@jaimevalasek/aioson 1.30.0 → 1.30.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/CHANGELOG.md +18 -0
  2. package/docs/design-previews/cognitive-core-ui-auth.html +95 -0
  3. package/docs/design-previews/cognitive-core-ui-kanban.html +231 -0
  4. package/docs/design-previews/cognitive-core-ui-list-detail.html +174 -0
  5. package/docs/design-previews/cognitive-core-ui-preview.css +1315 -0
  6. package/docs/design-previews/cognitive-core-ui-settings.html +142 -0
  7. package/docs/design-previews/cognitive-core-ui-website.html +190 -1009
  8. package/docs/design-previews/cognitive-core-ui.html +281 -463
  9. package/docs/design-previews/index.html +83 -31
  10. package/package.json +1 -1
  11. package/src/constants.js +578 -514
  12. package/template/.aioson/docs/integrations/dashboard-app-form-publish-mapping.md +183 -0
  13. package/template/.aioson/docs/play/README.md +74 -0
  14. package/template/.aioson/docs/play/agent-usage-guide.md +112 -0
  15. package/template/.aioson/docs/play/app-compatibility-guide.md +117 -0
  16. package/template/.aioson/docs/play/auth-services-and-testing.md +235 -0
  17. package/template/.aioson/docs/play/llm-data-and-bindings.md +238 -0
  18. package/template/.aioson/docs/play/manifest-and-runtime.md +267 -0
  19. package/template/.aioson/docs/play/source-map.md +104 -0
  20. package/template/.aioson/skills/design/aurora-command-ui/SKILL.md +266 -243
  21. package/template/.aioson/skills/design/aurora-command-ui/references/art-direction.md +293 -293
  22. package/template/.aioson/skills/design/aurora-command-ui/references/components.md +827 -827
  23. package/template/.aioson/skills/design/aurora-command-ui/references/dashboards.md +250 -250
  24. package/template/.aioson/skills/design/aurora-command-ui/references/design-tokens.md +585 -585
  25. package/template/.aioson/skills/design/aurora-command-ui/references/motion.md +365 -365
  26. package/template/.aioson/skills/design/aurora-command-ui/references/patterns.md +485 -482
  27. package/template/.aioson/skills/design/aurora-command-ui/references/websites.md +386 -387
  28. package/template/.aioson/skills/design/bold-editorial-ui/SKILL.md +228 -205
  29. package/template/.aioson/skills/design/bold-editorial-ui/references/art-direction.md +338 -338
  30. package/template/.aioson/skills/design/bold-editorial-ui/references/components.md +977 -977
  31. package/template/.aioson/skills/design/bold-editorial-ui/references/dashboards.md +218 -218
  32. package/template/.aioson/skills/design/bold-editorial-ui/references/design-tokens.md +326 -326
  33. package/template/.aioson/skills/design/bold-editorial-ui/references/motion.md +461 -461
  34. package/template/.aioson/skills/design/bold-editorial-ui/references/patterns.md +293 -293
  35. package/template/.aioson/skills/design/bold-editorial-ui/references/websites.md +352 -352
  36. package/template/.aioson/skills/design/clean-saas-ui/SKILL.md +233 -210
  37. package/template/.aioson/skills/design/clean-saas-ui/references/art-direction.md +319 -319
  38. package/template/.aioson/skills/design/clean-saas-ui/references/components.md +365 -365
  39. package/template/.aioson/skills/design/clean-saas-ui/references/dashboards.md +196 -196
  40. package/template/.aioson/skills/design/clean-saas-ui/references/design-tokens.md +244 -244
  41. package/template/.aioson/skills/design/clean-saas-ui/references/motion.md +235 -235
  42. package/template/.aioson/skills/design/clean-saas-ui/references/patterns.md +215 -215
  43. package/template/.aioson/skills/design/clean-saas-ui/references/websites.md +295 -295
  44. package/template/.aioson/skills/design/cognitive-core-ui/SKILL.md +239 -203
  45. package/template/.aioson/skills/design/cognitive-core-ui/references/art-direction.md +339 -339
  46. package/template/.aioson/skills/design/cognitive-core-ui/references/components.md +417 -407
  47. package/template/.aioson/skills/design/cognitive-core-ui/references/dashboards.md +289 -272
  48. package/template/.aioson/skills/design/cognitive-core-ui/references/design-tokens.md +525 -524
  49. package/template/.aioson/skills/design/cognitive-core-ui/references/motion.md +279 -279
  50. package/template/.aioson/skills/design/cognitive-core-ui/references/patterns.md +355 -289
