@agentforge-io/core 1.0.0 → 2.0.1

package/dist/services/agent-runner.service.d.ts

@@ -26,9 +26,17 @@ export declare class AgentRunnerService {
      *   - `extras`: a name→definition map so `dispatchTool` can route execution
      *     for tools that aren't in the global registry
      *
-     * Extras with the same name as a global tool shadow the global one — useful
-     * when a connector wants to override the built-in `http_request`, for
-     * example. The shadowing only lasts for this call.
+     * **Connector tools follow the same whitelist as global tools.** An extra
+     * is only injected if its name appears in `agent.tools[]`. That keeps
+     * "an agent only sees what its definition declares" — a single contract
+     * for built-ins, MCP tools, and connector tools alike. Without this
+     * filter, any agent run by a user with Gmail/Drive/... connected would
+     * silently gain access to those APIs, which is both a security hole and
+     * makes curation impossible.
+     *
+     * Extras with the same name as a global tool shadow the global one —
+     * useful when a connector wants to override the built-in `http_request`,
+     * for example. The shadowing only lasts for this call.
      */
     private buildToolList;
     private dispatchTool;

package/dist/services/agent-runner.service.js

@@ -193,17 +193,28 @@ class AgentRunnerService {
      *   - `extras`: a name→definition map so `dispatchTool` can route execution
      *     for tools that aren't in the global registry
      *
-     * Extras with the same name as a global tool shadow the global one — useful
-     * when a connector wants to override the built-in `http_request`, for
-     * example. The shadowing only lasts for this call.
+     * **Connector tools follow the same whitelist as global tools.** An extra
+     * is only injected if its name appears in `agent.tools[]`. That keeps
+     * "an agent only sees what its definition declares" — a single contract
+     * for built-ins, MCP tools, and connector tools alike. Without this
+     * filter, any agent run by a user with Gmail/Drive/... connected would
+     * silently gain access to those APIs, which is both a security hole and
+     * makes curation impossible.
+     *
+     * Extras with the same name as a global tool shadow the global one —
+     * useful when a connector wants to override the built-in `http_request`,
+     * for example. The shadowing only lasts for this call.
      */
     buildToolList(agent, overrides) {
         const fromRegistry = agent.tools?.length
             ? this.toolRegistry.getToolsForAgent(agent.id, agent.tools)
             : [];
+        const allowed = new Set(agent.tools ?? []);
         const extras = new Map();
         const extrasSchema = [];
         for (const t of overrides?.extraTools ?? []) {
+            if (!allowed.has(t.name))
+                continue;
             extras.set(t.name, t);
             extrasSchema.push({
                 name: t.name,

package/dist/services/connector-registry.service.d.ts

@@ -143,6 +143,23 @@ export declare class ConnectorRegistryService {
     }>;
     listForUser(userId: string): Promise<ConnectorStatus[]>;
     disconnect(userId: string, connectorId: string): Promise<void>;
+    /**
+     * Returns the full catalog of tool *definitions* across every registered
+     * connector, regardless of whether any user has authorized them. Used by
+     * the agent-editor UI so an operator can whitelist connector tools per
+     * agent the same way they whitelist built-ins — the runner enforces the
+     * whitelist via `agent.tools[]`, so listing here doesn't grant access.
+     *
+     * No tokens are surfaced and no `execute` is returned: this view is
+     * deliberately metadata-only.
+     */
+    availableTools(): Array<{
+        name: string;
+        description: string;
+        connectorId: string;
+        connectorName: string;
+        inputSchema: unknown;
+    }>;
     /**
      * Returns the toolbelt for `userId`: one `AgentToolDefinition` per tool
      * of every connector the user has authorized. Each handler is bound to a

package/dist/services/connector-registry.service.js

@@ -179,6 +179,32 @@ class ConnectorRegistryService {
             throw new ConnectorError('not_connected', 'No active auth row');
         await this.deps.authRepo.delete(a.id);
     }
+    // ─── Catalog (no auth) ───────────────────────────────────────────────────
+    /**
+     * Returns the full catalog of tool *definitions* across every registered
+     * connector, regardless of whether any user has authorized them. Used by
+     * the agent-editor UI so an operator can whitelist connector tools per
+     * agent the same way they whitelist built-ins — the runner enforces the
+     * whitelist via `agent.tools[]`, so listing here doesn't grant access.
+     *
+     * No tokens are surfaced and no `execute` is returned: this view is
+     * deliberately metadata-only.
+     */
+    availableTools() {
+        const out = [];
+        for (const def of this.defs.values()) {
+            for (const factory of def.tools) {
+                out.push({
+                    name: factory.definition.name,
+                    description: factory.definition.description,
+                    connectorId: def.id,
+                    connectorName: def.name,
+                    inputSchema: factory.definition.inputSchema,
+                });
+            }
+        }
+        return out;
+    }
     // ─── Per-user tool synthesis ─────────────────────────────────────────────
     /**
      * Returns the toolbelt for `userId`: one `AgentToolDefinition` per tool

package/dist/services/index.d.ts

@@ -1,4 +1,4 @@
-export { ToolRegistryService, type Logger } from './tool-registry.service';
+export { ToolRegistryService, type Logger, type ToolDescription, } from './tool-registry.service';
 export { AgentRunnerService } from './agent-runner.service';
 export { PreparedStreamService, PreparedStreamError, } from './prepared-stream.service';
 export { InMemoryPreparedStreamStore } from './in-memory-prepared-stream.store';

package/dist/services/tool-registry.service.d.ts

@@ -39,4 +39,13 @@ export interface ToolDescription {
     description: string;
     inputSchema: Record<string, unknown>;
     agents?: string[];
+    /**
+     * Set when this tool comes from an OAuth connector (Gmail, Drive, …)
+     * rather than the global built-in registry. The UI groups the picker
+     * by this id so operators can see at a glance which provider each
+     * tool belongs to. Built-in tools leave this undefined.
+     */
+    connectorId?: string;
+    /** Human-readable connector label paired with `connectorId`. */
+    connectorName?: string;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentforge-io/core",
-  "version": "1.0.0",
+  "version": "2.0.1",
   "description": "Framework-free AI runtime SDK. Owns: agent loop (Anthropic), conversations, tools, streaming, agent-job queue, SdkHooks. Identity, billing, infra (email/uploads/secrets) live in the host's modules — not here.",
   "license": "MIT",
   "main": "dist/index.js",