@agentforge-io/core 3.0.1 → 3.3.0

package/dist/domain/connector-auth.d.ts

@@ -62,6 +62,18 @@ export interface ConnectorAuth {
     /** Soft toggle. UI revoke flips this to false and the runtime stops
      *  resolving the token for tool calls. */
     isActive: boolean;
+    /**
+     * Per-installation context captured at authorize-time. Carries the
+     * data the tool runtime + refresh path need that is NOT in the token
+     * itself: today only `shop` (for Shopify, where the API base is
+     * `https://{shop}.myshopify.com/admin/api/...`).
+     *
+     * Free-form JSONB so future per-installation providers (Atlassian
+     * Cloud `cloudId`, Intercom region, etc.) can stamp their own keys
+     * without another schema bump. Connectors are responsible for
+     * documenting which keys they read.
+     */
+    metadata?: Record<string, unknown>;
     createdAt: Date;
     updatedAt: Date;
 }

package/dist/services/connector-registry.service.d.ts

@@ -5,7 +5,7 @@ import type { ToolRegistryService } from './tool-registry.service';
 import type { AgentToolDefinition } from '../types';
 export declare class ConnectorError extends Error {
     status: number;
-    code: 'unknown_connector' | 'not_connected' | 'not_configured' | 'invalid_state' | 'token_exchange_failed' | 'invalid_api_key' | 'wrong_auth_kind';
+    code: 'unknown_connector' | 'not_connected' | 'not_configured' | 'invalid_state' | 'token_exchange_failed' | 'invalid_api_key' | 'wrong_auth_kind' | 'missing_installation_context';
     constructor(code: ConnectorError['code'], message: string);
 }
 /**
@@ -35,6 +35,18 @@ export interface AuthorizeState {
      * persisted row and in the UI as "Connected by [Admin Name]".
      */
     tenantId?: string;
+    /**
+     * Per-installation domain captured at authorize-time and propagated
+     * to the token-exchange step. Only used by providers whose OAuth URLs
+     * are per-shop (Shopify); for the other connectors this stays
+     * undefined and `OAuth2Service.resolveEndpoints` falls back to the
+     * static URLs.
+     *
+     * Persisted on the resulting `ConnectorAuth.metadata.shop` so the
+     * connector's tool runtime + the refresh path can reconstruct the
+     * per-shop API base without round-tripping to the user.
+     */
+    shop?: string;
 }
 /**
  * Pluggable storage for the short-lived state map. Defaults to an
@@ -137,6 +149,7 @@ export declare class ConnectorRegistryService {
     get(connectorId: string): ConnectorDefinition;
     startAuthorize(connectorId: string, userId: string, redirectUri: string, opts?: {
         tenantId?: string;
+        shop?: string;
     }): Promise<{
         url: string;
     }>;
@@ -220,6 +233,7 @@ export declare class ConnectorRegistryService {
         userId: string;
         connectedByUserId?: string;
         accountLabel?: string;
+        metadata?: Record<string, unknown>;
     }): Promise<void>;
     /**
      * Encrypt tokens and compute `expiresAt`. Shared by both the

