@devosurf/tesser-server 0.1.0-alpha.0

package/src/http/connect-view.ts

@@ -0,0 +1,290 @@
+// Rendering for the connect pages — pure functions from view data to HTML.
+// Styled by @devosurf/tesser-brand; no styling decisions live in this file beyond
+// composing the t- primitives. The requirement cards are manifest-driven, so a
+// custom connector renders exactly like a built-in one: a monogram tile, the
+// modes its manifest declares, and nothing hardcoded per provider.
+
+import { inlineCss, markSvg } from "@devosurf/tesser-brand";
+import type { ConnectionRequirement, Requirement } from "../broker/connect.js";
+
+export const esc = (s: unknown): string =>
+  String(s ?? "").replace(/[&<>"']/g, (ch) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[ch]!);
+
+const CSS = inlineCss();
+
+const ARROW = `<svg width="14" height="14" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path d="M5 12h14M13 6l6 6-6 6" fill="none" stroke="currentColor" stroke-width="2.3" stroke-linecap="round" stroke-linejoin="round"/></svg>`;
+const SHIELD = `<svg width="15" height="15" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path d="M12 3l7 3v5c0 4.5-3 7.5-7 9-4-1.5-7-4.5-7-9V6l7-3Z" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linejoin="round"/><path d="M9 12l2 2 4-4" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/></svg>`;
+
+export interface ShellOptions {
+  /** Browser tab title; the page headline carries the brand, the tab gets "· tesser". */
+  title: string;
+  /** Instance host shown in the top bar. */
+  host: string;
+  /** Link-state chip in the top bar. */
+  chip?: { dot: "positive" | "warning" | "danger"; label: string };
+  headline: string;
+  /** May contain markup; callers escape interpolations. */
+  lead?: string;
+  body?: string;
+  /** The encrypted-store footnote; on for pages that accept values. */
+  securityNote?: boolean;
+}
+
+export function shell(o: ShellOptions): string {
+  const chip = o.chip
+    ? `<span class="t-chip"><span class="t-dot t-dot--${o.chip.dot}"></span>${esc(o.chip.label)}</span>`
+    : "";
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${esc(o.title)} · tesser</title>
+<style>${CSS}</style></head><body class="t-page">
+<header class="t-bar">
+  <span class="t-brand">${markSvg({ size: 22 })}<span class="t-wordmark">tesser</span></span>
+  <span class="t-bar-meta">${chip}<span class="t-host">${esc(o.host)}</span></span>
+</header>
+<main class="t-main"><div class="t-col">
+  <h1 class="t-page-title">${esc(o.headline)}</h1>
+  ${o.lead ? `<p class="t-lead">${o.lead}</p>` : ""}
+  ${o.body ?? ""}
+  ${o.securityNote ? `<p class="t-footnote">${SHIELD}<span>Single use and expiring. Values go to the encrypted store. The agent holds a handle, never the value.</span></p>` : ""}
+</div></main>
+</body></html>`;
+}
+
+/* requirement cards ----------------------------------------------------- */
+
+export interface RequirementView {
+  requirement: Requirement;
+  satisfied: boolean;
+}
+
+/** Monogram tile glyph: the first character of the thing's own name, any connector. */
+const glyph = (id: string): string => (id.trim().charAt(0) || "?").toUpperCase();
+
+const status = (satisfied: boolean, pendingLabel: string, readyLabel: string): string =>
+  satisfied
+    ? `<span class="t-status t-status--ready t-right"><span class="t-dot t-dot--positive"></span>${esc(readyLabel)}</span>`
+    : `<span class="t-status t-status--pending t-right"><span class="t-dot t-dot--warning"></span>${esc(pendingLabel)}</span>`;
+
+const head = (o: { glyph: string; title: string; mono?: boolean; kind: string; meta: string; status: string }): string =>
+  `<div class="t-card-head">
+    <span class="t-tile" aria-hidden="true">${esc(o.glyph)}</span>
