'string',
+        title: 'Access Token',
+        description: '',
+        format: 'secret',
+        default: '',
+        readOnly: true,
+        writeOnly: true,
+        scope: 1 /* ConfigurationScope.APPLICATION */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Vault,
+          secretType: 'OAUTH_CLIENT',
+          secretKey: `${vaultPrefix}_ACCESS_TOKEN`
+        }
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('refreshToken', {
+        type: 'string',
+        title: 'Refresh Token',
+        description: '',
+        format: 'secret',
+        default: '',
+        readOnly: true,
+        writeOnly: true,
+        scope: 1 /* ConfigurationScope.APPLICATION */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Vault,
+          secretType: 'OAUTH_CLIENT',
+          secretKey: `${vaultPrefix}_REFRESH_TOKEN`
+        }
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('expiresAt', {
+        type: 'number',
+        title: 'Expires At',
+        description: 'Access token expiry as Unix timestamp in milliseconds; 0 if unset',
+        default: 0,
+        readOnly: true,
+        scope: 1 /* ConfigurationScope.APPLICATION */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('urlTemplateKeyValues', {
+        type: 'string',
+        title: 'URL Template Key Values',
+        description: 'Stringified JSON of resolved values for URL template placeholders (e.g. {"zoho-region":"eu"})',
+        default: '{}',
+        readOnly: true,
+        scope: 1 /* ConfigurationScope.APPLICATION */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('authRequestMeta', {
+        type: 'string',
+        title: 'Auth Request Metadata',
+        description: 'Serialized OAuth authorization-request metadata (e.g. PKCE verifier, state) for session continuity',
+        default: '',
+        readOnly: true,
+        scope: 1 /* ConfigurationScope.APPLICATION */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('provider', {
+        type: 'string',
+        title: 'Provider',
+        default: seed.providerId,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('providerTitle', {
+        type: 'string',
+        title: 'Provider Title',
+        default: seed.title,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('providerUrl', {
+        type: 'string',
+        title: 'Provider URL',
+        default: seed.providerUrl,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('useCustomOAuthEndpoints', {
+        type: 'boolean',
+        title: 'Use Custom OAuth Endpoints',
+        default: seed.useCustomOAuthEndpoints ?? false,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('authorizationUrl', {
+        type: 'string',
+        title: 'Authorization URL',
+        default: seed.authorizationUrl || '',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('tokenUrl', {
+        type: 'string',
+        title: 'Token URL',
+        default: seed.tokenUrl || '',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('revocationUrl', {
+        type: 'string',
+        title: 'Revocation URL',
+        default: seed.revocationUrl || '',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('useBasicAuth', {
+        type: 'boolean',
+        title: 'Use Basic Auth',
+        default: seed.useBasicAuth ?? false,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      if (seed.clientAuthMethod) {
+        addField('clientAuthMethod', {
+          type: 'string',
+          title: 'Client Auth Method',
+          default: seed.clientAuthMethod,
+          readOnly: true,
+          scope: 2 /* ConfigurationScope.MACHINE */
+        }, {
+          'ui:widget': 'hidden'
+        });
+      }
+      addField('redirectUri', {
+        type: 'string',
+        title: 'Redirect URI',
+        default: '{{CLIENT_URL}}/{{CONNECTOR_ENDPOINT}}',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */,
+        defaultValueSource: {
+          type: ContributeDefaultValueSourceType.Environment
+        }
+      }, {
+        'ui:readonly': true
+      });
+      addField('scopes', {
+        type: 'string',
+        title: 'Scopes',
+        default: seed.scopes,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true,
+        'ui:widget': 'chips'
+      });
+      addField('description', {
+        type: 'string',
