@codemation/host 0.6.0 → 0.7.0

package/dist/{CodemationPluginListMerger-DGc-jfa2.d.ts → CodemationPluginListMerger-DKLAHT2b.d.ts}

@@ -1,13 +1,16 @@
-import { n as Engine, r as CollectionDefinition, s as Clock } from "./index-BbBk26m0.js";
-import { $ as RunCurrentState, Dt as WorkflowId, J as WorkflowDefinition, U as PersistedRunPolicySnapshot, W as RunId, Z as PersistedRunState, at as RunSummary, b as TestCaseRunStatus, ct as AnyCredentialType, d as NodeExecutionRequestHandler, f as NodeExecutionScheduler, g as TypeToken, h as Container, k as WorkflowRunDetailDto, o as BinaryStorage, p as WorkflowRepository, tt as RunPruneCandidate, v as RunEvent, w as WorkflowActivationPolicy, y as RunEventBus } from "./ItemsInputNormalizer-C-KHg9Mo.js";
-import { C as CodemationContainerRegistration, l as CodemationPluginPackageMetadata, o as CodemationPlugin, r as AppConfig } from "./CodemationAppContext-DRu1Dpri.js";
-import { a as CodemationAuthConfig, l as Logger, t as CodemationWhitelabelConfig, u as LoggerFactory } from "./CodemationWhitelabelConfig-CWbcyQqn.js";
-import { t as LogLevelPolicyFactory } from "./LogLevelPolicyFactory-CampWO0l.js";
-import { t as CredentialStore } from "./CredentialServices-UfvHB-rN.js";
-import { i as TelemetryMetricPointStore, n as TelemetryArtifactStore, o as TelemetrySpanStore, r as TelemetryExporter, t as RunTraceContextRepository } from "./TelemetryContracts-DbaNomrH.js";
-import { n as PrismaMigrationDeployer, r as PrismaDatabaseClient } from "./AppConfigFactory-YnveXE9k.js";
+import { c as Clock, i as CollectionDefinition, r as Engine, t as OAuthFlowExecutor } from "./index-DilAYwnH.js";
+import { $ as PersistedRunState, A as WorkflowRunDetailDto, G as PersistedRunPolicySnapshot, K as RunId, T as McpServerDeclaration, X as WorkflowDefinition, b as TestCaseRunStatus, d as NodeExecutionRequestHandler, f as NodeExecutionScheduler, g as TypeToken, h as Container, kt as WorkflowId, o as BinaryStorage, p as WorkflowRepository, rt as RunPruneCandidate, st as RunSummary, tt as RunCurrentState, ut as AnyCredentialType, v as RunEvent, w as WorkflowActivationPolicy, y as RunEventBus } from "./ItemsInputNormalizer-_RwIfRIQ.js";
+import { C as CodemationContainerRegistration, l as CodemationPluginPackageMetadata, o as CodemationPlugin, r as AppConfig } from "./CodemationAppContext-CKVv9W9q.js";
+import { a as CodemationAuthConfig, l as Logger, t as CodemationWhitelabelConfig, u as LoggerFactory } from "./CodemationWhitelabelConfig-Ca2mCUeC.js";
+import { t as LogLevelPolicyFactory } from "./LogLevelPolicyFactory-ewCHLDLn.js";
+import { t as CredentialStore } from "./CredentialServices-Be2I60Th.js";
+import { i as TelemetryMetricPointStore, n as TelemetryArtifactStore, o as TelemetrySpanStore, r as TelemetryExporter, s as TelemetrySpanUpsert, t as RunTraceContextRepository } from "./TelemetryContracts-BtDx84Cp.js";
+import { n as PrismaMigrationDeployer, r as PrismaDatabaseClient } from "./AppConfigFactory-DnLoQ9Li.js";
+import { s as ProcessRunner } from "./PublicFrontendBootstrapFactory-CY2FS-5g.js";
+import { t as InternalHonoApiRouteRegistrar } from "./InternalHonoApiRouteRegistrar-Ce1yxpnO.js";
 import "reflect-metadata";
-import { Hono } from "hono";
+import { Hono, MiddlewareHandler } from "hono";
+import "jose";
 