package/dist/services/connector-registry.service.js

@@ -139,13 +139,23 @@ class ConnectorRegistryService {
             throw new ConnectorError('not_configured', `Connector "${connectorId}" is not configured — the operator must ` +
                 `set its OAuth credentials before users can connect.`);
         }
-        const { url, state, pkceVerifier } = this.deps.oauth.buildAuthorizeUrl(def.oauth, redirectUri);
+        // Per-installation providers (Shopify) require a `shop` so the
+        // service can pick the right per-shop authorize URL. Fail loud
+        // here rather than at the provider — the alternative is a generic
+        // "invalid_client" round-trip with no breadcrumb.
+        if (def.oauth.resolveEndpoints && !opts?.shop) {
+            throw new ConnectorError('missing_installation_context', `Connector "${connectorId}" requires a per-installation domain ` +
+                `(e.g. shop) in startAuthorize opts. The connector defines ` +
+                `resolveEndpoints but no shop was provided.`);
+        }
+        const { url, state, pkceVerifier } = this.deps.oauth.buildAuthorizeUrl(def.oauth, redirectUri, opts?.shop ? { shop: opts.shop } : undefined);
         await this.stateStore.set(state, {
             userId,
             connectorId,
             pkceVerifier,
             createdAt: Date.now(),
             tenantId: opts?.tenantId,
+            shop: opts?.shop,
         });
         return { url };
     }
@@ -172,7 +182,7 @@ class ConnectorRegistryService {
         }
         let tokens;
         try {
-            tokens = await this.deps.oauth.exchangeCode(def.oauth, code, redirectUri, ctx.pkceVerifier);
+            tokens = await this.deps.oauth.exchangeCode(def.oauth, code, redirectUri, ctx.pkceVerifier, ctx.shop ? { shop: ctx.shop } : undefined);
         }
         catch (e) {
             throw new ConnectorError('token_exchange_failed', e.message);
@@ -183,11 +193,16 @@ class ConnectorRegistryService {
         // user-scoped grants in the personal lane (one row per
         // `(userId, connectorId)`). Both branches share the cipher + token
         // shape via `buildAuthFields`.
+        //
+        // For per-installation providers (Shopify) we also stamp
+        // `metadata.shop` so the tool runtime + refresh path can
+        // reconstruct the per-shop API base without a round-trip.
+        const metadata = ctx.shop ? { shop: ctx.shop } : undefined;
         if (ctx.tenantId) {
-            await this.upsertAuthForTenant(ctx.tenantId, ctx.connectorId, tokens, { userId: ctx.userId });
+            await this.upsertAuthForTenant(ctx.tenantId, ctx.connectorId, tokens, { userId: ctx.userId, metadata });
         }
         else {
-            await this.upsertAuth(ctx.userId, ctx.connectorId, tokens);
+            await this.upsertAuth(ctx.userId, ctx.connectorId, tokens, { metadata });
         }
         return {
             connectorId: ctx.connectorId,
@@ -332,13 +347,14 @@ class ConnectorRegistryService {
         return tools;
     }
     // ─── Internals ───────────────────────────────────────────────────────────
-    async upsertAuth(userId, connectorId, tokens) {
+    async upsertAuth(userId, connectorId, tokens, opts) {
         const existing = await this.deps.authRepo.findByUserAndConnector(userId, connectorId);
         const fields = this.buildAuthFields(tokens);
         if (existing) {
             await this.deps.authRepo.update(existing.id, {
                 ...fields,
                 isActive: true,
+                ...(opts?.metadata ? { metadata: opts.metadata } : {}),
             });
         }
         else {
@@ -352,6 +368,7 @@ class ConnectorRegistryService {
                 // satisfies the contract.
                 accessTokenEncrypted: fields.accessTokenEncrypted,
                 isActive: true,
+                metadata: opts?.metadata,
             });
         }
     }
@@ -378,6 +395,7 @@ class ConnectorRegistryService {
                 // reflects who last attached the integration.
                 connectedByUserId,
                 ...(opts.accountLabel ? { accountLabel: opts.accountLabel } : {}),
+                ...(opts.metadata ? { metadata: opts.metadata } : {}),
             });
         }
         else {
@@ -391,6 +409,7 @@ class ConnectorRegistryService {
                 accessTokenEncrypted: fields.accessTokenEncrypted,
                 accountLabel: opts.accountLabel,
                 isActive: true,
+                metadata: opts.metadata,
             });
         }
     }

