@elizaos/plugin-google 2.0.3-beta.6 → 2.0.3-beta.7

package/dist/connector-account-provider.js

@@ -0,0 +1,361 @@
+/**
+ * Google ConnectorAccountManager provider.
+ *
+ * Bridges plugin-google to the @elizaos/core ConnectorAccountManager so the
+ * generic HTTP CRUD + OAuth surface (packages/agent/src/api/connector-account-routes.ts)
+ * can list, create, patch, delete, and run the OAuth flow for Google accounts
+ * using a single consolidated grant covering Gmail, Calendar, Drive, and Meet.
+ *
+ * Single OAuth grant per account: callers may pass `scopes` to the manager's
+ * startOAuth to limit which capabilities are requested. By default all
+ * capabilities (gmail.read+send+manage, calendar.read+write, drive.read+write,
+ * meet.create+read) are requested; granted capabilities are recorded on the
+ * returned account so downstream consumers know which surfaces are usable.
+ */
+import { createHash, randomBytes } from "node:crypto";
+import { logger, } from "@elizaos/core";
+import { GOOGLE_OAUTH_PROVIDER_METADATA } from "./auth.js";
+import { persistConnectorCredentialRefs } from "./connector-credential-refs.js";
+import { GOOGLE_CAPABILITIES, GOOGLE_IDENTITY_SCOPES, isGoogleCapability, scopesForGoogleCapabilities, } from "./scopes.js";
+import { GOOGLE_SERVICE_NAME } from "./types.js";
+const GOOGLE_USERINFO_ENDPOINT = "https://openidconnect.googleapis.com/v1/userinfo";
+const GROUP_PURPOSE = {
+    gmail: "messaging",
+    calendar: "calendar",
+    drive: "drive",
+    meet: "meet",
+};
+function createCodeVerifier() {
+    return randomBytes(64).toString("base64url");
+}
+function createCodeChallenge(codeVerifier) {
+    return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+function nonEmptyString(value) {
+    if (typeof value !== "string")
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function readSetting(runtime, key) {
+    return nonEmptyString(runtime.getSetting?.(key));
+}
+function readClientConfig(runtime) {
+    const clientId = readSetting(runtime, "GOOGLE_CLIENT_ID");
+    const clientSecret = readSetting(runtime, "GOOGLE_CLIENT_SECRET");
+    const redirectUri = readSetting(runtime, "GOOGLE_REDIRECT_URI");
+    if (!clientId || !clientSecret || !redirectUri) {
+        throw new Error("Google OAuth requires GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REDIRECT_URI to be configured.");
+    }
+    return { clientId, clientSecret, redirectUri };
+}
+function normalizeRequestedCapabilities(scopes) {
+    if (!scopes || scopes.length === 0) {
+        return [...GOOGLE_CAPABILITIES];
+    }
+    // The caller passes either capability identifiers (e.g. "gmail.read") OR raw
+    // OAuth scope URLs. Both shapes are accepted so the manager's startOAuth API
+    // surface stays uniform with other providers (which use raw scopes).
+    const requested = new Set();
+    for (const value of scopes) {
+        if (isGoogleCapability(value)) {
+            requested.add(value);
+            continue;
+        }
+        const matched = matchCapabilityFromScope(value);
+        if (matched) {
+            requested.add(matched);
+        }
+    }
+    if (requested.size === 0) {
+        return [...GOOGLE_CAPABILITIES];
+    }
+    return [...requested];
+}
+function matchCapabilityFromScope(scope) {
+    // Scope URL → capability ID mapping. Pulls from the canonical capability
+    // metadata so additions to scopes.ts propagate automatically.
+    const trimmed = scope.trim().toLowerCase();
+    for (const capability of GOOGLE_CAPABILITIES) {
+        const capabilityScopes = scopesForGoogleCapabilities([capability], {
+            includeIdentityScopes: false,
+        });
+        if (capabilityScopes.some((value) => value.toLowerCase() === trimmed)) {
+            return capability;
+        }
+    }
+    return undefined;
+}
+function purposesForCapabilities(capabilities) {
+    const groups = new Set();
+    for (const capability of capabilities) {
+        groups.add(capability.split(".")[0]);
+    }
+    return [...groups].map((group) => GROUP_PURPOSE[group]);
+}
+function parseScopeString(value) {
+    if (!value)
+        return [];
+    return value
+        .split(/\s+/)
+        .map((scope) => scope.trim())
+        .filter(Boolean);
+}
+function roleFromMetadata(metadata) {
+    const record = metadata && typeof metadata === "object" && !Array.isArray(metadata)
+        ? metadata
+        : {};
+    // Cloud OAuth writes `connectionRole` (uppercase canonical) and a legacy
+    // lowercase `agentGoogleSide`. Local UI flows pass `role`/`accountRole`/
+    // `requestedRole`. Accept all five shapes so the role survives whichever
+    // path the OAuth start metadata came through.
