@mondaydotcomorg/atp-protocol 0.19.7 → 0.19.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.cjs +553 -0
  2. package/dist/index.cjs.map +1 -0
  3. package/dist/index.js +533 -6
  4. package/dist/index.js.map +1 -1
  5. package/package.json +9 -5
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,iBAAiB,CAAC;AAChC,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC"}
1
+ {"version":3,"sources":["../src/types.ts","../src/schemas.ts","../src/validation.ts","../src/auth.ts","../src/providers.ts"],"names":["CallbackType","ToolOperation","ToolOperationType","ToolSensitivityLevel","ExecutionStatus","ExecutionErrorCode","ExecutionConfigSchema","type","properties","timeout","minimum","maximum","maxMemory","maxLLMCalls","allowedAPIs","items","allowLLMCalls","required","SearchOptionsSchema","query","minLength","apiGroups","maxResults","useEmbeddings","embeddingModel","AgentToolProtocolRequestSchema","jsonrpc","enum","id","method","params","AgentToolProtocolResponseSchema","result","error","code","message","data","MAX_CODE_SIZE","ConfigValidationError","Error","constructor","field","value","name","SecurityViolationError","violations","sanitizeInput","input","maxLength","sanitized","replace","length","substring","frameCodeExecution","userCode","cleaned","trim","executionConfigSchema","z","object","number","invalid_type_error","positive","max","optional","nonnegative","array","string","refine","val","boolean","progressCallback","function","customLLMHandler","clientServices","any","provenanceMode","securityPolicies","provenanceHints","validateExecutionConfig","config","parse","ZodError","errors","map","err","join","validateClientId","clientId","test","CredentialResolver","providers","Map","registerProvider","provider","set","resolve","authConfig","get","scheme","resolveAPIKey","resolveBearer","resolveBasic","resolveOAuth2","resolveCustom","resolveComposite","getValue","in","headers","queryParams","token","Authorization","username","usernameEnvVar","process","env","password","passwordEnvVar","credentials","Buffer","from","toString","clientIdEnvVar","clientSecret","clientSecretEnvVar","undefined","flow","fetchOAuth2Token","tokenUrl","scopes","Object","assign","headerEnvVars","headerName","envVar","entries","queryParamEnvVars","paramName","keys","credName","credConfig","injectAs","queryParamName","URLSearchParams","grant_type","client_id","client_secret","append","response","fetch","body","ok","statusText","json","access_token","MultiAuditSink","sinks","write","event","Promise","all","sink","writeBatch","events","filter","disconnect"],"mappings":";;;;;;UAMYA,aAAAA,EAAAA;;;;;GAAAA,YAAAA,KAAAA,YAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAUAC,cAAAA,EAAAA;;GAAAA,aAAAA,KAAAA,aAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UA0IAC,kBAAAA,EAAAA;AACmB,EAAAA,kBAAAA,CAAA,MAAA,CAAA,GAAA,MAAA;AAEE,EAAAA,kBAAAA,CAAA,OAAA,CAAA,GAAA,OAAA;AAEW,EAAAA,kBAAAA,CAAA,aAAA,CAAA,GAAA,aAAA;GALhCA,iBAAAA,KAAAA,iBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAYAC,qBAAAA,EAAAA;AAC8B,EAAAA,qBAAAA,CAAA,QAAA,CAAA,GAAA,QAAA;AAEE,EAAAA,qBAAAA,CAAA,UAAA,CAAA,GAAA,UAAA;AAEI,EAAAA,qBAAAA,CAAA,WAAA,CAAA,GAAA,WAAA;GALpCA,oBAAAA,KAAAA,oBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAsHAC,gBAAAA,EAAAA;;;;;;;;;;;;;;GAAAA,eAAAA,KAAAA,eAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAmBAC,mBAAAA,EAAAA;;;;;;;;;;;;;;;;;;;;;GAAAA,kBAAAA,KAAAA,kBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;;AC7SL,IAAMC,qBAAAA,GAAoC;EAChDC,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXC,OAAAA,EAAS;MAAEF,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,GAAA;MAAMC,OAAAA,EAAS;AAAO,KAAA;IAC1DC,SAAAA,EAAW;MAAEL,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,OAAA;MAASC,OAAAA,EAAS;AAAU,KAAA;IAClEE,WAAAA,EAAa;MAAEN,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,CAAA;MAAGC,OAAAA,EAAS;AAAI,KAAA;IACxDG,WAAAA,EAAa;MAAEP,IAAAA,EAAM,OAAA;MAASQ,KAAAA,EAAO;QAAER,IAAAA,EAAM;AAAS;AAAE,KAAA;IACxDS,aAAAA,EAAe;MAAET,IAAAA,EAAM;AAAU;AAClC,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA,WAAA;AAAa,IAAA,aAAA;AAAe,IAAA,aAAA;AAAe,IAAA;;AAClE;AAEO,IAAMC,mBAAAA,GAAkC;EAC9CX,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXW,KAAAA,EAAO;MAAEZ,IAAAA,EAAM,QAAA;MAAUa,SAAAA,EAAW;AAAE,KAAA;IACtCC,SAAAA,EAAW;MAAEd,IAAAA,EAAM,OAAA;MAASQ,KAAAA,EAAO;QAAER,IAAAA,EAAM;AAAS;AAAE,KAAA;IACtDe,UAAAA,EAAY;MAAEf,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,CAAA;MAAGC,OAAAA,EAAS;AAAI,KAAA;IACvDY,aAAAA,EAAe;MAAEhB,IAAAA,EAAM;AAAU,KAAA;IACjCiB,cAAAA,EAAgB;MAAEjB,IAAAA,EAAM;AAAS;AAClC,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA;;AACZ;AAEO,IAAMQ,8BAAAA,GAA6C;EACzDlB,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXkB,OAAAA,EAAS;MAAEnB,IAAAA,EAAM,QAAA;MAAUoB,IAAAA,EAAM;AAAC,QAAA;;AAAO,KAAA;IACzCC,EAAAA,EAAI;MAAErB,IAAAA,EAAM;AAAC,QAAA,QAAA;AAAU,QAAA;;AAAU,KAAA;IACjCsB,MAAAA,EAAQ;MAAEtB,IAAAA,EAAM;AAAS,KAAA;IACzBuB,MAAAA,EAAQ;MAAEvB,IAAAA,EAAM;AAAS;AAC1B,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA,IAAA;AAAM,IAAA,QAAA;AAAU,IAAA;;AACvC;AAEO,IAAMc,+BAAAA,GAA8C;EAC1DxB,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXkB,OAAAA,EAAS;MAAEnB,IAAAA,EAAM,QAAA;MAAUoB,IAAAA,EAAM;AAAC,QAAA;;AAAO,KAAA;IACzCC,EAAAA,EAAI;MAAErB,IAAAA,EAAM;AAAC,QAAA,QAAA;AAAU,QAAA;;AAAU,KAAA;AACjCyB,IAAAA,MAAAA,EAAQ,EAAC;IACTC,KAAAA,EAAO;MACN1B,IAAAA,EAAM,QAAA;MACNC,UAAAA,EAAY;QACX0B,IAAAA,EAAM;UAAE3B,IAAAA,EAAM;AAAS,SAAA;QACvB4B,OAAAA,EAAS;UAAE5B,IAAAA,EAAM;AAAS,SAAA;AAC1B6B,QAAAA,IAAAA,EAAM;AACP,OAAA;MACAnB,QAAAA,EAAU;AAAC,QAAA,MAAA;AAAQ,QAAA;;AACpB;AACD,GAAA;EACAA,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA;;AACvB;AC5CO,IAAMoB,aAAAA,GAAgB;AAEtB,IAAMC,qBAAAA,GAAN,cAAoCC,KAAAA,CAAAA;EAZ3C;;;;;EAaCC,WAAAA,CACCL,OAAAA,EACgBM,OACAC,KAAAA,EACf;AACD,IAAA,KAAA,CAAMP,OAAAA,CAAAA;SAHUM,KAAAA,GAAAA,KAAAA;SACAC,KAAAA,GAAAA,KAAAA;AAGhB,IAAA,IAAA,CAAKC,IAAAA,GAAO,uBAAA;AACb,EAAA;AACD;AAEO,IAAMC,sBAAAA,GAAN,cAAqCL,KAAAA,CAAAA;EAvB5C;;;;AAwBCC,EAAAA,WAAAA,CACCL,SACgBU,UAAAA,EACf;AACD,IAAA,KAAA,CAAMV,OAAAA,CAAAA;SAFUU,UAAAA,GAAAA,UAAAA;AAGhB,IAAA,IAAA,CAAKF,IAAAA,GAAO,wBAAA;AACb,EAAA;AACD;AAKO,SAASG,aAAAA,CAAcC,KAAAA,EAAeC,SAAAA,GAAYX,aAAAA,EAAa;AACrE,EAAA,IAAI,OAAOU,UAAU,QAAA,EAAU;AAC9B,IAAA,OAAO,EAAA;AACR,EAAA;AAEA,EAAA,IAAIE,SAAAA,GAAYF,KAAAA,CAAMG,OAAAA,CAAQ,oCAAA,EAAsC,EAAA,CAAA;AAEpED,EAAAA,SAAAA,GAAYA,SAAAA,CAAUC,OAAAA,CAAQ,wBAAA,EAA0B,EAAA,CAAA;AAExDD,EAAAA,SAAAA,GAAYA,SAAAA,CAAUC,OAAAA,CAAQ,UAAA,EAAY,QAAA,CAAA;AAE1C,EAAA,IAAID,SAAAA,CAAUE,SAASH,SAAAA,EAAW;AACjCC,IAAAA,SAAAA,GAAYA,SAAAA,CAAUG,SAAAA,CAAU,CAAA,EAAGJ,SAAAA,CAAAA;AACpC,EAAA;AAEA,EAAA,OAAOC,SAAAA;AACR;AAhBgBH,MAAAA,CAAAA,aAAAA,EAAAA,eAAAA,CAAAA;AAsBT,SAASO,mBAAmBC,QAAAA,EAAgB;AAClD,EAAA,MAAMC,OAAAA,GAAUT,cAAcQ,QAAAA,CAAAA;AAE9B,EAAA,OAAO;;;GAGLC,OAAAA;;EAEDC,IAAAA,EAAI;AACN;AATgBH,MAAAA,CAAAA,kBAAAA,EAAAA,oBAAAA,CAAAA;AAcT,IAAMI,qBAAAA,GAAwBC,EAAEC,MAAAA,CAAO;AAC7ClD,EAAAA,OAAAA,EAASiD,EACPE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCC,SAAS,0BAAA,CAAA,CACTC,IAAI,GAAA,EAAQ,4CAAA,EACZC,QAAAA,EAAQ;AAEVpD,EAAAA,SAAAA,EAAW8C,EACTE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCC,QAAAA,CAAS,4BAAA,CAAA,CACTC,GAAAA,CAAI,MAAM,IAAA,GAAO,IAAA,EAAM,+BAAA,CAAA,CACvBC,QAAAA,EAAQ;AAEVnD,EAAAA,WAAAA,EAAa6C,EACXE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCI,YAAY,gCAAA,CAAA,CACZF,IAAI,GAAA,EAAM,gCAAA,EACVC,QAAAA,EAAQ;AAEVlD,EAAAA,WAAAA,EAAa4C,CAAAA,CACXQ,KAAAA,CACAR,CAAAA,CAAES,MAAAA,EAAM,CAAGC,MAAAA,CAAO,CAACC,GAAAA,KAAQA,GAAAA,CAAIb,IAAAA,EAAI,CAAGL,MAAAA,GAAS,CAAA,EAAG;IACjDhB,OAAAA,EAAS;GACV,CAAA,EAEA6B,QAAAA,EAAQ;AAEVhD,EAAAA,aAAAA,EAAe0C,EACbY,OAAAA,CAAQ;IACRT,kBAAAA,EAAoB;AACrB,GAAA,EACCG,QAAAA,EAAQ;EAEVO,gBAAAA,EAAkBb,CAAAA,CAAEc,QAAAA,EAAQ,CAAGR,QAAAA,EAAQ;EACvCS,gBAAAA,EAAkBf,CAAAA,CAAEc,QAAAA,EAAQ,CAAGR,QAAAA,EAAQ;EACvCU,cAAAA,EAAgBhB,CAAAA,CAAEiB,GAAAA,EAAG,CAAGX,QAAAA,EAAQ;EAChCY,cAAAA,EAAgBlB,CAAAA,CAAEiB,GAAAA,EAAG,CAAGX,QAAAA,EAAQ;AAChCa,EAAAA,gBAAAA,EAAkBnB,EAAEQ,KAAAA,CAAMR,CAAAA,CAAEiB,GAAAA,EAAG,EAAIX,QAAAA,EAAQ;AAC3Cc,EAAAA,eAAAA,EAAiBpB,EAAEQ,KAAAA,CAAMR,CAAAA,CAAES,MAAAA,EAAM,EAAIH,QAAAA;AACtC,CAAA;AAKO,SAASe,wBAAwBC,MAAAA,EAAgC;AACvE,EAAA,IAAI;AACHvB,IAAAA,qBAAAA,CAAsBwB,MAAMD,MAAAA,CAAAA;AAC7B,EAAA,CAAA,CAAA,OAAS/C,KAAAA,EAAO;AACf,IAAA,IAAIA,KAAAA,YAAiByB,EAAEwB,QAAAA,EAAU;AAChC,MAAA,MAAMC,SAASlD,KAAAA,CAAMkD,MAAAA,CAAOC,IAAI,CAACC,GAAAA,KAAQA,IAAIlD,OAAO,CAAA;AACpD,MAAA,MAAM,IAAIG,sBACT,CAAA,yBAAA,EAA4B6C,MAAAA,CAAOG,KAAK,IAAA,CAAA,CAAA,CAAA,EACxC,iBAAA,EACAN,MAAAA,CAAAA;AAEF,IAAA;AACA,IAAA,MAAM/C,KAAAA;AACP,EAAA;AACD;AAdgB8C,MAAAA,CAAAA,uBAAAA,EAAAA,yBAAAA,CAAAA;AAmBT,SAASQ,iBAAiBC,QAAAA,EAAgB;AAChD,EAAA,IAAI,OAAOA,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAIlD,qBAAAA,CAAsB,2BAAA,EAA6B,UAAA,EAAYkD,QAAAA,CAAAA;AAC1E,EAAA;AAEA,EAAA,IAAIA,QAAAA,CAAShC,IAAAA,EAAI,CAAGL,MAAAA,KAAW,CAAA,EAAG;AACjC,IAAA,MAAM,IAAIb,qBAAAA,CAAsB,0BAAA,EAA4B,UAAA,EAAYkD,QAAAA,CAAAA;AACzE,EAAA;AAEA,EAAA,IAAIA,QAAAA,CAASrC,SAAS,GAAA,EAAK;AAC1B,IAAA,MAAM,IAAIb,qBAAAA,CAAsB,uCAAA,EAAyC,UAAA,EAAYkD,QAAAA,CAAAA;AACtF,EAAA;AAEA,EAAA,IAAI,CAAC,kBAAA,CAAmBC,IAAAA,CAAKD,QAAAA,CAAAA,EAAW;AACvC,IAAA,MAAM,IAAIlD,qBAAAA,CACT,4EAAA,EACA,UAAA,EACAkD,QAAAA,CAAAA;AAEF,EAAA;AACD;AApBgBD,MAAAA,CAAAA,gBAAAA,EAAAA,kBAAAA,CAAAA;;;ACyBT,IAAMG,qBAAN,MAAMA;EAtKb;;;AAuKSC,EAAAA,SAAAA,uBAAiDC,GAAAA,EAAAA;;;;AAKzDC,EAAAA,gBAAAA,CAAiBC,QAAAA,EAAoC;AACpD,IAAA,IAAA,CAAKH,SAAAA,CAAUI,GAAAA,CAAID,QAAAA,CAASnD,IAAAA,EAAMmD,QAAAA,CAAAA;AACnC,EAAA;;;;AAKA,EAAA,MAAME,QAAQC,UAAAA,EAA8C;AAC3D,IAAA,IAAIA,WAAWH,QAAAA,EAAU;AACxB,MAAA,MAAMA,QAAAA,GAAW,IAAA,CAAKH,SAAAA,CAAUO,GAAAA,CAAID,WAAWH,QAAQ,CAAA;AACvD,MAAA,IAAI,CAACA,QAAAA,EAAU;AACd,QAAA,MAAM,IAAIvD,KAAAA,CAAM,CAAA,qBAAA,EAAwB0D,UAAAA,CAAWH,QAAQ,CAAA,WAAA,CAAa,CAAA;AACzE,MAAA;AACA,MAAA,OAAO,MAAMA,SAASE,OAAAA,EAAO;AAC9B,IAAA;AAEA,IAAA,QAAQC,WAAWE,MAAAA;MAClB,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKC,cAAcH,UAAAA,CAAAA;MAC3B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKI,cAAcJ,UAAAA,CAAAA;MAC3B,KAAK,OAAA;AACJ,QAAA,OAAO,IAAA,CAAKK,aAAaL,UAAAA,CAAAA;MAC1B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKM,cAAcN,UAAAA,CAAAA;MAC3B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKO,cAAcP,UAAAA,CAAAA;MAC3B,KAAK,WAAA;AACJ,QAAA,OAAO,IAAA,CAAKQ,iBAAiBR,UAAAA,CAAAA;AAC9B,MAAA;AACC,QAAA,MAAM,IAAI1D,KAAAA,CAAM,CAAA,yBAAA,EAA6B0D,UAAAA,CAAmBE,MAAM,CAAA,CAAE,CAAA;AAC1E;AACD,EAAA;AAEQC,EAAAA,aAAAA,CAAcpB,MAAAA,EAAuC;AAC5D,IAAA,MAAMtC,KAAAA,GAAQ,IAAA,CAAKgE,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI,CAACtC,KAAAA,EAAO;AACX,MAAA,MAAM,IAAIH,KAAAA,CAAM,CAAA,0BAAA,EAA6ByC,MAAAA,CAAOrC,IAAI,CAAA,CAAA,CAAG,CAAA;AAC5D,IAAA;AAEA,IAAA,IAAIqC,MAAAA,CAAO2B,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO;QAAEC,OAAAA,EAAS;UAAE,CAAC5B,MAAAA,CAAOrC,IAAI,GAAGD;AAAM;AAAE,OAAA;IAC5C,CAAA,MAAO;AACN,MAAA,OAAO;QAAEmE,WAAAA,EAAa;UAAE,CAAC7B,MAAAA,CAAOrC,IAAI,GAAGD;AAAM;AAAE,OAAA;AAChD,IAAA;AACD,EAAA;AAEQ2D,EAAAA,aAAAA,CAAcrB,MAAAA,EAAuC;AAC5D,IAAA,MAAM8B,KAAAA,GAAQ,IAAA,CAAKJ,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI,CAAC8B,KAAAA,EAAO;AACX,MAAA,MAAM,IAAIvE,MAAM,2BAAA,CAAA;AACjB,IAAA;AAEA,IAAA,OAAO;MACNqE,OAAAA,EAAS;AACRG,QAAAA,aAAAA,EAAe,UAAUD,KAAAA,CAAAA;AAC1B;AACD,KAAA;AACD,EAAA;AAEQR,EAAAA,YAAAA,CAAatB,MAAAA,EAAsC;AAC1D,IAAA,MAAMgC,QAAAA,GAAWhC,OAAOiC,cAAAA,GAAiBC,OAAAA,CAAQC,IAAInC,MAAAA,CAAOiC,cAAc,IAAIjC,MAAAA,CAAOgC,QAAAA;AACrF,IAAA,MAAMI,QAAAA,GAAWpC,MAAAA,CAAOqC,cAAAA,GACrBH,OAAAA,CAAQC,GAAAA,CAAInC,OAAOqC,cAAc,CAAA,GACjC,IAAA,CAAKX,QAAAA,CAAS1B,MAAAA,CAAAA;AAEjB,IAAA,IAAI,CAACgC,QAAAA,IAAY,CAACI,QAAAA,EAAU;AAC3B,MAAA,MAAM,IAAI7E,MAAM,+CAAA,CAAA;AACjB,IAAA;AAEA,IAAA,MAAM+E,WAAAA,GAAcC,MAAAA,CAAOC,IAAAA,CAAK,CAAA,EAAGR,QAAAA,IAAYI,QAAAA,CAAAA,CAAU,CAAA,CAAEK,QAAAA,CAAS,QAAA,CAAA;AACpE,IAAA,OAAO;MACNb,OAAAA,EAAS;AACRG,QAAAA,aAAAA,EAAe,SAASO,WAAAA,CAAAA;AACzB;AACD,KAAA;AACD,EAAA;AAEA,EAAA,MAAcf,cAAcvB,MAAAA,EAAgD;AAC3E,IAAA,MAAMQ,QAAAA,GAAWR,OAAO0C,cAAAA,GAAiBR,OAAAA,CAAQC,IAAInC,MAAAA,CAAO0C,cAAc,IAAI1C,MAAAA,CAAOQ,QAAAA;AACrF,IAAA,MAAMmC,eAAe3C,MAAAA,CAAO4C,kBAAAA,GACzBV,QAAQC,GAAAA,CAAInC,MAAAA,CAAO4C,kBAAkB,CAAA,GACrCC,MAAAA;AAEH,IAAA,IAAI,CAACrC,QAAAA,IAAY,CAACmC,YAAAA,EAAc;AAC/B,MAAA,MAAM,IAAIpF,MAAM,wCAAA,CAAA;AACjB,IAAA;AAEA,IAAA,IAAIyC,MAAAA,CAAO8C,SAAS,mBAAA,EAAqB;AACxC,MAAA,MAAMhB,MAAAA,GAAQ,MAAM,IAAA,CAAKiB,gBAAAA,CACxB/C,OAAOgD,QAAAA,EACPxC,QAAAA,EACAmC,YAAAA,EACA3C,MAAAA,CAAOiD,MAAM,CAAA;AAEd,MAAA,OAAO;QACNrB,OAAAA,EAAS;AACRG,UAAAA,aAAAA,EAAe,UAAUD,MAAAA,CAAAA;AAC1B;AACD,OAAA;AACD,IAAA;AAEA,IAAA,MAAMA,KAAAA,GAAQ,IAAA,CAAKJ,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI8B,KAAAA,EAAO;AACV,MAAA,OAAO;QACNF,OAAAA,EAAS;AACRG,UAAAA,aAAAA,EAAe,UAAUD,KAAAA,CAAAA;AAC1B;AACD,OAAA;AACD,IAAA;AAEA,IAAA,MAAM,IAAIvE,KAAAA,CAAM,CAAA,aAAA,EAAgByC,MAAAA,CAAO8C,IAAI,CAAA,6BAAA,CAA+B,CAAA;AAC3E,EAAA;AAEQtB,EAAAA,aAAAA,CAAcxB,MAAAA,EAAuC;AAC5D,IAAA,MAAM4B,UAAkC,EAAC;AACzC,IAAA,MAAMC,cAAsC,EAAC;AAE7CqB,IAAAA,MAAAA,CAAOC,MAAAA,CAAOvB,OAAAA,EAAS5B,MAAAA,CAAO4B,OAAO,CAAA;AAErC,IAAA,IAAI5B,OAAOoD,aAAAA,EAAe;AACzB,MAAA,KAAA,MAAW,CAACC,YAAYC,MAAAA,CAAAA,IAAWJ,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOoD,aAAa,CAAA,EAAG;AACxE,QAAA,MAAM1F,KAAAA,GAAQwE,OAAAA,CAAQC,GAAAA,CAAImB,MAAAA,CAAAA;AAC1B,QAAA,IAAI5F,KAAAA,EAAO;AACVkE,UAAAA,OAAAA,CAAQyB,UAAAA,CAAAA,GAAc3F,KAAAA;AACvB,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,IAAIsC,OAAO6B,WAAAA,EAAa;AACvBqB,MAAAA,MAAAA,CAAOC,MAAAA,CAAOtB,WAAAA,EAAa7B,MAAAA,CAAO6B,WAAW,CAAA;AAC9C,IAAA;AAEA,IAAA,IAAI7B,OAAOwD,iBAAAA,EAAmB;AAC7B,MAAA,KAAA,MAAW,CAACC,WAAWH,MAAAA,CAAAA,IAAWJ,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOwD,iBAAiB,CAAA,EAAG;AAC3E,QAAA,MAAM9F,KAAAA,GAAQwE,OAAAA,CAAQC,GAAAA,CAAImB,MAAAA,CAAAA;AAC1B,QAAA,IAAI5F,KAAAA,EAAO;AACVmE,UAAAA,WAAAA,CAAY4B,SAAAA,CAAAA,GAAa/F,KAAAA;AAC1B,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,OAAO;AACNkE,MAAAA,OAAAA,EAASsB,OAAOQ,IAAAA,CAAK9B,OAAAA,CAAAA,CAASzD,MAAAA,GAAS,IAAIyD,OAAAA,GAAUiB,MAAAA;AACrDhB,MAAAA,WAAAA,EAAaqB,OAAOQ,IAAAA,CAAK7B,WAAAA,CAAAA,CAAa1D,MAAAA,GAAS,IAAI0D,WAAAA,GAAcgB;AAClE,KAAA;AACD,EAAA;AAEQpB,EAAAA,gBAAAA,CAAiBzB,MAAAA,EAA0C;AAClE,IAAA,MAAM4B,UAAkC,EAAC;AACzC,IAAA,MAAMC,cAAsC,EAAC;AAE7C,IAAA,KAAA,MAAW,CAAC8B,UAAUC,UAAAA,CAAAA,IAAeV,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOsC,WAAW,CAAA,EAAG;AACxE,MAAA,MAAM5E,KAAAA,GAAQkG,WAAWN,MAAAA,GAASpB,OAAAA,CAAQC,IAAIyB,UAAAA,CAAWN,MAAM,IAAIM,UAAAA,CAAWlG,KAAAA;AAE9E,MAAA,IAAI,CAACA,KAAAA,EAAO;AACX,QAAA,IAAIkG,UAAAA,CAAW3H,aAAa,KAAA,EAAO;AAClC,UAAA,MAAM,IAAIsB,KAAAA,CAAM,CAAA,qBAAA,EAAwBoG,QAAAA,CAAAA,cAAAA,CAAwB,CAAA;AACjE,QAAA;AACA,QAAA;AACD,MAAA;AAEA,MAAA,MAAME,QAAAA,GAAW7D,OAAO6D,QAAAA,IAAY,QAAA;AAEpC,MAAA,IAAA,CAAKA,QAAAA,KAAa,QAAA,IAAYA,QAAAA,KAAa,MAAA,KAAWD,WAAWP,UAAAA,EAAY;AAC5EzB,QAAAA,OAAAA,CAAQgC,UAAAA,CAAWP,UAAU,CAAA,GAAI3F,KAAAA;AAClC,MAAA;AAEA,MAAA,IAAA,CAAKmG,QAAAA,KAAa,OAAA,IAAWA,QAAAA,KAAa,MAAA,KAAWD,WAAWE,cAAAA,EAAgB;AAC/EjC,QAAAA,WAAAA,CAAY+B,UAAAA,CAAWE,cAAc,CAAA,GAAIpG,KAAAA;AAC1C,MAAA;AAEA,MAAA,IAAI,CAACkG,UAAAA,CAAWP,UAAAA,IAAc,CAACO,WAAWE,cAAAA,EAAgB;AACzD,QAAA,IAAID,QAAAA,KAAa,OAAA,IAAWA,QAAAA,KAAa,MAAA,EAAQ;AAChDhC,UAAAA,WAAAA,CAAY8B,QAAAA,CAAAA,GAAYjG,KAAAA;QACzB,CAAA,MAAO;AACNkE,UAAAA,OAAAA,CAAQ,CAAA,EAAA,EAAK+B,QAAAA,CAAAA,CAAU,CAAA,GAAIjG,KAAAA;AAC5B,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,OAAO;AACNkE,MAAAA,OAAAA,EAASsB,OAAOQ,IAAAA,CAAK9B,OAAAA,CAAAA,CAASzD,MAAAA,GAAS,IAAIyD,OAAAA,GAAUiB,MAAAA;AACrDhB,MAAAA,WAAAA,EAAaqB,OAAOQ,IAAAA,CAAK7B,WAAAA,CAAAA,CAAa1D,MAAAA,GAAS,IAAI0D,WAAAA,GAAcgB;AAClE,KAAA;AACD,EAAA;;;;AAKQnB,EAAAA,QAAAA,CAAS1B,MAAAA,EAA4C;AAC5D,IAAA,IAAIA,OAAOsD,MAAAA,EAAQ;AAClB,MAAA,OAAOpB,OAAAA,CAAQC,GAAAA,CAAInC,MAAAA,CAAOsD,MAAM,CAAA;AACjC,IAAA;AACA,IAAA,OAAOtD,MAAAA,CAAOtC,KAAAA;AACf,EAAA;;;;AAKA,EAAA,MAAcqF,gBAAAA,CACbC,QAAAA,EACAxC,QAAAA,EACAmC,YAAAA,EACAM,MAAAA,EACkB;AAClB,IAAA,MAAMnG,MAAAA,GAAS,IAAIiH,eAAAA,CAAgB;MAClCC,UAAAA,EAAY,oBAAA;MACZC,SAAAA,EAAWzD,QAAAA;MACX0D,aAAAA,EAAevB;KAChB,CAAA;AAEA,IAAA,IAAIM,MAAAA,IAAUA,MAAAA,CAAO9E,MAAAA,GAAS,CAAA,EAAG;AAChCrB,MAAAA,MAAAA,CAAOqH,MAAAA,CAAO,OAAA,EAASlB,MAAAA,CAAO3C,IAAAA,CAAK,GAAA,CAAA,CAAA;AACpC,IAAA;AAEA,IAAA,MAAM8D,QAAAA,GAAW,MAAMC,KAAAA,CAAMrB,QAAAA,EAAU;MACtCnG,MAAAA,EAAQ,MAAA;MACR+E,OAAAA,EAAS;QACR,cAAA,EAAgB;AACjB,OAAA;AACA0C,MAAAA,IAAAA,EAAMxH,OAAO2F,QAAAA;KACd,CAAA;AAEA,IAAA,IAAI,CAAC2B,SAASG,EAAAA,EAAI;AACjB,MAAA,MAAM,IAAIhH,KAAAA,CAAM,CAAA,2BAAA,EAA8B6G,QAAAA,CAASI,UAAU,CAAA,CAAE,CAAA;AACpE,IAAA;AAEA,IAAA,MAAMpH,IAAAA,GAAQ,MAAMgH,QAAAA,CAASK,IAAAA,EAAI;AACjC,IAAA,OAAOrH,IAAAA,CAAKsH,YAAAA;AACb,EAAA;AACD;;;AC/MO,IAAMC,iBAAN,MAAMA;EApMb;;;EAqMChH,IAAAA,GAAO,OAAA;AACCiH,EAAAA,KAAAA;AAERpH,EAAAA,WAAAA,CAAYoH,KAAAA,EAAoB;AAC/B,IAAA,IAAA,CAAKA,KAAAA,GAAQA,KAAAA;AACd,EAAA;AAEA,EAAA,MAAMC,MAAMC,KAAAA,EAAkC;AAC7C,IAAA,MAAMC,OAAAA,CAAQC,GAAAA,CAAI,IAAA,CAAKJ,KAAAA,CAAMxE,GAAAA,CAAI,CAAC6E,IAAAA,KAASA,IAAAA,CAAKJ,KAAAA,CAAMC,KAAAA,CAAAA,CAAAA,CAAAA;AACvD,EAAA;AAEA,EAAA,MAAMI,WAAWC,MAAAA,EAAqC;AACrD,IAAA,MAAMJ,OAAAA,CAAQC,GAAAA,CAAI,IAAA,CAAKJ,KAAAA,CAAMxE,GAAAA,CAAI,CAAC6E,IAAAA,KAASA,IAAAA,CAAKC,UAAAA,CAAWC,MAAAA,CAAAA,CAAAA,CAAAA;AAC5D,EAAA;AAEA,EAAA,MAAMhJ,MAAMiJ,MAAAA,EAA4C;AACvD,IAAA,KAAA,MAAWH,IAAAA,IAAQ,KAAKL,KAAAA,EAAO;AAC9B,MAAA,IAAIK,KAAK9I,KAAAA,EAAO;AACf,QAAA,OAAO,MAAM8I,IAAAA,CAAK9I,KAAAA,CAAMiJ,MAAAA,CAAAA;AACzB,MAAA;AACD,IAAA;AACA,IAAA,MAAM,IAAI7H,MAAM,mCAAA,CAAA;AACjB,EAAA;AAEA,EAAA,MAAM8H,UAAAA,GAA4B;AACjC,IAAA,MAAMN,OAAAA,CAAQC,GAAAA,CACb,IAAA,CAAKJ,KAAAA,CAAMxE,IAAI,CAAC6E,IAAAA,KAAUA,IAAAA,CAAKI,UAAAA,GAAaJ,KAAKI,UAAAA,EAAU,GAAKN,OAAAA,CAAQ/D,OAAAA,EAAO,CAAA,CAAA;AAEjF,EAAA;AACD","file":"index.js","sourcesContent":["import type { ProvenanceMode, SecurityPolicy } from '@mondaydotcomorg/atp-provenance';\nexport { ProvenanceMode, type SecurityPolicy } from '@mondaydotcomorg/atp-provenance';\n\n/**\n * Callback types that can pause execution\n */\nexport enum CallbackType {\n\tLLM = 'llm',\n\tAPPROVAL = 'approval',\n\tEMBEDDING = 'embedding',\n\tTOOL = 'tool',\n}\n\n/**\n * Tool callback operations\n */\nexport enum ToolOperation {\n\tCALL = 'call',\n}\n\nexport interface AgentToolProtocolRequest {\n\tjsonrpc: '2.0';\n\tid: string | number;\n\tmethod: string;\n\tparams: Record<string, unknown>;\n}\n\nexport interface AgentToolProtocolResponse {\n\tjsonrpc: '2.0';\n\tid: string | number;\n\tresult?: unknown;\n\terror?: {\n\t\tcode: number;\n\t\tmessage: string;\n\t\tdata?: unknown;\n\t};\n}\n\nexport interface AgentToolProtocolNotification {\n\tjsonrpc: '2.0';\n\tmethod: string;\n\tparams: Record<string, unknown>;\n}\n\n/**\n * Client-provided service availability\n */\nexport interface ClientServices {\n\t/** Whether client provides LLM implementation */\n\thasLLM: boolean;\n\t/** Whether client provides approval handler */\n\thasApproval: boolean;\n\t/** Whether client provides embedding model */\n\thasEmbedding: boolean;\n\t/** Whether client provides custom tools */\n\thasTools: boolean;\n\t/** Names of client-provided tools (for discovery) */\n\ttoolNames?: string[];\n}\n\n/**\n * Client-provided LLM handler\n */\nexport interface ClientLLMHandler {\n\tcall: (\n\t\tprompt: string,\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t\tmodel?: string;\n\t\t\ttemperature?: number;\n\t\t\tsystemPrompt?: string;\n\t\t}\n\t) => Promise<string>;\n\textract?: <T>(\n\t\tprompt: string,\n\t\tschema: Record<string, unknown>,\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t}\n\t) => Promise<T>;\n\tclassify?: (\n\t\ttext: string,\n\t\tcategories: string[],\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t}\n\t) => Promise<string>;\n}\n\n/**\n * Client-provided approval handler\n */\nexport interface ClientApprovalHandler {\n\trequest: (\n\t\tmessage: string,\n\t\tcontext?: Record<string, unknown>\n\t) => Promise<{\n\t\tapproved: boolean;\n\t\tresponse?: unknown;\n\t\ttimestamp: number;\n\t}>;\n}\n\n/**\n * Client-provided embedding handler\n */\nexport interface ClientEmbeddingHandler {\n\tembed: (text: string) => Promise<number[]>;\n\tsimilarity?: (text1: string, text2: string) => Promise<number>;\n}\n\n/**\n * Client-provided tool handler\n * Function that executes on the client side when a client tool is invoked\n */\nexport interface ClientToolHandler {\n\t(input: unknown): Promise<unknown>;\n}\n\n/**\n * Client tool definition (metadata sent to server)\n * The actual handler function remains on the client side\n */\nexport interface ClientToolDefinition {\n\t/** Tool name (unique per client session) */\n\tname: string;\n\t/** API namespace (e.g., 'playwright', 'browser'). Defaults to 'client' if not specified */\n\tnamespace?: string;\n\t/** Human-readable description of what the tool does */\n\tdescription: string;\n\t/** JSON Schema for tool input validation */\n\tinputSchema: JSONSchema;\n\t/** JSON Schema for tool output (optional, for documentation) */\n\toutputSchema?: JSONSchema;\n\t/** Tool metadata for security and risk management */\n\tmetadata?: ToolMetadata;\n\t/** Whether this tool supports parallel execution with other tools */\n\tsupportsConcurrency?: boolean;\n\t/** Keywords for search/discovery (optional) */\n\tkeywords?: string[];\n}\n\n/**\n * Client tool with handler (used client-side only)\n * Extends ClientToolDefinition to include the actual handler function\n */\nexport interface ClientTool extends ClientToolDefinition {\n\t/** Handler function that executes on client side */\n\thandler: ClientToolHandler;\n}\n\n/**\n * Tool operation type classification\n */\nexport enum ToolOperationType {\n\t/** Safe read-only operations */\n\tREAD = 'read',\n\t/** Operations that modify data */\n\tWRITE = 'write',\n\t/** Operations that delete or destroy data */\n\tDESTRUCTIVE = 'destructive',\n}\n\n/**\n * Tool sensitivity level\n */\nexport enum ToolSensitivityLevel {\n\t/** Public data, no sensitivity concerns */\n\tPUBLIC = 'public',\n\t/** Internal data, requires authentication */\n\tINTERNAL = 'internal',\n\t/** Sensitive data (PII, financial data, etc.) */\n\tSENSITIVE = 'sensitive',\n}\n\n/**\n * Client-side tool execution rules\n * Allows clients to control which tools can be executed and under what conditions\n */\nexport interface ClientToolRules {\n\t/** Block all tools of specific operation types */\n\tblockOperationTypes?: ToolOperationType[];\n\t/** Block all tools with specific sensitivity levels */\n\tblockSensitivityLevels?: ToolSensitivityLevel[];\n\t/** Require approval for specific operation types */\n\trequireApprovalForOperationTypes?: ToolOperationType[];\n\t/** Require approval for specific sensitivity levels */\n\trequireApprovalForSensitivityLevels?: ToolSensitivityLevel[];\n\t/** Block specific tools by name (e.g., ['deleteDatabase', 'dropTable']) */\n\tblockTools?: string[];\n\t/** Allow only specific tools by name (whitelist mode) */\n\tallowOnlyTools?: string[];\n\t/** Block entire API groups (e.g., ['admin', 'system']) */\n\tblockApiGroups?: string[];\n\t/** Allow only specific API groups (whitelist mode) */\n\tallowOnlyApiGroups?: string[];\n}\n\n/**\n * Tool/API metadata for security and risk management\n *\n * What can clients do with these annotations?