 //#region src/application/bus/Command.d.ts
 declare abstract class Command<TResult> {
@@ -37,6 +40,7 @@ declare class CodemationPluginRegistrar {
     appConfig: AppConfig;
     registerCredentialType: (type: AnyCredentialType) => void;
     registerCollection: (definition: CollectionDefinition) => void;
+    mergeMcpServers: (declarations: ReadonlyArray<McpServerDeclaration>) => void;
     loggerFactory: LoggerFactory;
   }>): Promise<void>;
 }
@@ -60,6 +64,10 @@ type WorkflowWebsocketMessage = Readonly<{
   kind: "devBuildFailed";
   workflowId: string;
   message: string;
+}> | Readonly<{
+  kind: "telemetryEvent";
+  runId: string;
+  span: TelemetrySpanUpsert;
 }>;
 //#endregion
 //#region src/application/websocket/WorkflowWebsocketPublisher.d.ts
@@ -67,16 +75,41 @@ interface WorkflowWebsocketPublisher {
   publishToRoom(roomId: string, message: WorkflowWebsocketMessage): Promise<void>;
 }
 //#endregion
+//#region ../managed-auth/src/types.d.ts
+/**
+ * A successfully verified CP-signed JWT principal.
+ * `userId` maps to the JWT `sub` claim; `workspaceId` maps to `aud`.
+ */
+interface VerifiedManagedPrincipal {
+  readonly userId: string;
+  readonly workspaceId: string;
+}
+//#endregion
+//#region src/presentation/websocket/WebsocketAuthenticator.types.d.ts
+/**
+ * Authenticates an incoming WebSocket upgrade request.
+ *
+ * Implementations parse the upgrade URL (e.g. `?token=<jwt>`) and verify the
+ * credential.  Returns the verified principal on success, or `null` when the
+ * request must be rejected with close-code 4401.
+ */
+interface WebsocketAuthenticator {
+  authenticate(requestUrl: string | undefined): Promise<VerifiedManagedPrincipal | null>;
+}
+//#endregion
 //#region src/presentation/websocket/WorkflowWebsocketServer.d.ts
 declare class WorkflowWebsocketServer implements WorkflowWebsocketPublisher {
   private readonly port;
   private readonly bindHost;
   private readonly logger;
+  private readonly authenticator;
   private websocketServer;
   private readonly sockets;
   private readonly roomIdsBySocket;
   private started;
-  constructor(port: number, bindHost: string, logger: Logger);
+  constructor(port: number, bindHost: string, logger: Logger, authenticator?: WebsocketAuthenticator | null);
+  /** Returns the actual port the server is listening on (useful when constructed with port 0). */
+  get listeningPort(): number;
   start(): Promise<void>;
   stop(): Promise<void>;
   publishToRoom(roomId: string, message: WorkflowWebsocketMessage): Promise<void>;
@@ -109,14 +142,20 @@ declare class AppContainerFactory {
   constructor(containerRegistrationRegistrar?: CodemationContainerRegistrationRegistrar, pluginRegistrar?: CodemationPluginRegistrar);
   create(inputs: AppContainerInputs): Promise<Container>;
   private collectCredentialTypes;
+  private registerMcpCatalog;
+  private mergeConfigMcpServers;
   private applyPlugins;
   private registerCredentialTypes;
+  private registerControlPlaneCatalogFetcher;
   private registerConfiguredRegistrations;
   private registerCollectionsInfrastructure;
   private registerCoreInfrastructure;
   private registerRepositoriesAndBuses;
   private registerApplicationServicesAndRoutes;
+  private registerManagedAuthInfrastructure;
+  private registerPairingInfrastructure;
   private registerOperationalInfrastructure;
+  private registerWorkflowAuditWriter;
   private registerRuntimeInfrastructure;
   private resolvePrismaOwnership;
   private registerRuntimeNodeActivationScheduler;
@@ -133,6 +172,8 @@ declare class AppContainerLifecycle {
   private readonly container;
   private readonly ownedPrismaClient;
   constructor(container: Container, ownedPrismaClient: PrismaDatabaseClient | null);
+  start(): Promise<void>;
+  startWorkerSubscribers(): Promise<void>;
   stop(args?: Readonly<{
     stopWebsocketServer?: boolean;
   }>): Promise<void>;
@@ -406,10 +447,16 @@ declare class TelemetryEnricherChain {
 //#endregion
 //#region src/application/telemetry/TelemetryRetentionTimestampFactory.d.ts
 declare class TelemetryRetentionTimestampFactory {
-  createSpanExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createArtifactExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createMetricExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createTraceContextExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
+  /** Default span retention: 7 days (overridden by policySnapshot). */
+  static readonly defaultSpanRetentionSeconds: number;
+  /** Default artifact retention: 3 days (overridden by policySnapshot). */
+  static readonly defaultArtifactRetentionSeconds: number;
+  /** Default metric retention: 30 days (overridden by policySnapshot). */
+  static readonly defaultMetricRetentionSeconds: number;
+  createSpanExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createArtifactExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createMetricExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createTraceContextExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
   private createExpiry;
 }
 //#endregion
@@ -542,6 +589,10 @@ type AuthenticatedPrincipal = Readonly<{
   id: string;
