@mastra/client-js 1.22.0-alpha.3 → 1.22.0-alpha.4

package/CHANGELOG.md

@@ -1,5 +1,102 @@
 # @mastra/client-js
 
+## 1.22.0-alpha.4
+
+### Minor Changes
+
+- Added the v1 ToolProvider runtime, server routes, client SDK methods, and editor wiring that power OAuth-backed integrations on stored agents. ([#17248](https://github.com/mastra-ai/mastra/pull/17248))
+
+  **Stored agents can now pin OAuth connections per toolkit**
+
+  A stored agent's config accepts a new `toolProviders` shape that tells the runtime which connection to bind for each toolkit at execution time. Connections can be scoped per-author, shared across an org, or supplied by the caller.
+
+  ```ts
+  {
+    toolProviders: {
+      composio: {
+        connections: {
+          gmail: [{ kind: 'author', toolkit: 'gmail', connectionId: 'auth_abc', scope: 'per-author' }],
+        },
+        tools: {
+          GMAIL_FETCH_EMAILS: { toolkit: 'gmail' },
+        },
+      },
+    },
+  }
+  ```
+
+  **New client SDK surface for managing connections**
+
+  ```ts
+  import { MastraClient } from '@mastra/client-js';
+
+  const client = new MastraClient({ baseUrl: '…' });
+  const composio = client.toolProvider('composio');
+
+  const { items } = await composio.listConnections({ toolkit: 'gmail' });
+  await composio.disconnectConnection('auth_abc');
+  ```
+
+  **New `ToolProvider` interface for custom providers**
+
+  Providers implement a VNext surface (`listToolkitsVNext`, `listToolsVNext`, `resolveToolsVNext`) plus the auth round-trip (`authorize`, `getAuthStatus`, `listConnections`, `disconnectConnection`, `listConnectionFields`, `health`). The Composio provider has been rewritten on this surface; the older catalog methods remain as `@deprecated` shims for back-compat.
+
+  Connections list responses use `page`/`perPage` pagination, matching the rest of the server surface.
+
+  Both stored agents (`editor.agent.getById(...)`) and code-defined agents with stored overrides (`editor.agent.applyStoredOverrides(...)`) resolve `toolProviders` at request time, merging provider-resolved tools alongside code/registry/MCP/integration tools.
+
+  Stored agents that don't set `toolProviders` continue to work unchanged. The Studio/Builder UI ships separately.
+
+### Patch Changes
+
+- Hardened v1 ToolProvider connection routes and SDK forwarding. ([#17248](https://github.com/mastra-ai/mastra/pull/17248))
+
+  **Fail closed on unknown `connectionId`**
+
+  `DELETE /tool-providers/:providerId/connections/:connectionId` and
+  `GET …/usage` now return `403` when storage is configured but no persisted
+  row matches the supplied `connectionId` and the caller isn't an admin.
+  Previously these routes fell through to the caller's own `authorId`, which
+  let non-admin callers probe (and trigger provider-side `revokeConnection`
