@executor-js/sdk 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (80) hide show
  1. package/README.md +21 -29
  2. package/dist/api-errors.d.ts +10 -0
  3. package/dist/api-errors.d.ts.map +1 -0
  4. package/dist/blob.d.ts.map +1 -1
  5. package/dist/chunk-6SQWMOM4.js +51 -0
  6. package/dist/chunk-6SQWMOM4.js.map +1 -0
  7. package/dist/chunk-FPV6KONN.js +78 -0
  8. package/dist/chunk-FPV6KONN.js.map +1 -0
  9. package/dist/chunk-VLVPSIQ4.js +5532 -0
  10. package/dist/chunk-VLVPSIQ4.js.map +1 -0
  11. package/dist/client.d.ts +132 -0
  12. package/dist/client.d.ts.map +1 -0
  13. package/dist/client.js +81 -0
  14. package/dist/client.js.map +1 -0
  15. package/dist/client.test.d.ts +2 -0
  16. package/dist/client.test.d.ts.map +1 -0
  17. package/dist/config.d.ts +17 -7
  18. package/dist/config.d.ts.map +1 -1
  19. package/dist/connections.d.ts +7 -0
  20. package/dist/connections.d.ts.map +1 -1
  21. package/dist/core-schema.d.ts +83 -3
  22. package/dist/core-schema.d.ts.map +1 -1
  23. package/dist/core.js +113 -50
  24. package/dist/core.js.map +1 -1
  25. package/dist/credential-bindings.d.ts +173 -0
  26. package/dist/credential-bindings.d.ts.map +1 -0
  27. package/dist/credential-bindings.test.d.ts +2 -0
  28. package/dist/credential-bindings.test.d.ts.map +1 -0
  29. package/dist/errors.d.ts +27 -5
  30. package/dist/errors.d.ts.map +1 -1
  31. package/dist/executor.d.ts +47 -13
  32. package/dist/executor.d.ts.map +1 -1
  33. package/dist/hosted-http-client.d.ts +17 -0
  34. package/dist/hosted-http-client.d.ts.map +1 -0
  35. package/dist/hosted-http-client.test.d.ts +2 -0
  36. package/dist/hosted-http-client.test.d.ts.map +1 -0
  37. package/dist/ids.d.ts +2 -0
  38. package/dist/ids.d.ts.map +1 -1
  39. package/dist/index.d.ts +17 -10
  40. package/dist/index.d.ts.map +1 -1
  41. package/dist/index.js +16 -18
  42. package/dist/index.js.map +1 -1
  43. package/dist/oauth-discovery.d.ts +19 -4
  44. package/dist/oauth-discovery.d.ts.map +1 -1
  45. package/dist/oauth-helpers.d.ts +21 -0
  46. package/dist/oauth-helpers.d.ts.map +1 -1
  47. package/dist/oauth-popup-types.d.ts.map +1 -1
  48. package/dist/oauth-service.d.ts +16 -5
  49. package/dist/oauth-service.d.ts.map +1 -1
  50. package/dist/oauth.d.ts +19 -16
  51. package/dist/oauth.d.ts.map +1 -1
  52. package/dist/oxlint-plugin-executor.test.d.ts +2 -0
  53. package/dist/oxlint-plugin-executor.test.d.ts.map +1 -0
  54. package/dist/plugin.d.ts +123 -22
  55. package/dist/plugin.d.ts.map +1 -1
  56. package/dist/policies.d.ts +10 -15
  57. package/dist/policies.d.ts.map +1 -1
  58. package/dist/promise-executor.d.ts.map +1 -1
  59. package/dist/promise.d.ts +5 -3
  60. package/dist/promise.d.ts.map +1 -1
  61. package/dist/schema-types.d.ts.map +1 -1
  62. package/dist/scoped-adapter.d.ts +17 -2
  63. package/dist/scoped-adapter.d.ts.map +1 -1
  64. package/dist/secrets.d.ts +12 -0
  65. package/dist/secrets.d.ts.map +1 -1
  66. package/dist/test-config.d.ts +10 -0
  67. package/dist/test-config.d.ts.map +1 -0
  68. package/dist/testing.d.ts +30 -8
  69. package/dist/testing.d.ts.map +1 -1
  70. package/dist/testing.js +56 -0
  71. package/dist/testing.js.map +1 -0
  72. package/dist/types.d.ts +11 -3
  73. package/dist/types.d.ts.map +1 -1
  74. package/dist/usage-visibility.test.d.ts +2 -0
  75. package/dist/usage-visibility.test.d.ts.map +1 -0
  76. package/dist/usages.d.ts +20 -0
  77. package/dist/usages.d.ts.map +1 -0
  78. package/package.json +36 -4
  79. package/dist/chunk-6LMMN2GP.js +0 -4396
  80. package/dist/chunk-6LMMN2GP.js.map +0 -1
package/dist/core.js CHANGED
@@ -1,5 +1,21 @@
1
1
  import {
2
+ SecretBackedMap,
3
+ SecretBackedValue,
4
+ defineExecutorConfig,
5
+ isSecretBackedRef,
6
+ resolveSecretBackedMap
7
+ } from "./chunk-6SQWMOM4.js";
8
+ import {
9
+ definePlugin,
10
+ defineSchema,
11
+ makeTestConfig
12
+ } from "./chunk-FPV6KONN.js";
13
+ import {
14
+ ConfiguredCredentialBinding,
15
+ ConfiguredCredentialValue,
16
+ ConfiguredCredentialValueSchema,
2
17
  ConnectionId,
18
+ ConnectionInUseError,
3
19
  ConnectionNotFoundError,
4
20
  ConnectionProviderNotRegisteredError,
5
21
  ConnectionProviderState,
@@ -8,10 +24,18 @@ import {
8
24
  ConnectionRefreshError,
9
25
  ConnectionRefreshNotSupportedError,
10
26
  CreateConnectionInput,
27
+ CredentialBindingId,
28
+ CredentialBindingKind,
29
+ CredentialBindingRef,
30
+ CredentialBindingResolutionStatus,
31
+ CredentialBindingSlotInput,
32
+ CredentialBindingSourceInput,
33
+ CredentialBindingValue,
11
34
  ElicitationAction,
12
35
  ElicitationDeclinedError,
13
36
  ElicitationResponse,
14
37
  FormElicitation,
38
+ HostedOutboundRequestBlocked,
15
39
  NoHandlerError,
16
40
  OAUTH2_DEFAULT_TIMEOUT_MS,
17
41
  OAUTH2_PROVIDER_KEY,
@@ -33,15 +57,22 @@ import {
33
57
  OAuthStrategy,
34
58
  PluginNotLoadedError,
35
59
  PolicyId,
60
+ RemoveConnectionInput,
61
+ RemoveCredentialBindingInput,
62
+ RemoveSecretInput,
63
+ ReplaceCredentialBindingValue,
64
+ ReplaceCredentialBindingsInput,
65
+ ResolvedCredentialSlot,
36
66
  Scope,
37
67
  ScopeId,
38
- SecretBackedMap,
39
- SecretBackedValue,
68
+ ScopedSecretCredentialInput,
40
69
  SecretId,
70
+ SecretInUseError,
41
71
  SecretNotFoundError,
42
72
  SecretOwnedByConnectionError,
43
73
  SecretRef,
44
74
  SecretResolutionError,
75
+ SetCredentialBindingInput,
45
76
  SetSecretInput,
46
77
  SourceDetectionResult,
47
78
  SourceNotFoundError,
@@ -56,6 +87,8 @@ import {
56
87
  ToolSchema,
57
88
  UpdateConnectionTokensInput,
58
89
  UrlElicitation,
90
+ Usage,
91
+ assertSupportedOAuthEndpointUrl,
59
92
  beginDynamicAuthorization,
60
93
  buildAuthorizationUrl,
61
94
  buildToolTypeScriptPreview,
@@ -64,15 +97,20 @@ import {
64
97
  createExecutor,
65
98
  createPkceCodeChallenge,
66
99
  createPkceCodeVerifier,
67
- defineExecutorConfig,
100
+ credentialBindingId,
101
+ credentialBindingRowToRef,
102
+ credentialBindingValueFromRow,
103
+ credentialSlotKey,
104
+ credentialSlotPart,
68
105
  discoverAuthorizationServerMetadata,
69
106
  discoverProtectedResourceMetadata,
70
107
  effectivePolicyFromSorted,
71
108
  exchangeAuthorizationCode,
72
109
  exchangeClientCredentials,
73
- isSecretBackedRef,
110
+ isSupportedOAuthEndpointUrl,
74
111
  isToolPolicyAction,
75
112
  isValidPattern,
113
+ makeHostedHttpClientLayer,
76
114
  makeInMemoryBlobStore,
77
115
  makeOAuth2Service,
78
116
  matchPattern,
@@ -80,15 +118,25 @@ import {
80
118
  refreshAccessToken,
81
119
  registerDynamicClient,
82
120
  resolveEffectivePolicy,
83
- resolveSecretBackedMap,
84
121
  resolveToolPolicy,
85
122
  rowToToolPolicy,
86
123
  schemaToTypeScriptPreview,
87
124
  schemaToTypeScriptPreviewWithDefs,
88
- shouldRefreshToken
89
- } from "./chunk-6LMMN2GP.js";
125
+ shouldRefreshToken,
126
+ validateHostedOutboundUrl
127
+ } from "./chunk-VLVPSIQ4.js";
90
128
 
91
129
  // src/index.ts
130
+ import { Context, Effect, Layer, Schema as Schema2, Data, Option } from "effect";
131
+ import {
132
+ HttpApi,
133
+ HttpApiBuilder,
134
+ HttpApiClient,
135
+ HttpApiEndpoint,
136
+ HttpApiGroup,
137
+ HttpApiMiddleware,
138
+ HttpApiSchema
139
+ } from "effect/unstable/httpapi";
92
140
  import { typedAdapter } from "@executor-js/storage-core";
93
141
  import { StorageError, UniqueViolationError } from "@executor-js/storage-core";
94
142
 
@@ -96,48 +144,6 @@ import { StorageError, UniqueViolationError } from "@executor-js/storage-core";
96
144
  var OAUTH_POPUP_MESSAGE_TYPE = "executor:oauth-result";
97
145
  var isOAuthPopupResult = (value) => typeof value === "object" && value !== null && value.type === OAUTH_POPUP_MESSAGE_TYPE;
98
146
 
99
- // src/plugin.ts
100
- var defineSchema = (schema) => schema;
101
- function definePlugin(authorFactory) {
102
- return (options) => {
103
- const {
104
- storage: storageOverride,
105
- ...rest
106
- } = options ?? {};
107
- const hasAuthorOptions = Object.keys(rest).length > 0;
108
- const spec = authorFactory(
109
- hasAuthorOptions ? rest : void 0
110
- );
111
- return {
112
- ...spec,
113
- storage: storageOverride ?? spec.storage
114
- };
115
- };
116
- }
117
-
118
- // src/testing.ts
119
- import { makeMemoryAdapter } from "@executor-js/storage-core/testing/memory";
120
- var makeTestConfig = (options) => {
121
- const scopes = options?.scopes ?? [
122
- new Scope({
123
- id: ScopeId.make("test-scope"),
124
- name: options?.scopeName ?? "test",
125
- createdAt: /* @__PURE__ */ new Date()
126
- })
127
- ];
128
- const schema = collectSchemas(options?.plugins ?? []);
129
- return {
130
- scopes,
131
- adapter: makeMemoryAdapter({ schema }),
132
- blobs: makeInMemoryBlobStore(),
133
- plugins: options?.plugins,
134
- // Tests default to auto-accepting elicitation prompts. Override via
135
- // a wrapping spread if a test exercises a real handler:
136
- // { ...makeTestConfig(...), onElicitation: customHandler }
137
- onElicitation: "accept-all"
138
- };
139
- };
140
-
141
147
  // src/schema-refs.ts
142
148
  var REF_PATTERN = /^#\/(?:\$defs|definitions)\/(.+)$/;
143
149
  var parseRefName = (ref) => ref.match(REF_PATTERN)?.[1];
@@ -223,8 +229,24 @@ var reattachDefs = (schema, defs) => {
223
229
  }
224
230
  return { ...schema, $defs: attached };
225
231
  };
232
+
233
+ // src/api-errors.ts
234
+ import { Schema } from "effect";
235
+ var InternalError = class extends Schema.TaggedErrorClass()(
236
+ "InternalError",
237
+ {
238
+ /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */
239
+ traceId: Schema.String
240
+ },
241
+ { httpApiStatus: 500 }
242
+ ) {
243
+ };
226
244
  export {
245
+ ConfiguredCredentialBinding,
246
+ ConfiguredCredentialValue,
247
+ ConfiguredCredentialValueSchema,
227
248
  ConnectionId,
249
+ ConnectionInUseError,
228
250
  ConnectionNotFoundError,
229
251
  ConnectionProviderNotRegisteredError,
230
252
  ConnectionProviderState,
@@ -232,11 +254,31 @@ export {
232
254
  ConnectionRef,
233
255
  ConnectionRefreshError,
234
256
