@invect/express 0.0.1

package/dist/router/index.js

@@ -0,0 +1,1105 @@
+import { asyncHandler } from "../middleware/index.js";
+import { Router } from "express";
+import { BatchProvider, GraphNodeType, Invect } from "@invect/core";
+import { ZodError } from "zod";
+//#region src/invect-router.ts
+function createPluginDatabaseApi(core) {
+	const connection = core.getDatabaseConnection();
+	const normalizeSql = (statement) => {
+		if (connection.type !== "postgresql") return statement;
+		let index = 0;
+		return statement.replace(/\?/g, () => `$${++index}`);
+	};
+	const query = async (statement, params = []) => {
+		switch (connection.type) {
+			case "postgresql": return await connection.db.$client.unsafe(normalizeSql(statement), params);
+			case "sqlite": return connection.db.$client.prepare(statement).all(...params);
+			case "mysql": {
+				const [rows] = await connection.db.$client.execute(statement, params);
+				return Array.isArray(rows) ? rows : [];
+			}
+		}
+		throw new Error(`Unsupported database type: ${String(connection.type)}`);
+	};
+	return {
+		type: connection.type,
+		query,
+		async execute(statement, params = []) {
+			switch (connection.type) {
+				case "postgresql":
+					await connection.db.$client.unsafe(normalizeSql(statement), params);
+					return;
+				case "sqlite": {
+					const client = connection.db.$client;
+					const coerced = params.map((p) => typeof p === "boolean" ? p ? 1 : 0 : p);
+					client.prepare(statement).run(...coerced);
+					return;
+				}
+				case "mysql":
+					await connection.db.$client.execute(statement, params);
+					return;
+			}
+			throw new Error(`Unsupported database type: ${String(connection.type)}`);
+		}
+	};
+}
+function parseParamsFromQuery(queryValue) {
+	if (!queryValue) return {};
+	if (typeof queryValue === "string") try {
+		return JSON.parse(queryValue);
+	} catch {
+		return {};
+	}
+	if (Array.isArray(queryValue)) {
+		const last = queryValue[queryValue.length - 1];
+		if (typeof last === "string") try {
+			return JSON.parse(last);
+		} catch {
+			return {};
+		}
+		return {};
+	}
+	if (typeof queryValue === "object") return Object.entries(queryValue).reduce((acc, [key, value]) => {
+		acc[key] = Array.isArray(value) ? value[value.length - 1] : value;
+		return acc;
+	}, {});
+	return {};
+}
+function coerceQueryValue(value) {
+	if (Array.isArray(value)) return value[value.length - 1];
+	return value ?? void 0;
+}
+/**
+* Create Invect Express Router
+*/
+function createInvectRouter(config) {
+	const core = new Invect(config);
+	core.initialize().then(async () => {
+		await core.startBatchPolling();
+		console.log("✅ Invect batch polling started");
+		await core.startCronScheduler();
+		console.log("✅ Invect cron scheduler started");
+	}).catch((error) => {
+		console.error("Failed to initialize Invect Core:", error);
+	});
+	const router = Router();
+	router.use((req, res, next) => {
+		if (!core.isInitialized()) return res.status(503).json({
+			error: "Service Unavailable",
+			message: "Invect Core is still initializing. Please try again in a moment."
+		});
+		next();
+	});
+	/**
+	* Auth middleware - resolves identity from host app and attaches to request.
+	*
+	* The host app provides a `resolveUser` callback in the config that extracts
+	* the user identity from the request (e.g., from JWT, session, API key).
+	*/
+	router.use(async (req, res, next) => {
+		try {
+			const webRequestUrl = `${req.protocol}://${req.get("host")}${req.originalUrl}`;
+			const webRequestInit = {
+				method: req.method,
+				headers: req.headers
+			};
+			const webRequest = new globalThis.Request(webRequestUrl, webRequestInit);
+			const hookContext = {
+				path: req.path,
+				method: req.method,
+				identity: null
+			};
+			const hookResult = await core.getPluginHookRunner().runOnRequest(webRequest, hookContext);
+			if (hookResult.intercepted && hookResult.response) {
+				const arrayBuf = await hookResult.response.arrayBuffer();
+				res.status(hookResult.response.status);
+				hookResult.response.headers.forEach((value, key) => {
+					res.setHeader(key, value);
+				});
+				return res.send(Buffer.from(arrayBuf));
+			}
+			req.invectIdentity = hookContext.identity ?? null;
+		} catch (error) {
+			console.error("Auth resolution error:", error);
+			req.invectIdentity = null;
+		}
+		next();
+	});
+	/**
+	* Create an authorization middleware for a specific permission.
+	* When useFlowAccessTable is enabled, looks up flow access from database.
+	*/
+	function requirePermission(permission, getResourceId) {
+		return asyncHandler(async (req, res, next) => {
+			const identity = req.invectIdentity ?? null;
+			const resourceId = getResourceId ? getResourceId(req) : void 0;
+			const resourceType = permission.split(":")[0];
+			if (core.isFlowAccessTableEnabled() && identity && resourceId && [
+				"flow",
+				"flow-version",
+				"flow-run",
+				"node-execution"
+			].includes(resourceType)) {
+				if (core.hasPermission(identity, "admin:*")) return next();
+				if (!await core.hasFlowAccess(resourceId, identity.id, identity.teamIds || [], getRequiredFlowPermission(permission))) return res.status(403).json({
+					error: "Forbidden",
+					message: `No access to flow '${resourceId}'`
+				});
+				return next();
+			} else {
+				const result = await core.authorize({
+					identity,
+					action: permission,
+					resource: resourceId ? {
+						type: resourceType,
+						id: resourceId
+					} : void 0
+				});
+				if (!result.allowed) {
+					const status = identity ? 403 : 401;
+					return res.status(status).json({
+						error: status === 403 ? "Forbidden" : "Unauthorized",
+						message: result.reason || "Access denied"
+					});
+				}
+			}
+			next();
+		});
+	}
+	/**
+	* Map permission to required flow access level.
