@lssm/lib.contracts 0.0.0-canary-20251217052941 → 0.0.0-canary-20251217060433

package/dist/integrations/providers/sms.d.ts

@@ -0,0 +1,34 @@
+//#region src/integrations/providers/sms.d.ts
+interface SmsMessage {
+  id: string;
+  to: string;
+  from: string;
+  body: string;
+  status: 'queued' | 'sending' | 'sent' | 'delivered' | 'undelivered' | 'failed';
+  providerMessageId?: string;
+  carrier?: string;
+  price?: number;
+  priceCurrency?: string;
+  sentAt?: Date;
+  deliveredAt?: Date;
+  errorCode?: string;
+  errorMessage?: string;
+}
+interface SendSmsInput {
+  to: string;
+  from?: string;
+  body: string;
+  metadata?: Record<string, string>;
+}
+interface SmsDeliveryStatus {
+  status: SmsMessage['status'];
+  errorCode?: string;
+  errorMessage?: string;
+  updatedAt: Date;
+}
+interface SmsProvider {
+  sendSms(input: SendSmsInput): Promise<SmsMessage>;
+  getDeliveryStatus(messageId: string): Promise<SmsDeliveryStatus>;
+}
+//#endregion
+export { SendSmsInput, SmsDeliveryStatus, SmsMessage, SmsProvider };

package/dist/integrations/providers/storage.d.ts

@@ -0,0 +1,60 @@
+//#region src/integrations/providers/storage.d.ts
+interface StorageObjectMetadata {
+  bucket: string;
+  key: string;
+  sizeBytes?: number;
+  contentType?: string;
+  etag?: string;
+  checksum?: string;
+  lastModified?: Date;
+  metadata?: Record<string, string>;
+}
+type StorageObjectBody = {
+  data: Uint8Array;
+  stream?: never;
+} | {
+  data?: never;
+  stream: AsyncIterable<Uint8Array>;
+};
+type GetObjectResult = StorageObjectMetadata & StorageObjectBody;
+interface PutObjectInput {
+  bucket: string;
+  key: string;
+  data: Uint8Array | ArrayBuffer;
+  contentType?: string;
+  metadata?: Record<string, string>;
+  makePublic?: boolean;
+}
+interface DeleteObjectInput {
+  bucket: string;
+  key: string;
+}
+interface SignedUrlOptions {
+  bucket: string;
+  key: string;
+  expiresInSeconds: number;
+  method?: 'GET' | 'PUT';
+  contentType?: string;
+}
+interface ListObjectsQuery {
+  bucket: string;
+  prefix?: string;
+  maxResults?: number;
+  pageToken?: string;
+}
+interface ListObjectsResult {
+  objects: StorageObjectMetadata[];
+  nextPageToken?: string;
+}
+interface ObjectStorageProvider {
+  putObject(input: PutObjectInput): Promise<StorageObjectMetadata>;
+  getObject(input: DeleteObjectInput): Promise<GetObjectResult | null>;
+  deleteObject(input: DeleteObjectInput): Promise<void>;
+  generateSignedUrl(options: SignedUrlOptions): Promise<{
+    url: string;
+    expiresAt: Date;
+  }>;
+  listObjects(query: ListObjectsQuery): Promise<ListObjectsResult>;
+}
+//#endregion
+export { DeleteObjectInput, GetObjectResult, ListObjectsQuery, ListObjectsResult, ObjectStorageProvider, PutObjectInput, SignedUrlOptions, StorageObjectBody, StorageObjectMetadata };

package/dist/integrations/providers/stripe.d.ts

@@ -0,0 +1,7 @@
+import { IntegrationSpec, IntegrationSpecRegistry } from "../spec.js";
+
+//#region src/integrations/providers/stripe.d.ts
+declare const stripeIntegrationSpec: IntegrationSpec;
+declare function registerStripeIntegration(registry: IntegrationSpecRegistry): IntegrationSpecRegistry;
+//#endregion
+export { registerStripeIntegration, stripeIntegrationSpec };