+    //
+    // Precedence: most-explicit cloud field first, then the original local
+    // fields in their original order (`role` first, `requestedRole` last so a
+    // stale earlier-step value can't override a later correction), then the
+    // legacy `agentGoogleSide` as the final fallback.
+    const raw = nonEmptyString(record.connectionRole ??
+        record.role ??
+        record.accountRole ??
+        record.requestedRole ??
+        record.agentGoogleSide);
+    if (!raw)
+        return "OWNER";
+    const normalized = raw.toUpperCase();
+    if (normalized === "OWNER" || normalized === "AGENT" || normalized === "TEAM") {
+        return normalized;
+    }
+    return "OWNER";
+}
+function parseIdTokenClaims(idToken) {
+    if (!idToken)
+        return {};
+    const segments = idToken.split(".");
+    if (segments.length < 2)
+        return {};
+    try {
+        const payload = Buffer.from(segments[1] ?? "", "base64url").toString("utf-8");
+        const parsed = JSON.parse(payload);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+    }
+    catch {
+        return {};
+    }
+}
+async function fetchGoogleUserInfo(accessToken) {
+    const response = await fetch(GOOGLE_USERINFO_ENDPOINT, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!response.ok) {
+        throw new Error(`Google userinfo request failed with ${response.status}`);
+    }
+    const parsed = (await response.json());
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("Google userinfo returned an invalid payload.");
+    }
+    return parsed;
+}
+async function exchangeAuthorizationCode(args) {
+    const params = new URLSearchParams({
+        client_id: args.clientId,
+        client_secret: args.clientSecret,
+        redirect_uri: args.redirectUri,
+        grant_type: "authorization_code",
+        code: args.code,
+    });
+    if (args.codeVerifier) {
+        params.set("code_verifier", args.codeVerifier);
+    }
+    const response = await fetch(GOOGLE_OAUTH_PROVIDER_METADATA.tokenEndpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const body = await response.text();
+        throw new Error(`Google token exchange failed with ${response.status}: ${body}`);
+    }
+    const parsed = (await response.json());
+    if (!parsed.access_token || !Number.isFinite(parsed.expires_in)) {
+        throw new Error("Google token exchange returned an invalid payload.");
+    }
+    return parsed;
+}
+/**
+ * Build the Google ConnectorAccountManager provider. Exposes listAccounts (from
+ * manager-owned storage), CRUD adapters, and a single consolidated PKCE OAuth
+ * flow that returns a Google account hydrated with the granted capabilities,
+ * scopes, and userinfo identity.
+ */
+export function createGoogleConnectorAccountProvider(runtime) {
+    return {
+        provider: GOOGLE_SERVICE_NAME,
+        label: GOOGLE_OAUTH_PROVIDER_METADATA.label,
+        listAccounts: async (manager) => {
+            return manager.getStorage().listAccounts(GOOGLE_SERVICE_NAME);
+        },
+        createAccount: async (input, _manager) => {
+            // Persistence is owned by the manager; this adapter just normalizes the
+            // patch into a Google-shaped account so role/purpose/status defaults are
+            // sensible when an upstream caller creates the row before OAuth runs.
+            return {
+                ...input,
+                provider: GOOGLE_SERVICE_NAME,
+                role: input.role ?? "OWNER",
+                purpose: input.purpose ?? ["messaging", "calendar", "drive", "meet"],
+                accessGate: input.accessGate ?? "open",
+                status: input.status ?? "pending",
+            };
+        },
+        patchAccount: async (_accountId, patch, _manager) => {
+            return { ...patch, provider: GOOGLE_SERVICE_NAME };
+        },
+        deleteAccount: async (_accountId, _manager) => {
+            // Credential cleanup is the credential store's responsibility; the
+            // manager removes the account row after this resolves.
