npm - @cat-factory/integrations - Versions diffs - 0.6.0 - Mend

@cat-factory/integrations 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/dist/modules/documents/notion.logic.js ADDED Viewed

@@ -0,0 +1,142 @@
+// Notion-specific pure logic, kept out of the worker so it is unit-testable
+// without a live workspace: parsing/normalizing a page id out of user input, and
+// converting Notion block JSON into the lightweight Markdown the generic planner
+// consumes. The fetch itself (a single integration token, no per-site base URL —
+// so no SSRF surface) lives in the worker's NotionProvider.
+/** What the connect UI renders, and which credentials the provider needs. */
+export const NOTION_DESCRIPTOR = {
+    source: 'notion',
+    label: 'Notion',
+    icon: 'i-lucide-notebook-text',
+    credentialFields: [
+        {
+            key: 'apiToken',
+            label: 'Internal integration token',
+            secret: true,
+            placeholder: 'ntn_… or secret_…',
+            help: 'Create an internal integration at notion.so/my-integrations, then share each page with it',
+        },
+    ],
+    refLabel: 'Page URL or ID',
+    refPlaceholder: 'https://notion.so/Title-abc123…  or  the page id',
+    searchable: true,
+};
+/**
+ * Map a Notion `/v1/search` response into lean hits, keeping only pages (the API
+ * also returns databases). The page title is read from its `properties` exactly
+ * as the single-page fetch does, so list + import titles agree.
+ */
+export function parseNotionSearchResults(json) {
+    const body = (json ?? {});
+    const out = [];
+    for (const row of Array.isArray(body.results) ? body.results : []) {
+        if (row.object && row.object !== 'page')
+            continue;
+        const id = row.id;
+        if (!id)
+            continue;
+        out.push({
+            source: 'notion',
+            externalId: formatNotionId(id.replace(/-/g, '')),
+            title: notionPageTitle(row.properties),
+            url: row.url ?? `https://www.notion.so/${id.replace(/-/g, '')}`,
+            excerpt: '',
+        });
+    }
+    return out;
+}
+/** Format 32 hex chars as a canonical dashed Notion/UUID id. */
+export function formatNotionId(hex32) {
+    const h = hex32.toLowerCase();
+    return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+/**
+ * Resolve a Notion page id from raw user input: a bare id (dashed UUID or 32 hex
+ * chars), or any Notion URL whose last path segment ends in the id. Returns the
+ * canonical dashed id, or null if none is found.
+ */
+export function parseNotionRef(input) {
+    // Drop query/hash, then scan for a UUID-shaped (dashes optional) run; the page
+    // id is the last such run (workspace URLs may carry a leading slug or id).
+    const cleaned = input.trim().split(/[?#]/)[0];
+    const matches = cleaned.match(/[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}/g);
+    if (!matches || matches.length === 0)
+        return null;
+    const hex = matches[matches.length - 1].replace(/-/g, '');
+    if (hex.length !== 32)
+        return null;
+    return formatNotionId(hex);
+}
+function richTextOf(block) {
+    const payload = block.type
+        ? block[block.type]
+        : undefined;
+    const rich = payload?.rich_text;
+    if (!Array.isArray(rich))
+        return '';
+    return rich
+        .map((r) => r.plain_text ?? '')
+        .join('')
+        .trim();
+}
+/**
+ * Convert a Notion page's top-level blocks into the lightweight Markdown the
+ * generic planner/excerpt logic consumes: headings become `#`/`##`/`###`, list
+ * items / to-dos become `- `, and other text blocks become plain lines.
+ */
+export function notionBlocksToMarkdown(blocks) {
+    const lines = [];
+    for (const block of blocks) {
+        const text = richTextOf(block);
+        switch (block.type) {
+            case 'heading_1':
+                lines.push(`# ${text}`);
+                break;
+            case 'heading_2':
+                lines.push(`## ${text}`);
+                break;
+            case 'heading_3':
+                lines.push(`### ${text}`);
+                break;
+            case 'bulleted_list_item':
+            case 'numbered_list_item':
+            case 'to_do':
+                if (text)
+                    lines.push(`- ${text}`);
+                break;
+            case 'paragraph':
+            case 'quote':
+            case 'callout':
+            case 'toggle':
+            case 'code':
+                if (text)
+                    lines.push(text);
+                break;
+            default:
+                if (text)
+                    lines.push(text);
+        }
+    }
+    return lines
+        .join('\n')
+        .replace(/\n{3,}/g, '\n\n')
+        .trim();
+}
+/** Extract a page title from a Notion page object's `properties`. */
+export function notionPageTitle(properties) {
+    if (!properties)
+        return '(untitled)';
+    for (const value of Object.values(properties)) {
+        const prop = value;
+        if (prop?.type === 'title' && Array.isArray(prop.title)) {
+            const text = prop.title
+                .map((r) => r.plain_text ?? '')
+                .join('')
+                .trim();
+            if (text)
+                return text;
+        }
+    }
+    return '(untitled)';
+}
+//# sourceMappingURL=notion.logic.js.map