package/dist/integrations/providers/twilio-sms.d.ts

@@ -0,0 +1,7 @@
+import { IntegrationSpec, IntegrationSpecRegistry } from "../spec.js";
+
+//#region src/integrations/providers/twilio-sms.d.ts
+declare const twilioSmsIntegrationSpec: IntegrationSpec;
+declare function registerTwilioSmsIntegration(registry: IntegrationSpecRegistry): IntegrationSpecRegistry;
+//#endregion
+export { registerTwilioSmsIntegration, twilioSmsIntegrationSpec };

package/dist/integrations/providers/vector-store.d.ts

@@ -0,0 +1,43 @@
+import { EmbeddingVector } from "./embedding.js";
+
+//#region src/integrations/providers/vector-store.d.ts
+interface VectorDocument {
+  id: string;
+  vector: EmbeddingVector;
+  payload?: Record<string, unknown>;
+  namespace?: string;
+  expiresAt?: Date;
+}
+interface VectorUpsertRequest {
+  collection: string;
+  documents: VectorDocument[];
+  waitForSync?: boolean;
+}
+interface VectorDeleteRequest {
+  collection: string;
+  ids: string[];
+  namespace?: string;
+}
+interface VectorSearchQuery {
+  collection: string;
+  vector: EmbeddingVector;
+  topK: number;
+  namespace?: string;
+  filter?: Record<string, unknown>;
+  scoreThreshold?: number;
+  consistent?: boolean;
+}
+interface VectorSearchResult {
+  id: string;
+  score: number;
+  payload?: Record<string, unknown>;
+  vector?: EmbeddingVector;
+  namespace?: string;
+}
+interface VectorStoreProvider {
+  upsert(request: VectorUpsertRequest): Promise<void>;
+  search(query: VectorSearchQuery): Promise<VectorSearchResult[]>;
+  delete(request: VectorDeleteRequest): Promise<void>;
+}
+//#endregion
+export { VectorDeleteRequest, VectorDocument, VectorSearchQuery, VectorSearchResult, VectorStoreProvider, VectorUpsertRequest };

package/dist/integrations/providers/voice.d.ts

@@ -0,0 +1,34 @@
+//#region src/integrations/providers/voice.d.ts
+interface Voice {
+  id: string;
+  name: string;
+  description?: string;
+  language?: string;
+  gender?: 'male' | 'female' | 'neutral';
+  previewUrl?: string;
+  metadata?: Record<string, string>;
+}
+interface VoiceSynthesisInput {
+  text: string;
+  voiceId?: string;
+  language?: string;
+  style?: number;
+  stability?: number;
+  similarityBoost?: number;
+  format?: 'mp3' | 'wav' | 'ogg' | 'pcm';
+  sampleRateHz?: number;
+  metadata?: Record<string, string>;
+}
+interface VoiceSynthesisResult {
+  audio: Uint8Array;
+  format: string;
+  sampleRateHz: number;
+  durationSeconds?: number;
+  url?: string;
+}
+interface VoiceProvider {
+  listVoices(): Promise<Voice[]>;
+  synthesize(input: VoiceSynthesisInput): Promise<VoiceSynthesisResult>;
+}
+//#endregion
+export { Voice, VoiceProvider, VoiceSynthesisInput, VoiceSynthesisResult };