+        },
+        startOAuth: async (request, _manager) => {
+            const config = readClientConfig(runtime);
+            const redirectUri = request.redirectUri ?? config.redirectUri;
+            const capabilities = normalizeRequestedCapabilities(request.scopes);
+            const oauthScopes = scopesForGoogleCapabilities(capabilities);
+            const codeVerifier = createCodeVerifier();
+            const codeChallenge = createCodeChallenge(codeVerifier);
+            const params = new URLSearchParams({
+                client_id: config.clientId,
+                redirect_uri: redirectUri,
+                response_type: "code",
+                scope: oauthScopes.join(" "),
+                state: request.flow.state,
+                access_type: "offline",
+                prompt: "consent",
+                code_challenge: codeChallenge,
+                code_challenge_method: "S256",
+                include_granted_scopes: "true",
+            });
+            return {
+                authUrl: `${GOOGLE_OAUTH_PROVIDER_METADATA.authorizationEndpoint}?${params.toString()}`,
+                codeVerifier,
+                metadata: {
+                    ...request.metadata,
+                    requestedCapabilities: capabilities,
+                    requestedScopes: oauthScopes,
+                    redirectUri,
+                },
+            };
+        },
+        completeOAuth: async (request, manager) => {
+            const code = nonEmptyString(request.code);
+            if (!code) {
+                throw new Error("Google OAuth callback is missing an authorization code.");
+            }
+            const config = readClientConfig(runtime);
+            const redirectUri = nonEmptyString(request.flow.redirectUri) ??
+                nonEmptyString(request.flow.metadata?.redirectUri) ??
+                config.redirectUri;
+            const tokens = await exchangeAuthorizationCode({
+                clientId: config.clientId,
+                clientSecret: config.clientSecret,
+                redirectUri,
+                code,
+                codeVerifier: request.flow.codeVerifier,
+            });
+            const grantedScopes = parseScopeString(tokens.scope);
+            const grantedCapabilities = normalizeRequestedCapabilities(grantedScopes.length > 0
+                ? grantedScopes
+                : request.flow.metadata?.requestedScopes);
+            const purposes = purposesForCapabilities(grantedCapabilities);
+            let identity = parseIdTokenClaims(tokens.id_token);
+            if (!identity.email) {
+                identity = { ...identity, ...(await fetchGoogleUserInfo(tokens.access_token)) };
+            }
+            const externalId = nonEmptyString(identity.sub) ?? nonEmptyString(identity.email);
+            if (!externalId) {
+                throw new Error("Google identity payload did not include sub or email.");
+            }
+            const expiresAt = Date.now() + tokens.expires_in * 1000;
+            const oauthCredentialVersion = String(Date.now());
+            const accountMetadata = {
+                email: identity.email ?? null,
+                emailVerified: identity.email_verified ?? null,
+                name: identity.name ?? null,
+                picture: identity.picture ?? null,
+                locale: identity.locale ?? null,
+                grantedCapabilities,
+                grantedScopes: grantedScopes.length > 0
+                    ? grantedScopes
+                    : scopesForGoogleCapabilities(grantedCapabilities),
+                identityScopes: [...GOOGLE_IDENTITY_SCOPES],
+                tokenType: tokens.token_type ?? "Bearer",
+                hasRefreshToken: Boolean(tokens.refresh_token),
+                expiresAt,
+                oauthCredentialVersion,
+            };
+            const pendingAccount = await manager.upsertAccount(GOOGLE_SERVICE_NAME, {
+                provider: GOOGLE_SERVICE_NAME,
+                role: roleFromMetadata(request.flow.metadata),
+                purpose: purposes,
+                accessGate: "open",
+                status: "pending",
+                externalId,
+                displayHandle: nonEmptyString(identity.email) ?? nonEmptyString(identity.name),
+                label: nonEmptyString(identity.name) ??
+                    nonEmptyString(identity.email) ??
+                    GOOGLE_OAUTH_PROVIDER_METADATA.label,
+                metadata: accountMetadata,
+            }, request.flow.accountId);
+            const credentialPersist = await persistConnectorCredentialRefs({
+                runtime,
