npm - @codemation/core-nodes - Versions diffs - 0.7.1 → 0.8.0 - Mend

@codemation/core-nodes 0.7.1 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/CHANGELOG.md +203 -0
package/LICENSE +1 -37
package/dist/index.cjs +957 -70
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +527 -61
package/dist/index.d.ts +527 -61
package/dist/index.js +936 -69
package/dist/index.js.map +1 -1
package/dist/metadata.json +162 -0
package/package.json +4 -3
package/src/authoring/defineRestNode.types.ts +17 -2
package/src/chatModels/CodemationChatModelConfig.ts +47 -0
package/src/chatModels/CodemationChatModelFactory.ts +103 -0
package/src/chatModels/ManagedModelFetcher.ts +23 -0
package/src/http/HttpRequestExecutor.ts +10 -2
package/src/http/SSRFBlockedError.ts +16 -0
package/src/http/SsrfGuard.ts +141 -0
package/src/http/httpRequest.types.ts +6 -0
package/src/index.ts +4 -0
package/src/nodes/AIAgentConfig.ts +66 -0
package/src/nodes/AIAgentNode.ts +205 -27
package/src/nodes/BM25Index.ts +90 -0
package/src/nodes/CallbackNodeFactory.ts +7 -0
package/src/nodes/CronTriggerFactory.ts +9 -1
package/src/nodes/DeferredMetaToolStrategy.ts +200 -0
package/src/nodes/DeferredMetaToolStrategyFactory.ts +18 -0
package/src/nodes/HttpRequestNodeFactory.ts +10 -3
package/src/nodes/ManualTriggerFactory.ts +16 -1
package/src/nodes/ToolLoadingStrategy.ts +28 -0
package/src/nodes/WebhookTriggerFactory.ts +16 -2
package/src/nodes/aggregate.ts +13 -2
package/src/nodes/aiAgent.ts +9 -0
package/src/nodes/assertion.ts +14 -1
package/src/nodes/collections/collectionDeleteNode.types.ts +6 -0
package/src/nodes/collections/collectionFindOneNode.types.ts +6 -0
package/src/nodes/collections/collectionGetNode.types.ts +6 -0
package/src/nodes/collections/collectionInsertNode.types.ts +6 -0
package/src/nodes/collections/collectionListNode.types.ts +6 -0
package/src/nodes/collections/collectionUpdateNode.types.ts +6 -0
package/src/nodes/filter.ts +14 -2
package/src/nodes/httpRequest.ts +72 -8
package/src/nodes/if.ts +14 -2
package/src/nodes/mapData.ts +13 -2
package/src/nodes/merge.ts +9 -2
package/src/nodes/noOp.ts +0 -1
package/src/nodes/split.ts +13 -2
package/src/nodes/subWorkflow.ts +15 -2
package/src/nodes/switch.ts +18 -2
package/src/nodes/testTrigger.ts +13 -0
package/src/nodes/wait.ts +7 -1
package/src/workflowAuthoring/WorkflowChatModelFactory.types.ts +4 -0
package/src/workflows/AIAgentConnectionWorkflowExpander.ts +6 -3
package/tsconfig.json +3 -1

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AssistantModelMessage, ModelMessage, ToolModelMessage } from "ai";
+import { AssistantModelMessage, ModelMessage, ToolModelMessage, ToolSet } from "ai";
 import { Cron, CronCallback } from "croner";
 import { ReadableStream } from "node:stream/web";
 import { ZodType, input, output, z } from "zod";
@@ -243,6 +243,8 @@ type ConnectionInvocationAppendArgs = Readonly<{
   status: NodeExecutionStatus;
   managedInput?: JsonValue;
   managedOutput?: JsonValue;
+  statusLabel?: string;
+  subjectName?: string;
   error?: NodeExecutionError;
   queuedAt?: string;
   startedAt?: string;
@@ -400,6 +402,26 @@ interface NodeConfigBase {
    * configs (e.g. `AssertionNodeConfig`, `StringEqualsAssertionNodeConfig`).
    */
   readonly emitsAssertions?: true;
+  /**
+   * Static configuration summary surfaced in the workflow inspector — the design-time
+   * "what does this node do" panel that renders before any run telemetry exists.
+   *
+   * Return 2–6 short label/value pairs derived from this config (method + url for an HTTP
+   * call, model + tool list for an agent, schedule + timezone for a cron trigger, etc.).
+   * Values are truncated by the UI; aim for one line each. Return `undefined` to opt out
+   * — the inspector hides the section when no rows are produced.
+   *
+   * Implement on the config class instance so the function can read sibling config fields.
+   * `defineNode({ inspectorSummary })` plumbs through to this.
+   */
+  inspectorSummary?(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
+}
+/**
+ * One row of a node's static configuration summary. See {@link NodeConfigBase.inspectorSummary}.
+ */
+interface NodeInspectorSummaryRow {
+  readonly label: string;
+  readonly value: string;
 }
 declare const runnableNodeInputType: unique symbol;
 declare const runnableNodeOutputType: unique symbol;
@@ -623,32 +645,27 @@ interface TestTriggerNodeConfig<TOutputJson$1 = unknown> extends TriggerNodeConf
   caseLabel?(item: Item<TOutputJson$1>): string | undefined;
 }
 //#endregion
-//#region ../core/src/contracts/assertionTypes.d.ts
-/**
- * One assertion emitted by an assertion-emitting node (a node whose config sets
- * `emitsAssertions: true`). Each emitted item on `main` carries one of these as `item.json`.
- *
- * Pass/fail is derived from `score >= (passThreshold ?? 0.5)` — see {@link deriveAssertionPassed}.
- * The `errored` marker is for cases where the assertion code itself threw (distinct from
- * "the assertion was evaluated and the score was low") and is treated as a hard fail in rollups
- * regardless of `score`.
