@executor-js/sdk 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (102) hide show
  1. package/README.md +125 -107
  2. package/dist/blob.d.ts +48 -0
  3. package/dist/blob.d.ts.map +1 -0
  4. package/dist/blob.test.d.ts +2 -0
  5. package/dist/blob.test.d.ts.map +1 -0
  6. package/dist/chunk-2WV7VSNL.js +4440 -0
  7. package/dist/chunk-2WV7VSNL.js.map +1 -0
  8. package/dist/client.d.ts +135 -0
  9. package/dist/client.d.ts.map +1 -0
  10. package/dist/client.js +87 -0
  11. package/dist/client.js.map +1 -0
  12. package/dist/client.test.d.ts +2 -0
  13. package/dist/client.test.d.ts.map +1 -0
  14. package/dist/config.d.ts +24 -0
  15. package/dist/config.d.ts.map +1 -0
  16. package/dist/connections.d.ts +107 -0
  17. package/dist/connections.d.ts.map +1 -0
  18. package/dist/connections.test.d.ts +2 -0
  19. package/dist/connections.test.d.ts.map +1 -0
  20. package/dist/core-schema.d.ts +372 -0
  21. package/dist/core-schema.d.ts.map +1 -0
  22. package/dist/core.js +296 -57
  23. package/dist/core.js.map +1 -1
  24. package/dist/elicitation.d.ts +18 -34
  25. package/dist/elicitation.d.ts.map +1 -1
  26. package/dist/error-handling.test.d.ts +2 -0
  27. package/dist/error-handling.test.d.ts.map +1 -0
  28. package/dist/errors.d.ts +95 -24
  29. package/dist/errors.d.ts.map +1 -1
  30. package/dist/executor.d.ts +107 -48
  31. package/dist/executor.d.ts.map +1 -1
  32. package/dist/executor.test.d.ts +2 -0
  33. package/dist/executor.test.d.ts.map +1 -0
  34. package/dist/ids.d.ts +6 -4
  35. package/dist/ids.d.ts.map +1 -1
  36. package/dist/index.d.ts +24 -16
  37. package/dist/index.d.ts.map +1 -1
  38. package/dist/index.js +80 -308
  39. package/dist/index.js.map +1 -1
  40. package/dist/oauth-discovery.d.ts +138 -0
  41. package/dist/oauth-discovery.d.ts.map +1 -0
  42. package/dist/oauth-discovery.test.d.ts +2 -0
  43. package/dist/oauth-discovery.test.d.ts.map +1 -0
  44. package/dist/oauth-helpers.d.ts +89 -0
  45. package/dist/oauth-helpers.d.ts.map +1 -0
  46. package/dist/oauth-helpers.test.d.ts +2 -0
  47. package/dist/oauth-helpers.test.d.ts.map +1 -0
  48. package/dist/oauth-popup-types.d.ts +14 -0
  49. package/dist/oauth-popup-types.d.ts.map +1 -0
  50. package/dist/oauth-service.d.ts +33 -0
  51. package/dist/oauth-service.d.ts.map +1 -0
  52. package/dist/oauth.d.ts +275 -0
  53. package/dist/oauth.d.ts.map +1 -0
  54. package/dist/plugin.d.ts +318 -28
  55. package/dist/plugin.d.ts.map +1 -1
  56. package/dist/policies.d.ts +56 -64
  57. package/dist/policies.d.ts.map +1 -1
  58. package/dist/policies.test.d.ts +2 -0
  59. package/dist/policies.test.d.ts.map +1 -0
  60. package/dist/promise-executor.d.ts +26 -128
  61. package/dist/promise-executor.d.ts.map +1 -1
  62. package/dist/promise.d.ts +12 -6
  63. package/dist/promise.d.ts.map +1 -1
  64. package/dist/promise.test.d.ts +2 -0
  65. package/dist/promise.test.d.ts.map +1 -0
  66. package/dist/schema-types.d.ts +6 -5
  67. package/dist/schema-types.d.ts.map +1 -1
  68. package/dist/scope.d.ts +5 -15
  69. package/dist/scope.d.ts.map +1 -1
  70. package/dist/scoped-adapter.d.ts +13 -0
  71. package/dist/scoped-adapter.d.ts.map +1 -0
  72. package/dist/scoped-adapter.test.d.ts +2 -0
  73. package/dist/scoped-adapter.test.d.ts.map +1 -0
  74. package/dist/secret-backed-value.d.ts +27 -0
  75. package/dist/secret-backed-value.d.ts.map +1 -0
  76. package/dist/secrets.d.ts +52 -106
  77. package/dist/secrets.d.ts.map +1 -1
  78. package/dist/testing.d.ts +5 -3
  79. package/dist/testing.d.ts.map +1 -1
  80. package/dist/types.d.ts +84 -0
  81. package/dist/types.d.ts.map +1 -0
  82. package/package.json +28 -4
  83. package/dist/chunk-D7CT3UMO.js +0 -1386
  84. package/dist/chunk-D7CT3UMO.js.map +0 -1
  85. package/dist/in-memory/policy-engine.d.ts +0 -10
  86. package/dist/in-memory/policy-engine.d.ts.map +0 -1
  87. package/dist/in-memory/secret-store.d.ts +0 -16
  88. package/dist/in-memory/secret-store.d.ts.map +0 -1
  89. package/dist/in-memory/tool-registry.d.ts +0 -35
  90. package/dist/in-memory/tool-registry.d.ts.map +0 -1
  91. package/dist/index.test.d.ts +0 -2
  92. package/dist/index.test.d.ts.map +0 -1
  93. package/dist/plugin-kv.d.ts +0 -48
  94. package/dist/plugin-kv.d.ts.map +0 -1
  95. package/dist/plugins/in-memory-tools.d.ts +0 -42
  96. package/dist/plugins/in-memory-tools.d.ts.map +0 -1
  97. package/dist/runtime-tools.d.ts +0 -41
  98. package/dist/runtime-tools.d.ts.map +0 -1
  99. package/dist/sources.d.ts +0 -130
  100. package/dist/sources.d.ts.map +0 -1
  101. package/dist/tools.d.ts +0 -219
  102. package/dist/tools.d.ts.map +0 -1
package/dist/plugin.d.ts CHANGED
@@ -1,35 +1,325 @@
1
- import type { Effect } from "effect";
2
- import type { ToolRegistry } from "./tools";
3
- import type { SecretStore } from "./secrets";
4
- import type { PolicyEngine } from "./policies";
5
- import type { SourceRegistry } from "./sources";
1
+ import type { Context, Effect, Layer } from "effect";
2
+ import type { HttpApiGroup } from "effect/unstable/httpapi";
3
+ import type { DBAdapter, DBSchema, StorageFailure, TypedAdapter } from "@executor-js/storage-core";
4
+ import type { PluginBlobStore } from "./blob";
5
+ import type { ConnectionProvider, ConnectionRef, ConnectionRefreshError, CreateConnectionInput, UpdateConnectionTokensInput } from "./connections";
6
+ import type { DefinitionsInput, SourceInput, ToolAnnotations, ToolRow } from "./core-schema";
7
+ import type { SourceDetectionResult } from "./types";
8
+ import type { ElicitationDeclinedError, ElicitationHandler, ElicitationRequest, ElicitationResponse } from "./elicitation";
9
+ import type { ConnectionNotFoundError, ConnectionProviderNotRegisteredError, ConnectionReauthRequiredError, ConnectionRefreshNotSupportedError, SecretOwnedByConnectionError } from "./errors";
10
+ import type { OAuthService } from "./oauth";
6
11
  import type { Scope } from "./scope";
7
- export interface PluginContext {
8
- readonly scope: Scope;
9
- readonly tools: Context.Tag.Service<typeof ToolRegistry>;
10
- readonly sources: Context.Tag.Service<typeof SourceRegistry>;
11
- readonly secrets: Context.Tag.Service<typeof SecretStore>;
12
- readonly policies: Context.Tag.Service<typeof PolicyEngine>;
13
- }
14
- export interface ExecutorPlugin<TKey extends string = string, TExtension extends object = object> {
15
- /** Unique plugin key — becomes a property on the Executor type */
16
- readonly key: TKey;
12
+ import type { SecretProvider, SecretRef, SetSecretInput } from "./secrets";
13
+ export interface StorageDeps<TSchema extends DBSchema | undefined = undefined> {
17
14
  /**
18
- * Called when the executor starts. The plugin should register its tools
19
- * and return any cleanup logic + its public extension API.