+  for) IDs that didn't belong to them.
+
+  **Aligned authorize label validation with stored label rules**
+
+  `POST /tool-providers/:providerId/authorize` now enforces the same label
+  rules the stored `toolProviders` config uses (`min(1)`, `max(32)`,
+  `/^[A-Za-z0-9 _-]+$/`). Labels that pass `authorize` are now guaranteed to
+  pass downstream stored-agent validation.
+
+  **SDK forwards `toolkit` on connection-scoped operations**
+
+  `@mastra/client-js`:
+
+  ```ts
+  await client.toolProviders.get('composio').disconnectConnection('ca_xxx', {
+    toolkit: 'gmail',
+    force: true,
+  });
+
+  const usage = await client.toolProviders.get('composio').getConnectionUsage('ca_xxx', { toolkit: 'gmail' });
+  ```
+
+  `disconnectConnection` now forwards `params.toolkit` (previously dropped)
+  and `getConnectionUsage` accepts an optional `{ toolkit }` parameter so
+  toolkit-scoped connection lookups disambiguate correctly server-side.
+
+- Improved observability and error isolation in the v1 ToolProvider runtime. ([#17248](https://github.com/mastra-ai/mastra/pull/17248))
+
+  **Better visibility into connection-scope misconfiguration**
+
+  When an agent runs with a stored ToolProvider connection whose scope cannot be resolved from the request context, the runtime now logs a one-shot warning and falls back to a shared bucket instead of silently routing every caller to the same OAuth account. Multi-tenant deployments get a clear signal when their identity wiring isn't reaching the runtime.
+
+  **One bad toolkit no longer disables sibling providers**
+
+  If a provider returns more connections for a toolkit than its declared capabilities allow, the runtime now logs and skips that toolkit instead of throwing. Other providers and other toolkits on the same agent continue to resolve normally.
+
+- Updated dependencies [[`50ed00c`](https://github.com/mastra-ai/mastra/commit/50ed00caa914a85969b33de83f26b48e328ef641), [`9283971`](https://github.com/mastra-ai/mastra/commit/928397157009b4aef4d5fdf3a0a273cb371beb55), [`0bf2d93`](https://github.com/mastra-ai/mastra/commit/0bf2d932d20e2936f2d9abb8c0a86e24fbc97ec6), [`94dfef6`](https://github.com/mastra-ai/mastra/commit/94dfef6e2bf19a88467ea3940afcbce88a433f0f), [`a122f79`](https://github.com/mastra-ai/mastra/commit/a122f79427ae225ec79c7b2ed46278da48d04b17), [`4c02027`](https://github.com/mastra-ai/mastra/commit/4c020277235eaa6b1dc957c90ad0639eef213992), [`6855012`](https://github.com/mastra-ai/mastra/commit/685501247cc4717506f3e89beed03509d63a5370), [`7fef31c`](https://github.com/mastra-ai/mastra/commit/7fef31c0d2a6d362a43a647a8a4f6ab893758a23), [`7fef31c`](https://github.com/mastra-ai/mastra/commit/7fef31c0d2a6d362a43a647a8a4f6ab893758a23)]:
+  - @mastra/core@1.38.0-alpha.4
+
 ## 1.22.0-alpha.3
 