+    <span class="t-card-id">
+      <span class="t-card-title-row"><span class="t-card-title${o.mono ? " t-card-title--mono" : ""}">${esc(o.title)}</span><span class="t-kind">${esc(o.kind)}</span></span>
+      <span class="t-meta">${esc(o.meta)}</span>
+    </span>
+    ${o.status}
+  </div>`;
+
+const neededBy = (automations: string[]): string => `Needed by ${automations.join(", ")}`;
+
+const fieldInput = (name: string, label: string): string => {
+  const type = /key|token|password|secret/i.test(label) ? "password" : "text";
+  return `<label class="t-field"><span class="t-field-label">${esc(label.replace(/_/g, " "))}</span><input class="t-input" name="${esc(name)}" type="${type}" required autocomplete="off"></label>`;
+};
+
+function endUserInput(req: ConnectionRequirement): string {
+  return req.scope === "per_user" ? fieldInput("end_user_id", "end user id") : "";
+}
+
+function connectionBands(token: string, req: ConnectionRequirement): string {
+  return req.modes
+    .map((mode) => {
+      if (mode.kind === "oauth2") {
+        const note = mode.scopes?.length ? `scopes · ${mode.scopes.join(" · ")}` : `mode · ${mode.name}`;
+        return `<form class="t-card-band${req.scope === "per_user" ? " t-card-band--stacked" : ""}" method="get" action="/connect/${esc(token)}/oauth/start">
+          <input type="hidden" name="connector" value="${esc(req.connector)}">
+          <input type="hidden" name="mode" value="${esc(mode.name)}">
+          <input type="hidden" name="scope" value="${esc(req.scope)}">
+          <span class="t-scopes">${esc(note)}${req.scope === "per_user" ? " · end user required" : ""}</span>
+          ${endUserInput(req)}
+          <button class="t-btn t-btn--accent${req.scope === "per_user" ? "" : " t-right"}">Connect with OAuth ${ARROW}</button>
+        </form>`;
+      }
+      const hidden = `<input type="hidden" name="connector" value="${esc(req.connector)}">
+        <input type="hidden" name="mode" value="${esc(mode.name)}">
+        <input type="hidden" name="scope" value="${esc(req.scope)}">`;
+      if (mode.fields.length === 0) {
+        return `<form class="t-card-band${req.scope === "per_user" ? " t-card-band--stacked" : ""}" method="post" action="/connect/${esc(token)}/connection">
+          ${hidden}
+          <span class="t-scopes">mode · ${esc(mode.name)}${req.scope === "per_user" ? " · end user required" : ""}</span>
+          ${endUserInput(req)}
+          <button class="t-btn t-btn--primary${req.scope === "per_user" ? "" : " t-right"}">Create connection</button>
+        </form>`;
+      }
+      return `<div class="t-card-band t-card-band--stacked">
+        <span class="t-scopes">mode · ${esc(mode.name)}${mode.describe ? ` · ${esc(mode.describe)}` : ""}</span>
+        <form class="t-form-col" method="post" action="/connect/${esc(token)}/connection">
+          ${hidden}
+          ${endUserInput(req)}
+          ${mode.fields.map((f) => fieldInput(`field_${f}`, f)).join("\n")}
+          <button class="t-btn t-btn--primary">Save credential</button>
+        </form>
+      </div>`;
+    })
+    .join("");
+}
+
+export function requirementCard(token: string, view: RequirementView): string {
+  const { requirement: req, satisfied } = view;
+
+  if (req.type === "connection") {
+    const scope = req.scope === "per_user" ? "per user" : req.scope;
+    const top = head({
+      glyph: glyph(req.connector),
+      title: req.connector,
+      kind: "connection",
+      meta: `${satisfied ? "Connected · " : ""}${neededBy(req.automations)} · ${scope}`,
+      status: status(satisfied, "pending", "ready"),
+    });
+    return `<div class="t-card">${top}${satisfied ? "" : connectionBands(token, req)}</div>`;
+  }
+
+  if (req.type === "secret") {
+    const top = head({
