npm - @codemation/host - Versions diffs - 0.6.0 → 0.8.0 - Mend

@codemation/host 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (226) hide show

package/dist/{CodemationPluginListMerger-B-W5Fa_X.js.map → CodemationPluginListMerger-D1B1IEbt.js.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CodemationPluginListMerger-~~B-W5Fa_X~~.js","names":["packageMetadata: CodemationPluginPackageMetadata","result: CodemationPlugin[]"],"sources":["../src/bootstrap/CodemationBootstrapRequest.ts","../src/presentation/config/CodemationPluginListMerger.ts"],"sourcesContent":["export class CodemationBootstrapRequest {\n readonly consumerRoot: string;\n readonly repoRoot: string;\n readonly workflowSources: ReadonlyArray<string>;\n readonly env?: Readonly<NodeJS.ProcessEnv>;\n\n constructor(\n args: Readonly<{\n consumerRoot: string;\n repoRoot: string;\n workflowSources?: ReadonlyArray<string>;\n env?: Readonly<NodeJS.ProcessEnv>;\n }>,\n ) {\n this.consumerRoot = args.consumerRoot;\n this.repoRoot = args.repoRoot;\n this.workflowSources = [...(args.workflowSources ?? [])];\n this.env = args.env;\n }\n\n resolveEnvironment(): NodeJS.ProcessEnv {\n return {\n ...process.env,\n ...(this.env ?? {}),\n };\n }\n}\n","import { CodemationPluginPackageMetadata, type CodemationPlugin } from \"./CodemationPlugin\";\n\n/*\n Merges explicitly configured plugins with auto-discovered plugins.\n * Configured plugins are applied first; discovered plugins fill in gaps.\n * Plugins discovered from package.json manifests are deduped by npm package name so the same package is not\n * registered twice when the consumer config lists a discovered plugin explicitly and auto-discovery also finds it.\n */\nexport class CodemationPluginListMerger {\n constructor(private readonly packageMetadata: CodemationPluginPackageMetadata) {}\n\n merge(\n configuredPlugins: ReadonlyArray<CodemationPlugin>,\n discoveredPlugins: ReadonlyArray<CodemationPlugin>,\n ): ReadonlyArray<CodemationPlugin> {\n const pluginsByPackageId = new Map<string, CodemationPlugin>();\n const pluginsByReference = new Set<CodemationPlugin>();\n const result: CodemationPlugin[] = [];\n\n for (const plugin of configuredPlugins) {\n this.tryAdd(plugin, pluginsByPackageId, pluginsByReference, result);\n }\n for (const plugin of discoveredPlugins) {\n this.tryAdd(plugin, pluginsByPackageId, pluginsByReference, result);\n }\n return result;\n }\n\n private tryAdd(\n plugin: CodemationPlugin,\n pluginsByPackageId: Map<string, CodemationPlugin>,\n pluginsByReference: Set<CodemationPlugin>,\n result: CodemationPlugin[],\n ): void {\n const packageId = this.packageMetadata.readPackageName(plugin);\n if (packageId) {\n if (pluginsByPackageId.has(packageId)) {\n return;\n }\n pluginsByPackageId.set(packageId, plugin);\n result.push(plugin);\n return;\n }\n if (pluginsByReference.has(plugin)) {\n return;\n }\n pluginsByReference.add(plugin);\n result.push(plugin);\n }\n}\n"],"mappings":";AAAA,IAAa,6BAAb,MAAwC;CACtC,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CAET,YACE,MAMA;AACA,OAAK,eAAe,KAAK;AACzB,OAAK,WAAW,KAAK;AACrB,OAAK,kBAAkB,CAAC,GAAI,KAAK,mBAAmB,EAAE,CAAE;AACxD,OAAK,MAAM,KAAK;;CAGlB,qBAAwC;AACtC,SAAO;GACL,GAAG,QAAQ;GACX,GAAI,KAAK,OAAO,EAAE;GACnB;;;;;;;;;;;;AChBL,IAAa,6BAAb,MAAwC;CACtC,YAAY,AAAiBA,iBAAkD;EAAlD;;CAE7B,MACE,mBACA,mBACiC;EACjC,MAAM,qCAAqB,IAAI,KAA+B;EAC9D,MAAM,qCAAqB,IAAI,KAAuB;EACtD,MAAMC,SAA6B,EAAE;AAErC,OAAK,MAAM,UAAU,kBACnB,MAAK,OAAO,QAAQ,oBAAoB,oBAAoB,OAAO;AAErE,OAAK,MAAM,UAAU,kBACnB,MAAK,OAAO,QAAQ,oBAAoB,oBAAoB,OAAO;AAErE,SAAO;;CAGT,AAAQ,OACN,QACA,oBACA,oBACA,QACM;EACN,MAAM,YAAY,KAAK,gBAAgB,gBAAgB,OAAO;AAC9D,MAAI,WAAW;AACb,OAAI,mBAAmB,IAAI,UAAU,CACnC;AAEF,sBAAmB,IAAI,WAAW,OAAO;AACzC,UAAO,KAAK,OAAO;AACnB;;AAEF,MAAI,mBAAmB,IAAI,OAAO,CAChC;AAEF,qBAAmB,IAAI,OAAO;AAC9B,SAAO,KAAK,OAAO"}
1	+ {"version":3,"file":"CodemationPluginListMerger-D1B1IEbt.js","names":["packageMetadata: CodemationPluginPackageMetadata","result: CodemationPlugin[]"],"sources":["../src/bootstrap/CodemationBootstrapRequest.ts","../src/presentation/config/CodemationPluginListMerger.ts"],"sourcesContent":["export class CodemationBootstrapRequest {\n readonly consumerRoot: string;\n readonly repoRoot: string;\n readonly workflowSources: ReadonlyArray<string>;\n readonly env?: Readonly<NodeJS.ProcessEnv>;\n\n constructor(\n args: Readonly<{\n consumerRoot: string;\n repoRoot: string;\n workflowSources?: ReadonlyArray<string>;\n env?: Readonly<NodeJS.ProcessEnv>;\n }>,\n ) {\n this.consumerRoot = args.consumerRoot;\n this.repoRoot = args.repoRoot;\n this.workflowSources = [...(args.workflowSources ?? [])];\n this.env = args.env;\n }\n\n resolveEnvironment(): NodeJS.ProcessEnv {\n return {\n ...process.env,\n ...(this.env ?? {}),\n };\n }\n}\n","import { CodemationPluginPackageMetadata, type CodemationPlugin } from \"./CodemationPlugin\";\n\n/*\n Merges explicitly configured plugins with auto-discovered plugins.\n * Configured plugins are applied first; discovered plugins fill in gaps.\n * Plugins discovered from package.json manifests are deduped by npm package name so the same package is not\n * registered twice when the consumer config lists a discovered plugin explicitly and auto-discovery also finds it.