   email: string | null;
   name: string | null;
+  /** Set to "managed-jwt" when the principal was verified from a CP-signed bearer token. */
+  source?: "managed-jwt";
+  /** The workspace ID from the JWT `aud` claim. Present when source === "managed-jwt". */
+  workspaceId?: string;
 }>;
 //#endregion
 //#region src/application/auth/SessionVerifier.d.ts
@@ -572,6 +623,11 @@ declare abstract class QueryHandler<TQuery extends Query<TResult>, TResult> {
   abstract execute(query: TQuery): Promise<TResult>;
 }
 //#endregion
+//#region src/application/telemetry/TelemetrySpanPublisher.d.ts
+interface TelemetrySpanPublisher {
+  publishSpan(span: TelemetrySpanUpsert): Promise<void>;
+}
+//#endregion
 //#region src/domain/workflows/WorkflowDebuggerOverlayState.d.ts
 type WorkflowDebuggerOverlayState = Readonly<{
   workflowId: string;
@@ -591,6 +647,50 @@ interface HonoApiRouteRegistrar {
   register(app: Hono): void;
 }
 //#endregion
+//#region src/auth/managed/ManagedCorsMiddleware.d.ts
+/**
+ * CORS allowlist middleware for managed mode.
+ *
+ * Only the single `CP_WEB_ORIGIN` value (provisioner-injected) is permitted.
+ * All other origins are refused on preflight with a 403.
+ */
+declare class ManagedCorsMiddleware {
+  private readonly allowedOrigin;
+  constructor(allowedOrigin: string);
+  handle(): MiddlewareHandler;
+}
+//#endregion
+//#region src/audit/IAuditEmitter.d.ts
+/**
+ * Workspace-local audit emitter contract.
+ * Mirror of the CP-side IAuditEmitter shape; kept separate to avoid cross-repo coupling.
+ */
+interface WorkflowAuditActor {
+  readonly userId: string;
+  readonly sessionId?: string;
+}
+interface WorkflowAuditResource {
+  readonly type: string;
+  readonly id: string;
+}
+interface WorkflowAuditEntry {
+  readonly id: string;
+  readonly occurredAt: string;
+  readonly actor: WorkflowAuditActor;
+  readonly action: string;
+  readonly resource: WorkflowAuditResource;
+  readonly outcome: "success" | "failure";
+  readonly errorCode?: string;
+  readonly correlationId?: string;
+  /** Denormalised on every row for query convenience. */
+  readonly workflowId: string;
+  readonly runId?: string;
+  readonly nodeId?: string;
+}
+interface IWorkflowAuditEmitter {
+  emit(entry: WorkflowAuditEntry): Promise<void>;
+}
+//#endregion
 //#region src/applicationTokens.d.ts
 declare const ApplicationTokens: {
   readonly CodemationAuthConfig: TypeToken<CodemationAuthConfig | undefined>;
@@ -605,7 +705,11 @@ declare const ApplicationTokens: {
   readonly CommandHandler: TypeToken<CommandHandler<Command<unknown>, unknown>>;
   readonly DomainEventHandler: TypeToken<DomainEventHandler<DomainEvent>>;
   readonly HonoApiRouteRegistrar: TypeToken<HonoApiRouteRegistrar>;
+  readonly InternalHonoApiRouteRegistrar: TypeToken<InternalHonoApiRouteRegistrar>;
+  readonly ManagedCorsMiddleware: TypeToken<ManagedCorsMiddleware>;
+  readonly WebsocketAuthenticator: TypeToken<WebsocketAuthenticator | null>;
   readonly WorkflowWebsocketPublisher: TypeToken<WorkflowWebsocketPublisher>;
+  readonly TelemetrySpanPublisher: TypeToken<TelemetrySpanPublisher>;
   readonly WorkerRuntimeScheduler: TypeToken<WorkerRuntimeScheduler>;
   readonly WorkflowDefinitionRepository: TypeToken<WorkflowDefinitionRepository>;
   readonly WorkflowActivationRepository: TypeToken<WorkflowActivationRepository>;
@@ -625,6 +729,9 @@ declare const ApplicationTokens: {
   readonly PrismaClient: TypeToken<PrismaDatabaseClient>;
   readonly SessionVerifier: TypeToken<SessionVerifier>;
   readonly Clock: TypeToken<Clock>;
+  readonly WorkflowAuditEmitter: TypeToken<IWorkflowAuditEmitter>;
+  readonly ProcessRunner: TypeToken<ProcessRunner>;
+  readonly OAuthFlowExecutor: TypeToken<OAuthFlowExecutor>;
 };
 //#endregion
 //#region src/bootstrap/CodemationBootstrapRequest.d.ts
@@ -656,5 +763,5 @@ declare class CodemationPluginListMerger {
   private tryAdd;
 }
 //#endregion
-export { WorkflowWebsocketServer as _, WorkflowDebuggerOverlayRepository as a, CommandBus as b, FrontendRuntime as c, LogFilter as d, WorkflowRunRepository as f, AppContainerFactory as g, AppContainerLifecycle as h, HonoApiRouteRegistrar as i, WorkflowRunRetentionPruneScheduler as l, DatabaseMigrations as m, CodemationBootstrapRequest as n, SessionVerifier as o, CollectionSchemaSyncerHolder as p, ApplicationTokens as r, WorkerRuntime as s, CodemationPluginListMerger as t, ServerLoggerFactory as u, QueryBus as v, Command as x, Query as y };
-//# sourceMappingURL=CodemationPluginListMerger-DGc-jfa2.d.ts.map
+export { Command as S, AppContainerFactory as _, HonoApiRouteRegistrar as a, Query as b, WorkerRuntime as c, ServerLoggerFactory as d, LogFilter as f, AppContainerLifecycle as g, DatabaseMigrations as h, ManagedCorsMiddleware as i, FrontendRuntime as l, CollectionSchemaSyncerHolder as m, CodemationBootstrapRequest as n, WorkflowDebuggerOverlayRepository as o, WorkflowRunRepository as p, ApplicationTokens as r, SessionVerifier as s, CodemationPluginListMerger as t, WorkflowRunRetentionPruneScheduler as u, WorkflowWebsocketServer as v, CommandBus as x, QueryBus as y };
+//# sourceMappingURL=CodemationPluginListMerger-DKLAHT2b.d.ts.map