+      glyph: glyph(req.name),
+      title: req.name,
+      mono: true,
+      kind: "secret",
+      meta: `${req.describe ? `${req.describe} · ` : ""}${neededBy(req.automations)}`,
+      status: status(satisfied, "pending", "set"),
+    });
+    const band = satisfied
+      ? ""
+      : `<form class="t-card-band" method="post" action="/connect/${esc(token)}/secret">
+          <input type="hidden" name="name" value="${esc(req.name)}">
+          <input class="t-input t-grow" name="value" type="password" placeholder="value" required autocomplete="off" aria-label="value for ${esc(req.name)}">
+          <button class="t-btn t-btn--primary">Save</button>
+        </form>`;
+    return `<div class="t-card">${top}${band}</div>`;
+  }
+
+  const top = head({
+    glyph: glyph(req.connector),
+    title: `${req.connector}.${req.trigger}`,
+    mono: true,
+    kind: "webhook",
+    meta: `Register with the provider · needed by ${req.automation}`,
+    status: status(satisfied, "action needed", "registered"),
+  });
+  const band = satisfied
+    ? ""
+    : `<div class="t-card-band t-card-band--stacked">
+        <pre class="t-pre">${esc(req.instructions)}</pre>
+        <form class="t-form-row" method="post" action="/connect/${esc(token)}/webhook/${esc(req.registrationId)}">
+          <input class="t-input t-grow" name="signing_secret" type="password" placeholder="signing secret" required autocomplete="off" aria-label="signing secret">
+          <button class="t-btn t-btn--primary">Save and mark registered</button>
+        </form>
+      </div>`;
+  return `<div class="t-card">${top}${band}</div>`;
+}
+
+/* the link page ---------------------------------------------------------- */
+
+const COUNT_WORDS = ["Zero", "One", "Two", "Three", "Four", "Five", "Six", "Seven", "Eight", "Nine"];
+
+export function linkHeadline(total: number, done: boolean): string {
+  if (done) return "All set.";
+  const count = COUNT_WORDS[total] ?? String(total);
+  return `${count} ${total === 1 ? "thing" : "things"} to connect.`;
+}
+
+/** Maps the ?done= redirect param to a human notice. */
+export function noticeLabel(done: string): string {
+  if (done.startsWith("secret:")) return `Saved ${done.slice("secret:".length)}.`;
+  if (done === "webhook") return "Webhook registered.";
+  return `Connected ${done}.`;
+}
+
+export function linkPage(o: {
+  host: string;
+  token: string;
+  requirements: RequirementView[];
+  completed: boolean;
+  notice?: string | undefined;
+}): string {
+  const total = o.requirements.length;
+  const ready = o.requirements.filter((r) => r.satisfied).length;
+  const pending = total - ready;
+  const done = o.completed || (total > 0 && pending === 0);
+
+  const progress =
+    total === 0
+      ? ""
+      : `<div class="t-progress t-gap-top-32">
+          <div class="t-progress-meta"><span>${ready} of ${total} ready</span><span class="is-remaining">${pending > 0 ? `${pending} pending` : "complete"}</span></div>
+          <div class="t-progress-track"><div class="t-progress-fill" style="width:${Math.round((ready / total) * 100)}%"></div></div>
+        </div>`;
+
+  const notice = o.notice
+    ? `<div class="t-notice t-gap-top-24"><span class="t-dot t-dot--positive"></span>${esc(noticeLabel(o.notice))}</div>`
+    : "";
+
+  const cards = total === 0 ? "" : `<div class="t-stack t-gap-top-32">${o.requirements.map((r) => requirementCard(o.token, r)).join("\n")}</div>`;
+
+  return shell({
+    title: done ? "All set" : "Connect",
+    host: o.host,
+    chip: { dot: "positive", label: "single-use link" },
+    headline: linkHeadline(total, done),
+    lead: done
+      ? "Everything this deploy needs is in place. You can close this page. The agent picks it up from here."