package/dist/services/oauth2.service.d.ts

@@ -54,6 +54,42 @@ export interface OAuth2ProviderConfig {
      * every existing connector relies on it.
      */
     tokenAuth?: 'body' | 'basic';
+    /**
+     * Optional URL resolver for providers whose OAuth endpoints depend on
+     * per-installation context. Shopify is the canonical case: the
+     * authorize URL is `https://{shop}.myshopify.com/admin/oauth/authorize`
+     * and the token URL is `https://{shop}.myshopify.com/admin/oauth/access_token`
+     * — neither can be a static string.
+     *
+     * When set, the service calls this hook at authorize-time AND
+     * token-exchange/refresh-time, using the returned URLs INSTEAD of
+     * `authorizeUrl` / `tokenUrl`. The static fields stay required (used
+     * as the fallback when no `builderCtx` is passed) so existing call
+     * sites don't crash.
+     *
+     * The returned shape is `{ authorizeUrl, tokenUrl }` — same two fields
+     * — because Shopify (and similar providers) move both endpoints to
+     * the same per-shop domain. Returning both keeps the resolver atomic:
+     * we never get into a state where the authorize URL points at shop A
+     * and the token URL points at shop B.
+     */
+    resolveEndpoints?: (ctx: OAuthBuilderContext) => {
+        authorizeUrl: string;
+        tokenUrl: string;
+    };
+}
+/**
+ * Context handed to `OAuth2ProviderConfig.resolveEndpoints` when the
+ * provider's URLs are per-installation. Optional fields so providers
+ * can subscribe to whatever they need; today only `shop` is used (by
+ * Shopify), but we leave room for future regional providers (Atlassian
+ * Cloud, Google Workspace EU, etc.) without another minor bump.
+ */
+export interface OAuthBuilderContext {
+    /** Per-installation domain. For Shopify: `tienda.myshopify.com`. */
+    shop?: string;
+    /** Optional region hint for providers with regional endpoints. */
+    region?: string;
 }
 export interface AuthorizeUrlResult {
     url: string;
@@ -84,9 +120,19 @@ interface OAuth2ServiceDeps {
 export declare class OAuth2Service {
     private readonly fetchImpl;
     constructor(deps?: OAuth2ServiceDeps);
-    buildAuthorizeUrl(cfg: OAuth2ProviderConfig, redirectUri: string): AuthorizeUrlResult;
-    exchangeCode(cfg: OAuth2ProviderConfig, code: string, redirectUri: string, pkceVerifier?: string): Promise<TokenSet>;
-    refresh(cfg: OAuth2ProviderConfig, refreshToken: string): Promise<TokenSet>;
+    buildAuthorizeUrl(cfg: OAuth2ProviderConfig, redirectUri: string, builderCtx?: OAuthBuilderContext): AuthorizeUrlResult;
+    exchangeCode(cfg: OAuth2ProviderConfig, code: string, redirectUri: string, pkceVerifier?: string, builderCtx?: OAuthBuilderContext): Promise<TokenSet>;
+    refresh(cfg: OAuth2ProviderConfig, refreshToken: string, builderCtx?: OAuthBuilderContext): Promise<TokenSet>;
+    /**
+     * Resolve the actual (authorizeUrl, tokenUrl) pair for a given call.
+     * When the provider declares `resolveEndpoints`, the resolver is
+     * invoked with the per-call context (e.g. `{ shop }` for Shopify);
+     * otherwise we fall back to the static fields. This is the single
+     * choke point so authorize / exchange / refresh stay in sync — there
+     * is no path where authorize uses the per-shop URL but refresh
+     * accidentally hits the static one.
+     */
+    private resolveEndpoints;
     private postToken;
 }
 export {};

