@everworker/oneringai 0.1.1 → 0.1.3

package/README.md

@@ -6,6 +6,54 @@
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.3-blue.svg)](https://www.typescriptlang.org/)
 [![Node.js](https://img.shields.io/badge/Node.js-18+-green.svg)](https://nodejs.org/)
 
+## Table of Contents
+
+- [Features](#features)
+- [Quick Start](#quick-start) — Installation, basic usage, tools, vision, audio, images, video, search, scraping
+- [Supported Providers](#supported-providers)
+- [Key Features](#key-features)
+  - [1. Agent with Plugins](#1-agent-with-plugins)
+  - [2. Dynamic Tool Management](#2-dynamic-tool-management-new)
+  - [3. Tool Execution Plugins](#3-tool-execution-plugins-new)
+  - [4. Session Persistence](#4-session-persistence)
+  - [5. Working Memory](#5-working-memory)
+  - [6. Research with Search Tools](#6-research-with-search-tools)
+  - [6. Context Management](#6-context-management)
+  - [7. InContextMemory](#7-incontextmemory)
+  - [8. Persistent Instructions](#8-persistent-instructions)
+  - [9. Direct LLM Access](#9-direct-llm-access)
+  - [11. Audio Capabilities](#11-audio-capabilities)
+  - [12. Model Registry](#12-model-registry)
+  - [13. Streaming](#13-streaming)
+  - [14. OAuth for External APIs](#14-oauth-for-external-apis)
+  - [15. Developer Tools](#15-developer-tools)
+  - [16. External API Integration](#16-external-api-integration) — Scoped Registry, Vendor Templates, Tool Discovery
+- [MCP Integration](#mcp-model-context-protocol-integration)
+- [Documentation](#documentation)
+- [Examples](#examples)
+- [Development](#development)
+- [Architecture](#architecture)
+- [Troubleshooting](#troubleshooting)
+- [Contributing](#contributing)
+- [License](#license)
+
+<!-- For in-depth guides and full API reference, see the docs section below -->
+
+## Documentation
+
+> **Start here if you're looking for detailed docs or the full API reference.**
+
+| Document | Description |
+|----------|-------------|
+| **[User Guide](./USER_GUIDE.md)** | Comprehensive guide covering every feature with examples — connectors, agents, context, plugins, audio, video, search, MCP, OAuth, and more |
+| **[API Reference](./API_REFERENCE.md)** | Auto-generated reference for all 600+ public exports — classes, interfaces, types, and functions with signatures |
+| [CHANGELOG](./CHANGELOG.md) | Version history and migration notes |
+| [MCP Integration](./MCP_INTEGRATION.md) | Model Context Protocol setup and usage |
+| [Architecture (CLAUDE.md)](./CLAUDE.md) | Internal architecture guide |
+| [Testing Guide](./TESTING.md) | How to run and write tests |
+
+---
+
 ## Features
 
