@executor-js/plugin-openapi 1.4.33 → 1.5.0

package/dist/sdk/google-discovery.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/google-oauth-batches.d.ts

@@ -0,0 +1,13 @@
+import type { GoogleOpenApiOAuthAudience } from "./google-presets";
+export type GoogleOAuthBatchInput = {
+    readonly id: string;
+    readonly name: string;
+    readonly oauthAudience: GoogleOpenApiOAuthAudience;
+    readonly scopes: readonly string[];
+};
+export type GoogleOAuthConsentBatch = {
+    readonly id: string;
+    readonly label: string;
+    readonly apiScopes: readonly string[];
+};
+export declare const googleOAuthConsentBatches: (items: readonly GoogleOAuthBatchInput[]) => readonly GoogleOAuthConsentBatch[];

package/dist/sdk/google-oauth-batches.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/google-oauth-scopes.d.ts

@@ -0,0 +1,3 @@
+export declare const isGoogleUserConsentOAuthScope: (scope: string) => boolean;
+export declare const filterGoogleUserConsentOAuthScopes: (scopes: Iterable<string>) => string[];
+export declare const compactGoogleOAuthScopes: (scopes: Iterable<string>) => string[];

package/dist/sdk/google-oauth-scopes.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/google-presets.d.ts

@@ -0,0 +1,16 @@
+import type { OpenApiPreset } from "./presets";
+export type GoogleOpenApiOAuthAudience = "standard-user" | "advanced-user" | "workspace-admin" | "unsupported-user";
+export type GoogleOpenApiPreset = OpenApiPreset & {
+    readonly oauthAudience: GoogleOpenApiOAuthAudience;
+};
+export declare const GOOGLE_BUNDLE_PRESET_ID = "google";
+export declare const googleOpenApiBundlePreset: OpenApiPreset;
+export declare const googleOpenApiPresets: readonly GoogleOpenApiPreset[];
+export declare const googleStandardUserOAuthPresets: GoogleOpenApiPreset[];
+export declare const googleOAuthConsentScopes: Readonly<Record<string, readonly string[]>>;
+export declare const googleOAuthConsentScopesForPreset: (presetId: string) => readonly string[];
+export declare const googlePresetForDiscoveryUrl: (url: string) => GoogleOpenApiPreset | undefined;
+/** The distinct caution-tier audiences (`workspace-admin`, `unsupported-user`)
+ *  among the supplied Discovery URLs — the ones whose consent the user should be
+ *  warned about. Returns `[]` when every URL is a standard/advanced API. */
+export declare const googleAudienceWarningsForUrls: (urls: readonly string[]) => readonly GoogleOpenApiOAuthAudience[];

package/dist/sdk/google-presets.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/google-product-picker-scopes.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/index.d.ts

@@ -1,9 +1,11 @@
 export { parse, resolveSpecText, fetchSpecText } from "./parse";
+export { convertGoogleDiscoveryBundleToOpenApi, convertGoogleDiscoveryToOpenApi, fetchGoogleDiscoveryDocument, isGoogleDiscoveryUrl, type GoogleDiscoveryOpenApiConversion, } from "./google-discovery";
 export { extract } from "./extract";
-export { invoke, invokeWithLayer, resolveHeaders, annotationsForOperation } from "./invoke";
-export { openApiPlugin, type OpenApiSpecConfig, type OpenApiConfigureCredentialInput, type OpenApiConfigureInput, type OpenApiPluginExtension, type OpenApiPluginOptions, type OpenApiSourceRef, } from "./plugin";
-export { openapiSchema, type OpenapiSchema, type OpenapiStore, type StoredOperation, type StoredSource, type SourceConfig, makeDefaultOpenapiStore, } from "./store";
+export { invoke, invokeWithLayer, annotationsForOperation } from "./invoke";
+export { openApiPlugin, type OpenApiSpecConfig, type OpenApiConfigureInput, type OpenApiSpecInput, type OpenApiPreviewInput, type OpenApiPluginExtension, type OpenApiPluginOptions, } from "./plugin";
+export { type OpenapiStore, type StoredOperation, makeDefaultOpenapiStore } from "./store";
+export { decodeOpenApiIntegrationConfig, renderAuthTemplate, AuthenticationSchema, OpenApiIntegrationConfigSchema, type OpenApiIntegrationConfig, type RenderedAuth, } from "./config";
 export { previewSpec, SecurityScheme, AuthStrategy, HeaderPreset, OAuth2Preset, OAuth2Flows, OAuth2AuthorizationCodeFlow, OAuth2ClientCredentialsFlow, PreviewOperation, SpecPreview, } from "./preview";
 export { DocResolver, resolveBaseUrl, substituteUrlVariables, preferredContent, } from "./openapi-utils";
-export { OpenApiParseError, OpenApiExtractionError, OpenApiInvocationError, OpenApiOAuthError, } from "./errors";
-export { EncodingObject, ExtractedOperation, ExtractionResult, InvocationResult, MediaBinding, OAuth2SourceConfig, OperationBinding, OperationParameter, OperationRequestBody, ServerInfo, ServerVariable, OperationId, HttpMethod, ParameterLocation, } from "./types";
+export { OpenApiParseError, OpenApiExtractionError, OpenApiInvocationError, OpenApiOAuthError, OpenApiAuthRequiredError, } from "./errors";
+export { EncodingObject, ExtractedOperation, ExtractionResult, InvocationResult, MediaBinding, OperationBinding, OperationParameter, OperationRequestBody, ServerInfo, ServerVariable, OperationId, HttpMethod, ParameterLocation, variable, type Authentication, type APIKeyAuthentication, type AuthenticationVariable, type AuthenticationTemplateValue, } from "./types";