+	*/
+	function getRequiredFlowPermission(permission) {
+		if (permission.includes(":delete")) return "owner";
+		if (permission.startsWith("flow-run:") || permission === "node:test") return "operator";
+		if (permission.includes(":create") || permission.includes(":update") || permission.includes(":publish")) return "editor";
+		return "viewer";
+	}
+	/**
+	* GET /dashboard/stats - Get dashboard statistics
+	* Core method: ✅ getDashboardStats()
+	* Returns: DashboardStats (flow counts, run counts by status, recent activity)
+	*/
+	router.get("/dashboard/stats", asyncHandler(async (_req, res) => {
+		const stats = await core.getDashboardStats();
+		res.json(stats);
+	}));
+	/**
+	* GET /flows/list - List all flows (simple GET endpoint)
+	* Core method: ✅ listFlows()
+	* Permission: flow:read
+	*/
+	router.get("/flows/list", requirePermission("flow:read"), asyncHandler(async (_req, res) => {
+		const flows = await core.listFlows();
+		res.json(flows);
+	}));
+	/**
+	* POST /flows/list - List flows with optional filtering and pagination
+	* Core method: ✅ listFlows(options?: QueryOptions<Flow>)
+	* Body: QueryOptions<Flow>
+	* Permission: flow:read
+	*/
+	router.post("/flows/list", requirePermission("flow:read"), asyncHandler(async (req, res) => {
+		const flows = await core.listFlows(req.body);
+		res.json(flows);
+	}));
+	/**
+	* POST /flows - Create a new flow
+	* Core method: ✅ createFlow(flowData: CreateFlowRequest)
+	* Permission: flow:create
+	*/
+	router.post("/flows", requirePermission("flow:create"), asyncHandler(async (req, res) => {
+		const flow = await core.createFlow(req.body);
+		res.status(201).json(flow);
+	}));
+	/**
+	* GET /flows/:id - Get flow by ID
+	* Core method: ✅ getFlow(flowId: string)
+	* Permission: flow:read (with resource check)
+	*/
+	router.get("/flows/:id", requirePermission("flow:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const flow = await core.getFlow(req.params.id);
+		res.json(flow);
+	}));
+	/**
+	* PUT /flows/:id - Update flow
+	* Core method: ✅ updateFlow(flowId: string, updateData: UpdateFlowInput)
+	* Permission: flow:update (with resource check)
+	*/
+	router.put("/flows/:id", requirePermission("flow:update", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const flow = await core.updateFlow(req.params.id, req.body);
+		res.json(flow);
+	}));
+	/**
+	* DELETE /flows/:id - Delete flow
+	* Core method: ✅ deleteFlow(flowId: string)
+	* Permission: flow:delete (with resource check)
+	*/
+	router.delete("/flows/:id", requirePermission("flow:delete", (req) => req.params.id), asyncHandler(async (req, res) => {
+		await core.deleteFlow(req.params.id);
+		res.status(204).send();
+	}));
+	/**
+	* POST /validate-flow - Validate flow definition
+	* Core method: ✅ validateFlowDefinition(flowId: string, flowDefinition: InvectDefinition)
+	* Permission: flow:read
+	*/
+	router.post("/validate-flow", requirePermission("flow:read"), asyncHandler(async (req, res) => {
+		const { flowId, flowDefinition } = req.body;
+		const result = await core.validateFlowDefinition(flowId, flowDefinition);
+		res.json(result);
+	}));
+	/**
+	* GET /flows/:flowId/react-flow - Get flow data in React Flow format
+	* Core method: ✅ renderToReactFlow(flowId: string, options)
+	* Query params: version, flowRunId
+	*/
+	router.get("/flows/:flowId/react-flow", asyncHandler(async (req, res) => {
+		const queryParams = req.query;
+		const options = {};
+		if (queryParams.version) options.version = queryParams.version;
+		if (queryParams.flowRunId) options.flowRunId = queryParams.flowRunId;
+		const result = await core.renderToReactFlow(req.params.flowId, options);
+		res.json(result);
+	}));
+	/**
+	* POST /flows/:id/versions/list - Get flow versions with optional filtering and pagination
+	* Core method: ✅ listFlowVersions(flowId: string, options?: QueryOptions<FlowVersion>)
+	* Body: QueryOptions<FlowVersion>
+	*/
+	router.post("/flows/:id/versions/list", asyncHandler(async (req, res) => {
+		const versions = await core.listFlowVersions(req.params.id, req.body);
+		res.json(versions);
+	}));
+	/**
+	* POST /flows/:id/versions - Create flow version
+	* Core method: ✅ createFlowVersion(flowId: string, versionData: CreateFlowVersionRequest)
+	* Permission: flow-version:create (with resource check on flow)
+	*/
+	router.post("/flows/:id/versions", requirePermission("flow-version:create", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const version = await core.createFlowVersion(req.params.id, req.body);
+		res.status(201).json(version);
+	}));
+	/**
+	* GET /flows/:id/versions/:version - Get specific flow version (supports 'latest')
+	* Core method: ✅ getFlowVersion(flowId: string, version: string | number | "latest")
+	* Permission: flow-version:read (with resource check on flow)
+	*/
+	router.get("/flows/:id/versions/:version", requirePermission("flow-version:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const version = await core.getFlowVersion(req.params.id, req.params.version);
+		if (!version) return res.status(404).json({
+			error: "Not Found",
+			message: `Version ${req.params.version} not found for flow ${req.params.id}`
+		});
+		res.json(version);
+	}));
+	/**
+	* POST /flows/:flowId/run - Start flow execution (async - returns immediately)
+	* Core method: ✅ startFlowRunAsync(flowId: string, inputs: FlowInputs, options?: ExecuteFlowOptions)
+	* Returns immediately with flow run ID. The flow executes in the background.
