@agentforge-io/core 0.2.0 → 2.0.0

package/dist/services/agent-runner.service.d.ts

@@ -26,9 +26,17 @@ export declare class AgentRunnerService {
      *   - `extras`: a name→definition map so `dispatchTool` can route execution
      *     for tools that aren't in the global registry
      *
-     * Extras with the same name as a global tool shadow the global one — useful
-     * when a connector wants to override the built-in `http_request`, for
-     * example. The shadowing only lasts for this call.
+     * **Connector tools follow the same whitelist as global tools.** An extra
+     * is only injected if its name appears in `agent.tools[]`. That keeps
+     * "an agent only sees what its definition declares" — a single contract
+     * for built-ins, MCP tools, and connector tools alike. Without this
+     * filter, any agent run by a user with Gmail/Drive/... connected would
+     * silently gain access to those APIs, which is both a security hole and
+     * makes curation impossible.
+     *
+     * Extras with the same name as a global tool shadow the global one —
+     * useful when a connector wants to override the built-in `http_request`,
+     * for example. The shadowing only lasts for this call.
      */
     private buildToolList;
     private dispatchTool;

package/dist/services/agent-runner.service.js

@@ -193,17 +193,28 @@ class AgentRunnerService {
      *   - `extras`: a name→definition map so `dispatchTool` can route execution
      *     for tools that aren't in the global registry
      *
-     * Extras with the same name as a global tool shadow the global one — useful
-     * when a connector wants to override the built-in `http_request`, for
-     * example. The shadowing only lasts for this call.
+     * **Connector tools follow the same whitelist as global tools.** An extra
+     * is only injected if its name appears in `agent.tools[]`. That keeps
+     * "an agent only sees what its definition declares" — a single contract
+     * for built-ins, MCP tools, and connector tools alike. Without this
+     * filter, any agent run by a user with Gmail/Drive/... connected would
+     * silently gain access to those APIs, which is both a security hole and
+     * makes curation impossible.
+     *
+     * Extras with the same name as a global tool shadow the global one —
+     * useful when a connector wants to override the built-in `http_request`,
+     * for example. The shadowing only lasts for this call.
      */
     buildToolList(agent, overrides) {
         const fromRegistry = agent.tools?.length
             ? this.toolRegistry.getToolsForAgent(agent.id, agent.tools)
             : [];
+        const allowed = new Set(agent.tools ?? []);
         const extras = new Map();
         const extrasSchema = [];
         for (const t of overrides?.extraTools ?? []) {
+            if (!allowed.has(t.name))
+                continue;
             extras.set(t.name, t);
             extrasSchema.push({
                 name: t.name,

package/dist/services/agent.service.d.ts

@@ -29,6 +29,18 @@ export interface AgentRecord {
     mcpServers?: McpServerConfig[];
     metadata?: Record<string, unknown>;
     isActive?: boolean;
+    /**
+     * When set, connector tools (Gmail, Drive, ...) are resolved against
+     * this user's OAuth authorizations instead of the caller's. Used by
+     * public-chat agents — a visitor's browser session can leverage the
+     * agent owner's authorized connectors without exposing the owner's
+     * identity in the conversation record.
+     *
+     * Leave undefined for personal agents where the caller owns the
+     * connectors themselves; in that case the SDK falls back to the
+     * caller's userId, preserving the original behavior.
+     */
+    connectorOwnerUserId?: string;
 }
 /**
  * Host-supplied resolver for per-tenant agent configurations. The SDK never