package/dist/sdk/invoke.d.ts

@@ -1,20 +1,16 @@
 import { Effect, Layer, Option } from "effect";
 import { HttpClient } from "effect/unstable/http";
-import type { SecretOwnedByConnectionError, StorageFailure } from "@executor-js/sdk/core";
 import { OpenApiInvocationError } from "./errors";
-import { type HeaderValue, type OperationBinding } from "./types";
-export declare const resolveHeaders: (headers: Record<string, HeaderValue>, secrets: {
-    readonly get: (id: string) => Effect.Effect<string | null, SecretOwnedByConnectionError | StorageFailure>;
-}) => Effect.Effect<Record<string, string>, OpenApiInvocationError | StorageFailure>;
+import { type OperationBinding } from "./types";
 export declare const invoke: (operation: {
-    readonly method: "post" | "options" | "delete" | "get" | "put" | "head" | "patch" | "trace";
+    readonly method: "post" | "options" | "delete" | "get" | "put" | "patch" | "head" | "trace";
     readonly parameters: readonly {
         readonly name: string;
         readonly required: boolean;
         readonly description: Option.Option<string>;
         readonly schema: Option.Option<unknown>;
         readonly style: Option.Option<string>;
-        readonly location: "query" | "header" | "path" | "cookie";
+        readonly location: "header" | "query" | "path" | "cookie";
         readonly explode: Option.Option<boolean>;
         readonly allowReserved: Option.Option<boolean>;
     }[];
@@ -36,21 +32,22 @@ export declare const invoke: (operation: {
         }[]>;
     }>;
     readonly pathTemplate: string;
+    readonly baseUrl?: string | undefined;
 }, args: Record<string, unknown>, resolvedHeaders: Record<string, string>, sourceQueryParams?: Record<string, string> | undefined) => Effect.Effect<{
     readonly error: unknown;
+    readonly data: unknown;
     readonly status: number;
     readonly headers: {
         readonly [x: string]: string;
     };
-    readonly data: unknown;
 }, OpenApiInvocationError, HttpClient.HttpClient>;
 export declare const invokeWithLayer: (operation: OperationBinding, args: Record<string, unknown>, baseUrl: string, resolvedHeaders: Record<string, string>, sourceQueryParams: Record<string, string>, httpClientLayer: Layer.Layer<HttpClient.HttpClient, never, never>) => Effect.Effect<{
     readonly error: unknown;
+    readonly data: unknown;
     readonly status: number;
     readonly headers: {
         readonly [x: string]: string;
     };
-    readonly data: unknown;
 }, OpenApiInvocationError, never>;
 export declare const annotationsForOperation: (method: string, pathTemplate: string) => {
     requiresApproval?: boolean;