  51. package/template/.aioson/skills/design/cognitive-core-ui/references/websites.md +443 -437
  52. package/template/.aioson/skills/design/glassmorphism-ui/SKILL.md +245 -222
  53. package/template/.aioson/skills/design/glassmorphism-ui/references/art-direction.md +159 -159
  54. package/template/.aioson/skills/design/glassmorphism-ui/references/components.md +498 -498
  55. package/template/.aioson/skills/design/glassmorphism-ui/references/dashboards.md +236 -236
  56. package/template/.aioson/skills/design/glassmorphism-ui/references/design-tokens.md +274 -274
  57. package/template/.aioson/skills/design/glassmorphism-ui/references/motion.md +355 -355
  58. package/template/.aioson/skills/design/glassmorphism-ui/references/patterns.md +198 -198
  59. package/template/.aioson/skills/design/glassmorphism-ui/references/websites.md +307 -307
  60. package/template/.aioson/skills/design/interface-design/SKILL.md +68 -47
  61. package/template/.aioson/skills/design/interface-design/references/components-and-states.md +105 -105
  62. package/template/.aioson/skills/design/interface-design/references/design-directions.md +101 -101
  63. package/template/.aioson/skills/design/interface-design/references/handoff-and-quality.md +92 -71
  64. package/template/.aioson/skills/design/interface-design/references/intent-and-domain.md +74 -74
  65. package/template/.aioson/skills/design/interface-design/references/tokens-and-depth.md +173 -173
  66. package/template/.aioson/skills/design/neo-brutalist-ui/SKILL.md +236 -213
  67. package/template/.aioson/skills/design/neo-brutalist-ui/references/art-direction.md +228 -228
  68. package/template/.aioson/skills/design/neo-brutalist-ui/references/components.md +855 -855
  69. package/template/.aioson/skills/design/neo-brutalist-ui/references/dashboards.md +334 -334
  70. package/template/.aioson/skills/design/neo-brutalist-ui/references/design-tokens.md +342 -342
  71. package/template/.aioson/skills/design/neo-brutalist-ui/references/motion.md +286 -286
  72. package/template/.aioson/skills/design/neo-brutalist-ui/references/patterns.md +458 -458
  73. package/template/.aioson/skills/design/neo-brutalist-ui/references/websites.md +723 -723
  74. package/template/.aioson/skills/design/premium-command-center-ui/SKILL.md +83 -62
  75. package/template/.aioson/skills/design/premium-command-center-ui/references/operations.md +74 -74
  76. package/template/.aioson/skills/design/premium-command-center-ui/references/patterns.md +116 -116
  77. package/template/.aioson/skills/design/premium-command-center-ui/references/validation.md +47 -47
  78. package/template/.aioson/skills/design/premium-command-center-ui/references/visual-system.md +215 -215
  79. package/template/.aioson/skills/design/pt.squarespace.com/.skill-meta.json +31 -31
  80. package/template/.aioson/skills/design/pt.squarespace.com/SKILL.md +94 -66
  81. package/template/.aioson/skills/design/pt.squarespace.com/references/components.md +366 -366
  82. package/template/.aioson/skills/design/pt.squarespace.com/references/design-tokens.md +150 -150
  83. package/template/.aioson/skills/design/pt.squarespace.com/references/motion.md +270 -270
  84. package/template/.aioson/skills/design/pt.squarespace.com/references/patterns.md +189 -189
  85. package/template/.aioson/skills/design/pt.squarespace.com/references/websites.md +161 -161
  86. package/template/.aioson/skills/design/warm-craft-ui/SKILL.md +232 -209
  87. package/template/.aioson/skills/design/warm-craft-ui/references/art-direction.md +324 -324
  88. package/template/.aioson/skills/design/warm-craft-ui/references/components.md +508 -508
  89. package/template/.aioson/skills/design/warm-craft-ui/references/dashboards.md +223 -223
  90. package/template/.aioson/skills/design/warm-craft-ui/references/design-tokens.md +374 -374
  91. package/template/.aioson/skills/design/warm-craft-ui/references/motion.md +356 -356
  92. package/template/.aioson/skills/design/warm-craft-ui/references/patterns.md +288 -288
  93. package/template/.aioson/skills/design/warm-craft-ui/references/websites.md +289 -289
@@ -0,0 +1,235 @@
1
+ ---
2
+ description: "AIOSON Play auth, cloud owner token, local operator auth, Play Services, requires_services, dev-link, symlink installs, and smoke testing."