+	* Permission: flow-run:create (with resource check on flow)
+	*/
+	router.post("/flows/:flowId/run", requirePermission("flow-run:create", (req) => req.params.flowId), asyncHandler(async (req, res) => {
+		const { inputs = {}, options } = req.body;
+		const result = await core.startFlowRunAsync(req.params.flowId, inputs, options);
+		res.status(201).json(result);
+	}));
+	/**
+	* POST /flows/:flowId/run-to-node/:nodeId - Execute flow up to a specific node
+	* Only executes the upstream nodes required to produce output for the target node.
+	* Core method: ✅ executeFlowToNode(flowId, targetNodeId, inputs, options)
+	* Permission: flow-run:create (with resource check on flow)
+	*/
+	router.post("/flows/:flowId/run-to-node/:nodeId", requirePermission("flow-run:create", (req) => req.params.flowId), asyncHandler(async (req, res) => {
+		const { inputs = {}, options } = req.body;
+		const result = await core.executeFlowToNode(req.params.flowId, req.params.nodeId, inputs, options);
+		res.status(201).json(result);
+	}));
+	/**
+	* POST /flow-runs/list - Get all flow runs with optional filtering and pagination
+	* Core method: ✅ listFlowRuns(options?: QueryOptions<FlowRun>)
+	* Body: QueryOptions<FlowRun>
+	* Permission: flow-run:read
+	*/
+	router.post("/flow-runs/list", requirePermission("flow-run:read"), asyncHandler(async (req, res) => {
+		const flowRuns = await core.listFlowRuns(req.body);
+		res.json(flowRuns);
+	}));
+	/**
+	* GET /flow-runs/:flowRunId - Get specific flow run by ID
+	* Core method: ✅ getFlowRunById(flowRunId: string)
+	*/
+	router.get("/flow-runs/:flowRunId", asyncHandler(async (req, res) => {
+		const flowRun = await core.getFlowRunById(req.params.flowRunId);
+		res.json(flowRun);
+	}));
+	/**
+	* GET /flows/:flowId/flow-runs - Get flow runs for a specific flow
+	* Core method: ✅ listFlowRunsByFlowId(flowId: string)
+	*/
+	router.get("/flows/:flowId/flow-runs", asyncHandler(async (req, res) => {
+		const flowRuns = await core.listFlowRunsByFlowId(req.params.flowId);
+		res.json(flowRuns);
+	}));
+	/**
+	* POST /flow-runs/:flowRunId/resume - Resume paused flow execution
+	* Core method: ✅ resumeExecution(executionId: string)
+	*/
+	router.post("/flow-runs/:flowRunId/resume", asyncHandler(async (req, res) => {
+		const result = await core.resumeExecution(req.params.flowRunId);
+		res.json(result);
+	}));
+	/**
+	* POST /flow-runs/:flowRunId/cancel - Cancel flow execution
+	* Core method: ✅ cancelFlowRun(flowRunId: string)
+	*/
+	router.post("/flow-runs/:flowRunId/cancel", asyncHandler(async (req, res) => {
+		const result = await core.cancelFlowRun(req.params.flowRunId);
+		res.json(result);
+	}));
+	/**
+	* POST /flow-runs/:flowRunId/pause - Pause flow execution
+	* Core method: ✅ pauseFlowRun(flowRunId: string, reason?: string)
+	*/
+	router.post("/flow-runs/:flowRunId/pause", asyncHandler(async (req, res) => {
+		const { reason } = req.body;
+		const result = await core.pauseFlowRun(req.params.flowRunId, reason);
+		res.json(result);
+	}));
+	/**
+	* GET /flow-runs/:flowRunId/node-executions - Get node executions for a flow run
+	* Core method: ✅ getNodeExecutionsByRunId(flowRunId: string)
+	*/
+	router.get("/flow-runs/:flowRunId/node-executions", asyncHandler(async (req, res) => {
+		const nodeExecutions = await core.getNodeExecutionsByRunId(req.params.flowRunId);
+		res.json(nodeExecutions);
+	}));
+	/**
+	* GET /flow-runs/:flowRunId/stream - SSE stream of execution events
+	* Core method: ✅ createFlowRunEventStream(flowRunId: string)
+	*
+	* Streams node-execution and flow-run updates in real time.
+	* First event is a "snapshot", then incremental updates, ending with "end".