- */
-interface AssertionResult {
-  readonly name: string;
-  /** 0..1 score. Source of truth for pass/fail (compared against `passThreshold`). */
-  readonly score: number;
-  /** 0..1 threshold for "passed". When omitted, consumers default to 0.5. */
-  readonly passThreshold?: number;
-  /** True when evaluating the assertion threw — treated as fail regardless of `score`. */
-  readonly errored?: true;
-  /** What the assertion expected. Free-form JSON; UIs render with a JSON viewer. */
-  readonly expected?: JsonValue;
-  /** What the workflow actually produced. */
-  readonly actual?: JsonValue;
-  /** Short human-readable explanation, especially for fails / errors. */
-  readonly message?: string;
-  /** Bag of supplemental fields (e.g. judge prompt, judge raw response, comparison method). */
-  readonly details?: Readonly<Record<string, JsonValue>>;
+//#region ../core/src/contracts/CostTrackingTelemetryContract.d.ts
+type CostTrackingComponent = "chat" | "ocr" | "rag";
+interface CostTrackingUsageRecord {
+  readonly component: CostTrackingComponent;
+  readonly provider: string;
+  readonly operation: string;
+  readonly pricingKey: string;
+  readonly usageUnit: string;
+  readonly quantity: number;
+  readonly modelName?: string;
+  readonly attributes?: TelemetryAttributes;
+}
+interface CostTrackingPriceQuote {
+  readonly currency: string;
+  readonly currencyScale: number;
+  readonly estimatedAmountMinor: number;
+  readonly estimateKind: "catalog";
+}
+interface CostTrackingTelemetry {
+  captureUsage(args: CostTrackingUsageRecord): Promise<CostTrackingPriceQuote | undefined>;
+  forScope(scope: TelemetryScope): CostTrackingTelemetry;
 }
 //#endregion
 //#region ../core/src/contracts/telemetryTypes.d.ts
@@ -731,27 +748,87 @@ interface ExecutionTelemetry extends TelemetryScope {
   }>): NodeExecutionTelemetry;
 }
 //#endregion
-//#region ../core/src/contracts/CostTrackingTelemetryContract.d.ts
-type CostTrackingComponent = "chat" | "ocr" | "rag";
-interface CostTrackingUsageRecord {
-  readonly component: CostTrackingComponent;
-  readonly provider: string;
-  readonly operation: string;
-  readonly pricingKey: string;
-  readonly usageUnit: string;
-  readonly quantity: number;
-  readonly modelName?: string;
-  readonly attributes?: TelemetryAttributes;
-}
-interface CostTrackingPriceQuote {
-  readonly currency: string;
-  readonly currencyScale: number;
-  readonly estimatedAmountMinor: number;
-  readonly estimateKind: "catalog";
+//#region ../core/src/contracts/agentMcpTypes.d.ts
+/**
+ * An opaque MCP tool map: keyed by serverId → (toolName → tool definition).
+ * Typed as unknown so core does not depend on the AI SDK's ToolSet type.
+ * AIAgentNode (in core-nodes, which does depend on ai) casts this to
+ * ReadonlyMap<string, ToolSet> before passing to DeferredMetaToolStrategyFactory.
+ */
+type AgentMcpToolMap = ReadonlyMap<string, Readonly<Record<string, unknown>>>;
+/**
+ * Contract implemented by the host. Resolves MCP server bindings for an agent run
+ * via the standard credential-binding table (one slot per declared server, keyed
+ * by `(workflowId, mcpConnectionNodeId, "credential")`), and returns a ready-to-use
+ * tool map with wrapped execute callbacks for telemetry and 403 detection.
+ * Core-nodes imports this interface so AIAgentNode can inject it without
+ * depending on the host.
+ */
+interface AgentMcpIntegration {
+  /**
+   * Look up the credential binding per server, validate scopes, open pool
+   * connections, and return a tool map keyed by serverId. Each tool's
+   * execute callback includes:
+   * - Telemetry child span (mcp.server_id, mcp.tool_name attributes)
+   * - 403/permission error detection → emits a NeedsReconsentEvent span event
+   *
+   * Throws `AgentBindError` on validation failures (missing server, unbound
+   * credential slot, missing credential instance, insufficient scopes).
+   */
+  prepareMcpTools(args: {
+    readonly workflowId: WorkflowId;
+    readonly agentNodeId: NodeId;
+    readonly serverIds: ReadonlyArray<string>;
+    readonly pinnedMcpTools: readonly string[];
+    readonly emitSpanEvent: (event: TelemetrySpanEventRecord) => void;
+    readonly startChildSpan: (args: {
+      readonly name: string;
+      readonly attributes?: Record<string, string>;
+    }) => {
+      readonly end: (args?: {
+        status?: "ok" | "error";
+        statusMessage?: string;
+      }) => void;
+    };
+    /** Per-MCP-tool-call invocation appender. Optional; when omitted the wrapper emits only telemetry spans. */
+    readonly appendMcpInvocation?: (args: ConnectionInvocationAppendArgs) => Promise<void>;
+    /** Agent activation id to attach to each invocation record (used by canvas + inspector grouping). */
+    readonly parentAgentActivationId?: NodeActivationId;
+    /** Per-item iteration id when the agent runs inside a per-item loop. */
+    readonly iterationId?: NodeIterationId;
+    /** Item index (0-based) of the iteration that owns these tool calls. */
+    readonly itemIndex?: number;
+    /** Parent invocation id when this agent is itself executing as a sub-agent. */
+    readonly parentInvocationId?: ConnectionInvocationId;
+  }): Promise<AgentMcpToolMap>;
 }
-interface CostTrackingTelemetry {
-  captureUsage(args: CostTrackingUsageRecord): Promise<CostTrackingPriceQuote | undefined>;
-  forScope(scope: TelemetryScope): CostTrackingTelemetry;
+//#endregion
+//#region ../core/src/contracts/assertionTypes.d.ts
+/**
+ * One assertion emitted by an assertion-emitting node (a node whose config sets
+ * `emitsAssertions: true`). Each emitted item on `main` carries one of these as `item.json`.