+      : "Your agent halted this deploy until these are in place. The agent takes it from there.",
+    body: `${notice}${progress}${cards}`,
+    securityNote: true,
+  });
+}
+
+/* secondary pages --------------------------------------------------------- */
+
+export function oauthAppPage(o: { host: string; token: string; provider: string; connector: string; mode: string; scope: string; endUserId?: string | undefined; callbackUrl: string }): string {
+  const top = head({
+    glyph: glyph(o.provider),
+    title: o.provider,
+    kind: "oauth app",
+    meta: "Bring your own app: the instance stores the client credentials, encrypted",
+    status: status(false, "action needed", "ready"),
+  });
+  const body = `<div class="t-card t-gap-top-32">${top}
+    <div class="t-card-band t-card-band--stacked">
+      <span class="t-scopes">callback url</span>
+      <pre class="t-pre">${esc(o.callbackUrl)}</pre>
+      <form class="t-form-col" method="post" action="/connect/${esc(o.token)}/oauth/app">
+        <input type="hidden" name="provider" value="${esc(o.provider)}">
+        <input type="hidden" name="connector" value="${esc(o.connector)}">
+        <input type="hidden" name="mode" value="${esc(o.mode)}">
+        <input type="hidden" name="scope" value="${esc(o.scope)}">
+        ${o.endUserId ? `<input type="hidden" name="end_user_id" value="${esc(o.endUserId)}">` : ""}
+        ${fieldInput("client_id", "client id")}
+        ${fieldInput("client_secret", "client secret")}
+        <button class="t-btn t-btn--accent">Connect with OAuth ${ARROW}</button>
+      </form>
+    </div>
+  </div>`;
+  return shell({
+    title: `OAuth app for ${o.provider}`,
+    host: o.host,
+    chip: { dot: "warning", label: "setup needed" },
+    headline: "One app to register.",
+    lead: `This instance has no OAuth app for <code class="t-code">${esc(o.provider)}</code> yet. Create one in the provider's developer console with the callback URL below, then continue to consent.`,
+    body,
+    securityNote: true,
+  });
+}
+
+export function messagePage(o: {
+  host: string;
+  title: string;
+  chip: NonNullable<ShellOptions["chip"]>;
+  headline: string;
+  lead: string;
+  pre?: string;
+}): string {
+  return shell({
+    title: o.title,
+    host: o.host,
+    chip: o.chip,
+    headline: o.headline,
+    lead: o.lead,
+    body: o.pre ? `<pre class="t-pre t-gap-top-24">${esc(o.pre)}</pre>` : "",
+  });
+}

package/src/http/connect.ts

@@ -0,0 +1,351 @@
+// The connect pages (ADR-0005): the human's browser is where values enter the system.
+// Single-use links; OAuth consent and secret paste both land directly in the encrypted
+// store; the agent only polls /api/connect-links/:token/status. Plain HTML forms,
+// rendered by connect-view.ts in the @devosurf/tesser-brand system.
+
+import { randomBytes } from "node:crypto";
+import { Hono } from "hono";
+import type { Db } from "../db/db.js";
+import type { Broker } from "../broker/broker.js";
+import {
+  connectLinkStatus,
+  getConnectLink,
+  type ConnectionRequirement,
+  type ConnectLinkRow,
+} from "../broker/connect.js";
+import { buildAuthorizeUrl, exchangeCode, generatePkce } from "../broker/oauth.js";
+import { hashWebhookSetupToken } from "../gitsync/deploy-keys.js";
+import { esc, linkPage, messagePage, oauthAppPage, shell } from "./connect-view.js";
+
+export interface ConnectDeps {
+  db: Db;
+  broker: Broker;
+  baseUrl: string;
+}
+
+function hostOf(baseUrl: string): string {
+  try {
+    return new URL(baseUrl).host;
+  } catch {
+    return baseUrl;
+  }
+}
+
+async function renderLink(deps: ConnectDeps, link: ConnectLinkRow, notice?: string): Promise<string> {
+  const status = await connectLinkStatus(deps.db, deps.broker, link);
+  return linkPage({
+    host: hostOf(deps.baseUrl),
+    token: link.token,
+    requirements: status.requirements,
+    completed: status.status === "completed",
+    notice,
+  });
+}
+
+export function createConnectRoutes(deps: ConnectDeps): Hono {
+  const app = new Hono();
+  const host = hostOf(deps.baseUrl);
+
+  app.get("/setup/git/:token", async (c) => {
+    const tokenHash = hashWebhookSetupToken(c.req.param("token"));
+    const { rows } = await deps.db.query<{
+      id: string;