+	*/
+	router.get("/flow-runs/:flowRunId/stream", asyncHandler(async (req, res) => {
+		res.setHeader("Content-Type", "text/event-stream");
+		res.setHeader("Cache-Control", "no-cache");
+		res.setHeader("Connection", "keep-alive");
+		res.setHeader("X-Accel-Buffering", "no");
+		res.flushHeaders();
+		try {
+			const stream = core.createFlowRunEventStream(req.params.flowRunId);
+			for await (const event of stream) {
+				if (res.destroyed) break;
+				const data = JSON.stringify(event);
+				res.write(`event: ${event.type}\ndata: ${data}\n\n`);
+			}
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Stream failed";
+			if (res.headersSent) res.write(`event: error\ndata: ${JSON.stringify({
+				type: "error",
+				message
+			})}\n\n`);
+			else return res.status(500).json({
+				error: "Internal Server Error",
+				message
+			});
+		} finally {
+			res.end();
+		}
+	}));
+	/**
+	* POST /node-executions/list - Get all node executions with optional filtering and pagination
+	* Core method: ✅ listNodeExecutions(options?: QueryOptions<NodeExecution>)
+	* Body: QueryOptions<NodeExecution>
+	*/
+	router.post("/node-executions/list", asyncHandler(async (req, res) => {
+		const nodeExecutions = await core.listNodeExecutions(req.body);
+		res.json(nodeExecutions);
+	}));
+	/**
+	* POST /node-data/sql-query - Execute SQL query for testing
+	* Core method: ✅ executeSqlQuery(request: SubmitSQLQueryRequest)
+	*/
+	router.post("/node-data/sql-query", asyncHandler(async (req, res) => {
+		const result = await core.executeSqlQuery(req.body);
+		res.json(result);
+	}));
+	/**
+	* POST /node-data/test-expression - Test a JS expression in the QuickJS sandbox
+	* Core method: ✅ testJsExpression({ expression, context })
+	*/
+	router.post("/node-data/test-expression", asyncHandler(async (req, res) => {
+		const result = await core.testJsExpression(req.body);
+		res.json(result);
+	}));
+	/**
+	* POST /node-data/test-mapper - Test a mapper expression with mode semantics
+	* Core method: ✅ testMapper({ expression, incomingData, mode? })
+	*/
+	router.post("/node-data/test-mapper", asyncHandler(async (req, res) => {
+		const result = await core.testMapper(req.body);
+		res.json(result);
+	}));
+	/**
+	* POST /node-data/model-query - Test model prompt
+	* Core method: ✅ testModelPrompt(request: SubmitPromptRequest)
+	*/
+	router.post("/node-data/model-query", asyncHandler(async (req, res) => {
+		const result = await core.testModelPrompt(req.body);
+		res.json(result);
+	}));
+	/**
+	* GET /node-data/models - Get available AI models
+	* Core method: ✅ getAvailableModels()
+	*/
+	router.get("/node-data/models", asyncHandler(async (req, res) => {
+		const credentialId = typeof req.query.credentialId === "string" ? req.query.credentialId.trim() : "";
+		const providerQuery = typeof req.query.provider === "string" ? req.query.provider.trim().toUpperCase() : "";
+		if (credentialId) {
+			const response = await core.getModelsForCredential(credentialId);
+			res.json(response);
+			return;
+		}
+		if (providerQuery) {
+			if (!Object.values(BatchProvider).includes(providerQuery)) {
+				res.status(400).json({
+					error: "INVALID_PROVIDER",
+					message: `Unsupported provider '${providerQuery}'. Expected one of: ${Object.values(BatchProvider).join(", ")}`
+				});
+				return;
+			}
+			const provider = providerQuery;
+			const response = await core.getModelsForProvider(provider);
+			res.json(response);
+			return;
+		}
+		const models = await core.getAvailableModels();
+		res.json(models);
+	}));
+	/**
+	* GET /node-data/databases - Get available databases
+	* Core method: ✅ getAvailableDatabases()
+	*/
+	router.get("/node-data/databases", asyncHandler(async (req, res) => {
+		const databases = core.getAvailableDatabases();
+		res.json(databases);
+	}));
+	/**
+	* POST /node-config/update - Generic node configuration updates
+	* Core method: ✅ handleNodeConfigUpdate(event: NodeConfigUpdateEvent)
+	*/
+	router.post("/node-config/update", asyncHandler(async (req, res) => {
+		const response = await core.handleNodeConfigUpdate(req.body);
+		res.json(response);
+	}));
+	router.get("/node-definition/:nodeType", asyncHandler(async (req, res) => {
+		const rawNodeType = req.params.nodeType ?? "";
+		const nodeTypeParam = rawNodeType.includes(".") ? rawNodeType : rawNodeType.toUpperCase();
+		const isLegacyEnum = !rawNodeType.includes(".") && nodeTypeParam in GraphNodeType;
+		const isActionId = rawNodeType.includes(".");
+		if (!isLegacyEnum && !isActionId) {
+			res.status(400).json({
+				error: "INVALID_NODE_TYPE",
+				message: `Unknown node type '${req.params.nodeType}'`
+			});
+			return;
+		}
+		const params = parseParamsFromQuery(req.query.params);
+		const changeField = typeof req.query.changeField === "string" ? req.query.changeField : void 0;
+		const changeValue = coerceQueryValue(req.query.changeValue);
+		const nodeId = typeof req.query.nodeId === "string" ? req.query.nodeId : void 0;
+		const flowId = typeof req.query.flowId === "string" ? req.query.flowId : void 0;
+		const response = await core.handleNodeConfigUpdate({
+			nodeType: nodeTypeParam,
+			nodeId: nodeId ?? `definition-${nodeTypeParam.toLowerCase()}`,
+			flowId,
+			params,
+			change: changeField ? {
+				field: changeField,
+				value: changeValue
+			} : void 0
+		});
+		res.json(response);
+	}));
+	/**
+	* GET /nodes - Get available node definitions
+	* Core method: ✅ getAvailableNodes()
+	*/
+	router.get("/nodes", asyncHandler(async (req, res) => {
+		const nodes = core.getAvailableNodes();
+		res.json(nodes);
+	}));
+	/**
+	* GET /actions/:actionId/fields/:fieldName/options - Load dynamic field options
+	* Core method: ✅ resolveFieldOptions(actionId, fieldName, deps)
+	*
+	* Query params:
+	*   deps - JSON-encoded object of dependency field values
+	*/
+	router.get("/actions/:actionId/fields/:fieldName/options", asyncHandler(async (req, res) => {
+		const { actionId, fieldName } = req.params;
+		let dependencyValues = {};
+		if (typeof req.query.deps === "string") try {
+			dependencyValues = JSON.parse(req.query.deps);
+		} catch {
+			res.status(400).json({ error: "Invalid deps JSON" });
+			return;
+		}
+		const result = await core.resolveFieldOptions(actionId, fieldName, dependencyValues);
+		res.json(result);
+	}));
+	/**
+	* POST /nodes/test - Test/execute a single node in isolation
+	* Core method: ✅ testNode(nodeType, params, inputData)
+	* Body: { nodeType: string, params: Record<string, unknown>, inputData?: Record<string, unknown> }
+	*/
+	router.post("/nodes/test", asyncHandler(async (req, res) => {
+		const { nodeType, params, inputData } = req.body;
+		if (!nodeType || typeof nodeType !== "string") return res.status(400).json({ error: "nodeType is required and must be a string" });
+		if (!params || typeof params !== "object") return res.status(400).json({ error: "params is required and must be an object" });
+		const result = await core.testNode(nodeType, params, inputData || {});
+		res.json(result);
+	}));
+	/**
+	* POST /credentials - Create a new credential
+	* Core method: ✅ createCredential(input: CreateCredentialInput)
+	* Permission: credential:create
+	*/
+	router.post("/credentials", requirePermission("credential:create"), asyncHandler(async (req, res) => {
+		const resolvedUserId = req.invectIdentity?.id || req.user?.id || req.body.userId || req.header("x-user-id") || "anonymous";
+		const credential = await core.createCredential({
+			...req.body,
+			userId: resolvedUserId
+		});
+		res.status(201).json(credential);
+	}));
+	/**
+	* GET /credentials - List credentials with optional filtering and pagination
+	* Core method: ✅ listCredentials(filters?: CredentialFilters, options?: QueryOptions)
+	* Query params: type?, authType?, isActive?, page?, limit?