+ *
+ * Pass/fail is derived from `score >= (passThreshold ?? 0.5)` — see {@link deriveAssertionPassed}.
+ * The `errored` marker is for cases where the assertion code itself threw (distinct from
+ * "the assertion was evaluated and the score was low") and is treated as a hard fail in rollups
+ * regardless of `score`.
+ */
+interface AssertionResult {
+  readonly name: string;
+  /** 0..1 score. Source of truth for pass/fail (compared against `passThreshold`). */
+  readonly score: number;
+  /** 0..1 threshold for "passed". When omitted, consumers default to 0.5. */
+  readonly passThreshold?: number;
+  /** True when evaluating the assertion threw — treated as fail regardless of `score`. */
+  readonly errored?: true;
+  /** What the assertion expected. Free-form JSON; UIs render with a JSON viewer. */
+  readonly expected?: JsonValue;
+  /** What the workflow actually produced. */
+  readonly actual?: JsonValue;
+  /** Short human-readable explanation, especially for fails / errors. */
+  readonly message?: string;
+  /** Bag of supplemental fields (e.g. judge prompt, judge raw response, comparison method). */
+  readonly details?: Readonly<Record<string, JsonValue>>;
 }
 //#endregion
 //#region ../core/src/contracts/webhookTypes.d.ts
@@ -767,6 +844,35 @@ interface TriggerInstanceId {
   nodeId: NodeId;
 }
 //#endregion
+//#region ../core/src/contracts/mcpTypes.d.ts
+type McpServerTransport = "http";
+interface McpServerDeclaration {
+  /** Globally unique slug, e.g. "gmail". Workflow authors reference this. */
+  id: string;
+  displayName: string;
+  description: string;
+  transport: McpServerTransport;
+  url: string;
+  /**
+   * Credential types accepted by this MCP server, matching CredentialRequirement.acceptedTypes.
+   * Absent or empty means no credential is required.
+   */
+  acceptedCredentialTypes?: ReadonlyArray<string>;
+  /**
+   * Documentation only in MVP. The bind-time validator checks
+   * requiredScopes ⊆ CredentialInstance.scopesGranted.
+   */
+  requiredScopes?: string[];
+  /** Non-secret static headers merged onto every MCP request. */
+  staticHeaders?: Record<string, string>;
+  /**
+   * Overrides for tool descriptions advertised by the MCP server.
+   * Applied by the connection pool after tools/list.
+   * Key: exact tool name as returned by the server.
+   */
+  toolDescriptionOverrides?: Record<string, string>;
+}
+//#endregion
 //#region ../core/src/contracts/collectionTypes.d.ts
 /**
  * Represents a typed store for a single collection.
@@ -1330,6 +1436,9 @@ interface AgentNodeConfig<TInputJson$1 = unknown, TOutputJson$1 = unknown> exten
   readonly outputSchema?: ZodType<TOutputJson$1>;
 }
 //#endregion
+//#region ../core/src/ai/AgentConnectionNodeCollector.d.ts
+type McpServerResolver = (id: string) => McpServerDeclaration | undefined;
+//#endregion
 //#region ../core/src/execution/ChildExecutionScopeFactory.d.ts
 /**
  * Builds a re-rooted child execution context for sub-agent (and other deeply-nested) invocations.
@@ -1456,6 +1565,12 @@ type HttpRequestSpec = Readonly<{
   responseBinarySlot?: string;
   /** Maximum allowed response size in bytes (checked against Content-Length before allocating). Defaults to 100 MiB. */
   responseSizeCapBytes?: number;
+  /**
+   * When `false` (default), requests whose target host resolves to an RFC-1918,
+   * link-local (169.254/16), or loopback address are blocked to prevent SSRF attacks.
+   * Set to `true` only for workflows that intentionally reach private infrastructure.
+   */
+  allowPrivateNetworkTargets?: boolean;
   /** Execution context — needed for binary attach. */
   ctx: NodeExecutionContext<RunnableNodeConfig<unknown, unknown>>;
 }>;
@@ -1620,6 +1735,58 @@ declare const oauth2ClientCredentialsType: Readonly<{
   readonly key: string;
 };
 //#endregion
+//#region src/http/SSRFBlockedError.d.ts
+/**
+ * Thrown when an HTTP request target resolves to a private, link-local, or
+ * loopback address and `allowPrivateNetworkTargets` is not set.
+ */
+declare class SSRFBlockedError extends Error {
+  readonly resolvedIp: string;
+  constructor(host: string, resolvedIp: string);
+}
+//#endregion
+//#region src/http/SsrfGuard.d.ts
+/**
+ * Guards HTTP requests against Server-Side Request Forgery (SSRF) by
+ * DNS-resolving the target host and rejecting private/link-local/loopback
+ * addresses.
+ *
+ * Blocked ranges:
+ * - RFC-1918: 10/8, 172.16/12, 192.168/16
+ * - Link-local: 169.254/16
+ * - Loopback: 127/8, ::1
+ *
+ * When `allowedOutboundHosts` is set, every resolved DNS target must match
+ * at least one entry in the list (exact hostname or `*.example.com` wildcard).
+ * When unset, existing behaviour applies: private ranges blocked, public allowed.
+ *
+ * Call {@link check} before making any outbound HTTP request.
+ * Pass `allowPrivate: true` to bypass the private-network guard for trusted workflows
+ * (allowedOutboundHosts allowlist is still applied when set).
+ */
+declare class SsrfGuard {
+  private readonly allowedOutboundHosts?;
+  constructor(allowedOutboundHosts?: ReadonlyArray<string> | undefined);
+  /**
+   * Resolves the host of `url` via DNS and throws {@link SSRFBlockedError}
+   * if any resolved address falls in a blocked range, or if the host does not
+   * match the operator-configured allowlist (when set).