\n */\nexport class CodemationPluginListMerger {\n constructor(private readonly packageMetadata: CodemationPluginPackageMetadata) {}\n\n merge(\n configuredPlugins: ReadonlyArray<CodemationPlugin>,\n discoveredPlugins: ReadonlyArray<CodemationPlugin>,\n ): ReadonlyArray<CodemationPlugin> {\n const pluginsByPackageId = new Map<string, CodemationPlugin>();\n const pluginsByReference = new Set<CodemationPlugin>();\n const result: CodemationPlugin[] = [];\n\n for (const plugin of configuredPlugins) {\n this.tryAdd(plugin, pluginsByPackageId, pluginsByReference, result);\n }\n for (const plugin of discoveredPlugins) {\n this.tryAdd(plugin, pluginsByPackageId, pluginsByReference, result);\n }\n return result;\n }\n\n private tryAdd(\n plugin: CodemationPlugin,\n pluginsByPackageId: Map<string, CodemationPlugin>,\n pluginsByReference: Set<CodemationPlugin>,\n result: CodemationPlugin[],\n ): void {\n const packageId = this.packageMetadata.readPackageName(plugin);\n if (packageId) {\n if (pluginsByPackageId.has(packageId)) {\n return;\n }\n pluginsByPackageId.set(packageId, plugin);\n result.push(plugin);\n return;\n }\n if (pluginsByReference.has(plugin)) {\n return;\n }\n pluginsByReference.add(plugin);\n result.push(plugin);\n }\n}\n"],"mappings":";AAAA,IAAa,6BAAb,MAAwC;CACtC,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CAET,YACE,MAMA;AACA,OAAK,eAAe,KAAK;AACzB,OAAK,WAAW,KAAK;AACrB,OAAK,kBAAkB,CAAC,GAAI,KAAK,mBAAmB,EAAE,CAAE;AACxD,OAAK,MAAM,KAAK;;CAGlB,qBAAwC;AACtC,SAAO;GACL,GAAG,QAAQ;GACX,GAAI,KAAK,OAAO,EAAE;GACnB;;;;;;;;;;;;AChBL,IAAa,6BAAb,MAAwC;CACtC,YAAY,AAAiBA,iBAAkD;EAAlD;;CAE7B,MACE,mBACA,mBACiC;EACjC,MAAM,qCAAqB,IAAI,KAA+B;EAC9D,MAAM,qCAAqB,IAAI,KAAuB;EACtD,MAAMC,SAA6B,EAAE;AAErC,OAAK,MAAM,UAAU,kBACnB,MAAK,OAAO,QAAQ,oBAAoB,oBAAoB,OAAO;AAErE,OAAK,MAAM,UAAU,kBACnB,MAAK,OAAO,QAAQ,oBAAoB,oBAAoB,OAAO;AAErE,SAAO;;CAGT,AAAQ,OACN,QACA,oBACA,oBACA,QACM;EACN,MAAM,YAAY,KAAK,gBAAgB,gBAAgB,OAAO;AAC9D,MAAI,WAAW;AACb,OAAI,mBAAmB,IAAI,UAAU,CACnC;AAEF,sBAAmB,IAAI,WAAW,OAAO;AACzC,UAAO,KAAK,OAAO;AACnB;;AAEF,MAAI,mBAAmB,IAAI,OAAO,CAChC;AAEF,qBAAmB,IAAI,OAAO;AAC9B,SAAO,KAAK,OAAO"}

package/dist/{CodemationPluginListMerger-DGc-jfa2.d.ts → CodemationPluginListMerger-DP7djJ9S.d.ts} RENAMED Viewed

@@ -1,13 +1,16 @@
-import { n as Engine, r as CollectionDefinition, s as Clock } from "./index-BbBk26m0.js";
-import { $ as RunCurrentState, Dt as WorkflowId, J as WorkflowDefinition, U as PersistedRunPolicySnapshot, W as RunId, Z as PersistedRunState, at as RunSummary, b as TestCaseRunStatus, ct as AnyCredentialType, d as NodeExecutionRequestHandler, f as NodeExecutionScheduler, g as TypeToken, h as Container, k as WorkflowRunDetailDto, o as BinaryStorage, p as WorkflowRepository, tt as RunPruneCandidate, v as RunEvent, w as WorkflowActivationPolicy, y as RunEventBus } from "./ItemsInputNormalizer-C-KHg9Mo.js";
-import { C as CodemationContainerRegistration, l as CodemationPluginPackageMetadata, o as CodemationPlugin, r as AppConfig } from "./CodemationAppContext-DRu1Dpri.js";
-import { a as CodemationAuthConfig, l as Logger, t as CodemationWhitelabelConfig, u as LoggerFactory } from "./CodemationWhitelabelConfig-CWbcyQqn.js";
-import { t as LogLevelPolicyFactory } from "./LogLevelPolicyFactory-CampWO0l.js";
-import { t as CredentialStore } from "./CredentialServices-UfvHB-rN.js";
-import { i as TelemetryMetricPointStore, n as TelemetryArtifactStore, o as TelemetrySpanStore, r as TelemetryExporter, t as RunTraceContextRepository } from "./TelemetryContracts-DbaNomrH.js";
-import { n as PrismaMigrationDeployer, r as PrismaDatabaseClient } from "./AppConfigFactory-YnveXE9k.js";
+import { c as Clock, i as CollectionDefinition, r as Engine, t as OAuthFlowExecutor } from "./index-DilAYwnH.js";
+import { $ as PersistedRunState, A as WorkflowRunDetailDto, G as PersistedRunPolicySnapshot, K as RunId, T as McpServerDeclaration, X as WorkflowDefinition, b as TestCaseRunStatus, d as NodeExecutionRequestHandler, f as NodeExecutionScheduler, g as TypeToken, h as Container, kt as WorkflowId, o as BinaryStorage, p as WorkflowRepository, rt as RunPruneCandidate, st as RunSummary, tt as RunCurrentState, ut as AnyCredentialType, v as RunEvent, w as WorkflowActivationPolicy, y as RunEventBus } from "./ItemsInputNormalizer-_RwIfRIQ.js";
+import { C as CodemationContainerRegistration, l as CodemationPluginPackageMetadata, o as CodemationPlugin, r as AppConfig } from "./CodemationAppContext-CGFYVcSb.js";
+import { a as CodemationAuthConfig, l as Logger, t as CodemationWhitelabelConfig, u as LoggerFactory } from "./CodemationWhitelabelConfig-Ca2mCUeC.js";
+import { t as LogLevelPolicyFactory } from "./LogLevelPolicyFactory-ewCHLDLn.js";
+import { t as CredentialStore } from "./CredentialServices-BLloBztI.js";
+import { i as TelemetryMetricPointStore, n as TelemetryArtifactStore, o as TelemetrySpanStore, r as TelemetryExporter, s as TelemetrySpanUpsert, t as RunTraceContextRepository } from "./TelemetryContracts-BtDx84Cp.js";
+import { n as PrismaMigrationDeployer, r as PrismaDatabaseClient } from "./AppConfigFactory-BT0y0LVC.js";
+import { t as InternalHonoApiRouteRegistrar } from "./InternalHonoApiRouteRegistrar-c7t3KnV_.js";
+import { s as ProcessRunner } from "./PublicFrontendBootstrapFactory-Dv04tJ-6.js";
 import "reflect-metadata";
-import { Hono } from "hono";
+import { Hono, MiddlewareHandler } from "hono";
+import "jose";
 //#region src/application/bus/Command.d.ts
 declare abstract class Command<TResult> {
@@ -37,6 +40,7 @@ declare class CodemationPluginRegistrar {
     appConfig: AppConfig;
     registerCredentialType: (type: AnyCredentialType) => void;
     registerCollection: (definition: CollectionDefinition) => void;
+    mergeMcpServers: (declarations: ReadonlyArray<McpServerDeclaration>) => void;
     loggerFactory: LoggerFactory;
   }>): Promise<void>;
 }
@@ -60,6 +64,10 @@ type WorkflowWebsocketMessage = Readonly<{
   kind: "devBuildFailed";
   workflowId: string;
   message: string;
+}> | Readonly<{
+  kind: "telemetryEvent";
+  runId: string;
+  span: TelemetrySpanUpsert;
 }>;
 //#endregion
 //#region src/application/websocket/WorkflowWebsocketPublisher.d.ts
@@ -67,16 +75,41 @@ interface WorkflowWebsocketPublisher {
   publishToRoom(roomId: string, message: WorkflowWebsocketMessage): Promise<void>;
 }
 //#endregion
+//#region ../managed-auth/src/types.d.ts
+/**
+ * A successfully verified CP-signed JWT principal.