package/dist/modules/documents/notion.logic.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"notion.logic.js","sourceRoot":"","sources":["../../../src/modules/documents/notion.logic.ts"],"names":[],"mappings":"AAEA,4EAA4E;AAC5E,iFAAiF;AACjF,iFAAiF;AACjF,iFAAiF;AACjF,4DAA4D;AAE5D,6EAA6E;AAC7E,MAAM,CAAC,MAAM,iBAAiB,GAA6B;IACzD,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;IACf,IAAI,EAAE,wBAAwB;IAC9B,gBAAgB,EAAE;QAChB;YACE,GAAG,EAAE,UAAU;YACf,KAAK,EAAE,4BAA4B;YACnC,MAAM,EAAE,IAAI;YACZ,WAAW,EAAE,mBAAmB;YAChC,IAAI,EAAE,2FAA2F;SAClG;KACF;IACD,QAAQ,EAAE,gBAAgB;IAC1B,cAAc,EAAE,kDAAkD;IAClE,UAAU,EAAE,IAAI;CACjB,CAAA;AAWD;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAa;IACpD,MAAM,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,CAAyB,CAAA;IACjD,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAClE,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM;YAAE,SAAQ;QACjD,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,CAAA;QACjB,IAAI,CAAC,EAAE;YAAE,SAAQ;QACjB,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,QAAQ;YAChB,UAAU,EAAE,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAChD,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC;YACtC,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,yBAAyB,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE;YAC/D,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;IACJ,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAA;IAC7B,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAA;AACtG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,+EAA+E;IAC/E,2EAA2E;IAC3E,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAE,CAAA;IAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAC3B,kFAAkF,CACnF,CAAA;IACD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACjD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IAC1D,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,IAAI,CAAA;IAClC,OAAO,cAAc,CAAC,GAAG,CAAC,CAAA;AAC5B,CAAC;AAcD,SAAS,UAAU,CAAC,KAAkB;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI;QACxB,CAAC,CAAE,KAAK,CAAC,KAAK,CAAC,IAAI,CAA4C;QAC/D,CAAC,CAAC,SAAS,CAAA;IACb,MAAM,IAAI,GAAG,OAAO,EAAE,SAAS,CAAA;IAC/B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAA;IACnC,OAAO,IAAI;SACR,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;SAC9B,IAAI,CAAC,EAAE,CAAC;SACR,IAAI,EAAE,CAAA;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAqB;IAC1D,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAA;QAC9B,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,WAAW;gBACd,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAA;gBACvB,MAAK;YACP,KAAK,WAAW;gBACd,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAA;gBACxB,MAAK;YACP,KAAK,WAAW;gBACd,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAA;gBACzB,MAAK;YACP,KAAK,oBAAoB,CAAC;YAC1B,KAAK,oBAAoB,CAAC;YAC1B,KAAK,OAAO;gBACV,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAA;gBACjC,MAAK;YACP,KAAK,WAAW,CAAC;YACjB,KAAK,OAAO,CAAC;YACb,KAAK,SAAS,CAAC;YACf,KAAK,QAAQ,CAAC;YACd,KAAK,MAAM;gBACT,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC1B,MAAK;YACP;gBACE,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IACD,OAAO,KAAK;SACT,IAAI,CAAC,IAAI,CAAC;SACV,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC;SAC1B,IAAI,EAAE,CAAA;AACX,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAAC,UAA+C;IAC7E,IAAI,CAAC,UAAU;QAAE,OAAO,YAAY,CAAA;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,KAA8C,CAAA;QAC3D,IAAI,IAAI,EAAE,IAAI,KAAK,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;iBAC9B,IAAI,CAAC,EAAE,CAAC;iBACR,IAAI,EAAE,CAAA;YACT,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;QACvB,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAA;AACrB,CAAC"}

package/dist/modules/email/EmailConnectionService.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { Clock, EmailConnectionRepository, EmailProviderKind, EmailSender, SecretCipher } from '@cat-factory/kernel';
+/** Safe connection metadata exposed to clients (never the API key). */
+export interface EmailConnection {
+    provider: EmailProviderKind;
+    fromAddress: string;
+    connectedAt: number;
+}
+export interface EmailConnectionServiceDependencies {
+    emailConnectionRepository: EmailConnectionRepository;
+    secretCipher: SecretCipher;
+    clock: Clock;
+}
+export declare class EmailConnectionService {
+    private readonly deps;
+    constructor(deps: EmailConnectionServiceDependencies);
+    /** Connect an account's email sender by storing the provider + sealed API key. */
+    connect(accountId: string, input: {
+        provider: EmailProviderKind;
+        apiKey: string;
+        fromAddress: string;
+    }): Promise<EmailConnection>;
+    /** The account's current connection (safe metadata), or null. */
+    getConnection(accountId: string): Promise<EmailConnection | null>;
+    /** Disconnect the account's email sender (tombstones the binding). */
+    disconnect(accountId: string): Promise<void>;
+    /**
+     * Build a ready-to-send EmailSender for an account by decrypting its API key, or
+     * null when the account has no connection. The resolver the invitation flow uses.
+     */
+    resolveSender(accountId: string): Promise<EmailSender | null>;
+    /** Send a test email through the account's configured sender (UI "send test"). */
+    sendTest(accountId: string, to: string): Promise<void>;
+}
+//# sourceMappingURL=EmailConnectionService.d.ts.map