+   *
+   * @param url - Fully-qualified URL of the intended request target.
+   * @param allowPrivate - When `true`, the private-network check is skipped.
+   *   The allowedOutboundHosts check is still applied when set.
+   */
+  check(url: string, allowPrivate: boolean): Promise<void>;
+  /**
+   * Returns true when `host` matches at least one entry in `allowedOutboundHosts`.
+   * Supports exact hostnames (`api.example.com`) and wildcard prefixes (`*.example.com`).
+   */
+  private isHostAllowed;
+  private isPrivateAddress;
+  private isPrivateIPv4;
+  private isPrivateIPv6;
+}
+//#endregion
 //#region src/authoring/defineRestNode.types.d.ts
 type MaybePromise<T> = T | Promise<T>;
 /**
@@ -1705,6 +1872,14 @@ interface DefineRestNodeOptions<TKey$1 extends string, TCredentials extends Defi
    * @default "throw"
    */
   readonly errorPolicy?: RestNodeErrorPolicy;
+  /**
+   * Static configuration summary surfaced in the workflow inspector.
+   * Receives the static config (empty record for defineRestNode — config lives on item input).
+   * Most callers return rows based on the static `api` descriptor instead.
+   */
+  readonly inspectorSummary?: (args: Readonly<{
+    config: Record<string, never>;
+  }>) => ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 /**
  * Declarative helper for creating thin API-wrapper nodes.
@@ -1868,6 +2043,77 @@ declare class OpenAiChatModelPresets {
 }
 declare const openAiChatModelPresets: OpenAiChatModelPresets;
 //#endregion
+//#region src/chatModels/CodemationChatModelConfig.d.ts
+/**
+ * A platform-managed model entry as returned by GET /api/llm/managed-models.
+ */
+interface ManagedModelDto {
+  id: string;
+  modelId: string;
+  displayName: string;
+  providerKey: string;
+  inputCostPerMTok: number;
+  outputCostPerMTok: number;
+  contextWindow: number;
+  tier: string;
+}
+/**
+ * Bifrost-namespaced model ID. Kept as `string` so runtime-fetched model IDs
+ * (from the CP allowlist) work without compile-time enumeration.
+ * Story C replaced the prior hardcoded union with this open type.
+ */
+type CodemationManagedModel = string;
+declare class CodemationChatModelConfig implements ChatModelConfig {
+  readonly name: string;
+  readonly model: CodemationManagedModel;
+  readonly options?: Readonly<{
+    temperature?: number;
+    maxTokens?: number;
+  }> | undefined;
+  readonly type: typeof CodemationChatModelFactory;
+  readonly presentation: AgentCanvasPresentation<CanvasIconName>;
+  readonly provider = "codemation-managed";
+  readonly modelName: string;
+  constructor(name: string, model: CodemationManagedModel, presentationIn?: AgentCanvasPresentation<CanvasIconName>, options?: Readonly<{
+    temperature?: number;
+    maxTokens?: number;
+  }> | undefined);
+}
+//#endregion
+//#region src/chatModels/CodemationChatModelFactory.d.ts
+declare class CodemationChatModelFactory implements ChatModelFactory<CodemationChatModelConfig> {
+  create(args: Readonly<{
+    config: CodemationChatModelConfig;
+    ctx: NodeExecutionContext<any>;
+  }>): Promise<ChatLanguageModel>;
+  /**
+   * Creates an HMAC-signed fetch wrapper for use with AI SDK's createOpenAI.
+   * Each call signs the request body with the workspace pairing secret so the
+   * LLM broker can authenticate the workspace without a user-managed API key.
+   *
+   * Mirrors HmacRequestSigner from @codemation/host/pairing without importing
+   * that package (which would create a circular dependency since @codemation/host
+   * depends on @codemation/core-nodes).
+   */
+  private buildHmacSignedFetch;
+  /**
+   * Produces a Codemation-Hmac v1 Authorization header value.
+   * The algorithm must match HmacVerifier.computeSignature() in the control-plane.
+   */
+  private buildHmacAuthHeader;
+}
+//#endregion
+//#region src/chatModels/ManagedModelFetcher.d.ts
+/**
+ * Fetches the active platform-managed model allowlist from the CP.
+ * Reads CONTROL_PLANE_URL from the workspace process env.
+ * Returns an empty array if the env var is absent or the fetch fails.
+ * Cache the result per session — the allowlist changes infrequently.
+ */
+declare class ManagedModelFetcher {
+  fetch(): Promise<ManagedModelDto[]>;
+}
+//#endregion
 //#region src/nodes/aiAgentSupport.types.d.ts
 declare class AgentItemPortMap {
   static fromItem(item: Item): NodeInputsByPort;
@@ -2060,6 +2306,30 @@ interface AIAgentOptions<TInputJson$1 = unknown, _TOutputJson = unknown> {
   /** Engine applies with {@link RunnableNodeConfig.inputSchema} before {@link AIAgentNode.execute}. */
   readonly inputSchema?: ZodType<TInputJson$1>;
   readonly outputSchema?: ZodType<_TOutputJson>;
+  /**
+   * MCP servers to connect for this agent run. Each entry is the server id from
+   * the MCP catalog (e.g. `"gmail"`). Credential instances are bound via the
+   * standard credential-binding flow — each server materializes an MCP connection
+   * node and the slot lives on that node, keyed by
+   * `(workflowId, mcpConnectionNodeId, "credential")` (same shape as ChatModel and
+   * Tool connection nodes). There is no inline credential field; bind through the
+   * canvas credential dropdown before activation.
+   */
+  readonly mcpServers?: ReadonlyArray<string>;
+  /**
+   * Tool ids to always include without going through `find_tools`.