  ConnectionRefreshNotSupportedError,
257
+ Context,
235
258
  CreateConnectionInput,
259
+ CredentialBindingId,
260
+ CredentialBindingKind,
261
+ CredentialBindingRef,
262
+ CredentialBindingResolutionStatus,
263
+ CredentialBindingSlotInput,
264
+ CredentialBindingSourceInput,
265
+ CredentialBindingValue,
266
+ Data,
267
+ Effect,
236
268
  ElicitationAction,
237
269
  ElicitationDeclinedError,
238
270
  ElicitationResponse,
239
271
  FormElicitation,
272
+ HostedOutboundRequestBlocked,
273
+ HttpApi,
274
+ HttpApiBuilder,
275
+ HttpApiClient,
276
+ HttpApiEndpoint,
277
+ HttpApiGroup,
278
+ HttpApiMiddleware,
279
+ HttpApiSchema,
280
+ InternalError,
281
+ Layer,
240
282
  NoHandlerError,
241
283
  OAUTH2_DEFAULT_TIMEOUT_MS,
242
284
  OAUTH2_PROVIDER_KEY,
@@ -257,17 +299,28 @@ export {
257
299
  OAuthSessionNotFoundError,
258
300
  OAuthStartError,
259
301
  OAuthStrategy as OAuthStrategySchema,
302
+ Option,
260
303
  PluginNotLoadedError,
261
304
  PolicyId,
305
+ RemoveConnectionInput,
306
+ RemoveCredentialBindingInput,
307
+ RemoveSecretInput,
308
+ ReplaceCredentialBindingValue,
309
+ ReplaceCredentialBindingsInput,
310
+ ResolvedCredentialSlot,
311
+ Schema2 as Schema,
262
312
  Scope,
263
313
  ScopeId,
314
+ ScopedSecretCredentialInput,
264
315
  SecretBackedMap,
265
316
  SecretBackedValue,
266
317
  SecretId,
318
+ SecretInUseError,
267
319
  SecretNotFoundError,
268
320
  SecretOwnedByConnectionError,
269
321
  SecretRef,
270
322
  SecretResolutionError,
323
+ SetCredentialBindingInput,
271
324
  SetSecretInput,
272
325
  SourceDetectionResult,
273
326
  SourceNotFoundError,
@@ -284,6 +337,8 @@ export {
284
337
  UniqueViolationError,
285
338
  UpdateConnectionTokensInput,
286
339
  UrlElicitation,
340
+ Usage,
341
+ assertSupportedOAuthEndpointUrl,
287
342
  beginDynamicAuthorization,
288
343
  buildAuthorizationUrl,
289
344
  buildToolTypeScriptPreview,
@@ -293,6 +348,11 @@ export {
293
348
  createExecutor,
294
349
  createPkceCodeChallenge,
295
350
  createPkceCodeVerifier,
351
+ credentialBindingId,
352
+ credentialBindingRowToRef,
353
+ credentialBindingValueFromRow,
354
+ credentialSlotKey,
355
+ credentialSlotPart,
296
356
  defineExecutorConfig,
297
357
  definePlugin,
298
358
  defineSchema,
@@ -304,8 +364,10 @@ export {
304
364
  hoistDefinitions,
305
365
  isOAuthPopupResult,
306
366
  isSecretBackedRef,
367
+ isSupportedOAuthEndpointUrl,
307
368
  isToolPolicyAction,
308
369
  isValidPattern,
370
+ makeHostedHttpClientLayer,
309
371
  makeInMemoryBlobStore,
310
372
  makeOAuth2Service,
311
373
  makeTestConfig,
@@ -322,6 +384,7 @@ export {
322
384
  schemaToTypeScriptPreview,
323
385
  schemaToTypeScriptPreviewWithDefs,
324
386
  shouldRefreshToken,
325
- typedAdapter
387
+ typedAdapter,
388
+ validateHostedOutboundUrl
326
389
  };
327
390
  //# sourceMappingURL=core.js.map
package/dist/core.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/oauth-popup-types.ts","../src/plugin.ts","../src/testing.ts","../src/schema-refs.ts"],"sourcesContent":["// ---------------------------------------------------------------------------\n// @executor-js/sdk — public surface\n// ---------------------------------------------------------------------------\n\n// Storage adapter interface types (re-exported from @executor-js/storage-core\n// so plugin authors can write adapters against a single public surface\n// without depending on storage-core directly).\nexport type {\n DBAdapter,\n DBSchema,\n DBFieldAttribute,\n DBFieldType,\n StorageFailure,\n TypedAdapter,\n Where,\n WhereOperator,\n} from \"@executor-js/storage-core\";\n\nexport { typedAdapter } from \"@executor-js/storage-core\";\n\n// Storage-layer typed errors (re-exported so plugin code can catchTag\n// `UniqueViolationError` without importing storage-core directly).\nexport { StorageError, UniqueViolationError } from \"@executor-js/storage-core\";\n\n// IDs (branded)\nexport { ScopeId, ToolId, SecretId, PolicyId, ConnectionId } from \"./ids\";\n\n// Scope\nexport { Scope } from \"./scope\";\n\n// Errors (tagged)\nexport {\n ToolNotFoundError,\n ToolInvocationError,\n ToolBlockedError,\n NoHandlerError,\n SourceNotFoundError,\n SourceRemovalNotAllowedError,\n PluginNotLoadedError,\n SecretNotFoundError,\n SecretResolutionError,\n SecretOwnedByConnectionError,\n ConnectionNotFoundError,\n ConnectionProviderNotRegisteredError,\n ConnectionRefreshNotSupportedError,\n ConnectionReauthRequiredError,\n type ExecutorError,\n} from \"./errors\";\n\n// Public projections\nexport {\n ToolSchema,\n SourceDetectionResult,\n type Source,\n type Tool,\n type ToolListFilter,\n} from \"./types\";\n\n// Core schema\nexport {\n coreSchema,\n isToolPolicyAction,\n TOOL_POLICY_ACTIONS,\n type CoreSchema,\n type SourceInput,\n type SourceInputTool,\n type SourceRow,\n type ToolRow,\n type DefinitionRow,\n type SecretRow,\n type ConnectionRow,\n type ToolPolicyRow,\n type ToolPolicyAction,\n type DefinitionsInput,\n type ToolAnnotations,\n} from \"./core-schema\";\n\n// Tool policies\nexport {\n matchPattern,\n isValidPattern,\n resolveToolPolicy,\n resolveEffectivePolicy,\n effectivePolicyFromSorted,\n rowToToolPolicy,\n ToolPolicyActionSchema,\n type ToolPolicy,\n type CreateToolPolicyInput,\n type UpdateToolPolicyInput,\n type PolicyMatch,\n type EffectivePolicy,\n type PolicySource,\n} from \"./policies\";\n\n// Secrets\nexport { SecretRef, SetSecretInput, type SecretProvider } from \"./secrets\";\n\nexport {\n SecretBackedMap,\n SecretBackedValue,\n isSecretBackedRef,\n resolveSecretBackedMap,\n type ResolveSecretBackedMapOptions,\n} from \"./secret-backed-value\";\n\n// Connections\nexport {\n ConnectionRef,\n ConnectionProviderState,\n CreateConnectionInput,\n UpdateConnectionTokensInput,\n TokenMaterial,\n ConnectionRefreshError,\n type ConnectionProvider,\n type ConnectionRefreshInput,\n type ConnectionRefreshResult,\n} from \"./connections\";\n\n// Elicitation\nexport {\n FormElicitation,\n UrlElicitation,\n ElicitationAction,\n ElicitationResponse,\n ElicitationDeclinedError,\n type ElicitationRequest,\n type ElicitationHandler,\n type ElicitationContext,\n} from \"./elicitation\";\n\n// Blob store\nexport {\n type BlobStore,\n type PluginBlobStore,\n pluginBlobStore,\n makeInMemoryBlobStore,\n} from \"./blob\";\n\n// OAuth 2.1\nexport {\n type OAuthService,\n type OAuthStrategy,\n type OAuthDynamicDcrStrategy,\n type OAuthAuthorizationCodeStrategy,\n type OAuthClientCredentialsStrategy,\n type OAuthProviderState,\n type OAuthProbeInput,\n type OAuthProbeResult,\n type OAuthStartInput,\n type OAuthStartResult,\n type OAuthCompleteInput,\n type OAuthCompleteResult,\n OAuthProbeError,\n OAuthStartError,\n OAuthCompleteError,\n OAuthSessionNotFoundError,\n OAUTH2_PROVIDER_KEY,\n OAUTH2_SESSION_TTL_MS,\n OAuthStrategy as OAuthStrategySchema,\n OAuthProviderState as OAuthProviderStateSchema,\n OAuthDynamicDcrStrategy as OAuthDynamicDcrStrategySchema,\n OAuthAuthorizationCodeStrategy as OAuthAuthorizationCodeStrategySchema,\n OAuthClientCredentialsStrategy as OAuthClientCredentialsStrategySchema,\n} from \"./oauth\";\n\nexport {\n OAuth2Error,\n OAUTH2_DEFAULT_TIMEOUT_MS,\n OAUTH2_REFRESH_SKEW_MS,\n buildAuthorizationUrl,\n createPkceCodeChallenge,\n createPkceCodeVerifier,\n exchangeAuthorizationCode,\n exchangeClientCredentials,\n refreshAccessToken,\n shouldRefreshToken,\n type OAuth2TokenResponse,\n type BuildAuthorizationUrlInput,\n type ClientAuthMethod,\n type ExchangeAuthorizationCodeInput,\n type ExchangeClientCredentialsInput,\n type RefreshAccessTokenInput,\n} from \"./oauth-helpers\";\n\nexport { makeOAuth2Service, type OAuthServiceDeps } from \"./oauth-service\";\n\nexport {\n OAuthDiscoveryError,\n OAuthAuthorizationServerMetadataSchema,\n OAuthClientInformationSchema,\n OAuthProtectedResourceMetadataSchema,\n beginDynamicAuthorization,\n discoverAuthorizationServerMetadata,\n discoverProtectedResourceMetadata,\n registerDynamicClient,\n type BeginDynamicAuthorizationInput,\n type DiscoveryRequestOptions,\n type DynamicAuthorizationState,\n type DynamicAuthorizationStartResult,\n type DynamicClientMetadata,\n type OAuthAuthorizationServerMetadata,\n type OAuthClientInformation,\n type OAuthProtectedResourceMetadata,\n type RegisterDynamicClientInput,\n} from \"./oauth-discovery\";\n\nexport {\n OAUTH_POPUP_MESSAGE_TYPE,\n type OAuthPopupResult,\n isOAuthPopupResult,\n} from \"./oauth-popup-types\";\n\n// Plugin definition\nexport {\n type Plugin,\n type PluginSpec,\n type PluginCtx,\n type PluginExtensions,\n type ConfiguredPlugin,\n type AnyPlugin,\n type StorageDeps,\n type StaticSourceDecl,\n type StaticToolDecl,\n type StaticToolHandlerInput,\n type InvokeToolInput,\n type SourceLifecycleInput,\n type SecretListEntry,\n type Elicit,\n definePlugin,\n defineSchema,\n} from \"./plugin\";\n\n// Executor\nexport {\n type Executor,\n type ExecutorConfig,\n type OnElicitation,\n type InvokeOptions,\n createExecutor,\n collectSchemas,\n} from \"./executor\";\n\n// CLI config\nexport { defineExecutorConfig, type ExecutorCliConfig, type ExecutorDialect } from \"./config\";\n\n// Test helper\nexport { makeTestConfig } from \"./testing\";\n\n// JSON schema $ref helpers (used by openapi for $defs handling)\nexport { hoistDefinitions, collectRefs, reattachDefs, normalizeRefs } from \"./schema-refs\";\n\n// TypeScript preview generation from JSON schemas\nexport {\n schemaToTypeScriptPreview,\n schemaToTypeScriptPreviewWithDefs,\n buildToolTypeScriptPreview,\n type TypeScriptRenderOptions,\n type TypeScriptSchemaPreview,\n} from \"./schema-types\";\n","// ---------------------------------------------------------------------------\n// OAuth popup result — the message shape exchanged between the popup window\n// (opened during authorization) and the opener (the onboarding UI). Both the\n// server-side HTML generator and the client-side popup opener agree on this\n// shape so that success / failure can be communicated reliably via both\n// `postMessage` and `BroadcastChannel`.