@codemation/host 0.6.0 → 0.7.0

package/dist/{CredentialServices-CgxwguAv.js → CredentialServices-Dk8yypeL.js}

@@ -1,7 +1,7 @@
 import { n as __decorateMetadata, t as __decorateParam } from "./decorateParam-BWxkAUSj.js";
 import { t as __decorate } from "./decorate-CXWmflG_.js";
 import { AgentConfigInspector, AgentConnectionNodeCollector, ConnectionNodeIdFactory, CoreTokens, CredentialUnboundError, inject, injectable } from "@codemation/core";
-import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID } from "node:crypto";
+import { createCipheriv, createDecipheriv, createHash, hkdfSync, randomBytes, randomUUID } from "node:crypto";
 
 //#region src/infrastructure/credentials/OpenAiApiKeyCredentialHealthTester.ts
 /**
@@ -116,42 +116,6 @@ var OpenAiApiKeyCredentialTypeFactory = class {
 	}
 };
 
-//#endregion
-//#region src/domain/credentials/CredentialTypeRegistryImpl.ts
-let CredentialTypeRegistryImpl = class CredentialTypeRegistryImpl$1 {
-	credentialTypesById = /* @__PURE__ */ new Map();
-	register(type) {
-		if (this.credentialTypesById.has(type.definition.typeId)) throw new Error(`Credential type already registered: ${type.definition.typeId}`);
-		this.credentialTypesById.set(type.definition.typeId, type);
-	}
-	listTypes() {
-		return [...this.credentialTypesById.values()].map((entry) => entry.definition);
-	}
-	getType(typeId) {
-		return this.credentialTypesById.get(typeId)?.definition;
-	}
-	getCredentialType(typeId) {
-		return this.credentialTypesById.get(typeId);
-	}
-};
-CredentialTypeRegistryImpl = __decorate([injectable()], CredentialTypeRegistryImpl);
-
-//#endregion
-//#region src/application/ApplicationRequestError.ts
-var ApplicationRequestError = class extends Error {
-	status;
-	payload;
-	constructor(status, message, errors) {
-		super(message);
-		this.name = "ApplicationRequestError";
-		this.status = status;
-		this.payload = errors && errors.length > 0 ? {
-			error: message,
-			errors
-		} : { error: message };
-	}
-};
-
 //#endregion
 //#region src/applicationTokens.ts
 const ApplicationTokens = {
@@ -167,7 +131,11 @@ const ApplicationTokens = {
 	CommandHandler: Symbol.for("codemation.application.CommandHandler"),
 	DomainEventHandler: Symbol.for("codemation.application.DomainEventHandler"),
 	HonoApiRouteRegistrar: Symbol.for("codemation.application.HonoApiRouteRegistrar"),
+	InternalHonoApiRouteRegistrar: Symbol.for("codemation.application.InternalHonoApiRouteRegistrar"),
+	ManagedCorsMiddleware: Symbol.for("codemation.application.ManagedCorsMiddleware"),
+	WebsocketAuthenticator: Symbol.for("codemation.application.WebsocketAuthenticator"),
 	WorkflowWebsocketPublisher: Symbol.for("codemation.application.WorkflowWebsocketPublisher"),
+	TelemetrySpanPublisher: Symbol.for("codemation.application.TelemetrySpanPublisher"),
 	WorkerRuntimeScheduler: Symbol.for("codemation.application.WorkerRuntimeScheduler"),
 	WorkflowDefinitionRepository: Symbol.for("codemation.application.WorkflowDefinitionRepository"),
 	WorkflowActivationRepository: Symbol.for("codemation.application.WorkflowActivationRepository"),
@@ -183,12 +151,218 @@ const ApplicationTokens = {
 	TelemetryExporter: Symbol.for("codemation.application.TelemetryExporter"),
 	PrismaClient: Symbol.for("codemation.application.PrismaClient"),
 	SessionVerifier: Symbol.for("codemation.application.SessionVerifier"),
-	Clock: Symbol.for("codemation.application.Clock")
+	Clock: Symbol.for("codemation.application.Clock"),
+	WorkflowAuditEmitter: Symbol.for("codemation.application.WorkflowAuditEmitter"),
+	ProcessRunner: Symbol.for("codemation.application.ProcessRunner"),
+	OAuthFlowExecutor: Symbol.for("codemation.application.OAuthFlowExecutor")