package/dist/modules/email/EmailConnectionService.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EmailConnectionService.d.ts","sourceRoot":"","sources":["../../../src/modules/email/EmailConnectionService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,KAAK,EAEL,yBAAyB,EAEzB,iBAAiB,EACjB,WAAW,EACX,YAAY,EACb,MAAM,qBAAqB,CAAA;AAU5B,uEAAuE;AACvE,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,kCAAkC;IACjD,yBAAyB,EAAE,yBAAyB,CAAA;IACpD,YAAY,EAAE,YAAY,CAAA;IAC1B,KAAK,EAAE,KAAK,CAAA;CACb;AAUD,qBAAa,sBAAsB;IACrB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,kCAAkC,EAAI;IAEzE,kFAAkF;IAC5E,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE;QAAE,QAAQ,EAAE,iBAAiB,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,eAAe,CAAC,CAmB1B;IAED,iEAAiE;IAC3D,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAItE;IAED,sEAAsE;IAChE,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIjD;IAED;;;OAGG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAUlE;IAED,kFAAkF;IAC5E,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAU3D;CACF"}

package/dist/modules/email/EmailConnectionService.js ADDED Viewed

@@ -0,0 +1,82 @@
+import { ValidationError } from '@cat-factory/kernel';
+import { createEmailSender } from './adapters.js';
+function toConnection(record) {
+    return {
+        provider: record.provider,
+        fromAddress: record.fromAddress,
+        connectedAt: record.createdAt,
+    };
+}
+export class EmailConnectionService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /** Connect an account's email sender by storing the provider + sealed API key. */
+    async connect(accountId, input) {
+        if (!input.apiKey.trim())
+            throw new ValidationError('API key is required');
+        if (!input.fromAddress.trim())
+            throw new ValidationError('From address is required');
+        // getByAccount already filters tombstones, so a present record is a live one whose
+        // original createdAt we preserve; a reconnect after disconnect starts a fresh one.
+        const existing = await this.deps.emailConnectionRepository.getByAccount(accountId);
+        const apiKeyCipher = await this.deps.secretCipher.encrypt(input.apiKey.trim());
+        const now = this.deps.clock.now();
+        const record = {
+            accountId,
+            provider: input.provider,
+            fromAddress: input.fromAddress.trim(),
+            apiKeyCipher,
+            createdAt: existing ? existing.createdAt : now,
+            updatedAt: now,
+            deletedAt: null,
+        };
+        await this.deps.emailConnectionRepository.upsert(record);
+        return toConnection(record);
+    }
+    /** The account's current connection (safe metadata), or null. */
+    async getConnection(accountId) {
+        const record = await this.deps.emailConnectionRepository.getByAccount(accountId);
+        if (!record || record.deletedAt)
+            return null;
+        return toConnection(record);
+    }
+    /** Disconnect the account's email sender (tombstones the binding). */
+    async disconnect(accountId) {
+        const record = await this.deps.emailConnectionRepository.getByAccount(accountId);
+        if (!record || record.deletedAt)
+            return;
+        await this.deps.emailConnectionRepository.softDelete(accountId, this.deps.clock.now());
+    }
+    /**
+     * Build a ready-to-send EmailSender for an account by decrypting its API key, or
+     * null when the account has no connection. The resolver the invitation flow uses.
+     */
+    async resolveSender(accountId) {
+        const record = await this.deps.emailConnectionRepository.getByAccount(accountId);
+        if (!record || record.deletedAt)
+            return null;
+        const apiKey = await this.deps.secretCipher.decrypt(record.apiKeyCipher);
+        return createEmailSender({
+            provider: record.provider,
+            from: record.fromAddress,
+            sendgrid: record.provider === 'sendgrid' ? { apiKey } : undefined,
+            resend: record.provider === 'resend' ? { apiKey } : undefined,
+        });
+    }
+    /** Send a test email through the account's configured sender (UI "send test"). */
+    async sendTest(accountId, to) {
+        const sender = await this.resolveSender(accountId);
+        if (!sender)
+            throw new ValidationError('No email sender is connected for this account');
+        const message = {
+            to,
+            subject: 'Cat Factory email test',
+            text: 'Your Cat Factory email sender is configured correctly.',
+            html: '<p>Your Cat Factory email sender is configured correctly.</p>',
+        };
+        await sender.send(message);
+    }
+}
+//# sourceMappingURL=EmailConnectionService.js.map