 - ✨ **Unified API** - One interface for 10+ AI providers (OpenAI, Anthropic, Google, Groq, DeepSeek, and more)
@@ -22,7 +70,7 @@
 - 🤖 **Universal Agent** - ⚠️ *Deprecated* - Use `Agent` with plugins instead
 - 🤖 **Task Agents** - ⚠️ *Deprecated* - Use `Agent` with `WorkingMemoryPluginNextGen`
 - 🔬 **Research Agent** - ⚠️ *Deprecated* - Use `Agent` with search tools
-- 🎯 **Context Management** - Smart strategies (proactive, aggressive, lazy, rolling-window, adaptive)
+- 🎯 **Context Management** - Algorithmic compaction with tool-result-to-memory offloading
 - 📌 **InContextMemory** - NEW: Live key-value storage directly in LLM context for instant access
 - 📝 **Persistent Instructions** - NEW: Agent-level custom instructions that persist across sessions on disk
 - 🛠️ **Agentic Workflows** - Built-in tool calling and multi-turn conversations
@@ -30,6 +78,7 @@
 - 🔌 **MCP Integration** - NEW: Model Context Protocol client for seamless tool discovery from local and remote servers
 - 👁️ **Vision Support** - Analyze images with AI across all providers
 - 📋 **Clipboard Integration** - Paste screenshots directly (like Claude Code!)
+- 🔐 **Scoped Connector Registry** - NEW: Pluggable access control for multi-tenant connector isolation
 - 🔐 **OAuth 2.0** - Full OAuth support for external APIs with encrypted token storage
 - 📦 **Vendor Templates** - NEW: Pre-configured auth templates for 43+ services (GitHub, Slack, Stripe, etc.)
 - 🔄 **Streaming** - Real-time responses with event streams
@@ -578,7 +627,6 @@ const agent = Agent.create({
   connector: 'openai',
   model: 'gpt-4',
   context: {
-    strategy: 'balanced', // proactive, balanced, lazy
     features: { workingMemory: true },
   },
 });
@@ -621,7 +669,7 @@ const agent = Agent.create({
 |---------|---------|--------|------------------|
 | `workingMemory` | `true` | WorkingMemoryPluginNextGen | `memory_store/retrieve/delete/list` |
 | `inContextMemory` | `false` | InContextMemoryPluginNextGen | `context_set/delete/list` |
-| `persistentInstructions` | `false` | PersistentInstructionsPluginNextGen | `instructions_set/get/append/clear` |
+| `persistentInstructions` | `false` | PersistentInstructionsPluginNextGen | `instructions_set/remove/list/clear` |
 
 **AgentContextNextGen architecture:**
 - **Plugin-first design** - All features are composable plugins
@@ -629,10 +677,8 @@ const agent = Agent.create({
 - **Single system message** - All context components combined
 - **Smart compaction** - Happens once, right before LLM call
 
-**Three compaction strategies:**
-- **proactive** - Compact at 70% usage
-- **balanced** (default) - Compact at 80% usage
-- **lazy** - Compact at 90% usage
+**Compaction strategy:**
+- **algorithmic** (default) - Moves large tool results to Working Memory, limits tool pairs, applies rolling window. Triggers at 75% context usage.
 
 **Context preparation:**
 ```typescript
@@ -694,8 +740,8 @@ const agent = Agent.create({
   },
 });
 
-// LLM can now use instructions_set/append/get/clear tools
-// Instructions persist to ~/.oneringai/agents/my-assistant/custom_instructions.md
+// LLM can now use instructions_set/remove/list/clear tools
+// Instructions persist to ~/.oneringai/agents/my-assistant/custom_instructions.json
 ```
 
 **Key Features:**
@@ -705,9 +751,9 @@ const agent = Agent.create({
 - 🛡️ **Never Compacted** - Critical instructions always preserved in context
 
 **Available Tools:**
-- `instructions_set` - Replace all custom instructions
-- `instructions_append` - Add a new section to existing instructions
-- `instructions_get` - Read current instructions
+- `instructions_set` - Add or update a single instruction by key
+- `instructions_remove` - Remove a single instruction by key
+- `instructions_list` - List all instructions with keys and content
 - `instructions_clear` - Remove all instructions (requires confirmation)
 