+};
+
+//#endregion
+//#region src/domain/credentials/CredentialTypeRegistryImpl.ts
+const SOURCE_PRIORITY$1 = {
+	plugin: 0,
+	config: 1,
+	controlPlane: 2
+};
+let CredentialTypeRegistryImpl = class CredentialTypeRegistryImpl$1 {
+	entries = /* @__PURE__ */ new Map();
+	bySource = /* @__PURE__ */ new Map();
+	constructor(loggers) {
+		this.loggers = loggers;
+	}
+	merge(source, types) {
+		const logger = this.loggers.create("CredentialTypeRegistryImpl");
+		for (const type of types) this.insert(source, type, logger);
+	}
+	mergeDefinitions(source, definitions) {
+		const logger = this.loggers.create("CredentialTypeRegistryImpl");
+		for (const definition of definitions) {
+			const existing = this.entries.get(definition.typeId);
+			const sourcePriority = SOURCE_PRIORITY$1[source];
+			if (existing) {
+				if (sourcePriority < SOURCE_PRIORITY$1[existing.source]) {
+					logger.warn(`CredentialTypeRegistryImpl: id collision — lower-priority source "${source}" ignored for typeId "${definition.typeId}" (current source: "${existing.source}")`);
+					continue;
+				}
+				if (sourcePriority > SOURCE_PRIORITY$1[existing.source]) {
+					logger.warn(`CredentialTypeRegistryImpl: typeId "${definition.typeId}" shadowed — "${existing.source}" overridden by higher-priority source "${source}"`);
+					this.bySource.get(existing.source)?.delete(definition.typeId);
+				}
+				const nextType = sourcePriority === SOURCE_PRIORITY$1[existing.source] ? {
+					...existing.type,
+					definition
+				} : {
+					definition,
+					createSession: this.createUnsupportedSessionFactory(definition.typeId, source),
+					test: this.createUnsupportedHealthTester(definition.typeId, source)
+				};
+				this.recordEntry(definition.typeId, {
+					type: nextType,
+					source
+				});
+				continue;
+			}
+			const stubType = {
+				definition,
+				createSession: this.createUnsupportedSessionFactory(definition.typeId, source),
+				test: this.createUnsupportedHealthTester(definition.typeId, source)
+			};
+			this.recordEntry(definition.typeId, {
+				type: stubType,
+				source
+			});
+		}
+	}
+	clear(source) {
+		const ids = this.bySource.get(source);
+		if (!ids) return;
+		for (const id of ids) this.entries.delete(id);
+		this.bySource.delete(source);
+	}
+	listTypes() {
+		return [...this.entries.values()].map((entry) => entry.type.definition);
+	}
+	getType(typeId) {
+		return this.entries.get(typeId)?.type.definition;
+	}
+	getCredentialType(typeId) {
+		return this.entries.get(typeId)?.type;
+	}
+	insert(source, type, logger) {
+		const typeId = type.definition.typeId;
+		const existing = this.entries.get(typeId);
+		const sourcePriority = SOURCE_PRIORITY$1[source];
+		if (existing) {
+			if (sourcePriority < SOURCE_PRIORITY$1[existing.source]) {
+				logger.warn(`CredentialTypeRegistryImpl: id collision — lower-priority source "${source}" ignored for typeId "${typeId}" (current source: "${existing.source}")`);
+				return;
+			}
+			if (sourcePriority > SOURCE_PRIORITY$1[existing.source]) {
+				logger.warn(`CredentialTypeRegistryImpl: typeId "${typeId}" shadowed — "${existing.source}" overridden by higher-priority source "${source}"`);
+				this.bySource.get(existing.source)?.delete(typeId);
+			}
+		}
+		this.recordEntry(typeId, {
+			type,
+			source
+		});
+	}
+	recordEntry(typeId, entry) {
+		this.entries.set(typeId, entry);
+		if (!this.bySource.has(entry.source)) this.bySource.set(entry.source, /* @__PURE__ */ new Set());
+		this.bySource.get(entry.source).add(typeId);
+	}
+	createUnsupportedSessionFactory(typeId, source) {
+		return async () => {