\n// ---------------------------------------------------------------------------\n\n/** Message type literal used to identify our popup results. */\nexport const OAUTH_POPUP_MESSAGE_TYPE = \"executor:oauth-result\" as const;\n\nexport type OAuthPopupResult<TAuth> =\n | ({\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: true;\n readonly sessionId: string;\n } & TAuth)\n | {\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: false;\n readonly sessionId: string | null;\n readonly error: string;\n };\n\nexport const isOAuthPopupResult = <TAuth>(\n value: unknown,\n): value is OAuthPopupResult<TAuth> =>\n typeof value === \"object\" &&\n value !== null &&\n (value as { type?: unknown }).type === OAUTH_POPUP_MESSAGE_TYPE;\n","import type { Effect } from \"effect\";\nimport type {\n DBAdapter,\n DBSchema,\n StorageFailure,\n TypedAdapter,\n} from \"@executor-js/storage-core\";\n\nimport type { PluginBlobStore } from \"./blob\";\nimport type {\n ConnectionProvider,\n ConnectionRef,\n ConnectionRefreshError,\n CreateConnectionInput,\n UpdateConnectionTokensInput,\n} from \"./connections\";\nimport type {\n DefinitionsInput,\n SourceInput,\n ToolAnnotations,\n ToolRow,\n} from \"./core-schema\";\nimport type { SourceDetectionResult } from \"./types\";\nimport type {\n ElicitationDeclinedError,\n ElicitationHandler,\n ElicitationRequest,\n ElicitationResponse,\n} from \"./elicitation\";\nimport type {\n ConnectionNotFoundError,\n ConnectionProviderNotRegisteredError,\n ConnectionReauthRequiredError,\n ConnectionRefreshNotSupportedError,\n SecretOwnedByConnectionError,\n} from \"./errors\";\nimport type { OAuthService } from \"./oauth\";\nimport type { Scope } from \"./scope\";\nimport type { SecretProvider, SecretRef, SetSecretInput } from \"./secrets\";\n\n// ---------------------------------------------------------------------------\n// StorageDeps — backing passed to a plugin's `storage` factory. The only\n// place a plugin ever sees storage; `PluginCtx` does not carry it. The\n// `adapter` field is a `TypedAdapter<TSchema>` view narrowed by the\n// plugin's own declared `schema` — plugins never import or construct\n// a typed adapter themselves, the executor infers TSchema from the\n// `schema` field on their spec and hands back a typed view.\n//\n// Plugins with no schema (secret-provider-only plugins, etc.) get a\n// bare `DBAdapter` they can ignore.\n// ---------------------------------------------------------------------------\n\nexport interface StorageDeps<TSchema extends DBSchema | undefined = undefined> {\n /**\n * Precedence-ordered scope stack visible to this executor. Innermost\n * first. Reads on scoped tables walk every scope; writes require the\n * plugin to name a target scope explicitly (via `scope_id` on the\n * adapter payload, via `options.scope` on the blob store).\n */\n readonly scopes: readonly Scope[];\n /**\n * Plugin-facing typed adapter. Failures surface as raw `StorageFailure`\n * (`StorageError` | `UniqueViolationError`). Plugins can\n * `catchTag(\"UniqueViolationError\", …)` to translate to their own\n * user-facing errors. `StorageError` bubbles up; the HTTP edge (see\n * `@executor-js/api` `withCapture`) is the one place that\n * translates it to the opaque `InternalError({ traceId })`.\n */\n readonly adapter: TSchema extends DBSchema\n ? TypedAdapter<TSchema, StorageFailure>\n : DBAdapter;\n readonly blobs: PluginBlobStore;\n}\n\n// ---------------------------------------------------------------------------\n// defineSchema — sugar around `as const satisfies DBSchema`. Preserves\n// literal types via the `const` type parameter modifier so plugins can\n// just write `const mySchema = defineSchema({ ... })` without annotation\n// ceremony.\n// ---------------------------------------------------------------------------\n\nexport const defineSchema = <const S extends DBSchema>(schema: S): S => schema;\n\n// ---------------------------------------------------------------------------\n// Elicit — suspends the fiber, calls the invoke-time elicitation\n// handler, resumes with the user's response. Available on both static\n// tool handlers and dynamic `invokeTool` handlers. Threaded through\n// the executor from `createExecutor({ onElicitation })`.\n// ---------------------------------------------------------------------------\n\nexport type Elicit = (\n request: ElicitationRequest,\n) => Effect.Effect<ElicitationResponse, ElicitationDeclinedError>;\n\n// ---------------------------------------------------------------------------\n// PluginCtx — threaded into every extension method, static tool handler,\n// and dynamic tool handler. No raw adapter, no raw blobs. Core writes\n// go through `core.sources.register` / `core.definitions.register`.\n// ---------------------------------------------------------------------------\n\nexport interface PluginCtx<TStore = unknown> {\n /**\n * Precedence-ordered scope stack visible to this executor. Innermost\n * first. Plugins that write scoped rows must pick an element of\n * `scopes` as the `scope`/`scope_id` they stamp; reads through the\n * adapter or `ctx.secrets` automatically fall through the stack.\n */\n readonly scopes: readonly Scope[];\n readonly storage: TStore;\n\n readonly core: {\n readonly sources: {\n readonly register: (\n input: SourceInput,\n ) => Effect.Effect<void, StorageFailure>;\n readonly unregister: (\n sourceId: string,\n ) => Effect.Effect<void, StorageFailure>;\n readonly update: (input: {\n readonly id: string;\n readonly scope: string;\n readonly name?: string;\n readonly url?: string | null;\n }) => Effect.Effect<void, StorageFailure>;\n };\n /** Register shared JSON-schema `$defs` for a source. Tool\n * input/output schemas registered via `sources.register` can carry\n * `$ref: \"#/$defs/X\"` pointers; `executor.tools.schema(toolId)`\n * attaches matching defs to the returned schema. Call inside the\n * same `ctx.transaction` as `sources.register` for atomicity.\n * Replaces any existing defs for the given sourceId. */\n readonly definitions: {\n readonly register: (\n input: DefinitionsInput,\n ) => Effect.Effect<void, StorageFailure>;\n };\n };\n\n readonly secrets: {\n readonly get: (\n id: string,\n ) => Effect.Effect<string | null, SecretOwnedByConnectionError | StorageFailure>;\n /** List user-visible secrets. Connection-owned secrets (rows with\n * `owned_by_connection_id` set) are filtered out so they don't\n * clutter the UI — users see the Connection instead. */\n readonly list: () => Effect.Effect<\n readonly { readonly id: string; readonly name: string; readonly provider: string }[],\n StorageFailure\n >;\n /** Write a secret value through a provider. Used by plugins that\n * mint secrets on behalf of the user (OAuth2 token storage,\n * interactive onboarding flows). Normally writes go through\n * `executor.secrets.set` on the host surface, but OAuth2 refresh\n * and one-shot token capture from plugin-owned flows need it here\n * too. Same routing rules as the host-level setter. */\n readonly set: (\n input: SetSecretInput,\n ) => Effect.Effect<SecretRef, StorageFailure>;\n /** Delete a secret from its pinned provider and the core table.\n * Rejects with `SecretOwnedByConnectionError` if the row is owned\n * by a connection — callers must go through `connections.remove`\n * to drop the whole sign-in. */\n readonly remove: (\n id: string,\n ) => Effect.Effect<void, SecretOwnedByConnectionError | StorageFailure>;\n };\n\n /** Connections — product-level sign-in state. Owns backing secret\n * rows via `secret.owned_by_connection_id`. Plugins call\n * `connections.accessToken(id)` at invoke time to get a guaranteed-\n * fresh token (the SDK handles refresh via the registered provider\n * keyed by `connection.provider`). */\n readonly connections: {\n readonly get: (\n id: string,\n ) => Effect.Effect<ConnectionRef | null, StorageFailure>;\n readonly list: () => Effect.Effect<readonly ConnectionRef[], StorageFailure>;\n readonly create: (\n input: CreateConnectionInput,\n ) => Effect.Effect<\n ConnectionRef,\n ConnectionProviderNotRegisteredError | StorageFailure\n >;\n readonly updateTokens: (\n input: UpdateConnectionTokensInput,\n ) => Effect.Effect<\n ConnectionRef,\n ConnectionNotFoundError | StorageFailure\n >;\n readonly setIdentityLabel: (\n id: string,\n label: string | null,\n ) => Effect.Effect<void, ConnectionNotFoundError | StorageFailure>;\n /** Get a guaranteed-fresh access token. Calls the provider's\n * `refresh` handler if `expires_at` is in the past / within the\n * refresh skew window. */\n readonly accessToken: (\n id: string,\n ) => Effect.Effect<\n string,\n | ConnectionNotFoundError\n | ConnectionProviderNotRegisteredError\n | ConnectionRefreshNotSupportedError\n | ConnectionReauthRequiredError\n | ConnectionRefreshError\n | StorageFailure\n >;\n readonly remove: (id: string) => Effect.Effect<void, StorageFailure>;\n };\n\n /** Shared OAuth service. Plugins use this to probe/start/complete OAuth\n * flows; invocation should still resolve tokens via `connections.accessToken`. */\n readonly oauth: OAuthService;\n\n /** Run `effect` inside a database transaction. Wraps the underlying\n * adapter's transaction method. Use this in extension methods that\n * need atomicity across plugin storage writes AND core source/tool\n * registration. */\n readonly transaction: <A, E>(\n effect: Effect.Effect<A, E>,\n ) => Effect.Effect<A, E | StorageFailure>;\n}\n\n// ---------------------------------------------------------------------------\n// Static tool / source declarations. Pure data + handlers declared at\n// plugin-definition time.\n//\n// Importantly, `StaticToolDecl.handler` does NOT reference TExtension.\n// If it did, the nested generic would break inference for the whole\n// PluginSpec (TS would fall back to the `object` constraint on TExtension).\n// `self: NoInfer<TExtension>` lives on `staticSources` one level up\n// instead, and plugin authors close over it via the arrow-function\n// closure when they write their handler.