+ * `userId` maps to the JWT `sub` claim; `workspaceId` maps to `aud`.
+ */
+interface VerifiedManagedPrincipal {
+  readonly userId: string;
+  readonly workspaceId: string;
+}
+//#endregion
+//#region src/presentation/websocket/WebsocketAuthenticator.types.d.ts
+/**
+ * Authenticates an incoming WebSocket upgrade request.
+ *
+ * Implementations parse the upgrade URL (e.g. `?token=<jwt>`) and verify the
+ * credential.  Returns the verified principal on success, or `null` when the
+ * request must be rejected with close-code 4401.
+ */
+interface WebsocketAuthenticator {
+  authenticate(requestUrl: string | undefined): Promise<VerifiedManagedPrincipal | null>;
+}
+//#endregion
 //#region src/presentation/websocket/WorkflowWebsocketServer.d.ts
 declare class WorkflowWebsocketServer implements WorkflowWebsocketPublisher {
   private readonly port;
   private readonly bindHost;
   private readonly logger;
+  private readonly authenticator;
   private websocketServer;
   private readonly sockets;
   private readonly roomIdsBySocket;
   private started;
-  constructor(port: number, bindHost: string, logger: Logger);
+  constructor(port: number, bindHost: string, logger: Logger, authenticator?: WebsocketAuthenticator | null);
+  /** Returns the actual port the server is listening on (useful when constructed with port 0). */
+  get listeningPort(): number;
   start(): Promise<void>;
   stop(): Promise<void>;
   publishToRoom(roomId: string, message: WorkflowWebsocketMessage): Promise<void>;
@@ -109,14 +142,20 @@ declare class AppContainerFactory {
   constructor(containerRegistrationRegistrar?: CodemationContainerRegistrationRegistrar, pluginRegistrar?: CodemationPluginRegistrar);
   create(inputs: AppContainerInputs): Promise<Container>;
   private collectCredentialTypes;
+  private registerMcpCatalog;
+  private mergeConfigMcpServers;
   private applyPlugins;
   private registerCredentialTypes;
+  private registerControlPlaneCatalogFetcher;
   private registerConfiguredRegistrations;
   private registerCollectionsInfrastructure;
   private registerCoreInfrastructure;
   private registerRepositoriesAndBuses;
   private registerApplicationServicesAndRoutes;
+  private registerManagedAuthInfrastructure;
+  private registerPairingInfrastructure;
   private registerOperationalInfrastructure;
+  private registerWorkflowAuditWriter;
   private registerRuntimeInfrastructure;
   private resolvePrismaOwnership;
   private registerRuntimeNodeActivationScheduler;
@@ -133,6 +172,8 @@ declare class AppContainerLifecycle {
   private readonly container;
   private readonly ownedPrismaClient;
   constructor(container: Container, ownedPrismaClient: PrismaDatabaseClient | null);
+  start(): Promise<void>;
+  startWorkerSubscribers(): Promise<void>;
   stop(args?: Readonly<{
     stopWebsocketServer?: boolean;
   }>): Promise<void>;
@@ -406,10 +447,16 @@ declare class TelemetryEnricherChain {
 //#endregion
 //#region src/application/telemetry/TelemetryRetentionTimestampFactory.d.ts
 declare class TelemetryRetentionTimestampFactory {
-  createSpanExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createArtifactExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createMetricExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
-  createTraceContextExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string | undefined;
+  /** Default span retention: 7 days (overridden by policySnapshot). */
+  static readonly defaultSpanRetentionSeconds: number;
+  /** Default artifact retention: 3 days (overridden by policySnapshot). */
+  static readonly defaultArtifactRetentionSeconds: number;
+  /** Default metric retention: 30 days (overridden by policySnapshot). */
+  static readonly defaultMetricRetentionSeconds: number;
+  createSpanExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createArtifactExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createMetricExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
+  createTraceContextExpiry(policySnapshot: PersistedRunPolicySnapshot | undefined, observedAt: Date): string;
   private createExpiry;
 }
 //#endregion
@@ -542,6 +589,10 @@ type AuthenticatedPrincipal = Readonly<{
   id: string;
   email: string | null;
   name: string | null;
+  /** Set to "managed-jwt" when the principal was verified from a CP-signed bearer token. */
+  source?: "managed-jwt";
+  /** The workspace ID from the JWT `aud` claim. Present when source === "managed-jwt". */
+  workspaceId?: string;
 }>;
 //#endregion
 //#region src/application/auth/SessionVerifier.d.ts
@@ -549,6 +600,49 @@ interface SessionVerifier {
   verify(request: Request): Promise<AuthenticatedPrincipal | null>;
 }
 //#endregion
+//#region src/presentation/http/ServerHttpRouteParams.d.ts
+type ServerHttpRouteParams = Readonly<Record<string, string>>;
+//#endregion
+//#region src/presentation/http/routeHandlers/BinaryHttpRouteHandlerFactory.d.ts
+declare class BinaryHttpRouteHandler {
+  private readonly queryBus;
+  private readonly commandBus;
+  private readonly binaryStorage;
+  constructor(queryBus: QueryBus, commandBus: CommandBus, binaryStorage: BinaryStorage);
+  getRunBinaryContent(_: Request, params: ServerHttpRouteParams): Promise<Response>;
+  getWorkflowOverlayBinaryContent(_: Request, params: ServerHttpRouteParams): Promise<Response>;
+  postWorkflowDebuggerOverlayBinaryUpload(request: Request, params: ServerHttpRouteParams): Promise<Response>;
+  private createBinaryResponse;
+  private createContentDisposition;
+  private escapeFilename;
+}
+//#endregion
+//#region src/presentation/http/hono/HonoApiRouteRegistrar.d.ts
+interface HonoApiRouteRegistrar {
+  register(app: Hono): void;
+}
+//#endregion
+//#region src/auth/managed/ManagedCorsMiddleware.d.ts
+/**
+ * CORS allowlist middleware for managed mode.
+ *
+ * Only the single `CP_WEB_ORIGIN` value (provisioner-injected) is permitted.