+        title: 'Description',
+        default: seed.description,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('connectorType', {
+        type: 'string',
+        title: 'Connector Type',
+        default: seed.connectorType,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('mcpUrl', {
+        type: 'string',
+        title: 'MCP URL',
+        default: seed.mcpUrl || '',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('authMethod', {
+        type: 'string',
+        title: 'Auth Method',
+        default: seedAuthMethodDefault(seed),
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {});
+      addField('mcpScopes', {
+        type: 'string',
+        title: 'MCP Scopes',
+        default: seed.connectorType === 'mcp' ? seed.scopes : [],
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true,
+        'ui:widget': 'chips'
+      });
+      addField('hideCredentials', {
+        type: 'string',
+        title: 'Hide Credentials',
+        default: false,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('isConnected', {
+        type: 'string',
+        title: 'Connected',
+        default: false,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:widget': 'hidden'
+      });
+    } else {
+      // api_key-only: still need minimal sub-fields so the widget can render
+      addField('provider', {
+        type: 'string',
+        title: 'Provider',
+        default: seed.providerId,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('providerTitle', {
+        type: 'string',
+        title: 'Provider Title',
+        default: seed.title,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('providerUrl', {
+        type: 'string',
+        title: 'Provider URL',
+        default: seed.providerUrl,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('description', {
+        type: 'string',
+        title: 'Description',
+        default: seed.description,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:readonly': true
+      });
+      addField('connectorType', {
+        type: 'string',
+        title: 'Connector Type',
+        default: seed.connectorType,
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {
+        'ui:widget': 'hidden'
+      });
+      addField('authMethod', {
+        type: 'string',
+        title: 'Auth Method',
+        default: 'api_key',
+        readOnly: true,
+        scope: 2 /* ConfigurationScope.MACHINE */
+      }, {});
+    }
+    // Custom isConfigField fields should also be written into configuration schema.
+    const customFieldGenericCounts = buildGenericTypeCounts(seed.fields);
+    for (const field of seed.fields) {
+      if (!field.isConfigField) continue;
+      const fieldPath = `${basePath}.${resolveFieldKey(field, customFieldGenericCounts)}`;
+      const fieldDef = {
+        type: field.type,
+        title: field.label,
+        description: field.description || '',
+        fieldMeta: {
+          addedFromStepperConfigToggle: true
+        },
+        required: field.required,
+        scope: field.scope || 4 /* ConfigurationScope.RESOURCE */
+      };
+      if (field.isSecret && field.secretSource) {
+        fieldDef.format = 'secret';
+        fieldDef.writeOnly = true;
+        fieldDef['x-env'] = {
+          isEnvironmentVariable: true,
+          vaultKeyName: field.secretSource.secretKey,
+          secretType: field.secretSource.secretType
+        };
+        fieldDef.defaultValueSource = {
+          type: field.secretSource.type,
+          secretType: field.secretSource.secretType,
+          secretKey: field.secretSource.secretKey
+        };
+        fieldDef.isEnvironmentVariable = true;
+        fieldDef.secretType = field.secretSource.secretType;
+        fieldDef.vaultKeyName = field.secretSource.secretKey;
+        if (field.placeholder) fieldDef.placeholder = field.placeholder;
+      }
+      formProperties[fieldPath] = fieldDef;
+      const uiEntry = {};
+      if (field.uiWidget && field.uiWidget !== 'text') {
+        uiEntry['ui:widget'] = field.uiWidget;
+      }
+      if (field.placeholder) {
+        uiEntry['ui:placeholder'] = field.placeholder;
+      }
+      if (Object.keys(uiEntry).length > 0) {
+        formUIProperties[fieldPath] = uiEntry;
+      }
+      // Ensure meta paths include this custom field path.