\n// ---------------------------------------------------------------------------\n\nexport interface StaticToolHandlerInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n readonly args: unknown;\n /** Suspend the fiber to request user input. The handler passed to\n * `createExecutor({ onElicitation })` is called. */\n readonly elicit: Elicit;\n}\n\nexport interface StaticToolDecl<TStore = unknown> {\n readonly name: string;\n readonly description: string;\n readonly inputSchema?: unknown;\n readonly outputSchema?: unknown;\n /** Default-policy annotations — `requiresApproval`, `approvalDescription`,\n * `mayElicit`. Enforced by the executor before the handler runs.\n * Inline because static tools have no plugin storage to resolve from;\n * the plugin author literally writes this at definition time. */\n readonly annotations?: ToolAnnotations;\n readonly handler: (\n input: StaticToolHandlerInput<TStore>,\n ) => Effect.Effect<unknown, unknown>;\n}\n\nexport interface StaticSourceDecl<TStore = unknown> {\n readonly id: string;\n readonly kind: string;\n readonly name: string;\n readonly url?: string;\n /** Static sources default to `canRemove: false` — they represent\n * plugin-provided control surfaces and shouldn't be user-removable.\n * Override only if you really want that. */\n readonly canRemove?: boolean;\n readonly canRefresh?: boolean;\n readonly canEdit?: boolean;\n readonly tools: readonly StaticToolDecl<TStore>[];\n}\n\n// ---------------------------------------------------------------------------\n// Dynamic invoke / source lifecycle inputs.\n// ---------------------------------------------------------------------------\n\nexport interface InvokeToolInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n /** Already-loaded tool row. Plugin doesn't need to re-fetch or parse\n * the tool id. Carries source_id, name, input/output schemas,\n * annotations. */\n readonly toolRow: ToolRow;\n readonly args: unknown;\n /** Elicitation handle for plugins that need mid-invocation user input\n * (onepassword auth prompt, interactive MCP tools, etc.). */\n readonly elicit: Elicit;\n}\n\nexport interface SourceLifecycleInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n readonly sourceId: string;\n /**\n * Scope of the source row being removed/refreshed — resolved by the\n * SDK's `sources.remove` / `sources.refresh` via innermost-wins lookup\n * across the executor's scope stack. Plugins that own a side table\n * keyed by (id, scope_id) must pin their own cleanup to this scope;\n * relying on the scoped adapter's `scope_id IN (stack)` fall-through\n * would widen the mutation across the whole stack and wipe a\n * shadowed outer-scope row.\n */\n readonly scope: string;\n}\n\n// ---------------------------------------------------------------------------\n// PluginSpec — what a `definePlugin(factory)` call returns.\n// ---------------------------------------------------------------------------\n\nexport interface PluginSpec<\n TId extends string = string,\n TExtension extends object = Record<string, never>,\n TStore = unknown,\n TSchema extends DBSchema | undefined = DBSchema | undefined,\n> {\n readonly id: TId;\n /** Plugin-declared schema. Merged with coreSchema and other plugins'\n * schemas at executor startup via `collectSchemas`. The type flows\n * into the `storage` factory's `deps.adapter` as a `TypedAdapter<TSchema>`\n * so plugins get narrowed model names + typed rows for free. */\n readonly schema?: TSchema;\n /** Build the plugin's typed store from backing. `deps.adapter` is\n * already narrowed to this plugin's schema; `deps.blobs` is already\n * scoped to the plugin id so key collisions across plugins are\n * structurally impossible. */\n readonly storage: (deps: StorageDeps<TSchema>) => TStore;\n\n /** Build the plugin's extension API. The returned object becomes\n * `executor[plugin.id]` and is also the `self` passed to\n * `staticSources`. Field order matters: `extension` MUST appear\n * before `staticSources` so TS infers TExtension from this\n * factory's return BEFORE type-checking `self: NoInfer<TExtension>`. */\n readonly extension?: (ctx: PluginCtx<TStore>) => TExtension;\n\n /** Static sources contributed by this plugin with inline tool\n * handlers. Lives entirely in memory — no DB writes at startup.\n * Handlers close over `self` via the closure, so a control tool\n * that delegates to the plugin's real API is a one-liner:\n * `({ args }) => self.addSpec(args)`. */\n readonly staticSources?: (\n self: NoInfer<TExtension>,\n ) => readonly StaticSourceDecl<TStore>[];\n\n /** Invoke a dynamic tool. Called when the executor's static-handler\n * map doesn't have the toolId. The plugin reads its own enrichment\n * via `ctx.storage` and returns the result. Optional — plugins with\n * only static tools can omit it. */\n readonly invokeTool?: (\n input: InvokeToolInput<TStore>,\n ) => Effect.Effect<unknown, unknown>;\n\n /** Bulk resolve annotations (requiresApproval, approvalDescription,\n * mayElicit) for a set of tool rows under a single source. Called\n * by the executor:\n * - at invoke time with a single-element `toolRows` array, to\n * enforce approval on the about-to-run tool\n * - at list time with every dynamic tool row under each source,\n * grouped by source_id, to populate `Tool.annotations` for UI\n *\n * The expected implementation for most plugins is: read plugin\n * storage once for the given source/rows, derive annotations from\n * the same data that was used to build the tool (HTTP method +\n * path for openapi, introspection kind for graphql, etc.), return\n * a map keyed by tool id.\n *\n * Omit if the plugin has no annotations to contribute — executor\n * treats tools from that plugin as auto-approved with no\n * elicitation. */\n readonly resolveAnnotations?: (input: {\n readonly ctx: PluginCtx<TStore>;\n readonly sourceId: string;\n readonly toolRows: readonly ToolRow[];\n }) => Effect.Effect<Record<string, ToolAnnotations>, unknown>;\n\n /** Called when `executor.sources.remove(id)` targets a source owned\n * by this plugin. Plugin-side cleanup only; the executor deletes\n * the core source/tool rows after this callback returns, inside\n * the same transaction. */\n readonly removeSource?: (\n input: SourceLifecycleInput<TStore>,\n ) => Effect.Effect<void, unknown>;\n\n readonly refreshSource?: (\n input: SourceLifecycleInput<TStore>,\n ) => Effect.Effect<void, unknown>;\n\n /** URL autodetection hook. When the user pastes a URL in the\n * onboarding UI, `executor.sources.detect(url)` fans out to every\n * plugin's `detect`. Return a `SourceDetectionResult` if you\n * recognize the URL, `null` otherwise. Implementations should be\n * defensive — swallow fetch errors and return null rather than\n * throwing. First high-confidence match wins. */\n readonly detect?: (input: {\n readonly ctx: PluginCtx<TStore>;\n readonly url: string;\n }) => Effect.Effect<SourceDetectionResult | null, unknown>;\n\n /** Secret providers contributed by this plugin. Either a static\n * array, a function of ctx (for providers that need per-instance\n * state like the keychain's scope-derived service name), or a\n * function returning an Effect so plugins can probe for backend\n * availability at startup and register conditionally. Called once\n * at executor startup after `storage` and `extension` have been\n * built. */\n readonly secretProviders?:\n | readonly SecretProvider[]\n | ((ctx: PluginCtx<TStore>) => readonly SecretProvider[])\n | ((\n ctx: PluginCtx<TStore>,\n ) => Effect.Effect<readonly SecretProvider[]>);\n\n /** Connection providers contributed by this plugin. Same registration\n * shape as `secretProviders`. Each provider's `key` is what\n * `connection.provider` references in the core table; the `refresh`\n * handler is the SDK's single entry point for token lifecycle —\n * plugins don't run their own refresh loops anymore. */\n readonly connectionProviders?:\n | readonly ConnectionProvider[]\n | ((ctx: PluginCtx<TStore>) => readonly ConnectionProvider[])\n | ((\n ctx: PluginCtx<TStore>,\n ) => Effect.Effect<readonly ConnectionProvider[]>);\n\n readonly close?: () => Effect.Effect<void, unknown>;\n}\n\nexport interface Plugin<\n TId extends string = string,\n TExtension extends object = Record<string, never>,\n TStore = unknown,\n TSchema extends DBSchema | undefined = DBSchema | undefined,\n> extends PluginSpec<TId, TExtension, TStore, TSchema> {}\n\n// ---------------------------------------------------------------------------\n// definePlugin — factory-returning-spec. Options from the author factory\n// are merged with a storage override so consumers can swap the default\n// store implementation without touching plugin internals.\n// ---------------------------------------------------------------------------\n\nexport type ConfiguredPlugin<\n TId extends string,\n TExtension extends object,\n TStore,\n TOptions extends object,\n TSchema extends DBSchema | undefined,\n> = (\n options?: TOptions & {\n readonly storage?: (deps: StorageDeps<TSchema>) => TStore;\n },\n) => Plugin<TId, TExtension, TStore, TSchema>;\n\n// eslint-disable-next-line @typescript-eslint/ban-types\nexport function definePlugin<\n TId extends string,\n TExtension extends object,\n TStore,\n TSchema extends DBSchema | undefined = undefined,\n TOptions extends object = {},\n>(\n authorFactory: (\n options?: TOptions,\n ) => PluginSpec<TId, TExtension, TStore, TSchema>,\n): ConfiguredPlugin<TId, TExtension, TStore, TOptions, TSchema> {\n return (options) => {\n const {\n storage: storageOverride,\n ...rest\n }: {\n storage?: (deps: StorageDeps<TSchema>) => TStore;\n [key: string]: unknown;\n } = options ?? {};\n\n const hasAuthorOptions = Object.keys(rest).length > 0;\n const spec = authorFactory(\n hasAuthorOptions ? (rest as TOptions) : undefined,\n );\n\n return {\n ...spec,\n storage: storageOverride ?? spec.storage,\n };\n };\n}\n\n// ---------------------------------------------------------------------------\n// AnyPlugin / PluginExtensions — type-level glue for the Executor surface.