package/dist/CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js

@@ -0,0 +1,97 @@
+//#region src/presentation/server/CodemationTsyringeParamInfoReader.ts
+var CodemationTsyringeParamInfoReader = class {
+	static injectionTokenMetadataKey = "injectionTokens";
+	static designParamTypesMetadataKey = "design:paramtypes";
+	static read(target) {
+		const designParamTypes = this.readDesignParamTypes(target);
+		const injectionTokens = this.readInjectionTokens(target);
+		Object.keys(injectionTokens).forEach((key) => {
+			designParamTypes[Number(key)] = injectionTokens[key];
+		});
+		return designParamTypes;
+	}
+	static readDesignParamTypes(target) {
+		const reflected = Reflect.getMetadata?.(this.designParamTypesMetadataKey, target);
+		return Array.isArray(reflected) ? [...reflected] : [];
+	}
+	static readInjectionTokens(target) {
+		const reflected = Reflect.getOwnMetadata?.(this.injectionTokenMetadataKey, target);
+		if (!reflected || typeof reflected !== "object") return {};
+		return reflected;
+	}
+};
+
+//#endregion
+//#region src/presentation/server/CodemationTsyringeTypeInfoRegistrar.ts
+var CodemationTsyringeTypeInfoRegistrar = class {
+	visitedTokens = /* @__PURE__ */ new Set();
+	visitedConfigObjects = /* @__PURE__ */ new Set();
+	constructor(container) {
+		this.container = container;
+	}
+	registerWorkflowDefinitions(workflows) {
+		for (const workflow of workflows) for (const node of workflow.nodes) {
+			this.registerTypeToken(node.type);
+			this.registerConfigTokens(node.config);
+		}
+	}
+	registerTypeToken(token) {
+		if (typeof token !== "function" || this.visitedTokens.has(token)) return;
+		this.visitedTokens.add(token);
+		const paramInfo = CodemationTsyringeParamInfoReader.read(token);
+		for (const dependency of paramInfo) this.registerDependency(dependency);
+		this.registerFactoryProvider(token, paramInfo);
+	}
+	registerDependency(dependency) {
+		const token = this.resolveDependencyToken(dependency);
+		if (typeof token !== "function") return;
+		if (!this.container.isRegistered(token, true)) return;
+		this.registerTypeToken(token);
+	}
+	registerConfigTokens(value) {
+		if (Array.isArray(value)) {
+			value.forEach((entry) => this.registerConfigTokens(entry));
+			return;
+		}
+		if (!value || typeof value !== "object") return;
+		if (this.visitedConfigObjects.has(value)) return;
+		this.visitedConfigObjects.add(value);
+		if ("type" in value && typeof value.type === "function") this.registerTypeToken(value.type);
+		Object.values(value).forEach((entry) => this.registerConfigTokens(entry));
+	}
+	registerFactoryProvider(token, paramInfo) {
+		if (this.container.isRegistered(token, true)) return;
+		const classToken = token;
+		const constructorToken = token;
+		this.container.register(classToken, { useFactory: (dependencyContainer) => {
+			return new constructorToken(...paramInfo.map((dependency) => this.resolveFactoryDependency(dependencyContainer, dependency)));
+		} });
+	}
+	resolveDependencyToken(dependency) {
+		if (this.isInjectionDescriptor(dependency)) return dependency.token;
+		return dependency;
+	}
+	resolveFactoryDependency(dependencyContainer, dependency) {
+		const token = this.resolveDependencyToken(dependency);
+		if (typeof token === "function") {
+			if (dependencyContainer.isRegistered(token, true)) try {
+				return dependencyContainer.resolve(token);
+			} catch (error) {
+				if (!this.isMissingTypeInfoError(error)) throw error;
+			}
+			this.registerTypeToken(token);
+			return new token(...CodemationTsyringeParamInfoReader.read(token).map((entry) => this.resolveFactoryDependency(dependencyContainer, entry)));
+		}
+		return dependencyContainer.resolve(token);
+	}
+	isInjectionDescriptor(value) {
+		return value !== null && typeof value === "object" && "token" in value;
+	}
+	isMissingTypeInfoError(error) {
+		return error instanceof Error && error.message.includes("TypeInfo not known for");
+	}
+};
+
+//#endregion
+export { CodemationTsyringeParamInfoReader as n, CodemationTsyringeTypeInfoRegistrar as t };
+//# sourceMappingURL=CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js.map