\n *\n * 1. **Block Execution**:\n * - Block all WRITE operations: blockOperationTypes: [ToolOperationType.WRITE]\n * - Block all DESTRUCTIVE operations: blockOperationTypes: [ToolOperationType.DESTRUCTIVE]\n * - Block SENSITIVE data access: blockSensitivityLevels: [ToolSensitivityLevel.SENSITIVE]\n *\n * 2. **Require Approval**:\n * - Require approval for WRITE: requireApprovalForOperationTypes: [ToolOperationType.WRITE]\n * - Require approval for DESTRUCTIVE: requireApprovalForOperationTypes: [ToolOperationType.DESTRUCTIVE]\n * - Require approval for SENSITIVE: requireApprovalForSensitivityLevels: [ToolSensitivityLevel.SENSITIVE]\n *\n * 3. **Whitelist/Blacklist**:\n * - Block specific tools: blockTools: ['deleteDatabase', 'dropTable']\n * - Allow only safe tools: allowOnlyTools: ['getUser', 'listItems']\n * - Block admin APIs: blockApiGroups: ['admin', 'system']\n *\n * 4. **Audit & Logging**:\n * - Log all DESTRUCTIVE operations\n * - Track access to SENSITIVE data\n * - Monitor WRITE operations\n *\n * Granularity levels:\n * - Operation Type: READ, WRITE, DESTRUCTIVE (coarse-grained)\n * - Sensitivity Level: PUBLIC, INTERNAL, SENSITIVE (data classification)\n * - Tool Name: Specific function names (fine-grained)\n * - API Group: Entire namespaces (medium-grained)\n */\nexport interface ToolMetadata {\n\t/** Operation type classification */\n\toperationType?: ToolOperationType;\n\t/** Sensitivity level of data handled */\n\tsensitivityLevel?: ToolSensitivityLevel;\n\t/** Require explicit approval before execution (server-side enforcement) */\n\trequiresApproval?: boolean;\n\t/** Category for grouping/filtering (e.g., 'database', 'user-management') */\n\tcategory?: string;\n\t/** Additional tags for classification */\n\ttags?: string[];\n\t/** Human-readable description of potential impact */\n\timpactDescription?: string;\n\t/**\n\t * Required OAuth scopes to use this tool\n\t * Used for scope-based filtering when user credentials have limited permissions\n\t * @example ['repo', 'read:user'] for GitHub\n\t * @example ['https://www.googleapis.com/auth/calendar'] for Google\n\t */\n\trequiredScopes?: string[];\n\t/**\n\t * Generic permissions required (for non-OAuth providers)\n\t * @example ['admin', 'write:users']\n\t */\n\trequiredPermissions?: string[];\n}\n\n/**\n * Client service providers\n */\nexport interface ClientServiceProviders {\n\tllm?: ClientLLMHandler;\n\tapproval?: ClientApprovalHandler;\n\tembedding?: ClientEmbeddingHandler;\n\t/** Client-provided tools that execute locally */\n\ttools?: ClientTool[];\n}\n\nexport interface ExecutionConfig {\n\ttimeout: number;\n\tmaxMemory: number;\n\tmaxLLMCalls: number;\n\tallowedAPIs: string[];\n\tallowLLMCalls: boolean;\n\tprogressCallback?: (message: string, fraction: number) => void;\n\tcustomLLMHandler?: (prompt: string, options?: any) => Promise<string>;\n\tclientServices?: ClientServices;\n\tprovenanceMode?: ProvenanceMode;\n\tsecurityPolicies?: SecurityPolicy[];\n\tprovenanceHints?: string[];\n}\n\n/**\n * Execution status codes for fine-grained error reporting\n */\nexport enum ExecutionStatus {\n\tCOMPLETED = 'completed',\n\tFAILED = 'failed',\n\tTIMEOUT = 'timeout',\n\tCANCELLED = 'cancelled',\n\tPAUSED = 'paused',\n\tMEMORY_EXCEEDED = 'memory_exceeded',\n\tLLM_CALLS_EXCEEDED = 'llm_calls_exceeded',\n\tSECURITY_VIOLATION = 'security_violation',\n\tVALIDATION_FAILED = 'validation_failed',\n\tLOOP_DETECTED = 'loop_detected',\n\tRATE_LIMITED = 'rate_limited',\n\tNETWORK_ERROR = 'network_error',\n\tPARSE_ERROR = 'parse_error',\n}\n\n/**\n * Execution error codes for categorizing failures\n */\nexport enum ExecutionErrorCode {\n\tUNKNOWN_ERROR = 'UNKNOWN_ERROR',\n\tEXECUTION_FAILED = 'EXECUTION_FAILED',\n\tTIMEOUT_ERROR = 'TIMEOUT_ERROR',\n\n\tMEMORY_LIMIT_EXCEEDED = 'MEMORY_LIMIT_EXCEEDED',\n\tLLM_CALL_LIMIT_EXCEEDED = 'LLM_CALL_LIMIT_EXCEEDED',\n\tHTTP_CALL_LIMIT_EXCEEDED = 'HTTP_CALL_LIMIT_EXCEEDED',\n\n\tSECURITY_VIOLATION = 'SECURITY_VIOLATION',\n\tVALIDATION_FAILED = 'VALIDATION_FAILED',\n\tFORBIDDEN_OPERATION = 'FORBIDDEN_OPERATION',\n\n\tPARSE_ERROR = 'PARSE_ERROR',\n\tSYNTAX_ERROR = 'SYNTAX_ERROR',\n\tTYPE_ERROR = 'TYPE_ERROR',\n\tREFERENCE_ERROR = 'REFERENCE_ERROR',\n\n\tINFINITE_LOOP_DETECTED = 'INFINITE_LOOP_DETECTED',\n\tLOOP_TIMEOUT = 'LOOP_TIMEOUT',\n\n\tNETWORK_ERROR = 'NETWORK_ERROR',\n\tHTTP_ERROR = 'HTTP_ERROR',\n\tDNS_ERROR = 'DNS_ERROR',\n\n\tRATE_LIMIT_EXCEEDED = 'RATE_LIMIT_EXCEEDED',\n\tCONCURRENT_LIMIT_EXCEEDED = 'CONCURRENT_LIMIT_EXCEEDED',\n}\n\nexport interface ExecutionResult {\n\texecutionId: string;\n\tstatus: ExecutionStatus;\n\tresult?: unknown;\n\terror?: {\n\t\tmessage: string;\n\t\tcode?: ExecutionErrorCode;\n\t\tstack?: string;\n\t\tline?: number;\n\t\tcontext?: Record<string, unknown>;\n\t\tretryable?: boolean;\n\t\tsuggestion?: string;\n\t};\n\tstats: {\n\t\tduration: number;\n\t\tmemoryUsed: number;\n\t\tllmCallsCount: number;\n\t\tapprovalCallsCount: number;\n\t\tstatementsExecuted?: number;\n\t\tstatementsCached?: number;\n\t};\n\tneedsCallback?: {\n\t\ttype: CallbackType;\n\t\toperation: string;\n\t\tpayload: Record<string, unknown>;\n\t};\n\tneedsCallbacks?: BatchCallbackRequest[];\n\tcallbackHistory?: Array<{\n\t\ttype: CallbackType;\n\t\toperation: string;\n\t\tpayload: Record<string, unknown>;\n\t\tresult?: unknown;\n\t\ttimestamp: number;\n\t\tsequenceNumber: number;\n\t}>;\n\ttransformedCode?: string;\n\tprovenanceSnapshot?: unknown;\n\tprovenanceTokens?: Array<{\n\t\tpath: string;\n\t\ttoken: string;\n\t}>;\n}\n\n/**\n * Batch callback request for parallel execution\n */\nexport interface BatchCallbackRequest {\n\t/** Unique callback ID */\n\tid: string;\n\t/** Callback type */\n\ttype: CallbackType;\n\t/** Operation name */\n\toperation: string;\n\t/** Operation payload */\n\tpayload: Record<string, unknown>;\n}\n\n/**\n * Batch callback result from client\n */\nexport interface BatchCallbackResult {\n\t/** Callback ID (matches BatchCallbackRequest.id) */\n\tid: string;\n\t/** Callback result */\n\tresult: unknown;\n}\n\nexport interface SearchOptions {\n\tquery: string;\n\tapiGroups?: string[];\n\tmaxResults?: number;\n\tuseEmbeddings?: boolean;\n\tembeddingModel?: string;\n}\n\nexport interface SearchResult {\n\tapiGroup: string;\n\tfunctionName: string;\n\tdescription: string;\n\tsignature: string;\n\texample?: string;\n\trelevanceScore: number;\n}\n\nexport interface ExploreRequest {\n\tpath: string;\n}\n\nexport interface ExploreDirectoryResult {\n\ttype: 'directory';\n\tpath: string;\n\titems: Array<{ name: string; type: 'directory' | 'function' }>;\n}\n\nexport interface ExploreFunctionResult {\n\ttype: 'function';\n\tpath: string;\n\tname: string;\n\tdescription: string;\n\tdefinition: string;\n\tgroup: string;\n}\n\nexport type ExploreResult = ExploreDirectoryResult | ExploreFunctionResult;\n\nexport interface ValidationResult {\n\tvalid: boolean;\n\terrors?: ValidationError[];\n\twarnings?: ValidationError[];\n\tsecurityIssues?: SecurityIssue[];\n}\n\nexport interface ValidationError {\n\tline: number;\n\tmessage: string;\n\tseverity: 'error' | 'warning';\n}\n\nexport interface SecurityIssue {\n\tline: number;\n\tissue: string;\n\trisk: 'low' | 'medium' | 'high';\n}\n\nexport interface APISource {\n\ttype: 'mcp' | 'openapi' | 'custom';\n\tname: string;\n\turl?: string;\n\tspec?: unknown;\n}\n\nexport interface ServerConfig {\n\tapiGroups: APIGroupConfig[];\n\tsecurity: SecurityConfig;\n\texecution: ExecutionLimits;\n\tsearch: SearchConfig;\n\tlogging: LoggingConfig;\n}\n\nexport interface APIGroupConfig {\n\tname: string;\n\ttype: 'mcp' | 'openapi' | 'graphql' | 'custom';\n\turl?: string;\n\tspec?: unknown;\n\tfunctions?: CustomFunctionDef[];\n\t/** Authentication configuration for this API group */\n\tauth?: import('./auth.js').AuthConfig;\n}\n\nexport interface SecurityConfig {\n\tallowedOrigins: string[];\n\tapiKeyRequired: boolean;\n\trateLimits: {\n\t\trequestsPerMinute: number;\n\t\texecutionsPerHour: number;\n\t};\n}\n\nexport interface ExecutionLimits {\n\tdefaultTimeout: number;\n\tmaxTimeout: number;\n\tdefaultMemoryLimit: number;\n\tmaxMemoryLimit: number;\n\tdefaultLLMCallLimit: number;\n\tmaxLLMCallLimit: number;\n}\n\nexport interface SearchConfig {\n\tenableEmbeddings: boolean;\n\tembeddingProvider?: 'openai' | 'cohere' | 'custom';\n\tcustomSearcher?: (query: string) => Promise<SearchResult[]>;\n}\n\nexport interface LoggingConfig {\n\tlevel: 'debug' | 'info' | 'warn' | 'error';\n\tdestination: 'console' | 'file' | 'remote';\n\tauditEnabled: boolean;\n}\n\nexport interface CustomFunctionDef {\n\tname: string;\n\tdescription: string;\n\tinputSchema: JSONSchema;\n\toutputSchema?: JSONSchema;\n\thandler: (params: unknown) => Promise<unknown>;\n\tkeywords?: string[];\n\tmetadata?: ToolMetadata; // NEW: Tool metadata for security\n\trequiredScopes?: string[]; // OAuth scopes required to use this function\n\tauth?: {\n\t\tsource?: 'server' | 'user';\n\t\toauthProvider?: string;\n\t};\n}\n\nexport interface JSONSchema {\n\ttype: string;\n\tproperties?: Record<string, unknown>;\n\trequired?: string[];\n\t[key: string]: unknown;\n}\n\nexport interface ClientConfig {\n\tserverUrl: string;\n\tapiKey: string;\n\ttimeout?: number;\n\tllmProvider: 'anthropic' | 'openai' | 'custom';\n\tllmModel?: string;\n\ttemperature?: number;\n\tdefaultExecutionConfig?: Partial<ExecutionConfig>;\n\tsearchPreferences?: {\n\t\tuseEmbeddings?: boolean;\n\t\tembeddingModel?: string;\n\t\tmaxResults?: number;\n\t};\n}\n\nexport interface RuntimeMethodParam {\n\tname: string;\n\ttype: string;\n\tdescription: string;\n\toptional: boolean;\n}\n\nexport interface RuntimeMethod {\n\tname: string;\n\tdescription: string;\n\tparams: RuntimeMethodParam[];\n\treturns: string;\n}\n\nexport interface RuntimeAPI {\n\tname: string;\n\tdescription: string;\n\tmethods: RuntimeMethod[];\n}\n\nexport interface RuntimeDefinitions {\n\tversion: string;\n\truntimeAPIs: RuntimeAPI[];\n\tdescription: string;\n\tusage: { example: string };\n}\n","import type { JSONSchema } from './types.js';\n\nexport const ExecutionConfigSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\ttimeout: { type: 'number', minimum: 1000, maximum: 300000 },\n\t\tmaxMemory: { type: 'number', minimum: 1048576, maximum: 536870912 },\n\t\tmaxLLMCalls: { type: 'number', minimum: 0, maximum: 100 },\n\t\tallowedAPIs: { type: 'array', items: { type: 'string' } },\n\t\tallowLLMCalls: { type: 'boolean' },\n\t},\n\trequired: ['timeout', 'maxMemory', 'maxLLMCalls', 'allowedAPIs', 'allowLLMCalls'],\n};\n\nexport const SearchOptionsSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tquery: { type: 'string', minLength: 1 },\n\t\tapiGroups: { type: 'array', items: { type: 'string' } },\n\t\tmaxResults: { type: 'number', minimum: 1, maximum: 100 },\n\t\tuseEmbeddings: { type: 'boolean' },\n\t\tembeddingModel: { type: 'string' },\n\t},\n\trequired: ['query'],\n};\n\nexport const AgentToolProtocolRequestSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tjsonrpc: { type: 'string', enum: ['2.0'] },\n\t\tid: { type: ['string', 'number'] },\n\t\tmethod: { type: 'string' },\n\t\tparams: { type: 'object' },\n\t},\n\trequired: ['jsonrpc', 'id', 'method', 'params'],\n};\n\nexport const AgentToolProtocolResponseSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tjsonrpc: { type: 'string', enum: ['2.0'] },\n\t\tid: { type: ['string', 'number'] },\n\t\tresult: {},\n\t\terror: {\n\t\t\ttype: 'object',\n\t\t\tproperties: {\n\t\t\t\tcode: { type: 'number' },\n\t\t\t\tmessage: { type: 'string' },\n\t\t\t\tdata: {},\n\t\t\t},\n\t\t\trequired: ['code', 'message'],\n\t\t},\n\t},\n\trequired: ['jsonrpc', 'id'],\n};\n","/**\n * Input validation utilities for ExecutionConfig and other types\n */\n\nimport { z } from 'zod';\nimport type { ExecutionConfig } from './types.js';\n\n/**\n * Maximum allowed code size (1MB)\n */\nexport const MAX_CODE_SIZE = 1000000;\n\nexport class ConfigValidationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic readonly field: string,\n\t\tpublic readonly value: unknown\n\t) {\n\t\tsuper(message);\n\t\tthis.name = 'ConfigValidationError';\n\t}\n}\n\nexport class SecurityViolationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic readonly violations: string[]\n\t) {\n\t\tsuper(message);\n\t\tthis.name = 'SecurityViolationError';\n\t}\n}\n\n/**\n * Sanitizes input string by removing control characters and normalizing whitespace\n */\nexport function sanitizeInput(input: string, maxLength = MAX_CODE_SIZE): string {\n\tif (typeof input !