package/dist/modules/email/EmailConnectionService.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EmailConnectionService.js","sourceRoot":"","sources":["../../../src/modules/email/EmailConnectionService.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAqBjD,SAAS,YAAY,CAAC,MAA6B;IACjD,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,SAAS;KAC9B,CAAA;AACH,CAAC;AAED,MAAM,OAAO,sBAAsB;IACJ,IAAI;IAAjC,YAA6B,IAAwC;oBAAxC,IAAI;IAAuC,CAAC;IAEzE,kFAAkF;IAClF,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,KAA2E;QAE3E,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE;YAAE,MAAM,IAAI,eAAe,CAAC,qBAAqB,CAAC,CAAA;QAC1E,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;YAAE,MAAM,IAAI,eAAe,CAAC,0BAA0B,CAAC,CAAA;QACpF,mFAAmF;QACnF,mFAAmF;QACnF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAClF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;QAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAA;QACjC,MAAM,MAAM,GAA0B;YACpC,SAAS;YACT,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;YACrC,YAAY;YACZ,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG;YAC9C,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,IAAI;SAChB,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACxD,OAAO,YAAY,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAChF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC5C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC;IAED,sEAAsE;IACtE,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAChF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS;YAAE,OAAM;QACvC,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAA;IACxF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAChF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;QACxE,OAAO,iBAAiB,CAAC;YACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,WAAW;YACxB,QAAQ,EAAE,MAAM,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;YACjE,MAAM,EAAE,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAC,CAAA;IACJ,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,QAAQ,CAAC,SAAiB,EAAE,EAAU;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;QAClD,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,eAAe,CAAC,+CAA+C,CAAC,CAAA;QACvF,MAAM,OAAO,GAAiB;YAC5B,EAAE;YACF,OAAO,EAAE,wBAAwB;YACjC,IAAI,EAAE,wDAAwD;YAC9D,IAAI,EAAE,+DAA+D;SACtE,CAAA;QACD,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC5B,CAAC;CACF"}

package/dist/modules/email/adapters.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import type { EmailMessage, EmailSender } from '@cat-factory/kernel';
+/** HKDF info string scoping the email-API-key cipher (mirrors SLACK_CIPHER_INFO). */
+export declare const EMAIL_CIPHER_INFO = "cat-factory:email";
+export interface SendGridConfig {
+    apiKey: string;
+    from: string;
+}
+/** SendGrid v3 mail-send adapter. */
+export declare class SendGridEmailSender implements EmailSender {
+    private readonly config;
+    constructor(config: SendGridConfig);
+    send(message: EmailMessage): Promise<void>;
+}
+export interface ResendConfig {
+    apiKey: string;
+    from: string;
+}
+/** Resend email-send adapter. */
+export declare class ResendEmailSender implements EmailSender {
+    private readonly config;
+    constructor(config: ResendConfig);
+    send(message: EmailMessage): Promise<void>;
+}
+export interface EmailProviderConfig {
+    provider: 'sendgrid' | 'resend' | null;
+    from: string;
+    sendgrid?: {
+        apiKey: string;
+    };
+    resend?: {
+        apiKey: string;
+    };
+}
+/**
+ * Build the configured EmailSender, or null when no provider is set. The opt-in seam
+ * the facades use: unconfigured ⇒ the email-dependent features simply aren't wired.
+ */
+export declare function createEmailSender(config: EmailProviderConfig): EmailSender | null;
+//# sourceMappingURL=adapters.d.ts.map

package/dist/modules/email/adapters.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../../../src/modules/email/adapters.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAEpE,qFAAqF;AACrF,eAAO,MAAM,iBAAiB,sBAAsB,CAAA;AAMpD,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;CACb;AAED,qCAAqC;AACrC,qBAAa,mBAAoB,YAAW,WAAW;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM;IAAnC,YAA6B,MAAM,EAAE,cAAc,EAAI;IAEjD,IAAI,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoB/C;CACF;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;CACb;AAED,iCAAiC;AACjC,qBAAa,iBAAkB,YAAW,WAAW;IACvC,OAAO,CAAC,QAAQ,CAAC,MAAM;IAAnC,YAA6B,MAAM,EAAE,YAAY,EAAI;IAE/C,IAAI,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAkB/C;CACF;AAUD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,UAAU,GAAG,QAAQ,GAAG,IAAI,CAAA;IACtC,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAA;IAC7B,MAAM,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAA;CAC5B;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,mBAAmB,GAAG,WAAW,GAAG,IAAI,CAQjF"}