+			throw new Error(`Credential type "${typeId}" (source "${source}") was registered with definition only — no createSession implementation is available in this runtime.`);
+		};
+	}
+	createUnsupportedHealthTester(typeId, source) {
+		return async () => ({
+			status: "unknown",
+			message: `Credential type "${typeId}" (source "${source}") has no local test implementation.`
+		});
+	}
+};
+CredentialTypeRegistryImpl = __decorate([
+	injectable(),
+	__decorateParam(0, inject(ApplicationTokens.LoggerFactory)),
+	__decorateMetadata("design:paramtypes", [Object])
+], CredentialTypeRegistryImpl);
+
+//#endregion
+//#region src/application/ApplicationRequestError.ts
+var ApplicationRequestError = class extends Error {
+	status;
+	payload;
+	constructor(status, message, errors) {
+		super(message);
+		this.name = "ApplicationRequestError";
+		this.status = status;
+		this.payload = errors && errors.length > 0 ? {
+			error: message,
+			errors
+		} : { error: message };
+	}
 };
 
+//#endregion
+//#region src/mcp/McpServerCatalog.ts
+const SOURCE_PRIORITY = {
+	plugin: 0,
+	config: 1,
+	controlPlane: 2
+};
+const ID_PATTERN = /^[a-z0-9-]+$/;
+let McpServerCatalog = class McpServerCatalog$1 {
+	entries = /* @__PURE__ */ new Map();
+	bySource = /* @__PURE__ */ new Map();
+	env;
+	constructor(loggers, appConfig) {
+		this.loggers = loggers;
+		this.env = appConfig.env;
+	}
+	merge(source, declarations) {
+		const logger = this.loggers.create("McpServerCatalog");
+		for (const decl of declarations) {
+			if (!this.validate(decl, source, logger)) continue;
+			const existing = this.entries.get(decl.id);
+			if (existing) {
+				if (SOURCE_PRIORITY[source] <= SOURCE_PRIORITY[existing.source]) {
+					logger.warn(`McpServerCatalog: id collision — lower-priority source "${source}" ignored for id "${decl.id}" (current source: "${existing.source}")`);
+					continue;
+				}
+				logger.warn(`McpServerCatalog: id "${decl.id}" shadowed — "${existing.source}" overridden by higher-priority source "${source}"`);
+				this.bySource.get(existing.source)?.delete(decl.id);
+			}
+			this.entries.set(decl.id, {
+				decl,
+				source
+			});
+			if (!this.bySource.has(source)) this.bySource.set(source, /* @__PURE__ */ new Set());
+			this.bySource.get(source).add(decl.id);
+		}
+	}
+	get(id) {
+		return this.entries.get(id)?.decl;
+	}
+	getAll() {
+		return [...this.entries.values()].map((entry) => entry.decl);
+	}
+	clear(source) {
+		const ids = this.bySource.get(source);
+		if (!ids) return;
+		for (const id of ids) this.entries.delete(id);
+		this.bySource.delete(source);
+	}
+	validate(decl, source, logger) {
+		if (!ID_PATTERN.test(decl.id)) {
+			logger.warn(`McpServerCatalog: declaration from "${source}" has invalid id "${decl.id}" (must match /^[a-z0-9-]+$/) — skipped`);
+			return false;
+		}
+		if (decl.transport === "stdio") {
+			if (this.env.CODEMATION_ALLOW_STDIO_MCP !== "true") {
+				logger.warn(`McpServerCatalog: declaration "${decl.id}" from "${source}" uses stdio transport which is disabled (set CODEMATION_ALLOW_STDIO_MCP=true to allow) — skipped`);
+				return false;
+			}
+		}
+		return true;
+	}
+};
+McpServerCatalog = __decorate([
+	injectable(),
+	__decorateParam(0, inject(ApplicationTokens.LoggerFactory)),
+	__decorateParam(1, inject(ApplicationTokens.AppConfig)),
+	__decorateMetadata("design:paramtypes", [Object, Object])
+], McpServerCatalog);
+
 //#endregion
 //#region src/domain/credentials/WorkflowCredentialNodeResolver.ts
+var _ref$6;
 let WorkflowCredentialNodeResolver = class WorkflowCredentialNodeResolver$1 {
+	constructor(mcpCatalog) {
+		this.mcpCatalog = mcpCatalog;
+	}
 	/**
 	* Human-readable label for credential errors (workflow node name or agent › attachment).