3
+ scope: "global"
4
+ agents: [dev, deyvin, architect, qa, tester, pentester]
5
+ task_types: [aioson-play-app, auth, service-integration, testing]
6
+ triggers: [aioson-auth, AIOSON_COM_TOKEN, requires_services, service.json, dev-link, Play Services, smoke test]
7
+ ---
8
+
9
+ # Auth, Services, And Testing
10
+
11
+ ## Auth systems
12
+
13
+ AIOSON Play has two different auth surfaces:
14
+
15
+ | Surface | Purpose | App receives |
16
+ |---|---|---|
17
+ | `aioson.com` cloud auth | Owner identity, trial, billing, license/status | `AIOSON_COM_TOKEN` |
18
+ | `aioson-auth` Play Service | Local operators, login, RBAC, permissions | service URL and binding id |
19
+
20
+ Do not mix them.
21
+
22
+ Use `aioson.com` when the app needs subscription/trial/license state.
23
+ Use `aioson-auth` when the app needs operators, roles, permissions, 2FA, or local RBAC.
24
+
25
+ ## Cloud owner/trial auth
26
+
27
+ When the owner is logged into AIOSON Play, Play can inject:
28
+
29
+ ```text
30
+ AIOSON_COM_TOKEN=<bearer token>
31
+ ```
32
+
33
+ The app should read it on backend startup and persist it in local settings if needed. If absent, the app should fall back to manual login or a disconnected state.
34
+
35
+ Do not call `https://aioson.com` directly from browser code with this token. Use backend proxy routes.
36
+
37
+ Recommended backend proxy routes:
38
+
39
+ | App route | Purpose |
40
+ |---|---|
41
+ | `GET /api/aioson/connection` | Check local token state |
42
+ | `GET /api/aioson/status?projectId={id}` | Proxy app subscription/trial status |
43
+ | `POST /api/aioson/login` | Manual cloud login fallback |
44
+ | `DELETE /api/aioson/logout` | Clear local token |
45
+
46
+ Cloud endpoints the backend may call:
47
+
48
+ | Endpoint | Purpose |
49
+ |---|---|
50
+ | `POST /api/app-auth/token` | Manual token acquisition |
51
+ | `POST /api/apps/{slug}/install` | Idempotent install/trial registration |
52
+ | `GET /api/apps/{slug}/status?projectId={id}` | Subscription/trial status |
53
+
54
+ ## Local operator auth and RBAC
55
+
56
+ For operator login and RBAC, depend on `aioson-auth`:
57
+
58
+ ```json
59
+ {
60
+ "requires_services": ["aioson-auth"],
61
+ "auth": {
62
+ "version": 1,
63
+ "permissions": ["orders:read", "orders:create"],
64
+ "policies": [
65
+ { "id": "page:orders", "kind": "route", "path": "/orders", "requires": ["orders:read"] }
66
+ ]
67
+ }
68
+ }
69
+ ```
70
+
71
+ `auth.permissions[]` is the app-owned permission catalog. Play syncs it through
72
+ the owner-only app inventory; `aioson-auth` registers it on the existing binding
73
+ so the admin can assign permissions to global roles. Do not rely on Auth scanning
74
+ app source code.