+      name: string;
+      workspace_id: string;
+      deploy_key_public: string | null;
+      push_webhook_secret_cipher: string | null;
+    }>(
+      `SELECT id, name, workspace_id, deploy_key_public, push_webhook_secret_cipher
+       FROM projects WHERE push_webhook_setup_token_hash=$1`,
+      [tokenHash],
+    );
+    const project = rows[0];
+    if (!project || !project.push_webhook_secret_cipher || !project.deploy_key_public) {
+      return c.html(
+        messagePage({
+          host,
+          title: "Unknown setup link",
+          chip: { dot: "danger", label: "unknown setup" },
+          headline: "Unknown setup link.",
+          lead: "This Project git setup link does not exist. Ask the agent to run <code class=\"t-code\">tesser link</code> again.",
+        }),
+        404,
+      );
+    }
+    const webhookSecret = await deps.broker.decryptValue(
+      project.workspace_id,
+      project.push_webhook_secret_cipher,
+      "project.webhook.signing",
+    );
+    const webhookUrl = `${deps.baseUrl.replace(/\/$/, "")}/hooks/git/${project.id}/push`;
+    return c.html(
+      shell({
+        title: `Git setup for ${project.name}`,
+        host,
+        chip: { dot: "warning", label: "human setup" },
+        headline: "Configure git deploy access.",
+        lead: `Add the deploy key and push webhook below in your git host for Project <code class=\"t-code\">${esc(project.name)}</code>. The private key and webhook signing secret are stored encrypted by this Instance and never returned by the CLI/API JSON.`,
+        body: `<div class="t-stack t-gap-top-32">
+          <div class="t-card"><div class="t-card-band t-card-band--stacked">
+            <span class="t-scopes">deploy key (public)</span>
+            <pre class="t-pre">${esc(project.deploy_key_public)}</pre>
+          </div></div>
+          <div class="t-card"><div class="t-card-band t-card-band--stacked">
+            <span class="t-scopes">push webhook url</span>
+            <pre class="t-pre">${esc(webhookUrl)}</pre>
+            <span class="t-scopes">signing secret</span>
+            <pre class="t-pre">${esc(webhookSecret)}</pre>
+            <span class="t-scopes">signature header</span>
+            <pre class="t-pre">X-Hub-Signature-256: sha256=&lt;hmac-sha256 body with signing secret&gt;</pre>
+          </div></div>
+        </div>`,
+      }),
+    );
+  });
+
+  app.get("/connect/:token", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link) {
+      return c.html(
+        messagePage({
+          host,
+          title: "Unknown link",
+          chip: { dot: "danger", label: "unknown link" },
+          headline: "Unknown link.",
+          lead: "This connect link does not exist.",
+        }),
+        404,
+      );
+    }
+    if (link.status === "expired") {
+      return c.html(
+        messagePage({
+          host,
+          title: "Link expired",
+          chip: { dot: "warning", label: "link expired" },
+          headline: "Link expired.",
+          lead: `Connect links are single use and short-lived. Ask the agent to mint a new one with <code class="t-code">tesser connect</code>.`,
+        }),
+        410,
+      );
+    }
+    const notice = c.req.query("done");
+    return c.html(await renderLink(deps, link, notice));
+  });
+
+  app.post("/connect/:token/secret", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.status !== "pending") return c.text("link not active", 410);
+    const form = await c.req.parseBody();
+    const name = String(form["name"] ?? "");
+    const value = String(form["value"] ?? "");
+    if (!link.requirements.some((r) => r.type === "secret" && r.name === name)) {
+      return c.text("secret not part of this link", 400);
+    }
+    if (value.length === 0) return c.text("empty value", 400);
+    await deps.broker.setSecret(link.workspace_id, name, value);
+    return c.redirect(`/connect/${link.token}?done=secret:${encodeURIComponent(name)}`);
+  });
+
+  app.post("/connect/:token/connection", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.status !== "pending") return c.text("link not active", 410);
+    const form = await c.req.parseBody();
+    const connector = String(form["connector"] ?? "");
+    const modeName = String(form["mode"] ?? "");