package/dist/modules/email/adapters.js ADDED Viewed

@@ -0,0 +1,79 @@
+/** HKDF info string scoping the email-API-key cipher (mirrors SLACK_CIPHER_INFO). */
+export const EMAIL_CIPHER_INFO = 'cat-factory:email';
+/** SendGrid v3 mail-send adapter. */
+export class SendGridEmailSender {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async send(message) {
+        const content = [];
+        if (message.text)
+            content.push({ type: 'text/plain', value: message.text });
+        content.push({ type: 'text/html', value: message.html });
+        const res = await fetch('https://api.sendgrid.com/v3/mail/send', {
+            method: 'POST',
+            headers: {
+                authorization: `Bearer ${this.config.apiKey}`,
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                personalizations: [{ to: [{ email: message.to }] }],
+                from: { email: this.config.from },
+                subject: message.subject,
+                content,
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`SendGrid send failed (HTTP ${res.status}): ${await safeBody(res)}`);
+        }
+    }
+}
+/** Resend email-send adapter. */
+export class ResendEmailSender {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async send(message) {
+        const res = await fetch('https://api.resend.com/emails', {
+            method: 'POST',
+            headers: {
+                authorization: `Bearer ${this.config.apiKey}`,
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                from: this.config.from,
+                to: message.to,
+                subject: message.subject,
+                html: message.html,
+                ...(message.text ? { text: message.text } : {}),
+            }),
+        });
+        if (!res.ok) {
+            throw new Error(`Resend send failed (HTTP ${res.status}): ${await safeBody(res)}`);
+        }
+    }
+}
+async function safeBody(res) {
+    try {
+        return (await res.text()).slice(0, 500);
+    }
+    catch {
+        return '';
+    }
+}
+/**
+ * Build the configured EmailSender, or null when no provider is set. The opt-in seam
+ * the facades use: unconfigured ⇒ the email-dependent features simply aren't wired.
+ */
+export function createEmailSender(config) {
+    if (config.provider === 'sendgrid' && config.sendgrid?.apiKey) {
+        return new SendGridEmailSender({ apiKey: config.sendgrid.apiKey, from: config.from });
+    }
+    if (config.provider === 'resend' && config.resend?.apiKey) {
+        return new ResendEmailSender({ apiKey: config.resend.apiKey, from: config.from });
+    }
+    return null;
+}
+//# sourceMappingURL=adapters.js.map

package/dist/modules/email/adapters.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adapters.js","sourceRoot":"","sources":["../../../src/modules/email/adapters.ts"],"names":[],"mappings":"AAEA,qFAAqF;AACrF,MAAM,CAAC,MAAM,iBAAiB,GAAG,mBAAmB,CAAA;AAWpD,qCAAqC;AACrC,MAAM,OAAO,mBAAmB;IACD,MAAM;IAAnC,YAA6B,MAAsB;sBAAtB,MAAM;IAAmB,CAAC;IAEvD,KAAK,CAAC,IAAI,CAAC,OAAqB;QAC9B,MAAM,OAAO,GAAsC,EAAE,CAAA;QACrD,IAAI,OAAO,CAAC,IAAI;YAAE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC3E,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QACxD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,uCAAuC,EAAE;YAC/D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;gBAC7C,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,gBAAgB,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;gBACnD,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;gBACjC,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,OAAO;aACR,CAAC;SACH,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,MAAM,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACtF,CAAC;IACH,CAAC;CACF;AAOD,iCAAiC;AACjC,MAAM,OAAO,iBAAiB;IACC,MAAM;IAAnC,YAA6B,MAAoB;sBAApB,MAAM;IAAiB,CAAC;IAErD,KAAK,CAAC,IAAI,CAAC,OAAqB;QAC9B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,+BAA+B,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;gBAC7C,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;gBACtB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChD,CAAC;SACH,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4BAA4B,GAAG,CAAC,MAAM,MAAM,MAAM,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;CACF;AAED,KAAK,UAAU,QAAQ,CAAC,GAAa;IACnC,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC;AASD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA2B;IAC3D,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,IAAI,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;QAC9D,OAAO,IAAI,mBAAmB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;IACvF,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;QAC1D,OAAO,IAAI,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;IACnF,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/modules/environments/EnvironmentConnectionService.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import type { Clock } from '@cat-factory/kernel';
+import type { EnvironmentConnectionRecord, EnvironmentConnectionRepository } from '@cat-factory/kernel';
+import type { SecretCipher } from '@cat-factory/kernel';
+import type { SecretResolver, UrlSafetyPolicy } from '@cat-factory/kernel';
+import type { EnvironmentConnection, EnvironmentManifest } from '@cat-factory/kernel';
+import type { WorkspaceRepository } from '@cat-factory/kernel';
+export interface EnvironmentConnectionServiceDependencies {
+    environmentConnectionRepository: EnvironmentConnectionRepository;
+    workspaceRepository: WorkspaceRepository;
+    secretCipher: SecretCipher;
+    clock: Clock;
+    /** URL/host safety policy applied to a registered manifest. Defaults to strict. */
+    urlPolicy?: UrlSafetyPolicy;
+}
+/** Collect every secret key a manifest's auth scheme references. */
+export declare function referencedSecretKeys(manifest: EnvironmentManifest): string[];
+export interface ResolvedConnection {
+    record: EnvironmentConnectionRecord;
+    manifest: EnvironmentManifest;
+}
+export declare class EnvironmentConnectionService {
+    private readonly deps;
+    constructor(deps: EnvironmentConnectionServiceDependencies);
+    /** Register (or replace) a workspace's environment provider. */
+    register(workspaceId: string, input: {
+        manifest: EnvironmentManifest;
+        secrets: Record<string, string>;
+    }): Promise<EnvironmentConnection>;
+    /** Rotate/replace the secret bundle without re-sending the manifest. */
+    updateSecrets(workspaceId: string, secrets: Record<string, string>): Promise<EnvironmentConnection>;
+    /** The workspace's current connection (safe metadata), or null. */
+    getConnection(workspaceId: string): Promise<EnvironmentConnection | null>;
+    /** Resolve the live connection + parsed manifest, or throw if not registered. */
+    requireConnection(workspaceId: string): Promise<ResolvedConnection>;
+    /** Build a secret resolver from the workspace's decrypted secret bundle. */
+    resolveSecrets(workspaceId: string): Promise<SecretResolver>;
+    /** Unregister the provider (tombstones the binding). */
+    unregister(workspaceId: string): Promise<void>;
+    private decryptSecrets;
+    private toConnection;
+}
+//# sourceMappingURL=EnvironmentConnectionService.d.ts.map