75
+
76
+ Use `@aioson/auth-sdk` as the client layer when available. Avoid handwritten calls to auth endpoints unless the SDK cannot cover the specific case.
77
+
78
+ Env vars Play injects for auth (only these exist):
79
+
80
+ ```text
81
+ VITE_AIOSON_AUTH_URL=http://localhost:3001
82
+ VITE_AIOSON_AUTH_BINDING_ID=<binding-id>
83
+ ```
84
+
85
+ Play injects only the `VITE_`-prefixed auth vars. There is no `AIOSON_AUTH_URL` or `AIOSON_AUTH_BINDING_ID` without the prefix — do not read those, they will be `undefined`. Backend Node code reads the same injected vars through `process.env.VITE_AIOSON_AUTH_URL` and `process.env.VITE_AIOSON_AUTH_BINDING_ID`; the `VITE_` prefix does not stop Node from reading them at runtime. The app slug is the only auth-relevant value injected in both forms: `AIOSON_APP_SLUG` and `VITE_AIOSON_APP_SLUG`.
86
+
87
+ Bearer header is preferred for auth calls:
88
+
89
+ ```http
90
+ Authorization: Bearer <jwt>
91
+ ```
92
+
93
+ Legacy `?token=` may still work in older paths, but new app code should prefer Bearer.
94
+
95
+ Current implemented auth expectations from the Play docs:
96
+
97
+ - JWT can include `binding_id` and `permissions`.
98
+ - App permissions are declared in `manifest.json` `auth.permissions[]` and implemented by the app with SDK gates.
99
+ - `/me/permissions` exists in `aioson-auth`.
100
+ - `@aioson/auth-sdk` MVP exists.
101
+ - Operator SSO token injection from Play keyring is planned in docs, not safe to rely on unless the local code confirms it.
102
+
103
+ ## Owner bypass
104
+
105
+ Some flows allow owner-implicit behavior through the owner cloud identity. Do not use that as a replacement for operator RBAC when the app has real multi-user operator roles.
106
+
107
+ ## Play Services
108
+
109
+ A Play Service is infrastructure, not an app webview.
110
+
111
+ Service shape:
112
+
113
+ ```text
114
+ service/
115
+ service.json
116
+ package.json
117
+ dist/
118
+ ```
119
+
120
+ `service.json`:
121
+
122
+ ```json
123
+ {
124
+ "slug": "aioson-auth",
125
+ "name": "AIOSON Auth",
126
+ "version": "1.0.0",
127
+ "description": "Servico de autenticacao para apps do AIOSON Play.",
128
+ "port": 3001,
129
+ "autostart": true,
130
+ "dev_command": "node dist/server.js",
131
+ "health_check": "/health"
132
+ }
133
+ ```
134
+
135
+ Rules:
136
+
137
+ - Use ports in `3001-3099`.
138
+ - Read `process.env.PORT` in the service.
139
+ - Implement `GET /health`.
140
+ - Configure CORS for localhost app origins.
141
+ - Do not depend on Tauri APIs inside a Play Service.
142
+ - Build to `dist/` before publishing or local symlink service testing.
143
+
144
+ ## Dev-link install
145
+
146
+ Use dev-link for active app development:
147
+
148
+ ```text
149
+ AIOSON Play -> Instalar App -> Linkar pasta (dev) -> select app folder with manifest.json
150
+ ```
151
+
152
+ Dev-link creates a symlink from Play's app data directory to the source folder. It allows fast iteration, but it is not a production publish validation.
153
+
154
+ Windows note: symlink creation normally needs Developer Mode enabled or elevated privileges.
155
+
156
+ When `manifest.json` changes during dev-link, stop and reopen the app in Play to force manifest reload.
157
+
158
+ ## Local symlink layout
159
+
160
+ Common Play data locations:
161
+
162
+ ```text
163
+ Windows: %LOCALAPPDATA%\com.aioson.play\
164
+ Linux: ~/.local/share/com.aioson.play/
165
+ ```
166
+
167
+ Inside:
168
+
169
+ ```text
170
+ apps/{slug}/
171
+ services/{slug}/
172
+ ```
173
+
174
+ For manual local testing, symlink app or service folders there. Prefer the Play UI dev-link flow when available.