package/dist/integrations/runtime.d.ts

@@ -0,0 +1,99 @@
+import { IntegrationSpec } from "./spec.js";
+import { ConnectionStatus, IntegrationConnection } from "./connection.js";
+import { ResolvedAppConfig, ResolvedIntegration } from "../app-config/runtime.js";
+import { SecretProvider } from "./secrets/provider.js";
+
+//#region src/integrations/runtime.d.ts
+interface IntegrationTraceMetadata {
+  blueprintName: string;
+  blueprintVersion: number;
+  configVersion: number;
+}
+interface IntegrationTelemetryEvent {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  slotId?: string;
+  integrationKey: string;
+  integrationVersion: number;
+  connectionId: string;
+  status: 'success' | 'error';
+  durationMs?: number;
+  errorCode?: string;
+  errorMessage?: string;
+  occurredAt: Date;
+  metadata?: Record<string, string | number | boolean>;
+}
+interface IntegrationTelemetryEmitter {
+  record(event: IntegrationTelemetryEvent): Promise<void> | void;
+}
+type IntegrationInvocationStatus = 'success' | 'error';
+interface IntegrationContext {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  slotId?: string;
+  spec: IntegrationSpec;
+  connection: IntegrationConnection;
+  secretProvider: SecretProvider;
+  secretReference: string;
+  trace: IntegrationTraceMetadata;
+  config?: Record<string, unknown>;
+}
+interface IntegrationCallContext {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  blueprintName: string;
+  blueprintVersion: number;
+  configVersion: number;
+  slotId: string;
+  operation: string;
+}
+interface IntegrationCallError {
+  code: string;
+  message: string;
+  retryable: boolean;
+  cause?: unknown;
+}
+interface IntegrationCallResult<T> {
+  success: boolean;
+  data?: T;
+  error?: IntegrationCallError;
+  metadata: {
+    latencyMs: number;
+    connectionId: string;
+    ownershipMode: IntegrationConnection['ownershipMode'];
+    attempts: number;
+  };
+}
+interface IntegrationCallGuardOptions {
+  telemetry?: IntegrationTelemetryEmitter;
+  maxAttempts?: number;
+  backoffMs?: number;
+  shouldRetry?: (error: unknown, attempt: number) => boolean;
+  sleep?: (ms: number) => Promise<void>;
+  now?: () => Date;
+}
+declare class IntegrationCallGuard {
+  private readonly secretProvider;
+  private readonly telemetry?;
+  private readonly maxAttempts;
+  private readonly backoffMs;
+  private readonly shouldRetry;
+  private readonly sleep;
+  private readonly now;
+  constructor(secretProvider: SecretProvider, options?: IntegrationCallGuardOptions);
+  executeWithGuards<T>(slotId: string, operation: string, input: unknown, resolvedConfig: ResolvedAppConfig, executor: (connection: IntegrationConnection, secrets: Record<string, string>) => Promise<T>): Promise<IntegrationCallResult<T>>;
+  private findIntegration;
+  private fetchSecrets;
+  private parseSecret;
+  private emitTelemetry;
+  private failure;
+  private makeContext;
+  private errorCodeFor;
+}
+declare function ensureConnectionReady(integration: ResolvedIntegration): void;
+declare function connectionStatusLabel(status: ConnectionStatus): string;
+//#endregion
+export { IntegrationCallContext, IntegrationCallError, IntegrationCallGuard, IntegrationCallGuardOptions, IntegrationCallResult, IntegrationContext, IntegrationInvocationStatus, IntegrationTelemetryEmitter, IntegrationTelemetryEvent, IntegrationTraceMetadata, connectionStatusLabel, ensureConnectionReady };

package/dist/integrations/secrets/aws-secret-manager.d.ts

@@ -0,0 +1,31 @@
+import { SecretFetchOptions, SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+
+//#region src/integrations/secrets/aws-secret-manager.d.ts
+type AwsSecretsManagerClient = Pick<SecretsManagerClient, 'send'>;
+type AwsSecretsManagerClientConfig = ConstructorParameters<typeof SecretsManagerClient>[0];
+interface AwsSecretsManagerProviderOptions {
+  region?: string;
+  client?: AwsSecretsManagerClient;
+  clientConfig?: AwsSecretsManagerClientConfig;
+}
+declare class AwsSecretsManagerProvider implements SecretProvider {
+  readonly id = "aws-secrets-manager";
+  private readonly explicitRegion?;
+  private readonly injectedClient?;
+  private readonly clientConfig?;
+  private readonly clientsByRegion;
+  constructor(options?: AwsSecretsManagerProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private getClient;
+  private parseReference;
+  private resolveRegion;
+  private buildVersionSelector;
+  private buildReference;
+}
+//#endregion
+export { AwsSecretsManagerProvider };