+ * All other origins are refused on preflight with a 403.
+ */
+declare class ManagedCorsMiddleware {
+  private readonly allowedOrigin;
+  constructor(allowedOrigin: string);
+  handle(): MiddlewareHandler;
+}
+//#endregion
+//#region src/presentation/http/hono/CodemationHonoApiAppFactory.d.ts
+declare class CodemationHonoApiApp {
+  private readonly app;
+  constructor(sessionVerifier: SessionVerifier, registrars: ReadonlyArray<HonoApiRouteRegistrar>, binaryHttpRouteHandler: BinaryHttpRouteHandler, internalRegistrars: ReadonlyArray<InternalHonoApiRouteRegistrar>, corsMiddlewareList: ReadonlyArray<ManagedCorsMiddleware>);
+  getHono(): Hono;
+  fetch(request: Request): Response | Promise<Response>;
+}
+//#endregion
 //#region src/application/bus/CommandHandler.d.ts
 declare abstract class CommandHandler<TCommand extends Command<TResult>, TResult> {
   abstract execute(command: TCommand): Promise<TResult>;
@@ -572,6 +666,11 @@ declare abstract class QueryHandler<TQuery extends Query<TResult>, TResult> {
   abstract execute(query: TQuery): Promise<TResult>;
 }
 //#endregion
+//#region src/application/telemetry/TelemetrySpanPublisher.d.ts
+interface TelemetrySpanPublisher {
+  publishSpan(span: TelemetrySpanUpsert): Promise<void>;
+}
+//#endregion
 //#region src/domain/workflows/WorkflowDebuggerOverlayState.d.ts
 type WorkflowDebuggerOverlayState = Readonly<{
   workflowId: string;
@@ -586,9 +685,35 @@ interface WorkflowDebuggerOverlayRepository {
   save(state: WorkflowDebuggerOverlayState): Promise<void>;
 }
 //#endregion
-//#region src/presentation/http/hono/HonoApiRouteRegistrar.d.ts
-interface HonoApiRouteRegistrar {
-  register(app: Hono): void;
+//#region src/audit/IAuditEmitter.d.ts
+/**
+ * Workspace-local audit emitter contract.
+ * Mirror of the CP-side IAuditEmitter shape; kept separate to avoid cross-repo coupling.
+ */
+interface WorkflowAuditActor {
+  readonly userId: string;
+  readonly sessionId?: string;
+}
+interface WorkflowAuditResource {
+  readonly type: string;
+  readonly id: string;
+}
+interface WorkflowAuditEntry {
+  readonly id: string;
+  readonly occurredAt: string;
+  readonly actor: WorkflowAuditActor;
+  readonly action: string;
+  readonly resource: WorkflowAuditResource;
+  readonly outcome: "success" | "failure";
+  readonly errorCode?: string;
+  readonly correlationId?: string;
+  /** Denormalised on every row for query convenience. */
+  readonly workflowId: string;
+  readonly runId?: string;
+  readonly nodeId?: string;
+}
+interface IWorkflowAuditEmitter {
+  emit(entry: WorkflowAuditEntry): Promise<void>;
 }
 //#endregion
 //#region src/applicationTokens.d.ts
@@ -605,7 +730,11 @@ declare const ApplicationTokens: {
   readonly CommandHandler: TypeToken<CommandHandler<Command<unknown>, unknown>>;
   readonly DomainEventHandler: TypeToken<DomainEventHandler<DomainEvent>>;
   readonly HonoApiRouteRegistrar: TypeToken<HonoApiRouteRegistrar>;
+  readonly InternalHonoApiRouteRegistrar: TypeToken<InternalHonoApiRouteRegistrar>;
+  readonly ManagedCorsMiddleware: TypeToken<ManagedCorsMiddleware>;
+  readonly WebsocketAuthenticator: TypeToken<WebsocketAuthenticator | null>;
   readonly WorkflowWebsocketPublisher: TypeToken<WorkflowWebsocketPublisher>;
+  readonly TelemetrySpanPublisher: TypeToken<TelemetrySpanPublisher>;
   readonly WorkerRuntimeScheduler: TypeToken<WorkerRuntimeScheduler>;
   readonly WorkflowDefinitionRepository: TypeToken<WorkflowDefinitionRepository>;
   readonly WorkflowActivationRepository: TypeToken<WorkflowActivationRepository>;
@@ -625,6 +754,9 @@ declare const ApplicationTokens: {
   readonly PrismaClient: TypeToken<PrismaDatabaseClient>;
   readonly SessionVerifier: TypeToken<SessionVerifier>;
   readonly Clock: TypeToken<Clock>;
+  readonly WorkflowAuditEmitter: TypeToken<IWorkflowAuditEmitter>;
+  readonly ProcessRunner: TypeToken<ProcessRunner>;
+  readonly OAuthFlowExecutor: TypeToken<OAuthFlowExecutor>;
 };
 //#endregion
 //#region src/bootstrap/CodemationBootstrapRequest.d.ts
@@ -656,5 +788,5 @@ declare class CodemationPluginListMerger {
   private tryAdd;
 }
 //#endregion
-export { WorkflowWebsocketServer as _, WorkflowDebuggerOverlayRepository as a, CommandBus as b, FrontendRuntime as c, LogFilter as d, WorkflowRunRepository as f, AppContainerFactory as g, AppContainerLifecycle as h, HonoApiRouteRegistrar as i, WorkflowRunRetentionPruneScheduler as l, DatabaseMigrations as m, CodemationBootstrapRequest as n, SessionVerifier as o, CollectionSchemaSyncerHolder as p, ApplicationTokens as r, WorkerRuntime as s, CodemationPluginListMerger as t, ServerLoggerFactory as u, QueryBus as v, Command as x, Query as y };
-//# sourceMappingURL=CodemationPluginListMerger-DGc-jfa2.d.ts.map
+export { Command as C, CommandBus as S, AppContainerLifecycle as _, CodemationHonoApiApp as a, QueryBus as b, SessionVerifier as c, WorkflowRunRetentionPruneScheduler as d, ServerLoggerFactory as f, DatabaseMigrations as g, CollectionSchemaSyncerHolder as h, WorkflowDebuggerOverlayRepository as i, WorkerRuntime as l, WorkflowRunRepository as m, CodemationBootstrapRequest as n, BinaryHttpRouteHandler as o, LogFilter as p, ApplicationTokens as r, ServerHttpRouteParams as s, CodemationPluginListMerger as t, FrontendRuntime as u, AppContainerFactory as v, Query as x, WorkflowWebsocketServer as y };
+//# sourceMappingURL=CodemationPluginListMerger-DP7djJ9S.d.ts.map

package/dist/CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js ADDED Viewed

@@ -0,0 +1,97 @@
+//#region src/presentation/server/CodemationTsyringeParamInfoReader.ts
+var CodemationTsyringeParamInfoReader = class {
+	static injectionTokenMetadataKey = "injectionTokens";
+	static designParamTypesMetadataKey = "design:paramtypes";
+	static read(target) {
+		const designParamTypes = this.readDesignParamTypes(target);