 **Use cases:** Agent personality/behavior, user preferences, learned rules, tool usage patterns.
@@ -966,6 +1012,51 @@ const metrics = connector.getMetrics();
 console.log(`Success rate: ${metrics.successCount / metrics.requestCount * 100}%`);
 ```
 
+#### Scoped Connector Registry (NEW)
+
+Limit connector visibility by user, group, or tenant in multi-user systems:
+
+```typescript
+import { Connector, ScopedConnectorRegistry } from '@everworker/oneringai';
+import type { IConnectorAccessPolicy } from '@everworker/oneringai';
+
+// Define an access policy
+const policy: IConnectorAccessPolicy = {
+  canAccess: (connector, context) => {
+    const tags = connector.config.tags as string[] | undefined;
+    return !!tags && tags.includes(context.tenantId as string);
+  },
+};
+
+// Set the global policy
+Connector.setAccessPolicy(policy);
+
+// Create a scoped view for a specific tenant
+const registry = Connector.scoped({ tenantId: 'acme-corp' });
+
+// Only connectors tagged with 'acme-corp' are visible
+registry.list();           // ['acme-openai', 'acme-slack']
+registry.get('other-co');  // throws "not found" (no info leakage)
+
+// Use with Agent
+const agent = Agent.create({
+  connector: 'acme-openai',
+  model: 'gpt-4',
+  registry,  // Agent resolves connectors through the scoped view
+});
+
+// Use with ConnectorTools
+const tools = ConnectorTools.for('acme-slack', undefined, { registry });
+const allTools = ConnectorTools.discoverAll(undefined, { registry });
+```
+
+**Features:**
+- Pluggable `IConnectorAccessPolicy` interface — bring your own access logic
+- Opaque context object (`{ userId, tenantId, roles, ... }`) — library imposes no structure
+- Denied connectors get the same "not found" error — no information leakage
+- Zero changes to existing API — scoping is entirely opt-in
+- Works with `Agent.create()`, `ConnectorTools.for()`, and `ConnectorTools.discoverAll()`
+
 #### Vendor Templates (NEW)
 
 Quickly set up connectors for 43+ services with pre-configured authentication templates:
@@ -1130,18 +1221,6 @@ await agent.run('List files and analyze them');
 
 See [MCP_INTEGRATION.md](./MCP_INTEGRATION.md) for complete documentation.
 
-## Documentation
-
-📖 **[Complete User Guide](./USER_GUIDE.md)** - Comprehensive guide covering all features
-
-### Additional Resources
-
-- **[MCP_INTEGRATION.md](./MCP_INTEGRATION.md)** - Model Context Protocol integration guide
-- **[CLAUDE.md](./CLAUDE.md)** - Architecture guide for AI assistants
-- **[MULTIMODAL_ARCHITECTURE.md](./MULTIMODAL_ARCHITECTURE.md)** - Multimodal implementation details
-- **[MICROSOFT_GRAPH_SETUP.md](./MICROSOFT_GRAPH_SETUP.md)** - Microsoft Graph OAuth setup
-- **[TESTING.md](./TESTING.md)** - Testing guide for contributors
-
 ## Examples
 
 ```bash
@@ -1196,6 +1275,7 @@ User Code → Connector Registry → Agent → Provider → LLM
 - ✅ Named connectors for easy reference
 - ✅ No API key management in agent code
 - ✅ Same pattern for AI providers AND external APIs
+- ✅ Scoped registry for multi-tenant access control
 
 ## Troubleshooting
 
@@ -1221,9 +1301,4 @@ MIT License - See [LICENSE](./LICENSE) file.
 
 ---
 
-**Version:** 0.1.0
-**Last Updated:** 2026-02-05
-
-For detailed documentation on all features, see the **[Complete User Guide](./USER_GUIDE.md)**.
-
-For internal development and architecture improvement plans, see **[IMPROVEMENT_PLAN.md](./IMPROVEMENT_PLAN.md)**.
+**Version:** 0.1.3 | **Last Updated:** 2026-02-07 | **[User Guide](./USER_GUIDE.md)** | **[API Reference](./API_REFERENCE.md)** | **[Changelog](./CHANGELOG.md)**

package/dist/{ImageModel-C7EyUfU0.d.ts → ImageModel-BkAX5Rr5.d.ts}

@@ -227,6 +227,57 @@ interface ITokenStorage {
     hasToken(key: string): Promise<boolean>;
 }
 