package/dist/integrations/secrets/env-secret-provider.d.ts

@@ -0,0 +1,31 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+
+//#region src/integrations/secrets/env-secret-provider.d.ts
+interface EnvSecretProviderOptions {
+  /**
+   * Optional map to alias secret references to environment variable names.
+   * Useful when referencing secrets from other providers (e.g. gcp://...)
+   * while still allowing local overrides.
+   */
+  aliases?: Record<string, string>;
+}
+/**
+ * Environment-variable backed secret provider. Read-only by design.
+ * Allows overriding other secret providers by deriving environment variable
+ * names from secret references (or by using explicit aliases).
+ */
+declare class EnvSecretProvider implements SecretProvider {
+  readonly id = "env";
+  private readonly aliases;
+  constructor(options?: EnvSecretProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference): Promise<SecretValue>;
+  setSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private resolveEnvKey;
+  private deriveEnvKey;
+  private forbiddenError;
+}
+//#endregion
+export { EnvSecretProvider };

package/dist/integrations/secrets/gcp-secret-manager.d.ts

@@ -0,0 +1,32 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+import { CallOptions } from "google-gax";
+
+//#region src/integrations/secrets/gcp-secret-manager.d.ts
+type SecretManagerClient = SecretManagerServiceClient;
+interface GcpSecretManagerProviderOptions {
+  projectId?: string;
+  client?: SecretManagerClient;
+  clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];
+  defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;
+}
+declare class GcpSecretManagerProvider implements SecretProvider {
+  readonly id = "gcp-secret-manager";
+  private readonly client;
+  private readonly explicitProjectId?;
+  private readonly replication;
+  constructor(options?: GcpSecretManagerProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: {
+    version?: string;
+  }, callOptions?: CallOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private parseReference;
+  private buildNames;
+  private buildVersionName;
+  private ensureSecretExists;
+}
+//#endregion
+export { GcpSecretManagerProvider };