15
+ * Precedence-ordered scope stack visible to this executor. Innermost
16
+ * first. Reads on scoped tables walk every scope; writes require the
17
+ * plugin to name a target scope explicitly (via `scope_id` on the
18
+ * adapter payload, via `options.scope` on the blob store).
20
19
  */
21
- readonly init: (ctx: PluginContext) => Effect.Effect<PluginHandle<TExtension>, Error>;
20
+ readonly scopes: readonly Scope[];
21
+ /**
22
+ * Plugin-facing typed adapter. Failures surface as raw `StorageFailure`
23
+ * (`StorageError` | `UniqueViolationError`). Plugins can
24
+ * `catchTag("UniqueViolationError", …)` to translate to their own
25
+ * user-facing errors. `StorageError` bubbles up; the HTTP edge (see
26
+ * `@executor-js/api` `withCapture`) is the one place that
27
+ * translates it to the opaque `InternalError({ traceId })`.
28
+ */
29
+ readonly adapter: TSchema extends DBSchema ? TypedAdapter<TSchema, StorageFailure> : DBAdapter;
30
+ readonly blobs: PluginBlobStore;
31
+ }
32
+ export declare const defineSchema: <const S extends DBSchema>(schema: S) => S;
33
+ export type Elicit = (request: ElicitationRequest) => Effect.Effect<ElicitationResponse, ElicitationDeclinedError>;
34
+ export interface PluginCtx<TStore = unknown> {
35
+ /**
36
+ * Precedence-ordered scope stack visible to this executor. Innermost
37
+ * first. Plugins that write scoped rows must pick an element of
38
+ * `scopes` as the `scope`/`scope_id` they stamp; reads through the
39
+ * adapter or `ctx.secrets` automatically fall through the stack.
40
+ */
41
+ readonly scopes: readonly Scope[];
42
+ readonly storage: TStore;
43
+ readonly core: {
44
+ readonly sources: {
45
+ readonly register: (input: SourceInput) => Effect.Effect<void, StorageFailure>;
46
+ readonly unregister: (sourceId: string) => Effect.Effect<void, StorageFailure>;
47
+ readonly update: (input: {
48
+ readonly id: string;
49
+ readonly scope: string;
50
+ readonly name?: string;
51
+ readonly url?: string | null;
52
+ }) => Effect.Effect<void, StorageFailure>;
53
+ };
54
+ /** Register shared JSON-schema `$defs` for a source. Tool
55
+ * input/output schemas registered via `sources.register` can carry
56
+ * `$ref: "#/$defs/X"` pointers; `executor.tools.schema(toolId)`
57
+ * attaches matching defs to the returned schema. Call inside the
58
+ * same `ctx.transaction` as `sources.register` for atomicity.
59
+ * Replaces any existing defs for the given sourceId. */
60
+ readonly definitions: {
61
+ readonly register: (input: DefinitionsInput) => Effect.Effect<void, StorageFailure>;
62
+ };
63
+ };
64
+ readonly secrets: {
65
+ readonly get: (id: string) => Effect.Effect<string | null, SecretOwnedByConnectionError | StorageFailure>;
66
+ /** List user-visible secrets. Connection-owned secrets (rows with
67
+ * `owned_by_connection_id` set) are filtered out so they don't
68
+ * clutter the UI — users see the Connection instead. */
69
+ readonly list: () => Effect.Effect<readonly {
70
+ readonly id: string;
71
+ readonly name: string;
72
+ readonly provider: string;
73
+ }[], StorageFailure>;
74
+ /** Write a secret value through a provider. Used by plugins that
75
+ * mint secrets on behalf of the user (OAuth2 token storage,
76
+ * interactive onboarding flows). Normally writes go through
77
+ * `executor.secrets.set` on the host surface, but OAuth2 refresh
78
+ * and one-shot token capture from plugin-owned flows need it here
79
+ * too. Same routing rules as the host-level setter. */
80
+ readonly set: (input: SetSecretInput) => Effect.Effect<SecretRef, StorageFailure>;
81
+ /** Delete a secret from its pinned provider and the core table.