+/**
+ * IConnectorRegistry - Read-only interface for connector lookup
+ *
+ * Covers the read-only subset of Connector static methods.
+ * Used by ScopedConnectorRegistry to provide filtered views
+ * and by consumers that only need to read from the registry.
+ */
+
+interface IConnectorRegistry {
+    /** Get a connector by name. Throws if not found (or not accessible). */
+    get(name: string): Connector;
+    /** Check if a connector exists (and is accessible) */
+    has(name: string): boolean;
+    /** List all accessible connector names */
+    list(): string[];
+    /** List all accessible connector instances */
+    listAll(): Connector[];
+    /** Get number of accessible connectors */
+    size(): number;
+    /** Get connector descriptions formatted for tool parameters */
+    getDescriptionsForTools(): string;
+    /** Get connector info map */
+    getInfo(): Record<string, {
+        displayName: string;
+        description: string;
+        baseURL: string;
+    }>;
+}
+
+/**
+ * IConnectorAccessPolicy - Pluggable access control for connector registry
+ *
+ * Policies are sync-only for performance — access checks must be fast
+ * and policy data should be in-memory.
+ */
+
+/**
+ * Opaque context passed to access policy checks.
+ * Library imposes no structure — consumers define their own shape
+ * (e.g., { userId, tenantId, roles }).
+ */
+type ConnectorAccessContext = Record<string, unknown>;
+interface IConnectorAccessPolicy {
+    /**
+     * Check if a connector is accessible in the given context.
+     * Receives the full Connector instance so it can inspect
+     * config.tags, vendor, serviceType, etc.
+     */
+    canAccess(connector: Connector, context: ConnectorAccessContext): boolean;
+}
+
 /**
  * Connector - The single source of truth for authentication
  *
@@ -305,6 +356,30 @@ declare class Connector {
      * Get number of registered connectors
      */
     static size(): number;
+    private static _accessPolicy;
+    /**
+     * Set a global access policy for connector scoping.
+     * Pass null to clear the policy.
+     */
+    static setAccessPolicy(policy: IConnectorAccessPolicy | null): void;
+    /**
+     * Get the current global access policy (or null if none set).
+     */
+    static getAccessPolicy(): IConnectorAccessPolicy | null;
+    /**
+     * Create a scoped (filtered) view of the connector registry.
+     * Requires a global access policy to be set via setAccessPolicy().
+     *
+     * @param context - Opaque context passed to the policy (e.g., { userId, tenantId })
+     * @returns IConnectorRegistry that only exposes accessible connectors
+     * @throws Error if no access policy is set
+     */
+    static scoped(context: ConnectorAccessContext): IConnectorRegistry;
+    /**
+     * Return the static Connector methods as an IConnectorRegistry object (unfiltered).
+     * Useful when code accepts the interface but you want the full admin view.
+     */
+    static asRegistry(): IConnectorRegistry;
     /**
      * Get connector descriptions formatted for tool parameters
      * Useful for generating dynamic tool descriptions
@@ -760,4 +835,4 @@ declare function getImageModelsWithFeature(feature: keyof IImageModelDescription
  */
 declare function calculateImageCost(modelName: string, imageCount: number, quality?: 'standard' | 'hd'): number | null;
 