+	* Permission: credential:read
+	*/
+	router.get("/credentials", requirePermission("credential:read"), asyncHandler(async (req, res) => {
+		const filters = {
+			type: req.query.type,
+			authType: req.query.authType,
+			isActive: req.query.isActive === "true" ? true : req.query.isActive === "false" ? false : void 0
+		};
+		const credentials = await core.listCredentials(filters);
+		res.json(credentials);
+	}));
+	/**
+	* GET /credentials/:id - Get credential by ID
+	* Core method: ✅ getCredential(id: string)
+	* Permission: credential:read (with resource check)
+	*/
+	router.get("/credentials/:id", requirePermission("credential:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const credential = await core.getCredential(req.params.id);
+		res.json(credential);
+	}));
+	/**
+	* PUT /credentials/:id - Update credential
+	* Core method: ✅ updateCredential(id: string, input: UpdateCredentialInput)
+	* Permission: credential:update (with resource check)
+	*/
+	router.put("/credentials/:id", requirePermission("credential:update", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const credential = await core.updateCredential(req.params.id, req.body);
+		res.json(credential);
+	}));
+	/**
+	* DELETE /credentials/:id - Delete credential
+	* Core method: ✅ deleteCredential(id: string)
+	* Permission: credential:delete (with resource check)
+	*/
+	router.delete("/credentials/:id", requirePermission("credential:delete", (req) => req.params.id), asyncHandler(async (req, res) => {
+		await core.deleteCredential(req.params.id);
+		res.status(204).send();
+	}));
+	/**
+	* POST /credentials/:id/test - Test credential validity
+	* Core method: ✅ testCredential(id: string)
+	* Permission: credential:read (with resource check)
+	*/
+	router.post("/credentials/:id/test", requirePermission("credential:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const result = await core.testCredential(req.params.id);
+		res.json(result);
+	}));
+	/**
+	* POST /credentials/:id/track-usage - Update credential last used timestamp
+	* Core method: ✅ updateCredentialLastUsed(id: string)
+	* Permission: credential:read (with resource check)
+	*/
+	router.post("/credentials/:id/track-usage", requirePermission("credential:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		await core.updateCredentialLastUsed(req.params.id);
+		res.status(204).send();
+	}));
+	/**
+	* GET /credentials/:id/webhook - Get webhook info for a credential
+	* Core method: ✅ CredentialsService.getWebhookInfo(id)
+	* Permission: credential:read (with resource check)
+	*/
+	router.get("/credentials/:id/webhook", requirePermission("credential:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const webhookInfo = await core.getCredentialsService().getWebhookInfo(req.params.id);
+		if (!webhookInfo) return res.status(404).json({ error: "Webhook not enabled for credential" });
+		res.json(webhookInfo);
+	}));
+	/**
+	* GET /credentials/:id/webhook-info - Backwards-compatible alias for webhook info
+	*/
+	router.get("/credentials/:id/webhook-info", requirePermission("credential:read", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const webhookInfo = await core.getCredentialsService().getWebhookInfo(req.params.id);
+		if (!webhookInfo) return res.status(404).json({ error: "Webhook not enabled for credential" });
+		res.json(webhookInfo);
+	}));
+	/**
+	* POST /credentials/:id/webhook - Enable webhook for a credential
+	* Core method: ✅ CredentialsService.enableWebhook(id)
+	* Permission: credential:update (with resource check)
+	*/
+	router.post("/credentials/:id/webhook", requirePermission("credential:update", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const webhookInfo = await core.getCredentialsService().enableWebhook(req.params.id);
+		res.json(webhookInfo);
+	}));
+	/**
+	* POST /credentials/:id/webhook/enable - Backwards-compatible alias for enabling webhooks
+	*/
+	router.post("/credentials/:id/webhook/enable", requirePermission("credential:update", (req) => req.params.id), asyncHandler(async (req, res) => {
+		const webhookInfo = await core.getCredentialsService().enableWebhook(req.params.id);
+		res.json(webhookInfo);
+	}));
+	/**
+	* POST /webhooks/credentials/:webhookPath - Public credential webhook ingestion endpoint
+	* Core methods: ✅ CredentialsService.findByWebhookPath(webhookPath), updateCredentialLastUsed(id)
+	*/
+	router.post("/webhooks/credentials/:webhookPath", asyncHandler(async (req, res) => {
+		const credential = await core.getCredentialsService().findByWebhookPath(req.params.webhookPath);
+		if (!credential) return res.status(404).json({
+			ok: false,
+			error: "Credential webhook not found"
+		});
+		res.json({
+			ok: true,
+			credentialId: credential.id,
+			triggeredFlows: 0,
+			runs: [],
+			body: req.body ?? null
+		});
+	}));
+	/**
+	* GET /credentials/expiring - Get credentials expiring soon
+	* Core method: ✅ getExpiringCredentials(daysUntilExpiry?: number)
+	* Query params: daysUntilExpiry (default: 7)
+	* Permission: credential:read