82
+ * Rejects with `SecretOwnedByConnectionError` if the row is owned
83
+ * by a connection — callers must go through `connections.remove`
84
+ * to drop the whole sign-in. */
85
+ readonly remove: (id: string) => Effect.Effect<void, SecretOwnedByConnectionError | StorageFailure>;
86
+ };
87
+ /** Connections — product-level sign-in state. Owns backing secret
88
+ * rows via `secret.owned_by_connection_id`. Plugins call
89
+ * `connections.accessToken(id)` at invoke time to get a guaranteed-
90
+ * fresh token (the SDK handles refresh via the registered provider
91
+ * keyed by `connection.provider`). */
92
+ readonly connections: {
93
+ readonly get: (id: string) => Effect.Effect<ConnectionRef | null, StorageFailure>;
94
+ readonly list: () => Effect.Effect<readonly ConnectionRef[], StorageFailure>;
95
+ readonly create: (input: CreateConnectionInput) => Effect.Effect<ConnectionRef, ConnectionProviderNotRegisteredError | StorageFailure>;
96
+ readonly updateTokens: (input: UpdateConnectionTokensInput) => Effect.Effect<ConnectionRef, ConnectionNotFoundError | StorageFailure>;
97
+ readonly setIdentityLabel: (id: string, label: string | null) => Effect.Effect<void, ConnectionNotFoundError | StorageFailure>;
98
+ /** Get a guaranteed-fresh access token. Calls the provider's
99
+ * `refresh` handler if `expires_at` is in the past / within the
100
+ * refresh skew window. */
101
+ readonly accessToken: (id: string) => Effect.Effect<string, ConnectionNotFoundError | ConnectionProviderNotRegisteredError | ConnectionRefreshNotSupportedError | ConnectionReauthRequiredError | ConnectionRefreshError | StorageFailure>;
102
+ readonly remove: (id: string) => Effect.Effect<void, StorageFailure>;
103
+ };
104
+ /** Shared OAuth service. Plugins use this to probe/start/complete OAuth
105
+ * flows; invocation should still resolve tokens via `connections.accessToken`. */
106
+ readonly oauth: OAuthService;
107
+ /** Run `effect` inside a database transaction. Wraps the underlying
108
+ * adapter's transaction method. Use this in extension methods that
109
+ * need atomicity across plugin storage writes AND core source/tool
110
+ * registration. */
111
+ readonly transaction: <A, E>(effect: Effect.Effect<A, E>) => Effect.Effect<A, E | StorageFailure>;
112
+ }
113
+ export interface StaticToolHandlerInput<TStore = unknown> {
114
+ readonly ctx: PluginCtx<TStore>;
115
+ readonly args: unknown;
116
+ /** Suspend the fiber to request user input. The handler passed to
117
+ * `createExecutor({ onElicitation })` is called. */
118
+ readonly elicit: Elicit;
119
+ }
120
+ export interface StaticToolDecl<TStore = unknown> {
121
+ readonly name: string;
122
+ readonly description: string;
123
+ readonly inputSchema?: unknown;
124
+ readonly outputSchema?: unknown;
125
+ /** Default-policy annotations — `requiresApproval`, `approvalDescription`,
126
+ * `mayElicit`. Enforced by the executor before the handler runs.
127
+ * Inline because static tools have no plugin storage to resolve from;
128
+ * the plugin author literally writes this at definition time. */
129
+ readonly annotations?: ToolAnnotations;
130
+ readonly handler: (input: StaticToolHandlerInput<TStore>) => Effect.Effect<unknown, unknown>;
22
131
  }
23
- export interface PluginHandle<TExtension extends object = object> {
24
- /** Plugin's public API — exposed on the executor as `executor[plugin.key]` */
25
- readonly extension: TExtension;
26
- /** Called when the executor shuts down */
27
- readonly close?: () => Effect.Effect<void>;
132
+ export interface StaticSourceDecl<TStore = unknown> {
133
+ readonly id: string;
134
+ readonly kind: string;
135
+ readonly name: string;
136
+ readonly url?: string;
137
+ /** Static sources default to `canRemove: false` — they represent
138
+ * plugin-provided control surfaces and shouldn't be user-removable.
139
+ * Override only if you really want that. */
140
+ readonly canRemove?: boolean;
141
+ readonly canRefresh?: boolean;
142
+ readonly canEdit?: boolean;
143
+ readonly tools: readonly StaticToolDecl<TStore>[];
28
144
  }
29
- /** Maps a tuple of plugins to their extensions keyed by plugin key */
30
- export type PluginExtensions<TPlugins extends readonly ExecutorPlugin<string, object>[]> = {
31
- readonly [P in TPlugins[number] as P["key"]]: P extends ExecutorPlugin<string, infer TExt> ? TExt : never;
145
+ export interface InvokeToolInput<TStore = unknown> {
146
+ readonly ctx: PluginCtx<TStore>;
147
+ /** Already-loaded tool row. Plugin doesn't need to re-fetch or parse
148
+ * the tool id. Carries source_id, name, input/output schemas,
149
+ * annotations. */
150
+ readonly toolRow: ToolRow;
151
+ readonly args: unknown;
152
+ /** Elicitation handle for plugins that need mid-invocation user input
153
+ * (onepassword auth prompt, interactive MCP tools, etc.). */
154
+ readonly elicit: Elicit;
155
+ }
156
+ export interface SourceLifecycleInput<TStore = unknown> {
157
+ readonly ctx: PluginCtx<TStore>;
158
+ readonly sourceId: string;
159
+ /**
160
+ * Scope of the source row being removed/refreshed — resolved by the
161
+ * SDK's `sources.remove` / `sources.refresh` via innermost-wins lookup
162
+ * across the executor's scope stack. Plugins that own a side table
163
+ * keyed by (id, scope_id) must pin their own cleanup to this scope;
164
+ * relying on the scoped adapter's `scope_id IN (stack)` fall-through
165
+ * would widen the mutation across the whole stack and wipe a
166
+ * shadowed outer-scope row.
167
+ */
168
+ readonly scope: string;
169
+ }
170
+ export interface PluginSpec<TId extends string = string, TExtension extends object = any, TStore = any, TSchema extends DBSchema | undefined = any, TExtensionService extends Context.Service<any, any> | undefined = any, THandlersLayer extends Layer.Layer<any, any, any> = any, TGroup extends HttpApiGroup.Any = HttpApiGroup.Any> {
171
+ readonly id: TId;
172
+ /** npm package name. The Vite plugin uses this to derive the
173
+ * `./client` import path for the frontend bundle (so the same
174
+ * `executor.config.ts` drives both server and client) — `${packageName}/client`
175
+ * is what gets bundled. The author writes the same string they
176
+ * publish to npm; no transforms, no scope conventions. Required for
177
+ * plugins that ship a `./client` entry; can be omitted for SDK-only
178
+ * plugins (no client bundle = nothing to resolve). */
179
+ readonly packageName?: string;
180
+ /** Plugin-declared schema. Merged with coreSchema and other plugins'
181
+ * schemas at executor startup via `collectSchemas`. The type flows
182
+ * into the `storage` factory's `deps.adapter` as a `TypedAdapter<TSchema>`
183
+ * so plugins get narrowed model names + typed rows for free. */
184
+ readonly schema?: TSchema;
185
+ /** Build the plugin's typed store from backing. `deps.adapter` is
186
+ * already narrowed to this plugin's schema; `deps.blobs` is already
187
+ * scoped to the plugin id so key collisions across plugins are
188
+ * structurally impossible. */
189
+ readonly storage: (deps: StorageDeps<TSchema>) => TStore;
190
+ /** Build the plugin's extension API. The returned object becomes
191
+ * `executor[plugin.id]` and is also the `self` passed to
192
+ * `staticSources`. Field order matters: `extension` MUST appear
193
+ * before `staticSources` so TS infers TExtension from this
194
+ * factory's return BEFORE type-checking `self: NoInfer<TExtension>`. */
195
+ readonly extension?: (ctx: PluginCtx<TStore>) => TExtension;
196
+ /** Static sources contributed by this plugin with inline tool
197
+ * handlers. Lives entirely in memory — no DB writes at startup.