-export { type AudioFormat as A, type ImageResponse as B, Connector as C, type AspectRatio$1 as D, type OutputFormat as E, type ISourceLinks as F, DEFAULT_CONNECTOR_TIMEOUT as G, DEFAULT_MAX_RETRIES as H, type IBaseModelDescription as I, type JWTConnectorAuth as J, DEFAULT_RETRYABLE_STATUSES as K, DEFAULT_BASE_DELAY_MS as L, DEFAULT_MAX_DELAY_MS as M, type OAuthConnectorAuth as O, type QualityLevel as Q, type StoredToken as S, type VendorOptionSchema as V, Vendor as a, type IImageProvider as b, type ConnectorFetchOptions as c, type ITokenStorage as d, type ConnectorConfig as e, type ConnectorAuth as f, type ConnectorConfigResult as g, VENDORS as h, isVendor as i, ImageGeneration as j, type ImageGenerationCreateOptions as k, type SimpleGenerateOptions as l, type APIKeyConnectorAuth as m, type IImageModelDescription as n, type ImageModelCapabilities as o, type ImageModelPricing as p, IMAGE_MODELS as q, IMAGE_MODEL_REGISTRY as r, getImageModelInfo as s, getImageModelsByVendor as t, getActiveImageModels as u, getImageModelsWithFeature as v, calculateImageCost as w, type ImageGenerateOptions as x, type ImageEditOptions as y, type ImageVariationOptions as z };
+export { type AudioFormat as A, type ImageGenerateOptions as B, type ConnectorAccessContext as C, type ImageEditOptions as D, type ImageVariationOptions as E, type ImageResponse as F, type AspectRatio$1 as G, type OutputFormat as H, type IConnectorRegistry as I, type JWTConnectorAuth as J, type ISourceLinks as K, DEFAULT_CONNECTOR_TIMEOUT as L, DEFAULT_MAX_RETRIES as M, DEFAULT_RETRYABLE_STATUSES as N, type OAuthConnectorAuth as O, DEFAULT_BASE_DELAY_MS as P, type QualityLevel as Q, DEFAULT_MAX_DELAY_MS as R, type StoredToken as S, type VendorOptionSchema as V, type IConnectorAccessPolicy as a, Connector as b, type IBaseModelDescription as c, Vendor as d, type IImageProvider as e, type ConnectorFetchOptions as f, type ITokenStorage as g, type ConnectorConfig as h, type ConnectorAuth as i, type ConnectorConfigResult as j, VENDORS as k, isVendor as l, ImageGeneration as m, type ImageGenerationCreateOptions as n, type SimpleGenerateOptions as o, type APIKeyConnectorAuth as p, type IImageModelDescription as q, type ImageModelCapabilities as r, type ImageModelPricing as s, IMAGE_MODELS as t, IMAGE_MODEL_REGISTRY as u, getImageModelInfo as v, getImageModelsByVendor as w, getActiveImageModels as x, getImageModelsWithFeature as y, calculateImageCost as z };

package/dist/{ImageModel-B-uH3JEz.d.cts → ImageModel-DtN780fU.d.cts}

@@ -227,6 +227,57 @@ interface ITokenStorage {
     hasToken(key: string): Promise<boolean>;
 }
 
+/**
+ * IConnectorRegistry - Read-only interface for connector lookup
+ *
+ * Covers the read-only subset of Connector static methods.
+ * Used by ScopedConnectorRegistry to provide filtered views
+ * and by consumers that only need to read from the registry.
+ */
+
+interface IConnectorRegistry {
+    /** Get a connector by name. Throws if not found (or not accessible). */
+    get(name: string): Connector;
+    /** Check if a connector exists (and is accessible) */
+    has(name: string): boolean;
+    /** List all accessible connector names */
+    list(): string[];
+    /** List all accessible connector instances */
+    listAll(): Connector[];
+    /** Get number of accessible connectors */
+    size(): number;
+    /** Get connector descriptions formatted for tool parameters */
+    getDescriptionsForTools(): string;
+    /** Get connector info map */
+    getInfo(): Record<string, {
+        displayName: string;
+        description: string;
+        baseURL: string;
+    }>;
+}
+
+/**
+ * IConnectorAccessPolicy - Pluggable access control for connector registry
+ *
+ * Policies are sync-only for performance — access checks must be fast
+ * and policy data should be in-memory.
+ */
+
+/**
+ * Opaque context passed to access policy checks.
+ * Library imposes no structure — consumers define their own shape
+ * (e.g., { userId, tenantId, roles }).
+ */
+type ConnectorAccessContext = Record<string, unknown>;
+interface IConnectorAccessPolicy {
+    /**
+     * Check if a connector is accessible in the given context.
+     * Receives the full Connector instance so it can inspect
+     * config.tags, vendor, serviceType, etc.
+     */
+    canAccess(connector: Connector, context: ConnectorAccessContext): boolean;
+}
+
 /**
  * Connector - The single source of truth for authentication
  *
@@ -305,6 +356,30 @@ declare class Connector {
      * Get number of registered connectors
      */
     static size(): number;
+    private static _accessPolicy;
+    /**
+     * Set a global access policy for connector scoping.
+     * Pass null to clear the policy.
+     */
+    static setAccessPolicy(policy: IConnectorAccessPolicy | null): void;
+    /**
+     * Get the current global access policy (or null if none set).
+     */
+    static getAccessPolicy(): IConnectorAccessPolicy | null;
+    /**
+     * Create a scoped (filtered) view of the connector registry.
+     * Requires a global access policy to be set via setAccessPolicy().
+     *
+     * @param context - Opaque context passed to the policy (e.g., { userId, tenantId })
+     * @returns IConnectorRegistry that only exposes accessible connectors
+     * @throws Error if no access policy is set
+     */
+    static scoped(context: ConnectorAccessContext): IConnectorRegistry;
+    /**
+     * Return the static Connector methods as an IConnectorRegistry object (unfiltered).
+     * Useful when code accepts the interface but you want the full admin view.
+     */
+    static asRegistry(): IConnectorRegistry;
     /**
      * Get connector descriptions formatted for tool parameters
      * Useful for generating dynamic tool descriptions
@@ -760,4 +835,4 @@ declare function getImageModelsWithFeature(feature: keyof IImageModelDescription
  */
 declare function calculateImageCost(modelName: string, imageCount: number, quality?: 'standard' | 'hd'): number | null;
 