+      const parts = fieldPath.split('.');
+      for (let i = 1; i < parts.length; i++) {
+        metaPaths.add(parts.slice(0, i).join('.'));
+      }
+    }
+  }
+  // Build meta entries for all parent paths
+  const sortedMeta = Array.from(metaPaths).sort();
+  for (const path of sortedMeta) {
+    const parts = path.split('.');
+    formProperties[`${path}.meta`] = {
+      title: parts[parts.length - 1],
+      description: '',
+      type: 'object',
+      position: 0
+    };
+    formProperties[`${path}.required`] = [];
+  }
+  return [{
+    type: 'form-metadata',
+    properties: {
+      schemaId: 'configuration'
+    }
+  }, {
+    type: 'form',
+    properties: formProperties
+  }, {
+    type: 'formUI',
+    properties: formUIProperties
+  }];
+}
+function generateFromSeeds(seeds, title, formIcon, formExtensionId) {
+  const allNodes = [];
+  const mergedUiLayoutTemplates = {};
+  const mergedUiLayoutUi = {};
+  let uiLayoutFormMetadataNode = null;
+  const seedsWithNamespaces = [];
+  seeds.forEach((seed, idx) => {
+    const generatedFormId = `${sanitizeFieldKey(seed.providerId)}-${seed.connectorType}-${Math.random().toString(36).substring(2, 10)}`;
+    const providerTitle = `${seed.title} (${seed.connectorType.toUpperCase()})`;
+    const namespace = generatedFormId;
+    seedsWithNamespaces.push({
+      seed,
+      namespace
+    });
+    // ── Stepper-form: minimal form node with $ref to configuration ──
+    seedIsApiKeyOnly(seed);
+    const formProperties = {
+      required: [],
+      [`${STEP_KEY}.meta`]: {
+        title: 'Step 1',
+        description: '',
+        type: 'object',
+        position: 0
+      },
+      [`${STEP_KEY}.required`]: []
+    };
+    // oauthConnector $ref — always present so the widget renders for all forms
+    formProperties[`${STEP_KEY}.oauthConnector`] = {
+      $ref: `configuration#/properties/integrationSettings.settings.${seedTemplateType(seed)}.${namespace}.oauthConnector`
+    };
+    // Custom isConfigField fields are rendered inside the OAuthConnectorWidget
+    // via connectorProviderFields — no standalone $refs needed in the stepper form.
+    const formNode = {
+      type: 'form',
+      properties: formProperties
+    };
+    const formUINode = {
+      type: 'formUI',
+      properties: {
+        [STEP_KEY]: {
+          'ui:options': {}
+        }
+      }
+    };
+    const definitionsNode = {
+      type: 'definitions',
+      properties: {}
+    };
+    const connectionsNode = {
+      type: 'connections',
+      properties: {
+        type: 'connections',
+        'properties.steps.0': STEP_KEY,
+        [`properties.transitions.${STEP_KEY}`]: {}
+      }
+    };
+    const buttonsNode = buildCustomButtonsNode(seed);
+    const resourcesNode = buildResourcesNode(seed);
+    const inngestNode = buildInngestNode();
+    const formDataNode = {
+      type: 'formData',
+      properties: {}
+    };
+    // form-metadata goes LAST (matches manual GUI pattern)
+    const formMetadataNode = {
+      type: 'form-metadata',
+      properties: {
+        title: providerTitle,
+        formIcon: seed.formIcon || '',
+        id: generatedFormId,
+        category: seedCategory(seed),
+        preGeneratedFormSteps: buildPreGeneratedFormSteps(seed, namespace)
+      }
+    };
+    // Emit nodes: form-metadata FIRST (parseSampleNodes splits groups at form-metadata boundaries)
+    allNodes.push(formMetadataNode, formNode, formUINode);
+    allNodes.push(definitionsNode, connectionsNode);
+    allNodes.push(buttonsNode || {
+      type: 'customButtons',
+      properties: {}
+    });
+    allNodes.push(resourcesNode || {
+      type: 'resources',
+      properties: {}
+    });
+    allNodes.push(inngestNode);
+    allNodes.push(formDataNode);
+    // Build merged uiLayout (single record)
+    // Only build the metadata node once
+    if (!uiLayoutFormMetadataNode) {
+      uiLayoutFormMetadataNode = {
+        type: 'form-metadata',
+        properties: {
+          id: 'uilayout-oauth',
+          title: 'uiLayout',
+          schemaId: 'uiLayout',
+          contributionPoint: 'credential',
+          namespace: 'templates'
+        }
+      };
+    }
+    // Add to merged templates — key must match formId (same pattern as commonApiSample)