\n// ---------------------------------------------------------------------------\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport type AnyPlugin = Plugin<string, any, any, any>;\n\nexport type PluginExtensions<TPlugins extends readonly AnyPlugin[]> = {\n readonly [P in TPlugins[number] as P[\"id\"]]: P extends Plugin<\n string,\n infer TExt,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n any\n >\n ? TExt\n : never;\n};\n\n/** Lightweight projection of a secret entry as returned by `ctx.secrets.list`. */\nexport interface SecretListEntry {\n readonly id: string;\n readonly name: string;\n readonly provider: string;\n}\n\n// Re-exported for consumers that check the elicitation handler type.\nexport type { ElicitationHandler };\n","import { makeMemoryAdapter } from \"@executor-js/storage-core/testing/memory\";\n\nimport { makeInMemoryBlobStore } from \"./blob\";\nimport type { ExecutorConfig } from \"./executor\";\nimport { collectSchemas } from \"./executor\";\nimport { ScopeId } from \"./ids\";\nimport type { AnyPlugin } from \"./plugin\";\nimport { Scope } from \"./scope\";\n\n// ---------------------------------------------------------------------------\n// makeTestConfig — build an ExecutorConfig backed by in-memory adapter +\n// blob store. For unit tests, plugin authors validating their plugin,\n// REPL experimentation. No persistence.\n//\n// Defaults to a single-element scope stack (\"test-scope\") — tests that\n// need multi-scope behavior can pass `scopes` explicitly.\n// ---------------------------------------------------------------------------\n\nexport const makeTestConfig = <\n const TPlugins extends readonly AnyPlugin[] = [],\n>(options?: {\n readonly scopeName?: string;\n readonly scopes?: readonly Scope[];\n readonly plugins?: TPlugins;\n}): ExecutorConfig<TPlugins> => {\n const scopes =\n options?.scopes ?? [\n new Scope({\n id: ScopeId.make(\"test-scope\"),\n name: options?.scopeName ?? \"test\",\n createdAt: new Date(),\n }),\n ];\n\n const schema = collectSchemas(options?.plugins ?? []);\n\n return {\n scopes,\n adapter: makeMemoryAdapter({ schema }),\n blobs: makeInMemoryBlobStore(),\n plugins: options?.plugins,\n // Tests default to auto-accepting elicitation prompts. Override via\n // a wrapping spread if a test exercises a real handler:\n // { ...makeTestConfig(...), onElicitation: customHandler }\n onElicitation: \"accept-all\",\n };\n};\n","// ---------------------------------------------------------------------------\n// JSON Schema $ref hoisting and re-attachment\n//\n// Core logic for deduplicating shared definitions across tools.\n// Used by any ToolRegistry implementation (in-memory, database-backed, etc.)\n//\n// Only handles standard JSON Schema formats ($defs, definitions).\n// Plugin-specific formats (e.g. OpenAPI components/schemas) must be\n// normalized by the plugin before calling registerDefinitions/register.\n// ---------------------------------------------------------------------------\n\ntype Obj = Record<string, unknown>;\n\n/** Standard JSON Schema $ref patterns. */\nconst REF_PATTERN = /^#\\/(?:\\$defs|definitions)\\/(.+)$/;\n\n/** Extract the definition name from a standard $ref pointer. */\nconst parseRefName = (ref: string): string | undefined => ref.match(REF_PATTERN)?.[1];\n\n/**\n * Recursively rewrite `#/definitions/<name>` pointers to `#/$defs/<name>`.\n * Returns the input unchanged if no rewrites are needed.\n */\nexport const normalizeRefs = (node: unknown): unknown => {\n if (node == null || typeof node !== \"object\") return node;\n if (Array.isArray(node)) {\n let changed = false;\n const out = node.map((item) => {\n const n = normalizeRefs(item);\n if (n !== item) changed = true;\n return n;\n });\n return changed ? out : node;\n }\n\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name) {\n const canonical = `#/$defs/${name}`;\n return canonical !== obj.$ref ? { ...obj, $ref: canonical } : obj;\n }\n return obj;\n }\n\n let changed = false;\n const result: Obj = {};\n for (const [k, v] of Object.entries(obj)) {\n const n = normalizeRefs(v);\n if (n !== v) changed = true;\n result[k] = n;\n }\n return changed ? result : obj;\n};\n\n/**\n * Extract `$defs` and `definitions` from a JSON Schema,\n * returning { stripped, defs } where `stripped` is the schema without local\n * definitions and `defs` is a flat map of definition name → schema.\n */\nexport const hoistDefinitions = (\n schema: unknown,\n): { stripped: unknown; defs: Record<string, unknown> } => {\n if (schema == null || typeof schema !== \"object\") {\n return { stripped: schema, defs: {} };\n }\n const obj = schema as Obj;\n const defs: Record<string, unknown> = {};\n\n if (obj.$defs && typeof obj.$defs === \"object\") {\n for (const [k, v] of Object.entries(obj.$defs as Obj)) {\n defs[k] = v;\n }\n }\n\n if (obj.definitions && typeof obj.definitions === \"object\") {\n for (const [k, v] of Object.entries(obj.definitions as Obj)) {\n defs[k] = v;\n }\n }\n\n const { $defs: _a, definitions: _b, ...rest } = obj;\n return { stripped: rest, defs };\n};\n\n/**\n * Walk a schema and collect all $ref target names transitively.\n * e.g. \"#/$defs/Address\" → \"Address\", and if Address references City, both.\n */\nexport const collectRefs = (\n node: unknown,\n defs: ReadonlyMap<string, unknown>,\n found: Set<string> = new Set(),\n): Set<string> => {\n if (node == null || typeof node !== \"object\") return found;\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name && !found.has(name)) {\n found.add(name);\n const def = defs.get(name);\n if (def) collectRefs(def, defs, found);\n }\n return found;\n }\n\n for (const v of Object.values(obj)) {\n if (v && typeof v === \"object\") {\n if (Array.isArray(v)) {\n for (const item of v) collectRefs(item, defs, found);\n } else {\n collectRefs(v, defs, found);\n }\n }\n }\n return found;\n};\n\n/**\n * Re-attach only the referenced shared definitions into a schema,\n * so the caller gets a self-contained, usable JSON Schema.\n *\n * Assumes all `$ref` pointers and definitions have already been normalized\n * to `#/$defs/<name>` form at registration time.\n */\nexport const reattachDefs = (schema: unknown, defs: ReadonlyMap<string, unknown>): unknown => {\n if (schema == null || typeof schema !== \"object\") return schema;\n const refs = collectRefs(schema, defs);\n if (refs.size === 0) return schema;\n\n const attached: Record<string, unknown> = {};\n for (const name of refs) {\n const def = defs.get(name);\n if (def) attached[name] = def;\n }\n\n return { ...(schema as Record<string, unknown>), $defs: attached };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkBA,SAAS,oBAAoB;AAI7B,SAAS,cAAc,4BAA4B;;;ACb5C,IAAM,2BAA2B;AAejC,IAAM,qBAAqB,CAChC,UAEA,OAAO,UAAU,YACjB,UAAU,QACT,MAA6B,SAAS;;;ACoDlC,IAAM,eAAe,CAA2B,WAAiB;AAiXjE,SAAS,aAOd,eAG8D;AAC9D,SAAO,CAAC,YAAY;AAClB,UAAM;AAAA,MACJ,SAAS;AAAA,MACT,GAAG;AAAA,IACL,IAGI,WAAW,CAAC;AAEhB,UAAM,mBAAmB,OAAO,KAAK,IAAI,EAAE,SAAS;AACpD,UAAM,OAAO;AAAA,MACX,mBAAoB,OAAoB;AAAA,IAC1C;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH,SAAS,mBAAmB,KAAK;AAAA,IACnC;AAAA,EACF;AACF;;;ACheA,SAAS,yBAAyB;AAkB3B,IAAM,iBAAiB,CAE5B,YAI8B;AAC9B,QAAM,SACJ,SAAS,UAAU;AAAA,IACjB,IAAI,MAAM;AAAA,MACR,IAAI,QAAQ,KAAK,YAAY;AAAA,MAC7B,MAAM,SAAS,aAAa;AAAA,MAC5B,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH;AAEF,QAAM,SAAS,eAAe,SAAS,WAAW,CAAC,CAAC;AAEpD,SAAO;AAAA,IACL;AAAA,IACA,SAAS,kBAAkB,EAAE,OAAO,CAAC;AAAA,IACrC,OAAO,sBAAsB;AAAA,IAC7B,SAAS,SAAS;AAAA;AAAA;AAAA;AAAA,IAIlB,eAAe;AAAA,EACjB;AACF;;;AChCA,IAAM,cAAc;AAGpB,IAAM,eAAe,CAAC,QAAoC,IAAI,MAAM,WAAW,IAAI,CAAC;AAM7E,IAAM,gBAAgB,CAAC,SAA2B;AACvD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,MAAI,MAAM,QAAQ,IAAI,GAAG;AACvB,QAAIA,WAAU;AACd,UAAM,MAAM,KAAK,IAAI,CAAC,SAAS;AAC7B,YAAM,IAAI,cAAc,IAAI;AAC5B,UAAI,MAAM,KAAM,CAAAA,WAAU;AAC1B,aAAO;AAAA,IACT,CAAC;AACD,WAAOA,WAAU,MAAM;AAAA,EACzB;AAEA,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,MAAM;AACR,YAAM,YAAY,WAAW,IAAI;AACjC,aAAO,cAAc,IAAI,OAAO,EAAE,GAAG,KAAK,MAAM,UAAU,IAAI;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,MAAI,UAAU;AACd,QAAM,SAAc,CAAC;AACrB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AACxC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,MAAM,EAAG,WAAU;AACvB,WAAO,CAAC,IAAI;AAAA,EACd;AACA,SAAO,UAAU,SAAS;AAC5B;AAOO,IAAM,mBAAmB,CAC9B,WACyD;AACzD,MAAI,UAAU,QAAQ,OAAO,WAAW,UAAU;AAChD,WAAO,EAAE,UAAU,QAAQ,MAAM,CAAC,EAAE;AAAA,EACtC;AACA,QAAM,MAAM;AACZ,QAAM,OAAgC,CAAC;AAEvC,MAAI,IAAI,SAAS,OAAO,IAAI,UAAU,UAAU;AAC9C,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,KAAY,GAAG;AACrD,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,MAAI,IAAI,eAAe,OAAO,IAAI,gBAAgB,UAAU;AAC1D,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,WAAkB,GAAG;AAC3D,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,EAAE,OAAO,IAAI,aAAa,IAAI,GAAG,KAAK,IAAI;AAChD,SAAO,EAAE,UAAU,MAAM,KAAK;AAChC;AAMO,IAAM,cAAc,CACzB,MACA,MACA,QAAqB,oBAAI,IAAI,MACb;AAChB,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,QAAQ,CAAC,MAAM,IAAI,IAAI,GAAG;AAC5B,YAAM,IAAI,IAAI;AACd,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,IAAK,aAAY,KAAK,MAAM,KAAK;AAAA,IACvC;AACA,WAAO;AAAA,EACT;AAEA,aAAW,KAAK,OAAO,OAAO,GAAG,GAAG;AAClC,QAAI,KAAK,OAAO,MAAM,UAAU;AAC9B,UAAI,MAAM,QAAQ,CAAC,GAAG;AACpB,mBAAW,QAAQ,EAAG,aAAY,MAAM,MAAM,KAAK;AAAA,MACrD,OAAO;AACL,oBAAY,GAAG,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AASO,IAAM,eAAe,CAAC,QAAiB,SAAgD;AAC5F,MAAI,UAAU,QAAQ,OAAO,WAAW,SAAU,QAAO;AACzD,QAAM,OAAO,YAAY,QAAQ,IAAI;AACrC,MAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAM,WAAoC,CAAC;AAC3C,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,QAAI,IAAK,UAAS,IAAI,IAAI;AAAA,EAC5B;AAEA,SAAO,EAAE,GAAI,QAAoC,OAAO,SAAS;AACnE;","names":["changed"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/oauth-popup-types.ts","../src/schema-refs.ts","../src/api-errors.ts"],"sourcesContent":["// ---------------------------------------------------------------------------\n// @executor-js/sdk — public surface\n// ---------------------------------------------------------------------------\n\n// Re-export the Effect/Schema/HttpApi primitives plugin authors need so a\n// plugin can be written importing only from `@executor-js/sdk`. Authors who\n// want to reach for additional Effect APIs keep importing from `effect/*`\n// directly — these re-exports are the curated minimum.