+                manager,
+                provider: GOOGLE_SERVICE_NAME,
+                accountIdForRef: pendingAccount.id,
+                storageAccountId: pendingAccount.id,
+                caller: "plugin-google",
+                credentials: [
+                    {
+                        credentialType: "oauth.tokens",
+                        value: JSON.stringify({
+                            access_token: tokens.access_token,
+                            ...(tokens.refresh_token ? { refresh_token: tokens.refresh_token } : {}),
+                            ...(tokens.id_token ? { id_token: tokens.id_token } : {}),
+                            token_type: tokens.token_type ?? "Bearer",
+                            scope: grantedScopes.length > 0
+                                ? grantedScopes.join(" ")
+                                : scopesForGoogleCapabilities(grantedCapabilities).join(" "),
+                            expiry_date: expiresAt,
+                        }),
+                        expiresAt,
+                        metadata: {
+                            provider: GOOGLE_SERVICE_NAME,
+                            hasRefreshToken: Boolean(tokens.refresh_token),
+                        },
+                    },
+                ],
+            });
+            const accountPatch = {
+                ...pendingAccount,
+                id: pendingAccount.id,
+                provider: GOOGLE_SERVICE_NAME,
+                status: "connected",
+                metadata: {
+                    ...accountMetadata,
+                    credentialRefs: credentialPersist.refs,
+                    credentialRefStorage: {
+                        vaultAvailable: credentialPersist.vaultAvailable,
+                        storageAvailable: credentialPersist.storageAvailable,
+                    },
+                },
+            };
+            logger.info({
+                src: "plugin:google:connector",
+                externalId,
+                capabilities: grantedCapabilities,
+            }, "Google OAuth completed");
+            return {
+                account: accountPatch,
+                flow: { status: "completed" },
+            };
+        },
+    };
+}
+//# sourceMappingURL=connector-account-provider.js.map

package/dist/connector-account-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connector-account-provider.js","sourceRoot":"","sources":["../src/connector-account-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAYL,MAAM,GACP,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,8BAA8B,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAC;AAChF,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EAGtB,kBAAkB,EAClB,2BAA2B,GAC5B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,wBAAwB,GAAG,kDAAkD,CAAC;AAEpF,MAAM,aAAa,GAA2D;IAC5E,KAAK,EAAE,WAAsC;IAC7C,QAAQ,EAAE,UAAqC;IAC/C,KAAK,EAAE,OAAkC;IACzC,IAAI,EAAE,MAAiC;CACxC,CAAC;AAsBF,SAAS,kBAAkB;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,mBAAmB,CAAC,YAAoB;IAC/C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;AAClD,CAAC;AAED,SAAS,WAAW,CAAC,OAAsB,EAAE,GAAW;IACtD,OAAO,cAAc,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAsB;IAK9C,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;IAC1D,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CACb,yGAAyG,CAC1G,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;AACjD,CAAC;AAED,SAAS,8BAA8B,CAAC,MAAqC;IAC3E,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,mBAAmB,CAAC,CAAC;IAClC,CAAC;IACD,6EAA6E;IAC7E,6EAA6E;IAC7E,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC9C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACrB,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,mBAAmB,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAa;IAC7C,yEAAyE;IACzE,8DAA8D;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,KAAK,MAAM,UAAU,IAAI,mBAAmB,EAAE,CAAC;QAC7C,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,CAAC,UAAU,CAAC,EAAE;YACjE,qBAAqB,EAAE,KAAK;SAC7B,CAAC,CAAC;QACH,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,EAAE,CAAC;YACtE,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,uBAAuB,CAC9B,YAAyC;IAEzC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAA0B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAyB;IACjD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,OAAO,KAAK;SACT,KAAK,CAAC,KAAK,CAAC;SACZ,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAiB;IACzC,MAAM,MAAM,GACV,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;QAClE,CAAC,CAAE,QAAoC;QACvC,CAAC,CAAC,EAAE,CAAC;IACT,yEAAyE;IACzE,yEAAyE;IACzE,yEAAyE;IACzE,8CAA8C;IAC9C,EAAE;