package/dist/sdk/openapi-utils.d.ts

@@ -7,6 +7,7 @@ export type PathItemObject = OpenAPIV3.PathItemObject | OpenAPIV3_1.PathItemObje
 export type RequestBodyObject = OpenAPIV3.RequestBodyObject | OpenAPIV3_1.RequestBodyObject;
 export type ResponseObject = OpenAPIV3.ResponseObject | OpenAPIV3_1.ResponseObject;
 export type MediaTypeObject = OpenAPIV3.MediaTypeObject | OpenAPIV3_1.MediaTypeObject;
+export type ServerObject = OpenAPIV3.ServerObject | OpenAPIV3_1.ServerObject;
 export declare class DocResolver {
     readonly doc: ParsedDocument;
     constructor(doc: ParsedDocument);

package/dist/sdk/plugin.d.ts

@@ -1,84 +1,60 @@
 import { Effect, Option, Schema } from "effect";
 import type { Layer } from "effect";
 import { HttpClient } from "effect/unstable/http";
-import { CredentialBindingRef, type StorageFailure } from "@executor-js/sdk/core";
-import { type ConfigFileSink } from "@executor-js/config";
+import { IntegrationAlreadyExistsError, IntegrationSlug, type AuthMethodDescriptor, type Integration, type IntegrationRecord, type StorageFailure } from "@executor-js/sdk/core";
+import { type OpenApiIntegrationConfig } from "./config";
 import { OpenApiExtractionError, OpenApiOAuthError, OpenApiParseError } from "./errors";
 import { type SpecPreview } from "./preview";
-import { type OpenapiStore, type SourceConfig, type StoredSource } from "./store";
-import { OAuth2SourceConfig, type ConfiguredHeaderValue as ConfiguredHeaderValueValue, type HeaderValue as HeaderValueValue } from "./types";
-export type HeaderValue = HeaderValueValue;
-export type ConfiguredHeaderValue = ConfiguredHeaderValueValue;
-export type OpenApiOAuthInput = OAuth2SourceConfig;
+import { type OpenapiStore } from "./store";
+import type { Authentication } from "./types";
 export type OpenApiSpecInput = typeof OpenApiSpecInputSchema.Type;
-export type OpenApiSecretShapeInput = typeof OpenApiSecretShapeInputSchema.Type;
-export type OpenApiConfiguredValueInput = string | OpenApiSecretShapeInput | ConfiguredHeaderValueValue;
-export interface OpenApiSpecFetchCredentialsInput {
-    readonly headers?: Record<string, OpenApiConfiguredValueInput>;
-    readonly queryParams?: Record<string, OpenApiConfiguredValueInput>;
-}
-export interface OpenApiPreviewSpecFetchCredentialsInput {
-    readonly headers?: Record<string, HeaderValue>;
-    readonly queryParams?: Record<string, HeaderValue>;
-}
 export interface OpenApiPreviewInput {
     readonly spec: string;
-    readonly specFetchCredentials?: OpenApiPreviewSpecFetchCredentialsInput;
 }
+/** Add an OpenAPI integration to the catalog. The integration is the API
+ *  surface; connections (the credentials) are attached separately and resolve
+ *  their value through the declared `authenticationTemplate`. */
 export interface OpenApiSpecConfig {
     readonly spec: OpenApiSpecInput;
-    readonly specFetchCredentials?: OpenApiSpecFetchCredentialsInput;
-    /**
-     * Executor scope id that owns this source row. Must be one of the
-     * executor's configured scopes. Typical shape: an admin adds the
-     * source at the outermost (organization) scope so it's visible to
-     * every inner (per-user) scope via fall-through reads.
-     */
-    readonly scope: string;
-    readonly name: string;
-    readonly baseUrl: string;
-    readonly namespace: string;
-    readonly headers?: Record<string, OpenApiConfiguredValueInput>;
-    readonly queryParams?: Record<string, OpenApiConfiguredValueInput>;
-    readonly oauth2?: OpenApiOAuthInput;
+    /** The catalog slug for the new integration (the `<integration>` segment). */
+    readonly slug: string;
+    /** Human description (defaults to the spec title). */
+    readonly description?: string;
+    readonly baseUrl?: string;
+    /** Static headers applied to every request (no secret material). */
+    readonly headers?: Record<string, string>;
+    /** Static query params applied to every request. */
+    readonly queryParams?: Record<string, string>;
+    /** Auth methods a connection's value renders through. */
+    readonly authenticationTemplate?: readonly Authentication[];
 }
-export interface OpenApiSourceRef {