package/dist/modules/environments/EnvironmentConnectionService.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EnvironmentConnectionService.d.ts","sourceRoot":"","sources":["../../../src/modules/environments/EnvironmentConnectionService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAChD,OAAO,KAAK,EACV,2BAA2B,EAC3B,+BAA+B,EAChC,MAAM,qBAAqB,CAAA;AAC5B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAC1E,OAAO,KAAK,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AAGrF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AAQ9D,MAAM,WAAW,wCAAwC;IACvD,+BAA+B,EAAE,+BAA+B,CAAA;IAChE,mBAAmB,EAAE,mBAAmB,CAAA;IACxC,YAAY,EAAE,YAAY,CAAA;IAC1B,KAAK,EAAE,KAAK,CAAA;IACZ,mFAAmF;IACnF,SAAS,CAAC,EAAE,eAAe,CAAA;CAC5B;AAED,oEAAoE;AACpE,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,mBAAmB,GAAG,MAAM,EAAE,CAe5E;AAUD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,2BAA2B,CAAA;IACnC,QAAQ,EAAE,mBAAmB,CAAA;CAC9B;AAED,qBAAa,4BAA4B;IAC3B,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,wCAAwC,EAAI;IAE/E,gEAAgE;IAC1D,QAAQ,CACZ,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE;QAAE,QAAQ,EAAE,mBAAmB,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACxE,OAAO,CAAC,qBAAqB,CAAC,CA2BhC;IAED,wEAAwE;IAClE,aAAa,CACjB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CAUhC;IAED,mEAAmE;IAC7D,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAK9E;IAED,iFAAiF;IAC3E,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAOxE;IAED,4EAA4E;IACtE,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAKjE;IAED,wDAAwD;IAClD,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAInD;YAEa,cAAc;IAQ5B,OAAO,CAAC,YAAY;CAYrB"}