198
+ * Handlers close over `self` via the closure, so a control tool
199
+ * that delegates to the plugin's real API is a one-liner:
200
+ * `({ args }) => self.addSpec(args)`. */
201
+ readonly staticSources?: (self: NoInfer<TExtension>) => readonly StaticSourceDecl<TStore>[];
202
+ /** HttpApiGroup contributed by this plugin. Composed into the host's
203
+ * `HttpApi` via the `addGroup` helper at runtime. The host mounts
204
+ * the group at `/_executor/plugins/{id}/...` (or wherever the
205
+ * plugin declares its base path) with the host's auth + scope
206
+ * middleware applied. Endpoints automatically appear in the
207
+ * executor OpenAPI doc and the typed reactive client.
208
+ *
209
+ * TGroup is inferred from the plugin's own group declaration so the
210
+ * precise group identity flows through `composePluginApi(plugins)` —
211
+ * the host's typed `HttpApi<"executor", CoreGroups | PluginGroups>`
212
+ * is derived from the plugin tuple alone, with no per-plugin Group
213
+ * imports at the host. Per-endpoint typing already lives inside the
214
+ * plugin — its `handlers` Layer is built against its own bundled
215
+ * `HttpApi.make("foo").add(FooApi)` for full `.handle("name", ...)`
216
+ * inference, and its client imports the same group directly. */
217
+ readonly routes?: () => TGroup;
218
+ /** Handlers Layer for this plugin's group. Built by the plugin against
219
+ * its own bundled API for full type safety on `.handle("name", ...)`,
220
+ * composes into the host's runtime `FullApi` because
221
+ * `HttpApiBuilder.group` keys the layer by group identity, not by the
222
+ * surrounding API.
223
+ *
224
+ * Late-binding: the layer leaves the plugin's extension as a Service
225
+ * Tag requirement (see `extensionService` below). The host satisfies
226
+ * it however its runtime wants:
227
+ * - local: at boot via `Layer.succeed(extensionService)(executor[id])`
228
+ * (see `composePluginHandlers`)
229
+ * - cloud: per-request via `Effect.provideService(extensionService,
230
+ * requestExecutor[id])` in the auth middleware
231
+ *
232
+ * The Layer's channels are typed `any` because `Layer<RIn, E, ROut>`'s
233
+ * `ROut` is contravariant — the host accepts any layer here and merges
234
+ * them; per-plugin requirements flow through the merge. */
235
+ readonly handlers?: () => THandlersLayer;
236
+ /** Service tag the plugin's `handlers` layer requires. Set by plugins
237
+ * whose handlers consume their extension via a `Context.Service` tag
238
+ * (the established pattern: `*Handlers` reads `*ExtensionService`).
239
+ * The host binds the tag to the live extension — at boot for local,
240
+ * per request for cloud. Pairs with `handlers`; either both fields
241
+ * are set or neither.
242
+ *
243
+ * Inferred via the `TExtensionService` generic so the per-plugin
244
+ * Service class identity propagates through `composePluginHandlers`,
245
+ * `composePluginHandlerLayer`, and `providePluginExtensions` —
246
+ * cloud's per-request middleware needs the precise tag for layer
247
+ * satisfaction. */
248
+ readonly extensionService?: TExtensionService;
249
+ /** Invoke a dynamic tool. Called when the executor's static-handler
250
+ * map doesn't have the toolId. The plugin reads its own enrichment
251
+ * via `ctx.storage` and returns the result. Optional — plugins with
252
+ * only static tools can omit it. */
253
+ readonly invokeTool?: (input: InvokeToolInput<TStore>) => Effect.Effect<unknown, unknown>;
254
+ /** Bulk resolve annotations (requiresApproval, approvalDescription,
255
+ * mayElicit) for a set of tool rows under a single source. Called
256
+ * by the executor:
257
+ * - at invoke time with a single-element `toolRows` array, to
258
+ * enforce approval on the about-to-run tool
259
+ * - at list time with every dynamic tool row under each source,
260
+ * grouped by source_id, to populate `Tool.annotations` for UI
261
+ *
262
+ * The expected implementation for most plugins is: read plugin
263
+ * storage once for the given source/rows, derive annotations from
264
+ * the same data that was used to build the tool (HTTP method +
265
+ * path for openapi, introspection kind for graphql, etc.), return
266
+ * a map keyed by tool id.
