npm - @newhomestar/sdk - Versions diffs - 0.7.18 → 0.7.20 - Mend

@newhomestar/sdk 0.7.18 → 0.7.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/credentials.d.ts CHANGED Viewed

@@ -6,25 +6,13 @@ export interface ResolvedCredentials {
     accessToken: string;
     /** When the token expires */
     expiresAt: Date;
-    /** The app_integrations.id UUID */
+    /** The app_integrations.id UUID (or "http:{slug}" in HTTP mode) */
     integrationId: string;
     /** Auth mode used */
     authMode: AuthMode;
     /** mTLS agent (if auth_mode = 'mtls') — use for ALL API requests to that provider */
     httpsAgent?: https.Agent;
 }
-export interface IntegrationConfig {
-    id: string;
-    slug: string;
-    name: string;
-    auth_mode: AuthMode;
-    client_id: string | null;
-    client_secret_vault_id: string | null;
-    token_endpoint: string | null;
-    mtls_cert_vault_id: string | null;
-    mtls_key_vault_id: string | null;
-    is_active: boolean;
-}
 export declare class IntegrationNotFoundError extends Error {
     constructor(slug: string);
 }
@@ -43,6 +31,9 @@ export declare class TokenExchangeError extends Error {
 /**
  * Creates / returns the singleton Platform DB client.
  * Reads from PLATFORM_SUPABASE_URL + PLATFORM_SUPABASE_SERVICE_ROLE_KEY.
+ *
+ * NOTE: This client is used exclusively for PGMQ event emission (emitPlatformEvent).
+ * Credential resolution uses the HTTP callback strategy (AUTH_ISSUER_BASE_URL).
  */
 export declare function createPlatformClient(): SupabaseClient;
 /**
@@ -52,19 +43,32 @@ export declare function createPlatformClient(): SupabaseClient;
  */
 export declare function clearTokenCache(slug: string, userId?: string): void;
 /**
- * Resolves an access token for an integration, handling all auth modes.
+ * Resolve credentials for an integration using the HTTP callback strategy.
  *
- * Flow:
- * 1. Look up integration config from app_integrations (by slug)
- * 2. Check auth_mode → route to server or user flow
- * 3. Check in-memory cache → DB (user_app_connections) → exchange if needed
- * 4. Cache the result and return
+ * Resolution order:
+ * 1. In-memory cache (hot path — no I/O)
+ * 2. Client-side refresh_token grant (if refresh metadata is cached)
+ * 3. Fetch decrypted credentials from the auth server via HTTP
+ * 4. OAuth token exchange (client_credentials / mTLS)
+ * 5. Cache result + refresh metadata in memory
  *
- * @param platformDB  - Platform Supabase client (project-starfleet-auth)
- * @param slug        - Integration slug (e.g., 'adp', 'salesforce')
- * @param userId      - User ID for standard OAuth; optional for server flows
+ * @param authBaseUrl - Auth server base URL (AUTH_ISSUER_BASE_URL)
+ * @param slug        - Integration slug (e.g., "jira", "adp")
+ * @param bearerToken - JWT from the inbound request (to authenticate with auth server)
+ * @param userId      - Optional user ID for cache key differentiation (standard auth flows)
+ * @param options     - forceRefresh: true → skip cache + signal auth server to refresh
  */
-export declare function resolveCredentials(platformDB: SupabaseClient, slug: string, userId?: string): Promise<ResolvedCredentials>;
+export declare function resolveCredentialsViaHttp(authBaseUrl: string, slug: string, bearerToken: string, userId?: string, options?: {
+    forceRefresh?: boolean;
+}): Promise<ResolvedCredentials>;
+/**
+ * Detect which credential resolution strategy to use.
+ * Returns 'http' if AUTH_ISSUER_BASE_URL is set, or 'none' if not configured.
+ *
+ * NOTE: The legacy 'db' strategy (PLATFORM_SUPABASE_*) has been removed.