-export { type AudioFormat as A, type ImageResponse as B, Connector as C, type AspectRatio$1 as D, type OutputFormat as E, type ISourceLinks as F, DEFAULT_CONNECTOR_TIMEOUT as G, DEFAULT_MAX_RETRIES as H, type IBaseModelDescription as I, type JWTConnectorAuth as J, DEFAULT_RETRYABLE_STATUSES as K, DEFAULT_BASE_DELAY_MS as L, DEFAULT_MAX_DELAY_MS as M, type OAuthConnectorAuth as O, type QualityLevel as Q, type StoredToken as S, type VendorOptionSchema as V, Vendor as a, type IImageProvider as b, type ConnectorFetchOptions as c, type ITokenStorage as d, type ConnectorConfig as e, type ConnectorAuth as f, type ConnectorConfigResult as g, VENDORS as h, isVendor as i, ImageGeneration as j, type ImageGenerationCreateOptions as k, type SimpleGenerateOptions as l, type APIKeyConnectorAuth as m, type IImageModelDescription as n, type ImageModelCapabilities as o, type ImageModelPricing as p, IMAGE_MODELS as q, IMAGE_MODEL_REGISTRY as r, getImageModelInfo as s, getImageModelsByVendor as t, getActiveImageModels as u, getImageModelsWithFeature as v, calculateImageCost as w, type ImageGenerateOptions as x, type ImageEditOptions as y, type ImageVariationOptions as z };
+export { type AudioFormat as A, type ImageGenerateOptions as B, type ConnectorAccessContext as C, type ImageEditOptions as D, type ImageVariationOptions as E, type ImageResponse as F, type AspectRatio$1 as G, type OutputFormat as H, type IConnectorRegistry as I, type JWTConnectorAuth as J, type ISourceLinks as K, DEFAULT_CONNECTOR_TIMEOUT as L, DEFAULT_MAX_RETRIES as M, DEFAULT_RETRYABLE_STATUSES as N, type OAuthConnectorAuth as O, DEFAULT_BASE_DELAY_MS as P, type QualityLevel as Q, DEFAULT_MAX_DELAY_MS as R, type StoredToken as S, type VendorOptionSchema as V, type IConnectorAccessPolicy as a, Connector as b, type IBaseModelDescription as c, Vendor as d, type IImageProvider as e, type ConnectorFetchOptions as f, type ITokenStorage as g, type ConnectorConfig as h, type ConnectorAuth as i, type ConnectorConfigResult as j, VENDORS as k, isVendor as l, ImageGeneration as m, type ImageGenerationCreateOptions as n, type SimpleGenerateOptions as o, type APIKeyConnectorAuth as p, type IImageModelDescription as q, type ImageModelCapabilities as r, type ImageModelPricing as s, IMAGE_MODELS as t, IMAGE_MODEL_REGISTRY as u, getImageModelInfo as v, getImageModelsByVendor as w, getActiveImageModels as x, getImageModelsWithFeature as y, calculateImageCost as z };

package/dist/capabilities/images/index.cjs

@@ -1452,6 +1452,58 @@ var metrics = createMetricsCollector(
   process.env.METRICS_PREFIX || "oneringai"
 );
 