\nexport { Context, Effect, Layer, Schema, Data, Option } from \"effect\";\nexport {\n HttpApi,\n HttpApiBuilder,\n HttpApiClient,\n HttpApiEndpoint,\n HttpApiGroup,\n HttpApiMiddleware,\n HttpApiSchema,\n} from \"effect/unstable/httpapi\";\n\n// Storage adapter interface types (re-exported from @executor-js/storage-core\n// so plugin authors can write adapters against a single public surface\n// without depending on storage-core directly).\nexport type {\n DBAdapter,\n DBSchema,\n DBFieldAttribute,\n DBFieldType,\n StorageFailure,\n TypedAdapter,\n Where,\n WhereOperator,\n} from \"@executor-js/storage-core\";\n\nexport { typedAdapter } from \"@executor-js/storage-core\";\n\n// Storage-layer typed errors (re-exported so plugin code can catchTag\n// `UniqueViolationError` without importing storage-core directly).\nexport { StorageError, UniqueViolationError } from \"@executor-js/storage-core\";\n\n// IDs (branded)\nexport { ScopeId, ToolId, SecretId, PolicyId, ConnectionId, CredentialBindingId } from \"./ids\";\n\n// Scope\nexport { Scope } from \"./scope\";\n\n// Errors (tagged)\nexport {\n ToolNotFoundError,\n ToolInvocationError,\n ToolBlockedError,\n NoHandlerError,\n SourceNotFoundError,\n SourceRemovalNotAllowedError,\n PluginNotLoadedError,\n SecretNotFoundError,\n SecretResolutionError,\n SecretOwnedByConnectionError,\n SecretInUseError,\n ConnectionNotFoundError,\n ConnectionProviderNotRegisteredError,\n ConnectionRefreshNotSupportedError,\n ConnectionReauthRequiredError,\n ConnectionInUseError,\n type ExecutorError,\n} from \"./errors\";\n\n// Public projections\nexport {\n ToolSchema,\n SourceDetectionResult,\n type RefreshSourceInput,\n type RemoveSourceInput,\n type Source,\n type Tool,\n type ToolListFilter,\n} from \"./types\";\n\n// Core schema\nexport {\n coreSchema,\n isToolPolicyAction,\n TOOL_POLICY_ACTIONS,\n type CoreSchema,\n type SourceInput,\n type SourceInputTool,\n type SourceRow,\n type ToolRow,\n type DefinitionRow,\n type SecretRow,\n type ConnectionRow,\n type CredentialBindingRow,\n type ToolPolicyRow,\n type ToolPolicyAction,\n type DefinitionsInput,\n type ToolAnnotations,\n} from \"./core-schema\";\n\n// Tool policies\nexport {\n matchPattern,\n isValidPattern,\n resolveToolPolicy,\n resolveEffectivePolicy,\n effectivePolicyFromSorted,\n rowToToolPolicy,\n ToolPolicyActionSchema,\n type ToolPolicy,\n type CreateToolPolicyInput,\n type UpdateToolPolicyInput,\n type RemoveToolPolicyInput,\n type PolicyMatch,\n type EffectivePolicy,\n type PolicySource,\n} from \"./policies\";\n\n// Secrets\nexport { SecretRef, SetSecretInput, RemoveSecretInput, type SecretProvider } from \"./secrets\";\n\nexport {\n SecretBackedMap,\n SecretBackedValue,\n isSecretBackedRef,\n resolveSecretBackedMap,\n type ResolveSecretBackedMapOptions,\n} from \"./secret-backed-value\";\n\nexport {\n CredentialBindingKind,\n CredentialBindingValue,\n ConfiguredCredentialBinding,\n ConfiguredCredentialValue,\n ConfiguredCredentialValueSchema,\n ScopedSecretCredentialInput,\n CredentialBindingRef,\n SetCredentialBindingInput,\n CredentialBindingSourceInput,\n CredentialBindingSlotInput,\n RemoveCredentialBindingInput,\n ReplaceCredentialBindingValue,\n ReplaceCredentialBindingsInput,\n CredentialBindingResolutionStatus,\n ResolvedCredentialSlot,\n credentialBindingId,\n credentialSlotKey,\n credentialSlotPart,\n credentialBindingRowToRef,\n credentialBindingValueFromRow,\n type CredentialBindingsFacade,\n} from \"./credential-bindings\";\n\n// Usage tracking — secret/connection refs across plugins\nexport { Usage, type UsagesForSecretInput, type UsagesForConnectionInput } from \"./usages\";\n\n// Connections\nexport {\n ConnectionRef,\n ConnectionProviderState,\n CreateConnectionInput,\n RemoveConnectionInput,\n UpdateConnectionTokensInput,\n TokenMaterial,\n ConnectionRefreshError,\n type ConnectionProvider,\n type ConnectionRefreshInput,\n type ConnectionRefreshResult,\n} from \"./connections\";\n\n// Elicitation\nexport {\n FormElicitation,\n UrlElicitation,\n ElicitationAction,\n ElicitationResponse,\n ElicitationDeclinedError,\n type ElicitationRequest,\n type ElicitationHandler,\n type ElicitationContext,\n} from \"./elicitation\";\n\n// Blob store\nexport {\n type BlobStore,\n type PluginBlobStore,\n pluginBlobStore,\n makeInMemoryBlobStore,\n} from \"./blob\";\n\n// OAuth 2.1\nexport {\n type OAuthService,\n type OAuthStrategy,\n type OAuthDynamicDcrStrategy,\n type OAuthAuthorizationCodeStrategy,\n type OAuthClientCredentialsStrategy,\n type OAuthProviderState,\n type OAuthProbeInput,\n type OAuthProbeResult,\n type OAuthStartInput,\n type OAuthStartResult,\n type OAuthCompleteInput,\n type OAuthCompleteResult,\n OAuthProbeError,\n OAuthStartError,\n OAuthCompleteError,\n OAuthSessionNotFoundError,\n OAUTH2_PROVIDER_KEY,\n OAUTH2_SESSION_TTL_MS,\n OAuthStrategy as OAuthStrategySchema,\n OAuthProviderState as OAuthProviderStateSchema,\n OAuthDynamicDcrStrategy as OAuthDynamicDcrStrategySchema,\n OAuthAuthorizationCodeStrategy as OAuthAuthorizationCodeStrategySchema,\n OAuthClientCredentialsStrategy as OAuthClientCredentialsStrategySchema,\n} from \"./oauth\";\n\nexport {\n OAuth2Error,\n OAUTH2_DEFAULT_TIMEOUT_MS,\n OAUTH2_REFRESH_SKEW_MS,\n assertSupportedOAuthEndpointUrl,\n buildAuthorizationUrl,\n createPkceCodeChallenge,\n createPkceCodeVerifier,\n exchangeAuthorizationCode,\n exchangeClientCredentials,\n isSupportedOAuthEndpointUrl,\n refreshAccessToken,\n shouldRefreshToken,\n type OAuth2TokenResponse,\n type BuildAuthorizationUrlInput,\n type ClientAuthMethod,\n type ExchangeAuthorizationCodeInput,\n type ExchangeClientCredentialsInput,\n type RefreshAccessTokenInput,\n} from \"./oauth-helpers\";\n\nexport { makeOAuth2Service, type OAuthServiceDeps } from \"./oauth-service\";\nexport type { ScopedDBAdapter, ScopedTypedAdapter } from \"./scoped-adapter\";\n\nexport {\n HostedOutboundRequestBlocked,\n makeHostedHttpClientLayer,\n validateHostedOutboundUrl,\n type HostedHttpClientOptions,\n} from \"./hosted-http-client\";\n\nexport {\n OAuthDiscoveryError,\n OAuthAuthorizationServerMetadataSchema,\n OAuthClientInformationSchema,\n OAuthProtectedResourceMetadataSchema,\n beginDynamicAuthorization,\n discoverAuthorizationServerMetadata,\n discoverProtectedResourceMetadata,\n registerDynamicClient,\n type BeginDynamicAuthorizationInput,\n type DiscoveryRequestOptions,\n type DynamicAuthorizationState,\n type DynamicAuthorizationStartResult,\n type DynamicClientMetadata,\n type OAuthAuthorizationServerMetadata,\n type OAuthClientInformation,\n type OAuthProtectedResourceMetadata,\n type RegisterDynamicClientInput,\n} from \"./oauth-discovery\";\n\nexport {\n OAUTH_POPUP_MESSAGE_TYPE,\n type OAuthPopupResult,\n isOAuthPopupResult,\n} from \"./oauth-popup-types\";\n\n// Plugin definition\nexport {\n type Plugin,\n type PluginSpec,\n type PluginCtx,\n type PluginExtensions,\n type ConfiguredPlugin,\n type AnyPlugin,\n type StorageDeps,\n type StaticSourceDecl,\n type StaticToolDecl,\n type StaticToolHandlerInput,\n type InvokeToolInput,\n type SourceLifecycleInput,\n type SecretListEntry,\n type Elicit,\n definePlugin,\n defineSchema,\n} from \"./plugin\";\n\n// Executor\nexport {\n type Executor,\n type ExecutorConfig,\n type OnElicitation,\n type InvokeOptions,\n createExecutor,\n collectSchemas,\n} from \"./executor\";\n\n// CLI / runtime config\nexport {\n defineExecutorConfig,\n type ExecutorCliConfig,\n type ExecutorDialect,\n type ExecutorPluginsFactory,\n} from \"./config\";\n\n// Test helper\nexport { makeTestConfig } from \"./test-config\";\n\n// JSON schema $ref helpers (used by openapi for $defs handling)\nexport { hoistDefinitions, collectRefs, reattachDefs, normalizeRefs } from \"./schema-refs\";\n\n// TypeScript preview generation from JSON schemas\nexport {\n schemaToTypeScriptPreview,\n schemaToTypeScriptPreviewWithDefs,\n buildToolTypeScriptPreview,\n type TypeScriptRenderOptions,\n type TypeScriptSchemaPreview,\n} from \"./schema-types\";\n\n// Wire-level HTTP error schemas usable by plugin HttpApiGroup definitions.\nexport { InternalError } from \"./api-errors\";\n","// ---------------------------------------------------------------------------\n// OAuth popup result — the message shape exchanged between the popup window\n// (opened during authorization) and the opener (the onboarding UI). Both the\n// server-side HTML generator and the client-side popup opener agree on this\n// shape so that success / failure can be communicated reliably via both\n// `postMessage` and `BroadcastChannel`.\n// ---------------------------------------------------------------------------\n\n/** Message type literal used to identify our popup results. */\nexport const OAUTH_POPUP_MESSAGE_TYPE = \"executor:oauth-result\" as const;\n\nexport type OAuthPopupResult<TAuth> =\n | ({\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: true;\n readonly sessionId: string;\n } & TAuth)\n | {\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: false;\n readonly sessionId: string | null;\n readonly error: string;\n };\n\nexport const isOAuthPopupResult = <TAuth>(value: unknown): value is OAuthPopupResult<TAuth> =>\n typeof value === \"object\" &&\n value !== null &&\n (value as { type?: unknown }).type === OAUTH_POPUP_MESSAGE_TYPE;\n","// ---------------------------------------------------------------------------\n// JSON Schema $ref hoisting and re-attachment\n//\n// Core logic for deduplicating shared definitions across tools.