 ### Minor Changes

package/dist/docs/SKILL.md

@@ -3,7 +3,7 @@ name: mastra-client-js
 description: Documentation for @mastra/client-js. Use when working with @mastra/client-js APIs, configuration, or implementation.
 metadata:
   package: "@mastra/client-js"
-  version: "1.22.0-alpha.3"
+  version: "1.22.0-alpha.4"
 ---
 
 ## When to use

package/dist/docs/assets/SOURCE_MAP.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.22.0-alpha.3",
+  "version": "1.22.0-alpha.4",
   "package": "@mastra/client-js",
   "exports": {
     "RequestContext": {

package/dist/index.cjs

@@ -5243,16 +5243,13 @@ var ToolProvider = class extends BaseResource {
   }
   providerId;
   /**
-   * Lists available toolkits from this provider
-   * @returns Promise containing list of toolkits
+   * Lists available toolkits from this provider.
    */
   listToolkits() {
     return this.request(`/tool-providers/${encodeURIComponent(this.providerId)}/toolkits`);
   }
   /**
-   * Lists available tools from this provider, with optional filtering
-   * @param params - Optional filtering and pagination parameters
-   * @returns Promise containing list of tools
+   * Lists available tools from this provider, with optional filtering.
    */
   listTools(params) {
     const searchParams = new URLSearchParams();
@@ -5274,15 +5271,125 @@ var ToolProvider = class extends BaseResource {
     );
   }
   /**
-   * Gets the input schema for a specific tool
-   * @param toolSlug - The slug of the tool
-   * @returns Promise containing the tool's JSON schema
+   * Gets the input schema for a specific tool.
    */
   getToolSchema(toolSlug) {
     return this.request(
       `/tool-providers/${encodeURIComponent(this.providerId)}/tools/${encodeURIComponent(toolSlug)}/schema`
     );
   }
+  /**
+   * Starts an OAuth flow for a (toolkit, connectionId) pair. Returns a
+   * redirect URL and an opaque auth handle to poll with `getAuthStatus`.
+   */
+  authorize(params) {
+    return this.request(`/tool-providers/${encodeURIComponent(this.providerId)}/authorize`, {
+      method: "POST",
+      body: params
+    });
+  }
+  /**
+   * Polls the OAuth flow status for an outstanding authorize call.
+   */
+  getAuthStatus(authId) {
+    return this.request(
+      `/tool-providers/${encodeURIComponent(this.providerId)}/auth-status/${encodeURIComponent(authId)}`
+    );
+  }
+  /**
+   * Batch-checks whether a set of (connectionId, toolkit) tuples are
+   * currently connected.
+   */
+  getConnectionStatus(params) {
+    return this.request(`/tool-providers/${encodeURIComponent(this.providerId)}/connection-status`, {
+      method: "POST",
+      body: params
+    });
+  }
+  /**
+   * Lists existing provider connections, scoped to a toolkit.
+   *
+   * Default: the connection owner is resolved server-side from the request's
+   * auth context. Admin callers (with `tool-providers:admin` permission) may
+   * pass `authorId` to target a specific author, or omit it to receive
+   * connections across all authors known to `tool_provider_connections` for
+   * this provider/toolkit. Pagination is page-based via `page` (1-indexed)
+   * and `perPage` (default 50, max 200).
+   */
+  listConnections(params) {
+    const searchParams = new URLSearchParams();
+    searchParams.set("toolkit", params.toolkit);
+    if (params.authorId) {
+      searchParams.set("authorId", params.authorId);
+    }
+    if (params.page !== void 0 && params.page !== null) {
+      searchParams.set("page", String(params.page));
+    }
+    if (params.perPage !== void 0 && params.perPage !== null) {
+      searchParams.set("perPage", String(params.perPage));
+    }
+    if (params.scope) {
+      searchParams.set("scope", params.scope);
+    }
+    return this.request(
+      `/tool-providers/${encodeURIComponent(this.providerId)}/connections?${searchParams.toString()}`
+    );
+  }
+  /**
+   * Lists provider-specific fields the picker should collect before
+   * initiating a new connection (e.g. Confluence subdomain). Most toolkits
+   * return an empty array.
+   */
+  listConnectionFields(params) {
+    const searchParams = new URLSearchParams();
+    searchParams.set("toolkit", params.toolkit);
+    return this.request(
+      `/tool-providers/${encodeURIComponent(this.providerId)}/connection-fields?${searchParams.toString()}`
+    );
+  }
+  /**
+   * Disconnects (revokes + deletes) a persisted connection.
+   *
+   * Without `force: true` the server refuses if any agent still pins the
+   * connection. With `force: true` the provider-side revoke is best-effort
+   * (errors are tolerated) and the local row is always removed.
+   */
+  disconnectConnection(connectionId, params) {
+    const searchParams = new URLSearchParams();
+    if (params?.toolkit) {
+      searchParams.set("toolkit", params.toolkit);
+    }
+    if (params?.force) {
+      searchParams.set("force", "true");
+    }
+    const queryString = searchParams.toString();
+    return this.request(
+      `/tool-providers/${encodeURIComponent(this.providerId)}/connections/${encodeURIComponent(connectionId)}${queryString ? `?${queryString}` : ""}`,
+      {
+        method: "DELETE"
+      }
+    );
+  }
+  /**
+   * Lists the agents that currently pin a given connection. Used by the
+   * picker to warn the user before disconnecting a shared account.
+   */
+  getConnectionUsage(connectionId, params) {
+    const searchParams = new URLSearchParams();
+    if (params?.toolkit) {
+      searchParams.set("toolkit", params.toolkit);
+    }
+    const queryString = searchParams.toString();
+    return this.request(
+      `/tool-providers/${encodeURIComponent(this.providerId)}/connections/${encodeURIComponent(connectionId)}/usage${queryString ? `?${queryString}` : ""}`
+    );
+  }
+  /**
+   * Returns provider-level health (config, reachability, etc.).
+   */
+  getHealth() {
+    return this.request(`/tool-providers/${encodeURIComponent(this.providerId)}/health`);
+  }
 };
 
 // src/resources/processor-provider.ts