+    const scope = String(form["scope"] ?? "workspace");
+    const req = link.requirements.find(
+      (r): r is ConnectionRequirement => r.type === "connection" && r.connector === connector && r.scope === scope,
+    );
+    const mode = req?.modes.find((m) => m.name === modeName);
+    if (!req || !mode || mode.kind === "oauth2") return c.text("unknown connection requirement/mode", 400);
+
+    const endUserId = req.scope === "per_user" ? String(form["end_user_id"] ?? "").trim() : "";
+    if (req.scope === "per_user" && endUserId.length === 0) return c.text("missing end_user_id", 400);
+    const fields: Record<string, string> = {};
+    for (const f of mode.fields) {
+      const v = String(form[`field_${f}`] ?? "");
+      if (v.length === 0) return c.text(`missing field ${f}`, 400);
+      fields[f] = v;
+    }
+    const connectionId = await deps.broker.createConnection({
+      workspaceId: link.workspace_id,
+      connectorId: connector,
+      ...(req.provider !== undefined ? { provider: req.provider } : {}),
+      authMode: modeName,
+      scope: req.scope,
+      ...(req.scope === "per_user" ? { endUserId } : {}),
+      label: `via connect link`,
+    });
+    await deps.broker.setConnectionCredential(connectionId, fields);
+    return c.redirect(`/connect/${link.token}?done=${encodeURIComponent(connector)}`);
+  });
+
+  app.get("/connect/:token/oauth/start", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.status !== "pending") return c.text("link not active", 410);
+    const connector = c.req.query("connector") ?? "";
+    const modeName = c.req.query("mode") ?? "";
+    const scope = c.req.query("scope") ?? "workspace";
+    const req = link.requirements.find(
+      (r): r is ConnectionRequirement => r.type === "connection" && r.connector === connector && r.scope === scope,
+    );
+    const mode = req?.modes.find((m) => m.name === modeName);
+    if (!req || !mode || mode.kind !== "oauth2" || !req.providerFacts?.oauth2) {
+      return c.text("unknown oauth requirement", 400);
+    }
+    const endUserId = req.scope === "per_user" ? (c.req.query("end_user_id") ?? "").trim() : "";
+    if (req.scope === "per_user" && endUserId.length === 0) return c.text("missing end_user_id", 400);
+    const provider = req.provider ?? req.providerFacts.id;
+    const app2 = await deps.broker.getOAuthApp(link.workspace_id, provider);
+    if (!app2) {
+      // BYO OAuth app (ADR-0005): collect the operator's client id/secret first.
+      return c.html(
+        oauthAppPage({
+          host,
+          token: link.token,
+          provider,
+          connector,
+          mode: modeName,
+          scope: req.scope,
+          ...(endUserId ? { endUserId } : {}),
+          callbackUrl: `${deps.baseUrl}/oauth/callback`,
+        }),
+      );
+    }
+
+    const connectionId = await deps.broker.createConnection({
+      workspaceId: link.workspace_id,
+      connectorId: connector,
+      provider,
+      authMode: modeName,
+      scope: req.scope,
+      ...(req.scope === "per_user" ? { endUserId } : {}),
+      label: "via connect link (oauth)",
+    });
+    const state = `st_${randomBytes(16).toString("hex")}`;
+    const facts = req.providerFacts.oauth2;
+    const pkce = facts.pkce === false ? undefined : generatePkce();
+    const redirectUri = `${deps.baseUrl}/oauth/callback`;
+    await deps.db.query(
+      `INSERT INTO oauth_states (state, connect_token, connection_id, provider, code_verifier, redirect_uri, expires_at)
+       VALUES ($1,$2,$3,$4,$5,$6, now() + interval '15 minutes')`,
+      [state, link.token, connectionId, provider, pkce?.verifier ?? null, redirectUri],
+    );
+    const url = buildAuthorizeUrl({
+      facts,
+      clientId: app2.clientId,
+      redirectUri,
+      scopes: mode.scopes ?? [],
+      state,
+      codeChallenge: pkce?.challenge,
+    });
+    return c.redirect(url);
+  });
+
+  app.post("/connect/:token/oauth/app", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.status !== "pending") return c.text("link not active", 410);
+    const form = await c.req.parseBody();
+    const provider = String(form["provider"] ?? "");
+    const clientId = String(form["client_id"] ?? "");