+// src/core/ScopedConnectorRegistry.ts
+var ScopedConnectorRegistry = class {
+  constructor(policy, context) {
+    this.policy = policy;
+    this.context = context;
+  }
+  get(name) {
+    if (!Connector.has(name)) {
+      const available = this.list().join(", ") || "none";
+      throw new Error(`Connector '${name}' not found. Available: ${available}`);
+    }
+    const connector = Connector.get(name);
+    if (!this.policy.canAccess(connector, this.context)) {
+      const available = this.list().join(", ") || "none";
+      throw new Error(`Connector '${name}' not found. Available: ${available}`);
+    }
+    return connector;
+  }
+  has(name) {
+    if (!Connector.has(name)) return false;
+    const connector = Connector.get(name);
+    return this.policy.canAccess(connector, this.context);
+  }
+  list() {
+    return this.listAll().map((c) => c.name);
+  }
+  listAll() {
+    return Connector.listAll().filter((c) => this.policy.canAccess(c, this.context));
+  }
+  size() {
+    return this.listAll().length;
+  }
+  getDescriptionsForTools() {
+    const connectors = this.listAll();
+    if (connectors.length === 0) {
+      return "No connectors registered yet.";
+    }
+    return connectors.map((c) => `  - "${c.name}": ${c.displayName} - ${c.config.description || "No description"}`).join("\n");
+  }
+  getInfo() {
+    const info = {};
+    for (const connector of this.listAll()) {
+      info[connector.name] = {
+        displayName: connector.displayName,
+        description: connector.config.description || "",
+        baseURL: connector.baseURL
+      };
+    }
+    return info;
+  }
+};
+
 // src/core/Connector.ts
 var DEFAULT_CONNECTOR_TIMEOUT = 3e4;
 var DEFAULT_MAX_RETRIES = 3;
@@ -1537,6 +1589,50 @@ var Connector = class _Connector {
   static size() {
     return _Connector.registry.size;
   }
+  // ============ Access Control ============
+  static _accessPolicy = null;
+  /**
+   * Set a global access policy for connector scoping.
+   * Pass null to clear the policy.
+   */
+  static setAccessPolicy(policy) {
+    _Connector._accessPolicy = policy;
+  }
+  /**
+   * Get the current global access policy (or null if none set).
+   */
+  static getAccessPolicy() {
+    return _Connector._accessPolicy;
+  }
+  /**
+   * Create a scoped (filtered) view of the connector registry.
+   * Requires a global access policy to be set via setAccessPolicy().
+   *
+   * @param context - Opaque context passed to the policy (e.g., { userId, tenantId })
+   * @returns IConnectorRegistry that only exposes accessible connectors
+   * @throws Error if no access policy is set
+   */
+  static scoped(context) {
+    if (!_Connector._accessPolicy) {
+      throw new Error("No access policy set. Call Connector.setAccessPolicy() first.");
+    }
+    return new ScopedConnectorRegistry(_Connector._accessPolicy, context);
+  }
+  /**
+   * Return the static Connector methods as an IConnectorRegistry object (unfiltered).
+   * Useful when code accepts the interface but you want the full admin view.
+   */
+  static asRegistry() {
+    return {
+      get: (name) => _Connector.get(name),
+      has: (name) => _Connector.has(name),
+      list: () => _Connector.list(),
+      listAll: () => _Connector.listAll(),
+      size: () => _Connector.size(),
+      getDescriptionsForTools: () => _Connector.getDescriptionsForTools(),
+      getInfo: () => _Connector.getInfo()
+    };
+  }
   /**
    * Get connector descriptions formatted for tool parameters
    * Useful for generating dynamic tool descriptions