 	*/
@@ -236,7 +410,9 @@ let WorkflowCredentialNodeResolver = class WorkflowCredentialNodeResolver$1 {
 		};
 	}
 	addRecursiveAgentSlots(workflowId, rootAgentNodeId, agentConfig, slotsByKey) {
-		for (const entry of AgentConnectionNodeCollector.collect(rootAgentNodeId, agentConfig)) this.addSlotsForRequirements(workflowId, entry.nodeId, entry.name, entry.credentialSource.getCredentialRequirements?.() ?? [], slotsByKey);
+		const mcpResolver = this.mcpCatalog ? (id) => this.mcpCatalog.get(id) : void 0;
+		const descriptors = AgentConnectionNodeCollector.collect(rootAgentNodeId, agentConfig, mcpResolver);
+		for (const entry of descriptors) this.addSlotsForRequirements(workflowId, entry.nodeId, entry.name, entry.credentialSource.getCredentialRequirements?.() ?? [], slotsByKey);
 	}
 	addSlotsForRequirements(workflowId, nodeId, nodeName, requirements, slotsByKey) {
 		for (const requirement of requirements) {
@@ -251,10 +427,11 @@ let WorkflowCredentialNodeResolver = class WorkflowCredentialNodeResolver$1 {
 		}
 	}
 	findRecursiveConnectionNode(workflow, nodeId) {
-		if (!ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId) && !ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId)) return;
+		if (!ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId) && !ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId) && !ConnectionNodeIdFactory.isMcpConnectionNodeId(nodeId)) return;
+		const mcpResolver = this.mcpCatalog ? (id) => this.mcpCatalog.get(id) : void 0;
 		for (const node of workflow.nodes) {
 			if (!AgentConfigInspector.isAgentNodeConfig(node.config)) continue;
-			const entries = AgentConnectionNodeCollector.collect(node.id, node.config);
+			const entries = AgentConnectionNodeCollector.collect(node.id, node.config, mcpResolver);
 			const entriesById = new Map(entries.map((entry$1) => [entry$1.nodeId, entry$1]));
 			const entry = entriesById.get(nodeId);
 			if (!entry) continue;
@@ -282,7 +459,11 @@ let WorkflowCredentialNodeResolver = class WorkflowCredentialNodeResolver$1 {
 		}
 	}
 };
-WorkflowCredentialNodeResolver = __decorate([injectable()], WorkflowCredentialNodeResolver);
+WorkflowCredentialNodeResolver = __decorate([
+	injectable(),
+	__decorateParam(0, inject(McpServerCatalog)),
+	__decorateMetadata("design:paramtypes", [typeof (_ref$6 = typeof McpServerCatalog !== "undefined" && McpServerCatalog) === "function" ? _ref$6 : Object])
+], WorkflowCredentialNodeResolver);
 
 //#endregion
 //#region src/domain/credentials/CredentialFieldEnvOverlayService.ts
@@ -324,6 +505,27 @@ CredentialFieldEnvOverlayService = __decorate([
 	__decorateMetadata("design:paramtypes", [Object])
 ], CredentialFieldEnvOverlayService);
 
+//#endregion
+//#region src/domain/credentials/CredentialKeyRotatedError.ts
+/**
+* Thrown by {@link CredentialSecretCipher.decrypt} when the credential's stored
+* `encryptionKeyId` does not match the current master key's id.