+		const injectionTokens = this.readInjectionTokens(target);
+		Object.keys(injectionTokens).forEach((key) => {
+			designParamTypes[Number(key)] = injectionTokens[key];
+		});
+		return designParamTypes;
+	}
+	static readDesignParamTypes(target) {
+		const reflected = Reflect.getMetadata?.(this.designParamTypesMetadataKey, target);
+		return Array.isArray(reflected) ? [...reflected] : [];
+	}
+	static readInjectionTokens(target) {
+		const reflected = Reflect.getOwnMetadata?.(this.injectionTokenMetadataKey, target);
+		if (!reflected || typeof reflected !== "object") return {};
+		return reflected;
+	}
+};
+//#endregion
+//#region src/presentation/server/CodemationTsyringeTypeInfoRegistrar.ts
+var CodemationTsyringeTypeInfoRegistrar = class {
+	visitedTokens = /* @__PURE__ */ new Set();
+	visitedConfigObjects = /* @__PURE__ */ new Set();
+	constructor(container) {
+		this.container = container;
+	}
+	registerWorkflowDefinitions(workflows) {
+		for (const workflow of workflows) for (const node of workflow.nodes) {
+			this.registerTypeToken(node.type);
+			this.registerConfigTokens(node.config);
+		}
+	}
+	registerTypeToken(token) {
+		if (typeof token !== "function" || this.visitedTokens.has(token)) return;
+		this.visitedTokens.add(token);
+		const paramInfo = CodemationTsyringeParamInfoReader.read(token);
+		for (const dependency of paramInfo) this.registerDependency(dependency);
+		this.registerFactoryProvider(token, paramInfo);
+	}
+	registerDependency(dependency) {
+		const token = this.resolveDependencyToken(dependency);
+		if (typeof token !== "function") return;
+		if (!this.container.isRegistered(token, true)) return;
+		this.registerTypeToken(token);
+	}
+	registerConfigTokens(value) {
+		if (Array.isArray(value)) {
+			value.forEach((entry) => this.registerConfigTokens(entry));
+			return;
+		}
+		if (!value || typeof value !== "object") return;
+		if (this.visitedConfigObjects.has(value)) return;
+		this.visitedConfigObjects.add(value);
+		if ("type" in value && typeof value.type === "function") this.registerTypeToken(value.type);
+		Object.values(value).forEach((entry) => this.registerConfigTokens(entry));
+	}
+	registerFactoryProvider(token, paramInfo) {
+		if (this.container.isRegistered(token, true)) return;
+		const classToken = token;
+		const constructorToken = token;
+		this.container.register(classToken, { useFactory: (dependencyContainer) => {
+			return new constructorToken(...paramInfo.map((dependency) => this.resolveFactoryDependency(dependencyContainer, dependency)));
+		} });
+	}
+	resolveDependencyToken(dependency) {
+		if (this.isInjectionDescriptor(dependency)) return dependency.token;
+		return dependency;
+	}
+	resolveFactoryDependency(dependencyContainer, dependency) {
+		const token = this.resolveDependencyToken(dependency);
+		if (typeof token === "function") {
+			if (dependencyContainer.isRegistered(token, true)) try {
+				return dependencyContainer.resolve(token);
+			} catch (error) {
+				if (!this.isMissingTypeInfoError(error)) throw error;
+			}
+			this.registerTypeToken(token);
+			return new token(...CodemationTsyringeParamInfoReader.read(token).map((entry) => this.resolveFactoryDependency(dependencyContainer, entry)));
+		}
+		return dependencyContainer.resolve(token);
+	}
+	isInjectionDescriptor(value) {
+		return value !== null && typeof value === "object" && "token" in value;
+	}
+	isMissingTypeInfoError(error) {
+		return error instanceof Error && error.message.includes("TypeInfo not known for");
+	}
+};
+//#endregion
+export { CodemationTsyringeParamInfoReader as n, CodemationTsyringeTypeInfoRegistrar as t };
+//# sourceMappingURL=CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js.map

package/dist/CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"CodemationTsyringeTypeInfoRegistrar-Bj6FJYFz.js","names":["container: Container"],"sources":["../src/presentation/server/CodemationTsyringeParamInfoReader.ts","../src/presentation/server/CodemationTsyringeTypeInfoRegistrar.ts"],"sourcesContent":["export class CodemationTsyringeParamInfoReader {\n private static readonly injectionTokenMetadataKey = \"injectionTokens\";\n private static readonly designParamTypesMetadataKey = \"design:paramtypes\";\n\n static read(target: object): ReadonlyArray<unknown> {\n const designParamTypes = this.readDesignParamTypes(target);\n const injectionTokens = this.readInjectionTokens(target);\n Object.keys(injectionTokens).forEach((key: string) => {\n designParamTypes[Number(key)] = injectionTokens[key];\n });\n return designParamTypes;\n }\n\n private static readDesignParamTypes(target: object): unknown[] {\n const reflected = Reflect.getMetadata?.(this.designParamTypesMetadataKey, target);\n return Array.isArray(reflected) ? [...reflected] : [];\n }\n\n private static readInjectionTokens(target: object): Record<string, unknown> {\n const reflected = Reflect.getOwnMetadata?.(this.injectionTokenMetadataKey, target);\n if (!reflected || typeof reflected !== \"object\") {\n return {};\n }\n return reflected as Record<string, unknown>;\n }\n}\n","import type { Container, TypeToken, WorkflowDefinition } from \"@codemation/core\";\n\nimport { CodemationTsyringeParamInfoReader } from \"./CodemationTsyringeParamInfoReader\";\n\ntype InjectionDescriptor = Readonly<{\n token?: unknown;\n}>;\n\nexport class CodemationTsyringeTypeInfoRegistrar {\n private readonly visitedTokens = new Set<unknown>();\n private readonly visitedConfigObjects = new Set<object>();\n\n constructor(private readonly container: Container) {}\n\n registerWorkflowDefinitions(workflows: ReadonlyArray<WorkflowDefinition>): void {\n for (const workflow of workflows) {\n for (const node of workflow.nodes) {\n this.registerTypeToken(node.type);\n this.registerConfigTokens(node.config);\n }\n }\n }\n\n registerTypeToken(token: unknown): void {\n if (typeof token !