267
+ *
268
+ * Omit if the plugin has no annotations to contribute — executor
269
+ * treats tools from that plugin as auto-approved with no
270
+ * elicitation. */
271
+ readonly resolveAnnotations?: (input: {
272
+ readonly ctx: PluginCtx<TStore>;
273
+ readonly sourceId: string;
274
+ readonly toolRows: readonly ToolRow[];
275
+ }) => Effect.Effect<Record<string, ToolAnnotations>, unknown>;
276
+ /** Called when `executor.sources.remove(id)` targets a source owned
277
+ * by this plugin. Plugin-side cleanup only; the executor deletes
278
+ * the core source/tool rows after this callback returns, inside
279
+ * the same transaction. */
280
+ readonly removeSource?: (input: SourceLifecycleInput<TStore>) => Effect.Effect<void, unknown>;
281
+ readonly refreshSource?: (input: SourceLifecycleInput<TStore>) => Effect.Effect<void, unknown>;
282
+ /** URL autodetection hook. When the user pastes a URL in the
283
+ * onboarding UI, `executor.sources.detect(url)` fans out to every
284
+ * plugin's `detect`. Return a `SourceDetectionResult` if you
285
+ * recognize the URL, `null` otherwise. Implementations should be
286
+ * defensive — swallow fetch errors and return null rather than
287
+ * throwing. First high-confidence match wins. */
288
+ readonly detect?: (input: {
289
+ readonly ctx: PluginCtx<TStore>;
290
+ readonly url: string;
291
+ }) => Effect.Effect<SourceDetectionResult | null, unknown>;
292
+ /** Secret providers contributed by this plugin. Either a static
293
+ * array, a function of ctx (for providers that need per-instance
294
+ * state like the keychain's scope-derived service name), or a
295
+ * function returning an Effect so plugins can probe for backend
296
+ * availability at startup and register conditionally. Called once
297
+ * at executor startup after `storage` and `extension` have been
298
+ * built. */
299
+ readonly secretProviders?: readonly SecretProvider[] | ((ctx: PluginCtx<TStore>) => readonly SecretProvider[]) | ((ctx: PluginCtx<TStore>) => Effect.Effect<readonly SecretProvider[]>);
300
+ /** Connection providers contributed by this plugin. Same registration
301
+ * shape as `secretProviders`. Each provider's `key` is what
302
+ * `connection.provider` references in the core table; the `refresh`
303
+ * handler is the SDK's single entry point for token lifecycle —
304
+ * plugins don't run their own refresh loops anymore. */
305
+ readonly connectionProviders?: readonly ConnectionProvider[] | ((ctx: PluginCtx<TStore>) => readonly ConnectionProvider[]) | ((ctx: PluginCtx<TStore>) => Effect.Effect<readonly ConnectionProvider[]>);
306
+ readonly close?: () => Effect.Effect<void, unknown>;
307
+ }
308
+ export interface Plugin<TId extends string = string, TExtension extends object = any, TStore = any, TSchema extends DBSchema | undefined = any, TExtensionService extends Context.Service<any, any> | undefined = any, THandlersLayer extends Layer.Layer<any, any, any> = any, TGroup extends HttpApiGroup.Any = HttpApiGroup.Any> extends PluginSpec<TId, TExtension, TStore, TSchema, TExtensionService, THandlersLayer, TGroup> {
309
+ }
310
+ export type ConfiguredPlugin<TId extends string, TExtension extends object, TStore, TOptions extends object, TSchema extends DBSchema | undefined, TExtensionService extends Context.Service<any, any> | undefined = undefined, THandlersLayer extends Layer.Layer<any, any, any> = Layer.Layer<unknown, never, never>, TGroup extends HttpApiGroup.Any = HttpApiGroup.Any> = (options?: TOptions & {
311
+ readonly storage?: (deps: StorageDeps<TSchema>) => TStore;
312
+ }) => Plugin<TId, TExtension, TStore, TSchema, TExtensionService, THandlersLayer, TGroup>;
313
+ export declare function definePlugin<TId extends string, TExtension extends object, TStore, TSchema extends DBSchema | undefined = undefined, TOptions extends object = {}, TExtensionService extends Context.Service<any, any> | undefined = undefined, THandlersLayer extends Layer.Layer<any, any, any> = Layer.Layer<unknown, never, never>, TGroup extends HttpApiGroup.Any = HttpApiGroup.Any>(authorFactory: (options?: TOptions) => PluginSpec<TId, TExtension, TStore, TSchema, TExtensionService, THandlersLayer, TGroup>): ConfiguredPlugin<TId, TExtension, TStore, TOptions, TSchema, TExtensionService, THandlersLayer, TGroup>;
314
+ export type AnyPlugin = Plugin<string>;
315
+ export type PluginExtensions<TPlugins extends readonly AnyPlugin[]> = {
316
+ readonly [P in TPlugins[number] as P["id"]]: P extends Plugin<string, infer TExt> ? TExt : never;
32
317
  };
33
- import type { Context } from "effect";
34
- export declare const definePlugin: <const TKey extends string, TExtension extends object>(plugin: ExecutorPlugin<TKey, TExtension>) => ExecutorPlugin<TKey, TExtension>;
318
+ /** Lightweight projection of a secret entry as returned by `ctx.secrets.list`. */
319
+ export interface SecretListEntry {
320
+ readonly id: string;
321
+ readonly name: string;
322
+ readonly provider: string;
323
+ }
324
+ export type { ElicitationHandler };
35
325
  //# sourceMappingURL=plugin.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAMrC,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,YAAY,CAAC,CAAC;IACzD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,cAAc,CAAC,CAAC;IAC7D,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,WAAW,CAAC,CAAC;IAC1D,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,YAAY,CAAC,CAAC;CAC7D;AAMD,MAAM,WAAW,cAAc,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM,EAAE,UAAU,SAAS,MAAM,GAAG,MAAM;IAC9F,kEAAkE;IAClE,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC;IAEnB;;;OAGG;IACH,QAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,aAAa,KAAK,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;CACvF;AAED,MAAM,WAAW,YAAY,CAAC,UAAU,SAAS,MAAM,GAAG,MAAM;IAC9D,8EAA8E;IAC9E,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,0CAA0C;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;CAC5C;AAMD,sEAAsE;AACtE,MAAM,MAAM,gBAAgB,CAAC,QAAQ,SAAS,SAAS,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI;IACzF,QAAQ,EAAE,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,cAAc,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,GACtF,IAAI,GACJ,KAAK;CACV,CAAC;AAGF,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAMtC,eAAO,MAAM,YAAY,GAAI,KAAK,CAAC,IAAI,SAAS,MAAM,EAAE,UAAU,SAAS,MAAM,EAC/E,QAAQ,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KACvC,cAAc,CAAC,IAAI,EAAE,UAAU,CAAW,CAAC"}
