@executor-js/sdk 0.1.0 → 0.2.1

Files changed (76)
  1. package/README.md +21 -29
  2. package/dist/api-errors.d.ts +10 -0
  3. package/dist/api-errors.d.ts.map +1 -0
  4. package/dist/blob.d.ts.map +1 -1
  5. package/dist/chunk-6SQWMOM4.js +51 -0
  6. package/dist/chunk-6SQWMOM4.js.map +1 -0
  7. package/dist/chunk-NPWV4R3N.js +5563 -0
  8. package/dist/chunk-NPWV4R3N.js.map +1 -0
  9. package/dist/chunk-QQK7X3DM.js +103 -0
  10. package/dist/chunk-QQK7X3DM.js.map +1 -0
  11. package/dist/client.d.ts +2 -5
  12. package/dist/client.d.ts.map +1 -1
  13. package/dist/client.js +12 -18
  14. package/dist/client.js.map +1 -1
  15. package/dist/connections.d.ts +7 -0
  16. package/dist/connections.d.ts.map +1 -1
  17. package/dist/core-schema.d.ts +83 -3
  18. package/dist/core-schema.d.ts.map +1 -1
  19. package/dist/core.js +94 -52
  20. package/dist/core.js.map +1 -1
  21. package/dist/credential-bindings.d.ts +173 -0
  22. package/dist/credential-bindings.d.ts.map +1 -0
  23. package/dist/credential-bindings.test.d.ts +2 -0
  24. package/dist/credential-bindings.test.d.ts.map +1 -0
  25. package/dist/errors.d.ts +27 -5
  26. package/dist/errors.d.ts.map +1 -1
  27. package/dist/executor.d.ts +47 -13
  28. package/dist/executor.d.ts.map +1 -1
  29. package/dist/hosted-http-client.d.ts +17 -0
  30. package/dist/hosted-http-client.d.ts.map +1 -0
  31. package/dist/hosted-http-client.test.d.ts +2 -0
  32. package/dist/hosted-http-client.test.d.ts.map +1 -0
  33. package/dist/ids.d.ts +2 -0
  34. package/dist/ids.d.ts.map +1 -1
  35. package/dist/index.d.ts +15 -10
  36. package/dist/index.d.ts.map +1 -1
  37. package/dist/index.js +16 -18
  38. package/dist/index.js.map +1 -1
  39. package/dist/oauth-discovery.d.ts +19 -4
  40. package/dist/oauth-discovery.d.ts.map +1 -1
  41. package/dist/oauth-helpers.d.ts +21 -0
  42. package/dist/oauth-helpers.d.ts.map +1 -1
  43. package/dist/oauth-popup-types.d.ts.map +1 -1
  44. package/dist/oauth-service.d.ts +16 -5
  45. package/dist/oauth-service.d.ts.map +1 -1
  46. package/dist/oauth.d.ts +19 -16
  47. package/dist/oauth.d.ts.map +1 -1
  48. package/dist/oxlint-plugin-executor.test.d.ts +2 -0
  49. package/dist/oxlint-plugin-executor.test.d.ts.map +1 -0
  50. package/dist/plugin.d.ts +84 -19
  51. package/dist/plugin.d.ts.map +1 -1
  52. package/dist/policies.d.ts +10 -15
  53. package/dist/policies.d.ts.map +1 -1
  54. package/dist/promise-executor.d.ts.map +1 -1
  55. package/dist/promise.d.ts +5 -3
  56. package/dist/promise.d.ts.map +1 -1
  57. package/dist/schema-types.d.ts.map +1 -1
  58. package/dist/scoped-adapter.d.ts +17 -2
  59. package/dist/scoped-adapter.d.ts.map +1 -1
  60. package/dist/secrets.d.ts +12 -0
  61. package/dist/secrets.d.ts.map +1 -1
  62. package/dist/test-config.d.ts +10 -0
  63. package/dist/test-config.d.ts.map +1 -0
  64. package/dist/testing.d.ts +30 -8
  65. package/dist/testing.d.ts.map +1 -1
  66. package/dist/testing.js +56 -0
  67. package/dist/testing.js.map +1 -0
  68. package/dist/types.d.ts +11 -3
  69. package/dist/types.d.ts.map +1 -1
  70. package/dist/usage-visibility.test.d.ts +2 -0
  71. package/dist/usage-visibility.test.d.ts.map +1 -0
  72. package/dist/usages.d.ts +20 -0
  73. package/dist/usages.d.ts.map +1 -0
  74. package/package.json +26 -14
  75. package/dist/chunk-2WV7VSNL.js +0 -4440
  76. package/dist/chunk-2WV7VSNL.js.map +0 -1
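--- a/package/dist/core.js
+++ b/package/dist/core.js
@@ -1,5 +1,22 @@
  import {
+ SecretBackedMap,
+ SecretBackedValue,
+ defineExecutorConfig,
+ isSecretBackedRef,
+ resolveSecretBackedMap
+ } from "./chunk-6SQWMOM4.js";
+ import {
+ definePlugin,
+ defineSchema,
+ makeTestConfig,
+ tool
+ } from "./chunk-QQK7X3DM.js";
+ import {
+ ConfiguredCredentialBinding,
+ ConfiguredCredentialValue,
+ ConfiguredCredentialValueSchema,
  ConnectionId,
+ ConnectionInUseError,
  ConnectionNotFoundError,
  ConnectionProviderNotRegisteredError,
  ConnectionProviderState,
@@ -8,10 +25,18 @@ import {
  ConnectionRefreshError,
  ConnectionRefreshNotSupportedError,
  CreateConnectionInput,
+ CredentialBindingId,
+ CredentialBindingKind,
+ CredentialBindingRef,
+ CredentialBindingResolutionStatus,
+ CredentialBindingSlotInput,
+ CredentialBindingSourceInput,
+ CredentialBindingValue,
  ElicitationAction,
  ElicitationDeclinedError,
  ElicitationResponse,
  FormElicitation,
+ HostedOutboundRequestBlocked,
  NoHandlerError,
  OAUTH2_DEFAULT_TIMEOUT_MS,
  OAUTH2_PROVIDER_KEY,
@@ -33,15 +58,22 @@ import {
  OAuthStrategy,
  PluginNotLoadedError,
  PolicyId,
+ RemoveConnectionInput,
+ RemoveCredentialBindingInput,
+ RemoveSecretInput,
+ ReplaceCredentialBindingValue,
+ ReplaceCredentialBindingsInput,
+ ResolvedCredentialSlot,
  Scope,
  ScopeId,
- SecretBackedMap,
- SecretBackedValue,
+ ScopedSecretCredentialInput,
  SecretId,
+ SecretInUseError,
  SecretNotFoundError,
  SecretOwnedByConnectionError,
  SecretRef,
  SecretResolutionError,
+ SetCredentialBindingInput,
  SetSecretInput,
  SourceDetectionResult,
  SourceNotFoundError,
@@ -56,6 +88,8 @@ import {
  ToolSchema,
  UpdateConnectionTokensInput,
  UrlElicitation,
+ Usage,
+ assertSupportedOAuthEndpointUrl,
  beginDynamicAuthorization,
  buildAuthorizationUrl,
  buildToolTypeScriptPreview,
@@ -64,15 +98,20 @@ import {
  createExecutor,
  createPkceCodeChallenge,
  createPkceCodeVerifier,
- defineExecutorConfig,
+ credentialBindingId,
+ credentialBindingRowToRef,
+ credentialBindingValueFromRow,
+ credentialSlotKey,
+ credentialSlotPart,
  discoverAuthorizationServerMetadata,
  discoverProtectedResourceMetadata,
  effectivePolicyFromSorted,
  exchangeAuthorizationCode,
  exchangeClientCredentials,
- isSecretBackedRef,
+ isSupportedOAuthEndpointUrl,
  isToolPolicyAction,
  isValidPattern,
+ makeHostedHttpClientLayer,
  makeInMemoryBlobStore,
  makeOAuth2Service,
  matchPattern,
@@ -80,16 +119,16 @@ import {
  refreshAccessToken,
  registerDynamicClient,
  resolveEffectivePolicy,
- resolveSecretBackedMap,
  resolveToolPolicy,
  rowToToolPolicy,
  schemaToTypeScriptPreview,
  schemaToTypeScriptPreviewWithDefs,
- shouldRefreshToken
- } from "./chunk-2WV7VSNL.js";
+ shouldRefreshToken,
+ validateHostedOutboundUrl
+ } from "./chunk-NPWV4R3N.js";
 
  // src/index.ts
- import { Context, Effect, Layer, Schema, Data, Option } from "effect";
+ import { Context, Effect, Layer, Schema as Schema2, Data, Option } from "effect";
  import {
  HttpApi,
  HttpApiBuilder,
@@ -106,48 +145,6 @@ import { StorageError, UniqueViolationError } from "@executor-js/storage-core";
  var OAUTH_POPUP_MESSAGE_TYPE = "executor:oauth-result";
  var isOAuthPopupResult = (value) => typeof value === "object" && value !== null && value.type === OAUTH_POPUP_MESSAGE_TYPE;
 
- // src/plugin.ts
- var defineSchema = (schema) => schema;
- function definePlugin(authorFactory) {
- return (options) => {
- const {
- storage: storageOverride,
- ...rest
- } = options ?? {};
- const hasAuthorOptions = Object.keys(rest).length > 0;
- const spec = authorFactory(
- hasAuthorOptions ? rest : void 0
- );
- return {
- ...spec,
- storage: storageOverride ?? spec.storage
- };
- };
- }
-
- // src/testing.ts
- import { makeMemoryAdapter } from "@executor-js/storage-core/testing/memory";
- var makeTestConfig = (options) => {
- const scopes = options?.scopes ?? [
- new Scope({
- id: ScopeId.make("test-scope"),
- name: options?.scopeName ?? "test",
- createdAt: /* @__PURE__ */ new Date()
- })
- ];
- const schema = collectSchemas(options?.plugins ?? []);
- return {
- scopes,
- adapter: makeMemoryAdapter({ schema }),
- blobs: makeInMemoryBlobStore(),
- plugins: options?.plugins,
- // Tests default to auto-accepting elicitation prompts. Override via
- // a wrapping spread if a test exercises a real handler:
- // { ...makeTestConfig(...), onElicitation: customHandler }
- onElicitation: "accept-all"
- };
- };
-
  // src/schema-refs.ts
  var REF_PATTERN = /^#\/(?:\$defs|definitions)\/(.+)$/;
  var parseRefName = (ref) => ref.match(REF_PATTERN)?.[1];
@@ -233,8 +230,24 @@ var reattachDefs = (schema, defs) => {
  }
  return { ...schema, $defs: attached };
  };
+
+ // src/api-errors.ts
+ import { Schema } from "effect";
+ var InternalError = class extends Schema.TaggedErrorClass()(
+ "InternalError",
+ {
+ /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */
+ traceId: Schema.String
+ },
+ { httpApiStatus: 500 }
+ ) {
+ };
  export {
+ ConfiguredCredentialBinding,
+ ConfiguredCredentialValue,
+ ConfiguredCredentialValueSchema,
  ConnectionId,
+ ConnectionInUseError,
  ConnectionNotFoundError,
  ConnectionProviderNotRegisteredError,
  ConnectionProviderState,
@@ -244,12 +257,20 @@ export {
  ConnectionRefreshNotSupportedError,
  Context,
  CreateConnectionInput,
+ CredentialBindingId,
+ CredentialBindingKind,
+ CredentialBindingRef,
+ CredentialBindingResolutionStatus,
+ CredentialBindingSlotInput,
+ CredentialBindingSourceInput,
+ CredentialBindingValue,
  Data,
  Effect,
  ElicitationAction,
  ElicitationDeclinedError,
  ElicitationResponse,
  FormElicitation,
+ HostedOutboundRequestBlocked,
  HttpApi,
  HttpApiBuilder,
  HttpApiClient,
@@ -257,6 +278,7 @@ export {
  HttpApiGroup,
  HttpApiMiddleware,
  HttpApiSchema,
+ InternalError,
  Layer,
  NoHandlerError,
  OAUTH2_DEFAULT_TIMEOUT_MS,
@@ -281,16 +303,25 @@ export {
  Option,
  PluginNotLoadedError,
  PolicyId,
- Schema,
+ RemoveConnectionInput,
+ RemoveCredentialBindingInput,
+ RemoveSecretInput,
+ ReplaceCredentialBindingValue,
+ ReplaceCredentialBindingsInput,
+ ResolvedCredentialSlot,
+ Schema2 as Schema,
  Scope,
  ScopeId,
+ ScopedSecretCredentialInput,
  SecretBackedMap,
  SecretBackedValue,
  SecretId,
+ SecretInUseError,
  SecretNotFoundError,
  SecretOwnedByConnectionError,
  SecretRef,
  SecretResolutionError,
+ SetCredentialBindingInput,
  SetSecretInput,
  SourceDetectionResult,
  SourceNotFoundError,
@@ -307,6 +338,8 @@ export {
  UniqueViolationError,
  UpdateConnectionTokensInput,
  UrlElicitation,
+ Usage,
+ assertSupportedOAuthEndpointUrl,
  beginDynamicAuthorization,
  buildAuthorizationUrl,
  buildToolTypeScriptPreview,
@@ -316,6 +349,11 @@ export {
  createExecutor,
  createPkceCodeChallenge,
  createPkceCodeVerifier,
+ credentialBindingId,
+ credentialBindingRowToRef,
+ credentialBindingValueFromRow,
+ credentialSlotKey,
+ credentialSlotPart,
  defineExecutorConfig,
  definePlugin,
  defineSchema,
@@ -327,8 +365,10 @@ export {
  hoistDefinitions,
  isOAuthPopupResult,
  isSecretBackedRef,
+ isSupportedOAuthEndpointUrl,
  isToolPolicyAction,
  isValidPattern,
+ makeHostedHttpClientLayer,
  makeInMemoryBlobStore,
  makeOAuth2Service,
  makeTestConfig,
@@ -345,6 +385,8 @@ export {
  schemaToTypeScriptPreview,
  schemaToTypeScriptPreviewWithDefs,
  shouldRefreshToken,
- typedAdapter
+ tool,
+ typedAdapter,
+ validateHostedOutboundUrl
  };
  //# sourceMappingURL=core.js.map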
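Review bot: `makeTestConfig` is still re-exported from the main entry: it is now imported from `./chunk-QQK7X3DM.js` and stays in the `export {` list, even though this release also adds a separate `dist/testing.js`. The body removed from this file defaulted `onElicitation: "accept-all"`; the moved implementation is not visible in this section, so whether it keeps that default should be confirmed. If it does, a config built with this helper outside tests would auto-accept elicitation prompts without any hint at the import site that the helper is test-only. I would annotate the re-export in the source that builds this bundle with `/** @deprecated test-only helper: defaults to auto-accepting elicitation prompts; import it from the testing entry point instead. */` and drop it from the main entry at the next breaking release.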
package/dist/core.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/oauth-popup-types.ts","../src/plugin.ts","../src/testing.ts","../src/schema-refs.ts"],"sourcesContent":["// ---------------------------------------------------------------------------\n// @executor-js/sdk — public surface\n// ---------------------------------------------------------------------------\n\n// Re-export the Effect/Schema/HttpApi primitives plugin authors need so a\n// plugin can be written importing only from `@executor-js/sdk`. Authors who\n// want to reach for additional Effect APIs keep importing from `effect/*`\n// directly — these re-exports are the curated minimum.\nexport { Context, Effect, Layer, Schema, Data, Option } from \"effect\";\nexport {\n HttpApi,\n HttpApiBuilder,\n HttpApiClient,\n HttpApiEndpoint,\n HttpApiGroup,\n HttpApiMiddleware,\n HttpApiSchema,\n} from \"effect/unstable/httpapi\";\n\n// Storage adapter interface types (re-exported from @executor-js/storage-core\n// so plugin authors can write adapters against a single public surface\n// without depending on storage-core directly).\nexport type {\n DBAdapter,\n DBSchema,\n DBFieldAttribute,\n DBFieldType,\n StorageFailure,\n TypedAdapter,\n Where,\n WhereOperator,\n} from \"@executor-js/storage-core\";\n\nexport { typedAdapter } from \"@executor-js/storage-core\";\n\n// Storage-layer typed errors (re-exported so plugin code can catchTag\n// `UniqueViolationError` without importing storage-core directly).\nexport { StorageError, UniqueViolationError } from \"@executor-js/storage-core\";\n\n// IDs (branded)\nexport { ScopeId, ToolId, SecretId, PolicyId, ConnectionId } from \"./ids\";\n\n// Scope\nexport { Scope } from \"./scope\";\n\n// Errors (tagged)\nexport {\n ToolNotFoundError,\n ToolInvocationError,\n ToolBlockedError,\n NoHandlerError,\n SourceNotFoundError,\n SourceRemovalNotAllowedError,\n PluginNotLoadedError,\n SecretNotFoundError,\n SecretResolutionError,\n SecretOwnedByConnectionError,\n ConnectionNotFoundError,\n 
ConnectionProviderNotRegisteredError,\n ConnectionRefreshNotSupportedError,\n ConnectionReauthRequiredError,\n type ExecutorError,\n} from \"./errors\";\n\n// Public projections\nexport {\n ToolSchema,\n SourceDetectionResult,\n type Source,\n type Tool,\n type ToolListFilter,\n} from \"./types\";\n\n// Core schema\nexport {\n coreSchema,\n isToolPolicyAction,\n TOOL_POLICY_ACTIONS,\n type CoreSchema,\n type SourceInput,\n type SourceInputTool,\n type SourceRow,\n type ToolRow,\n type DefinitionRow,\n type SecretRow,\n type ConnectionRow,\n type ToolPolicyRow,\n type ToolPolicyAction,\n type DefinitionsInput,\n type ToolAnnotations,\n} from \"./core-schema\";\n\n// Tool policies\nexport {\n matchPattern,\n isValidPattern,\n resolveToolPolicy,\n resolveEffectivePolicy,\n effectivePolicyFromSorted,\n rowToToolPolicy,\n ToolPolicyActionSchema,\n type ToolPolicy,\n type CreateToolPolicyInput,\n type UpdateToolPolicyInput,\n type PolicyMatch,\n type EffectivePolicy,\n type PolicySource,\n} from \"./policies\";\n\n// Secrets\nexport { SecretRef, SetSecretInput, type SecretProvider } from \"./secrets\";\n\nexport {\n SecretBackedMap,\n SecretBackedValue,\n isSecretBackedRef,\n resolveSecretBackedMap,\n type ResolveSecretBackedMapOptions,\n} from \"./secret-backed-value\";\n\n// Connections\nexport {\n ConnectionRef,\n ConnectionProviderState,\n CreateConnectionInput,\n UpdateConnectionTokensInput,\n TokenMaterial,\n ConnectionRefreshError,\n type ConnectionProvider,\n type ConnectionRefreshInput,\n type ConnectionRefreshResult,\n} from \"./connections\";\n\n// Elicitation\nexport {\n FormElicitation,\n UrlElicitation,\n ElicitationAction,\n ElicitationResponse,\n ElicitationDeclinedError,\n type ElicitationRequest,\n type ElicitationHandler,\n type ElicitationContext,\n} from \"./elicitation\";\n\n// Blob store\nexport {\n type BlobStore,\n type PluginBlobStore,\n pluginBlobStore,\n makeInMemoryBlobStore,\n} from \"./blob\";\n\n// OAuth 2.1\nexport {\n type 
OAuthService,\n type OAuthStrategy,\n type OAuthDynamicDcrStrategy,\n type OAuthAuthorizationCodeStrategy,\n type OAuthClientCredentialsStrategy,\n type OAuthProviderState,\n type OAuthProbeInput,\n type OAuthProbeResult,\n type OAuthStartInput,\n type OAuthStartResult,\n type OAuthCompleteInput,\n type OAuthCompleteResult,\n OAuthProbeError,\n OAuthStartError,\n OAuthCompleteError,\n OAuthSessionNotFoundError,\n OAUTH2_PROVIDER_KEY,\n OAUTH2_SESSION_TTL_MS,\n OAuthStrategy as OAuthStrategySchema,\n OAuthProviderState as OAuthProviderStateSchema,\n OAuthDynamicDcrStrategy as OAuthDynamicDcrStrategySchema,\n OAuthAuthorizationCodeStrategy as OAuthAuthorizationCodeStrategySchema,\n OAuthClientCredentialsStrategy as OAuthClientCredentialsStrategySchema,\n} from \"./oauth\";\n\nexport {\n OAuth2Error,\n OAUTH2_DEFAULT_TIMEOUT_MS,\n OAUTH2_REFRESH_SKEW_MS,\n buildAuthorizationUrl,\n createPkceCodeChallenge,\n createPkceCodeVerifier,\n exchangeAuthorizationCode,\n exchangeClientCredentials,\n refreshAccessToken,\n shouldRefreshToken,\n type OAuth2TokenResponse,\n type BuildAuthorizationUrlInput,\n type ClientAuthMethod,\n type ExchangeAuthorizationCodeInput,\n type ExchangeClientCredentialsInput,\n type RefreshAccessTokenInput,\n} from \"./oauth-helpers\";\n\nexport { makeOAuth2Service, type OAuthServiceDeps } from \"./oauth-service\";\n\nexport {\n OAuthDiscoveryError,\n OAuthAuthorizationServerMetadataSchema,\n OAuthClientInformationSchema,\n OAuthProtectedResourceMetadataSchema,\n beginDynamicAuthorization,\n discoverAuthorizationServerMetadata,\n discoverProtectedResourceMetadata,\n registerDynamicClient,\n type BeginDynamicAuthorizationInput,\n type DiscoveryRequestOptions,\n type DynamicAuthorizationState,\n type DynamicAuthorizationStartResult,\n type DynamicClientMetadata,\n type OAuthAuthorizationServerMetadata,\n type OAuthClientInformation,\n type OAuthProtectedResourceMetadata,\n type RegisterDynamicClientInput,\n} from \"./oauth-discovery\";\n\nexport {\n 
OAUTH_POPUP_MESSAGE_TYPE,\n type OAuthPopupResult,\n isOAuthPopupResult,\n} from \"./oauth-popup-types\";\n\n// Plugin definition\nexport {\n type Plugin,\n type PluginSpec,\n type PluginCtx,\n type PluginExtensions,\n type ConfiguredPlugin,\n type AnyPlugin,\n type StorageDeps,\n type StaticSourceDecl,\n type StaticToolDecl,\n type StaticToolHandlerInput,\n type InvokeToolInput,\n type SourceLifecycleInput,\n type SecretListEntry,\n type Elicit,\n definePlugin,\n defineSchema,\n} from \"./plugin\";\n\n// Executor\nexport {\n type Executor,\n type ExecutorConfig,\n type OnElicitation,\n type InvokeOptions,\n createExecutor,\n collectSchemas,\n} from \"./executor\";\n\n// CLI / runtime config\nexport {\n defineExecutorConfig,\n type ExecutorCliConfig,\n type ExecutorDialect,\n type ExecutorPluginsFactory,\n} from \"./config\";\n\n// Test helper\nexport { makeTestConfig } from \"./testing\";\n\n// JSON schema $ref helpers (used by openapi for $defs handling)\nexport { hoistDefinitions, collectRefs, reattachDefs, normalizeRefs } from \"./schema-refs\";\n\n// TypeScript preview generation from JSON schemas\nexport {\n schemaToTypeScriptPreview,\n schemaToTypeScriptPreviewWithDefs,\n buildToolTypeScriptPreview,\n type TypeScriptRenderOptions,\n type TypeScriptSchemaPreview,\n} from \"./schema-types\";\n","// ---------------------------------------------------------------------------\n// OAuth popup result — the message shape exchanged between the popup window\n// (opened during authorization) and the opener (the onboarding UI). Both the\n// server-side HTML generator and the client-side popup opener agree on this\n// shape so that success / failure can be communicated reliably via both\n// `postMessage` and `BroadcastChannel`.\n// ---------------------------------------------------------------------------\n\n/** Message type literal used to identify our popup results. 
*/\nexport const OAUTH_POPUP_MESSAGE_TYPE = \"executor:oauth-result\" as const;\n\nexport type OAuthPopupResult<TAuth> =\n | ({\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: true;\n readonly sessionId: string;\n } & TAuth)\n | {\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: false;\n readonly sessionId: string | null;\n readonly error: string;\n };\n\nexport const isOAuthPopupResult = <TAuth>(\n value: unknown,\n): value is OAuthPopupResult<TAuth> =>\n typeof value === \"object\" &&\n value !== null &&\n (value as { type?: unknown }).type === OAUTH_POPUP_MESSAGE_TYPE;\n","import type { Context, Effect, Layer } from \"effect\";\nimport type { HttpApiGroup } from \"effect/unstable/httpapi\";\nimport type {\n DBAdapter,\n DBSchema,\n StorageFailure,\n TypedAdapter,\n} from \"@executor-js/storage-core\";\n\nimport type { PluginBlobStore } from \"./blob\";\nimport type {\n ConnectionProvider,\n ConnectionRef,\n ConnectionRefreshError,\n CreateConnectionInput,\n UpdateConnectionTokensInput,\n} from \"./connections\";\nimport type {\n DefinitionsInput,\n SourceInput,\n ToolAnnotations,\n ToolRow,\n} from \"./core-schema\";\nimport type { SourceDetectionResult } from \"./types\";\nimport type {\n ElicitationDeclinedError,\n ElicitationHandler,\n ElicitationRequest,\n ElicitationResponse,\n} from \"./elicitation\";\nimport type {\n ConnectionNotFoundError,\n ConnectionProviderNotRegisteredError,\n ConnectionReauthRequiredError,\n ConnectionRefreshNotSupportedError,\n SecretOwnedByConnectionError,\n} from \"./errors\";\nimport type { OAuthService } from \"./oauth\";\nimport type { Scope } from \"./scope\";\nimport type { SecretProvider, SecretRef, SetSecretInput } from \"./secrets\";\n\n// ---------------------------------------------------------------------------\n// StorageDeps — backing passed to a plugin's `storage` factory. The only\n// place a plugin ever sees storage; `PluginCtx` does not carry it. 
The\n// `adapter` field is a `TypedAdapter<TSchema>` view narrowed by the\n// plugin's own declared `schema` — plugins never import or construct\n// a typed adapter themselves, the executor infers TSchema from the\n// `schema` field on their spec and hands back a typed view.\n//\n// Plugins with no schema (secret-provider-only plugins, etc.) get a\n// bare `DBAdapter` they can ignore.\n// ---------------------------------------------------------------------------\n\nexport interface StorageDeps<TSchema extends DBSchema | undefined = undefined> {\n /**\n * Precedence-ordered scope stack visible to this executor. Innermost\n * first. Reads on scoped tables walk every scope; writes require the\n * plugin to name a target scope explicitly (via `scope_id` on the\n * adapter payload, via `options.scope` on the blob store).\n */\n readonly scopes: readonly Scope[];\n /**\n * Plugin-facing typed adapter. Failures surface as raw `StorageFailure`\n * (`StorageError` | `UniqueViolationError`). Plugins can\n * `catchTag(\"UniqueViolationError\", …)` to translate to their own\n * user-facing errors. `StorageError` bubbles up; the HTTP edge (see\n * `@executor-js/api` `withCapture`) is the one place that\n * translates it to the opaque `InternalError({ traceId })`.\n */\n readonly adapter: TSchema extends DBSchema\n ? TypedAdapter<TSchema, StorageFailure>\n : DBAdapter;\n readonly blobs: PluginBlobStore;\n}\n\n// ---------------------------------------------------------------------------\n// defineSchema — sugar around `as const satisfies DBSchema`. Preserves\n// literal types via the `const` type parameter modifier so plugins can\n// just write `const mySchema = defineSchema({ ... 
})` without annotation\n// ceremony.\n// ---------------------------------------------------------------------------\n\nexport const defineSchema = <const S extends DBSchema>(schema: S): S => schema;\n\n// ---------------------------------------------------------------------------\n// Elicit — suspends the fiber, calls the invoke-time elicitation\n// handler, resumes with the user's response. Available on both static\n// tool handlers and dynamic `invokeTool` handlers. Threaded through\n// the executor from `createExecutor({ onElicitation })`.\n// ---------------------------------------------------------------------------\n\nexport type Elicit = (\n request: ElicitationRequest,\n) => Effect.Effect<ElicitationResponse, ElicitationDeclinedError>;\n\n// ---------------------------------------------------------------------------\n// PluginCtx — threaded into every extension method, static tool handler,\n// and dynamic tool handler. No raw adapter, no raw blobs. Core writes\n// go through `core.sources.register` / `core.definitions.register`.\n// ---------------------------------------------------------------------------\n\nexport interface PluginCtx<TStore = unknown> {\n /**\n * Precedence-ordered scope stack visible to this executor. Innermost\n * first. Plugins that write scoped rows must pick an element of\n * `scopes` as the `scope`/`scope_id` they stamp; reads through the\n * adapter or `ctx.secrets` automatically fall through the stack.\n */\n readonly scopes: readonly Scope[];\n readonly storage: TStore;\n\n readonly core: {\n readonly sources: {\n readonly register: (\n input: SourceInput,\n ) => Effect.Effect<void, StorageFailure>;\n readonly unregister: (\n sourceId: string,\n ) => Effect.Effect<void, StorageFailure>;\n readonly update: (input: {\n readonly id: string;\n readonly scope: string;\n readonly name?: string;\n readonly url?: string | null;\n }) => Effect.Effect<void, StorageFailure>;\n };\n /** Register shared JSON-schema `$defs` for a source. 
Tool\n * input/output schemas registered via `sources.register` can carry\n * `$ref: \"#/$defs/X\"` pointers; `executor.tools.schema(toolId)`\n * attaches matching defs to the returned schema. Call inside the\n * same `ctx.transaction` as `sources.register` for atomicity.\n * Replaces any existing defs for the given sourceId. */\n readonly definitions: {\n readonly register: (\n input: DefinitionsInput,\n ) => Effect.Effect<void, StorageFailure>;\n };\n };\n\n readonly secrets: {\n readonly get: (\n id: string,\n ) => Effect.Effect<string | null, SecretOwnedByConnectionError | StorageFailure>;\n /** List user-visible secrets. Connection-owned secrets (rows with\n * `owned_by_connection_id` set) are filtered out so they don't\n * clutter the UI — users see the Connection instead. */\n readonly list: () => Effect.Effect<\n readonly { readonly id: string; readonly name: string; readonly provider: string }[],\n StorageFailure\n >;\n /** Write a secret value through a provider. Used by plugins that\n * mint secrets on behalf of the user (OAuth2 token storage,\n * interactive onboarding flows). Normally writes go through\n * `executor.secrets.set` on the host surface, but OAuth2 refresh\n * and one-shot token capture from plugin-owned flows need it here\n * too. Same routing rules as the host-level setter. */\n readonly set: (\n input: SetSecretInput,\n ) => Effect.Effect<SecretRef, StorageFailure>;\n /** Delete a secret from its pinned provider and the core table.\n * Rejects with `SecretOwnedByConnectionError` if the row is owned\n * by a connection — callers must go through `connections.remove`\n * to drop the whole sign-in. */\n readonly remove: (\n id: string,\n ) => Effect.Effect<void, SecretOwnedByConnectionError | StorageFailure>;\n };\n\n /** Connections — product-level sign-in state. Owns backing secret\n * rows via `secret.owned_by_connection_id`. 
Plugins call\n * `connections.accessToken(id)` at invoke time to get a guaranteed-\n * fresh token (the SDK handles refresh via the registered provider\n * keyed by `connection.provider`). */\n readonly connections: {\n readonly get: (\n id: string,\n ) => Effect.Effect<ConnectionRef | null, StorageFailure>;\n readonly list: () => Effect.Effect<readonly ConnectionRef[], StorageFailure>;\n readonly create: (\n input: CreateConnectionInput,\n ) => Effect.Effect<\n ConnectionRef,\n ConnectionProviderNotRegisteredError | StorageFailure\n >;\n readonly updateTokens: (\n input: UpdateConnectionTokensInput,\n ) => Effect.Effect<\n ConnectionRef,\n ConnectionNotFoundError | StorageFailure\n >;\n readonly setIdentityLabel: (\n id: string,\n label: string | null,\n ) => Effect.Effect<void, ConnectionNotFoundError | StorageFailure>;\n /** Get a guaranteed-fresh access token. Calls the provider's\n * `refresh` handler if `expires_at` is in the past / within the\n * refresh skew window. */\n readonly accessToken: (\n id: string,\n ) => Effect.Effect<\n string,\n | ConnectionNotFoundError\n | ConnectionProviderNotRegisteredError\n | ConnectionRefreshNotSupportedError\n | ConnectionReauthRequiredError\n | ConnectionRefreshError\n | StorageFailure\n >;\n readonly remove: (id: string) => Effect.Effect<void, StorageFailure>;\n };\n\n /** Shared OAuth service. Plugins use this to probe/start/complete OAuth\n * flows; invocation should still resolve tokens via `connections.accessToken`. */\n readonly oauth: OAuthService;\n\n /** Run `effect` inside a database transaction. Wraps the underlying\n * adapter's transaction method. Use this in extension methods that\n * need atomicity across plugin storage writes AND core source/tool\n * registration. */\n readonly transaction: <A, E>(\n effect: Effect.Effect<A, E>,\n ) => Effect.Effect<A, E | StorageFailure>;\n}\n\n// ---------------------------------------------------------------------------\n// Static tool / source declarations. 
Pure data + handlers declared at\n// plugin-definition time.\n//\n// Importantly, `StaticToolDecl.handler` does NOT reference TExtension.\n// If it did, the nested generic would break inference for the whole\n// PluginSpec (TS would fall back to the `object` constraint on TExtension).\n// `self: NoInfer<TExtension>` lives on `staticSources` one level up\n// instead, and plugin authors close over it via the arrow-function\n// closure when they write their handler.\n// ---------------------------------------------------------------------------\n\nexport interface StaticToolHandlerInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n readonly args: unknown;\n /** Suspend the fiber to request user input. The handler passed to\n * `createExecutor({ onElicitation })` is called. */\n readonly elicit: Elicit;\n}\n\nexport interface StaticToolDecl<TStore = unknown> {\n readonly name: string;\n readonly description: string;\n readonly inputSchema?: unknown;\n readonly outputSchema?: unknown;\n /** Default-policy annotations — `requiresApproval`, `approvalDescription`,\n * `mayElicit`. Enforced by the executor before the handler runs.\n * Inline because static tools have no plugin storage to resolve from;\n * the plugin author literally writes this at definition time. */\n readonly annotations?: ToolAnnotations;\n readonly handler: (\n input: StaticToolHandlerInput<TStore>,\n ) => Effect.Effect<unknown, unknown>;\n}\n\nexport interface StaticSourceDecl<TStore = unknown> {\n readonly id: string;\n readonly kind: string;\n readonly name: string;\n readonly url?: string;\n /** Static sources default to `canRemove: false` — they represent\n * plugin-provided control surfaces and shouldn't be user-removable.\n * Override only if you really want that. 
*/\n readonly canRemove?: boolean;\n readonly canRefresh?: boolean;\n readonly canEdit?: boolean;\n readonly tools: readonly StaticToolDecl<TStore>[];\n}\n\n// ---------------------------------------------------------------------------\n// Dynamic invoke / source lifecycle inputs.\n// ---------------------------------------------------------------------------\n\nexport interface InvokeToolInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n /** Already-loaded tool row. Plugin doesn't need to re-fetch or parse\n * the tool id. Carries source_id, name, input/output schemas,\n * annotations. */\n readonly toolRow: ToolRow;\n readonly args: unknown;\n /** Elicitation handle for plugins that need mid-invocation user input\n * (onepassword auth prompt, interactive MCP tools, etc.). */\n readonly elicit: Elicit;\n}\n\nexport interface SourceLifecycleInput<TStore = unknown> {\n readonly ctx: PluginCtx<TStore>;\n readonly sourceId: string;\n /**\n * Scope of the source row being removed/refreshed — resolved by the\n * SDK's `sources.remove` / `sources.refresh` via innermost-wins lookup\n * across the executor's scope stack. Plugins that own a side table\n * keyed by (id, scope_id) must pin their own cleanup to this scope;\n * relying on the scoped adapter's `scope_id IN (stack)` fall-through\n * would widen the mutation across the whole stack and wipe a\n * shadowed outer-scope row.\n */\n readonly scope: string;\n}\n\n// ---------------------------------------------------------------------------\n// PluginSpec — what a `definePlugin(factory)` call returns.\n// ---------------------------------------------------------------------------\n\n// Defaults are `any` for slots that surface in contravariant positions\n// (storage/extension callbacks consume `TStore`/`TSchema`; `staticSources`\n// closes over `TExtension` via `NoInfer`). 
`any` is bivariant, so\n// `Plugin<string>` is a structural supertype of every concrete plugin\n// — `AnyPlugin = Plugin<string>` keeps the generic explosion contained\n// to this single declaration. Concrete specs ignore the defaults; TS\n// infers each slot from the literal returned by the author factory.\n//\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport interface PluginSpec<\n TId extends string = string,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtension extends object = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TStore = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TSchema extends DBSchema | undefined = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtensionService extends Context.Service<any, any> | undefined = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n THandlersLayer extends Layer.Layer<any, any, any> = any,\n TGroup extends HttpApiGroup.Any = HttpApiGroup.Any,\n> {\n readonly id: TId;\n /** npm package name. The Vite plugin uses this to derive the\n * `./client` import path for the frontend bundle (so the same\n * `executor.config.ts` drives both server and client) — `${packageName}/client`\n * is what gets bundled. The author writes the same string they\n * publish to npm; no transforms, no scope conventions. Required for\n * plugins that ship a `./client` entry; can be omitted for SDK-only\n * plugins (no client bundle = nothing to resolve). */\n readonly packageName?: string;\n /** Plugin-declared schema. Merged with coreSchema and other plugins'\n * schemas at executor startup via `collectSchemas`. The type flows\n * into the `storage` factory's `deps.adapter` as a `TypedAdapter<TSchema>`\n * so plugins get narrowed model names + typed rows for free. */\n readonly schema?: TSchema;\n /** Build the plugin's typed store from backing. 
`deps.adapter` is\n * already narrowed to this plugin's schema; `deps.blobs` is already\n * scoped to the plugin id so key collisions across plugins are\n * structurally impossible. */\n readonly storage: (deps: StorageDeps<TSchema>) => TStore;\n\n /** Build the plugin's extension API. The returned object becomes\n * `executor[plugin.id]` and is also the `self` passed to\n * `staticSources`. Field order matters: `extension` MUST appear\n * before `staticSources` so TS infers TExtension from this\n * factory's return BEFORE type-checking `self: NoInfer<TExtension>`. */\n readonly extension?: (ctx: PluginCtx<TStore>) => TExtension;\n\n /** Static sources contributed by this plugin with inline tool\n * handlers. Lives entirely in memory — no DB writes at startup.\n * Handlers close over `self` via the closure, so a control tool\n * that delegates to the plugin's real API is a one-liner:\n * `({ args }) => self.addSpec(args)`. */\n readonly staticSources?: (\n self: NoInfer<TExtension>,\n ) => readonly StaticSourceDecl<TStore>[];\n\n /** HttpApiGroup contributed by this plugin. Composed into the host's\n * `HttpApi` via the `addGroup` helper at runtime. The host mounts\n * the group at `/_executor/plugins/{id}/...` (or wherever the\n * plugin declares its base path) with the host's auth + scope\n * middleware applied. Endpoints automatically appear in the\n * executor OpenAPI doc and the typed reactive client.\n *\n * TGroup is inferred from the plugin's own group declaration so the\n * precise group identity flows through `composePluginApi(plugins)` —\n * the host's typed `HttpApi<\"executor\", CoreGroups | PluginGroups>`\n * is derived from the plugin tuple alone, with no per-plugin Group\n * imports at the host. Per-endpoint typing already lives inside the\n * plugin — its `handlers` Layer is built against its own bundled\n * `HttpApi.make(\"foo\").add(FooApi)` for full `.handle(\"name\", ...)`\n * inference, and its client imports the same group directly. 
*/\n readonly routes?: () => TGroup;\n\n /** Handlers Layer for this plugin's group. Built by the plugin against\n * its own bundled API for full type safety on `.handle(\"name\", ...)`,\n * composes into the host's runtime `FullApi` because\n * `HttpApiBuilder.group` keys the layer by group identity, not by the\n * surrounding API.\n *\n * Late-binding: the layer leaves the plugin's extension as a Service\n * Tag requirement (see `extensionService` below). The host satisfies\n * it however its runtime wants:\n * - local: at boot via `Layer.succeed(extensionService)(executor[id])`\n * (see `composePluginHandlers`)\n * - cloud: per-request via `Effect.provideService(extensionService,\n * requestExecutor[id])` in the auth middleware\n *\n * The Layer's channels are typed `any` because `Layer<RIn, E, ROut>`'s\n * `ROut` is contravariant — the host accepts any layer here and merges\n * them; per-plugin requirements flow through the merge. */\n readonly handlers?: () => THandlersLayer;\n\n /** Service tag the plugin's `handlers` layer requires. Set by plugins\n * whose handlers consume their extension via a `Context.Service` tag\n * (the established pattern: `*Handlers` reads `*ExtensionService`).\n * The host binds the tag to the live extension — at boot for local,\n * per request for cloud. Pairs with `handlers`; either both fields\n * are set or neither.\n *\n * Inferred via the `TExtensionService` generic so the per-plugin\n * Service class identity propagates through `composePluginHandlers`,\n * `composePluginHandlerLayer`, and `providePluginExtensions` —\n * cloud's per-request middleware needs the precise tag for layer\n * satisfaction. */\n readonly extensionService?: TExtensionService;\n\n /** Invoke a dynamic tool. Called when the executor's static-handler\n * map doesn't have the toolId. The plugin reads its own enrichment\n * via `ctx.storage` and returns the result. Optional — plugins with\n * only static tools can omit it. 
*/\n readonly invokeTool?: (\n input: InvokeToolInput<TStore>,\n ) => Effect.Effect<unknown, unknown>;\n\n /** Bulk resolve annotations (requiresApproval, approvalDescription,\n * mayElicit) for a set of tool rows under a single source. Called\n * by the executor:\n * - at invoke time with a single-element `toolRows` array, to\n * enforce approval on the about-to-run tool\n * - at list time with every dynamic tool row under each source,\n * grouped by source_id, to populate `Tool.annotations` for UI\n *\n * The expected implementation for most plugins is: read plugin\n * storage once for the given source/rows, derive annotations from\n * the same data that was used to build the tool (HTTP method +\n * path for openapi, introspection kind for graphql, etc.), return\n * a map keyed by tool id.\n *\n * Omit if the plugin has no annotations to contribute — executor\n * treats tools from that plugin as auto-approved with no\n * elicitation. */\n readonly resolveAnnotations?: (input: {\n readonly ctx: PluginCtx<TStore>;\n readonly sourceId: string;\n readonly toolRows: readonly ToolRow[];\n }) => Effect.Effect<Record<string, ToolAnnotations>, unknown>;\n\n /** Called when `executor.sources.remove(id)` targets a source owned\n * by this plugin. Plugin-side cleanup only; the executor deletes\n * the core source/tool rows after this callback returns, inside\n * the same transaction. */\n readonly removeSource?: (\n input: SourceLifecycleInput<TStore>,\n ) => Effect.Effect<void, unknown>;\n\n readonly refreshSource?: (\n input: SourceLifecycleInput<TStore>,\n ) => Effect.Effect<void, unknown>;\n\n /** URL autodetection hook. When the user pastes a URL in the\n * onboarding UI, `executor.sources.detect(url)` fans out to every\n * plugin's `detect`. Return a `SourceDetectionResult` if you\n * recognize the URL, `null` otherwise. Implementations should be\n * defensive — swallow fetch errors and return null rather than\n * throwing. First high-confidence match wins. 
*/\n readonly detect?: (input: {\n readonly ctx: PluginCtx<TStore>;\n readonly url: string;\n }) => Effect.Effect<SourceDetectionResult | null, unknown>;\n\n /** Secret providers contributed by this plugin. Either a static\n * array, a function of ctx (for providers that need per-instance\n * state like the keychain's scope-derived service name), or a\n * function returning an Effect so plugins can probe for backend\n * availability at startup and register conditionally. Called once\n * at executor startup after `storage` and `extension` have been\n * built. */\n readonly secretProviders?:\n | readonly SecretProvider[]\n | ((ctx: PluginCtx<TStore>) => readonly SecretProvider[])\n | ((\n ctx: PluginCtx<TStore>,\n ) => Effect.Effect<readonly SecretProvider[]>);\n\n /** Connection providers contributed by this plugin. Same registration\n * shape as `secretProviders`. Each provider's `key` is what\n * `connection.provider` references in the core table; the `refresh`\n * handler is the SDK's single entry point for token lifecycle —\n * plugins don't run their own refresh loops anymore. 
*/\n readonly connectionProviders?:\n | readonly ConnectionProvider[]\n | ((ctx: PluginCtx<TStore>) => readonly ConnectionProvider[])\n | ((\n ctx: PluginCtx<TStore>,\n ) => Effect.Effect<readonly ConnectionProvider[]>);\n\n readonly close?: () => Effect.Effect<void, unknown>;\n}\n\nexport interface Plugin<\n TId extends string = string,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtension extends object = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TStore = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TSchema extends DBSchema | undefined = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtensionService extends Context.Service<any, any> | undefined = any,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n THandlersLayer extends Layer.Layer<any, any, any> = any,\n TGroup extends HttpApiGroup.Any = HttpApiGroup.Any,\n> extends PluginSpec<\n TId,\n TExtension,\n TStore,\n TSchema,\n TExtensionService,\n THandlersLayer,\n TGroup\n > {}\n\n// ---------------------------------------------------------------------------\n// definePlugin — factory-returning-spec. 
Options from the author factory\n// are merged with a storage override so consumers can swap the default\n// store implementation without touching plugin internals.\n// ---------------------------------------------------------------------------\n\nexport type ConfiguredPlugin<\n TId extends string,\n TExtension extends object,\n TStore,\n TOptions extends object,\n TSchema extends DBSchema | undefined,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtensionService extends Context.Service<any, any> | undefined = undefined,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n THandlersLayer extends Layer.Layer<any, any, any> = Layer.Layer<unknown, never, never>,\n TGroup extends HttpApiGroup.Any = HttpApiGroup.Any,\n> = (\n options?: TOptions & {\n readonly storage?: (deps: StorageDeps<TSchema>) => TStore;\n },\n) => Plugin<\n TId,\n TExtension,\n TStore,\n TSchema,\n TExtensionService,\n THandlersLayer,\n TGroup\n>;\n\n// eslint-disable-next-line @typescript-eslint/ban-types\nexport function definePlugin<\n TId extends string,\n TExtension extends object,\n TStore,\n TSchema extends DBSchema | undefined = undefined,\n TOptions extends object = {},\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n TExtensionService extends Context.Service<any, any> | undefined = undefined,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n THandlersLayer extends Layer.Layer<any, any, any> = Layer.Layer<unknown, never, never>,\n TGroup extends HttpApiGroup.Any = HttpApiGroup.Any,\n>(\n authorFactory: (\n options?: TOptions,\n ) => PluginSpec<\n TId,\n TExtension,\n TStore,\n TSchema,\n TExtensionService,\n THandlersLayer,\n TGroup\n >,\n): ConfiguredPlugin<\n TId,\n TExtension,\n TStore,\n TOptions,\n TSchema,\n TExtensionService,\n THandlersLayer,\n TGroup\n> {\n return (options) => {\n const {\n storage: storageOverride,\n ...rest\n }: {\n storage?: (deps: StorageDeps<TSchema>) => TStore;\n [key: string]: 
unknown;\n } = options ?? {};\n\n const hasAuthorOptions = Object.keys(rest).length > 0;\n const spec = authorFactory(\n hasAuthorOptions ? (rest as TOptions) : undefined,\n );\n\n return {\n ...spec,\n storage: storageOverride ?? spec.storage,\n };\n };\n}\n\n// ---------------------------------------------------------------------------\n// AnyPlugin / PluginExtensions — type-level glue for the Executor surface.\n// ---------------------------------------------------------------------------\n\n// `Plugin<string>` (with all subsequent slots taking their wide defaults)\n// is structurally any concrete plugin — the `any` cascade stays inside\n// the spec's defaults instead of leaking into every consumer.\nexport type AnyPlugin = Plugin<string>;\n\nexport type PluginExtensions<TPlugins extends readonly AnyPlugin[]> = {\n readonly [P in TPlugins[number] as P[\"id\"]]: P extends Plugin<\n string,\n infer TExt\n >\n ? TExt\n : never;\n};\n\n/** Lightweight projection of a secret entry as returned by `ctx.secrets.list`. */\nexport interface SecretListEntry {\n readonly id: string;\n readonly name: string;\n readonly provider: string;\n}\n\n// Re-exported for consumers that check the elicitation handler type.\nexport type { ElicitationHandler };\n","import { makeMemoryAdapter } from \"@executor-js/storage-core/testing/memory\";\n\nimport { makeInMemoryBlobStore } from \"./blob\";\nimport type { ExecutorConfig } from \"./executor\";\nimport { collectSchemas } from \"./executor\";\nimport { ScopeId } from \"./ids\";\nimport type { AnyPlugin } from \"./plugin\";\nimport { Scope } from \"./scope\";\n\n// ---------------------------------------------------------------------------\n// makeTestConfig — build an ExecutorConfig backed by in-memory adapter +\n// blob store. For unit tests, plugin authors validating their plugin,\n// REPL experimentation. 
No persistence.\n//\n// Defaults to a single-element scope stack (\"test-scope\") — tests that\n// need multi-scope behavior can pass `scopes` explicitly.\n// ---------------------------------------------------------------------------\n\nexport const makeTestConfig = <\n const TPlugins extends readonly AnyPlugin[] = [],\n>(options?: {\n readonly scopeName?: string;\n readonly scopes?: readonly Scope[];\n readonly plugins?: TPlugins;\n}): ExecutorConfig<TPlugins> => {\n const scopes =\n options?.scopes ?? [\n new Scope({\n id: ScopeId.make(\"test-scope\"),\n name: options?.scopeName ?? \"test\",\n createdAt: new Date(),\n }),\n ];\n\n const schema = collectSchemas(options?.plugins ?? []);\n\n return {\n scopes,\n adapter: makeMemoryAdapter({ schema }),\n blobs: makeInMemoryBlobStore(),\n plugins: options?.plugins,\n // Tests default to auto-accepting elicitation prompts. Override via\n // a wrapping spread if a test exercises a real handler:\n // { ...makeTestConfig(...), onElicitation: customHandler }\n onElicitation: \"accept-all\",\n };\n};\n","// ---------------------------------------------------------------------------\n// JSON Schema $ref hoisting and re-attachment\n//\n// Core logic for deduplicating shared definitions across tools.\n// Used by any ToolRegistry implementation (in-memory, database-backed, etc.)\n//\n// Only handles standard JSON Schema formats ($defs, definitions).\n// Plugin-specific formats (e.g. OpenAPI components/schemas) must be\n// normalized by the plugin before calling registerDefinitions/register.\n// ---------------------------------------------------------------------------\n\ntype Obj = Record<string, unknown>;\n\n/** Standard JSON Schema $ref patterns. */\nconst REF_PATTERN = /^#\\/(?:\\$defs|definitions)\\/(.+)$/;\n\n/** Extract the definition name from a standard $ref pointer. 
*/\nconst parseRefName = (ref: string): string | undefined => ref.match(REF_PATTERN)?.[1];\n\n/**\n * Recursively rewrite `#/definitions/<name>` pointers to `#/$defs/<name>`.\n * Returns the input unchanged if no rewrites are needed.\n */\nexport const normalizeRefs = (node: unknown): unknown => {\n if (node == null || typeof node !== \"object\") return node;\n if (Array.isArray(node)) {\n let changed = false;\n const out = node.map((item) => {\n const n = normalizeRefs(item);\n if (n !== item) changed = true;\n return n;\n });\n return changed ? out : node;\n }\n\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name) {\n const canonical = `#/$defs/${name}`;\n return canonical !== obj.$ref ? { ...obj, $ref: canonical } : obj;\n }\n return obj;\n }\n\n let changed = false;\n const result: Obj = {};\n for (const [k, v] of Object.entries(obj)) {\n const n = normalizeRefs(v);\n if (n !== v) changed = true;\n result[k] = n;\n }\n return changed ? 
result : obj;\n};\n\n/**\n * Extract `$defs` and `definitions` from a JSON Schema,\n * returning { stripped, defs } where `stripped` is the schema without local\n * definitions and `defs` is a flat map of definition name → schema.\n */\nexport const hoistDefinitions = (\n schema: unknown,\n): { stripped: unknown; defs: Record<string, unknown> } => {\n if (schema == null || typeof schema !== \"object\") {\n return { stripped: schema, defs: {} };\n }\n const obj = schema as Obj;\n const defs: Record<string, unknown> = {};\n\n if (obj.$defs && typeof obj.$defs === \"object\") {\n for (const [k, v] of Object.entries(obj.$defs as Obj)) {\n defs[k] = v;\n }\n }\n\n if (obj.definitions && typeof obj.definitions === \"object\") {\n for (const [k, v] of Object.entries(obj.definitions as Obj)) {\n defs[k] = v;\n }\n }\n\n const { $defs: _a, definitions: _b, ...rest } = obj;\n return { stripped: rest, defs };\n};\n\n/**\n * Walk a schema and collect all $ref target names transitively.\n * e.g. \"#/$defs/Address\" → \"Address\", and if Address references City, both.\n */\nexport const collectRefs = (\n node: unknown,\n defs: ReadonlyMap<string, unknown>,\n found: Set<string> = new Set(),\n): Set<string> => {\n if (node == null || typeof node !== \"object\") return found;\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name && !found.has(name)) {\n found.add(name);\n const def = defs.get(name);\n if (def) collectRefs(def, defs, found);\n }\n return found;\n }\n\n for (const v of Object.values(obj)) {\n if (v && typeof v === \"object\") {\n if (Array.isArray(v)) {\n for (const item of v) collectRefs(item, defs, found);\n } else {\n collectRefs(v, defs, found);\n }\n }\n }\n return found;\n};\n\n/**\n * Re-attach only the referenced shared definitions into a schema,\n * so the caller gets a self-contained, usable JSON Schema.\n *\n * Assumes all `$ref` pointers and definitions have already been normalized\n * to 
`#/$defs/<name>` form at registration time.\n */\nexport const reattachDefs = (schema: unknown, defs: ReadonlyMap<string, unknown>): unknown => {\n if (schema == null || typeof schema !== \"object\") return schema;\n const refs = collectRefs(schema, defs);\n if (refs.size === 0) return schema;\n\n const attached: Record<string, unknown> = {};\n for (const name of refs) {\n const def = defs.get(name);\n if (def) attached[name] = def;\n }\n\n return { ...(schema as Record<string, unknown>), $defs: attached };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,SAAS,SAAS,QAAQ,OAAO,QAAQ,MAAM,cAAc;AAC7D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAgBP,SAAS,oBAAoB;AAI7B,SAAS,cAAc,4BAA4B;;;AC5B5C,IAAM,2BAA2B;AAejC,IAAM,qBAAqB,CAChC,UAEA,OAAO,UAAU,YACjB,UAAU,QACT,MAA6B,SAAS;;;ACqDlC,IAAM,eAAe,CAA2B,WAAiB;AAydjE,SAAS,aAYd,eAoBA;AACA,SAAO,CAAC,YAAY;AAClB,UAAM;AAAA,MACJ,SAAS;AAAA,MACT,GAAG;AAAA,IACL,IAGI,WAAW,CAAC;AAEhB,UAAM,mBAAmB,OAAO,KAAK,IAAI,EAAE,SAAS;AACpD,UAAM,OAAO;AAAA,MACX,mBAAoB,OAAoB;AAAA,IAC1C;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH,SAAS,mBAAmB,KAAK;AAAA,IACnC;AAAA,EACF;AACF;;;AC/lBA,SAAS,yBAAyB;AAkB3B,IAAM,iBAAiB,CAE5B,YAI8B;AAC9B,QAAM,SACJ,SAAS,UAAU;AAAA,IACjB,IAAI,MAAM;AAAA,MACR,IAAI,QAAQ,KAAK,YAAY;AAAA,MAC7B,MAAM,SAAS,aAAa;AAAA,MAC5B,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH;AAEF,QAAM,SAAS,eAAe,SAAS,WAAW,CAAC,CAAC;AAEpD,SAAO;AAAA,IACL;AAAA,IACA,SAAS,kBAAkB,EAAE,OAAO,CAAC;AAAA,IACrC,OAAO,sBAAsB;AAAA,IAC7B,SAAS,SAAS;AAAA;AAAA;AAAA;AAAA,IAIlB,eAAe;AAAA,EACjB;AACF;;;AChCA,IAAM,cAAc;AAGpB,IAAM,eAAe,CAAC,QAAoC,IAAI,MAAM,WAAW,IAAI,CAAC;AAM7E,IAAM,gBAAgB,CAAC,SAA2B;AACvD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,MAAI,MAAM,QAAQ,IAAI,GAAG;AACvB,QAAIA,WAAU;AACd,UAAM,MAAM,KAAK,IAAI,CAAC,SAAS;AAC7B,YAAM,IAAI,cAAc,IAAI;AAC5B,UAAI,MAAM,KAAM,CAAAA,WAAU;AAC1B,aAAO;AAAA,IACT,CAAC;AACD,WAAOA,WAAU,MAAM;AAAA,EACzB;AAEA,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI
;AAClC,QAAI,MAAM;AACR,YAAM,YAAY,WAAW,IAAI;AACjC,aAAO,cAAc,IAAI,OAAO,EAAE,GAAG,KAAK,MAAM,UAAU,IAAI;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,MAAI,UAAU;AACd,QAAM,SAAc,CAAC;AACrB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AACxC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,MAAM,EAAG,WAAU;AACvB,WAAO,CAAC,IAAI;AAAA,EACd;AACA,SAAO,UAAU,SAAS;AAC5B;AAOO,IAAM,mBAAmB,CAC9B,WACyD;AACzD,MAAI,UAAU,QAAQ,OAAO,WAAW,UAAU;AAChD,WAAO,EAAE,UAAU,QAAQ,MAAM,CAAC,EAAE;AAAA,EACtC;AACA,QAAM,MAAM;AACZ,QAAM,OAAgC,CAAC;AAEvC,MAAI,IAAI,SAAS,OAAO,IAAI,UAAU,UAAU;AAC9C,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,KAAY,GAAG;AACrD,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,MAAI,IAAI,eAAe,OAAO,IAAI,gBAAgB,UAAU;AAC1D,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,WAAkB,GAAG;AAC3D,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,EAAE,OAAO,IAAI,aAAa,IAAI,GAAG,KAAK,IAAI;AAChD,SAAO,EAAE,UAAU,MAAM,KAAK;AAChC;AAMO,IAAM,cAAc,CACzB,MACA,MACA,QAAqB,oBAAI,IAAI,MACb;AAChB,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,QAAQ,CAAC,MAAM,IAAI,IAAI,GAAG;AAC5B,YAAM,IAAI,IAAI;AACd,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,IAAK,aAAY,KAAK,MAAM,KAAK;AAAA,IACvC;AACA,WAAO;AAAA,EACT;AAEA,aAAW,KAAK,OAAO,OAAO,GAAG,GAAG;AAClC,QAAI,KAAK,OAAO,MAAM,UAAU;AAC9B,UAAI,MAAM,QAAQ,CAAC,GAAG;AACpB,mBAAW,QAAQ,EAAG,aAAY,MAAM,MAAM,KAAK;AAAA,MACrD,OAAO;AACL,oBAAY,GAAG,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AASO,IAAM,eAAe,CAAC,QAAiB,SAAgD;AAC5F,MAAI,UAAU,QAAQ,OAAO,WAAW,SAAU,QAAO;AACzD,QAAM,OAAO,YAAY,QAAQ,IAAI;AACrC,MAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAM,WAAoC,CAAC;AAC3C,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,QAAI,IAAK,UAAS,IAAI,IAAI;AAAA,EAC5B;AAEA,SAAO,EAAE,GAAI,QAAoC,OAAO,SAAS;AACnE;","names":["changed"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/oauth-popup-types.ts","../src/schema-refs.ts","../src/api-errors.ts"],"sourcesContent":["// ---------------------------------------------------------------------------\n// @executor-js/sdk — public surface\n// ---------------------------------------------------------------------------\n\n// Re-export the Effect/Schema/HttpApi primitives plugin authors need so a\n// plugin can be written importing only from `@executor-js/sdk`. Authors who\n// want to reach for additional Effect APIs keep importing from `effect/*`\n// directly — these re-exports are the curated minimum.\nexport { Context, Effect, Layer, Schema, Data, Option } from \"effect\";\nexport {\n HttpApi,\n HttpApiBuilder,\n HttpApiClient,\n HttpApiEndpoint,\n HttpApiGroup,\n HttpApiMiddleware,\n HttpApiSchema,\n} from \"effect/unstable/httpapi\";\n\n// Storage adapter interface types (re-exported from @executor-js/storage-core\n// so plugin authors can write adapters against a single public surface\n// without depending on storage-core directly).\nexport type {\n DBAdapter,\n DBSchema,\n DBFieldAttribute,\n DBFieldType,\n StorageFailure,\n TypedAdapter,\n Where,\n WhereOperator,\n} from \"@executor-js/storage-core\";\n\nexport { typedAdapter } from \"@executor-js/storage-core\";\n\n// Storage-layer typed errors (re-exported so plugin code can catchTag\n// `UniqueViolationError` without importing storage-core directly).\nexport { StorageError, UniqueViolationError } from \"@executor-js/storage-core\";\n\n// IDs (branded)\nexport { ScopeId, ToolId, SecretId, PolicyId, ConnectionId, CredentialBindingId } from \"./ids\";\n\n// Scope\nexport { Scope } from \"./scope\";\n\n// Errors (tagged)\nexport {\n ToolNotFoundError,\n ToolInvocationError,\n ToolBlockedError,\n NoHandlerError,\n SourceNotFoundError,\n SourceRemovalNotAllowedError,\n PluginNotLoadedError,\n SecretNotFoundError,\n SecretResolutionError,\n SecretOwnedByConnectionError,\n SecretInUseError,\n 
ConnectionNotFoundError,\n ConnectionProviderNotRegisteredError,\n ConnectionRefreshNotSupportedError,\n ConnectionReauthRequiredError,\n ConnectionInUseError,\n type ExecutorError,\n} from \"./errors\";\n\n// Public projections\nexport {\n ToolSchema,\n SourceDetectionResult,\n type RefreshSourceInput,\n type RemoveSourceInput,\n type Source,\n type Tool,\n type ToolListFilter,\n} from \"./types\";\n\n// Core schema\nexport {\n coreSchema,\n isToolPolicyAction,\n TOOL_POLICY_ACTIONS,\n type CoreSchema,\n type SourceInput,\n type SourceInputTool,\n type SourceRow,\n type ToolRow,\n type DefinitionRow,\n type SecretRow,\n type ConnectionRow,\n type CredentialBindingRow,\n type ToolPolicyRow,\n type ToolPolicyAction,\n type DefinitionsInput,\n type ToolAnnotations,\n} from \"./core-schema\";\n\n// Tool policies\nexport {\n matchPattern,\n isValidPattern,\n resolveToolPolicy,\n resolveEffectivePolicy,\n effectivePolicyFromSorted,\n rowToToolPolicy,\n ToolPolicyActionSchema,\n type ToolPolicy,\n type CreateToolPolicyInput,\n type UpdateToolPolicyInput,\n type RemoveToolPolicyInput,\n type PolicyMatch,\n type EffectivePolicy,\n type PolicySource,\n} from \"./policies\";\n\n// Secrets\nexport { SecretRef, SetSecretInput, RemoveSecretInput, type SecretProvider } from \"./secrets\";\n\nexport {\n SecretBackedMap,\n SecretBackedValue,\n isSecretBackedRef,\n resolveSecretBackedMap,\n type ResolveSecretBackedMapOptions,\n} from \"./secret-backed-value\";\n\nexport {\n CredentialBindingKind,\n CredentialBindingValue,\n ConfiguredCredentialBinding,\n ConfiguredCredentialValue,\n ConfiguredCredentialValueSchema,\n ScopedSecretCredentialInput,\n CredentialBindingRef,\n SetCredentialBindingInput,\n CredentialBindingSourceInput,\n CredentialBindingSlotInput,\n RemoveCredentialBindingInput,\n ReplaceCredentialBindingValue,\n ReplaceCredentialBindingsInput,\n CredentialBindingResolutionStatus,\n ResolvedCredentialSlot,\n credentialBindingId,\n credentialSlotKey,\n 
credentialSlotPart,\n credentialBindingRowToRef,\n credentialBindingValueFromRow,\n type CredentialBindingsFacade,\n} from \"./credential-bindings\";\n\n// Usage tracking — secret/connection refs across plugins\nexport { Usage, type UsagesForSecretInput, type UsagesForConnectionInput } from \"./usages\";\n\n// Connections\nexport {\n ConnectionRef,\n ConnectionProviderState,\n CreateConnectionInput,\n RemoveConnectionInput,\n UpdateConnectionTokensInput,\n TokenMaterial,\n ConnectionRefreshError,\n type ConnectionProvider,\n type ConnectionRefreshInput,\n type ConnectionRefreshResult,\n} from \"./connections\";\n\n// Elicitation\nexport {\n FormElicitation,\n UrlElicitation,\n ElicitationAction,\n ElicitationResponse,\n ElicitationDeclinedError,\n type ElicitationRequest,\n type ElicitationHandler,\n type ElicitationContext,\n} from \"./elicitation\";\n\n// Blob store\nexport {\n type BlobStore,\n type PluginBlobStore,\n pluginBlobStore,\n makeInMemoryBlobStore,\n} from \"./blob\";\n\n// OAuth 2.1\nexport {\n type OAuthService,\n type OAuthStrategy,\n type OAuthDynamicDcrStrategy,\n type OAuthAuthorizationCodeStrategy,\n type OAuthClientCredentialsStrategy,\n type OAuthProviderState,\n type OAuthProbeInput,\n type OAuthProbeResult,\n type OAuthStartInput,\n type OAuthStartResult,\n type OAuthCompleteInput,\n type OAuthCompleteResult,\n OAuthProbeError,\n OAuthStartError,\n OAuthCompleteError,\n OAuthSessionNotFoundError,\n OAUTH2_PROVIDER_KEY,\n OAUTH2_SESSION_TTL_MS,\n OAuthStrategy as OAuthStrategySchema,\n OAuthProviderState as OAuthProviderStateSchema,\n OAuthDynamicDcrStrategy as OAuthDynamicDcrStrategySchema,\n OAuthAuthorizationCodeStrategy as OAuthAuthorizationCodeStrategySchema,\n OAuthClientCredentialsStrategy as OAuthClientCredentialsStrategySchema,\n} from \"./oauth\";\n\nexport {\n OAuth2Error,\n OAUTH2_DEFAULT_TIMEOUT_MS,\n OAUTH2_REFRESH_SKEW_MS,\n assertSupportedOAuthEndpointUrl,\n buildAuthorizationUrl,\n createPkceCodeChallenge,\n 
createPkceCodeVerifier,\n exchangeAuthorizationCode,\n exchangeClientCredentials,\n isSupportedOAuthEndpointUrl,\n refreshAccessToken,\n shouldRefreshToken,\n type OAuth2TokenResponse,\n type BuildAuthorizationUrlInput,\n type ClientAuthMethod,\n type ExchangeAuthorizationCodeInput,\n type ExchangeClientCredentialsInput,\n type RefreshAccessTokenInput,\n} from \"./oauth-helpers\";\n\nexport { makeOAuth2Service, type OAuthServiceDeps } from \"./oauth-service\";\nexport type { ScopedDBAdapter, ScopedTypedAdapter } from \"./scoped-adapter\";\n\nexport {\n HostedOutboundRequestBlocked,\n makeHostedHttpClientLayer,\n validateHostedOutboundUrl,\n type HostedHttpClientOptions,\n} from \"./hosted-http-client\";\n\nexport {\n OAuthDiscoveryError,\n OAuthAuthorizationServerMetadataSchema,\n OAuthClientInformationSchema,\n OAuthProtectedResourceMetadataSchema,\n beginDynamicAuthorization,\n discoverAuthorizationServerMetadata,\n discoverProtectedResourceMetadata,\n registerDynamicClient,\n type BeginDynamicAuthorizationInput,\n type DiscoveryRequestOptions,\n type DynamicAuthorizationState,\n type DynamicAuthorizationStartResult,\n type DynamicClientMetadata,\n type OAuthAuthorizationServerMetadata,\n type OAuthClientInformation,\n type OAuthProtectedResourceMetadata,\n type RegisterDynamicClientInput,\n} from \"./oauth-discovery\";\n\nexport {\n OAUTH_POPUP_MESSAGE_TYPE,\n type OAuthPopupResult,\n isOAuthPopupResult,\n} from \"./oauth-popup-types\";\n\n// Plugin definition\nexport {\n type Plugin,\n type PluginSpec,\n type PluginCtx,\n type PluginExtensions,\n type ConfiguredPlugin,\n type AnyPlugin,\n type StorageDeps,\n type StaticSourceDecl,\n type StaticToolDecl,\n type StaticToolExecuteContext,\n type StaticToolHandlerInput,\n type StaticToolInput,\n type InvokeToolInput,\n type SourceLifecycleInput,\n type SecretListEntry,\n type Elicit,\n definePlugin,\n defineSchema,\n tool,\n} from \"./plugin\";\n\n// Executor\nexport {\n type Executor,\n type ExecutorConfig,\n type 
OnElicitation,\n type InvokeOptions,\n createExecutor,\n collectSchemas,\n} from \"./executor\";\n\n// CLI / runtime config\nexport {\n defineExecutorConfig,\n type ExecutorCliConfig,\n type ExecutorDialect,\n type ExecutorPluginsFactory,\n} from \"./config\";\n\n// Test helper\nexport { makeTestConfig } from \"./test-config\";\n\n// JSON schema $ref helpers (used by openapi for $defs handling)\nexport { hoistDefinitions, collectRefs, reattachDefs, normalizeRefs } from \"./schema-refs\";\n\n// TypeScript preview generation from JSON schemas\nexport {\n schemaToTypeScriptPreview,\n schemaToTypeScriptPreviewWithDefs,\n buildToolTypeScriptPreview,\n type TypeScriptRenderOptions,\n type TypeScriptSchemaPreview,\n} from \"./schema-types\";\n\n// Wire-level HTTP error schemas usable by plugin HttpApiGroup definitions.\nexport { InternalError } from \"./api-errors\";\n","// ---------------------------------------------------------------------------\n// OAuth popup result — the message shape exchanged between the popup window\n// (opened during authorization) and the opener (the onboarding UI). Both the\n// server-side HTML generator and the client-side popup opener agree on this\n// shape so that success / failure can be communicated reliably via both\n// `postMessage` and `BroadcastChannel`.\n// ---------------------------------------------------------------------------\n\n/** Message type literal used to identify our popup results. 
*/\nexport const OAUTH_POPUP_MESSAGE_TYPE = \"executor:oauth-result\" as const;\n\nexport type OAuthPopupResult<TAuth> =\n | ({\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: true;\n readonly sessionId: string;\n } & TAuth)\n | {\n readonly type: typeof OAUTH_POPUP_MESSAGE_TYPE;\n readonly ok: false;\n readonly sessionId: string | null;\n readonly error: string;\n };\n\nexport const isOAuthPopupResult = <TAuth>(value: unknown): value is OAuthPopupResult<TAuth> =>\n typeof value === \"object\" &&\n value !== null &&\n (value as { type?: unknown }).type === OAUTH_POPUP_MESSAGE_TYPE;\n","// ---------------------------------------------------------------------------\n// JSON Schema $ref hoisting and re-attachment\n//\n// Core logic for deduplicating shared definitions across tools.\n// Used by any ToolRegistry implementation (in-memory, database-backed, etc.)\n//\n// Only handles standard JSON Schema formats ($defs, definitions).\n// Plugin-specific formats (e.g. OpenAPI components/schemas) must be\n// normalized by the plugin before calling registerDefinitions/register.\n// ---------------------------------------------------------------------------\n\ntype Obj = Record<string, unknown>;\n\n/** Standard JSON Schema $ref patterns. */\nconst REF_PATTERN = /^#\\/(?:\\$defs|definitions)\\/(.+)$/;\n\n/** Extract the definition name from a standard $ref pointer. */\nconst parseRefName = (ref: string): string | undefined => ref.match(REF_PATTERN)?.[1];\n\n/**\n * Recursively rewrite `#/definitions/<name>` pointers to `#/$defs/<name>`.\n * Returns the input unchanged if no rewrites are needed.\n */\nexport const normalizeRefs = (node: unknown): unknown => {\n if (node == null || typeof node !== \"object\") return node;\n if (Array.isArray(node)) {\n let changed = false;\n const out = node.map((item) => {\n const n = normalizeRefs(item);\n if (n !== item) changed = true;\n return n;\n });\n return changed ? 
out : node;\n }\n\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name) {\n const canonical = `#/$defs/${name}`;\n return canonical !== obj.$ref ? { ...obj, $ref: canonical } : obj;\n }\n return obj;\n }\n\n let changed = false;\n const result: Obj = {};\n for (const [k, v] of Object.entries(obj)) {\n const n = normalizeRefs(v);\n if (n !== v) changed = true;\n result[k] = n;\n }\n return changed ? result : obj;\n};\n\n/**\n * Extract `$defs` and `definitions` from a JSON Schema,\n * returning { stripped, defs } where `stripped` is the schema without local\n * definitions and `defs` is a flat map of definition name → schema.\n */\nexport const hoistDefinitions = (\n schema: unknown,\n): { stripped: unknown; defs: Record<string, unknown> } => {\n if (schema == null || typeof schema !== \"object\") {\n return { stripped: schema, defs: {} };\n }\n const obj = schema as Obj;\n const defs: Record<string, unknown> = {};\n\n if (obj.$defs && typeof obj.$defs === \"object\") {\n for (const [k, v] of Object.entries(obj.$defs as Obj)) {\n defs[k] = v;\n }\n }\n\n if (obj.definitions && typeof obj.definitions === \"object\") {\n for (const [k, v] of Object.entries(obj.definitions as Obj)) {\n defs[k] = v;\n }\n }\n\n const { $defs: _a, definitions: _b, ...rest } = obj;\n return { stripped: rest, defs };\n};\n\n/**\n * Walk a schema and collect all $ref target names transitively.\n * e.g. 
\"#/$defs/Address\" → \"Address\", and if Address references City, both.\n */\nexport const collectRefs = (\n node: unknown,\n defs: ReadonlyMap<string, unknown>,\n found: Set<string> = new Set(),\n): Set<string> => {\n if (node == null || typeof node !== \"object\") return found;\n const obj = node as Obj;\n\n if (typeof obj.$ref === \"string\") {\n const name = parseRefName(obj.$ref);\n if (name && !found.has(name)) {\n found.add(name);\n const def = defs.get(name);\n if (def) collectRefs(def, defs, found);\n }\n return found;\n }\n\n for (const v of Object.values(obj)) {\n if (v && typeof v === \"object\") {\n if (Array.isArray(v)) {\n for (const item of v) collectRefs(item, defs, found);\n } else {\n collectRefs(v, defs, found);\n }\n }\n }\n return found;\n};\n\n/**\n * Re-attach only the referenced shared definitions into a schema,\n * so the caller gets a self-contained, usable JSON Schema.\n *\n * Assumes all `$ref` pointers and definitions have already been normalized\n * to `#/$defs/<name>` form at registration time.\n */\nexport const reattachDefs = (schema: unknown, defs: ReadonlyMap<string, unknown>): unknown => {\n if (schema == null || typeof schema !== \"object\") return schema;\n const refs = collectRefs(schema, defs);\n if (refs.size === 0) return schema;\n\n const attached: Record<string, unknown> = {};\n for (const name of refs) {\n const def = defs.get(name);\n if (def) attached[name] = def;\n }\n\n return { ...(schema as Record<string, unknown>), $defs: attached };\n};\n","// ---------------------------------------------------------------------------\n// Wire-level HTTP errors. Lives in the SDK so plugin `HttpApiGroup`\n// definitions (which sit on the SDK side of the dependency graph and\n// must stay publishable) can declare them without dragging in the\n// server-only `@executor-js/api` package. 
The HTTP edge in\n// `@executor-js/api` re-exports these and pairs them with the\n// translation/capture helpers used by handlers.\n// ---------------------------------------------------------------------------\n\nimport { Schema } from \"effect\";\n\n/** Public 500 surface. Opaque by schema — only `traceId` crosses the wire. */\nexport class InternalError extends Schema.TaggedErrorClass<InternalError>()(\n \"InternalError\",\n {\n /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */\n traceId: Schema.String,\n },\n { httpApiStatus: 500 },\n) {}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,SAAS,SAAS,QAAQ,OAAO,UAAAA,SAAQ,MAAM,cAAc;AAC7D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAgBP,SAAS,oBAAoB;AAI7B,SAAS,cAAc,4BAA4B;;;AC5B5C,IAAM,2BAA2B;AAejC,IAAM,qBAAqB,CAAQ,UACxC,OAAO,UAAU,YACjB,UAAU,QACT,MAA6B,SAAS;;;ACbzC,IAAM,cAAc;AAGpB,IAAM,eAAe,CAAC,QAAoC,IAAI,MAAM,WAAW,IAAI,CAAC;AAM7E,IAAM,gBAAgB,CAAC,SAA2B;AACvD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,MAAI,MAAM,QAAQ,IAAI,GAAG;AACvB,QAAIC,WAAU;AACd,UAAM,MAAM,KAAK,IAAI,CAAC,SAAS;AAC7B,YAAM,IAAI,cAAc,IAAI;AAC5B,UAAI,MAAM,KAAM,CAAAA,WAAU;AAC1B,aAAO;AAAA,IACT,CAAC;AACD,WAAOA,WAAU,MAAM;AAAA,EACzB;AAEA,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,MAAM;AACR,YAAM,YAAY,WAAW,IAAI;AACjC,aAAO,cAAc,IAAI,OAAO,EAAE,GAAG,KAAK,MAAM,UAAU,IAAI;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAEA,MAAI,UAAU;AACd,QAAM,SAAc,CAAC;AACrB,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AACxC,UAAM,IAAI,cAAc,CAAC;AACzB,QAAI,MAAM,EAAG,WAAU;AACvB,WAAO,CAAC,IAAI;AAAA,EACd;AACA,SAAO,UAAU,SAAS;AAC5B;AAOO,IAAM,mBAAmB,CAC9B,WACyD;AACzD,MAAI,UAAU,QAAQ,OAAO,WAAW,UAAU;AAChD,WAAO,EAAE,UAAU,QAAQ,MAAM,CAAC,EAAE;AAAA,EACtC;AACA,QAAM,MAAM;AACZ,QAAM,OAAgC,CAAC;AAEvC,MAAI,IAAI,SAAS,OAAO,IAAI,UAAU,UAAU;AAC9C,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,KAAY,GAAG;AACrD,WAAK,CAAC,IAAI;AAA
A,IACZ;AAAA,EACF;AAEA,MAAI,IAAI,eAAe,OAAO,IAAI,gBAAgB,UAAU;AAC1D,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAAI,WAAkB,GAAG;AAC3D,WAAK,CAAC,IAAI;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,EAAE,OAAO,IAAI,aAAa,IAAI,GAAG,KAAK,IAAI;AAChD,SAAO,EAAE,UAAU,MAAM,KAAK;AAChC;AAMO,IAAM,cAAc,CACzB,MACA,MACA,QAAqB,oBAAI,IAAI,MACb;AAChB,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,SAAS,UAAU;AAChC,UAAM,OAAO,aAAa,IAAI,IAAI;AAClC,QAAI,QAAQ,CAAC,MAAM,IAAI,IAAI,GAAG;AAC5B,YAAM,IAAI,IAAI;AACd,YAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAI,IAAK,aAAY,KAAK,MAAM,KAAK;AAAA,IACvC;AACA,WAAO;AAAA,EACT;AAEA,aAAW,KAAK,OAAO,OAAO,GAAG,GAAG;AAClC,QAAI,KAAK,OAAO,MAAM,UAAU;AAC9B,UAAI,MAAM,QAAQ,CAAC,GAAG;AACpB,mBAAW,QAAQ,EAAG,aAAY,MAAM,MAAM,KAAK;AAAA,MACrD,OAAO;AACL,oBAAY,GAAG,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AASO,IAAM,eAAe,CAAC,QAAiB,SAAgD;AAC5F,MAAI,UAAU,QAAQ,OAAO,WAAW,SAAU,QAAO;AACzD,QAAM,OAAO,YAAY,QAAQ,IAAI;AACrC,MAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAM,WAAoC,CAAC;AAC3C,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,QAAI,IAAK,UAAS,IAAI,IAAI;AAAA,EAC5B;AAEA,SAAO,EAAE,GAAI,QAAoC,OAAO,SAAS;AACnE;;;AClIA,SAAS,cAAc;AAGhB,IAAM,gBAAN,cAA4B,OAAO,iBAAgC;AAAA,EACxE;AAAA,EACA;AAAA;AAAA,IAEE,SAAS,OAAO;AAAA,EAClB;AAAA,EACA,EAAE,eAAe,IAAI;AACvB,EAAE;AAAC;","names":["Schema","changed"]}
@@ -0,0 +1,173 @@
1
+ import { Effect, Schema } from "effect";
2
+ import type { StorageFailure } from "@executor-js/storage-core";
3
+ import { type CredentialBindingRow } from "./core-schema";
4
+ import { CredentialBindingId } from "./ids";
5
+ import type { Usage } from "./usages";
6
+ export declare const CredentialBindingKind: Schema.Literals<["text", "secret", "connection"]>;
7
+ export type CredentialBindingKind = typeof CredentialBindingKind.Type;
8
+ export declare const CredentialBindingValue: Schema.Union<readonly [Schema.Struct<{
9
+ readonly kind: Schema.Literal<"text">;
10
+ readonly text: Schema.String;
11
+ }>, Schema.Struct<{
12
+ readonly kind: Schema.Literal<"secret">;
13
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
14
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
15
+ }>, Schema.Struct<{
16
+ readonly kind: Schema.Literal<"connection">;
17
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
18
+ }>]>;
19
+ export type CredentialBindingValue = typeof CredentialBindingValue.Type;
20
+ export declare const ConfiguredCredentialBindingSchema: Schema.Struct<{
21
+ readonly kind: Schema.Literal<"binding">;
22
+ readonly slot: Schema.String;
23
+ readonly prefix: Schema.optional<Schema.String>;
24
+ }>;
25
+ declare const ConfiguredCredentialBinding_base: Schema.Class<ConfiguredCredentialBinding, Schema.Struct<{
26
+ readonly kind: Schema.Literal<"binding">;
27
+ readonly slot: Schema.String;
28
+ readonly prefix: Schema.optional<Schema.String>;
29
+ }>, {}>;
30
+ export declare class ConfiguredCredentialBinding extends ConfiguredCredentialBinding_base {
31
+ }
32
+ export declare const ConfiguredCredentialValue: Schema.Union<readonly [Schema.String, typeof ConfiguredCredentialBinding]>;
33
+ export type ConfiguredCredentialValue = typeof ConfiguredCredentialValue.Type;
34
+ export declare const ConfiguredCredentialValueSchema: Schema.Union<readonly [Schema.String, Schema.Struct<{
35
+ readonly kind: Schema.Literal<"binding">;
36
+ readonly slot: Schema.String;
37
+ readonly prefix: Schema.optional<Schema.String>;
38
+ }>]>;
39
+ export declare const ScopedSecretCredentialInput: Schema.Struct<{
40
+ readonly secretId: Schema.String;
41
+ readonly prefix: Schema.optional<Schema.String>;
42
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
43
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
44
+ }>;
45
+ export type ScopedSecretCredentialInput = typeof ScopedSecretCredentialInput.Type;
46
+ declare const CredentialBindingRef_base: Schema.Class<CredentialBindingRef, Schema.Struct<{
47
+ readonly id: Schema.brand<Schema.String, "CredentialBindingId">;
48
+ readonly scopeId: Schema.brand<Schema.String, "ScopeId">;
49
+ readonly pluginId: Schema.String;
50
+ readonly sourceId: Schema.String;
51
+ readonly sourceScopeId: Schema.brand<Schema.String, "ScopeId">;
52
+ readonly slotKey: Schema.String;
53
+ readonly value: Schema.Union<readonly [Schema.Struct<{
54
+ readonly kind: Schema.Literal<"text">;
55
+ readonly text: Schema.String;
56
+ }>, Schema.Struct<{
57
+ readonly kind: Schema.Literal<"secret">;
58
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
59
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
60
+ }>, Schema.Struct<{
61
+ readonly kind: Schema.Literal<"connection">;
62
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
63
+ }>]>;
64
+ readonly createdAt: Schema.Date;
65
+ readonly updatedAt: Schema.Date;
66
+ }>, {}>;
67
+ export declare class CredentialBindingRef extends CredentialBindingRef_base {
68
+ }
69
+ declare const SetCredentialBindingInput_base: Schema.Class<SetCredentialBindingInput, Schema.Struct<{
70
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
71
+ readonly pluginId: Schema.String;
72
+ readonly sourceId: Schema.String;
73
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
74
+ readonly slotKey: Schema.String;
75
+ readonly value: Schema.Union<readonly [Schema.Struct<{
76
+ readonly kind: Schema.Literal<"text">;
77
+ readonly text: Schema.String;
78
+ }>, Schema.Struct<{
79
+ readonly kind: Schema.Literal<"secret">;
80
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
81
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
82
+ }>, Schema.Struct<{
83
+ readonly kind: Schema.Literal<"connection">;
84
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
85
+ }>]>;
86
+ }>, {}>;
87
+ export declare class SetCredentialBindingInput extends SetCredentialBindingInput_base {
88
+ }
89
+ declare const CredentialBindingSourceInput_base: Schema.Class<CredentialBindingSourceInput, Schema.Struct<{
90
+ readonly pluginId: Schema.String;
91
+ readonly sourceId: Schema.String;
92
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
93
+ }>, {}>;
94
+ export declare class CredentialBindingSourceInput extends CredentialBindingSourceInput_base {
95
+ }
96
+ declare const CredentialBindingSlotInput_base: Schema.Class<CredentialBindingSlotInput, Schema.Struct<{
97
+ readonly pluginId: Schema.String;
98
+ readonly sourceId: Schema.String;
99
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
100
+ readonly slotKey: Schema.String;
101
+ }>, {}>;
102
+ export declare class CredentialBindingSlotInput extends CredentialBindingSlotInput_base {
103
+ }
104
+ declare const RemoveCredentialBindingInput_base: Schema.Class<RemoveCredentialBindingInput, Schema.Struct<{
105
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
106
+ readonly pluginId: Schema.String;
107
+ readonly sourceId: Schema.String;
108
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
109
+ readonly slotKey: Schema.String;
110
+ }>, {}>;
111
+ export declare class RemoveCredentialBindingInput extends RemoveCredentialBindingInput_base {
112
+ }
113
+ declare const ReplaceCredentialBindingValue_base: Schema.Class<ReplaceCredentialBindingValue, Schema.Struct<{
114
+ readonly slotKey: Schema.String;
115
+ readonly value: Schema.Union<readonly [Schema.Struct<{
116
+ readonly kind: Schema.Literal<"text">;
117
+ readonly text: Schema.String;
118
+ }>, Schema.Struct<{
119
+ readonly kind: Schema.Literal<"secret">;
120
+ readonly secretId: Schema.brand<Schema.String, "SecretId">;
121
+ readonly secretScopeId: Schema.optional<Schema.brand<Schema.String, "ScopeId">>;
122
+ }>, Schema.Struct<{
123
+ readonly kind: Schema.Literal<"connection">;
124
+ readonly connectionId: Schema.brand<Schema.String, "ConnectionId">;
125
+ }>]>;
126
+ }>, {}>;
127
+ export declare class ReplaceCredentialBindingValue extends ReplaceCredentialBindingValue_base {
128
+ }
129
+ declare const ReplaceCredentialBindingsInput_base: Schema.Class<ReplaceCredentialBindingsInput, Schema.Struct<{
130
+ readonly targetScope: Schema.brand<Schema.String, "ScopeId">;
131
+ readonly pluginId: Schema.String;
132
+ readonly sourceId: Schema.String;
133
+ readonly sourceScope: Schema.brand<Schema.String, "ScopeId">;
134
+ readonly slotPrefixes: Schema.$Array<Schema.String>;
135
+ readonly bindings: Schema.$Array<typeof ReplaceCredentialBindingValue>;
136
+ }>, {}>;
137
+ export declare class ReplaceCredentialBindingsInput extends ReplaceCredentialBindingsInput_base {
138
+ }
139
+ export declare const CredentialBindingResolutionStatus: Schema.Literals<readonly ["resolved", "missing", "blocked"]>;
140
+ export type CredentialBindingResolutionStatus = typeof CredentialBindingResolutionStatus.Type;
141
+ declare const ResolvedCredentialSlot_base: Schema.Class<ResolvedCredentialSlot, Schema.Struct<{
142
+ readonly pluginId: Schema.String;
143
+ readonly sourceId: Schema.String;
144
+ readonly sourceScopeId: Schema.brand<Schema.String, "ScopeId">;
145
+ readonly slotKey: Schema.String;
146
+ readonly bindingScopeId: Schema.NullOr<Schema.brand<Schema.String, "ScopeId">>;
147
+ readonly kind: Schema.NullOr<Schema.Literals<["text", "secret", "connection"]>>;
148
+ readonly status: Schema.Literals<readonly ["resolved", "missing", "blocked"]>;
149
+ }>, {}>;
150
+ export declare class ResolvedCredentialSlot extends ResolvedCredentialSlot_base {
151
+ }
152
+ export interface CredentialBindingsFacade {
153
+ readonly listForSource: (input: CredentialBindingSourceInput) => Effect.Effect<readonly CredentialBindingRef[], StorageFailure>;
154
+ readonly resolve: (input: CredentialBindingSlotInput) => Effect.Effect<ResolvedCredentialSlot, StorageFailure>;
155
+ readonly set: (input: SetCredentialBindingInput) => Effect.Effect<CredentialBindingRef, StorageFailure>;
156
+ readonly remove: (input: RemoveCredentialBindingInput) => Effect.Effect<void, StorageFailure>;
157
+ readonly replaceForSource: (input: ReplaceCredentialBindingsInput) => Effect.Effect<readonly CredentialBindingRef[], StorageFailure>;
158
+ readonly removeForSource: (input: CredentialBindingSourceInput) => Effect.Effect<void, StorageFailure>;
159
+ readonly usagesForSecret: (id: string) => Effect.Effect<readonly Usage[], StorageFailure>;
160
+ readonly usagesForConnection: (id: string) => Effect.Effect<readonly Usage[], StorageFailure>;
161
+ }
162
+ export declare const credentialBindingId: (input: {
163
+ readonly pluginId: string;
164
+ readonly sourceId: string;
165
+ readonly sourceScope: string;
166
+ readonly slotKey: string;
167
+ }) => CredentialBindingId;
168
+ export declare const credentialSlotPart: (value: string) => string;
169
+ export declare const credentialSlotKey: (prefix: string, name: string) => string;
170
+ export declare const credentialBindingValueFromRow: (row: CredentialBindingRow) => CredentialBindingValue;
171
+ export declare const credentialBindingRowToRef: (row: CredentialBindingRow) => CredentialBindingRef;
172
+ export {};
173
+ //# sourceMappingURL=credential-bindings.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-bindings.d.ts","sourceRoot":"","sources":["../src/credential-bindings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAS,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEhE,OAAO,EAA0B,KAAK,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAClF,OAAO,EAAgB,mBAAmB,EAAqB,MAAM,OAAO,CAAC;AAC7E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAEtC,eAAO,MAAM,qBAAqB,mDAA0C,CAAC;AAC7E,MAAM,MAAM,qBAAqB,GAAG,OAAO,qBAAqB,CAAC,IAAI,CAAC;AAEtE,eAAO,MAAM,sBAAsB;;;;;;;;;;IAcjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,OAAO,sBAAsB,CAAC,IAAI,CAAC;AAExE,eAAO,MAAM,iCAAiC;;;;EAI5C,CAAC;;;;;;AAEH,qBAAa,2BAA4B,SAAQ,gCAEN;CAAG;AAE9C,eAAO,MAAM,yBAAyB,4EAA6D,CAAC;AACpG,MAAM,MAAM,yBAAyB,GAAG,OAAO,yBAAyB,CAAC,IAAI,CAAC;AAE9E,eAAO,MAAM,+BAA+B;;;;IAG1C,CAAC;AAEH,eAAO,MAAM,2BAA2B;;;;;EAKtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,OAAO,2BAA2B,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;AAElF,qBAAa,oBAAqB,SAAQ,yBAYxC;CAAG;;;;;;;;;;;;;;;;;;;AAEL,qBAAa,yBAA0B,SAAQ,8BAS7C;CAAG;;;;;;AAEL,qBAAa,4BAA6B,SAAQ,iCAMhD;CAAG;;;;;;;AAEL,qBAAa,0BAA2B,SAAQ,+BAO9C;CAAG;;;;;;;;AAEL,qBAAa,4BAA6B,SAAQ,iCAQhD;CAAG;;;;;;;;;;;;;;;AAEL,qBAAa,6BAA8B,SAAQ,kCAKjD;CAAG;;;;;;;;;AAEL,qBAAa,8BAA+B,SAAQ,mCASlD;CAAG;AAEL,eAAO,MAAM,iCAAiC,8DAI5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,OAAO,iCAAiC,CAAC,IAAI,CAAC;;;;;;;;;;AAE9F,qBAAa,sBAAuB,SAAQ,2BAU1C;CAAG;AAEL,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,aAAa,EAAE,CACtB,KAAK,EAAE,4BAA4B,KAChC,MAAM,CAAC,MAAM,CAAC,SAAS,oBAAoB,EAAE,EAAE,cAAc,CAAC,CAAC;IACpE,QAAQ,CAAC,OAAO,EAAE,CAChB,KAAK,EAAE,0BAA0B,KAC9B,MAAM,CAAC,MAAM,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAC;IAC3D,QAAQ,CAAC,GAAG,EAAE,CACZ,KAAK,EAAE,yBAAyB,KAC7B,MAAM,CAAC,MAAM,CAAC,oBAAoB,EAAE,cAAc,CAAC,CAAC;IACzD,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,4BAA4B,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAC9F,QAAQ,CAAC,gBAAgB,EAAE,CACzB,KAAK,EAAE,8BAA8B,KAClC,MAAM,CAAC,MAAM,CAAC,SAAS,oBAAoB,EAAE,EAAE,cAAc,CAAC,CAAC;IACpE,QAAQ,CAAC,eAAe,EAAE,CACxB,KAAK,EAAE,4BAA4B,KAChC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACzC,QAAQ,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,M
AAM,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;IAC1F,QAAQ,CAAC,mBAAmB,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;CAC/F;AAED,eAAO,MAAM,mBAAmB,GAAI,OAAO;IACzC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B,KAAG,mBAGD,CAAC;AAEJ,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,MAKV,CAAC;AAE1C,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,KAAG,MACxB,CAAC;AAE1C,eAAO,MAAM,6BAA6B,GAAI,KAAK,oBAAoB,KAAG,sBAgBvE,CAAC;AAEJ,eAAO,MAAM,yBAAyB,GAAI,KAAK,oBAAoB,KAAG,oBAarE,CAAC"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=credential-bindings.test.d.ts.map
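Review bot: The published `dist` now carries declaration output for a test file, `credential-bindings.test.d.ts`, together with its source map in the following hunk, which suggests the declaration build does not exclude `*.test.ts`. The file holds only `export {};`, so nothing leaks through it, but test artefacts in a release widen what consumers and auditors of the package have to review. Whether the compiled test code ships as well cannot be told from this hunk. Excluding tests in the tsconfig used for emit, e.g. `"exclude": ["src/**/*.test.ts"]`, would keep them out of the tarball.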
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-bindings.test.d.ts","sourceRoot":"","sources":["../src/credential-bindings.test.ts"],"names":[],"mappings":""}