package/dist/services/oauth2.service.js

@@ -12,7 +12,8 @@ class OAuth2Service {
     constructor(deps = {}) {
         this.fetchImpl = deps.fetchImpl ?? fetch;
     }
-    buildAuthorizeUrl(cfg, redirectUri) {
+    buildAuthorizeUrl(cfg, redirectUri, builderCtx) {
+        const resolved = this.resolveEndpoints(cfg, builderCtx);
         const state = (0, crypto_1.randomBytes)(16).toString('hex');
         const usePkce = cfg.usePkce !== false;
         const params = {
@@ -30,12 +31,12 @@ class OAuth2Service {
             params.code_challenge = challenge;
             params.code_challenge_method = 'S256';
         }
-        const url = new URL(cfg.authorizeUrl);
+        const url = new URL(resolved.authorizeUrl);
         for (const [k, v] of Object.entries(params))
             url.searchParams.set(k, v);
         return { url: url.toString(), state, pkceVerifier };
     }
-    async exchangeCode(cfg, code, redirectUri, pkceVerifier) {
+    async exchangeCode(cfg, code, redirectUri, pkceVerifier, builderCtx) {
         const body = new URLSearchParams({
             grant_type: 'authorization_code',
             code,
@@ -51,9 +52,9 @@ class OAuth2Service {
         }
         if (pkceVerifier)
             body.set('code_verifier', pkceVerifier);
-        return this.postToken(cfg, body);
+        return this.postToken(cfg, body, builderCtx);
     }
-    async refresh(cfg, refreshToken) {
+    async refresh(cfg, refreshToken, builderCtx) {
         const body = new URLSearchParams({
             grant_type: 'refresh_token',
             refresh_token: refreshToken,
@@ -62,9 +63,25 @@ class OAuth2Service {
             body.set('client_id', cfg.clientId);
             body.set('client_secret', cfg.clientSecret);
         }
-        return this.postToken(cfg, body);
+        return this.postToken(cfg, body, builderCtx);
     }
-    async postToken(cfg, body) {
+    /**
+     * Resolve the actual (authorizeUrl, tokenUrl) pair for a given call.
+     * When the provider declares `resolveEndpoints`, the resolver is
+     * invoked with the per-call context (e.g. `{ shop }` for Shopify);
+     * otherwise we fall back to the static fields. This is the single
+     * choke point so authorize / exchange / refresh stay in sync — there
+     * is no path where authorize uses the per-shop URL but refresh
+     * accidentally hits the static one.
+     */
+    resolveEndpoints(cfg, builderCtx) {
+        if (cfg.resolveEndpoints) {
+            return cfg.resolveEndpoints(builderCtx ?? {});
+        }
+        return { authorizeUrl: cfg.authorizeUrl, tokenUrl: cfg.tokenUrl };
+    }
+    async postToken(cfg, body, builderCtx) {
+        const resolved = this.resolveEndpoints(cfg, builderCtx);
         const headers = {
             'content-type': 'application/x-www-form-urlencoded',
             accept: 'application/json',
@@ -76,14 +93,14 @@ class OAuth2Service {
             const credentials = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString('base64');
             headers.authorization = `Basic ${credentials}`;
         }
-        const res = await this.fetchImpl(cfg.tokenUrl, {
+        const res = await this.fetchImpl(resolved.tokenUrl, {
             method: 'POST',
             headers,
             body: body.toString(),
         });
         if (!res.ok) {
             const text = await res.text().catch(() => '');
-            throw new Error(`OAuth2 token endpoint ${cfg.tokenUrl} returned ${res.status}: ${text}`);
+            throw new Error(`OAuth2 token endpoint ${resolved.tokenUrl} returned ${res.status}: ${text}`);
         }
         const json = (await res.json());
         const tokens = cfg.tokenExtractor
@@ -95,7 +112,7 @@ class OAuth2Service {
         // here with a descriptive error so the connector author knows their
         // extractor (or the default) missed the token.
         if (!tokens.accessToken) {
-            throw new Error(`OAuth2 token endpoint ${cfg.tokenUrl} returned a response without an access token. ` +
+            throw new Error(`OAuth2 token endpoint ${resolved.tokenUrl} returned a response without an access token. ` +
                 'If the provider uses a non-standard envelope, supply `tokenExtractor` on the ConnectorDefinition.');
         }
         return tokens;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentforge-io/core",
-  "version": "3.0.1",
+  "version": "3.3.0",
   "description": "Framework-free AI runtime SDK. Owns: agent loop (Anthropic), conversations, tools, streaming, agent-job queue, SdkHooks. Identity, billing, infra (email/uploads/secrets) live in the host's modules — not here.",
   "license": "MIT",
   "main": "dist/index.js",