1
+ {"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,QAAQ,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,KAAK,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,YAAY,EACb,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,KAAK,EACV,kBAAkB,EAClB,aAAa,EACb,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC5B,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,OAAO,EACR,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,KAAK,EACV,wBAAwB,EACxB,kBAAkB,EAClB,kBAAkB,EAClB,mBAAmB,EACpB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,uBAAuB,EACvB,oCAAoC,EACpC,6BAA6B,EAC7B,kCAAkC,EAClC,4BAA4B,EAC7B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAc3E,MAAM,WAAW,WAAW,CAAC,OAAO,SAAS,QAAQ,GAAG,SAAS,GAAG,SAAS;IAC3E;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,EAAE,SAAS,KAAK,EAAE,CAAC;IAClC;;;;;;;OAOG;IACH,QAAQ,CAAC,OAAO,EAAE,OAAO,SAAS,QAAQ,GACtC,YAAY,CAAC,OAAO,EAAE,cAAc,CAAC,GACrC,SAAS,CAAC;IACd,QAAQ,CAAC,KAAK,EAAE,eAAe,CAAC;CACjC;AASD,eAAO,MAAM,YAAY,GAAI,KAAK,CAAC,CAAC,SAAS,QAAQ,EAAE,QAAQ,CAAC,KAAG,CAAW,CAAC;AAS/E,MAAM,MAAM,MAAM,GAAG,CACnB,OAAO,EAAE,kBAAkB,KACxB,MAAM,CAAC,MAAM,CAAC,mBAAmB,EAAE,wBAAwB,CAAC,CAAC;AAQlE,MAAM,WAAW,SAAS,CAAC,MAAM,GAAG,OAAO;IACzC;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,EAAE,SAAS,KAAK,EAAE,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAEzB,QAAQ,CAAC,IAAI,EAAE;QACb,QAAQ,CAAC,OAAO,EAAE;YAChB,QAAQ,CAAC,QAAQ,EAAE,CACjB,KAAK,EAAE,WAAW,KACf,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACzC,QAAQ,CAAC,UAAU,EAAE,CACnB,QAAQ,EAAE,MAAM,KACb,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACzC,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;gBACvB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;gBACvB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;aAC9B,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;SAC3C,CAAC;QACF;;;;;iEAKyD;QACzD,QAAQ,CAAC,WAAW,EAAE;YACpB,QAAQ,CAAC,QAAQ,EAAE,CACjB,KAAK,EAAE,gBAAgB,KACpB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;SAC1C,CAAC;KACH,CAAC;IAEF,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,GAAG,EAAE,CACZ,EAAE,EAAE,MAAM,KACP,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,EAAE,4BAA4B,GAAG,cAAc,CAAC,CAAC;QACjF;;iEAEyD;QACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,MAAM,CAAC,MAAM,CAChC,SAAS;YAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;SAAE,EAAE,EACpF,cAAc,CACf,CAAC;QACF;;;;;gEAKwD;QACxD,QAAQ,CAAC,GAAG,EAAE,CACZ,KAAK,EAAE,cAAc,KAClB,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAC9C;;;yCAGiC;QACjC,QAAQ,CAAC,MAAM,EAAE,CACf,EAAE,EAAE,MAAM,KACP,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,4BAA4B,GAAG,cAAc,CAAC,CAAC;KACzE,CAAC;IAEF;;;;2CAIuC;IACvC,QAAQ,CAAC,WAAW,EAAE;QACpB,QAAQ,CAAC,GAAG,EAAE,CACZ,EAAE,EAAE,MAAM,KACP,MAAM,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,EAAE,cAAc,CAAC,CAAC;QACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,aAAa,EAAE,EAAE,cAAc,CAAC,CAAC;QAC7E,QAAQ,CAAC,MAAM,EAAE,CACf,KAAK,EAAE,qBAAqB,KACzB,MAAM,CAAC,MAAM,CAChB,aAAa,EACb,oCAAoC,GAAG,cAAc,CACtD,CAAC;QACF,QAAQ,CAAC,YAAY,EAAE,CACrB,KAAK,EAAE,2BAA2B,KAC/B,MAAM,CAAC,MAAM,CAChB,aAAa,EACb,uBAAuB,GAAG,cAAc,CACzC,CAAC;QACF,QAAQ,CAAC,gBAAgB,EAAE,CACzB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,GAAG,IAAI,KACjB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,uBAAuB,GAAG,cAAc,CAAC,CAAC;QACnE;;mCAE2B;QAC3B,QAAQ,CAAC,WAAW,EAAE,CACpB,EAAE,EAAE,MAAM,KACP,MAAM,CAAC,MAAM,CAChB,MAAM,EACJ,uBAAuB,GACvB,oCAAoC,GACpC,kCAAkC,GAClC,6BAA6B,GAC7B,sBAAsB,GACtB,cAAc,CACjB,CAAC;QACF,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;KACtE,CAAC;IAEF;uFACmF;IACnF,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAE7B;;;wBAGoB;IACpB,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC,EACzB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,KACxB,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,CAAC;CAC3C;AAcD,MAAM,WAAW,sBAAsB,CAAC,MAAM,GAAG,OAAO;IACtD,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB;yDACqD;IACrD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,cAAc,CAAC,MAAM,GAAG,OAAO;IAC9C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC;;;sEAGkE;IAClE,QAAQ,CAAC,WAAW,CAAC,EAAE,eAAe,CAAC;IACvC,QAAQ,CAAC,OAAO,EAAE,CAChB,KAAK,EAAE,sBAAsB,CAAC,MAAM,CAAC,KAClC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAgB,CAAC,MAAM,GAAG,OAAO;IAChD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;iDAE6C;IAC7C,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,SAAS,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;CACnD;AAMD,MAAM,WAAW,eAAe,CAAC,MAAM,GAAG,OAAO;IAC/C,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC;;uBAEmB;IACnB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB;kEAC8D;IAC9D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB,CAAC,MAAM,GAAG,OAAO;IACpD,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAeD,MAAM,WAAW,UAAU,CACzB,GAAG,SAAS,MAAM,GAAG,MAAM,EAE3B,UAAU,SAAS,MAAM,GAAG,GAAG,EAE/B,MAAM,GAAG,GAAG,EAEZ,OAAO,SAAS,QAAQ,GAAG,SAAS,GAAG,GAAG,EAE1C,iBAAiB,SAAS,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,GAAG,EAErE,cAAc,SAAS,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,EACvD,MAAM,SAAS,YAAY,CAAC,GAAG,GAAG,YAAY,CAAC,GAAG;IAElD,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC;IACjB;;;;;;2DAMuD;IACvD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B;;;qEAGiE;IACjE,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;;mCAG+B;IAC/B,QAAQ,