package/dist/CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js","names":["container: Container"],"sources":["../src/presentation/server/CodemationTsyringeParamInfoReader.ts","../src/presentation/server/CodemationTsyringeTypeInfoRegistrar.ts"],"sourcesContent":["export class CodemationTsyringeParamInfoReader {\n  private static readonly injectionTokenMetadataKey = \"injectionTokens\";\n  private static readonly designParamTypesMetadataKey = \"design:paramtypes\";\n\n  static read(target: object): ReadonlyArray<unknown> {\n    const designParamTypes = this.readDesignParamTypes(target);\n    const injectionTokens = this.readInjectionTokens(target);\n    Object.keys(injectionTokens).forEach((key: string) => {\n      designParamTypes[Number(key)] = injectionTokens[key];\n    });\n    return designParamTypes;\n  }\n\n  private static readDesignParamTypes(target: object): unknown[] {\n    const reflected = Reflect.getMetadata?.(this.designParamTypesMetadataKey, target);\n    return Array.isArray(reflected) ? [...reflected] : [];\n  }\n\n  private static readInjectionTokens(target: object): Record<string, unknown> {\n    const reflected = Reflect.getOwnMetadata?.(this.injectionTokenMetadataKey, target);\n    if (!reflected || typeof reflected !== \"object\") {\n      return {};\n    }\n    return reflected as Record<string, unknown>;\n  }\n}\n","import type { Container, TypeToken, WorkflowDefinition } from \"@codemation/core\";\n\nimport { CodemationTsyringeParamInfoReader } from \"./CodemationTsyringeParamInfoReader\";\n\ntype InjectionDescriptor = Readonly<{\n  token?: unknown;\n}>;\n\nexport class CodemationTsyringeTypeInfoRegistrar {\n  private readonly visitedTokens = new Set<unknown>();\n  private readonly visitedConfigObjects = new Set<object>();\n\n  constructor(private readonly container: Container) {}\n\n  registerWorkflowDefinitions(workflows: ReadonlyArray<WorkflowDefinition>): void {\n    for (const workflow of workflows) {\n      for (const node of workflow.nodes) {\n        this.registerTypeToken(node.type);\n        this.registerConfigTokens(node.config);\n      }\n    }\n  }\n\n  registerTypeToken(token: unknown): void {\n    if (typeof token !== \"function\" || this.visitedTokens.has(token)) {\n      return;\n    }\n    this.visitedTokens.add(token);\n    const paramInfo = CodemationTsyringeParamInfoReader.read(token);\n    for (const dependency of paramInfo) {\n      this.registerDependency(dependency);\n    }\n    this.registerFactoryProvider(token as new (...args: ReadonlyArray<unknown>) => unknown, paramInfo);\n  }\n\n  private registerDependency(dependency: unknown): void {\n    const token = this.resolveDependencyToken(dependency);\n    if (typeof token !== \"function\") {\n      return;\n    }\n    if (!this.container.isRegistered(token as TypeToken<unknown>, true)) {\n      return;\n    }\n    this.registerTypeToken(token);\n  }\n\n  private registerConfigTokens(value: unknown): void {\n    if (Array.isArray(value)) {\n      value.forEach((entry: unknown) => this.registerConfigTokens(entry));\n      return;\n    }\n    if (!value || typeof value !== \"object\") {\n      return;\n    }\n    if (this.visitedConfigObjects.has(value)) {\n      return;\n    }\n    this.visitedConfigObjects.add(value);\n    if (\"type\" in value && typeof value.type === \"function\") {\n      this.registerTypeToken(value.type);\n    }\n    Object.values(value).forEach((entry: unknown) => this.registerConfigTokens(entry));\n  }\n\n  private registerFactoryProvider(\n    token: new (...args: ReadonlyArray<unknown>) => unknown,\n    paramInfo: ReadonlyArray<unknown>,\n  ): void {\n    if (this.container.isRegistered(token as TypeToken<unknown>, true)) {\n      return;\n    }\n    const classToken = token as unknown as TypeToken<unknown>;\n    const constructorToken = token as unknown as new (...args: ReadonlyArray<unknown>) => unknown;\n    this.container.register(classToken, {\n      useFactory: (dependencyContainer) => {\n        const dependencies = paramInfo.map((dependency: unknown) =>\n          this.resolveFactoryDependency(dependencyContainer, dependency),\n        );\n        return new constructorToken(...dependencies);\n      },\n    });\n  }\n\n  private resolveDependencyToken(dependency: unknown): unknown {\n    if (this.isInjectionDescriptor(dependency)) {\n      return dependency.token;\n    }\n    return dependency;\n  }\n\n  private resolveFactoryDependency(dependencyContainer: Container, dependency: unknown): unknown {\n    const token = this.resolveDependencyToken(dependency);\n    if (typeof token === \"function\") {\n      if (dependencyContainer.isRegistered(token as TypeToken<unknown>, true)) {\n        try {\n          return dependencyContainer.resolve(token as TypeToken<unknown>);\n        } catch (error) {\n          if (!this.isMissingTypeInfoError(error)) {\n            throw error;\n          }\n        }\n      }\n      this.registerTypeToken(token);\n      const constructorToken = token as unknown as new (...args: ReadonlyArray<unknown>) => unknown;\n      const paramInfo = CodemationTsyringeParamInfoReader.read(token);\n      const nestedDependencies = paramInfo.map((entry: unknown) =>\n        this.resolveFactoryDependency(dependencyContainer, entry),\n      );\n      return new constructorToken(...nestedDependencies);\n    }\n    return dependencyContainer.resolve(token as TypeToken<unknown>);\n  }\n\n  private isInjectionDescriptor(value: unknown): value is InjectionDescriptor {\n    return value !== null && typeof value === \"object\" && \"token\" in value;\n  }\n\n  private isMissingTypeInfoError(error: unknown): boolean {\n    return error instanceof Error && error.message.includes(\"TypeInfo not known for\");\n  }\n}\n"],"mappings":";AAAA,IAAa,oCAAb,MAA+C;CAC7C,OAAwB,4BAA4B;CACpD,OAAwB,8BAA8B;CAEtD,OAAO,KAAK,QAAwC;EAClD,MAAM,mBAAmB,KAAK,qBAAqB,OAAO;EAC1D,MAAM,kBAAkB,KAAK,oBAAoB,OAAO;AACxD,SAAO,KAAK,gBAAgB,CAAC,SAAS,QAAgB;AACpD,oBAAiB,OAAO,IAAI,IAAI,gBAAgB;IAChD;AACF,SAAO;;CAGT,OAAe,qBAAqB,QAA2B;EAC7D,MAAM,YAAY,QAAQ,cAAc,KAAK,6BAA6B,OAAO;AACjF,SAAO,MAAM,QAAQ,UAAU,GAAG,CAAC,GAAG,UAAU,GAAG,EAAE;;CAGvD,OAAe,oBAAoB,QAAyC;EAC1E,MAAM,YAAY,QAAQ,iBAAiB,KAAK,2BAA2B,OAAO;AAClF,MAAI,CAAC,aAAa,OAAO,cAAc,SACrC,QAAO,EAAE;AAEX,SAAO;;;;;;ACfX,IAAa,sCAAb,MAAiD;CAC/C,AAAiB,gCAAgB,IAAI,KAAc;CACnD,AAAiB,uCAAuB,IAAI,KAAa;CAEzD,YAAY,AAAiBA,WAAsB;EAAtB;;CAE7B,4BAA4B,WAAoD;AAC9E,OAAK,MAAM,YAAY,UACrB,MAAK,MAAM,QAAQ,SAAS,OAAO;AACjC,QAAK,kBAAkB,KAAK,KAAK;AACjC,QAAK,qBAAqB,KAAK,OAAO;;;CAK5C,kBAAkB,OAAsB;AACtC,MAAI,OAAO,UAAU,cAAc,KAAK,cAAc,IAAI,MAAM,CAC9D;AAEF,OAAK,cAAc,IAAI,MAAM;EAC7B,MAAM,YAAY,kCAAkC,KAAK,MAAM;AAC/D,OAAK,MAAM,cAAc,UACvB,MAAK,mBAAmB,WAAW;AAErC,OAAK,wBAAwB,OAA2D,UAAU;;CAGpG,AAAQ,mBAAmB,YAA2B;EACpD,MAAM,QAAQ,KAAK,uBAAuB,WAAW;AACrD,MAAI,OAAO,UAAU,WACnB;AAEF,MAAI,CAAC,KAAK,UAAU,aAAa,OAA6B,KAAK,CACjE;AAEF,OAAK,kBAAkB,MAAM;;CAG/B,AAAQ,qBAAqB,OAAsB;AACjD,MAAI,MAAM,QAAQ,MAAM,EAAE;AACxB,SAAM,SAAS,UAAmB,KAAK,qBAAqB,MAAM,CAAC;AACnE;;AAEF,MAAI,CAAC,SAAS,OAAO,UAAU,SAC7B;AAEF,MAAI,KAAK,qBAAqB,IAAI,MAAM,CACtC;AAEF,OAAK,qBAAqB,IAAI,MAAM;AACpC,MAAI,UAAU,SAAS,OAAO,MAAM,SAAS,WAC3C,MAAK,kBAAkB,MAAM,KAAK;AAEpC,SAAO,OAAO,MAAM,CAAC,SAAS,UAAmB,KAAK,qBAAqB,MAAM,CAAC;;CAGpF,AAAQ,wBACN,OACA,WACM;AACN,MAAI,KAAK,UAAU,aAAa,OAA6B,KAAK,CAChE;EAEF,MAAM,aAAa;EACnB,MAAM,mBAAmB;AACzB,OAAK,UAAU,SAAS,YAAY,EAClC,aAAa,wBAAwB;AAInC,UAAO,IAAI,iBAAiB,GAHP,UAAU,KAAK,eAClC,KAAK,yBAAyB,qBAAqB,WAAW,CAC/D,CAC2C;KAE/C,CAAC;;CAGJ,AAAQ,uBAAuB,YAA8B;AAC3D,MAAI,KAAK,sBAAsB,WAAW,CACxC,QAAO,WAAW;AAEpB,SAAO;;CAGT,AAAQ,yBAAyB,qBAAgC,YAA8B;EAC7F,MAAM,QAAQ,KAAK,uBAAuB,WAAW;AACrD,MAAI,OAAO,UAAU,YAAY;AAC/B,OAAI,oBAAoB,aAAa,OAA6B,KAAK,CACrE,KAAI;AACF,WAAO,oBAAoB,QAAQ,MAA4B;YACxD,OAAO;AACd,QAAI,CAAC,KAAK,uBAAuB,MAAM,CACrC,OAAM;;AAIZ,QAAK,kBAAkB,MAAM;AAM7B,UAAO,IALkB,MAKG,GAJV,kCAAkC,KAAK,MAAM,CAC1B,KAAK,UACxC,KAAK,yBAAyB,qBAAqB,MAAM,CAC1D,CACiD;;AAEpD,SAAO,oBAAoB,QAAQ,MAA4B;;CAGjE,AAAQ,sBAAsB,OAA8C;AAC1E,SAAO,UAAU,QAAQ,OAAO,UAAU,YAAY,WAAW;;CAGnE,AAAQ,uBAAuB,OAAyB;AACtD,SAAO,iBAAiB,SAAS,MAAM,QAAQ,SAAS,yBAAyB"}