175
+
176
+ ## Testing an app
177
+
178
+ Standalone smoke:
179
+
180
+ ```bash
181
+ PORT=3399 pnpm dev
182
+ curl http://localhost:3399/api/health
183
+ curl http://localhost:3399/api/aioson-play
184
+ ```
185
+
186
+ Play smoke:
187
+
188
+ ```text
189
+ 1. Start AIOSON Play.
190
+ 2. Dev-link the app folder.
191
+ 3. Open the app from the Play shell.
192
+ 4. Confirm badge/running state.
193
+ 5. Confirm webview renders.
194
+ 6. Confirm ProductBridge calls to :5180 work.
195
+ 7. Confirm missing auth/bindings show clear degraded states.
196
+ ```
197
+
198
+ Data binding smoke:
199
+
200
+ ```bash
201
+ curl http://localhost:5180/api/registry
202
+ curl http://localhost:5180/api/connectors
203
+ curl http://localhost:5180/api/bindings/meu-app
204
+ ```
205
+
206
+ Service smoke:
207
+
208
+ ```bash
209
+ curl http://localhost:3001/health
210
+ ```
211
+
212
+ ## QA checklist
213
+
214
+ - [ ] `requires_services` matches actual service use.
215
+ - [ ] Apps using `aioson-auth` declare `auth.permissions[]` in `manifest.json`.
216
+ - [ ] Frontend and backend gates use `@aioson/auth-sdk` or a Bearer-compatible server check for those permissions.
217
+ - [ ] Missing service does not produce a confusing crash.
218
+ - [ ] `AIOSON_COM_TOKEN` is never exposed to frontend code.
219
+ - [ ] Operator auth uses SDK or Bearer-compatible client.
220
+ - [ ] `VITE_AIOSON_AUTH_BINDING_ID` absence is handled.
221
+ - [ ] Service uses `process.env.PORT`.
222
+ - [ ] Service has `/health`.
223
+ - [ ] App dev-link reload was tested after manifest changes.
224
+ - [ ] ProductBridge `:5180` endpoints are called only when Play is running or with a fallback/degraded path.
225
+
226
+ ## Source docs
227
+
228
+ Canonical sources:
229
+
230
+ - `app-cloud-auth.md`
231
+ - `auth-integration-gaps.md`
232
+ - `play-service-protocol.md`
233
+ - `dev-link-install.md`
234
+ - `local-dev-testing.md`
235
+ - `platform-architecture.md`
@@ -0,0 +1,238 @@
1
+ ---
2
+ description: "How AIOSON Play apps should consume LLM connections, app-owned databases, Data Bindings, Global Connectors, MCPI, REST connectors, MCP tools, and ProductBridge."
3
+ scope: "global"
4
+ agents: [dev, deyvin, architect, analyst, qa, tester]
5
+ task_types: [aioson-play-app, data-integration, llm-integration]
6
+ triggers: [LLM connections, DATABASE_URL, data_bindings, Global Connectors, MCPI, MCP tools, ProductBridge]
7
+ ---
8
+
9
+ # LLM, Data, And Bindings
10
+
11
+ ## Three separate surfaces
12
+
13
+ Do not mix these:
14
+
15
+ | Surface | Owner | App does |
16
+ |---|---|---|
17
+ | LLM connections | AIOSON Play Settings | Reads injected env vars or metadata and lazy-inits clients |
18
+ | Operational app DB | The app | Reads `DATABASE_URL`, runs migrations, owns data |
19
+ | External/domain data | Play Global Connectors | Declares `data_bindings`, binds aliases, calls ProductBridge |
20
+
21
+ ## LLM connections
22
+
23
+ Play manages global LLM connections in Settings:
24
+
25
+ - one API key per provider
26
+ - models validated by operation
27
+ - fallback order by operation
28
+ - capabilities such as vision/audio inferred from validated models
29
+
30
+ Apps should not store Play LLM secrets in repository files or frontend code.