== \"function\" || this.visitedTokens.has(token)) {\n return;\n }\n this.visitedTokens.add(token);\n const paramInfo = CodemationTsyringeParamInfoReader.read(token);\n for (const dependency of paramInfo) {\n this.registerDependency(dependency);\n }\n this.registerFactoryProvider(token as new (...args: ReadonlyArray<unknown>) => unknown, paramInfo);\n }\n\n private registerDependency(dependency: unknown): void {\n const token = this.resolveDependencyToken(dependency);\n if (typeof token !== \"function\") {\n return;\n }\n if (!this.container.isRegistered(token as TypeToken<unknown>, true)) {\n return;\n }\n this.registerTypeToken(token);\n }\n\n private registerConfigTokens(value: unknown): void {\n if (Array.isArray(value)) {\n value.forEach((entry: unknown) => this.registerConfigTokens(entry));\n return;\n }\n if (!value || typeof value !== \"object\") {\n return;\n }\n if (this.visitedConfigObjects.has(value)) {\n return;\n }\n this.visitedConfigObjects.add(value);\n if (\"type\" in value && typeof value.type === \"function\") {\n this.registerTypeToken(value.type);\n }\n Object.values(value).forEach((entry: unknown) => this.registerConfigTokens(entry));\n }\n\n private registerFactoryProvider(\n token: new (...args: ReadonlyArray<unknown>) => unknown,\n paramInfo: ReadonlyArray<unknown>,\n ): void {\n if (this.container.isRegistered(token as TypeToken<unknown>, true)) {\n return;\n }\n const classToken = token as unknown as TypeToken<unknown>;\n const constructorToken = token as unknown as new (...args: ReadonlyArray<unknown>) => unknown;\n this.container.register(classToken, {\n useFactory: (dependencyContainer) => {\n const dependencies = paramInfo.map((dependency: unknown) =>\n this.resolveFactoryDependency(dependencyContainer, dependency),\n );\n return new constructorToken(...dependencies);\n },\n });\n }\n\n private resolveDependencyToken(dependency: unknown): unknown {\n if (this.isInjectionDescriptor(dependency)) {\n return dependency.token;\n }\n return dependency;\n }\n\n private resolveFactoryDependency(dependencyContainer: Container, dependency: unknown): unknown {\n const token = this.resolveDependencyToken(dependency);\n if (typeof token === \"function\") {\n if (dependencyContainer.isRegistered(token as TypeToken<unknown>, true)) {\n try {\n return dependencyContainer.resolve(token as TypeToken<unknown>);\n } catch (error) {\n if (!this.isMissingTypeInfoError(error)) {\n throw error;\n }\n }\n }\n this.registerTypeToken(token);\n const constructorToken = token as unknown as new (...args: ReadonlyArray<unknown>) => unknown;\n const paramInfo = CodemationTsyringeParamInfoReader.read(token);\n const nestedDependencies = paramInfo.map((entry: unknown) =>\n this.resolveFactoryDependency(dependencyContainer, entry),\n );\n return new constructorToken(...nestedDependencies);\n }\n return dependencyContainer.resolve(token as TypeToken<unknown>);\n }\n\n private isInjectionDescriptor(value: unknown): value is InjectionDescriptor {\n return value !== null && typeof value === \"object\" && \"token\" in value;\n }\n\n private isMissingTypeInfoError(error: unknown): boolean {\n return error instanceof Error && error.message.includes(\"TypeInfo not known for\");\n }\n}\n"],"mappings":";AAAA,IAAa,oCAAb,MAA+C;CAC7C,OAAwB,4BAA4B;CACpD,OAAwB,8BAA8B;CAEtD,OAAO,KAAK,QAAwC;EAClD,MAAM,mBAAmB,KAAK,qBAAqB,OAAO;EAC1D,MAAM,kBAAkB,KAAK,oBAAoB,OAAO;AACxD,SAAO,KAAK,gBAAgB,CAAC,SAAS,QAAgB;AACpD,oBAAiB,OAAO,IAAI,IAAI,gBAAgB;IAChD;AACF,SAAO;;CAGT,OAAe,qBAAqB,QAA2B;EAC7D,MAAM,YAAY,QAAQ,cAAc,KAAK,6BAA6B,OAAO;AACjF,SAAO,MAAM,QAAQ,UAAU,GAAG,CAAC,GAAG,UAAU,GAAG,EAAE;;CAGvD,OAAe,oBAAoB,QAAyC;EAC1E,MAAM,YAAY,QAAQ,iBAAiB,KAAK,2BAA2B,OAAO;AAClF,MAAI,CAAC,aAAa,OAAO,cAAc,SACrC,QAAO,EAAE;AAEX,SAAO;;;;;;ACfX,IAAa,sCAAb,MAAiD;CAC/C,AAAiB,gCAAgB,IAAI,KAAc;CACnD,AAAiB,uCAAuB,IAAI,KAAa;CAEzD,YAAY,AAAiBA,WAAsB;EAAtB;;CAE7B,4BAA4B,WAAoD;AAC9E,OAAK,MAAM,YAAY,UACrB,MAAK,MAAM,QAAQ,SAAS,OAAO;AACjC,QAAK,kBAAkB,KAAK,KAAK;AACjC,QAAK,qBAAqB,KAAK,OAAO;;;CAK5C,kBAAkB,OAAsB;AACtC,MAAI,OAAO,UAAU,cAAc,KAAK,cAAc,IAAI,MAAM,CAC9D;AAEF,OAAK,cAAc,IAAI,MAAM;EAC7B,MAAM,YAAY,kCAAkC,KAAK,MAAM;AAC/D,OAAK,MAAM,cAAc,UACvB,MAAK,mBAAmB,WAAW;AAErC,OAAK,wBAAwB,OAA2D,UAAU;;CAGpG,AAAQ,mBAAmB,YAA2B;EACpD,MAAM,QAAQ,KAAK,uBAAuB,WAAW;AACrD,MAAI,OAAO,UAAU,WACnB;AAEF,MAAI,CAAC,KAAK,UAAU,aAAa,OAA6B,KAAK,CACjE;AAEF,OAAK,kBAAkB,MAAM;;CAG/B,AAAQ,qBAAqB,OAAsB;AACjD,MAAI,MAAM,QAAQ,MAAM,EAAE;AACxB,SAAM,SAAS,UAAmB,KAAK,qBAAqB,MAAM,CAAC;AACnE;;AAEF,MAAI,CAAC,SAAS,OAAO,UAAU,SAC7B;AAEF,MAAI,KAAK,qBAAqB,IAAI,MAAM,CACtC;AAEF,OAAK,qBAAqB,IAAI,MAAM;AACpC,MAAI,UAAU,SAAS,OAAO,MAAM,SAAS,WAC3C,MAAK,kBAAkB,MAAM,KAAK;AAEpC,SAAO,OAAO,MAAM,CAAC,SAAS,UAAmB,KAAK,qBAAqB,MAAM,CAAC;;CAGpF,AAAQ,wBACN,OACA,WACM;AACN,MAAI,KAAK,UAAU,aAAa,OAA6B,KAAK,CAChE;EAEF,MAAM,aAAa;EACnB,MAAM,mBAAmB;AACzB,OAAK,UAAU,SAAS,YAAY,EAClC,aAAa,wBAAwB;AAInC,UAAO,IAAI,iBAAiB,GAHP,UAAU,KAAK,eAClC,KAAK,yBAAyB,qBAAqB,WAAW,CAC/D,CAC2C;KAE/C,CAAC;;CAGJ,AAAQ,uBAAuB,YAA8B;AAC3D,MAAI,KAAK,sBAAsB,WAAW,CACxC,QAAO,WAAW;AAEpB,SAAO;;CAGT,AAAQ,yBAAyB,qBAAgC,YAA8B;EAC7F,MAAM,QAAQ,KAAK,uBAAuB,WAAW;AACrD,MAAI,OAAO,UAAU,YAAY;AAC/B,OAAI,oBAAoB,aAAa,OAA6B,KAAK,CACrE,KAAI;AACF,WAAO,oBAAoB,QAAQ,MAA4B;YACxD,OAAO;AACd,QAAI,CAAC,KAAK,uBAAuB,MAAM,CACrC,OAAM;;AAIZ,QAAK,kBAAkB,MAAM;AAM7B,UAAO,IALkB,MAKG,GAJV,kCAAkC,KAAK,MAAM,CAC1B,KAAK,UACxC,KAAK,yBAAyB,qBAAqB,MAAM,CAC1D,CACiD;;AAEpD,SAAO,oBAAoB,QAAQ,MAA4B;;CAGjE,AAAQ,sBAAsB,OAA8C;AAC1E,SAAO,UAAU,QAAQ,OAAO,UAAU,YAAY,WAAW;;CAGnE,AAAQ,uBAAuB,OAAyB;AACtD,SAAO,iBAAiB,SAAS,MAAM,QAAQ,SAAS,yBAAyB"}

package/dist/{CodemationWhitelabelConfig-CWbcyQqn.d.ts → CodemationWhitelabelConfig-Ca2mCUeC.d.ts} RENAMED Viewed

@@ -16,7 +16,7 @@ interface LoggerFactory {
  * Consumer-declared authentication profile for the hosted UI + HTTP API.