-    readonly id: string;
-    readonly scope: string;
+export interface OpenApiExtensionFailure {
+    readonly _tag: string;
+}
+/** Add / merge custom auth methods onto an existing OpenAPI integration's
+ *  `authenticationTemplate`. Mirrors the GraphQL plugin's `configure`. */
+export interface OpenApiConfigureInput {
+    /** The auth methods to add. Each entry is appended to (or, when its `slug`
+     *  already exists, replaces) the integration's existing template array. A
+     *  custom apiKey method with no `slug` is assigned a generated `custom_<id>`
+     *  slug that is collision-checked against the existing template. */
+    readonly authenticationTemplate: readonly Authentication[];
+    readonly mode?: "merge" | "replace";
 }
-export type OpenApiConfigureCredentialInput = string | {
-    readonly kind: "text";
-    readonly text: string;
-    readonly prefix?: string;
-} | {
-    readonly kind: "secret";
-    readonly secretId: string;
-    readonly secretScope?: string;
-    readonly prefix?: string;
-} | {
-    readonly kind: "connection";
-    readonly connectionId: string;
-};
-/**
- * Errors any OpenAPI extension method may surface. The first three are
- * plugin-domain tagged errors that flow directly to clients (4xx, each
- * carrying its own `HttpApiSchema` status). `StorageFailure` covers
- * raw backend failures (`StorageError`) plus `UniqueViolationError`;
- * the HTTP edge (`@executor-js/api`'s `withCapture`) translates
- * `StorageError` to the opaque `InternalError({ traceId })` at Layer
- * composition. `UniqueViolationError` passes through — plugins can
- * `Effect.catchTag` it if they want a friendlier user-facing error.
- */
-export type OpenApiExtensionFailure = OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError | StorageFailure;
 export interface OpenApiPluginExtension {
     readonly previewSpec: (input: string | OpenApiPreviewInput) => Effect.Effect<SpecPreview, OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError | StorageFailure>;
     readonly addSpec: (config: OpenApiSpecConfig) => Effect.Effect<{
-        readonly sourceId: string;
+        readonly slug: IntegrationSlug;
         readonly toolCount: number;
-    }, OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError | StorageFailure>;
-    readonly removeSpec: (namespace: string, scope: string) => Effect.Effect<void, StorageFailure>;
-    readonly getSource: (namespace: string, scope: string) => Effect.Effect<StoredSource | null, StorageFailure>;
-    readonly configure: (source: OpenApiSourceRef, input: OpenApiConfigureInput) => Effect.Effect<readonly CredentialBindingRef[], StorageFailure>;
+    }, OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError | IntegrationAlreadyExistsError | StorageFailure>;
+    readonly removeSpec: (slug: string) => Effect.Effect<void, StorageFailure>;
+    readonly getIntegration: (slug: string) => Effect.Effect<Integration | null, StorageFailure>;
+    /** Read the integration's full opaque config, including its
+     *  `authenticationTemplate`. Returns null when the integration is absent. */
+    readonly getConfig: (slug: string) => Effect.Effect<OpenApiIntegrationConfig | null, StorageFailure>;
+    /** Add / merge custom auth methods onto the integration's
+     *  `authenticationTemplate`. Returns the resulting template array. */
+    readonly configure: (slug: string, input: OpenApiConfigureInput) => Effect.Effect<readonly Authentication[], StorageFailure>;
 }
 declare const OpenApiSpecInputSchema: Schema.Union<readonly [Schema.Struct<{
     readonly kind: Schema.Literal<"url">;
@@ -86,145 +62,36 @@ declare const OpenApiSpecInputSchema: Schema.Union<readonly [Schema.Struct<{
 }>, Schema.Struct<{
     readonly kind: Schema.Literal<"blob">;
     readonly value: Schema.String;
+}>, Schema.Struct<{
+    readonly kind: Schema.Literal<"googleDiscovery">;
+    readonly url: Schema.String;
+}>, Schema.Struct<{
+    readonly kind: Schema.Literal<"googleDiscoveryBundle">;
+    readonly urls: Schema.$Array<Schema.String>;
 }>]>;
-declare const OpenApiSecretShapeInputSchema: Schema.Struct<{
-    readonly kind: Schema.Literal<"secret">;