+*
+* This indicates the `CODEMATION_CREDENTIALS_MASTER_KEY` environment variable has
+* been rotated since the credential was encrypted. The operator must re-bind the
+* affected credential (which re-encrypts it with the new key).
+*
+* See {@link docs/security-boundary.md} for the key rotation contract.
+*/
+var CredentialKeyRotatedError = class extends Error {
+	storedKeyId;
+	constructor(storedKeyId) {
+		super(`Credential was encrypted with key "${storedKeyId}" but the current master key produces a different id. Re-bind the credential to re-encrypt it with the active key.`);
+		this.name = "CredentialKeyRotatedError";
+		this.storedKeyId = storedKeyId;
+	}
+};
+
 //#endregion
 //#region src/domain/credentials/CredentialSecretCipher.ts
 var _CredentialSecretCipher;
@@ -332,14 +534,16 @@ let CredentialSecretCipher = class CredentialSecretCipher$1 {
 		_CredentialSecretCipher = this;
 	}
 	static algorithm = "aes-256-gcm";
-	static schemaVersion = 1;
+	static currentSchemaVersion = 2;
 	static ivLength = 12;
+	static HKDF_SALT = "codemation/credential-cipher/v1";
+	static HKDF_INFO = "aes-256-gcm-key";
 	constructor(appConfig) {
 		this.appConfig = appConfig;
 	}
 	encrypt(value) {
 		const iv = randomBytes(_CredentialSecretCipher.ivLength);
-		const cipher = createCipheriv(_CredentialSecretCipher.algorithm, this.resolveKeyMaterial(), iv);
+		const cipher = createCipheriv(_CredentialSecretCipher.algorithm, this.resolveKeyMaterialV2(), iv);
 		const plaintext = Buffer.from(JSON.stringify(value), "utf8");
 		const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
 		const authTag = cipher.getAuthTag();
@@ -350,24 +554,50 @@ let CredentialSecretCipher = class CredentialSecretCipher$1 {
 				encrypted
 			]).toString("base64"),
 			encryptionKeyId: this.resolveKeyId(),
-			schemaVersion: _CredentialSecretCipher.schemaVersion
+			schemaVersion: _CredentialSecretCipher.currentSchemaVersion
 		};
 	}
 	decrypt(record) {
+		const keyMaterial = (record.schemaVersion ?? 1) >= 2 ? this.resolveKeyMaterialV2() : this.resolveKeyMaterialV1();
+		const currentKeyId = this.resolveKeyId();
+		if (record.encryptionKeyId !== currentKeyId) throw new CredentialKeyRotatedError(record.encryptionKeyId);
 		const packed = Buffer.from(record.encryptedJson, "base64");
 		const iv = packed.subarray(0, _CredentialSecretCipher.ivLength);
 		const authTag = packed.subarray(_CredentialSecretCipher.ivLength, _CredentialSecretCipher.ivLength + 16);
 		const encrypted = packed.subarray(_CredentialSecretCipher.ivLength + 16);
-		const decipher = createDecipheriv(_CredentialSecretCipher.algorithm, this.resolveKeyMaterial(), iv);
+		const decipher = createDecipheriv(_CredentialSecretCipher.algorithm, keyMaterial, iv);
 		decipher.setAuthTag(authTag);
 		const plaintext = Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
 		return JSON.parse(plaintext);
 	}
-	resolveKeyMaterial() {
+	/**
+	* Current (v2) key derivation: HKDF-SHA-256 with a fixed application salt and info label.