package/dist/modules/environments/EnvironmentConnectionService.js ADDED Viewed

@@ -0,0 +1,120 @@
+import { ConflictError, STRICT_URL_SAFETY_POLICY, ValidationError } from '@cat-factory/kernel';
+import { requireWorkspace } from '@cat-factory/kernel';
+import { assertSafeEnvironmentUrl } from './environments.logic.js';
+/** Collect every secret key a manifest's auth scheme references. */
+export function referencedSecretKeys(manifest) {
+    const auth = manifest.auth;
+    switch (auth.type) {
+        case 'none':
+            return [];
+        case 'api_key':
+        case 'bearer':
+            return [auth.secretRef.key];
+        case 'basic':
+            return [auth.usernameSecretRef.key, auth.passwordSecretRef.key];
+        case 'oauth2_client_credentials':
+            return [auth.clientIdSecretRef.key, auth.clientSecretSecretRef.key];
+        case 'custom_headers':
+            return auth.headers.map((h) => h.secretRef.key);
+    }
+}
+/** Validate every URL a manifest will fetch (defence against SSRF). */
+function assertManifestUrlsSafe(manifest, policy) {
+    assertSafeEnvironmentUrl(manifest.baseUrl, 'base URL', policy);
+    if (manifest.auth.type === 'oauth2_client_credentials') {
+        assertSafeEnvironmentUrl(manifest.auth.tokenUrl, 'OAuth token URL', policy);
+    }
+}
+export class EnvironmentConnectionService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /** Register (or replace) a workspace's environment provider. */
+    async register(workspaceId, input) {
+        await requireWorkspace(this.deps.workspaceRepository, workspaceId);
+        // The manifest is validated against the Valibot schema at the controller
+        // (jsonBody); here we enforce the additional SSRF + secret-completeness rules.
+        const manifest = input.manifest;
+        assertManifestUrlsSafe(manifest, this.deps.urlPolicy ?? STRICT_URL_SAFETY_POLICY);
+        // Every secret the manifest references must be supplied.
+        const missing = referencedSecretKeys(manifest).filter((key) => !(key in input.secrets));
+        if (missing.length) {
+            throw new ValidationError(`Missing secret values for: ${missing.join(', ')}`);
+        }
+        const existing = await this.deps.environmentConnectionRepository.getByWorkspace(workspaceId);
+        const secretsCipher = await this.deps.secretCipher.encrypt(JSON.stringify(input.secrets));
+        const record = {
+            workspaceId,
+            providerId: manifest.providerId,
+            label: manifest.label,
+            baseUrl: manifest.baseUrl,
+            manifestJson: JSON.stringify(manifest),
+            secretsCipher,
+            createdAt: existing?.createdAt ?? this.deps.clock.now(),
+            deletedAt: null,
+        };
+        await this.deps.environmentConnectionRepository.upsert(record);
+        return this.toConnection(record, Object.keys(input.secrets));
+    }
+    /** Rotate/replace the secret bundle without re-sending the manifest. */
+    async updateSecrets(workspaceId, secrets) {
+        const { record, manifest } = await this.requireConnection(workspaceId);
+        const missing = referencedSecretKeys(manifest).filter((key) => !(key in secrets));
+        if (missing.length) {
+            throw new ValidationError(`Missing secret values for: ${missing.join(', ')}`);
+        }
+        const secretsCipher = await this.deps.secretCipher.encrypt(JSON.stringify(secrets));
+        const updated = { ...record, secretsCipher };
+        await this.deps.environmentConnectionRepository.upsert(updated);
+        return this.toConnection(updated, Object.keys(secrets));
+    }
+    /** The workspace's current connection (safe metadata), or null. */
+    async getConnection(workspaceId) {
+        const record = await this.deps.environmentConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return null;
+        const keys = Object.keys(await this.decryptSecrets(record));
+        return this.toConnection(record, keys);
+    }
+    /** Resolve the live connection + parsed manifest, or throw if not registered. */
+    async requireConnection(workspaceId) {
+        const record = await this.deps.environmentConnectionRepository.getByWorkspace(workspaceId);
+        if (!record) {
+            throw new ConflictError(`Workspace '${workspaceId}' has no environment provider registered`);
+        }
+        const manifest = JSON.parse(record.manifestJson);
+        return { record, manifest };
+    }
+    /** Build a secret resolver from the workspace's decrypted secret bundle. */
+    async resolveSecrets(workspaceId) {
+        const record = await this.deps.environmentConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return () => undefined;
+        const bundle = await this.decryptSecrets(record);
+        return (key) => bundle[key];
+    }
+    /** Unregister the provider (tombstones the binding). */
+    async unregister(workspaceId) {
+        const record = await this.deps.environmentConnectionRepository.getByWorkspace(workspaceId);
+        if (!record)
+            return;
+        await this.deps.environmentConnectionRepository.softDelete(workspaceId, this.deps.clock.now());
+    }
+    async decryptSecrets(record) {
+        if (!record.secretsCipher)
+            return {};
+        const parsed = JSON.parse(await this.deps.secretCipher.decrypt(record.secretsCipher));
+        return parsed && typeof parsed === 'object' ? parsed : {};
+    }
+    toConnection(record, secretKeys) {
+        return {
+            providerId: record.providerId,
+            label: record.label,
+            baseUrl: record.baseUrl,
+            connectedAt: record.createdAt,
+            secretKeys,
+        };
+    }
+}
+//# sourceMappingURL=EnvironmentConnectionService.js.map