== 'string') {\n\t\treturn '';\n\t}\n\n\tlet sanitized = input.replace(/[\\x00-\\x08\\x0B-\\x0C\\x0E-\\x1F\\x7F]/g, '');\n\n\tsanitized = sanitized.replace(/[\\u200B-\\u200D\\uFEFF]/g, '');\n\n\tsanitized = sanitized.replace(/\\n{10,}/g, '\\n\\n\\n');\n\n\tif (sanitized.length > maxLength) {\n\t\tsanitized = sanitized.substring(0, maxLength);\n\t}\n\n\treturn sanitized;\n}\n\n/**\n * Frames user code in a secure execution context to prevent injection attacks\n * Similar to SQL parameterized queries - treats user code as data within a safe boundary\n */\nexport function frameCodeExecution(userCode: string): string {\n\tconst cleaned = sanitizeInput(userCode);\n\n\treturn `\n(async function __user_code_context__() {\n\t\"use strict\";\n\t${cleaned}\n})();\n`.trim();\n}\n\n/**\n * Zod schema for ExecutionConfig validation\n */\nexport const executionConfigSchema = z.object({\n\ttimeout: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'timeout must be a number',\n\t\t})\n\t\t.positive('timeout must be positive')\n\t\t.max(300000, 'timeout cannot exceed 300000ms (5 minutes)')\n\t\t.optional(),\n\n\tmaxMemory: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'maxMemory must be a number',\n\t\t})\n\t\t.positive('maxMemory must be positive')\n\t\t.max(512 * 1024 * 1024, 'maxMemory cannot exceed 512MB')\n\t\t.optional(),\n\n\tmaxLLMCalls: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'maxLLMCalls must be a number',\n\t\t})\n\t\t.nonnegative('maxLLMCalls cannot be negative')\n\t\t.max(1000, 'maxLLMCalls cannot exceed 1000')\n\t\t.optional(),\n\n\tallowedAPIs: z\n\t\t.array(\n\t\t\tz.string().refine((val) => val.trim().length > 0, {\n\t\t\t\tmessage: 'allowedAPIs must contain non-empty strings',\n\t\t\t})\n\t\t)\n\t\t.optional(),\n\n\tallowLLMCalls: z\n\t\t.boolean({\n\t\t\tinvalid_type_error: 'allowLLMCalls must be a boolean',\n\t\t})\n\t\t.optional(),\n\n\tprogressCallback: z.function().optional(),\n\tcustomLLMHandler: z.function().optional(),\n\tclientServices: z.any().optional(),\n\tprovenanceMode: z.any().optional(),\n\tsecurityPolicies: z.array(z.any()).optional(),\n\tprovenanceHints: z.array(z.string()).optional(),\n});\n\n/**\n * Validates ExecutionConfig parameters using Zod\n */\nexport function validateExecutionConfig(config: Partial<ExecutionConfig>): void {\n\ttry {\n\t\texecutionConfigSchema.parse(config);\n\t} catch (error) {\n\t\tif (error instanceof z.ZodError) {\n\t\t\tconst errors = error.errors.map((err) => err.message);\n\t\t\tthrow new ConfigValidationError(\n\t\t\t\t`Invalid ExecutionConfig: ${errors.join(', ')}`,\n\t\t\t\t'ExecutionConfig',\n\t\t\t\tconfig\n\t\t\t);\n\t\t}\n\t\tthrow error;\n\t}\n}\n\n/**\n * Validates client ID format\n */\nexport function validateClientId(clientId: string): void {\n\tif (typeof clientId !== 'string') {\n\t\tthrow new ConfigValidationError('clientId must be a string', 'clientId', clientId);\n\t}\n\n\tif (clientId.trim().length === 0) {\n\t\tthrow new ConfigValidationError('clientId cannot be empty', 'clientId', clientId);\n\t}\n\n\tif (clientId.length > 256) {\n\t\tthrow new ConfigValidationError('clientId cannot exceed 256 characters', 'clientId', clientId);\n\t}\n\n\tif (!/^[a-zA-Z0-9_-]+$/.test(clientId)) {\n\t\tthrow new ConfigValidationError(\n\t\t\t'clientId can only contain alphanumeric characters, dashes, and underscores',\n\t\t\t'clientId',\n\t\t\tclientId\n\t\t);\n\t}\n}\n","/**\n * Authentication and credential management types for Agent Tool Protocol\n */\n\n/**\n * Supported authentication schemes\n */\nexport type AuthScheme = 'apiKey' | 'bearer' | 'basic' | 'oauth2' | 'custom' | 'composite';\n\n/**\n * Base authentication configuration\n */\nexport interface BaseAuthConfig {\n\tscheme: AuthScheme;\n\t/** Environment variable name to read credentials from */\n\tenvVar?: string;\n\t/** Direct credential value (not recommended for production) */\n\tvalue?: string;\n\t/**\n\t * Credential source: 'server' for server-level env vars (default), 'user' for user-scoped OAuth\n\t */\n\tsource?: 'server' | 'user';\n\t/**\n\t * OAuth provider name for user-scoped credentials (e.g., 'github', 'google')\n\t * Required when source='user'. Used to look up user's OAuth token from AuthProvider.\n\t * Note: This is different from the 'provider' field which is for runtime credential providers.\n\t */\n\toauthProvider?: string;\n\t/** Runtime credential provider function name */\n\tprovider?: string;\n}\n\n/**\n * API Key authentication (in header or query param)\n */\nexport interface APIKeyAuthConfig extends BaseAuthConfig {\n\tscheme: 'apiKey';\n\t/** Where to send the API key */\n\tin: 'header' | 'query';\n\t/** Parameter/header name */\n\tname: string;\n}\n\n/**\n * Bearer token authentication\n */\nexport interface BearerAuthConfig extends BaseAuthConfig {\n\tscheme: 'bearer';\n\t/** Optional bearer format (e.g., 'JWT') */\n\tbearerFormat?: string;\n}\n\n/**\n * HTTP Basic authentication\n */\nexport interface BasicAuthConfig extends BaseAuthConfig {\n\tscheme: 'basic';\n\t/** Username (can use envVar for dynamic value) */\n\tusername?: string;\n\t/** Username environment variable */\n\tusernameEnvVar?: string;\n\t/** Password environment variable */\n\tpasswordEnvVar?: string;\n}\n\n/**\n * OAuth2 authentication with automatic token refresh\n */\nexport interface OAuth2AuthConfig extends BaseAuthConfig {\n\tscheme: 'oauth2';\n\t/** OAuth2 flow type */\n\tflow: 'clientCredentials' | 'authorizationCode' | 'implicit' | 'password';\n\t/** Token endpoint URL */\n\ttokenUrl: string;\n\t/** Authorization endpoint (for authorizationCode/implicit) */\n\tauthorizationUrl?: string;\n\t/** Client ID */\n\tclientId?: string;\n\t/** Client ID environment variable */\n\tclientIdEnvVar?: string;\n\t/** Client secret environment variable */\n\tclientSecretEnvVar?: string;\n\t/** Scopes required */\n\tscopes?: string[];\n\t/** Refresh token environment variable (for token refresh) */\n\trefreshTokenEnvVar?: string;\n}\n\n/**\n * Custom authentication with arbitrary headers\n */\nexport interface CustomAuthConfig extends BaseAuthConfig {\n\tscheme: 'custom';\n\t/** Custom headers to inject */\n\theaders: Record<string, string>;\n\t/** Environment variables to use for header values */\n\theaderEnvVars?: Record<string, string>;\n\t/** Query parameters to inject */\n\tqueryParams?: Record<string, string>;\n\t/** Environment variables to use for query parameter values */\n\tqueryParamEnvVars?: Record<string, string>;\n}\n\n/**\n * Composite authentication - combines multiple auth mechanisms\n * Useful for APIs that require multiple credentials (e.g., projectId + apiKey + secret)\n */\nexport interface CompositeAuthConfig extends BaseAuthConfig {\n\tscheme: 'composite';\n\t/**\n\t * Multiple credentials to combine\n\t * Example: { projectId: { envVar: 'PROJECT_ID' }, apiKey: { envVar: 'API_KEY' }, secret: { envVar: 'API_SECRET' } }\n\t */\n\tcredentials: Record<string, CredentialConfig>;\n\t/** How to inject credentials: 'header', 'query', or 'both' */\n\tinjectAs?: 'header' | 'query' | 'both';\n}\n\n/**\n * Individual credential configuration for composite auth\n */\nexport interface CredentialConfig {\n\t/** Environment variable to read from */\n\tenvVar?: string;\n\t/** Direct value (not recommended) */\n\tvalue?: string;\n\t/** Header name if injecting as header */\n\theaderName?: string;\n\t/** Query param name if injecting as query */\n\tqueryParamName?: string;\n\t/** Whether this credential is required */\n\trequired?: boolean;\n}\n\n/**\n * Union type of all auth configurations\n */\nexport type AuthConfig =\n\t| APIKeyAuthConfig\n\t| BearerAuthConfig\n\t| BasicAuthConfig\n\t| OAuth2AuthConfig\n\t| CustomAuthConfig\n\t| CompositeAuthConfig;\n\n/**\n * Runtime credential provider\n * Allows dynamic credential resolution at runtime\n */\nexport interface CredentialProvider {\n\tname: string;\n\t/** Resolves credentials dynamically */\n\tresolve: () => Promise<Credentials> | Credentials;\n}\n\n/**\n * Resolved credentials ready to be injected into requests\n */\nexport interface Credentials {\n\theaders?: Record<string, string>;\n\tqueryParams?: Record<string, string>;\n}\n\n/**\n * Credential resolver - resolves auth config to actual credentials\n */\nexport class CredentialResolver {\n\tprivate providers: Map<string, CredentialProvider> = new Map();\n\n\t/**\n\t * Registers a runtime credential provider\n\t */\n\tregisterProvider(provider: CredentialProvider): void {\n\t\tthis.providers.set(provider.name, provider);\n\t}\n\n\t/**\n\t * Resolves auth configuration to credentials\n\t */\n\tasync resolve(authConfig: AuthConfig): Promise<Credentials> {\n\t\tif (authConfig.provider) {\n\t\t\tconst provider = this.providers.get(authConfig.provider);\n\t\t\tif (!provider) {\n\t\t\t\tthrow new Error(`Credential provider '${authConfig.provider}' not found`);\n\t\t\t}\n\t\t\treturn await provider.resolve();\n\t\t}\n\n\t\tswitch (authConfig.scheme) {\n\t\t\tcase 'apiKey':\n\t\t\t\treturn this.resolveAPIKey(authConfig);\n\t\t\tcase 'bearer':\n\t\t\t\treturn this.resolveBearer(authConfig);\n\t\t\tcase 'basic':\n\t\t\t\treturn this.resolveBasic(authConfig);\n\t\t\tcase 'oauth2':\n\t\t\t\treturn this.resolveOAuth2(authConfig);\n\t\t\tcase 'custom':\n\t\t\t\treturn this.resolveCustom(authConfig);\n\t\t\tcase 'composite':\n\t\t\t\treturn this.resolveComposite(authConfig);\n\t\t\tdefault:\n\t\t\t\tthrow new Error(`Unsupported auth scheme: ${(authConfig as any).scheme}`);\n\t\t}\n\t}\n\n\tprivate resolveAPIKey(config: APIKeyAuthConfig): Credentials {\n\t\tconst value = this.getValue(config);\n\t\tif (!value) {\n\t\t\tthrow new Error(`API key not provided for '${config.name}'`);\n\t\t}\n\n\t\tif (config.in === 'header') {\n\t\t\treturn { headers: { [config.name]: value } };\n\t\t} else {\n\t\t\treturn { queryParams: { [config.name]: value } };\n\t\t}\n\t}\n\n\tprivate resolveBearer(config: BearerAuthConfig): Credentials {\n\t\tconst token = this.getValue(config);\n\t\tif (!token) {\n\t\t\tthrow new Error('Bearer token not provided');\n\t\t}\n\n\t\treturn {\n\t\t\theaders: {\n\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t},\n\t\t};\n\t}\n\n\tprivate resolveBasic(config: BasicAuthConfig): Credentials {\n\t\tconst username = config.usernameEnvVar ? process.env[config.usernameEnvVar] : config.username;\n\t\tconst password = config.passwordEnvVar\n\t\t\t? process.env[config.passwordEnvVar]\n\t\t\t: this.getValue(config);\n\n\t\tif (!username || !password) {\n\t\t\tthrow new Error('Basic auth username and password not provided');\n\t\t}\n\n\t\tconst credentials = Buffer.from(`${username}:${password}`).toString('base64');\n\t\treturn {\n\t\t\theaders: {\n\t\t\t\tAuthorization: `Basic ${credentials}`,\n\t\t\t},\n\t\t};\n\t}\n\n\tprivate async resolveOAuth2(config: OAuth2AuthConfig): Promise<Credentials> {\n\t\tconst clientId = config.clientIdEnvVar ? process.env[config.clientIdEnvVar] : config.clientId;\n\t\tconst clientSecret = config.clientSecretEnvVar\n\t\t\t? process.env[config.clientSecretEnvVar]\n\t\t\t: undefined;\n\n\t\tif (!clientId || !clientSecret) {\n\t\t\tthrow new Error('OAuth2 client credentials not provided');\n\t\t}\n\n\t\tif (config.flow === 'clientCredentials') {\n\t\t\tconst token = await this.fetchOAuth2Token(\n\t\t\t\tconfig.tokenUrl,\n\t\t\t\tclientId,\n\t\t\t\tclientSecret,\n\t\t\t\tconfig.scopes\n\t\t\t);\n\t\t\treturn {\n\t\t\t\theaders: {\n\t\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst token = this.getValue(config);\n\t\tif (token) {\n\t\t\treturn {\n\t\t\t\theaders: {\n\t\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tthrow new Error(`OAuth2 flow '${config.flow}' requires manual token setup`);\n\t}\n\n\tprivate resolveCustom(config: CustomAuthConfig): Credentials {\n\t\tconst headers: Record<string, string> = {};\n\t\tconst queryParams: Record<string, string> = {};\n\n\t\tObject.assign(headers, config.headers);\n\n\t\tif (config.headerEnvVars) {\n\t\t\tfor (const [headerName, envVar] of Object.entries(config.headerEnvVars)) {\n\t\t\t\tconst value = process.env[envVar];\n\t\t\t\tif (value) {\n\t\t\t\t\theaders[headerName] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (config.queryParams) {\n\t\t\tObject.assign(queryParams, config.queryParams);\n\t\t}\n\n\t\tif (config.queryParamEnvVars) {\n\t\t\tfor (const [paramName, envVar] of Object.entries(config.queryParamEnvVars)) {\n\t\t\t\tconst value = process.env[envVar];\n\t\t\t\tif (value) {\n\t\t\t\t\tqueryParams[paramName] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\theaders: Object.keys(headers).length > 0 ? headers : undefined,\n\t\t\tqueryParams: Object.keys(queryParams).length > 0 ? queryParams : undefined,\n\t\t};\n\t}\n\n\tprivate resolveComposite(config: CompositeAuthConfig): Credentials {\n\t\tconst headers: Record<string, string> = {};\n\t\tconst queryParams: Record<string, string> = {};\n\n\t\tfor (const [credName, credConfig] of Object.entries(config.credentials)) {\n\t\t\tconst value = credConfig.envVar ? process.env[credConfig.envVar] : credConfig.value;\n\n\t\t\tif (!value) {\n\t\t\t\tif (credConfig.required !== false) {\n\t\t\t\t\tthrow new Error(`Required credential '${credName}' not provided`);\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tconst injectAs = config.injectAs || 'header';\n\n\t\t\tif ((injectAs === 'header' || injectAs === 'both') && credConfig.headerName) {\n\t\t\t\theaders[credConfig.headerName] = value;\n\t\t\t}\n\n\t\t\tif ((injectAs === 'query' || injectAs === 'both') && credConfig.queryParamName) {\n\t\t\t\tqueryParams[credConfig.queryParamName] = value;\n\t\t\t}\n\n\t\t\tif (!credConfig.headerName && !credConfig.queryParamName) {\n\t\t\t\tif (injectAs === 'query' || injectAs === 'both') {\n\t\t\t\t\tqueryParams[credName] = value;\n\t\t\t\t} else {\n\t\t\t\t\theaders[`X-${credName}`] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\theaders: Object.keys(headers).length > 0 ? headers : undefined,\n\t\t\tqueryParams: Object.keys(queryParams).length > 0 ? queryParams : undefined,\n\t\t};\n\t}\n\n\t/**\n\t * Gets credential value from config (env var or direct value)\n\t */\n\tprivate getValue(config: BaseAuthConfig): string | undefined {\n\t\tif (config.envVar) {\n\t\t\treturn process.env[config.envVar];\n\t\t}\n\t\treturn config.value;\n\t}\n\n\t/**\n\t * Fetches OAuth2 token using client credentials flow\n\t */\n\tprivate async fetchOAuth2Token(\n\t\ttokenUrl: string,\n\t\tclientId: string,\n\t\tclientSecret: string,\n\t\tscopes?: string[]\n\t): Promise<string> {\n\t\tconst params = new URLSearchParams({\n\t\t\tgrant_type: 'client_credentials',\n\t\t\tclient_id: clientId,\n\t\t\tclient_secret: clientSecret,\n\t\t});\n\n\t\tif (scopes && scopes.length > 0) {\n\t\t\tparams.append('scope', scopes.join(' '));\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t},\n\t\t\tbody: params.toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`OAuth2 token fetch failed: ${response.statusText}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as { access_token: string };\n\t\treturn data.access_token;\n\t}\n}\n","/**\n * Provider interfaces for dependency injection\n * These allow users to inject their own implementations for cache, auth, and audit\n */\n\n/**\n * Cache provider interface\n * Allows pluggable caching backends (Memory, Redis, FileSystem, etc.)