package/dist/{CodemationWhitelabelConfig-CWbcyQqn.d.ts → CodemationWhitelabelConfig-Ca2mCUeC.d.ts}

@@ -16,7 +16,7 @@ interface LoggerFactory {
  * Consumer-declared authentication profile for the hosted UI + HTTP API.
  * Social provider ids intentionally match Better Auth's provider ids so config stays 1:1 with the auth runtime.
  */
-type CodemationAuthKind = "local" | "oauth" | "oidc";
+type CodemationAuthKind = "local" | "oauth" | "oidc" | "managed";
 type CodemationAuthOAuthProviderId = Extract<keyof NonNullable<BetterAuthOptions["socialProviders"]>, "github" | "google" | "microsoft">;
 interface CodemationAuthOAuthProviderConfig {
   readonly provider: CodemationAuthOAuthProviderId;
@@ -78,4 +78,4 @@ interface CodemationWhitelabelConfig {
 }
 //#endregion
 export { CodemationAuthConfig as a, CodemationAuthOidcProviderConfig as c, CodemationLogRule as i, Logger as l, CodemationLogConfig as n, CodemationAuthKind as o, CodemationLogLevelName as r, CodemationAuthOAuthProviderConfig as s, CodemationWhitelabelConfig as t, LoggerFactory as u };
-//# sourceMappingURL=CodemationWhitelabelConfig-CWbcyQqn.d.ts.map
+//# sourceMappingURL=CodemationWhitelabelConfig-Ca2mCUeC.d.ts.map

package/dist/{CollectionContracts.types-DdpHft0i.d.ts → CollectionContracts.types-DDyFYT_D.d.ts}

@@ -84,4 +84,4 @@ interface SyncCollectionsResponseDto {
 }
 //#endregion
 export { withInviteUserResponseLoginMethodsDefaults as _, CollectionSummaryDto as a, AcceptUserInviteRequestDto as c, UpdateUserAccountStatusRequestDto as d, UpsertLocalBootstrapUserResultDto as f, VerifyUserInviteResponseDto as g, UserAccountStatus as h, CollectionRowDto as i, InviteUserRequestDto as l, UserAccountDtoInput as m, CollectionFieldDto as n, ListCollectionRowsResponseDto as o, UserAccountDto as p, CollectionIndexDto as r, SyncCollectionsResponseDto as s, CollectionDetailDto as t, InviteUserResponseDto as u, withUserAccountLoginMethodsDefaults as v };
-//# sourceMappingURL=CollectionContracts.types-DdpHft0i.d.ts.map
+//# sourceMappingURL=CollectionContracts.types-DDyFYT_D.d.ts.map

package/dist/{CredentialContractsRegistry-DrMIDSw8.d.ts → CredentialContractsRegistry-Bq2bq28t.d.ts}