+ * All credential resolution now goes through the HTTP callback strategy.
+ */
+export declare function detectCredentialStrategy(): "http" | "none";
 /**
  * Generic mTLS-aware fetch for integration API calls.
  * If the resolved credentials include an httpsAgent (mTLS), uses node:https.
@@ -80,28 +84,8 @@ export declare function integrationFetch(url: string, credentials: ResolvedCrede
 /**
  * Emit a PGMQ event to the platform database.
  * Used for cross-service communication (e.g., sync complete, webhook received).
- */
-export declare function emitPlatformEvent(platformDB: SupabaseClient, topic: string, integrationSlug: string, payload: Record<string, unknown>): Promise<void>;
-/**
- * Resolve credentials for an integration using the HTTP callback strategy.
  *
- * This is the main entry point for Strategy B. It:
- * 1. Checks the in-memory cache
- * 2. Fetches decrypted credentials from the auth server via HTTP
- * 3. Performs the OAuth token exchange (client_credentials or mTLS)
- * 4. Caches the resulting access token in memory
- *
- * @param authBaseUrl - Auth server base URL
- * @param slug        - Integration slug
- * @param bearerToken - JWT to authenticate with the auth server
- * @param userId      - Optional user ID (for cache key differentiation)
+ * NOTE: This uses the platform Supabase client (PLATFORM_SUPABASE_*), which is
+ * separate from credential resolution. Credential resolution uses HTTP (AUTH_ISSUER_BASE_URL).
  */
-export declare function resolveCredentialsViaHttp(authBaseUrl: string, slug: string, bearerToken: string, userId?: string, options?: {
-    forceRefresh?: boolean;
-}): Promise<ResolvedCredentials>;
-/**
- * Detect which credential resolution strategy to use.
- * Returns 'db' if PLATFORM_SUPABASE_* are available, 'http' if AUTH_ISSUER_BASE_URL
- * is set, or 'none' if neither is configured.
- */
-export declare function detectCredentialStrategy(): "db" | "http" | "none";
+export declare function emitPlatformEvent(platformDB: SupabaseClient, topic: string, integrationSlug: string, payload: Record<string, unknown>): Promise<void>;

package/dist/credentials.js CHANGED Viewed

@@ -6,14 +6,15 @@
 //   - 'client_credentials' → client_credentials grant (server-to-server)
 //   - 'standard'           → authorization_code (per-user OAuth redirect)
 //
-// Two credential resolution strategies:
-//   A. Direct DB (PLATFORM_SUPABASE_*) — container has direct DB access
-//   B. HTTP callback (AUTH_ISSUER_BASE_URL) — container calls auth server with JWT
+// Credential resolution strategy:
+//   HTTP callback (AUTH_ISSUER_BASE_URL) — container calls auth server with JWT
+//   The container receives a JWT from the inbound request, forwards it to the
+//   auth server, which decrypts credentials from Vault and returns them.
 //
-// Tokens are cached:
+// Tokens are cached in-memory with client-side refresh_token support:
 //   1. In-memory Map (hot path — no I/O)
-//   2. user_app_connections DB rows (durable — vault-encrypted) [strategy A only]
-//   3. Fresh token exchange (cold path — network + vault I/O)
+//   2. Client-side refresh_token grant (if refresh metadata is cached)
+//   3. Fresh credentials fetch from auth server + token exchange (cold path)
 //
 // Every integration gets this for free via ctx.resolveCredentials() / ctx.fetch().
 import { createClient } from "@supabase/supabase-js";
@@ -54,6 +55,9 @@ let _platformClient = null;
 /**
  * Creates / returns the singleton Platform DB client.
  * Reads from PLATFORM_SUPABASE_URL + PLATFORM_SUPABASE_SERVICE_ROLE_KEY.
+ *
+ * NOTE: This client is used exclusively for PGMQ event emission (emitPlatformEvent).
+ * Credential resolution uses the HTTP callback strategy (AUTH_ISSUER_BASE_URL).