package/dist/services/agent.service.js

@@ -157,7 +157,11 @@ class AgentService {
             role: 'user',
             content: params.content,
         });
-        const extraTools = await this.resolveExtraTools(params.userId);
+        // Connector tools follow `agent.connectorOwnerUserId` when the
+        // resolved agent declares one (e.g. a public-chat agent reusing the
+        // owner's Gmail authorization); otherwise they fall back to the
+        // caller's userId, which is the historical personal-agent path.
+        const extraTools = await this.resolveExtraTools(agent.connectorOwnerUserId ?? params.userId);
         const response = await this.runner.run(agent, messages, {
             userId: params.userId,
             conversationId: params.conversationId,
@@ -217,7 +221,10 @@ class AgentService {
         });
         let fullContent = '';
         let finalUsage = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
-        const extraTools = await this.resolveExtraTools(params.userId);
+        // Same precedence as sendMessage — agent.connectorOwnerUserId takes
+        // priority so a public-chat agent always uses the owner's connector
+        // toolbelt regardless of which visitor session is streaming.
+        const extraTools = await this.resolveExtraTools(agent.connectorOwnerUserId ?? params.userId);
         for await (const chunk of this.runner.stream(agent, messages, {
             userId: params.userId,
             conversationId: params.conversationId,
@@ -325,5 +332,6 @@ function toAgentDefinition(record) {
         tools: record.tools,
         mcpServers: record.mcpServers,
         metadata: record.metadata,
+        connectorOwnerUserId: record.connectorOwnerUserId,
     };
 }

package/dist/services/connector-registry.service.d.ts

@@ -143,6 +143,23 @@ export declare class ConnectorRegistryService {
     }>;
     listForUser(userId: string): Promise<ConnectorStatus[]>;
     disconnect(userId: string, connectorId: string): Promise<void>;
+    /**
+     * Returns the full catalog of tool *definitions* across every registered
+     * connector, regardless of whether any user has authorized them. Used by
+     * the agent-editor UI so an operator can whitelist connector tools per
+     * agent the same way they whitelist built-ins — the runner enforces the
+     * whitelist via `agent.tools[]`, so listing here doesn't grant access.
+     *
+     * No tokens are surfaced and no `execute` is returned: this view is
+     * deliberately metadata-only.
+     */
+    availableTools(): Array<{
+        name: string;
+        description: string;
+        connectorId: string;
+        connectorName: string;
+        inputSchema: unknown;
+    }>;
     /**
      * Returns the toolbelt for `userId`: one `AgentToolDefinition` per tool
      * of every connector the user has authorized. Each handler is bound to a

package/dist/services/connector-registry.service.js

@@ -179,6 +179,32 @@ class ConnectorRegistryService {
             throw new ConnectorError('not_connected', 'No active auth row');
         await this.deps.authRepo.delete(a.id);
     }
+    // ─── Catalog (no auth) ───────────────────────────────────────────────────
+    /**
+     * Returns the full catalog of tool *definitions* across every registered
+     * connector, regardless of whether any user has authorized them. Used by
+     * the agent-editor UI so an operator can whitelist connector tools per
+     * agent the same way they whitelist built-ins — the runner enforces the
+     * whitelist via `agent.tools[]`, so listing here doesn't grant access.
+     *
+     * No tokens are surfaced and no `execute` is returned: this view is
+     * deliberately metadata-only.
+     */
+    availableTools() {
+        const out = [];
+        for (const def of this.defs.values()) {
+            for (const factory of def.tools) {
+                out.push({
+                    name: factory.definition.name,
+                    description: factory.definition.description,
+                    connectorId: def.id,
+                    connectorName: def.name,
+                    inputSchema: factory.definition.inputSchema,
+                });
+            }
+        }
+        return out;
+    }
     // ─── Per-user tool synthesis ─────────────────────────────────────────────
     /**
      * Returns the toolbelt for `userId`: one `AgentToolDefinition` per tool

package/dist/types/config.types.d.ts

@@ -94,6 +94,15 @@ export interface AgentDefinition {
     requiredPlan?: string[];
     /** Custom metadata */
     metadata?: Record<string, unknown>;
+    /**
+     * When set, connector tools (Gmail, Drive, ...) are resolved against
+     * this user's OAuth authorizations instead of the caller's. Lets a
+     * public-chat agent reuse the agent owner's authorized connectors
+     * while keeping the conversation scoped to the visitor. Leave
+     * undefined for personal agents — the SDK falls back to the caller's
+     * userId, preserving the original behavior.
+     */
+    connectorOwnerUserId?: string;
 }
 /**
  * Configuration for an MCP server the runtime should connect to.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentforge-io/core",
-  "version": "0.2.0",
+  "version": "2.0.0",
   "description": "Framework-free AI runtime SDK. Owns: agent loop (Anthropic), conversations, tools, streaming, agent-job queue, SdkHooks. Identity, billing, infra (email/uploads/secrets) live in the host's modules — not here.",
   "license": "MIT",
   "main": "dist/index.js",