+	* Input must be a base64-encoded 32-byte value (`CODEMATION_CREDENTIALS_MASTER_KEY`).
+	*/
+	resolveKeyMaterialV2() {
+		const ikm = this.resolveBase64Key32Bytes();
+		return Buffer.from(hkdfSync("sha256", ikm, Buffer.from(_CredentialSecretCipher.HKDF_SALT, "utf8"), Buffer.from(_CredentialSecretCipher.HKDF_INFO, "utf8"), 32));
+	}
+	/**
+	* Legacy (v1) key derivation: SHA-256 of the raw env string.
+	* Retained for decrypt-side backward compatibility only.
+	*/
+	resolveKeyMaterialV1() {
 		const rawValue = this.appConfig.env.CODEMATION_CREDENTIALS_MASTER_KEY;
 		if (!rawValue || rawValue.trim().length === 0) throw new Error("CODEMATION_CREDENTIALS_MASTER_KEY is required to encrypt database-managed credentials.");
 		return createHash("sha256").update(rawValue).digest();
 	}
+	/**
+	* Validates and returns the raw 32-byte key material from the env var.
+	* Throws if the env var is absent or does not decode to exactly 32 bytes.
+	*/
+	resolveBase64Key32Bytes() {
+		const rawValue = this.appConfig.env.CODEMATION_CREDENTIALS_MASTER_KEY;
+		if (!rawValue || rawValue.trim().length === 0) throw new Error("CODEMATION_CREDENTIALS_MASTER_KEY is required to encrypt database-managed credentials.");
+		const decoded = Buffer.from(rawValue.trim(), "base64");
+		if (decoded.length !== 32) throw new Error(`CODEMATION_CREDENTIALS_MASTER_KEY must be a base64-encoded 32-byte value (got ${decoded.length} bytes). Generate a valid key with: openssl rand -base64 32`);
+		return decoded;
+	}
 	resolveKeyId() {
 		const rawValue = this.appConfig.env.CODEMATION_CREDENTIALS_MASTER_KEY;
 		return createHash("sha256").update(rawValue ?? "").digest("hex").slice(0, 12);
@@ -713,12 +943,14 @@ CredentialInstanceService = __decorate([
 //#region src/domain/credentials/CredentialBindingService.ts
 var _ref$3, _ref2$3;
 let CredentialBindingService = class CredentialBindingService$1 {
-	constructor(credentialStore, credentialInstanceService, workflowRepository, credentialSessionService, workflowCredentialNodeResolver) {
+	logger;
+	constructor(credentialStore, credentialInstanceService, workflowRepository, credentialSessionService, workflowCredentialNodeResolver, loggerFactory) {
 		this.credentialStore = credentialStore;
 		this.credentialInstanceService = credentialInstanceService;
 		this.workflowRepository = workflowRepository;
 		this.credentialSessionService = credentialSessionService;
 		this.workflowCredentialNodeResolver = workflowCredentialNodeResolver;
+		this.logger = loggerFactory.create("CredentialBindingService");
 	}
 	async upsertBinding(args) {
 		const workflow = this.requireWorkflow(args.workflowId);
@@ -738,6 +970,31 @@ let CredentialBindingService = class CredentialBindingService$1 {
 		this.credentialSessionService.evictBinding(binding.key);
 		return binding;
 	}
+	async assertRequiredCredentialsBound(workflowId) {
+		const workflow = this.requireWorkflow(workflowId);
+		const bindings = await this.credentialStore.listBindingsByWorkflowId(workflowId);
+		const boundKeys = new Set(bindings.map((b) => this.toBindingKeyString(b.key)));
+		const unboundByDb = this.workflowCredentialNodeResolver.listSlots(workflow).filter((slot) => !slot.requirement.optional).filter((slot) => !boundKeys.has(this.toBindingKeyString({