  */
 export function createPlatformClient() {
     if (!_platformClient) {
@@ -90,78 +94,45 @@ export function clearTokenCache(slug, userId) {
 }
 function getCachedToken(key) {
     const cached = _tokenCache.get(key);
-    if (!cached)
+    if (!cached) {
+        console.log(`[nova-sdk] 💭 Cache miss for key="${key}"`);
         return null;
+    }
     if (new Date().getTime() >= cached.expiresAt.getTime() - TOKEN_EXPIRY_BUFFER_MS) {
-        console.log(`[nova-sdk] 🔄 In-memory cached token expired for ${key}`);
+        console.log(`[nova-sdk] 🔄 In-memory cached token expired for key="${key}" (expired at ${cached.expiresAt.toISOString()})`);
         _tokenCache.delete(key);
         return null;
     }
+    console.log(`[nova-sdk] ⚡ Cache hit for key="${key}" (expires ${cached.expiresAt.toISOString()})`);
     return cached;
 }
-// ─── Vault Helpers ──────────────────────────────────────────────────────────
-async function getVaultSecret(platformDB, vaultId, label) {
-    if (!vaultId)
-        return null;
-    console.log(`[nova-sdk] 🔐 Reading vault secret: ${label} (${vaultId.slice(0, 8)}...)`);
-    const { data, error } = await platformDB.rpc("get_vault_secret", { p_id: vaultId });
-    if (error) {
-        if (error.code === "PGRST116")
-            return null;
-        throw new Error(`[nova-sdk] Vault read failed for ${label}: ${error.message}`);
-    }
-    return data ?? null;
-}
-async function storeVaultSecret(platformDB, name, value, description) {
-    console.log(`[nova-sdk] 🔐 Storing vault secret: ${name}`);
-    const { data, error } = await platformDB.rpc("create_vault_secret", {
-        p_secret: value,
-        p_name: name,
-        p_description: description ?? `Nova integration credential: ${name}`,
-    });
-    if (error) {
-        throw new Error(`[nova-sdk] Vault store failed for ${name}: ${error.message}`);
-    }
-    return data;
-}
-async function updateVaultSecret(platformDB, vaultId, newValue) {
-    const { error } = await platformDB.rpc("update_vault_secret", {
-        p_id: vaultId,
-        p_secret: newValue,
-    });
-    if (error) {
-        throw new Error(`[nova-sdk] Vault update failed for ${vaultId}: ${error.message}`);
-    }
-}
-// ─── mTLS Agent Builder ─────────────────────────────────────────────────────
+// ─── mTLS Agent Cache ───────────────────────────────────────────────────────
 // Cache mTLS agents per integration slug (cert/key don't change during container lifetime)
 const _mtlsAgents = new Map();
-async function buildMtlsAgent(platformDB, config) {
-    const existing = _mtlsAgents.get(config.slug);
+/**
+ * Build an mTLS agent from PEM strings (received via HTTP, not from vault).
+ * Cached per slug — cert/key don't change during container lifetime.