package/dist/integrations/secrets/gcp-secret-manager.js

@@ -1 +1 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{SecretManagerServiceClient as r}from"@google-cloud/secret-manager";const i={automatic:{}};var a=class{id=`gcp-secret-manager`;client;explicitProjectId;replication;constructor(e={}){this.client=e.client??new r(e.clientOptions??{}),this.explicitProjectId=e.projectId,this.replication=e.defaultReplication??i}canHandle(e){try{return n(e).provider===`gcp`}catch{return!1}}async getSecret(t,n,r){let i=this.parseReference(t),a=this.buildVersionName(i,n?.version);try{let[n]=await this.client.accessSecretVersion({name:a},r??{}),i=n.payload;if(!i?.data)throw new e({message:`Secret payload empty for ${a}`,provider:this.id,reference:t,code:`UNKNOWN`});let s=o(n.name??a);return{data:i.data,version:s,metadata:i.dataCrc32c?{crc32c:i.dataCrc32c.toString()}:void 0,retrievedAt:new Date}}catch(e){throw s({error:e,provider:this.id,reference:t,operation:`access`})}}async setSecret(n,r){let i=this.parseReference(n),{secretName:a}=this.buildNames(i),c=t(r);await this.ensureSecretExists(i,r);try{let t=await this.client.addSecretVersion({parent:a,payload:{data:c}});if(!t)throw new e({message:`No version returned when adding secret version for ${a}`,provider:this.id,reference:n,code:`UNKNOWN`});let[r]=t,i=r?.name??`${a}/versions/latest`;return{reference:`gcp://${i}`,version:o(i)??`latest`}}catch(e){throw s({error:e,provider:this.id,reference:n,operation:`addSecretVersion`})}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),{secretName:n}=this.buildNames(t);try{await this.client.deleteSecret({name:n})}catch(t){throw s({error:t,provider:this.id,reference:e,operation:`delete`})}}parseReference(t){let r=n(t);if(r.provider!==`gcp`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<4||i[0]!==`projects`)throw new e({message:`Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let a=i[1]??this.explicitProjectId;if(!a)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let o=i.indexOf(`secrets`);if(o===-1||o+1>=i.length)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let s=a,c=i[o+1];if(!c)throw new e({message:`Unable to resolve secret ID from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let l=c,u=i.indexOf(`versions`);return{projectId:s,secretId:l,version:r.extras?.version??(u!==-1&&u+1<i.length?i[u+1]:void 0)}}buildNames(t){let n=t.projectId??this.explicitProjectId;if(!n)throw new e({message:`Project ID must be provided either in reference or provider configuration`,provider:this.id,reference:`gcp://projects//secrets/${t.secretId}`,code:`INVALID`});let r=`projects/${n}`;return{projectParent:r,secretName:`${r}/secrets/${t.secretId}`}}buildVersionName(e,t){let{secretName:n}=this.buildNames(e);return`${n}/versions/${t??e.version??`latest`}`}async ensureSecretExists(e,t){let{secretName:n,projectParent:r}=this.buildNames(e);try{await this.client.getSecret({name:n})}catch(i){let a=s({error:i,provider:this.id,reference:`gcp://${n}`,operation:`getSecret`,suppressThrow:!0});if(!a||a.code!==`NOT_FOUND`)throw a||i;try{await this.client.createSecret({parent:r,secretId:e.secretId,secret:{replication:this.replication,labels:t.labels}})}catch(e){throw s({error:e,provider:this.id,reference:`gcp://${n}`,operation:`createSecret`})}}}};function o(e){let t=e.split(`/`).filter(Boolean),n=t.indexOf(`versions`);if(!(n===-1||n+1>=t.length))return t[n+1]}function s(t){let{error:n,provider:r,reference:i,operation:a,suppressThrow:o}=t;if(n instanceof e)return n;let s=c(n),l=new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n});if(o)return l;throw l}function c(e){if(typeof e!=`object`||!e)return`UNKNOWN`;let t=e.code;return t===5||t===`NOT_FOUND`?`NOT_FOUND`:t===6||t===`ALREADY_EXISTS`?`INVALID`:t===7||t===`PERMISSION_DENIED`||t===403?`FORBIDDEN`:t===3||t===`INVALID_ARGUMENT`?`INVALID`:`UNKNOWN`}export{a as GcpSecretManagerProvider};
+import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{SecretManagerServiceClient as r,protos as i}from"@google-cloud/secret-manager";const a={automatic:{}};var o=class{id=`gcp-secret-manager`;client;explicitProjectId;replication;constructor(e={}){this.client=e.client??new r(e.clientOptions??{}),this.explicitProjectId=e.projectId,this.replication=e.defaultReplication??a}canHandle(e){try{return n(e).provider===`gcp`}catch{return!1}}async getSecret(t,n,r){let i=this.parseReference(t),a=this.buildVersionName(i,n?.version);try{let[n]=await this.client.accessSecretVersion({name:a},r??{}),i=n.payload;if(!i?.data)throw new e({message:`Secret payload empty for ${a}`,provider:this.id,reference:t,code:`UNKNOWN`});let o=s(n.name??a);return{data:i.data,version:o,metadata:i.dataCrc32c?{crc32c:i.dataCrc32c.toString()}:void 0,retrievedAt:new Date}}catch(e){throw c({error:e,provider:this.id,reference:t,operation:`access`})}}async setSecret(n,r){let i=this.parseReference(n),{secretName:a}=this.buildNames(i),o=t(r);await this.ensureSecretExists(i,r);try{let t=await this.client.addSecretVersion({parent:a,payload:{data:o}});if(!t)throw new e({message:`No version returned when adding secret version for ${a}`,provider:this.id,reference:n,code:`UNKNOWN`});let[r]=t,i=r?.name??`${a}/versions/latest`;return{reference:`gcp://${i}`,version:s(i)??`latest`}}catch(e){throw c({error:e,provider:this.id,reference:n,operation:`addSecretVersion`})}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),{secretName:n}=this.buildNames(t);try{await this.client.deleteSecret({name:n})}catch(t){throw c({error:t,provider:this.id,reference:e,operation:`delete`})}}parseReference(t){let r=n(t);if(r.provider!==`gcp`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<4||i[0]!==`projects`)throw new e({message:`Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let a=i[1]??this.explicitProjectId;if(!a)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let o=i.indexOf(`secrets`);if(o===-1||o+1>=i.length)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let s=a,c=i[o+1];if(!c)throw new e({message:`Unable to resolve secret ID from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let l=c,u=i.indexOf(`versions`);return{projectId:s,secretId:l,version:r.extras?.version??(u!==-1&&u+1<i.length?i[u+1]:void 0)}}buildNames(t){let n=t.projectId??this.explicitProjectId;if(!n)throw new e({message:`Project ID must be provided either in reference or provider configuration`,provider:this.id,reference:`gcp://projects//secrets/${t.secretId}`,code:`INVALID`});let r=`projects/${n}`;return{projectParent:r,secretName:`${r}/secrets/${t.secretId}`}}buildVersionName(e,t){let{secretName:n}=this.buildNames(e);return`${n}/versions/${t??e.version??`latest`}`}async ensureSecretExists(e,t){let{secretName:n,projectParent:r}=this.buildNames(e);try{await this.client.getSecret({name:n})}catch(i){let a=c({error:i,provider:this.id,reference:`gcp://${n}`,operation:`getSecret`,suppressThrow:!0});if(!a||a.code!==`NOT_FOUND`)throw a||i;try{await this.client.createSecret({parent:r,secretId:e.secretId,secret:{replication:this.replication,labels:t.labels}})}catch(e){throw c({error:e,provider:this.id,reference:`gcp://${n}`,operation:`createSecret`})}}}};function s(e){let t=e.split(`/`).filter(Boolean),n=t.indexOf(`versions`);if(!(n===-1||n+1>=t.length))return t[n+1]}function c(t){let{error:n,provider:r,reference:i,operation:a,suppressThrow:o}=t;if(n instanceof e)return n;let s=l(n),c=new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n});if(o)return c;throw c}function l(e){if(typeof e!=`object`||!e)return`UNKNOWN`;let t=e.code;return t===5||t===`NOT_FOUND`?`NOT_FOUND`:t===6||t===`ALREADY_EXISTS`?`INVALID`:t===7||t===`PERMISSION_DENIED`||t===403?`FORBIDDEN`:t===3||t===`INVALID_ARGUMENT`?`INVALID`:`UNKNOWN`}export{o as GcpSecretManagerProvider};