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,wEAAwE;IACxE,kDAAkD;IAClD,MAAM,GAAG,GAAG,cAAc,CACxB,MAAM,CAAC,cAAc;QACnB,MAAM,CAAC,IAAI;QACX,MAAM,CAAC,WAAW;QAClB,MAAM,CAAC,aAAa;QACpB,MAAM,CAAC,eAAe,CACzB,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,CAAC;IACzB,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;QAC9E,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAA2B;IACrD,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IACxB,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;QACrD,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IACpD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wBAAwB,EAAE;QACrD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmB,CAAC;IACzD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,yBAAyB,CAAC,IAMxC;IACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,aAAa,EAAE,IAAI,CAAC,YAAY;QAChC,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,UAAU,EAAE,oBAAoB;QAChC,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,8BAA8B,CAAC,aAAa,EAAE;QACzE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;KACxB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oCAAoC,CAClD,OAAsB;IAEtB,OAAO;QACL,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,8BAA8B,CAAC,KAAK;QAE3C,YAAY,EAAE,KAAK,EAAE,OAAgC,EAA+B,EAAE;YACpF,OAAO,OAAO,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC;QAChE,CAAC;QAED,aAAa,EAAE,KAAK,EAAE,KAA4B,EAAE,QAAiC,EAAE,EAAE;YACvF,wEAAwE;YACxE,yEAAyE;YACzE,sEAAsE;YACtE,OAAO;gBACL,GAAG,KAAK;gBACR,QAAQ,EAAE,mBAAmB;gBAC7B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,OAAO;gBAC3B,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,CAAC,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;gBACpE,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,MAAM;gBACtC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,SAAS;aAClC,CAAC;QACJ,CAAC;QAED,YAAY,EAAE,KAAK,EACjB,UAAkB,EAClB,KAA4B,EAC5B,QAAiC,EACjC,EAAE;YACF,OAAO,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,CAAC;QACrD,CAAC;QAED,aAAa,EAAE,KAAK,EAAE,UAAkB,EAAE,QAAiC,EAAiB,EAAE;YAC5F,mEAAmE;YACnE,uDAAuD;QACzD,CAAC;QAED,UAAU,EAAE,KAAK,EACf,OAAmC,EACnC,QAAiC,EACG,EAAE;YACtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACzC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;YAC9D,MAAM,YAAY,GAAG,8BAA8B,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,2BAA2B,CAAC,YAAY,CAAC,CAAC;YAC9D,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;YAC1C,MAAM,aAAa,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAExD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,MAAM,CAAC,QAAQ;gBAC1B,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC;gBAC5B,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK;gBACzB,WAAW,EAAE,SAAS;gBACtB,MAAM,EAAE,SAAS;gBACjB,cAAc,EAAE,aAAa;gBAC7B,qBAAqB,EAAE,MAAM;gBAC7B,sBAAsB,EAAE,MAAM;aAC/B,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,GAAG,8BAA8B,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE;gBACvF,YAAY;gBACZ,QAAQ,EAAE;oBACR,GAAG,OAAO,CAAC,QAAQ;oBACnB,qBAAqB,EAAE,YAAY;oBACnC,eAAe,EAAE,WAAW;oBAC5B,WAAW;iBACZ;aACF,CAAC;QACJ,CAAC;QAED,aAAa,EAAE,KAAK,EAClB,OAAsC,EACtC,OAAgC,EACO,EAAE;YACzC,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;YAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACzC,MAAM,WAAW,GACf,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC;gBACxC,cAAc,CACX,OAAO,CAAC,IAAI,CAAC,QAAgD,EAAE,WAAW,CAC5E;gBACD,MAAM,CAAC,WAAW,CAAC;YAErB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC;gBAC7C,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,WAAW;gBACX,IAAI;gBACJ,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY;aACxC,CAAC,CAAC;YAEH,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrD,MAAM,mBAAmB,GAAG,8BAA8B,CACxD,aAAa,CAAC,MAAM,GAAG,CAAC;gBACtB,CAAC,CAAC,aAAa;gBACf,CAAC,CAAG,OAAO,CAAC,IAAI,CAAC,QAAgD,EAAE,eAEnD,CACnB,CAAC;YACF,MAAM,QAAQ,GAAG,uBAAuB,CAAC,mBAAmB,CAAC,CAAC;YAE9D,IAAI,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;gBACpB,QAAQ,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,CAAC,MAAM,mBAAmB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YAClF,CAAC;YAED,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;YAC3E,CAAC;YACD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;YACxD,MAAM,sBAAsB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAClD,MAAM,eAAe,GAAG;gBACtB,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,IAAI;gBAC7B,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,IAAI;gBAC9C,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,IAAI;gBAC3B,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;gBACjC,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;gBAC/B,mBAAmB;gBACnB,aAAa,EACX,aAAa,CAAC,MAAM,GAAG,CAAC;oBACtB,CAAC,CAAC,aAAa;oBACf,CAAC,CAAC,2BAA2B,CAAC,mBAAmB,CAAC;gBACtD,cAAc,EAAE,CAAC,GAAG,sBAAsB,CAAC;gBAC3C,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACxC,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC;gBAC9C,SAAS;gBACT,sBAAsB;aACvB,CAAC;YACF,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,aAAa,CAChD,mBAAmB,EACnB;gBACE,QAAQ,EAAE,mBAAmB;gBAC7B,IAAI,EAAE,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC7C,OAAO,EAAE,QAAQ;gBACjB,UAAU,EAAE,MAAM;gBAClB,MAAM,EAAE,SAAS;gBACjB,UAAU;gBACV,aAAa,EAAE,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC9E,KAAK,EACH,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAC7B,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC9B,8BAA8B,CAAC,KAAK;gBACtC,QAAQ,EAAE,eAAe;aAC1B,EACD,OAAO,CAAC,IAAI,CAAC,SAAS,CACvB,CAAC;YACF,MAAM,iBAAiB,GAAG,MAAM,8BAA8B,CAAC;gBAC7D,OAAO;gBACP,OAAO;gBACP,QAAQ,EAAE,mBAAmB;gBAC7B,eAAe,EAAE,cAAc,CAAC,EAAE;gBAClC,gBAAgB,EAAE,cAAc,CAAC,EAAE;gBACnC,MAAM,EAAE,eAAe;gBACvB,WAAW,EAAE;oBACX;wBACE,cAAc,EAAE,cAAc;wBAC9B,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC;4BACpB,YAAY,EAAE,MAAM,CAAC,YAAY;4BACjC,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;4BACxE,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;4BACzD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;4BACzC,KAAK,EACH,aAAa,CAAC,MAAM,GAAG,CAAC;gCACtB,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;gCACzB,CAAC,CAAC,2BAA2B,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;4BAChE,WAAW,EAAE,SAAS;yBACvB,CAAC;wBACF,SAAS;wBACT,QAAQ,EAAE;4BACR,QAAQ,EAAE,mBAAmB;4BAC7B,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC;yBAC/C;qBACF;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,YAAY,GAGd;gBACF,GAAG,cAAc;gBACjB,EAAE,EAAE,cAAc,CAAC,EAAE;gBACrB,QAAQ,EAAE,mBAAmB;gBAC7B,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,GAAG,eAAe;oBAClB,cAAc,EAAE,iBAAiB,CAAC,IAAI;oBACtC,oBAAoB,EAAE;wBACpB,cAAc,EAAE,iBAAiB,CAAC,cAAc;wBAChD,gBAAgB,EAAE,iBAAiB,CAAC,gBAAgB;qBACrD;iBACF;aACF,CAAC;YAEF,MAAM,CAAC,IAAI,CACT;gBACE,GAAG,EAAE,yBAAyB;gBAC9B,UAAU;gBACV,YAAY,EAAE,mBAAmB;aAClC,EACD,wBAAwB,CACzB,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,YAAY;gBACrB,IAAI,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE;aAC9B,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/connector-credential-refs.d.ts

@@ -0,0 +1,43 @@
+import { type ConnectorAccountManager, type IAgentRuntime } from "@elizaos/core";
+type JsonValue = string | number | boolean | null | undefined | JsonValue[] | {
+    readonly [key: string]: JsonValue;
+};
+type JsonRecord = Record<string, JsonValue>;
+export interface ConnectorCredentialRefMetadata extends JsonRecord {
+    credentialType: string;
+    vaultRef: string;
+    expiresAt?: number;
+    metadata?: JsonRecord;
+}
+export interface ConnectorCredentialRefRecordLike {
+    credentialType: string;
+    vaultRef?: string | null;
+    metadata?: JsonRecord | null;
+    expiresAt?: number | string | Date | null;
+    updatedAt?: number | string | Date | null;
+    version?: string | number | null;
+}
+export interface ConnectorCredentialPersistResult {
+    refs: ConnectorCredentialRefMetadata[];
+    vaultAvailable: boolean;
+    storageAvailable: boolean;
+}
+interface ConnectorCredentialInput {
+    credentialType: string;
+    value: string;
+    expiresAt?: number;
+    metadata?: JsonRecord;
+}
+interface PersistConnectorCredentialRefsParams {
+    runtime: IAgentRuntime;
+    manager?: ConnectorAccountManager;
+    provider: string;
+    accountIdForRef: string;
+    storageAccountId?: string;
+    credentials: ConnectorCredentialInput[];
+    caller: string;
+}
+export declare function persistConnectorCredentialRefs(params: PersistConnectorCredentialRefsParams): Promise<ConnectorCredentialPersistResult>;
+export declare function credentialRefRecordsFromMetadata(metadata: unknown): ConnectorCredentialRefRecordLike[];
+export {};
+//# sourceMappingURL=connector-credential-refs.d.ts.map

package/dist/connector-credential-refs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connector-credential-refs.d.ts","sourceRoot":"","sources":["../src/connector-credential-refs.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,uBAAuB,EAC5B,KAAK,aAAa,EACnB,MAAM,eAAe,CAAC;AAEvB,KAAK,SAAS,GACV,MAAM,GACN,MAAM,GACN,OAAO,GACP,IAAI,GACJ,SAAS,GACT,SAAS,EAAE,GACX;IAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,CAAC;AAC1C,KAAK,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAE5C,MAAM,WAAW,8BAA+B,SAAQ,UAAU;IAChE,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,UAAU,CAAC;CACvB;AAED,MAAM,WAAW,gCAAgC;IAC/C,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1C,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC;IAC1C,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,gCAAgC;IAC/C,IAAI,EAAE,8BAA8B,EAAE,CAAC;IACvC,cAAc,EAAE,OAAO,CAAC;IACxB,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED,UAAU,wBAAwB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,UAAU,CAAC;CACvB;AAED,UAAU,oCAAoC;IAC5C,OAAO,EAAE,aAAa,CAAC;IACvB,OAAO,CAAC,EAAE,uBAAuB,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,wBAAwB,EAAE,CAAC;IACxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAYD,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,oCAAoC,GAC3C,OAAO,CAAC,gCAAgC,CAAC,CAqD3C;AAED,wBAAgB,gCAAgC,CAC9C,QAAQ,EAAE,OAAO,GAChB,gCAAgC,EAAE,CAUpC"}