+	*/
+	router.get("/credentials/expiring", requirePermission("credential:read"), asyncHandler(async (req, res) => {
+		const daysUntilExpiry = req.query.daysUntilExpiry ? parseInt(req.query.daysUntilExpiry) : 7;
+		const credentials = await core.getExpiringCredentials(daysUntilExpiry);
+		res.json(credentials);
+	}));
+	/**
+	* POST /credentials/test-request - Test a credential by making an HTTP request
+	* This endpoint proxies HTTP requests to avoid CORS issues when testing credentials
+	* Body: { url, method, headers, body }
+	*/
+	router.post("/credentials/test-request", asyncHandler(async (req, res) => {
+		const { url, method = "GET", headers = {}, body } = req.body;
+		if (!url) {
+			res.status(400).json({ error: "URL is required" });
+			return;
+		}
+		try {
+			const fetchOptions = {
+				method,
+				headers
+			};
+			if (body && [
+				"POST",
+				"PUT",
+				"PATCH"
+			].includes(method)) fetchOptions.body = typeof body === "string" ? body : JSON.stringify(body);
+			const response = await fetch(url, fetchOptions);
+			const responseText = await response.text();
+			let responseBody;
+			try {
+				responseBody = JSON.parse(responseText);
+			} catch {
+				responseBody = responseText;
+			}
+			res.json({
+				status: response.status,
+				statusText: response.statusText,
+				ok: response.ok,
+				body: responseBody
+			});
+		} catch (error) {
+			res.status(500).json({
+				error: "Request failed",
+				message: error instanceof Error ? error.message : "Unknown error"
+			});
+		}
+	}));
+	/**
+	* GET /credentials/oauth2/providers - List all available OAuth2 providers
+	*/
+	router.get("/credentials/oauth2/providers", asyncHandler(async (_req, res) => {
+		const providers = core.getOAuth2Providers();
+		res.json(providers);
+	}));
+	/**
+	* GET /credentials/oauth2/providers/:providerId - Get a specific OAuth2 provider
+	*/
+	router.get("/credentials/oauth2/providers/:providerId", asyncHandler(async (req, res) => {
+		const provider = core.getOAuth2Provider(req.params.providerId);
+		if (!provider) {
+			res.status(404).json({ error: "OAuth2 provider not found" });
+			return;
+		}
+		res.json(provider);
+	}));
+	/**
+	* POST /credentials/oauth2/start - Start OAuth2 authorization flow
+	* Body: { providerId, clientId, clientSecret, redirectUri, scopes?, returnUrl?, credentialName? }
+	* Returns: { authorizationUrl, state }
+	*/
+	router.post("/credentials/oauth2/start", asyncHandler(async (req, res) => {
+		const { providerId, clientId, clientSecret, redirectUri, scopes, returnUrl, credentialName } = req.body;
+		if (!providerId || !clientId || !clientSecret || !redirectUri) {
+			res.status(400).json({ error: "Missing required fields: providerId, clientId, clientSecret, redirectUri" });
+			return;
+		}
+		const result = core.startOAuth2Flow(providerId, {
+			clientId,
+			clientSecret,
+			redirectUri
+		}, {
+			scopes,
+			returnUrl,
+			credentialName
+		});
+		res.json(result);
+	}));
+	/**
+	* POST /credentials/oauth2/callback - Handle OAuth2 callback and exchange code for tokens
+	* Body: { code, state, clientId, clientSecret, redirectUri }
+	* Creates a new credential with the obtained tokens
+	*/
+	router.post("/credentials/oauth2/callback", asyncHandler(async (req, res) => {
+		const { code, state, clientId, clientSecret, redirectUri } = req.body;
+		if (!code || !state || !clientId || !clientSecret || !redirectUri) {
+			res.status(400).json({ error: "Missing required fields: code, state, clientId, clientSecret, redirectUri" });
+			return;
+		}
+		const credential = await core.handleOAuth2Callback(code, state, {
+			clientId,
+			clientSecret,
+			redirectUri
+		});
+		res.json(credential);
+	}));
+	/**
+	* GET /credentials/oauth2/callback - Handle OAuth2 callback (for redirect-based flows)
+	* Query: code, state
+	* Redirects to the return URL with credential ID or error
+	*/
+	router.get("/credentials/oauth2/callback", asyncHandler(async (req, res) => {
+		const { code, state, error, error_description } = req.query;
+		if (error) {
+			const errorMsg = error_description || error;
+			const returnUrl = core.getOAuth2PendingState(state)?.returnUrl || "/";
+			const separator = returnUrl.includes("?") ? "&" : "?";
+			res.redirect(`${returnUrl}${separator}oauth_error=${encodeURIComponent(errorMsg)}`);
+			return;
+		}
+		if (!code || !state) {
+			res.status(400).json({ error: "Missing code or state parameter" });
+			return;
+		}
+		const pendingState = core.getOAuth2PendingState(state);
+		if (!pendingState) {
+			res.status(400).json({ error: "Invalid or expired OAuth state" });
+			return;
+		}
+		res.json({
+			message: "OAuth callback received. Use POST /credentials/oauth2/callback to exchange the code.",
+			code,
+			state,
+			providerId: pendingState.providerId,
+			returnUrl: pendingState.returnUrl
+		});
+	}));
+	/**
+	* POST /credentials/:id/refresh - Manually refresh an OAuth2 credential's access token
+	*/
+	router.post("/credentials/:id/refresh", asyncHandler(async (req, res) => {