package/dist/integrations/secrets/index.d.ts

@@ -0,0 +1,7 @@
+import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { AwsSecretsManagerProvider } from "./aws-secret-manager.js";
+import { EnvSecretProvider } from "./env-secret-provider.js";
+import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
+import { ScalewaySecretManagerProvider } from "./scaleway-secret-manager.js";
+import { SecretProviderManager, SecretProviderManagerOptions } from "./manager.js";
+export { AwsSecretsManagerProvider, EnvSecretProvider, GcpSecretManagerProvider, ParsedSecretUri, ScalewaySecretManagerProvider, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };

package/dist/integrations/secrets/manager.d.ts

@@ -0,0 +1,47 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+
+//#region src/integrations/secrets/manager.d.ts
+interface RegisterOptions {
+  /**
+   * Larger priority values are attempted first. Defaults to 0.
+   */
+  priority?: number;
+}
+interface SecretProviderManagerOptions {
+  /**
+   * Override manager identifier. Defaults to "secret-provider-manager".
+   */
+  id?: string;
+  /**
+   * Providers to pre-register. They are registered in array order with
+   * descending priority (first entry wins ties).
+   */
+  providers?: {
+    provider: SecretProvider;
+    priority?: number;
+  }[];
+}
+/**
+ * Composite secret provider that delegates to registered providers.
+ * Providers are attempted in order of descending priority, respecting the
+ * registration order for ties. This enables privileged overrides (e.g.
+ * environment variables) while still supporting durable backends like GCP
+ * Secret Manager.
+ */
+declare class SecretProviderManager implements SecretProvider {
+  readonly id: string;
+  private readonly providers;
+  private registrationCounter;
+  constructor(options?: SecretProviderManagerOptions);
+  register(provider: SecretProvider, options?: RegisterOptions): this;
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private delegateToFirst;
+  private composeError;
+}
+type SecretFetchOptions = Parameters<SecretProvider['getSecret']>[1];
+//#endregion
+export { SecretProviderManager, SecretProviderManagerOptions };