  * Social provider ids intentionally match Better Auth's provider ids so config stays 1:1 with the auth runtime.
  */
-type CodemationAuthKind = "local" | "oauth" | "oidc";
+type CodemationAuthKind = "local" | "oauth" | "oidc" | "managed";
 type CodemationAuthOAuthProviderId = Extract<keyof NonNullable<BetterAuthOptions["socialProviders"]>, "github" | "google" | "microsoft">;
 interface CodemationAuthOAuthProviderConfig {
   readonly provider: CodemationAuthOAuthProviderId;
@@ -78,4 +78,4 @@ interface CodemationWhitelabelConfig {
 }
 //#endregion
 export { CodemationAuthConfig as a, CodemationAuthOidcProviderConfig as c, CodemationLogRule as i, Logger as l, CodemationLogConfig as n, CodemationAuthKind as o, CodemationLogLevelName as r, CodemationAuthOAuthProviderConfig as s, CodemationWhitelabelConfig as t, LoggerFactory as u };
-//# sourceMappingURL=CodemationWhitelabelConfig-CWbcyQqn.d.ts.map
+//# sourceMappingURL=CodemationWhitelabelConfig-Ca2mCUeC.d.ts.map

package/dist/{CollectionContracts.types-DdpHft0i.d.ts → CollectionContracts.types-DDyFYT_D.d.ts} RENAMED Viewed

@@ -84,4 +84,4 @@ interface SyncCollectionsResponseDto {
 }
 //#endregion
 export { withInviteUserResponseLoginMethodsDefaults as _, CollectionSummaryDto as a, AcceptUserInviteRequestDto as c, UpdateUserAccountStatusRequestDto as d, UpsertLocalBootstrapUserResultDto as f, VerifyUserInviteResponseDto as g, UserAccountStatus as h, CollectionRowDto as i, InviteUserRequestDto as l, UserAccountDtoInput as m, CollectionFieldDto as n, ListCollectionRowsResponseDto as o, UserAccountDto as p, CollectionIndexDto as r, SyncCollectionsResponseDto as s, CollectionDetailDto as t, InviteUserResponseDto as u, withUserAccountLoginMethodsDefaults as v };
-//# sourceMappingURL=CollectionContracts.types-DdpHft0i.d.ts.map
+//# sourceMappingURL=CollectionContracts.types-DDyFYT_D.d.ts.map

package/dist/{CredentialContractsRegistry-DrMIDSw8.d.ts → CredentialContractsRegistry-Bq2bq28t.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { ft as CredentialHealth, gt as CredentialMaterialSourceKind, pt as CredentialInstanceId, vt as CredentialRequirement, wt as CredentialTypeId, xt as CredentialSetupStatus } from "./ItemsInputNormalizer-C-KHg9Mo.js";
+import { Ct as CredentialSetupStatus, Et as CredentialTypeId, bt as CredentialRequirement, ht as CredentialInstanceId, mt as CredentialHealth, vt as CredentialMaterialSourceKind } from "./ItemsInputNormalizer-_RwIfRIQ.js";
 //#region src/application/contracts/CredentialContractsRegistry.d.ts
 type CredentialInstanceDto = Readonly<{
@@ -67,4 +67,4 @@ type UpsertCredentialBindingRequest = Readonly<{
 }>;
 //#endregion
 export { UpdateCredentialInstanceRequest as a, WorkflowCredentialHealthSlotDto as c, CredentialOAuth2ConnectionDto as i, CredentialInstanceDto as n, UpsertCredentialBindingRequest as o, CredentialInstanceWithSecretsDto as r, WorkflowCredentialHealthDto as s, CreateCredentialInstanceRequest as t };
-//# sourceMappingURL=CredentialContractsRegistry-DrMIDSw8.d.ts.map
+//# sourceMappingURL=CredentialContractsRegistry-Bq2bq28t.d.ts.map

package/dist/{CredentialServices-UfvHB-rN.d.ts → CredentialServices-BLloBztI.d.ts} RENAMED Viewed

@@ -1,14 +1,40 @@
-import { Ct as CredentialTypeDefinition, J as WorkflowDefinition, St as CredentialType, Tt as CredentialTypeRegistry, _t as CredentialOAuth2AuthDefinition, bt as CredentialSessionService, ct as AnyCredentialType, dt as CredentialFieldSchema, ft as CredentialHealth, ht as CredentialJsonRecord, lt as CredentialBinding, mt as CredentialInstanceRecord, p as WorkflowRepository, pt as CredentialInstanceId, ut as CredentialBindingKey, vt as CredentialRequirement, wt as CredentialTypeId } from "./ItemsInputNormalizer-C-KHg9Mo.js";
-import { r as AppConfig } from "./CodemationAppContext-DRu1Dpri.js";
-import { a as UpdateCredentialInstanceRequest, n as CredentialInstanceDto, r as CredentialInstanceWithSecretsDto, s as WorkflowCredentialHealthDto, t as CreateCredentialInstanceRequest } from "./CredentialContractsRegistry-DrMIDSw8.js";
+import { Dt as CredentialTypeRegistry, Et as CredentialTypeId, St as CredentialSessionService, T as McpServerDeclaration, Tt as CredentialTypeDefinition, X as WorkflowDefinition, _t as CredentialJsonRecord, bt as CredentialRequirement, dt as CredentialBinding, ft as CredentialBindingKey, gt as CredentialInstanceRecord, ht as CredentialInstanceId, mt as CredentialHealth, p as WorkflowRepository, pt as CredentialFieldSchema, ut as AnyCredentialType, wt as CredentialType, yt as CredentialOAuth2AuthDefinition } from "./ItemsInputNormalizer-_RwIfRIQ.js";
+import { r as AppConfig } from "./CodemationAppContext-CGFYVcSb.js";
+import { u as LoggerFactory } from "./CodemationWhitelabelConfig-Ca2mCUeC.js";
+import { a as UpdateCredentialInstanceRequest, n as CredentialInstanceDto, r as CredentialInstanceWithSecretsDto, s as WorkflowCredentialHealthDto, t as CreateCredentialInstanceRequest } from "./CredentialContractsRegistry-Bq2bq28t.js";
 //#region src/domain/credentials/CredentialTypeRegistryImpl.d.ts
+type CredentialTypeSource = "plugin" | "config" | "controlPlane";
 declare class CredentialTypeRegistryImpl implements CredentialTypeRegistry {
-  private readonly credentialTypesById;
-  register(type: CredentialType$1<any, any, unknown>): void;
+  private readonly loggers;
+  private readonly entries;
+  private readonly bySource;
+  constructor(loggers: LoggerFactory);
+  merge(source: CredentialTypeSource, types: ReadonlyArray<AnyCredentialType>): void;
+  mergeDefinitions(source: CredentialTypeSource, definitions: ReadonlyArray<CredentialTypeDefinition>): void;
+  clear(source: CredentialTypeSource): void;
   listTypes(): ReadonlyArray<CredentialTypeDefinition>;
   getType(typeId: CredentialTypeId): CredentialTypeDefinition | undefined;
   getCredentialType(typeId: CredentialTypeId): AnyCredentialType | undefined;
+  private insert;
+  private recordEntry;
+  private createUnsupportedSessionFactory;
+  private createUnsupportedHealthTester;
+}
+//#endregion
+//#region src/mcp/McpServerCatalog.d.ts
+type McpServerDeclarationSource = "plugin" | "config" | "controlPlane";
+declare class McpServerCatalog {
+  private readonly loggers;
+  private readonly entries;
+  private readonly bySource;
+  private readonly env;
+  constructor(loggers: LoggerFactory, appConfig: AppConfig);
+  merge(source: McpServerDeclarationSource, declarations: ReadonlyArray<McpServerDeclaration>): void;
+  get(id: string): McpServerDeclaration | undefined;
+  getAll(): readonly McpServerDeclaration[];
+  clear(source: McpServerDeclarationSource): void;
+  private validate;
 }
 //#endregion
 //#region src/domain/credentials/WorkflowCredentialNodeResolver.d.ts
@@ -22,6 +48,8 @@ type WorkflowCredentialSlotRef = Readonly<{
  * Resolves credential requirements for workflow node ids, including connection-owned LLM/tool children.