+		const credential = await core.refreshOAuth2Credential(req.params.id);
+		res.json(credential);
+	}));
+	/**
+	* GET /flows/:flowId/triggers - List all trigger registrations for a flow
+	* Core method: ✅ listTriggersForFlow(flowId)
+	* Permission: flow:read (with resource check)
+	*/
+	router.get("/flows/:flowId/triggers", requirePermission("flow:read", (req) => req.params.flowId), asyncHandler(async (req, res) => {
+		const triggers = await core.listTriggersForFlow(req.params.flowId);
+		res.json(triggers);
+	}));
+	/**
+	* POST /flows/:flowId/triggers - Create a trigger registration for a flow
+	* Core method: ✅ createTrigger(input)
+	* Permission: flow:update (with resource check)
+	*/
+	router.post("/flows/:flowId/triggers", requirePermission("flow:update", (req) => req.params.flowId), asyncHandler(async (req, res) => {
+		const trigger = await core.createTrigger({
+			...req.body,
+			flowId: req.params.flowId
+		});
+		res.status(201).json(trigger);
+	}));
+	/**
+	* POST /flows/:flowId/triggers/sync - Sync triggers from the flow definition
+	* Core method: ✅ syncTriggersForFlow(flowId, definition)
+	* Permission: flow:update (with resource check)
+	*/
+	router.post("/flows/:flowId/triggers/sync", requirePermission("flow:update", (req) => req.params.flowId), asyncHandler(async (req, res) => {
+		const { definition } = req.body;
+		const triggers = await core.syncTriggersForFlow(req.params.flowId, definition);
+		res.json(triggers);
+	}));
+	/**
+	* GET /triggers/:triggerId - Get a single trigger by ID
+	* Core method: ✅ getTrigger(triggerId)
+	*/
+	router.get("/triggers/:triggerId", asyncHandler(async (req, res) => {
+		const trigger = await core.getTrigger(req.params.triggerId);
+		if (!trigger) return res.status(404).json({
+			error: "Not Found",
+			message: `Trigger ${req.params.triggerId} not found`
+		});
+		res.json(trigger);
+	}));
+	/**
+	* PUT /triggers/:triggerId - Update a trigger registration
+	* Core method: ✅ updateTrigger(triggerId, input)
+	*/
+	router.put("/triggers/:triggerId", asyncHandler(async (req, res) => {
+		const trigger = await core.updateTrigger(req.params.triggerId, req.body);
+		if (!trigger) return res.status(404).json({
+			error: "Not Found",
+			message: `Trigger ${req.params.triggerId} not found`
+		});
+		res.json(trigger);
+	}));
+	/**
+	* DELETE /triggers/:triggerId - Delete a trigger registration
+	* Core method: ✅ deleteTrigger(triggerId)
+	*/
+	router.delete("/triggers/:triggerId", asyncHandler(async (req, res) => {
+		await core.deleteTrigger(req.params.triggerId);
+		res.status(204).send();
+	}));
+	/**
+	* GET /agent/tools - List all available agent tools
+	* Core method: ✅ getAgentTools()
+	*/
+	router.get("/agent/tools", asyncHandler(async (_req, res) => {
+		const tools = core.getAgentTools();
+		res.json(tools);
+	}));
+	/**
+	* GET /chat/status - Check if chat assistant is enabled
+	* Core method: ✅ isChatEnabled()
+	*/
+	router.get("/chat/status", asyncHandler(async (_req, res) => {
+		res.json({ enabled: core.isChatEnabled() });
+	}));
+	/**
+	* POST /chat - Streaming chat assistant endpoint (SSE)
+	* Core method: ✅ createChatStream()
+	*
+	* Request body: { messages: ChatMessage[], context: ChatContext }
+	* Response: Server-Sent Events stream of ChatStreamEvents
+	*/
+	router.post("/chat", asyncHandler(async (req, res) => {
+		const { messages, context } = req.body;
+		if (!messages || !Array.isArray(messages)) return res.status(400).json({
+			error: "Validation Error",
+			message: "\"messages\" must be an array of chat messages"
+		});
+		res.setHeader("Content-Type", "text/event-stream");
+		res.setHeader("Cache-Control", "no-cache");
+		res.setHeader("Connection", "keep-alive");
+		res.setHeader("X-Accel-Buffering", "no");
+		res.flushHeaders();
+		const identity = req.__invectIdentity ?? void 0;
+		try {
+			const stream = await core.createChatStream({
+				messages,
+				context: context || {},
+				identity
+			});
+			for await (const event of stream) {
+				if (res.destroyed) break;
+				const data = JSON.stringify(event);
+				res.write(`event: ${event.type}\ndata: ${data}\n\n`);
+			}
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Chat stream failed";
+			if (res.headersSent) res.write(`event: error\ndata: ${JSON.stringify({
+				type: "error",
+				message,
+				recoverable: false
+			})}\n\n`);
+			else return res.status(500).json({
+				error: "Internal Server Error",
+				message
+			});
+		} finally {
+			res.end();
+		}
+	}));
+	/**
+	* GET /chat/messages/:flowId - Get persisted chat messages for a flow
+	* Core method: ✅ getChatMessages()
+	*/
+	router.get("/chat/messages/:flowId", asyncHandler(async (req, res) => {
+		const messages = await core.getChatMessages(req.params.flowId);
+		res.json(messages);
+	}));
+	/**
+	* PUT /chat/messages/:flowId - Save (replace) chat messages for a flow
+	* Core method: ✅ saveChatMessages()
+	*
+	* Request body: { messages: Array<{ role, content, toolMeta? }> }
+	*/