@@ -1,4 +1,4 @@
-import { ft as CredentialHealth, gt as CredentialMaterialSourceKind, pt as CredentialInstanceId, vt as CredentialRequirement, wt as CredentialTypeId, xt as CredentialSetupStatus } from "./ItemsInputNormalizer-C-KHg9Mo.js";
+import { Ct as CredentialSetupStatus, Et as CredentialTypeId, bt as CredentialRequirement, ht as CredentialInstanceId, mt as CredentialHealth, vt as CredentialMaterialSourceKind } from "./ItemsInputNormalizer-_RwIfRIQ.js";
 
 //#region src/application/contracts/CredentialContractsRegistry.d.ts
 type CredentialInstanceDto = Readonly<{
@@ -67,4 +67,4 @@ type UpsertCredentialBindingRequest = Readonly<{
 }>;
 //#endregion
 export { UpdateCredentialInstanceRequest as a, WorkflowCredentialHealthSlotDto as c, CredentialOAuth2ConnectionDto as i, CredentialInstanceDto as n, UpsertCredentialBindingRequest as o, CredentialInstanceWithSecretsDto as r, WorkflowCredentialHealthDto as s, CreateCredentialInstanceRequest as t };
-//# sourceMappingURL=CredentialContractsRegistry-DrMIDSw8.d.ts.map
+//# sourceMappingURL=CredentialContractsRegistry-Bq2bq28t.d.ts.map

package/dist/{CredentialServices-UfvHB-rN.d.ts → CredentialServices-Be2I60Th.d.ts}

@@ -1,14 +1,40 @@
-import { Ct as CredentialTypeDefinition, J as WorkflowDefinition, St as CredentialType, Tt as CredentialTypeRegistry, _t as CredentialOAuth2AuthDefinition, bt as CredentialSessionService, ct as AnyCredentialType, dt as CredentialFieldSchema, ft as CredentialHealth, ht as CredentialJsonRecord, lt as CredentialBinding, mt as CredentialInstanceRecord, p as WorkflowRepository, pt as CredentialInstanceId, ut as CredentialBindingKey, vt as CredentialRequirement, wt as CredentialTypeId } from "./ItemsInputNormalizer-C-KHg9Mo.js";
-import { r as AppConfig } from "./CodemationAppContext-DRu1Dpri.js";
-import { a as UpdateCredentialInstanceRequest, n as CredentialInstanceDto, r as CredentialInstanceWithSecretsDto, s as WorkflowCredentialHealthDto, t as CreateCredentialInstanceRequest } from "./CredentialContractsRegistry-DrMIDSw8.js";
+import { Dt as CredentialTypeRegistry, Et as CredentialTypeId, St as CredentialSessionService, T as McpServerDeclaration, Tt as CredentialTypeDefinition, X as WorkflowDefinition, _t as CredentialJsonRecord, bt as CredentialRequirement, dt as CredentialBinding, ft as CredentialBindingKey, gt as CredentialInstanceRecord, ht as CredentialInstanceId, mt as CredentialHealth, p as WorkflowRepository, pt as CredentialFieldSchema, ut as AnyCredentialType, wt as CredentialType, yt as CredentialOAuth2AuthDefinition } from "./ItemsInputNormalizer-_RwIfRIQ.js";
+import { r as AppConfig } from "./CodemationAppContext-CKVv9W9q.js";
+import { u as LoggerFactory } from "./CodemationWhitelabelConfig-Ca2mCUeC.js";
+import { a as UpdateCredentialInstanceRequest, n as CredentialInstanceDto, r as CredentialInstanceWithSecretsDto, s as WorkflowCredentialHealthDto, t as CreateCredentialInstanceRequest } from "./CredentialContractsRegistry-Bq2bq28t.js";
 