package/dist/connector-credential-refs.js

@@ -0,0 +1,252 @@
+import { CONNECTOR_ACCOUNT_STORAGE_SERVICE_TYPE, } from "@elizaos/core";
+export async function persistConnectorCredentialRefs(params) {
+    const refs = [];
+    const vaultWriters = resolveVaultWriters(params.runtime, {
+        provider: params.provider,
+        accountId: params.accountIdForRef,
+        caller: params.caller,
+    });
+    if (vaultWriters.length === 0) {
+        throw new Error(`No durable connector credential store or vault writer is available for ${params.provider} account ${params.accountIdForRef}. Refusing to mark OAuth account connected without persisted credentials.`);
+    }
+    if (!params.storageAccountId) {
+        throw new Error(`No durable connector account id is available for ${params.provider} account ${params.accountIdForRef}. Refusing to mark OAuth account connected without persisted credential refs.`);
+    }
+    const storageWriters = resolveCredentialRefWriters(params.runtime, params.manager, params.storageAccountId);
+    if (storageWriters.length === 0) {
+        throw new Error(`No durable connector credential ref writer is available for ${params.provider} account ${params.storageAccountId}. Refusing to mark OAuth account connected without persisted credential refs.`);
+    }
+    for (const credential of params.credentials) {
+        const plannedRef = buildConnectorCredentialVaultRef({
+            agentId: nonEmptyString(params.runtime.agentId) ?? "agent",
+            provider: params.provider,
+            accountId: params.accountIdForRef,
+            credentialType: credential.credentialType,
+        });
+        const vaultRef = await writeWithFirstAvailableVault(vaultWriters, plannedRef, credential);
+        refs.push({
+            credentialType: credential.credentialType,
+            vaultRef,
+            ...(credential.expiresAt !== undefined ? { expiresAt: credential.expiresAt } : {}),
+            ...(credential.metadata ? { metadata: credential.metadata } : {}),
+        });
+    }
+    if (refs.length > 0) {
+        await writeRefsToStorage(storageWriters, refs);
+    }
+    return {
+        refs,
+        vaultAvailable: vaultWriters.length > 0,
+        storageAvailable: storageWriters.length > 0,
+    };
+}
+export function credentialRefRecordsFromMetadata(metadata) {
+    const record = asRecord(metadata);
+    if (!record)
+        return [];
+    const oauth = asRecord(record.oauth);
+    return [
+        ...credentialRefsFromUnknown(record.credentialRefs),
+        ...credentialRefsFromUnknown(record.oauthCredentialRefs),
+        ...credentialRefsFromUnknown(oauth?.credentialRefs),
+    ];
+}
+function credentialRefsFromUnknown(value) {
+    if (Array.isArray(value)) {
+        return value.flatMap((entry) => {
+            const ref = credentialRefFromRecord(asRecord(entry));
+            return ref ? [ref] : [];
+        });
+    }
+    const record = asRecord(value);
+    if (!record)
+        return [];
+    return Object.entries(record).flatMap(([credentialType, entry]) => {
+        const entryRecord = asRecord(entry);
+        if (entryRecord) {
+            const ref = credentialRefFromRecord({
+                credentialType,
+                ...entryRecord,
+            });
+            return ref ? [ref] : [];
+        }
+        const vaultRef = nonEmptyString(entry);
+        return vaultRef ? [{ credentialType, vaultRef }] : [];
+    });
+}
+function credentialRefFromRecord(record) {
+    if (!record)
+        return null;
+    const credentialType = nonEmptyString(record.credentialType ?? record.type ?? record.name);
+    const vaultRef = nonEmptyString(record.vaultRef ?? record.ref);
+    if (!credentialType || !vaultRef)
+        return null;
+    return {
+        credentialType,
+        vaultRef,
+        metadata: asRecord(record.metadata) ?? null,
+        expiresAt: record.expiresAt,
+        updatedAt: record.updatedAt,
+        version: (record.version ??