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,MAAM,CAAC;IAEzD;;;;6EAIyE;IACzE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,UAAU,CAAC;IAE5D;;;;8CAI0C;IAC1C,QAAQ,CAAC,aAAa,CAAC,EAAE,CACvB,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,KACtB,SAAS,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;IAEzC;;;;;;;;;;;;;;qEAciE;IACjE,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,MAAM,CAAC;IAE/B;;;;;;;;;;;;;;;;gEAgB4D;IAC5D,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,cAAc,CAAC;IAEzC;;;;;;;;;;;wBAWoB;IACpB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,iBAAiB,CAAC;IAE9C;;;yCAGqC;IACrC,QAAQ,CAAC,UAAU,CAAC,EAAE,CACpB,KAAK,EAAE,eAAe,CAAC,MAAM,CAAC,KAC3B,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAErC;;;;;;;;;;;;;;;;uBAgBmB;IACnB,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE;QACpC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,QAAQ,EAAE,SAAS,OAAO,EAAE,CAAC;KACvC,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC;IAE9D;;;gCAG4B;IAC5B,QAAQ,CAAC,YAAY,CAAC,EAAE,CACtB,KAAK,EAAE,oBAAoB,CAAC,MAAM,CAAC,KAChC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAElC,QAAQ,CAAC,aAAa,CAAC,EAAE,CACvB,KAAK,EAAE,oBAAoB,CAAC,MAAM,CAAC,KAChC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAElC;;;;;sDAKkD;IAClD,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE;QACxB,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;KACtB,KAAK,MAAM,CAAC,MAAM,CAAC,qBAAqB,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAE3D;;;;;;iBAMa;IACb,QAAQ,CAAC,eAAe,CAAC,EACrB,SAAS,cAAc,EAAE,GACzB,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,SAAS,cAAc,EAAE,CAAC,GACvD,CAAC,CACC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,KACnB,MAAM,CAAC,MAAM,CAAC,SAAS,cAAc,EAAE,CAAC,CAAC,CAAC;IAEnD;;;;6DAIyD;IACzD,QAAQ,CAAC,mBAAmB,CAAC,EACzB,SAAS,kBAAkB,EAAE,GAC7B,CAAC,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,SAAS,kBAAkB,EAAE,CAAC,GAC3D,CAAC,CACC,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,KACnB,MAAM,CAAC,MAAM,CAAC,SAAS,kBAAkB,EAAE,CAAC,CAAC,CAAC;IAEvD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;CACrD;AAED,MAAM,WAAW,MAAM,CACrB,GAAG,SAAS,MAAM,GAAG,MAAM,EAE3B,UAAU,SAAS,MAAM,GAAG,GAAG,EAE/B,MAAM,GAAG,GAAG,EAEZ,OAAO,SAAS,QAAQ,GAAG,SAAS,GAAG,GAAG,EAE1C,iBAAiB,SAAS,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,GAAG,EAErE,cAAc,SAAS,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,EACvD,MAAM,SAAS,YAAY,CAAC,GAAG,GAAG,YAAY,CAAC,GAAG,CAClD,SAAQ,UAAU,CAChB,GAAG,EACH,UAAU,EACV,MAAM,EACN,OAAO,EACP,iBAAiB,EACjB,cAAc,EACd,MAAM,CACP;CAAG;AAQN,MAAM,MAAM,gBAAgB,CAC1B,GAAG,SAAS,MAAM,EAClB,UAAU,SAAS,MAAM,EACzB,MAAM,EACN,QAAQ,SAAS,MAAM,EACvB,OAAO,SAAS,QAAQ,GAAG,SAAS,EAEpC,iBAAiB,SAAS,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,SAAS,EAE3E,cAAc,SAAS,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,EACtF,MAAM,SAAS,YAAY,CAAC,GAAG,GAAG,YAAY,CAAC,GAAG,IAChD,CACF,OAAO,CAAC,EAAE,QAAQ,GAAG;IACnB,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,MAAM,CAAC;CAC3D,KACE,MAAM,CACT,GAAG,EACH,UAAU,EACV,MAAM,EACN,OAAO,EACP,iBAAiB,EACjB,cAAc,EACd,MAAM,CACP,CAAC;AAGF,wBAAgB,YAAY,CAC1B,GAAG,SAAS,MAAM,EAClB,UAAU,SAAS,MAAM,EACzB,MAAM,EACN,OAAO,SAAS,QAAQ,GAAG,SAAS,GAAG,SAAS,EAChD,QAAQ,SAAS,MAAM,GAAG,EAAE,EAE5B,iBAAiB,SAAS,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,SAAS,GAAG,SAAS,EAE3E,cAAc,SAAS,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,EACtF,MAAM,SAAS,YAAY,CAAC,GAAG,GAAG,YAAY,CAAC,GAAG,EAElD,aAAa,EAAE,CACb,OAAO,CAAC,EAAE,QAAQ,KACf,UAAU,CACb,GAAG,EACH,UAAU,EACV,MAAM,EACN,OAAO,EACP,iBAAiB,EACjB,cAAc,EACd,MAAM,CACP,GACA,gBAAgB,CACjB,GAAG,EACH,UAAU,EACV,MAAM,EACN,QAAQ,EACR,OAAO,EACP,iBAAiB,EACjB,cAAc,EACd,MAAM,CACP,CAoBA;AASD,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAEvC,MAAM,MAAM,gBAAgB,CAAC,QAAQ,SAAS,SAAS,SAAS,EAAE,IAAI;IACpE,QAAQ,EAAE,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,MAAM,CAC3D,MAAM,EACN,MAAM,IAAI,CACX,GACG,IAAI,GACJ,KAAK;CACV,CAAC;AAEF,kFAAkF;AAClF,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAGD,YAAY,EAAE,kBAAkB,EAAE,CAAC"}
@@ -1,70 +1,62 @@
1
- import { Context, Effect, Schema } from "effect";
1
+ import { Schema } from "effect";
2
+ import type { ToolPolicyAction, ToolPolicyRow } from "./core-schema";
2
3
  import { PolicyId, ScopeId } from "./ids";
3
- import { PolicyDeniedError } from "./errors";
4
- export declare const PolicyAction: Schema.Literal<["allow", "deny", "require_approval"]>;
5
- export type PolicyAction = typeof PolicyAction.Type;
6
- declare const Policy_base: Schema.Class<Policy, {
7
- id: Schema.brand<typeof Schema.String, "PolicyId">;
8
- scopeId: Schema.brand<typeof Schema.String, "ScopeId">;
9
- name: typeof Schema.String;
10
- action: Schema.Literal<["allow", "deny", "require_approval"]>;
11
- match: Schema.Struct<{
12
- toolPattern: Schema.optional<typeof Schema.String>;
13
- sourceId: Schema.optional<typeof Schema.String>;
14
- }>;
15
- priority: typeof Schema.Number;
16
- createdAt: typeof Schema.DateFromNumber;
17
- }, Schema.Struct.Encoded<{
18
- id: Schema.brand<typeof Schema.String, "PolicyId">;
19
- scopeId: Schema.brand<typeof Schema.String, "ScopeId">;
20
- name: typeof Schema.String;
21
- action: Schema.Literal<["allow", "deny", "require_approval"]>;
22
- match: Schema.Struct<{
23
- toolPattern: Schema.optional<typeof Schema.String>;
24
- sourceId: Schema.optional<typeof Schema.String>;
25
- }>;
26
- priority: typeof Schema.Number;
27
- createdAt: typeof Schema.DateFromNumber;
28
- }>, never, {
29
- readonly action: "allow" | "deny" | "require_approval";
30
- } & {
31
- readonly id: string & import("effect/Brand").Brand<"PolicyId">;
32
- } & {
33
- readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
34
- } & {
35
- readonly name: string;
36
- } & {
4
+ export interface ToolPolicy {
5
+ readonly id: PolicyId;
6
+ readonly scopeId: ScopeId;
7
+ readonly pattern: string;
8
+ readonly action: ToolPolicyAction;
9
+ /** Fractional-indexing key. Lower lex order = higher precedence.