\n// Used by any ToolRegistry implementation (in-memory, database-backed, etc.)\n//\n// Only handles standard JSON Schema formats ($defs, definitions).\n// Plugin-specific formats (e.g. OpenAPI components/schemas) must be\n// normalized by the plugin before calling registerDefinitions/register.\n// ---------------------------------------------------------------------------\n\ntype Obj = Record<string, unknown>;\n\n/** Standard JSON Schema $ref patterns. */\nconst REF_PATTERN = /^#\\/(?:\\$defs|definitions)\\/(.+)$/;\n\n/** Extract the definition name from a standard $ref pointer. */\nconst parseRefName = (ref: string): string | undefined => ref.match(REF_PATTERN)?.[1];\n\n/**\n * Recursively rewrite `#/definitions/<name>` pointers to `#/$defs/<name>`.\n * Returns the input unchanged if no rewrites are needed.\n */\nexport const normalizeRefs = (node: unknown): unknown => {\n if (node == null || typeof node !== \"object\") return node;\n if (Array.isArray(node)) {\n let changed = false;\n const out = node.map((item) => {\n const n = normalizeRefs(item);\n if (n !== item) changed = true;\n return n;\n });\n return changed ? out : node;\n }\n\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name) {\n const canonical = `#/$defs/${name}`;\n return canonical !== obj.$ref ? { ...obj, $ref: canonical } : obj;\n }\n return obj;\n }\n\n let changed = false;\n const result: Obj = {};\n for (const [k, v] of Object.entries(obj)) {\n const n = normalizeRefs(v);\n if (n !== v) changed = true;\n result[k] = n;\n }\n return changed ? result : obj;\n};\n\n/**\n * Extract `$defs` and `definitions` from a JSON Schema,\n * returning { stripped, defs } where `stripped` is the schema without local\n * definitions and `defs` is a flat map of definition name → schema.\n */\nexport const hoistDefinitions = (\n schema: unknown,\n): { stripped: unknown; defs: Record<string, unknown> } => {\n if (schema == null || typeof schema !== \"object\") {\n return { stripped: schema, defs: {} };\n }\n const obj = schema as Obj;\n const defs: Record<string, unknown> = {};\n\n if (obj.$defs && typeof obj.$defs === \"object\") {\n for (const [k, v] of Object.entries(obj.$defs as Obj)) {\n defs[k] = v;\n }\n }\n\n if (obj.definitions && typeof obj.definitions === \"object\") {\n for (const [k, v] of Object.entries(obj.definitions as Obj)) {\n defs[k] = v;\n }\n }\n\n const { $defs: _a, definitions: _b, ...rest } = obj;\n return { stripped: rest, defs };\n};\n\n/**\n * Walk a schema and collect all $ref target names transitively.\n * e.g. \"#/$defs/Address\" → \"Address\", and if Address references City, both.\n */\nexport const collectRefs = (\n node: unknown,\n defs: ReadonlyMap<string, unknown>,\n found: Set<string> = new Set(),\n): Set<string> => {\n if (node == null || typeof node !== \"object\") return found;\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name && !found.has(name)) {\n found.add(name);\n const def = defs.get(name);\n if (def) collectRefs(def, defs, found);\n }\n return found;\n }\n\n for (const v of Object.values(obj)) {\n if (v && typeof v === \"object\") {\n if (Array.isArray(v)) {\n for (const item of v) collectRefs(item, defs, found);\n } else {\n collectRefs(v, defs, found);\n }\n }\n }\n return found;\n};\n\n/**\n * Re-attach only the referenced shared definitions into a schema,\n * so the caller gets a self-contained, usable JSON Schema.\n *\n * Assumes all `$ref` pointers and definitions have already been normalized\n * to `#/$defs/<name>` form at registration time.\n */\nexport const reattachDefs = (schema: unknown, defs: ReadonlyMap<string, unknown>): unknown => {\n if (schema == null || typeof schema !== \"object\") return schema;\n const refs = collectRefs(schema, defs);\n if (refs.size === 0) return schema;\n\n const attached: Record<string, unknown> = {};\n for (const name of refs) {\n const def = defs.get(name);\n if (def) attached[name] = def;\n }\n\n return { ...(schema as Record<string, unknown>), $defs: attached };\n};\n","// ---------------------------------------------------------------------------\n// Wire-level HTTP errors. Lives in the SDK so plugin `HttpApiGroup`\n// definitions (which sit on the SDK side of the dependency graph and\n// must stay publishable) can declare them without dragging in the\n// server-only `@executor-js/api` package. The HTTP edge in\n// `@executor-js/api` re-exports these and pairs them with the\n// translation/capture helpers used by handlers.\n// ---------------------------------------------------------------------------\n\nimport { Schema } from \"effect\";\n\n/** Public 500 surface. Opaque by schema — only `traceId` crosses the wire. */\nexport class InternalError extends Schema.TaggedErrorClass<InternalError>()(\n \"InternalError\",\n {\n /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */\n traceId: Schema.String,\n },\n { httpApiStatus: 500 },\n) {}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,SAAS,SAAS,QAAQ,OAAO,UAAAA,SAAQ,MAAM,cAAc;AAC7D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAgBP,SAAS,oBAAoB;AAI7B,SAAS,cAAc,4BAA4B;;;AC5B5C,IAAM,2BAA2B;AAejC,IAAM,qBAAqB,CAAQ,UACxC,OAAO,UAAU,YACjB,UAAU,QACT,MAA6B,SAAS;;;ACbzC,IAAM,cAAc;AAGpB,IAAM,eAAe,CAAC,QAAoC,IAAI,MAAM,WAAW,IAAI,CAAC;AAM7E,IAAM,gBAAgB,CAAC,SAA2B;AACvD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,MAAI,MAAM,QAAQ,IAAI,GAAG;AACvB,QAAIC,WAAU;AACd,UAAM,MAAM,KAAK,IAAI,CAAC,SAAS;AAC7B,YAAM,IAAI,cAAc,IAAI;AAC5B,UAAI,MAAM,KAAM,CAAAA,WAAU;AAC1B,aAAO;AAAA,IACT,CAAC;AACD,WAAOA,WAAU,MAAM;AAAA,EACzB;AAEA,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,MAAM;AACR,YAAM,YAAY,WAAW,IAAI;AACjC,aAAO,cAAc,IAAI,OAAO,EAAE,GAAG,KAAK,MAAM,UAAU,IAAI;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,MAAI,UAAU;AACd,QAAM,SAAc,CAAC;AACrB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AACxC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,MAAM,EAAG,WAAU;AACvB,WAAO,CAAC,IAAI;AAAA,EACd;AACA,SAAO,UAAU,SAAS;AAC5B;AAOO,IAAM,mBAAmB,CAC9B,WACyD;AACzD,MAAI,UAAU,QAAQ,OAAO,WAAW,UAAU;AAChD,WAAO,EAAE,UAAU,QAAQ,MAAM,CAAC,EAAE;AAAA,EACtC;AACA,QAAM,MAAM;AACZ,QAAM,OAAgC,CAAC;AAEvC,MAAI,IAAI,SAAS,OAAO,IAAI,UAAU,UAAU;AAC9C,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,KAAY,GAAG;AACrD,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,MAAI,IAAI,eAAe,OAAO,IAAI,gBAAgB,UAAU;AAC1D,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,WAAkB,GAAG;AAC3D,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,EAAE,OAAO,IAAI,aAAa,IAAI,GAAG,KAAK,IAAI;AAChD,SAAO,EAAE,UAAU,MAAM,KAAK;AAChC;AAMO,IAAM,cAAc,CACzB,MACA,MACA,QAAqB,oBAAI,IAAI,MACb;AAChB,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,QAAQ,CAAC,MAAM,IAAI,IAAI,GAAG;AAC5B,YAAM,IAAI,IAAI;AACd,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,IAAK,aAAY,KAAK,MAAM,KAAK;AAAA,IACvC;AACA,WAAO;AAAA,EACT;AAEA,aAAW,KAAK,OAAO,OAAO,GAAG,GAAG;AAClC,QAAI,KAAK,OAAO,MAAM,UAAU;AAC9B,UAAI,MAAM,QAAQ,CAAC,GAAG;AACpB,mBAAW,QAAQ,EAAG,aAAY,MAAM,MAAM,KAAK;AAAA,MACrD,OAAO;AACL,oBAAY,GAAG,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AASO,IAAM,eAAe,CAAC,QAAiB,SAAgD;AAC5F,MAAI,UAAU,QAAQ,OAAO,WAAW,SAAU,QAAO;AACzD,QAAM,OAAO,YAAY,QAAQ,IAAI;AACrC,MAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAM,WAAoC,CAAC;AAC3C,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,QAAI,IAAK,UAAS,IAAI,IAAI;AAAA,EAC5B;AAEA,SAAO,EAAE,GAAI,QAAoC,OAAO,SAAS;AACnE;;;AClIA,SAAS,cAAc;AAGhB,IAAM,gBAAN,cAA4B,OAAO,iBAAgC;AAAA,EACxE;AAAA,EACA;AAAA;AAAA,IAEE,SAAS,OAAO;AAAA,EAClB;AAAA,EACA,EAAE,eAAe,IAAI;AACvB,EAAE;AAAC;","names":["Schema","changed"]}
@@ -0,0 +1,173 @@
1
+ import { Effect, Schema } from "effect";
2
+ import type { StorageFailure } from "@executor-js/storage-core";
3
+ import { type CredentialBindingRow } from "./core-schema";
4
+ import { CredentialBindingId } from "./ids";
5
+ import type { Usage } from "./usages";
6
+ export declare const CredentialBindingKind: Schema.Literals<["text", "secret", "connection"]>;
7
+ export type CredentialBindingKind = typeof CredentialBindingKind.Type;
8
+ export declare const CredentialBindingValue: Schema.Union<readonly [Schema.Struct<{
9
+ readonly kind: Schema.Literal<"text">;
10
+ readonly text: Schema.String;
11
+ }>, Schema.Struct<{
12
+ readonly kind: Schema.Literal<"secret">;
13
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
14
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
15
+ }>, Schema.Struct<{
16
+ readonly kind: Schema.Literal<"connection">;
17
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
18
+ }>]>;
19
+ export type CredentialBindingValue = typeof CredentialBindingValue.Type;
20
+ export declare const ConfiguredCredentialBindingSchema: Schema.Struct<{
21
+ readonly kind: Schema.Literal<"binding">;
22
+ readonly slot: Schema.String;
23
+ readonly prefix: Schema.optional<Schema.String>;
24
+ }>;
25
+ declare const ConfiguredCredentialBinding_base: Schema.Class<ConfiguredCredentialBinding, Schema.Struct<{
26
+ readonly kind: Schema.Literal<"binding">;
27
+ readonly slot: Schema.String;
28
+ readonly prefix: Schema.optional<Schema.String>;
29
+ }>, {}>;
30
+ export declare class ConfiguredCredentialBinding extends ConfiguredCredentialBinding_base {
31
+ }
32
+ export declare const ConfiguredCredentialValue: Schema.Union<readonly [Schema.String, typeof ConfiguredCredentialBinding]>;
33
+ export type ConfiguredCredentialValue = typeof ConfiguredCredentialValue.Type;
34
+ export declare const ConfiguredCredentialValueSchema: Schema.Union<readonly [Schema.String, Schema.Struct<{
35
+ readonly kind: Schema.Literal<"binding">;
36
+ readonly slot: Schema.String;
37
+ readonly prefix: Schema.optional<Schema.String>;
38
+ }>]>;
39
+ export declare const ScopedSecretCredentialInput: Schema.Struct<{
40
+ readonly secretId: Schema.String;
41
+ readonly prefix: Schema.optional<Schema.String>;
42
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
43
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
44
+ }>;
45
+ export type ScopedSecretCredentialInput = typeof ScopedSecretCredentialInput.Type;