31
+
32
+ Expected app behavior:
33
+
34
+ - Prefer app-local explicit config only when the app intentionally lets the user override provider settings.
35
+ - Otherwise read provider API keys injected by Play during spawn, such as `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, or `OPENROUTER_API_KEY`.
36
+ - Lazy-initialize LLM clients. Do not instantiate SDK clients at module load, because missing keys can crash the backend before the app can render a degraded state.
37
+ - Treat `llm-chain.json` as metadata/order only when present. It must not contain API keys.
38
+ - Treat `aioson-models.json` or `llm-chain.json` in the app cwd as optional/legacy for installed apps, not the primary credential contract.
39
+
40
+ Recommended lazy pattern:
41
+
42
+ ```ts
43
+ let client: OpenAI | null = null;
44
+
45
+ function getOpenAiClient() {
46
+ const apiKey = process.env.OPENAI_API_KEY;
47
+ if (!apiKey) return null;
48
+ client ??= new OpenAI({ apiKey });
49
+ return client;
50
+ }
51
+ ```
52
+
53
+ Supported operation names in current Play docs include:
54
+
55
+ - `text_generation`
56
+ - `code_generation`
57
+ - `image_understanding`
58
+ - `image_generation`
59
+ - `video_understanding`
60
+ - `video_generation`
61
+ - `speech_to_text`
62
+ - `text_to_speech`
63
+ - `audio_understanding`
64
+ - `realtime_voice`
65
+
66
+ ## Operational database of the app
67
+
68
+ The app owns its own operational database. Play does not provide a shared app database.
69
+
70
+ Default recommendation:
71
+
72
+ - SQLite with WAL mode for most local-first apps.
73
+ - Read `DATABASE_URL` from env with fallback to `app-config.yaml`.
74
+ - Declare supported drivers from day 1 even if only SQLite is used.
75
+
76
+ `app-config.yaml` pattern:
77
+
78
+ ```yaml
79
+ database:
80
+ default_url: "sqlite://./data/app.db?mode=rwc"
81
+ supported_drivers: ["sqlite", "postgres"]
82
+ sqlite_pragmas:
83
+ journal_mode: "WAL"
84
+ synchronous: "NORMAL"
85
+ busy_timeout: 5000
86
+ ```
87
+
88
+ App code pattern:
89
+
90
+ ```ts
91
+ const url = process.env.DATABASE_URL ?? config.database.default_url;
92
+ const driver = url.startsWith("postgres://") ? "postgres" : "sqlite";
93
+ const db = await connect(url, driver);
94
+
95
+ if (driver === "sqlite") {
96
+ await db.exec("PRAGMA journal_mode=WAL");
97
+ await db.exec("PRAGMA synchronous=NORMAL");
98
+ await db.exec("PRAGMA busy_timeout=5000");
99
+ }
100
+ ```
101
+
102
+ Only move beyond SQLite when there is an objective need, such as:
103
+
104
+ - persistent `SQLITE_BUSY` after WAL and `busy_timeout`
105
+ - `pgvector`
106
+ - serious JSONB indexing
107
+ - full-text ranking beyond SQLite FTS5
108
+ - multiple app processes writing to the same database
109
+ - pre-existing customer Postgres infrastructure
110
+ - multi-device sync or online-first architecture
111
+
112
+ ## External data through Data Bindings
113
+
114
+ External domain data belongs to Play Global Connectors, not to app-specific connection UIs.
115
+
116
+ The app declares slots in `app-config.yaml`:
117
+
118
+ ```yaml
119
+ data_bindings:
120
+ - id: "busca-produtos"
121
+ description: "Busca produtos no catalogo por nome ou principio ativo"
122
+ accepted_types: ["mcpi", "api", "mcp"]
123
+ required_params:
124
+ - "search"
125
+
126
+ - id: "webhook-pedido"
127
+ description: "Notifica sistema externo quando um pedido e confirmado"
128
+ accepted_types: ["api"]
129
+ required_params:
130
+ - "pedido_json"
131
+ ```
132
+
133
+ Fields:
134
+
135
+ | Field | Meaning |
136
+ |---|---|
137
+ | `id` | Slot slug. Also the binding alias. Prefer kebab-case. |
138
+ | `description` | Human-readable text for the app/admin UI. |
139
+ | `accepted_types` | Canonical array: `mcpi`, `api`, `mcp`. |
140
+ | `required_params` | Placeholder names expected by the connector. |
141
+
142
+ `expected_type` is legacy. Prefer `accepted_types` in new apps.