\n */\nexport interface CacheProvider {\n\t/** Provider name for identification */\n\tname: string;\n\n\t/** Get a value from cache */\n\tget<T>(key: string): Promise<T | null>;\n\n\t/** Set a value in cache with optional TTL (in seconds) */\n\tset(key: string, value: unknown, ttl?: number): Promise<void>;\n\n\t/** Delete a value from cache */\n\tdelete(key: string): Promise<void>;\n\n\t/** Check if a key exists in cache */\n\thas(key: string): Promise<boolean>;\n\n\t/** Clear cache entries matching a pattern (e.g., 'user:*') */\n\tclear(pattern?: string): Promise<void>;\n\n\t/** Get multiple values at once (optional, for performance) */\n\tmget?(keys: string[]): Promise<Array<unknown | null>>;\n\n\t/** Set multiple values at once (optional, for performance) */\n\tmset?(entries: Array<[string, unknown, number?]>): Promise<void>;\n\n\t/** Disconnect/cleanup (optional) */\n\tdisconnect?(): Promise<void>;\n}\n\n/**\n * User credential data stored per provider\n */\nexport interface UserCredentialData {\n\t/** Access token */\n\ttoken: string;\n\n\t/** OAuth scopes granted (if applicable) */\n\tscopes?: string[];\n\n\t/** Token expiration timestamp (milliseconds since epoch) */\n\texpiresAt?: number;\n\n\t/** Refresh token for automatic token refresh */\n\trefreshToken?: string;\n\n\t/** Additional provider-specific metadata */\n\tmetadata?: Record<string, unknown>;\n}\n\n/**\n * Auth provider interface\n * Allows pluggable credential storage (Env vars, AWS Secrets Manager, Vault, etc.)\n */\nexport interface AuthProvider {\n\t/** Provider name for identification */\n\tname: string;\n\n\t/** Get a credential by key (server-level credentials) */\n\tgetCredential(key: string): Promise<string | null>;\n\n\t/** Set a credential (for OAuth tokens, etc.) */\n\tsetCredential(key: string, value: string, ttl?: number): Promise<void>;\n\n\t/** Delete a credential */\n\tdeleteCredential(key: string): Promise<void>;\n\n\t/** List all credential keys (optional, for admin/debugging) */\n\tlistCredentials?(): Promise<string[]>;\n\n\t/**\n\t * Get user-scoped credential for a specific provider\n\t * @param userId - User identifier\n\t * @param provider - Provider name (e.g., 'github', 'google', 'stripe')\n\t * @returns User credential data or null if not found\n\t */\n\tgetUserCredential?(userId: string, provider: string): Promise<UserCredentialData | null>;\n\n\t/**\n\t * Set user-scoped credential for a specific provider\n\t * @param userId - User identifier\n\t * @param provider - Provider name\n\t * @param data - Credential data including token, scopes, etc.\n\t */\n\tsetUserCredential?(userId: string, provider: string, data: UserCredentialData): Promise<void>;\n\n\t/**\n\t * Delete user's credential for a specific provider\n\t * @param userId - User identifier\n\t * @param provider - Provider name\n\t */\n\tdeleteUserCredential?(userId: string, provider: string): Promise<void>;\n\n\t/**\n\t * List all providers a user has connected\n\t * @param userId - User identifier\n\t * @returns Array of provider names\n\t */\n\tlistUserProviders?(userId: string): Promise<string[]>;\n\n\t/** Disconnect/cleanup (optional) */\n\tdisconnect?(): Promise<void>;\n}\n\n/**\n * Audit event structure\n * Comprehensive logging of all operations for security and compliance\n */\nexport interface AuditEvent {\n\teventId: string;\n\ttimestamp: number;\n\n\tclientId: string;\n\tuserId?: string;\n\tipAddress?: string;\n\tuserAgent?: string;\n\n\teventType: 'execution' | 'tool_call' | 'llm_call' | 'approval' | 'auth' | 'error' | 'client_init';\n\taction: string;\n\tresource?: string;\n\tresourceId?: string;\n\n\tcode?: string;\n\ttoolName?: string;\n\tapiGroup?: string;\n\tinput?: unknown;\n\toutput?: unknown;\n\terror?: {\n\t\tmessage: string;\n\t\tcode?: string;\n\t\tstack?: string;\n\t};\n\n\tsecurityEvents?: string[];\n\triskScore?: number;\n\tannotations?: Record<string, unknown>;\n\n\tduration?: number;\n\tmemoryUsed?: number;\n\tllmCallsCount?: number;\n\thttpCallsCount?: number;\n\n\tstatus: 'success' | 'failed' | 'timeout' | 'cancelled' | 'paused';\n\n\tmetadata?: Record<string, unknown>;\n}\n\n/**\n * Audit filter for querying events\n */\nexport interface AuditFilter {\n\tclientId?: string;\n\tuserId?: string;\n\teventType?: string | string[];\n\tfrom?: number;\n\tto?: number;\n\tresource?: string;\n\tstatus?: string | string[];\n\tminRiskScore?: number;\n\tlimit?: number;\n\toffset?: number;\n}\n\n/**\n * Audit sink interface\n * Allows pluggable audit destinations (JSONL, PostgreSQL, Elasticsearch, S3, etc.)\n */\nexport interface AuditSink {\n\t/** Sink name for identification */\n\tname: string;\n\n\t/** Write a single audit event */\n\twrite(event: AuditEvent): Promise<void>;\n\n\t/** Write multiple audit events (for performance) */\n\twriteBatch(events: AuditEvent[]): Promise<void>;\n\n\t/** Query audit events (optional, for queryable sinks) */\n\tquery?(filter: AuditFilter): Promise<AuditEvent[]>;\n\n\t/** Disconnect/cleanup (optional) */\n\tdisconnect?(): Promise<void>;\n}\n\n/**\n * Multi-sink audit wrapper\n * Allows writing to multiple audit sinks simultaneously\n */\nexport class MultiAuditSink implements AuditSink {\n\tname = 'multi';\n\tprivate sinks: AuditSink[];\n\n\tconstructor(sinks: AuditSink[]) {\n\t\tthis.sinks = sinks;\n\t}\n\n\tasync write(event: AuditEvent): Promise<void> {\n\t\tawait Promise.all(this.sinks.map((sink) => sink.write(event)));\n\t}\n\n\tasync writeBatch(events: AuditEvent[]): Promise<void> {\n\t\tawait Promise.all(this.sinks.map((sink) => sink.writeBatch(events)));\n\t}\n\n\tasync query(filter: AuditFilter): Promise<AuditEvent[]> {\n\t\tfor (const sink of this.sinks) {\n\t\t\tif (sink.query) {\n\t\t\t\treturn await sink.query(filter);\n\t\t\t}\n\t\t}\n\t\tthrow new Error('No queryable audit sink available');\n\t}\n\n\tasync disconnect(): Promise<void> {\n\t\tawait Promise.all(\n\t\t\tthis.sinks.map((sink) => (sink.disconnect ? sink.disconnect() : Promise.resolve()))\n\t\t);\n\t}\n}\n"]}
package/package.json CHANGED
@@ -1,14 +1,16 @@
1
1
  {
2
2
  "name": "@mondaydotcomorg/atp-protocol",
3
- "version": "0.19.7",
3
+ "version": "0.19.8",
4
4
  "description": "Core protocol types and interfaces for Agent Tool Protocol",
5
5
  "type": "module",
6
- "main": "./dist/index.js",
6
+ "main": "./dist/index.cjs",
7
+ "module": "./dist/index.js",
7
8
  "types": "./dist/index.d.ts",
8
9
  "exports": {
9
10
  ".": {
10
11
  "types": "./dist/index.d.ts",
11
- "import": "./dist/index.js"
12
+ "import": "./dist/index.js",
13
+ "require": "./dist/index.cjs"
12
14
  }
13
15
  },
14
16
  "files": [
@@ -16,7 +18,8 @@
16
18
  "src"
17
19
  ],
18
20
  "scripts": {
19
- "build": "tsc -p tsconfig.json",
21
+ "build": "npx tsc --build tsconfig.json && tsup",
22
+ "build:tsc": "tsc -p tsconfig.json",
20
23
  "dev": "tsc -p tsconfig.json --watch",
21
24
  "clean": "rm -rf dist *.tsbuildinfo",
22
25
  "test": "vitest run",
@@ -37,7 +40,7 @@
37
40
  },
38
41
  "license": "MIT",
39
42
  "dependencies": {
40
- "@mondaydotcomorg/atp-provenance": "0.19.7"
43
+ "@mondaydotcomorg/atp-provenance": "0.19.8"
41
44
  },
42
45
  "peerDependencies": {
43
46
  "zod": "^3.25.0"
@@ -46,6 +49,7 @@
46
49
  "access": "public"
47
50
  },
48
51
  "devDependencies": {
52
+ "tsup": "^8.5.1",
49
53
  "typescript": "^5.3.3",
50
54
  "vitest": "^1.2.1",
51
55
  "zod": "^3.25.0"