+   * Format: `"serverId:toolName"` (e.g. `"gmail:send_message"`). Max 16.
+   */
+  readonly pinnedMcpTools?: readonly string[];
+  /**
+   * Source identifiers that should be treated as untrusted external content.
+   * When an incoming `Item.json.__source` matches one of these values, every
+   * user-role message is wrapped with an untrusted-source preamble so the LLM
+   * treats the content as data rather than instructions (prompt-injection defense).
+   *
+   * Defaults to `["gmail", "ocr", "webhook"]` when unset.
+   */
+  readonly untrustedSources?: ReadonlyArray<string>;
 }
 /**
  * AI agent: credential bindings are keyed to connection-owned LLM/tool node ids (ConnectionNodeIdFactory),
@@ -2081,7 +2351,11 @@ declare class AIAgent<TInputJson$1 = unknown, TOutputJson$1 = unknown> implement
   readonly guardrails?: AgentGuardrailConfig;
   readonly inputSchema?: ZodType<TInputJson$1>;
   readonly outputSchema?: ZodType<TOutputJson$1>;
+  readonly mcpServers?: ReadonlyArray<string>;
+  readonly pinnedMcpTools?: readonly string[];
+  readonly untrustedSources?: ReadonlyArray<string>;
   constructor(options: AIAgentOptions<TInputJson$1, TOutputJson$1>);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/AgentToolRepairPolicy.d.ts
@@ -2154,6 +2428,41 @@ declare class NodeBackedToolRuntime {
   private isMultiInputNode;
 }
 //#endregion
+//#region src/nodes/ToolLoadingStrategy.d.ts
+interface FindToolsResult {
+  readonly serverId: string;
+  readonly toolName: string;
+  readonly description: string;
+  readonly inputSchema: unknown;
+}
+interface ToolLoadingStrategyTurnContext {
+  readonly turnIndex: number;
+  readonly previousFoundToolIds?: ReadonlyArray<string>;
+}
+interface ToolLoadingStrategyInitInput {
+  readonly nodeBackedTools: ToolSet;
+  readonly mcpToolsByServer: ReadonlyMap<string, ToolSet>;
+  readonly pinnedMcpTools?: ReadonlyArray<string>;
+}
+interface ToolLoadingStrategy {
+  initialize(input: ToolLoadingStrategyInitInput): Promise<void>;
+  getToolsForTurn(context: ToolLoadingStrategyTurnContext): ToolSet;
+  ownsToolName(toolName: string): boolean;
+  executeMetaTool(toolName: string, input: unknown): Promise<unknown>;
+  recordFoundTools(results: ReadonlyArray<FindToolsResult>): void;
+  getFoundToolIds(): ReadonlyArray<string>;
+}
+//#endregion
+//#region src/nodes/DeferredMetaToolStrategyFactory.d.ts
+/**
+ * Factory for creating and initializing a DeferredMetaToolStrategy per agent execution.
+ * Injected into AIAgentNode; each agent call creates its own initialized strategy instance.
+ * BM25Index is constructed here (this file is a composition root via the Factory suffix).
+ */
+declare class DeferredMetaToolStrategyFactory {
+  create(input: ToolLoadingStrategyInitInput): Promise<ToolLoadingStrategy>;
+}
+//#endregion
 //#region src/nodes/AIAgentNode.d.ts
 declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private readonly nodeResolver;
@@ -2161,15 +2470,18 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private readonly executionHelpers;
   private readonly structuredOutputRunner;
   private readonly toolExecutionCoordinator;
+  private readonly toolLoadingStrategyFactory;
+  private readonly agentMcpIntegration;
   kind: "node";
   outputPorts: readonly ["main"];
   readonly inputSchema: z.ZodUnknown;
   private readonly connectionCredentialExecutionContextFactory;
   private readonly preparedByExecutionContext;
-  constructor(nodeResolver: NodeResolver, credentialSessions: CredentialSessionService, nodeBackedToolRuntime: NodeBackedToolRuntime, executionHelpers: AIAgentExecutionHelpersFactory, structuredOutputRunner: AgentStructuredOutputRunner, toolExecutionCoordinator: AgentToolExecutionCoordinator);
+  constructor(nodeResolver: NodeResolver, credentialSessions: CredentialSessionService, nodeBackedToolRuntime: NodeBackedToolRuntime, executionHelpers: AIAgentExecutionHelpersFactory, structuredOutputRunner: AgentStructuredOutputRunner, toolExecutionCoordinator: AgentToolExecutionCoordinator, toolLoadingStrategyFactory: DeferredMetaToolStrategyFactory, agentMcpIntegration: AgentMcpIntegration);
   execute(args: RunnableNodeExecuteArgs<AIAgent<any, any>>): Promise<unknown>;
   private getOrPrepareExecution;
   private prepareExecution;
+  private prepareMcpToolsByServer;
   private runAgentForItem;
   /**
    * Multi-turn loop:
@@ -2178,6 +2490,8 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
    *   connection-invocation recording / transient-error handling exactly like before).
    * - When the model returns no tool calls the loop ends with the model's text as the final answer.
    * - Respects `guardrails.maxTurns` and `guardrails.onTurnLimitReached`.
+   * - Strategy-owned tool calls (e.g. `find_tools`) are dispatched via the strategy, not the
+   *   coordinator; their results are tracked so subsequent turns receive the discovered tools.
    */
   private runTurnLoopUntilFinalAnswer;
   private cannotExecuteAnotherToolRound;
@@ -2187,6 +2501,22 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private buildOutputItem;
   private resolveTools;
   private createItemScopedTools;
+  /**
+   * Invoke a text turn using the merged tool set from item-scoped tools (coordinator-managed)
+   * and strategy tools (find_tools + discovered MCP tools).
+   * Strategy tools take precedence for names that overlap.