+            record.credentialVersion),
+    };
+}
+function resolveVaultWriters(runtime, context) {
+    const writers = [];
+    const credentialStore = getFirstService(runtime, [
+        "connector_credential_store",
+        "CONNECTOR_CREDENTIAL_STORE",
+        "connectorCredentialStore",
+        "credential_store",
+    ]);
+    if (typeof credentialStore?.putSecret === "function") {
+        writers.push({
+            name: "connector_credential_store",
+            write: async (vaultRef, credential) => credentialStore.putSecret?.({
+                vaultRef,
+                agentId: nonEmptyString(runtime.agentId) ?? "agent",
+                provider: context.provider,
+                accountId: context.accountId,
+                credentialType: credential.credentialType,
+                value: credential.value,
+                caller: context.caller,
+            }) ?? vaultRef,
+        });
+    }
+    const vault = getFirstService(runtime, ["vault", "VAULT"]);
+    if (typeof vault?.set === "function") {
+        writers.push({
+            name: "vault",
+            write: async (vaultRef, credential) => {
+                await vault.set?.(vaultRef, credential.value, {
+                    sensitive: true,
+                    caller: context.caller,
+                });
+                return vaultRef;
+            },
+        });
+    }
+    const secrets = getService(runtime, "SECRETS");
+    if (typeof secrets?.setGlobal === "function" || typeof secrets?.set === "function") {
+        writers.push({
+            name: "SECRETS",
+            write: async (vaultRef, credential) => {
+                if (typeof secrets.setGlobal === "function") {
+                    await secrets.setGlobal(vaultRef, credential.value, { sensitive: true });
+                    return vaultRef;
+                }
+                await secrets.set?.(vaultRef, credential.value, { level: "global", agentId: runtime.agentId }, { sensitive: true });
+                return vaultRef;
+            },
+        });
+    }
+    return writers;
+}
+function resolveCredentialRefWriters(runtime, manager, accountId) {
+    const candidates = [
+        manager?.getStorage?.(),
+        getService(runtime, CONNECTOR_ACCOUNT_STORAGE_SERVICE_TYPE),
+        runtime.adapter,
+    ].filter(Boolean);
+    const writers = [];
+    for (const candidate of candidates) {
+        const writer = candidate;
+        if (typeof writer.setConnectorAccountCredentialRef === "function") {
+            writers.push({
+                name: "setConnectorAccountCredentialRef",
+                write: async (ref) => {
+                    await writer.setConnectorAccountCredentialRef?.({
+                        accountId,
+                        credentialType: ref.credentialType,
+                        vaultRef: ref.vaultRef,
+                        ...(ref.metadata ? { metadata: ref.metadata } : {}),
+                        ...(ref.expiresAt !== undefined ? { expiresAt: ref.expiresAt } : {}),
+                    });
+                },
+            });
+        }
+        else if (typeof writer.setCredentialRef === "function") {
+            writers.push({
+                name: "setCredentialRef",
+                write: async (ref) => {
+                    await writer.setCredentialRef?.({
+                        accountId,
+                        credentialType: ref.credentialType,
+                        vaultRef: ref.vaultRef,
+                        ...(ref.metadata ? { metadata: ref.metadata } : {}),
+                        ...(ref.expiresAt !== undefined ? { expiresAt: ref.expiresAt } : {}),
+                    });
+                },
+            });
+        }
+    }
+    return writers;
+}
+async function writeWithFirstAvailableVault(writers, plannedRef, credential) {
+    const errors = [];
+    for (const writer of writers) {
+        try {
+            return await writer.write(plannedRef, credential);
+        }
+        catch (error) {
+            errors.push(`${writer.name}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    throw new Error(`Failed to persist connector credential ref ${plannedRef}: ${errors.join("; ")}`);
+}
+async function writeRefsToStorage(writers, refs) {
+    const errors = [];
+    for (const writer of writers) {
+        try {
+            for (const ref of refs) {
+                await writer.write(ref);
+            }
+            return;
+        }
+        catch (error) {
+            errors.push(`${writer.name}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    throw new Error(`Failed to persist connector credential refs: ${errors.join("; ")}`);
+}
+function buildConnectorCredentialVaultRef(params) {
+    return [
+        "connector",
+        normalizeVaultSegment(params.agentId),
+        normalizeVaultSegment(params.provider),
+        normalizeVaultSegment(params.accountId),
+        normalizeVaultSegment(params.credentialType),
+    ].join(".");
+}
+function normalizeVaultSegment(value) {
+    const normalized = value
+        .trim()
+        .replace(/[^a-zA-Z0-9_-]+/g, "_")
+        .replace(/^_+|_+$/g, "");
+    return (normalized || "unknown").slice(0, 64);
+}
+function getFirstService(runtime, serviceTypes) {
+    for (const serviceType of serviceTypes) {
+        const service = getService(runtime, serviceType);
+        if (service)
+            return service;
+    }
+    return null;
+}
+function getService(runtime, serviceType) {
+    try {
+        return runtime.getService?.(serviceType) ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function asRecord(value) {
+    return value && typeof value === "object" && !Array.isArray(value)
+        ? value
+        : undefined;
+}
+function nonEmptyString(value) {
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+//# sourceMappingURL=connector-credential-refs.js.map