-    readonly prefix: Schema.optional<Schema.String>;
-}>;
-declare const OpenApiConfigureInputSchema: Schema.Struct<{
-    readonly scope: Schema.String;
-    readonly name: Schema.optional<Schema.String>;
-    readonly baseUrl: Schema.optional<Schema.String>;
-    readonly headers: Schema.optional<Schema.$Record<Schema.String, Schema.Union<readonly [Schema.String, Schema.Struct<{
-        readonly kind: Schema.Literal<"text">;
-        readonly text: Schema.String;
-        readonly prefix: Schema.optional<Schema.String>;
-    }>, Schema.Struct<{
-        readonly kind: Schema.Literal<"secret">;
-        readonly secretId: Schema.String;
-        readonly secretScope: Schema.optional<Schema.String>;
-        readonly prefix: Schema.optional<Schema.String>;
-    }>, Schema.Struct<{
-        readonly kind: Schema.Literal<"connection">;
-        readonly connectionId: Schema.String;
-    }>]>>>;
-    readonly queryParams: Schema.optional<Schema.$Record<Schema.String, Schema.Union<readonly [Schema.String, Schema.Struct<{
-        readonly kind: Schema.Literal<"text">;
-        readonly text: Schema.String;
-        readonly prefix: Schema.optional<Schema.String>;
-    }>, Schema.Struct<{
-        readonly kind: Schema.Literal<"secret">;
-        readonly secretId: Schema.String;
-        readonly secretScope: Schema.optional<Schema.String>;
-        readonly prefix: Schema.optional<Schema.String>;
-    }>, Schema.Struct<{
-        readonly kind: Schema.Literal<"connection">;
-        readonly connectionId: Schema.String;
-    }>]>>>;
-    readonly specFetchCredentials: Schema.optional<Schema.Struct<{
-        readonly headers: Schema.optional<Schema.$Record<Schema.String, Schema.Union<readonly [Schema.String, Schema.Struct<{
-            readonly kind: Schema.Literal<"text">;
-            readonly text: Schema.String;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"secret">;
-            readonly secretId: Schema.String;
-            readonly secretScope: Schema.optional<Schema.String>;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"connection">;
-            readonly connectionId: Schema.String;
-        }>]>>>;
-        readonly queryParams: Schema.optional<Schema.$Record<Schema.String, Schema.Union<readonly [Schema.String, Schema.Struct<{
-            readonly kind: Schema.Literal<"text">;
-            readonly text: Schema.String;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"secret">;
-            readonly secretId: Schema.String;
-            readonly secretScope: Schema.optional<Schema.String>;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"connection">;
-            readonly connectionId: Schema.String;
-        }>]>>>;
-    }>>;
-    readonly oauth2: Schema.optional<Schema.Struct<{
-        readonly clientId: Schema.optional<Schema.Union<readonly [Schema.String, Schema.Struct<{
-            readonly kind: Schema.Literal<"text">;
-            readonly text: Schema.String;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"secret">;
-            readonly secretId: Schema.String;
-            readonly secretScope: Schema.optional<Schema.String>;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"connection">;
-            readonly connectionId: Schema.String;
-        }>]>>;
-        readonly clientSecret: Schema.optional<Schema.Union<readonly [Schema.String, Schema.Struct<{
-            readonly kind: Schema.Literal<"text">;
-            readonly text: Schema.String;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"secret">;
-            readonly secretId: Schema.String;
-            readonly secretScope: Schema.optional<Schema.String>;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"connection">;
-            readonly connectionId: Schema.String;
-        }>]>>;
-        readonly connection: Schema.optional<Schema.Union<readonly [Schema.String, Schema.Struct<{
-            readonly kind: Schema.Literal<"text">;
-            readonly text: Schema.String;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"secret">;
-            readonly secretId: Schema.String;
-            readonly secretScope: Schema.optional<Schema.String>;