+    const clientSecret = String(form["client_secret"] ?? "");
+    if (!provider || !clientId || !clientSecret) return c.text("missing fields", 400);
+    await deps.broker.setOAuthApp(link.workspace_id, provider, clientId, clientSecret);
+    const params = new URLSearchParams({
+      connector: String(form["connector"]),
+      mode: String(form["mode"]),
+      scope: String(form["scope"] ?? "workspace"),
+    });
+    const endUserId = String(form["end_user_id"] ?? "").trim();
+    if (endUserId) params.set("end_user_id", endUserId);
+    return c.redirect(`/connect/${link.token}/oauth/start?${params}`);
+  });
+
+  app.get("/oauth/callback", async (c) => {
+    const oauthError = (lead: string, pre?: string): string =>
+      messagePage({
+        host,
+        title: "OAuth error",
+        chip: { dot: "danger", label: "oauth error" },
+        headline: "OAuth error.",
+        lead,
+        ...(pre !== undefined ? { pre } : {}),
+      });
+
+    const state = c.req.query("state") ?? "";
+    const code = c.req.query("code") ?? "";
+    const { rows } = await deps.db.query<{
+      state: string;
+      connect_token: string | null;
+      connection_id: string;
+      provider: string;
+      code_verifier: string | null;
+      redirect_uri: string;
+      expires_at: string;
+    }>(`SELECT * FROM oauth_states WHERE state=$1`, [state]);
+    const st = rows[0];
+    if (!st || new Date(String(st.expires_at)).getTime() < Date.now()) {
+      return c.html(oauthError("State expired or unknown. Restart from the connect page."), 400);
+    }
+    await deps.db.query(`DELETE FROM oauth_states WHERE state=$1`, [state]); // single-use
+    if (!code) return c.html(oauthError(`The provider returned: ${esc(c.req.query("error") ?? "consent denied")}.`), 400);
+
+    const link = st.connect_token ? await getConnectLink(deps.db, st.connect_token) : null;
+    const req = link?.requirements.find(
+      (r): r is ConnectionRequirement =>
+        r.type === "connection" && (r.provider ?? r.providerFacts?.id) === st.provider,
+    );
+    const facts = req?.providerFacts?.oauth2;
+    if (!link || !facts) return c.html(oauthError("Connect link no longer valid."), 400);
+
+    const app2 = await deps.broker.getOAuthApp(link.workspace_id, st.provider);
+    if (!app2) return c.html(oauthError("OAuth app vanished mid-flow."), 400);
+
+    try {
+      const tokens = await exchangeCode({
+        facts,
+        clientId: app2.clientId,
+        clientSecret: app2.clientSecret,
+        code,
+        redirectUri: st.redirect_uri,
+        codeVerifier: st.code_verifier ?? undefined,
+      });
+      await deps.broker.setConnectionCredential(
+        st.connection_id,
+        {
+          access_token: tokens.accessToken,
+          ...(tokens.refreshToken !== undefined ? { refresh_token: tokens.refreshToken } : {}),
+        },
+        {
+          ...(tokens.expiresAt !== undefined ? { expiresAt: tokens.expiresAt } : {}),
+          ...(tokens.scope !== undefined ? { scope: tokens.scope } : {}),
+        },
+      );
+    } catch (err) {
+      return c.html(oauthError("Token exchange failed.", (err as Error).message), 502);
+    }
+    return c.redirect(`/connect/${link.token}?done=${encodeURIComponent(req!.connector)}`);
+  });
+
+  // Manual webhook registration completion (ADR-0013 manual mode).
+  app.post("/connect/:token/webhook/:registrationId", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.status !== "pending") return c.text("link not active", 410);
+    const regId = c.req.param("registrationId");
+    if (!link.requirements.some((r) => r.type === "webhook-manual" && r.registrationId === regId)) {
+      return c.text("registration not part of this link", 400);
+    }
+    const form = await c.req.parseBody();
+    const secret = String(form["signing_secret"] ?? "");
+    if (secret.length === 0) return c.text("empty signing secret", 400);
+    const cipher = await deps.broker.encryptValue(link.workspace_id, secret, "webhook.signing");
+    await deps.db.query(
+      `UPDATE webhook_registrations SET signing_secret_cipher=$2, status='registered', updated_at=now() WHERE id=$1`,
+      [regId, cipher],
+    );
+    return c.redirect(`/connect/${link.token}?done=webhook`);
+  });
+
+  return app;
+}