+   */
+  private invokeTextTurnWithStrategyTools;
+  /**
+   * Removes `execute` properties from ToolSet entries so the AI SDK does not
+   * auto-execute them within `generateText`. Codemation owns all tool dispatch.
+   */
+  private stripExecuteCallbacks;
+  /**
+   * Builds a ToolSet from resolved tools for strategy initialization.
+   * The strategy uses this for its "always-included" node-backed tool descriptions.
+   */
+  private buildToolSetFromResolved;
   /**
    * Builds an AI SDK {@link ToolSet} where every tool ships a pre-converted JSON Schema (via
    * {@link jsonSchema}) — not the raw Zod schema — and carries **no** `execute`. Two reasons:
@@ -2204,9 +2534,9 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private buildToolSet;
   /**
    * One `generateText` turn (no auto tool execution) with Codemation-owned child-span telemetry
-   * and connection-invocation state recording.
+   * and connection-invocation state recording. Accepts a pre-built ToolSet.
    */
-  private invokeTextTurn;
+  private invokeTextTurnWithToolSet;
   /**
    * Structured-output turn: runs `generateText({ output: Output.object({ schema }) })` via the
    * structured-output runner.  We keep this as a separate helper because the runner needs the raw
@@ -2237,6 +2567,13 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private summarizeLlmMessages;
   private resultToJsonValue;
   private createPromptMessages;
+  /**
+   * When `item.json.__source` matches an entry in `config.untrustedSources`
+   * (default: `["gmail", "ocr", "webhook"]`), wraps every user-role message
+   * content with an untrusted-external-source preamble so the LLM treats the
+   * content as data, not instructions.
+   */
+  private wrapUntrustedSourceMessages;
   private resolveToolRuntime;
   private isNodeBackedToolConfig;
   private isCallableToolConfig;
@@ -2245,6 +2582,61 @@ declare class AIAgentNode implements RunnableNode<AIAgent<any, any>> {
   private extractErrorDetails;
 }
 //#endregion
+//#region src/nodes/BM25Index.d.ts
+/**
+ * Minimal BM25 (Okapi BM25) implementation for indexing MCP tool descriptions.
+ *
+ * Parameters: k1=1.5, b=0.75 (standard defaults).
+ * Tokenisation: lowercase, split on non-alphanumerics, filter empties.
+ */
+declare class BM25Index {
+  private readonly k1;
+  private readonly b;
+  private readonly tf;
+  private readonly df;
+  private avgDocLen;
+  /**
+   * Add all documents at once. After calling this, search is available.
+   * Documents are indexed in insertion order; search returns their indices.
+   */
+  add(docs: ReadonlyArray<string>): void;
+  /**
+   * Returns up to `limit` document indices ranked by BM25 score (highest first).
+   * Returns an empty array if the index is empty or the query matches nothing.
+   */
+  search(query: string, limit: number): ReadonlyArray<number>;
+  tokenize(text: string): string[];
+  private docLen;
+}
+//#endregion
+//#region src/nodes/DeferredMetaToolStrategy.d.ts
+/**
+ * Default tool-loading strategy: BM25-indexed MCP tool deferral via a `find_tools` meta-tool.
+ *
+ * - Node-backed tools and pinned MCP tools are always included in every turn.
+ * - `find_tools(query, limit?)` is added to the tool set when MCP tools are indexed.
+ * - Tools surfaced by `find_tools` are included in subsequent turns.
+ *
+ * Not DI-managed; instantiated per agent execution by DeferredMetaToolStrategyFactory.
+ */
+declare class DeferredMetaToolStrategy implements ToolLoadingStrategy {
+  private readonly bm25;
+  private readonly warnFn;
+  private nodeBackedTools;
+  private pinnedTools;
+  private mcpEntries;
+  private toolsByServerId;
+  private foundToolIds;
+  constructor(bm25: BM25Index, warnFn: (message: string) => void);
+  initialize(input: ToolLoadingStrategyInitInput): Promise<void>;
+  getToolsForTurn(context: ToolLoadingStrategyTurnContext): ToolSet;
+  ownsToolName(toolName: string): boolean;
+  executeMetaTool(toolName: string, input: unknown): Promise<unknown>;
+  recordFoundTools(results: ReadonlyArray<FindToolsResult>): void;
+  getFoundToolIds(): ReadonlyArray<string>;
+  private buildFindToolsDefinition;
+}
+//#endregion
 //#region src/nodes/AssertionNode.d.ts
 /**
  * Runs the author's `assertions` callback for each input item and emits one workflow `Item` per
@@ -2289,6 +2681,7 @@ declare class Assertion<TInputJson$1 = unknown> implements RunnableNodeConfig<TI
   readonly emitsAssertions: true;
   readonly assertions: AssertionOptions<TInputJson$1>["assertions"];
   constructor(options: AssertionOptions<TInputJson$1>);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/CallbackNode.d.ts
@@ -2327,6 +2720,7 @@ declare class Callback<TInputJson$1 = unknown, TOutputJson$1 = TInputJson$1> imp
   readonly declaredOutputPorts?: ReadonlyArray<string>;
   constructor(name?: string, callback?: CallbackHandler<TInputJson$1, TOutputJson$1>, idOrOptions?: string | CallbackOptions, options?: CallbackOptions);
   private static defaultCallback;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/HttpRequestNodeFactory.d.ts
@@ -2396,11 +2790,22 @@ declare class HttpRequest<TInputJson$1 = Readonly<{
     /** Request body specification. For canvas use, pass a JSON string in `body.data`. */
     body?: HttpBodySpec;
     /**
-     * Credential slot key. When set, the node resolves a credential via
-     * `ctx.getCredential(credentialSlot)` and applies it to the request.
-     * The slot must be declared in `getCredentialRequirements()`.
+     * Credential slot.