46
+ declare const CredentialBindingRef_base: Schema.Class<CredentialBindingRef, Schema.Struct<{
47
+ readonly id: Schema.brand<Schema.String, "CredentialBindingId">;
48
+ readonly scopeId: Schema.brand<Schema.String, "ScopeId">;
49
+ readonly pluginId: Schema.String;
50
+ readonly sourceId: Schema.String;
51
+ readonly sourceScopeId: Schema.brand<Schema.String, "ScopeId">;
52
+ readonly slotKey: Schema.String;
53
+ readonly value: Schema.Union<readonly [Schema.Struct<{
54
+ readonly kind: Schema.Literal<"text">;
55
+ readonly text: Schema.String;
56
+ }>, Schema.Struct<{
57
+ readonly kind: Schema.Literal<"secret">;
58
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
59
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
60
+ }>, Schema.Struct<{
61
+ readonly kind: Schema.Literal<"connection">;
62
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
63
+ }>]>;
64
+ readonly createdAt: Schema.Date;
65
+ readonly updatedAt: Schema.Date;
66
+ }>, {}>;
67
+ export declare class CredentialBindingRef extends CredentialBindingRef_base {
68
+ }
69
+ declare const SetCredentialBindingInput_base: Schema.Class<SetCredentialBindingInput, Schema.Struct<{
70
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
71
+ readonly pluginId: Schema.String;
72
+ readonly sourceId: Schema.String;
73
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
74
+ readonly slotKey: Schema.String;
75
+ readonly value: Schema.Union<readonly [Schema.Struct<{
76
+ readonly kind: Schema.Literal<"text">;
77
+ readonly text: Schema.String;
78
+ }>, Schema.Struct<{
79
+ readonly kind: Schema.Literal<"secret">;
80
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
81
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
82
+ }>, Schema.Struct<{
83
+ readonly kind: Schema.Literal<"connection">;
84
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
85
+ }>]>;
86
+ }>, {}>;
87
+ export declare class SetCredentialBindingInput extends SetCredentialBindingInput_base {
88
+ }
89
+ declare const CredentialBindingSourceInput_base: Schema.Class<CredentialBindingSourceInput, Schema.Struct<{
90
+ readonly pluginId: Schema.String;
91
+ readonly sourceId: Schema.String;
92
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
93
+ }>, {}>;
94
+ export declare class CredentialBindingSourceInput extends CredentialBindingSourceInput_base {
95
+ }
96
+ declare const CredentialBindingSlotInput_base: Schema.Class<CredentialBindingSlotInput, Schema.Struct<{
97
+ readonly pluginId: Schema.String;
98
+ readonly sourceId: Schema.String;
99
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
100
+ readonly slotKey: Schema.String;
101
+ }>, {}>;
102
+ export declare class CredentialBindingSlotInput extends CredentialBindingSlotInput_base {
103
+ }
104
+ declare const RemoveCredentialBindingInput_base: Schema.Class<RemoveCredentialBindingInput, Schema.Struct<{
105
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
106
+ readonly pluginId: Schema.String;
107
+ readonly sourceId: Schema.String;
108
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
109
+ readonly slotKey: Schema.String;
110
+ }>, {}>;
111
+ export declare class RemoveCredentialBindingInput extends RemoveCredentialBindingInput_base {
112
+ }
113
+ declare const ReplaceCredentialBindingValue_base: Schema.Class<ReplaceCredentialBindingValue, Schema.Struct<{
114
+ readonly slotKey: Schema.String;
115
+ readonly value: Schema.Union<readonly [Schema.Struct<{
116
+ readonly kind: Schema.Literal<"text">;
117
+ readonly text: Schema.String;
118
+ }>, Schema.Struct<{
119
+ readonly kind: Schema.Literal<"secret">;
120
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
121
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
122
+ }>, Schema.Struct<{
123
+ readonly kind: Schema.Literal<"connection">;
124
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
125
+ }>]>;
126
+ }>, {}>;
127
+ export declare class ReplaceCredentialBindingValue extends ReplaceCredentialBindingValue_base {
128
+ }
129
+ declare const ReplaceCredentialBindingsInput_base: Schema.Class<ReplaceCredentialBindingsInput, Schema.Struct<{
130
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
131
+ readonly pluginId: Schema.String;
132
+ readonly sourceId: Schema.String;
133
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
134
+ readonly slotPrefixes: Schema.$Array<Schema.String>;
135
+ readonly bindings: Schema.$Array<typeof ReplaceCredentialBindingValue>;
136
+ }>, {}>;
137
+ export declare class ReplaceCredentialBindingsInput extends ReplaceCredentialBindingsInput_base {
138
+ }
139
+ export declare const CredentialBindingResolutionStatus: Schema.Literals<readonly ["resolved", "missing", "blocked"]>;
140
+ export type CredentialBindingResolutionStatus = typeof CredentialBindingResolutionStatus.Type;
141
+ declare const ResolvedCredentialSlot_base: Schema.Class<ResolvedCredentialSlot, Schema.Struct<{
142
+ readonly pluginId: Schema.String;
143
+ readonly sourceId: Schema.String;
144
+ readonly sourceScopeId: Schema.brand<Schema.String, "ScopeId">;
145
+ readonly slotKey: Schema.String;
146
+ readonly bindingScopeId: Schema.NullOr<Schema.brand<Schema.String, "ScopeId">>;
147
+ readonly kind: Schema.NullOr<Schema.Literals<["text", "secret", "connection"]>>;
148
+ readonly status: Schema.Literals<readonly ["resolved", "missing", "blocked"]>;
149
+ }>, {}>;
150
+ export declare class ResolvedCredentialSlot extends ResolvedCredentialSlot_base {
151
+ }
152
+ export interface CredentialBindingsFacade {
153
+ readonly listForSource: (input: CredentialBindingSourceInput) => Effect.Effect<readonly CredentialBindingRef[], StorageFailure>;
154
+ readonly resolve: (input: CredentialBindingSlotInput) => Effect.Effect<ResolvedCredentialSlot, StorageFailure>;
155
+ readonly set: (input: SetCredentialBindingInput) => Effect.Effect<CredentialBindingRef, StorageFailure>;
156
+ readonly remove: (input: RemoveCredentialBindingInput) => Effect.Effect<void, StorageFailure>;
157
+ readonly replaceForSource: (input: ReplaceCredentialBindingsInput) => Effect.Effect<readonly CredentialBindingRef[], StorageFailure>;
158
+ readonly removeForSource: (input: CredentialBindingSourceInput) => Effect.Effect<void, StorageFailure>;
159
+ readonly usagesForSecret: (id: string) => Effect.Effect<readonly Usage[], StorageFailure>;
160
+ readonly usagesForConnection: (id: string) => Effect.Effect<readonly Usage[], StorageFailure>;
161
+ }
162
+ export declare const credentialBindingId: (input: {
163
+ readonly pluginId: string;
164
+ readonly sourceId: string;
165
+ readonly sourceScope: string;
166
+ readonly slotKey: string;
167
+ }) => CredentialBindingId;
168
+ export declare const credentialSlotPart: (value: string) => string;
169
+ export declare const credentialSlotKey: (prefix: string, name: string) => string;
170
+ export declare const credentialBindingValueFromRow: (row: CredentialBindingRow) => CredentialBindingValue;
171
+ export declare const credentialBindingRowToRef: (row: CredentialBindingRow) => CredentialBindingRef;
172
+ export {};
173
+ //# sourceMappingURL=credential-bindings.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-bindings.d.ts","sourceRoot":"","sources":["../src/credential-bindings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAS,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEhE,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAClF,OAAO,EAAgB,mBAAmB,EAAqB,MAAM,OAAO,CAAC;AAC7E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAEtC,eAAO,MAAM,qBAAqB,mDAA0C,CAAC;AAC7E,MAAM,MAAM,qBAAqB,GAAG,OAAO,qBAAqB,CAAC,IAAI,CAAC;AAEtE,eAAO,MAAM,sBAAsB;;;;;;;;;;IAcjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,OAAO,sBAAsB,CAAC,IAAI,CAAC;AAExE,eAAO,MAAM,iCAAiC;;;;EAI5C,CAAC;;;;;;AAEH,qBAAa,2BAA4B,SAAQ,gCAEN;CAAG;AAE9C,eAAO,MAAM,yBAAyB,4EAA6D,CAAC;AACpG,MAAM,MAAM,yBAAyB,GAAG,OAAO,yBAAyB,CAAC,IAAI,CAAC;AAE9E,eAAO,MAAM,+BAA+B;;;;IAG1C,CAAC;AAEH,eAAO,MAAM,2BAA2B;;;;;EAKtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,OAAO,2BAA2B,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;AAElF,qBAAa,oBAAqB,SAAQ,yBAYxC;CAAG;;;;;;;;;;;;;;;;;;;AAEL,qBAAa,yBAA0B,SAAQ,8BAS7C;CAAG;;;;;;AAEL,qBAAa,4BAA6B,SAAQ,iCAMhD;CAAG;;;;;;;AAEL,qBAAa,0BAA2B,SAAQ,+BAO9C;CAAG;;;;;;;;AAEL,qBAAa,4BAA6B,SAAQ,iCAQhD;CAAG;;;;;;;;;;;;;;;AAEL,qBAAa,6BAA8B,SAAQ,kCAKjD;CAAG;;;;;;;;;AAEL,qBAAa,8BAA+B,SAAQ,mCASlD;CAAG;AAEL,eAAO,MAAM,iCAAiC,8DAI5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,OAAO,iCAAiC,CAAC,IAAI,CAAC;;;;;;;;;;AAE9F,qBAAa,sBAAuB,SAAQ,2BAU1C;CAAG;AAEL,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,aAAa,EAAE,CACtB,KAAK,EAAE,4BAA4B,KAChC,MAAM,CAAC,MAAM,CAAC,SAAS,oBAAoB,EAAE,EAAE,cAAc,CAAC,CAAC;IACpE,QAAQ,CAAC,OAAO,EAAE,CAChB,KAAK,EAAE,0BAA0B,KAC9B,MAAM,CAAC,MAAM,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAC;IAC3D,QAAQ,CAAC,GAAG,EAAE,CACZ,KAAK,EAAE,yBAAyB,KAC7B,MAAM,CAAC,MAAM,CAAC,oBAAoB,EAAE,cAAc,CAAC,CAAC;IACzD,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,4BAA4B,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAC9F,QAAQ,CAAC,gBAAgB,EAAE,CACzB,KAAK,EAAE,8BAA8B,KAClC,MAAM,CAAC,MAAM,CAAC,SAAS,oBAAoB,EAAE,EAAE,cAAc,CAAC,CAAC;IACpE,QAAQ,CAAC,eAAe,EAAE,CACxB,KAAK,EAAE,4BAA4B,KAChC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACzC,QAAQ,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;IAC1F,QAAQ,CAAC,mBAAmB,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;CAC/F;AAED,eAAO,MAAM,mBAAmB,GAAI,OAAO;IACzC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B,KAAG,mBAGD,CAAC;AAEJ,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,MAKV,CAAC;AAE1C,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,KAAG,MACxB,CAAC;AAE1C,eAAO,MAAM,6BAA6B,GAAI,KAAK,oBAAoB,KAAG,sBAgBvE,CAAC;AAEJ,eAAO,MAAM,yBAAyB,GAAI,KAAK,oBAAoB,KAAG,oBAarE,CAAC"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=credential-bindings.test.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-bindings.test.d.ts","sourceRoot":"","sources":["../src/credential-bindings.test.ts"],"names":[],"mappings":""}