 //#region src/domain/credentials/CredentialTypeRegistryImpl.d.ts
+type CredentialTypeSource = "plugin" | "config" | "controlPlane";
 declare class CredentialTypeRegistryImpl implements CredentialTypeRegistry {
-  private readonly credentialTypesById;
-  register(type: CredentialType$1<any, any, unknown>): void;
+  private readonly loggers;
+  private readonly entries;
+  private readonly bySource;
+  constructor(loggers: LoggerFactory);
+  merge(source: CredentialTypeSource, types: ReadonlyArray<AnyCredentialType>): void;
+  mergeDefinitions(source: CredentialTypeSource, definitions: ReadonlyArray<CredentialTypeDefinition>): void;
+  clear(source: CredentialTypeSource): void;
   listTypes(): ReadonlyArray<CredentialTypeDefinition>;
   getType(typeId: CredentialTypeId): CredentialTypeDefinition | undefined;
   getCredentialType(typeId: CredentialTypeId): AnyCredentialType | undefined;
+  private insert;
+  private recordEntry;
+  private createUnsupportedSessionFactory;
+  private createUnsupportedHealthTester;
+}
+//#endregion
+//#region src/mcp/McpServerCatalog.d.ts
+type McpServerDeclarationSource = "plugin" | "config" | "controlPlane";
+declare class McpServerCatalog {
+  private readonly loggers;
+  private readonly entries;
+  private readonly bySource;
+  private readonly env;
+  constructor(loggers: LoggerFactory, appConfig: AppConfig);
+  merge(source: McpServerDeclarationSource, declarations: ReadonlyArray<McpServerDeclaration>): void;
+  get(id: string): McpServerDeclaration | undefined;
+  getAll(): readonly McpServerDeclaration[];
+  clear(source: McpServerDeclarationSource): void;
+  private validate;
 }
 //#endregion
 //#region src/domain/credentials/WorkflowCredentialNodeResolver.d.ts
@@ -22,6 +48,8 @@ type WorkflowCredentialSlotRef = Readonly<{
  * Resolves credential requirements for workflow node ids, including connection-owned LLM/tool children.
  */
 declare class WorkflowCredentialNodeResolver {
+  private readonly mcpCatalog?;
+  constructor(mcpCatalog?: McpServerCatalog | undefined);
   /**
    * Human-readable label for credential errors (workflow node name or agent › attachment).
    */
@@ -57,11 +85,22 @@ declare class CredentialFieldEnvOverlayService {
 }
 //#endregion
 //#region src/domain/credentials/CredentialSecretCipher.d.ts
+/**
+ * Schema versions:
+ *   1 — key = SHA-256(rawValue)                  (legacy, read-only support retained for migration)
+ *   2 — key = HKDF-SHA-256(rawKey32Bytes, ...)   (current)
+ *
+ * All new encryptions are written as v2. Existing v1 records can still be
+ * decrypted so operators can re-encrypt at their own pace (re-bind the
+ * credential in the UI, or run the one-shot re-encrypt script).
+ */
 declare class CredentialSecretCipher {
   private readonly appConfig;
   private static readonly algorithm;
-  private static readonly schemaVersion;
+  private static readonly currentSchemaVersion;
   private static readonly ivLength;
+  private static readonly HKDF_SALT;
+  private static readonly HKDF_INFO;
   constructor(appConfig: AppConfig);
   encrypt(value: JsonRecord): Readonly<{
     encryptedJson: string;
@@ -73,7 +112,21 @@ declare class CredentialSecretCipher {
     encryptionKeyId: string;
     schemaVersion: number;
   }>): JsonRecord;
-  private resolveKeyMaterial;
+  /**
+   * Current (v2) key derivation: HKDF-SHA-256 with a fixed application salt and info label.
+   * Input must be a base64-encoded 32-byte value (`CODEMATION_CREDENTIALS_MASTER_KEY`).
+   */
+  private resolveKeyMaterialV2;
+  /**
+   * Legacy (v1) key derivation: SHA-256 of the raw env string.
+   * Retained for decrypt-side backward compatibility only.
+   */
+  private resolveKeyMaterialV1;
+  /**
+   * Validates and returns the raw 32-byte key material from the env var.
+   * Throws if the env var is absent or does not decode to exactly 32 bytes.
+   */
+  private resolveBase64Key32Bytes;
   private resolveKeyId;
 }
 //#endregion
@@ -132,29 +185,21 @@ declare class CredentialBindingService {
   private readonly workflowRepository;
   private readonly credentialSessionService;
   private readonly workflowCredentialNodeResolver;
-  constructor(credentialStore: CredentialStore, credentialInstanceService: CredentialInstanceService, workflowRepository: WorkflowRepository, credentialSessionService: MutableCredentialSessionService, workflowCredentialNodeResolver: WorkflowCredentialNodeResolver);
+  private readonly logger;
+  constructor(credentialStore: CredentialStore, credentialInstanceService: CredentialInstanceService, workflowRepository: WorkflowRepository, credentialSessionService: MutableCredentialSessionService, workflowCredentialNodeResolver: WorkflowCredentialNodeResolver, loggerFactory: LoggerFactory);
   upsertBinding(args: Readonly<{
     workflowId: string;
     nodeId: string;
     slotKey: string;
     instanceId: CredentialInstanceId;
   }>): Promise<CredentialBinding>;
+  assertRequiredCredentialsBound(workflowId: string): Promise<void>;
   listWorkflowHealth(workflowId: string): Promise<WorkflowCredentialHealthDto>;
   private requireWorkflow;
   private requireRequirement;
   private toBindingKeyString;
 }
 //#endregion
-//#region src/domain/credentials/CredentialRuntimeMaterialService.d.ts
-declare class CredentialRuntimeMaterialService {
-  private readonly credentialStore;
-  private readonly credentialMaterialResolver;
-  private readonly credentialSecretCipher;
-  private readonly credentialTypeRegistry;
-  constructor(credentialStore: CredentialStore, credentialMaterialResolver: CredentialMaterialResolver, credentialSecretCipher: CredentialSecretCipher, credentialTypeRegistry: CredentialTypeRegistryImpl);
-  compose(instance: CredentialInstanceRecord$1): Promise<JsonRecord>;
-}
-//#endregion
 //#region src/domain/credentials/CredentialServices.d.ts
 type JsonRecord = CredentialJsonRecord;
 type CredentialSecretRef = Readonly<{
@@ -238,5 +283,5 @@ type MutableCredentialSessionService = CredentialSessionService & Readonly<{
   evictBinding(bindingKey: CredentialBindingKey): void;
 }>;
 //#endregion
-export { CredentialInstanceService as a, CredentialSecretCipher as c, CredentialBindingService as i, CredentialFieldEnvOverlayService as l, CredentialType$1 as n, CredentialOAuth2ScopeResolver as o, CredentialRuntimeMaterialService as r, CredentialMaterialResolver as s, CredentialStore as t, CredentialTypeRegistryImpl as u };
-//# sourceMappingURL=CredentialServices-UfvHB-rN.d.ts.map
+export { CredentialSecretCipher as a, CredentialInstanceService as i, CredentialType$1 as n, McpServerCatalog as o, CredentialBindingService as r, CredentialStore as t };
+//# sourceMappingURL=CredentialServices-Be2I60Th.d.ts.map