-            readonly prefix: Schema.optional<Schema.String>;
-        }>, Schema.Struct<{
-            readonly kind: Schema.Literal<"connection">;
-            readonly connectionId: Schema.String;
-        }>]>>;
-    }>>;
-    readonly oauth2Source: Schema.optional<Schema.Struct<{
-        readonly kind: Schema.Literal<"oauth2">;
-        readonly securitySchemeName: Schema.String;
-        readonly flow: Schema.Literals<readonly ["authorizationCode", "clientCredentials"]>;
-        readonly tokenUrl: Schema.String;
-        readonly authorizationUrl: Schema.withDecodingDefault<Schema.optional<Schema.NullOr<Schema.String>>>;
-        readonly issuerUrl: Schema.optional<Schema.NullOr<Schema.String>>;
-        readonly clientIdSlot: Schema.String;
-        readonly clientSecretSlot: Schema.NullOr<Schema.String>;
-        readonly connectionSlot: Schema.String;
-        readonly scopes: Schema.$Array<Schema.String>;
-    }>>;
-}>;
-export type OpenApiConfigureInput = typeof OpenApiConfigureInputSchema.Type;
+export declare const describeOpenApiAuthMethods: (record: IntegrationRecord) => readonly AuthMethodDescriptor[];
+export declare const describeOpenApiIntegrationDisplay: (record: IntegrationRecord) => {
+    readonly url?: string;
+};
 export interface OpenApiPluginOptions {
     readonly httpClientLayer?: Layer.Layer<HttpClient.HttpClient, never, never>;
-    /** If provided, source add/remove is mirrored to executor.jsonc
-     *  (best-effort — file errors are logged, not raised). */
-    readonly configFile?: ConfigFileSink;
 }
 export declare const openApiPlugin: import("@executor-js/sdk/core").ConfiguredPlugin<"openapi", {
     previewSpec: (input: string | OpenApiPreviewInput) => Effect.Effect<{
         readonly version: Option.Option<string>;
         readonly operations: readonly {
-            readonly summary: Option.Option<string>;
-            readonly method: "post" | "options" | "delete" | "get" | "put" | "head" | "patch" | "trace";
+            readonly method: "post" | "options" | "delete" | "get" | "put" | "patch" | "head" | "trace";
             readonly deprecated: boolean;
             readonly path: string;
+            readonly summary: Option.Option<string>;
             readonly tags: readonly string[];
             readonly operationId: string;
         }[];
         readonly title: Option.Option<string>;
+        readonly tags: readonly string[];
         readonly servers: readonly {
-            readonly url: string;
             readonly description: Option.Option<string>;
+            readonly url: string;
             readonly variables: Option.Option<{
                 readonly [x: string]: {
                     readonly default: string;
@@ -233,29 +100,28 @@ export declare const openApiPlugin: import("@executor-js/sdk/core").ConfiguredPl
                 };
             }>;
         }[];
-        readonly tags: readonly string[];
         readonly securitySchemes: readonly {
             readonly name: string;
             readonly type: "oauth2" | "http" | "apiKey" | "openIdConnect";
-            readonly in: Option.Option<"query" | "header" | "cookie">;
+            readonly in: Option.Option<"header" | "query" | "cookie">;
             readonly description: Option.Option<string>;
-            readonly headerName: Option.Option<string>;
             readonly scheme: Option.Option<string>;
             readonly bearerFormat: Option.Option<string>;
+            readonly headerName: Option.Option<string>;
             readonly flows: Option.Option<{
                 readonly authorizationCode: Option.Option<{
+                    readonly authorizationUrl: string;
+                    readonly tokenUrl: string;
                     readonly scopes: {
                         readonly [x: string]: string;
                     };
-                    readonly authorizationUrl: string;
-                    readonly tokenUrl: string;
                     readonly refreshUrl: Option.Option<string>;
                 }>;
                 readonly clientCredentials: Option.Option<{
+                    readonly tokenUrl: string;
                     readonly scopes: {