10
+ * Use `generateKeyBetween(a, b)` from the `fractional-indexing`
11
+ * package to produce a key that sits between two existing rows. */
12
+ readonly position: string;
37
13
  readonly createdAt: Date;
38
- } & {
39
- readonly priority: number;
40
- } & {
41
- readonly match: {
42
- readonly sourceId?: string | undefined;
43
- readonly toolPattern?: string | undefined;
44
- };
45
- }, {}, {}>;
46
- export declare class Policy extends Policy_base {
14
+ readonly updatedAt: Date;
47
15
  }
48
- declare const PolicyCheckInput_base: Schema.Class<PolicyCheckInput, {
49
- scopeId: Schema.brand<typeof Schema.String, "ScopeId">;
50
- toolId: Schema.brand<typeof Schema.String, "ToolId">;
51
- }, Schema.Struct.Encoded<{
52
- scopeId: Schema.brand<typeof Schema.String, "ScopeId">;
53
- toolId: Schema.brand<typeof Schema.String, "ToolId">;
54
- }>, never, {
55
- readonly toolId: string & import("effect/Brand").Brand<"ToolId">;
56
- } & {
57
- readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
58
- }, {}, {}>;
59
- export declare class PolicyCheckInput extends PolicyCheckInput_base {
16
+ export interface CreateToolPolicyInput {
17
+ readonly scope: string;
18
+ readonly pattern: string;
19
+ readonly action: ToolPolicyAction;
20
+ /** Optional explicit position. Defaults to a key above the current
21
+ * minimum (top of the scope's list; highest precedence). */
22
+ readonly position?: string;
60
23
  }
61
- declare const PolicyEngine_base: Context.TagClass<PolicyEngine, "@executor-js/sdk/PolicyEngine", {
62
- readonly list: (scopeId: ScopeId) => Effect.Effect<readonly Policy[]>;
63
- readonly check: (input: PolicyCheckInput) => Effect.Effect<void, PolicyDeniedError>;
64
- readonly add: (policy: Omit<Policy, "id" | "createdAt">) => Effect.Effect<Policy>;
65
- readonly remove: (policyId: PolicyId) => Effect.Effect<boolean>;
66
- }>;
67
- export declare class PolicyEngine extends PolicyEngine_base {
24
+ export interface UpdateToolPolicyInput {
25
+ readonly id: string;
26
+ readonly pattern?: string;
27
+ readonly action?: ToolPolicyAction;
28
+ readonly position?: string;
68
29
  }
69
- export {};
30
+ export interface PolicyMatch {
31
+ readonly action: ToolPolicyAction;
32
+ readonly pattern: string;
33
+ readonly policyId: string;
34
+ }
35
+ export type PolicySource = "user" | "plugin-default";
36
+ export interface EffectivePolicy {
37
+ readonly action: ToolPolicyAction;
38
+ readonly source: PolicySource;
39
+ /** Matched pattern; populated only when `source === "user"`. */
40
+ readonly pattern?: string;
41
+ /** Policy row id; populated only when `source === "user"`. */
42
+ readonly policyId?: string;
43
+ }
44
+ export declare const matchPattern: (pattern: string, toolId: string) => boolean;
45
+ export declare const isValidPattern: (pattern: string) => boolean;
46
+ export declare const comparePolicyRow: (a: {
47
+ position: unknown;
48
+ id: unknown;
49
+ }, b: {
50
+ position: unknown;
51
+ id: unknown;
52
+ }) => number;
53
+ export declare const resolveToolPolicy: (toolId: string, policies: readonly ToolPolicyRow[], scopeRank: (row: {
54
+ scope_id: unknown;
55
+ }) => number) => PolicyMatch | undefined;
56
+ export declare const resolveEffectivePolicy: (toolId: string, policies: readonly ToolPolicyRow[], scopeRank: (row: {
57
+ scope_id: unknown;
58
+ }) => number, defaultRequiresApproval?: boolean) => EffectivePolicy;
59
+ export declare const effectivePolicyFromSorted: (toolId: string, sortedPolicies: readonly Pick<ToolPolicy, "pattern" | "action" | "id">[], defaultRequiresApproval?: boolean) => EffectivePolicy;
60
+ export declare const rowToToolPolicy: (row: ToolPolicyRow) => ToolPolicy;
61
+ export declare const ToolPolicyActionSchema: Schema.Literals<readonly ["approve", "require_approval", "block"]>;
70
62
  //# sourceMappingURL=policies.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEjD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAU,MAAM,OAAO,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,eAAO,MAAM,YAAY,uDAAsD,CAAC;AAChF,MAAM,MAAM,YAAY,GAAG,OAAO,YAAY,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEpD,qBAAa,MAAO,SAAQ,WAW1B;CAAG;;;;;;;;;;;;AAEL,qBAAa,gBAAiB,SAAQ,qBAGpC;CAAG;;mBAKc,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,MAAM,EAAE,CAAC;oBACrD,CAAC,KAAK,EAAE,gBAAgB,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,iBAAiB,CAAC;kBACrE,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,GAAG,WAAW,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;qBAChE,CAAC,QAAQ,EAAE,QAAQ,KAAK,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;;AANnE,qBAAa,YAAa,SAAQ,iBAQ/B;CAAG"}
1
+ {"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../src/policies.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAQ1C,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC;;wEAEoE;IACpE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC;iEAC6D;IAC7D,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC;IACnC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAQD,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAaD,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,gBAAgB,CAAC;AAErD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,gEAAgE;IAChE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,8DAA8D;IAC9D,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAYD,eAAO,MAAM,YAAY,GAAI,SAAS,MAAM,EAAE,QAAQ,MAAM,KAAG,OAS9D,CAAC;AAOF,eAAO,MAAM,cAAc,GAAI,SAAS,MAAM,KAAG,OAehD,CAAC;AAcF,eAAO,MAAM,gBAAgB,GAC3B,GAAG;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE,EACrC,GAAG;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE,KACpC,MAQF,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,QAAQ,MAAM,EACd,UAAU,SAAS,aAAa,EAAE,EAClC,WAAW,CAAC,GAAG,EAAE;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,KAAK,MAAM,KAChD,WAAW,GAAG,SAkBhB,CAAC;AA8BF,eAAO,MAAM,sBAAsB,GACjC,QAAQ,MAAM,EACd,UAAU,SAAS,aAAa,EAAE,EAClC,WAAW,CAAC,GAAG,EAAE;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,KAAK,MAAM,EACjD,0BAA0B,OAAO,KAChC,eAGF,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,QAAQ,MAAM,EACd,gBAAgB,SAAS,IAAI,CAAC,UAAU,EAAE,SAAS,GAAG,QAAQ,GAAG,IAAI,CAAC,EAAE,EACxE,0BAA0B,OAAO,KAChC,eAYF,CAAC;AAMF,eAAO,MAAM,eAAe,GAAI,KAAK,aAAa,KAAG,UAQnD,CAAC;AAOH,eAAO,MAAM,sBAAsB,oEAIjC,CAAC"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=policies.test.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"policies.test.d.ts","sourceRoot":"","sources":["../src/policies.test.ts"],"names":[],"mappings":""}