+	router.put("/chat/messages/:flowId", asyncHandler(async (req, res) => {
+		const { messages } = req.body;
+		if (!messages || !Array.isArray(messages)) return res.status(400).json({
+			error: "Validation Error",
+			message: "\"messages\" must be an array"
+		});
+		const saved = await core.saveChatMessages(req.params.flowId, messages);
+		res.json(saved);
+	}));
+	/**
+	* DELETE /chat/messages/:flowId - Delete all chat messages for a flow
+	* Core method: ✅ deleteChatMessages()
+	*/
+	router.delete("/chat/messages/:flowId", asyncHandler(async (req, res) => {
+		await core.deleteChatMessages(req.params.flowId);
+		res.json({ success: true });
+	}));
+	router.all("/plugins/*", asyncHandler(async (req, res) => {
+		const endpoints = core.getPluginEndpoints();
+		const pluginPath = (req.path || "/").replace(/^\/plugins/, "") || "/";
+		const method = req.method.toUpperCase();
+		const matchedEndpoint = endpoints.find((ep) => {
+			if (ep.method !== method) return false;
+			const pattern = ep.path.replace(/\*/g, "(.*)").replace(/:([^/]+)/g, "([^/]+)");
+			return new RegExp(`^${pattern}$`).test(pluginPath);
+		});
+		if (!matchedEndpoint) return res.status(404).json({
+			error: "Not Found",
+			message: `Plugin route ${method} ${pluginPath} not found`
+		});
+		const paramNames = [];
+		const paramPattern = matchedEndpoint.path.replace(/\*/g, "(.*)").replace(/:([^/]+)/g, (_m, name) => {
+			paramNames.push(name);
+			return "([^/]+)";
+		});
+		const paramMatch = new RegExp(`^${paramPattern}$`).exec(pluginPath);
+		const params = {};
+		if (paramMatch) paramNames.forEach((name, i) => {
+			params[name] = paramMatch[i + 1] || "";
+		});
+		if (!matchedEndpoint.isPublic && matchedEndpoint.permission) {
+			const identity = req.invectIdentity ?? null;
+			if (!core.hasPermission(identity, matchedEndpoint.permission)) return res.status(403).json({
+				error: "Forbidden",
+				message: `Missing permission: ${matchedEndpoint.permission}`
+			});
+		}
+		const webRequestUrl = `${req.protocol}://${req.get("host")}${req.originalUrl}`;
+		const webRequestInit = {
+			method: req.method,
+			headers: req.headers
+		};
+		if (req.method !== "GET" && req.method !== "HEAD" && req.method !== "DELETE") webRequestInit.body = JSON.stringify(req.body || {});
+		const webRequest = new globalThis.Request(webRequestUrl, webRequestInit);
+		const result = await matchedEndpoint.handler({
+			body: req.body || {},
+			params,
+			query: req.query || {},
+			headers: req.headers,
+			identity: req.invectIdentity ?? null,
+			database: createPluginDatabaseApi(core),
+			request: webRequest,
+			core: {
+				getPermissions: (identity) => core.getPermissions(identity),
+				getAvailableRoles: () => core.getAvailableRoles(),
+				getResolvedRole: (identity) => core.getAuthService().getResolvedRole(identity),
+				isFlowAccessTableEnabled: () => core.isFlowAccessTableEnabled(),
+				listFlowAccess: (flowId) => core.listFlowAccess(flowId),
+				grantFlowAccess: (input) => core.grantFlowAccess(input),
+				revokeFlowAccess: (accessId) => core.revokeFlowAccess(accessId),
+				getAccessibleFlowIds: (userId, teamIds) => core.getAccessibleFlowIds(userId, teamIds),
+				getFlowPermission: (flowId, userId, teamIds) => core.getFlowPermission(flowId, userId, teamIds),
+				authorize: (context) => core.authorize(context)
+			}
+		});
+		if (result instanceof Response) {
+			const arrayBuf = await result.arrayBuffer();
+			res.status(result.status);
+			result.headers.forEach((value, key) => {
+				if (key.toLowerCase() !== "set-cookie") res.setHeader(key, value);
+			});
+			const setCookies = result.headers.getSetCookie?.();
+			if (setCookies && setCookies.length > 0) res.setHeader("set-cookie", setCookies);
+			res.send(Buffer.from(arrayBuf));
+			return;
+		}
+		if ("stream" in result && result.stream) {
+			res.status(result.status || 200);
+			res.setHeader("Content-Type", "text/event-stream");
+			const reader = result.stream.getReader();
+			const pump = async () => {
+				const { done, value } = await reader.read();
+				if (done) {
+					res.end();
+					return;
+				}
+				res.write(value);
+				await pump();
+			};
+			await pump();
+			return;
+		}
+		const jsonResult = result;
+		res.status(jsonResult.status || 200).json(jsonResult.body);
+	}));
+	router.use((error, _req, res, _next) => {
+		if (error instanceof ZodError) return res.status(400).json({
+			error: "Validation Error",
+			message: "Invalid request data",
+			details: error.errors.map((err) => ({
+				path: err.path.join("."),
+				message: err.message,
+				code: err.code
+			}))
+		});
+		if (error.name === "DatabaseError") return res.status(500).json({
+			error: "Database Error",
+			message: error.message || "A database error occurred"
+		});
+		console.error("Invect Router Error:", error);
+		res.status(500).json({
+			error: "Internal Server Error",
+			message: "An unexpected error occurred"
+		});
+	});
+	return router;
+}
+//#endregion
+export { createInvectRouter };
+
+//# sourceMappingURL=index.js.map