+			workflowId,
+			nodeId: slot.nodeId,
+			slotKey: slot.requirement.slotKey
+		})));
+		if (unboundByDb.length === 0) return;
+		const confirmed = [];
+		for (const slot of unboundByDb) try {
+			await this.credentialSessionService.getSession({
+				workflowId,
+				nodeId: slot.nodeId,
+				slotKey: slot.requirement.slotKey
+			});
+		} catch (error) {
+			if (!(error instanceof CredentialUnboundError)) this.logger.debug(`CredentialBindingService: unexpected error resolving session for slot ${slot.requirement.slotKey} on ${slot.nodeId}`, error instanceof Error ? error : void 0);
+			confirmed.push(slot);
+		}
+		if (confirmed.length === 0) return;
+		const descriptions = confirmed.map((slot) => `"${slot.requirement.label}" on ${slot.nodeName ?? slot.nodeId}`).join(", ");
+		throw new ApplicationRequestError(400, `Cannot run workflow: required credential slot${confirmed.length > 1 ? "s" : ""} not bound: ${descriptions}`);
+	}
 	async listWorkflowHealth(workflowId) {
 		const workflow = this.requireWorkflow(workflowId);
 		const bindings = await this.credentialStore.listBindingsByWorkflowId(workflowId);
@@ -810,12 +1067,14 @@ CredentialBindingService = __decorate([
 	__decorateParam(2, inject(CoreTokens.WorkflowRepository)),
 	__decorateParam(3, inject(CoreTokens.CredentialSessionService)),
 	__decorateParam(4, inject(WorkflowCredentialNodeResolver)),
+	__decorateParam(5, inject(ApplicationTokens.LoggerFactory)),
 	__decorateMetadata("design:paramtypes", [
 		Object,
 		typeof (_ref$3 = typeof CredentialInstanceService !== "undefined" && CredentialInstanceService) === "function" ? _ref$3 : Object,
 		Object,
 		Object,
-		typeof (_ref2$3 = typeof WorkflowCredentialNodeResolver !== "undefined" && WorkflowCredentialNodeResolver) === "function" ? _ref2$3 : Object
+		typeof (_ref2$3 = typeof WorkflowCredentialNodeResolver !== "undefined" && WorkflowCredentialNodeResolver) === "function" ? _ref2$3 : Object,
+		Object
 	])
 ], CredentialBindingService);
 
@@ -1011,5 +1270,5 @@ CredentialTestService = __decorate([
 ], CredentialTestService);
 
 //#endregion
-export { CredentialInstanceService as a, CredentialSecretCipher as c, ApplicationTokens as d, ApplicationRequestError as f, OpenAiApiKeyCredentialHealthTester as h, CredentialBindingService as i, CredentialFieldEnvOverlayService as l, OpenAiApiKeyCredentialTypeFactory as m, CredentialSessionServiceImpl as n, CredentialOAuth2ScopeResolver as o, CredentialTypeRegistryImpl as p, CredentialRuntimeMaterialService as r, CredentialMaterialResolver as s, CredentialTestService as t, WorkflowCredentialNodeResolver as u };
-//# sourceMappingURL=CredentialServices-CgxwguAv.js.map
+export { CredentialInstanceService as a, CredentialSecretCipher as c, McpServerCatalog as d, ApplicationRequestError as f, OpenAiApiKeyCredentialHealthTester as g, OpenAiApiKeyCredentialTypeFactory as h, CredentialBindingService as i, CredentialFieldEnvOverlayService as l, ApplicationTokens as m, CredentialSessionServiceImpl as n, CredentialOAuth2ScopeResolver as o, CredentialTypeRegistryImpl as p, CredentialRuntimeMaterialService as r, CredentialMaterialResolver as s, CredentialTestService as t, WorkflowCredentialNodeResolver as u };
+//# sourceMappingURL=CredentialServices-Dk8yypeL.js.map