package/dist/integrations/secrets/provider.d.ts

@@ -0,0 +1,52 @@
+//#region src/integrations/secrets/provider.d.ts
+type SecretReference = string;
+interface SecretValue {
+  data: Uint8Array;
+  version?: string;
+  metadata?: Record<string, string>;
+  retrievedAt: Date;
+}
+interface SecretFetchOptions {
+  version?: string;
+}
+type SecretPayloadEncoding = 'utf-8' | 'base64' | 'binary';
+interface SecretWritePayload {
+  data: string | Uint8Array;
+  encoding?: SecretPayloadEncoding;
+  contentType?: string;
+  labels?: Record<string, string>;
+}
+interface SecretRotationResult {
+  reference: SecretReference;
+  version: string;
+}
+interface SecretProvider {
+  readonly id: string;
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+}
+interface ParsedSecretUri {
+  provider: string;
+  path: string;
+  extras?: Record<string, string>;
+}
+declare class SecretProviderError extends Error {
+  readonly provider: string;
+  readonly reference: SecretReference;
+  readonly code: 'NOT_FOUND' | 'FORBIDDEN' | 'INVALID' | 'UNKNOWN';
+  readonly cause?: unknown;
+  constructor(params: {
+    message: string;
+    provider: string;
+    reference: SecretReference;
+    code?: SecretProviderError['code'];
+    cause?: unknown;
+  });
+}
+declare function parseSecretUri(reference: SecretReference): ParsedSecretUri;
+declare function normalizeSecretPayload(payload: SecretWritePayload): Uint8Array;
+//#endregion
+export { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };

package/dist/integrations/secrets/scaleway-secret-manager.d.ts

@@ -0,0 +1,38 @@
+import { SecretFetchOptions, SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+
+//#region src/integrations/secrets/scaleway-secret-manager.d.ts
+interface ScalewaySecretManagerProviderOptions {
+  /**
+   * Scaleway API token (SCW secret key). If omitted, uses env vars.
+   * Header: X-Auth-Token
+   */
+  token?: string;
+  /** Default region when not present in reference (e.g. fr-par). */
+  defaultRegion?: string;
+  /** Default project id used when creating secrets by name. */
+  defaultProjectId?: string;
+  /** Override API base url (defaults to https://api.scaleway.com). */
+  baseUrl?: string;
+  /** Inject fetch for tests. */
+  fetch?: typeof fetch;
+}
+declare class ScalewaySecretManagerProvider implements SecretProvider {
+  readonly id = "scaleway-secret-manager";
+  private readonly token;
+  private readonly defaultRegion?;
+  private readonly defaultProjectId?;
+  private readonly baseUrl;
+  private readonly fetchFn;
+  constructor(options?: ScalewaySecretManagerProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private parseReference;
+  private createSecret;
+  private createSecretVersion;
+  private buildReference;
+}
+//#endregion
+export { ScalewaySecretManagerProvider };