+     *
+     * **String shorthand** (existing): `credentialSlot: "auth"` — the slot accepts all four
+     * default HTTP credential types (bearer, API-key, basic, OAuth2).
+     *
+     * **Object form** (new): narrows the accepted types to the caller-supplied list, useful
+     * when only a subset of credential types makes sense for a specific endpoint.
+     * ```ts
+     * credentialSlot: { name: "auth", acceptedTypes: [bearerTokenCredentialType] }
+     * ```
+     * The slot must be declared in `getCredentialRequirements()`, which is wired automatically.
      */
-    credentialSlot?: string;
+    credentialSlot?: string | Readonly<{
+      name: string;
+      acceptedTypes?: ReadonlyArray<AnyCredentialType>;
+    }>;
     binaryName?: string;
     downloadMode?: HttpRequestDownloadMode;
     /**
@@ -2424,6 +2829,23 @@ declare class HttpRequest<TInputJson$1 = Readonly<{
      * Requests whose `Content-Length` exceeds this cap are rejected before the body is read.
      */
     responseSizeCapBytes?: number;
+    /**
+     * Operator-configurable outbound host allowlist.
+     *
+     * When set, every HTTP request target must match an entry in this list before the
+     * request is made — requests to any other host are rejected with {@link SSRFBlockedError}.
+     * Supports exact hostnames (`api.example.com`) and wildcard subdomain patterns
+     * (`*.example.com` matches `sub.example.com` but not `example.com` itself).
+     *
+     * When unset (default), the existing SSRF private-network guard applies:
+     * public hosts are allowed and private/loopback ranges are blocked.
+     *
+     * **Production warning**: when `NODE_ENV === "production"` and this is unset, a one-time
+     * warning is logged at workflow startup.
+     *
+     * Setting this to an empty array `[]` is equivalent to "block everything".
+     */
+    allowedOutboundHosts?: ReadonlyArray<string>;
     id?: string;
   }>;
   readonly retryPolicy: RetryPolicySpec;
@@ -2450,11 +2872,22 @@ declare class HttpRequest<TInputJson$1 = Readonly<{
     /** Request body specification. For canvas use, pass a JSON string in `body.data`. */
     body?: HttpBodySpec;
     /**
-     * Credential slot key. When set, the node resolves a credential via
-     * `ctx.getCredential(credentialSlot)` and applies it to the request.
-     * The slot must be declared in `getCredentialRequirements()`.
+     * Credential slot.
+     *
+     * **String shorthand** (existing): `credentialSlot: "auth"` — the slot accepts all four
+     * default HTTP credential types (bearer, API-key, basic, OAuth2).
+     *
+     * **Object form** (new): narrows the accepted types to the caller-supplied list, useful
+     * when only a subset of credential types makes sense for a specific endpoint.
+     * ```ts
+     * credentialSlot: { name: "auth", acceptedTypes: [bearerTokenCredentialType] }
+     * ```
+     * The slot must be declared in `getCredentialRequirements()`, which is wired automatically.
      */
-    credentialSlot?: string;
+    credentialSlot?: string | Readonly<{
+      name: string;
+      acceptedTypes?: ReadonlyArray<AnyCredentialType>;
+    }>;
     binaryName?: string;
     downloadMode?: HttpRequestDownloadMode;
     /**
@@ -2478,6 +2911,23 @@ declare class HttpRequest<TInputJson$1 = Readonly<{
      * Requests whose `Content-Length` exceeds this cap are rejected before the body is read.
      */
     responseSizeCapBytes?: number;
+    /**
+     * Operator-configurable outbound host allowlist.
+     *
+     * When set, every HTTP request target must match an entry in this list before the
+     * request is made — requests to any other host are rejected with {@link SSRFBlockedError}.
+     * Supports exact hostnames (`api.example.com`) and wildcard subdomain patterns
+     * (`*.example.com` matches `sub.example.com` but not `example.com` itself).
+     *
+     * When unset (default), the existing SSRF private-network guard applies:
+     * public hosts are allowed and private/loopback ranges are blocked.
+     *
+     * **Production warning**: when `NODE_ENV === "production"` and this is unset, a one-time
+     * warning is logged at workflow startup.
+     *
+     * Setting this to an empty array `[]` is equivalent to "block everything".