                         readonly [x: string]: string;
                     };
-                    readonly tokenUrl: string;
                     readonly refreshUrl: Option.Option<string>;
                 }>;
             }>;
@@ -265,56 +131,33 @@ export declare const openApiPlugin: import("@executor-js/sdk/core").ConfiguredPl
             readonly schemes: readonly string[];
         }[];
         readonly headerPresets: readonly {
+            readonly label: string;
             readonly headers: {
                 readonly [x: string]: string | null;
             };
             readonly secretHeaders: readonly string[];
-            readonly label: string;
         }[];
         readonly oauth2Presets: readonly {
+            readonly label: string;
+            readonly authorizationUrl: Option.Option<string>;
+            readonly tokenUrl: string;
             readonly scopes: {
                 readonly [x: string]: string;
             };
-            readonly authorizationUrl: Option.Option<string>;
-            readonly securitySchemeName: string;
-            readonly flow: "authorizationCode" | "clientCredentials";
-            readonly tokenUrl: string;
             readonly refreshUrl: Option.Option<string>;
-            readonly label: string;
+            readonly flow: "authorizationCode" | "clientCredentials";
+            readonly identityScopes: false | "auto" | readonly string[];
+            readonly securitySchemeName: string;
         }[];
         readonly operationCount: number;
-    }, StorageFailure | OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError, never>;
+    }, OpenApiParseError | OpenApiExtractionError, never>;
     addSpec: (config: OpenApiSpecConfig) => Effect.Effect<{
-        sourceId: string;
+        slug: string & import("effect/Brand").Brand<"IntegrationSlug">;
         toolCount: number;
-    }, StorageFailure | OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError, never>;
-    removeSpec: (namespace: string, scope: string) => Effect.Effect<void, StorageFailure, never>;
-    getSource: (namespace: string, scope: string) => Effect.Effect<{
-        config: SourceConfig;
-        namespace: string;
-        scope: string;
-        name: string;
-    } | null, StorageFailure, never>;
-    configure: (source: OpenApiSourceRef, input: OpenApiConfigureInput) => Effect.Effect<readonly {
-        readonly value: {
-            readonly text: string;
-            readonly kind: "text";
-        } | {
-            readonly secretId: string & import("effect/Brand").Brand<"SecretId">;
-            readonly kind: "secret";
-            readonly secretScopeId?: (string & import("effect/Brand").Brand<"ScopeId">) | undefined;
-        } | {
-            readonly connectionId: string & import("effect/Brand").Brand<"ConnectionId">;
-            readonly kind: "connection";
-        };
-        readonly id: string & import("effect/Brand").Brand<"CredentialBindingId">;
-        readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
-        readonly createdAt: Date;
-        readonly updatedAt: Date;
-        readonly pluginId: string;
-        readonly sourceId: string;
-        readonly sourceScopeId: string & import("effect/Brand").Brand<"ScopeId">;
-        readonly slotKey: string;
-    }[], StorageFailure, never>;
-}, OpenapiStore, OpenApiPluginOptions, {}, undefined, Layer.Layer<unknown, never, never>, import("effect/unstable/httpapi/HttpApiGroup").Any>;
+    }, StorageFailure | IntegrationAlreadyExistsError | OpenApiParseError | OpenApiExtractionError | OpenApiOAuthError, never>;
+    removeSpec: (slug: string) => Effect.Effect<void, StorageFailure, never>;
+    getIntegration: (slug: string) => Effect.Effect<Integration | null, StorageFailure, never>;
+    getConfig: (slug: string) => Effect.Effect<OpenApiIntegrationConfig | null, StorageFailure>;
+    configure: (slug: string, input: OpenApiConfigureInput) => Effect.Effect<readonly Authentication[], StorageFailure>;
+}, OpenapiStore, OpenApiPluginOptions, undefined, Layer.Layer<unknown, never, never>, import("effect/unstable/httpapi/HttpApiGroup").Any>;
 export {};