+    const hasDualAuth = seed.connectorType === 'app' && seed.authMethods.includes('api_key') && seed.authMethods.includes('oauth2');
+    const templateProperties = {
+      templateName: {
+        type: 'string',
+        title: 'templateName',
+        default: providerTitle,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      projectType: {
+        type: 'string',
+        title: 'projectType',
+        default: seed.connectorType === 'mcp' ? 'MCP' : !seed.authMethods.includes('oauth2') && (seed.authMethods.includes('api_key') || seed.authMethods.includes('bearer_token')) ? 'API' : 'OAuth',
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      description: {
+        type: 'string',
+        title: 'description',
+        default: seed.description || `${seed.title} connector template`,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      tags: {
+        type: 'array',
+        title: 'tags',
+        items: {
+          type: 'string'
+        },
+        uniqueItems: true,
+        default: [seed.providerId, seed.connectorType, 'connector'],
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      keywords: {
+        type: 'array',
+        title: 'keywords',
+        items: {
+          type: 'string'
+        },
+        uniqueItems: true,
+        default: seed.connectorType === 'mcp' ? [seed.providerId, 'mcp', seed.authMethods.includes('oauth2') ? 'oauth' : 'api-key'] : !seed.authMethods.includes('oauth2') && seed.authMethods.includes('api_key') ? [seed.providerId, 'api', 'api-key'] : [seed.providerId, seed.connectorType, 'oauth widget'],
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      formId: {
+        type: 'string',
+        title: 'formId',
+        default: generatedFormId,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      formExtensionId: {
+        type: 'string',
+        title: 'formExtensionId',
+        default: formExtensionId,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      },
+      formIcon: {
+        type: 'string',
+        title: 'formIcon',
+        default: seed.formIcon || '',
+        scope: 3 /* ConfigurationScope.WINDOW */
+      }
+    };
+    if (hasDualAuth) {
+      templateProperties.apiKeyEnabled = {
+        type: 'boolean',
+        title: 'apiKeyEnabled',
+        default: true,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      };
+      templateProperties.oAuthEnabled = {
+        type: 'boolean',
+        title: 'oAuthEnabled',
+        default: false,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      };
+    } else {
+      // If connectorType is 'app' and only oauth2 is present, enabled should be false
+      const isAppOnlyOauth = seed.connectorType === 'app' && seed.authMethods.length === 1 && seed.authMethods[0] === 'oauth2';
+      templateProperties.enabled = {
+        type: 'boolean',
+        title: 'enabled',
+        default: !isAppOnlyOauth,
+        scope: 3 /* ConfigurationScope.WINDOW */
+      };
+    }
+    mergedUiLayoutTemplates[generatedFormId] = {
+      type: 'object',
+      title: providerTitle,
+      properties: templateProperties,
+      required: []
+    };
+    const templateUi = {
+      templateName: {
+        'ui:widget': 'text'
+      },
+      projectType: {
+        'ui:widget': 'text'
+      },
+      description: {
+        'ui:widget': 'textarea',
+        'ui:options': {
+          rows: 2
+        }
+      },
+      tags: {
+        'ui:widget': 'chips',
+        'ui:options': {
+          label: false
+        }
+      },
+      keywords: {
+        'ui:widget': 'chips',
+        'ui:options': {
+          label: false
+        }
+      },
+      formId: {
+        'ui:readonly': true
+      },
+      formExtensionId: {
+        'ui:readonly': true
+      },
+      formIcon: {
+        'ui:widget': 'text'
+      }
+    };
+    if (hasDualAuth) {
+      templateUi.apiKeyEnabled = {
+        'ui:widget': 'switch'
+      };
+      templateUi.oAuthEnabled = {
+        'ui:widget': 'switch'
+      };
+    } else {
+      templateUi.enabled = {
+        'ui:widget': 'switch'
+      };
+    }
+    mergedUiLayoutUi[generatedFormId] = templateUi;
+  });
+  // Compose a single flattened uiLayout schema record for all providers, with '{credentialPath}.{category}.' prefix