+     */
+    allowedOutboundHosts?: ReadonlyArray<string>;
     id?: string;
   }>, retryPolicy?: RetryPolicySpec);
   get id(): string | undefined;
@@ -2488,7 +2938,9 @@ declare class HttpRequest<TInputJson$1 = Readonly<{
   get responseFormat(): "json" | "text" | "binary" | undefined;
   get responseBinarySlot(): string;
   get responseSizeCapBytes(): number;
+  get allowedOutboundHosts(): ReadonlyArray<string> | undefined;
   getCredentialRequirements(): ReadonlyArray<CredentialRequirement>;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/AggregateNode.d.ts
@@ -2511,6 +2963,7 @@ declare class Aggregate<TIn = unknown, TOut = unknown> implements RunnableNodeCo
   readonly keepBinaries: true;
   readonly icon: "builtin:aggregate-rows";
   constructor(name: string, aggregate: (items: Items<TIn>, ctx: NodeExecutionContext<Aggregate<TIn, TOut>>) => TOut | Promise<TOut>, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/FilterNode.d.ts
@@ -2532,6 +2985,7 @@ declare class Filter<TIn = unknown> implements RunnableNodeConfig<TIn, TIn> {
   };
   readonly icon: "lucide:filter";
   constructor(name: string, predicate: (item: Item<TIn>, index: number, items: Items<TIn>, ctx: NodeExecutionContext<Filter<TIn>>) => boolean, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/IfNode.d.ts
@@ -2553,6 +3007,7 @@ declare class If<TInputJson$1 = unknown> implements RunnableNodeConfig<TInputJso
   readonly icon: "lucide:split@rot=90";
   readonly declaredOutputPorts: readonly ["true", "false"];
   constructor(name: string, predicate: (item: Item<TInputJson$1>, index: number, items: Items<TInputJson$1>, ctx: NodeExecutionContext<If<TInputJson$1>>) => boolean, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/IsTestRunNode.d.ts
@@ -2618,6 +3073,7 @@ declare class Switch<TInputJson$1 = unknown> implements RunnableNodeConfig<TInpu
     defaultCase: string;
     resolveCaseKey: SwitchCaseKeyResolver<TInputJson$1>;
   }>, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/SplitNode.d.ts
@@ -2645,6 +3101,7 @@ declare class Split<TIn = unknown, TElem = unknown> implements RunnableNodeConfi
   readonly continueWhenEmptyOutput: true;
   readonly icon: "builtin:split-rows";
   constructor(name: string, getElements: (item: Item<TIn>, ctx: NodeExecutionContext<Split<TIn, TElem>>) => readonly TElem[], id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/CronTriggerFactory.d.ts
@@ -2675,6 +3132,7 @@ declare class CronTrigger implements TriggerNodeConfig<CronTickJson> {
   get schedule(): string;
   get timezone(): string | undefined;
   createJob(callback: CronCallback): Cron;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/CronTriggerNode.d.ts
@@ -2716,6 +3174,7 @@ declare class ManualTrigger<TOutputJson$1 = unknown> implements TriggerNodeConfi
   constructor(name: string, defaultItems: ManualTriggerDefaultValue<TOutputJson$1>, id?: string);
   private static resolveDefaultItems;
   private static resolveId;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/MapDataNode.d.ts
@@ -2746,6 +3205,7 @@ declare class MapData<TInputJson$1 = unknown, TOutputJson$1 = unknown> implement
   readonly keepBinaries: boolean;
   constructor(name: string, map: (item: Item<TInputJson$1>, ctx: NodeExecutionContext<MapData<TInputJson$1, TOutputJson$1>>) => TOutputJson$1, options?: MapDataOptions);
   get id(): string | undefined;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/MergeNode.d.ts
@@ -2779,6 +3239,7 @@ declare class Merge<TInputJson$1 = unknown, TOutputJson$1 = TInputJson$1> implem
      */
     prefer?: ReadonlyArray<InputPortKey>;
   }>, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/NoOpNode.d.ts
@@ -2825,6 +3286,7 @@ declare class SubWorkflow<TInputJson$1 = unknown, TOutputJson$1 = unknown> imple
   constructor(name: string, workflowId: string, upstreamRefs?: Array<{
     nodeId: NodeId;
   } | UpstreamRefPlaceholder> | undefined, startAt?: NodeId | undefined, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/TestTriggerNode.d.ts
@@ -2890,6 +3352,7 @@ declare class TestTrigger<TOutputJson$1 = unknown> implements TestTriggerNodeCon
   private readonly credentialRequirements;
   constructor(options: TestTriggerOptions<TOutputJson$1>);
   getCredentialRequirements(): ReadonlyArray<CredentialRequirement>;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 //#endregion
 //#region src/nodes/WaitDurationFactory.d.ts
@@ -2918,6 +3381,7 @@ declare class Wait<TItemJson = unknown> implements RunnableNodeConfig<TItemJson,
   readonly continueWhenEmptyOutput: true;
   readonly icon: "lucide:hourglass";
   constructor(name: string, milliseconds: number, id?: string | undefined);
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/webhookRespondNowAndContinueError.d.ts
@@ -2947,7 +3411,7 @@ declare class WebhookTrigger<TSchema extends WebhookInputSchema | undefined = un
   readonly id?: string | undefined;
   readonly kind: "trigger";
   readonly type: TypeToken<unknown>;
-  readonly icon = "lucide:webhook";
+  readonly icon = "lucide:globe";
   constructor(name: string, args: Readonly<{
     endpointKey: string;
     methods: ReadonlyArray<HttpMethod>;
@@ -2958,6 +3422,7 @@ declare class WebhookTrigger<TSchema extends WebhookInputSchema | undefined = un
   get inputSchema(): TSchema | undefined;
   parseJsonBody(body: unknown): unknown;
   private static defaultHandler;
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow>;
 }
 //#endregion
 //#region src/nodes/webhookTriggerNode.d.ts
@@ -3128,7 +3593,8 @@ declare class ConnectionCredentialNodeConfigFactory {
  */
 declare class AIAgentConnectionWorkflowExpander {
   private readonly connectionCredentialNodeConfigFactory;
-  constructor(connectionCredentialNodeConfigFactory: ConnectionCredentialNodeConfigFactory);
+  private readonly mcpServerResolver?;
+  constructor(connectionCredentialNodeConfigFactory: ConnectionCredentialNodeConfigFactory, mcpServerResolver?: McpServerResolver | undefined);
   expand(workflow: WorkflowDefinition): WorkflowDefinition;
   private createConnectionsByParentAndName;
   private collectExistingChildIds;
@@ -3198,5 +3664,5 @@ declare const collectionDeleteNode: DefinedNode<"collection-delete", {
   id: string;
 }, undefined>;
 //#endregion
-export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DefineRestNodeOptions, type ExecutedToolCall, Filter, FilterNode, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, type ItemScopedToolBinding, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, type PlannedToolCall, type ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, Split, SplitNode, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
+export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BM25Index, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, CodemationChatModelConfig, CodemationChatModelFactory, CodemationManagedModel, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, DefineRestNodeOptions, type ExecutedToolCall, Filter, FilterNode, type FindToolsResult, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, type ItemScopedToolBinding, ManagedModelDto, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, type PlannedToolCall, type ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, type ToolLoadingStrategy, type ToolLoadingStrategyInitInput, type ToolLoadingStrategyTurnContext, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
 //# sourceMappingURL=index.d.ts.map