package/dist/sdk/presets.d.ts

@@ -2,8 +2,9 @@ export interface OpenApiPreset {
     readonly id: string;
     readonly name: string;
     readonly summary: string;
-    readonly url: string;
+    readonly url?: string;
     readonly icon?: string;
     readonly featured?: boolean;
 }
+export { googleOpenApiPresets, googleStandardUserOAuthPresets } from "./google-presets";
 export declare const openApiPresets: readonly OpenApiPreset[];

package/dist/sdk/preview.d.ts

@@ -88,6 +88,8 @@ export declare const OAuth2Preset: Schema.Struct<{
     readonly refreshUrl: Schema.OptionFromOptional<Schema.String>;
     /** Declared scopes for this flow: `{ scope: description }`. */
     readonly scopes: Schema.$Record<Schema.String, Schema.String>;
+    /** Identity scopes to request alongside API scopes. `"auto"` discovers standard OIDC scopes. */
+    readonly identityScopes: Schema.Union<readonly [Schema.Literal<"auto">, Schema.Literal<false>, Schema.$Array<Schema.String>]>;
 }>;
 export type OAuth2Preset = typeof OAuth2Preset.Type;
 export declare const PreviewOperation: Schema.Struct<{
@@ -184,6 +186,8 @@ export declare const SpecPreview: Schema.Struct<{
         readonly refreshUrl: Schema.OptionFromOptional<Schema.String>;
         /** Declared scopes for this flow: `{ scope: description }`. */
         readonly scopes: Schema.$Record<Schema.String, Schema.String>;
+        /** Identity scopes to request alongside API scopes. `"auto"` discovers standard OIDC scopes. */
+        readonly identityScopes: Schema.Union<readonly [Schema.Literal<"auto">, Schema.Literal<false>, Schema.$Array<Schema.String>]>;
     }>>;
 }>;
 export type SpecPreview = typeof SpecPreview.Type;
@@ -192,17 +196,18 @@ export type SpecPreview = typeof SpecPreview.Type;
 export declare const previewSpec: (input: string) => Effect.Effect<{
     readonly version: Option.Option<string>;
     readonly operations: readonly {
-        readonly summary: Option.Option<string>;
-        readonly method: "post" | "options" | "delete" | "get" | "put" | "head" | "patch" | "trace";
+        readonly method: "post" | "options" | "delete" | "get" | "put" | "patch" | "head" | "trace";
         readonly deprecated: boolean;
         readonly path: string;
+        readonly summary: Option.Option<string>;
         readonly tags: readonly string[];
         readonly operationId: string;
     }[];
     readonly title: Option.Option<string>;
+    readonly tags: readonly string[];
     readonly servers: readonly {
-        readonly url: string;
         readonly description: Option.Option<string>;
+        readonly url: string;
         readonly variables: Option.Option<{
             readonly [x: string]: {
                 readonly default: string;
@@ -211,29 +216,28 @@ export declare const previewSpec: (input: string) => Effect.Effect<{
             };
         }>;
     }[];
-    readonly tags: readonly string[];
     readonly securitySchemes: readonly {
         readonly name: string;
         readonly type: "oauth2" | "http" | "apiKey" | "openIdConnect";
-        readonly in: Option.Option<"query" | "header" | "cookie">;
+        readonly in: Option.Option<"header" | "query" | "cookie">;
         readonly description: Option.Option<string>;
-        readonly headerName: Option.Option<string>;
         readonly scheme: Option.Option<string>;
         readonly bearerFormat: Option.Option<string>;
+        readonly headerName: Option.Option<string>;
         readonly flows: Option.Option<{
             readonly authorizationCode: Option.Option<{
+                readonly authorizationUrl: string;
+                readonly tokenUrl: string;
                 readonly scopes: {
                     readonly [x: string]: string;
                 };
-                readonly authorizationUrl: string;
-                readonly tokenUrl: string;
                 readonly refreshUrl: Option.Option<string>;
             }>;
             readonly clientCredentials: Option.Option<{
+                readonly tokenUrl: string;
                 readonly scopes: {
                     readonly [x: string]: string;
                 };
-                readonly tokenUrl: string;
                 readonly refreshUrl: Option.Option<string>;
             }>;
         }>;
@@ -243,22 +247,23 @@ export declare const previewSpec: (input: string) => Effect.Effect<{
         readonly schemes: readonly string[];
     }[];
     readonly headerPresets: readonly {
+        readonly label: string;
         readonly headers: {
             readonly [x: string]: string | null;
         };
         readonly secretHeaders: readonly string[];
-        readonly label: string;
     }[];
     readonly oauth2Presets: readonly {
+        readonly label: string;
+        readonly authorizationUrl: Option.Option<string>;
+        readonly tokenUrl: string;
         readonly scopes: {
             readonly [x: string]: string;
         };
-        readonly authorizationUrl: Option.Option<string>;
-        readonly securitySchemeName: string;
-        readonly flow: "authorizationCode" | "clientCredentials";
-        readonly tokenUrl: string;
         readonly refreshUrl: Option.Option<string>;
-        readonly label: string;
+        readonly flow: "authorizationCode" | "clientCredentials";
+        readonly identityScopes: false | "auto" | readonly string[];
+        readonly securitySchemeName: string;
     }[];
     readonly operationCount: number;
 }, import("./errors").OpenApiParseError | import("./errors").OpenApiExtractionError, import("effect/unstable/http/HttpClient").HttpClient>;

package/dist/sdk/query-serialization.test.d.ts

@@ -0,0 +1 @@
+export {};