package/dist/modules/environments/EnvironmentConnectionService.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EnvironmentConnectionService.js","sourceRoot":"","sources":["../../../src/modules/environments/EnvironmentConnectionService.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAC9F,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAEtD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAgBlE,oEAAoE;AACpE,MAAM,UAAU,oBAAoB,CAAC,QAA6B;IAChE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAA;IAC1B,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,EAAE,CAAA;QACX,KAAK,SAAS,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QAC7B,KAAK,OAAO;YACV,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QACjE,KAAK,2BAA2B;YAC9B,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAA;QACrE,KAAK,gBAAgB;YACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,sBAAsB,CAAC,QAA6B,EAAE,MAAuB;IACpF,wBAAwB,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;IAC9D,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;QACvD,wBAAwB,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAA;IAC7E,CAAC;AACH,CAAC;AAOD,MAAM,OAAO,4BAA4B;IACV,IAAI;IAAjC,YAA6B,IAA8C;oBAA9C,IAAI;IAA6C,CAAC;IAE/E,gEAAgE;IAChE,KAAK,CAAC,QAAQ,CACZ,WAAmB,EACnB,KAAyE;QAEzE,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAA;QAClE,yEAAyE;QACzE,+EAA+E;QAC/E,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAC/B,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,wBAAwB,CAAC,CAAA;QAEjF,yDAAyD;QACzD,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QACvF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,eAAe,CAAC,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC/E,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC5F,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QACzF,MAAM,MAAM,GAAgC;YAC1C,WAAW;YACX,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;YACtC,aAAa;YACb,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;YACvD,SAAS,EAAE,IAAI;SAChB,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC9D,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;IAC9D,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,aAAa,CACjB,WAAmB,EACnB,OAA+B;QAE/B,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAA;QACtE,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAAA;QACjF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,eAAe,CAAC,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC/E,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAA;QACnF,MAAM,OAAO,GAAgC,EAAE,GAAG,MAAM,EAAE,aAAa,EAAE,CAAA;QACzE,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC/D,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IACzD,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,aAAa,CAAC,WAAmB;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC1F,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAA;QAC3D,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IACxC,CAAC;IAED,iFAAiF;IACjF,KAAK,CAAC,iBAAiB,CAAC,WAAmB;QACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC1F,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,aAAa,CAAC,cAAc,WAAW,0CAA0C,CAAC,CAAA;QAC9F,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAwB,CAAA;QACvE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;IAC7B,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,cAAc,CAAC,WAAmB;QACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC1F,IAAI,CAAC,MAAM;YAAE,OAAO,GAAG,EAAE,CAAC,SAAS,CAAA;QACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAA;QAChD,OAAO,CAAC,GAAW,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IACrC,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,UAAU,CAAC,WAAmB;QAClC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;QAC1F,IAAI,CAAC,MAAM;YAAE,OAAM;QACnB,MAAM,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAA;IAChG,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,MAAmC;QAEnC,IAAI,CAAC,MAAM,CAAC,aAAa;YAAE,OAAO,EAAE,CAAA;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAA;QACrF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAiC,CAAC,CAAC,CAAC,EAAE,CAAA;IACvF,CAAC;IAEO,YAAY,CAClB,MAAmC,EACnC,UAAoB;QAEpB,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,UAAU;SACX,CAAA;IACH,CAAC;CACF"}

package/dist/modules/environments/EnvironmentProvisioningService.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import type { Clock, IdGenerator } from '@cat-factory/kernel';
+import type { EnvironmentRegistryRepository } from '@cat-factory/kernel';
+import type { EnvironmentProvider, ProvisionContext, UrlSafetyPolicy } from '@cat-factory/kernel';
+import type { SecretCipher } from '@cat-factory/kernel';
+import type { EnvironmentAccessHandle, EnvironmentHandle } from '@cat-factory/kernel';
+import type { EnvironmentConnectionService } from './EnvironmentConnectionService.js';
+export interface EnvironmentProvisioningServiceDependencies {
+    connectionService: EnvironmentConnectionService;
+    environmentProvider: EnvironmentProvider;
+    environmentRegistryRepository: EnvironmentRegistryRepository;
+    secretCipher: SecretCipher;
+    idGenerator: IdGenerator;
+    clock: Clock;
+    /** URL/host safety policy applied to the URL a provider returns. Defaults to strict. */
+    urlPolicy?: UrlSafetyPolicy;
+}
+export interface ProvisionArgs {
+    workspaceId: string;
+    blockId?: string | null;
+    executionId?: string | null;
+    inputs?: Record<string, string>;
+    /** Typed git/PR/repo context; passed to the provider and flattened into `inputs`. */
+    context?: ProvisionContext;
+}
+/** The compact env view injected into a downstream agent's run context. */
+export interface ResolvedEnvironment {
+    url: string | null;
+    status: EnvironmentHandle['status'];
+    access: EnvironmentAccessHandle | null;
+    expiresAt: number | null;
+}
+export declare class EnvironmentProvisioningService {
+    private readonly deps;
+    constructor(deps: EnvironmentProvisioningServiceDependencies);
+    private get urlPolicy();
+    /** Provision an environment, persisting an encrypted record keyed by block/run. */
+    provision(args: ProvisionArgs): Promise<EnvironmentHandle>;
+    /** Re-poll the provider for an environment's status and persist any change. */
+    refreshStatus(workspaceId: string, id: string): Promise<EnvironmentHandle>;
+    /** List a workspace's environments (no creds). */
+    listHandles(workspaceId: string): Promise<EnvironmentHandle[]>;
+    /** A single environment handle (no creds), or null. */
+    getHandle(workspaceId: string, id: string): Promise<EnvironmentHandle | null>;
+    /** A single environment handle WITH decrypted access creds, or null. */
+    getHandleWithAccess(workspaceId: string, id: string): Promise<EnvironmentHandle | null>;
+    /**
+     * The live environment provisioned for a block, with decrypted access — the
+     * discovery entry point the execution engine calls to enrich tester context.
+     */
+    resolveForBlock(workspaceId: string, blockId: string): Promise<ResolvedEnvironment | null>;
+    private resolveExpiry;
+    private encryptAccess;
+    private decryptAccess;
+    private decryptFields;
+}
+//# sourceMappingURL=EnvironmentProvisioningService.d.ts.map