143
+
144
+ ## What Play owns
145
+
146
+ Play Settings owns:
147
+
148
+ - Database Connections
149
+ - Data Connectors
150
+ - credential/keyring storage for connector auth
151
+ - connector validation status
152
+ - global admin view of App Data Sources
153
+
154
+ For MCPI connectors, only validated Database Connections should be selectable when the driver supports validation.
155
+
156
+ ## What the app owns
157
+
158
+ The app should expose a "Fontes de Dados" or equivalent in-app view when it has `data_bindings`.
159
+
160
+ The app consumes ProductBridge:
161
+
162
+ ```ts
163
+ const PLAY_BASE = import.meta.env.VITE_AIOSON_PLAY_URL || "http://localhost:5180";
164
+ const APP_SLUG = import.meta.env.VITE_AIOSON_APP_SLUG || "meu-app";
165
+
166
+ const connectors = await fetch(`${PLAY_BASE}/api/connectors?type=mcpi`).then(r => r.json());
167
+ const bindings = await fetch(`${PLAY_BASE}/api/bindings/${APP_SLUG}`).then(r => r.json());
168
+
169
+ await fetch(`${PLAY_BASE}/api/bindings/${APP_SLUG}`, {
170
+ method: "POST",
171
+ headers: { "Content-Type": "application/json" },
172
+ body: JSON.stringify({
173
+ connector_id: "<uuid-do-connector>",
174
+ alias: "busca-produtos"
175
+ })
176
+ });
177
+ ```
178
+
179
+ ## Executing connectors
180
+
181
+ After binding, execute through ProductBridge by alias:
182
+
183
+ ```http
184
+ POST http://localhost:5180/api/mcp/execute
185
+ Content-Type: application/json
186
+
187
+ {
188
+ "alias": "busca-produtos",
189
+ "params": {
190
+ "search": "dipirona"
191
+ }
192
+ }
193
+ ```
194
+
195
+ The alias must match both:
196
+
197
+ - `data_bindings[].id`
198
+ - the active binding alias
199
+
200
+ ## Degraded state
201
+
202
+ If a declared binding is absent:
203
+
204
+ - Do not crash.
205
+ - Show a clear degraded state.
206
+ - Link the user to the app's data-source binding UI when possible.
207
+ - For non-optional connectors, block only the affected workflow, not the whole app unless the app cannot function.
208
+
209
+ Boot check:
210
+
211
+ ```ts
212
+ async function getMissingBindings(appSlug: string) {
213
+ const playBase = import.meta.env.VITE_AIOSON_PLAY_URL || "http://localhost:5180";
214
+ const bindings = await fetch(`${playBase}/api/bindings/${appSlug}`).then(r => r.json());
215
+ const activeAliases = new Set(bindings.map((b: { alias: string }) => b.alias));
216
+ return declaredBindings.filter(binding => !activeAliases.has(binding.id));
217
+ }
218
+ ```
219
+
220
+ ## LLM tool injection
221
+
222
+ Global Connectors are only useful to the LLM after they are bound to the app. Play can generate tool metadata from bindings, and the sidecar/orchestrator can use it in LLM payloads.
223
+
224
+ Agent rule:
225
+
226
+ - Keep connector names and descriptions accurate.
227
+ - Do not advertise tools/endpoints that are not implemented.
228
+ - Use prepared statements or connector-side parameterization for MCPI. The LLM must not assemble raw SQL.
229
+
230
+ ## Source docs
231
+
232
+ Canonical sources:
233
+
234
+ - `app-data-bindings.md`
235
+ - `app-database-choice.md`
236
+ - `integration-manual.md`
237
+ - `ai-app-integration.md`
238
+ - `platform-architecture.md`