package/dist/integrations/spec.d.ts

@@ -0,0 +1,79 @@
+import { OwnerShipMeta } from "../ownership.js";
+import { CapabilityRef, CapabilityRequirement } from "../capabilities.js";
+
+//#region src/integrations/spec.d.ts
+type IntegrationCategory = 'payments' | 'email' | 'calendar' | 'sms' | 'ai-llm' | 'ai-voice' | 'speech-to-text' | 'vector-db' | 'storage' | 'accounting' | 'crm' | 'helpdesk' | 'open-banking' | 'custom';
+type IntegrationOwnershipMode = 'managed' | 'byok';
+interface IntegrationMeta extends OwnerShipMeta {
+  /** Stable provider slug (e.g., "stripe", "openai"). */
+  key: string;
+  /** Provider version (increment on breaking API changes). */
+  version: number;
+  category: IntegrationCategory;
+  displayName: string;
+}
+interface IntegrationCapabilityMapping {
+  /** Which CapabilitySpec this integration provides. */
+  provides: CapabilityRef[];
+  /** Optional: which capabilities it requires (e.g., storage for caching). */
+  requires?: CapabilityRequirement[];
+}
+interface IntegrationConfigSchema {
+  /** JSON Schema or SchemaModel defining required config fields. */
+  schema: unknown;
+  /** Example configuration (for docs/UI). */
+  example?: Record<string, unknown>;
+}
+interface IntegrationSecretSchema {
+  /** JSON Schema or SchemaModel describing secret fields. */
+  schema: unknown;
+  /** Redacted example for documentation/UI. */
+  example?: Record<string, string>;
+}
+interface IntegrationByokSetup {
+  /** Human-readable instructions for tenants configuring BYOK accounts. */
+  setupInstructions?: string;
+  /** Required scopes/permissions for BYOK accounts. */
+  requiredScopes?: string[];
+}
+interface IntegrationHealthCheck {
+  /** Endpoint or method to validate connection health. */
+  method?: 'ping' | 'list' | 'custom';
+  /** Timeout in ms for health check. */
+  timeoutMs?: number;
+}
+interface IntegrationSpec {
+  meta: IntegrationMeta;
+  /** Supported ownership modes for this provider. */
+  supportedModes: IntegrationOwnershipMode[];
+  /** Which capabilities this integration provides/requires. */
+  capabilities: IntegrationCapabilityMapping;
+  /** Configuration schema (API keys, endpoints, etc.). */
+  configSchema: IntegrationConfigSchema;
+  /** Secret schema (API/key material stored via secretRef). */
+  secretSchema: IntegrationSecretSchema;
+  /** Optional health check configuration. */
+  healthCheck?: IntegrationHealthCheck;
+  /** Documentation URL. */
+  docsUrl?: string;
+  /** Rate limits or usage constraints. */
+  constraints?: {
+    rateLimit?: {
+      rpm?: number;
+      rph?: number;
+    };
+    quotas?: Record<string, number>;
+  };
+  /** Provider-specific metadata for BYOK setup flows. */
+  byokSetup?: IntegrationByokSetup;
+}
+declare class IntegrationSpecRegistry {
+  private readonly items;
+  register(spec: IntegrationSpec): this;
+  list(): IntegrationSpec[];
+  get(key: string, version?: number): IntegrationSpec | undefined;
+  getByCategory(category: IntegrationCategory): IntegrationSpec[];
+}
+declare function makeIntegrationSpecKey(meta: IntegrationMeta): string;
+//#endregion
+export { IntegrationByokSetup, IntegrationCapabilityMapping, IntegrationCategory, IntegrationConfigSchema, IntegrationHealthCheck, IntegrationMeta, IntegrationOwnershipMode, IntegrationSecretSchema, IntegrationSpec, IntegrationSpecRegistry, makeIntegrationSpecKey };

package/dist/jobs/define-job.d.ts

@@ -0,0 +1,18 @@
+import { Job, JobQueue } from "./queue.js";
+import { ZodSchema } from "zod";
+
+//#region src/jobs/define-job.d.ts
+interface DefinedJob<TPayload> {
+  type: string;
+  schema: ZodSchema<TPayload>;
+  handler: (payload: TPayload, job: Job<TPayload>) => Promise<void>;
+}
+/**
+ * Register a `DefinedJob` on a queue with payload validation.
+ *
+ * - Parses and validates payload via the job's Zod schema
+ * - Invokes the defined handler with the validated payload
+ */
+declare function registerDefinedJob<TPayload>(queue: JobQueue, job: DefinedJob<TPayload>): void;
+//#endregion
+export { DefinedJob, registerDefinedJob };