+  // Group by connector category so each provider lands under its actual category key
+  const credentialBasePath = CONTRIBUTION_POINTS['uiLayout.credential.path'];
+  const prefixedTemplates = {};
+  const prefixedUi = {};
+  // Build a namespace→category lookup from seeds using contribution-point template type keys
+  const nsToCategoryMap = new Map();
+  seedsWithNamespaces.forEach(({
+    seed,
+    namespace
+  }) => {
+    nsToCategoryMap.set(namespace, categoryToTemplateTypeKey(seedCategory(seed)));
+  });
+  Object.keys(mergedUiLayoutTemplates).forEach(key => {
+    const categoryKey = nsToCategoryMap.get(key);
+    if (!categoryKey) throw new Error(`Missing category mapping for namespace "${key}"`);
+    prefixedTemplates[`${credentialBasePath}.${categoryKey}.${key}`] = mergedUiLayoutTemplates[key];
+  });
+  Object.keys(mergedUiLayoutUi).forEach(key => {
+    const categoryKey = nsToCategoryMap.get(key);
+    if (!categoryKey) throw new Error(`Missing category mapping for namespace "${key}"`);
+    prefixedUi[`${credentialBasePath}.${categoryKey}.${key}`] = mergedUiLayoutUi[key];
+  });
+  const uiLayoutSchema = {
+    type: 'object',
+    properties: {
+      ...prefixedTemplates
+    }
+  };
+  const uiLayoutUiSchema = {
+    ...prefixedUi
+  };
+  const flattenedUiLayout = flattenSchemas({
+    formSchema: uiLayoutSchema,
+    uiSchema: uiLayoutUiSchema
+  });
+  const uiLayoutFormNode = {
+    type: 'form',
+    properties: flattenedUiLayout.formSchema || {}
+  };
+  const uiLayoutFormUINode = {
+    type: 'formUI',
+    properties: flattenedUiLayout.uiSchema || {}
+  };
+  // Merged configuration contribution (ALWAYS emitted)
+  allNodes.push(...buildOAuthConfigurationContribution(seedsWithNamespaces));
+  if (!uiLayoutFormMetadataNode) return allNodes;
+  return [...allNodes, uiLayoutFormMetadataNode, uiLayoutFormNode, uiLayoutFormUINode];
+}
+function createOAuthSeedGenerator(seeds) {
+  return (title = '', formIcon = '', formExtensionId = '') => generateFromSeeds(seeds, title, formIcon, formExtensionId);
+}
+// create provider refs
+const findRefPath = node => {
+  if (!node || typeof node !== 'object') return null;
+  if (typeof node.$ref === 'string') return node.$ref;
+  for (const value of Object.values(node)) {
+    if (Array.isArray(value)) {
+      for (const entry of value) {
+        const found = findRefPath(entry);
+        if (found) return found;
+      }
+    } else if (value && typeof value === 'object') {
+      const found = findRefPath(value);
+      if (found) return found;
+    }
+  }
+  return null;
+};
+const buildProviderWithRefs = (provider, sampleNodes) => {
+  const refPath = findRefPath({
+    nodes: sampleNodes
+  });
+  const refMatch = refPath && /integrationSettings\.settings\.([^.]+)\.([^.]+)\.oauthConnector/.exec(refPath);
+  const templateType = refMatch?.[1];
+  const namespace = refMatch?.[2];
+  const basePath = templateType && namespace ? `integrationSettings.settings.${templateType}.${namespace}.oauthConnector` : null;
+  if (!basePath) return provider;
+  const providerFieldGenericCounts = buildGenericTypeCounts(provider.fields);
+  return {
+    ...provider,
+    fields: provider.fields.map(field => {
+      if (!field.isConfigField) return field;
+      return {
+        ...field,
+        keyReference: `${basePath}.${resolveFieldKey(field, providerFieldGenericCounts)}`,
+        schemaReference: 'configuration'
+      };
+    })
+  };
+};
+const buildMetadataSchema = sampleNodes => {
+  const parsed = parseSampleNodes(sampleNodes, 'stepper-form', 'Multi Form');
+  const mainNodes = parsed.mainMetadataNode ? [parsed.mainMetadataNode, ...parsed.mainNodes] : parsed.mainNodes;
+  return [{
+    schemaId: 'stepper-form',
+    formId: parsed.mainMetadataNode?.properties?.id || '',
+    integrationConfigurationId: null,
+    type: 'Multi Form',
+    configurationNodes: mainNodes
+  }, ...parsed.additionalSchemas.map(entry => ({
+    schemaId: entry.schemaId,
+    formId: entry.formId || '',
+    integrationConfigurationId: null,
+    type: entry.type || 'Contribution',
+    configurationNodes: entry.configurationNodes,
+    contributes: {}
+  }))];
+};export{buildMetadataSchema,buildProviderConfig,buildProviderSeedFromConfig,buildProviderWithRefs,createOAuthSeedGenerator};//# sourceMappingURL=authMetaDataSchema.js.map