  */
 declare class WorkflowCredentialNodeResolver {
+  private readonly mcpCatalog?;
+  constructor(mcpCatalog?: McpServerCatalog | undefined);
   /**
    * Human-readable label for credential errors (workflow node name or agent › attachment).
    */
@@ -57,11 +85,22 @@ declare class CredentialFieldEnvOverlayService {
 }
 //#endregion
 //#region src/domain/credentials/CredentialSecretCipher.d.ts
+/**
+ * Schema versions:
+ *   1 — key = SHA-256(rawValue)                  (legacy, read-only support retained for migration)
+ *   2 — key = HKDF-SHA-256(rawKey32Bytes, ...)   (current)
+ *
+ * All new encryptions are written as v2. Existing v1 records can still be
+ * decrypted so operators can re-encrypt at their own pace (re-bind the
+ * credential in the UI, or run the one-shot re-encrypt script).
+ */
 declare class CredentialSecretCipher {
   private readonly appConfig;
   private static readonly algorithm;
-  private static readonly schemaVersion;
+  private static readonly currentSchemaVersion;
   private static readonly ivLength;
+  private static readonly HKDF_SALT;
+  private static readonly HKDF_INFO;
   constructor(appConfig: AppConfig);
   encrypt(value: JsonRecord): Readonly<{
     encryptedJson: string;
@@ -73,7 +112,21 @@ declare class CredentialSecretCipher {
     encryptionKeyId: string;
     schemaVersion: number;
   }>): JsonRecord;
-  private resolveKeyMaterial;
+  /**
+   * Current (v2) key derivation: HKDF-SHA-256 with a fixed application salt and info label.
+   * Input must be a base64-encoded 32-byte value (`CODEMATION_CREDENTIALS_MASTER_KEY`).
+   */
+  private resolveKeyMaterialV2;
+  /**
+   * Legacy (v1) key derivation: SHA-256 of the raw env string.
+   * Retained for decrypt-side backward compatibility only.
+   */
+  private resolveKeyMaterialV1;
+  /**
+   * Validates and returns the raw 32-byte key material from the env var.
+   * Throws if the env var is absent or does not decode to exactly 32 bytes.
+   */
+  private resolveBase64Key32Bytes;
   private resolveKeyId;
 }
 //#endregion
@@ -132,29 +185,21 @@ declare class CredentialBindingService {
   private readonly workflowRepository;
   private readonly credentialSessionService;
   private readonly workflowCredentialNodeResolver;
-  constructor(credentialStore: CredentialStore, credentialInstanceService: CredentialInstanceService, workflowRepository: WorkflowRepository, credentialSessionService: MutableCredentialSessionService, workflowCredentialNodeResolver: WorkflowCredentialNodeResolver);
+  private readonly logger;
+  constructor(credentialStore: CredentialStore, credentialInstanceService: CredentialInstanceService, workflowRepository: WorkflowRepository, credentialSessionService: MutableCredentialSessionService, workflowCredentialNodeResolver: WorkflowCredentialNodeResolver, loggerFactory: LoggerFactory);
   upsertBinding(args: Readonly<{
     workflowId: string;
     nodeId: string;
     slotKey: string;
     instanceId: CredentialInstanceId;
   }>): Promise<CredentialBinding>;
+  assertRequiredCredentialsBound(workflowId: string): Promise<void>;
   listWorkflowHealth(workflowId: string): Promise<WorkflowCredentialHealthDto>;
   private requireWorkflow;
   private requireRequirement;
   private toBindingKeyString;
 }
 //#endregion
-//#region src/domain/credentials/CredentialRuntimeMaterialService.d.ts
-declare class CredentialRuntimeMaterialService {
-  private readonly credentialStore;
-  private readonly credentialMaterialResolver;
-  private readonly credentialSecretCipher;
-  private readonly credentialTypeRegistry;
-  constructor(credentialStore: CredentialStore, credentialMaterialResolver: CredentialMaterialResolver, credentialSecretCipher: CredentialSecretCipher, credentialTypeRegistry: CredentialTypeRegistryImpl);
-  compose(instance: CredentialInstanceRecord$1): Promise<JsonRecord>;
-}
-//#endregion
 //#region src/domain/credentials/CredentialServices.d.ts
 type JsonRecord = CredentialJsonRecord;
 type CredentialSecretRef = Readonly<{
@@ -238,5 +283,5 @@ type MutableCredentialSessionService = CredentialSessionService & Readonly<{
   evictBinding(bindingKey: CredentialBindingKey): void;
 }>;
 //#endregion
-export { CredentialInstanceService as a, CredentialSecretCipher as c, CredentialBindingService as i, CredentialFieldEnvOverlayService as l, CredentialType$1 as n, CredentialOAuth2ScopeResolver as o, CredentialRuntimeMaterialService as r, CredentialMaterialResolver as s, CredentialStore as t, CredentialTypeRegistryImpl as u };
-//# sourceMappingURL=CredentialServices-UfvHB-rN.d.ts.map
+export { CredentialSecretCipher as a, CredentialInstanceService as i, CredentialType$1 as n, McpServerCatalog as o, CredentialBindingService as r, CredentialStore as t };
+//# sourceMappingURL=CredentialServices-BLloBztI.d.ts.map