+ */
+function buildMtlsAgentFromPem(slug, certPem, keyPem) {
+    const existing = _mtlsAgents.get(slug);
     if (existing)
         return existing;
-    if (!config.mtls_cert_vault_id || !config.mtls_key_vault_id) {
-        throw new CredentialsNotConfiguredError(config.slug, "mTLS cert and/or key not stored in vault. Upload PEM files via admin dashboard.");
-    }
-    const [certPem, keyPem] = await Promise.all([
-        getVaultSecret(platformDB, config.mtls_cert_vault_id, "mtls_cert"),
-        getVaultSecret(platformDB, config.mtls_key_vault_id, "mtls_key"),
-    ]);
-    if (!certPem || !keyPem) {
-        throw new CredentialsNotConfiguredError(config.slug, "mTLS cert or key vault entries are empty. Re-upload PEM files.");
-    }
-    console.log(`[nova-sdk] 🔒 Built mTLS agent for "${config.slug}" (cert: ${certPem.length} bytes, key: ${keyPem.length} bytes)`);
+    console.log(`[nova-sdk] 🔒 Built mTLS agent for "${slug}" from HTTP response (cert: ${certPem.length} bytes, key: ${keyPem.length} bytes)`);
     const agent = new https.Agent({ cert: certPem, key: keyPem, keepAlive: true });
-    _mtlsAgents.set(config.slug, agent);
+    _mtlsAgents.set(slug, agent);
     return agent;
 }
 async function performTokenExchange(slug, params) {
-    const { tokenEndpoint, clientId, clientSecret, httpsAgent, grantType = "client_credentials", } = params;
+    const { tokenEndpoint, clientId, clientSecret, httpsAgent, grantType = "client_credentials", refreshToken, } = params;
     const body = new URLSearchParams({
         grant_type: grantType,
         client_id: clientId,
         client_secret: clientSecret,
     });
+    if (grantType === "refresh_token" && refreshToken) {
+        body.set("refresh_token", refreshToken);
+    }
+    console.log(`[nova-sdk] 🔄 Token exchange: grant_type=${grantType} endpoint=${tokenEndpoint} slug="${slug}"`);
     // For mTLS, we must use node:https directly because global fetch()
     // doesn't support custom TLS agents.
     if (httpsAgent) {
@@ -218,311 +189,285 @@ async function performTokenExchange(slug, params) {
     }
     return res.json();
 }
-// ─── Main: resolveCredentials() ─────────────────────────────────────────────
+// ─── Client-Side Refresh Grant ──────────────────────────────────────────────
 /**
- * Resolves an access token for an integration, handling all auth modes.
+ * Attempt a client-side refresh_token grant using cached refresh metadata.
+ * Returns null if refresh metadata is not available (caller should fall through
+ * to fetching fresh credentials from the auth server).
  *
- * Flow:
- * 1. Look up integration config from app_integrations (by slug)
- * 2. Check auth_mode → route to server or user flow
- * 3. Check in-memory cache → DB (user_app_connections) → exchange if needed
- * 4. Cache the result and return
- *
- * @param platformDB  - Platform Supabase client (project-starfleet-auth)
- * @param slug        - Integration slug (e.g., 'adp', 'salesforce')
- * @param userId      - User ID for standard OAuth; optional for server flows
+ * This avoids a round-trip to the auth server when we already have a valid
+ * refresh token — reducing latency and auth server load.
  */
-export async function resolveCredentials(platformDB, slug, userId) {
-    console.log(`[nova-sdk] 🔑 Resolving credentials for "${slug}" (userId: ${userId ?? "system"})`);
-    // ── Step 1: Look up integration config ────────────────────────────────
-    const { data: integration, error: intError } = await platformDB
-        .from("app_integrations")
-        .select("id, slug, name, auth_mode, client_id, client_secret_vault_id, token_endpoint, mtls_cert_vault_id, mtls_key_vault_id, is_active")
-        .eq("slug", slug)
-        .single();
-    if (intError || !integration) {
-        console.error(`[nova-sdk] ❌ Integration "${slug}" not found:`, intError?.message);
-        throw new IntegrationNotFoundError(slug);
+async function performRefreshGrant(slug, cacheKey, cachedEntry) {
+    const { refreshToken, tokenEndpoint, clientId, clientSecret, httpsAgent, authMode } = cachedEntry;
+    if (!refreshToken || !tokenEndpoint || !clientId || !clientSecret) {
+        console.log(`[nova-sdk] 💭 No refresh metadata cached for "${slug}" — skipping client-side refresh`);
+        return null;
     }
-    if (!integration.is_active) {
-        console.error(`[nova-sdk] ❌ Integration "${slug}" is disabled`);
-        throw new IntegrationDisabledError(slug);
+    console.log(`[nova-sdk] 🔄 Attempting client-side refresh_token grant for "${slug}" (endpoint: ${tokenEndpoint})`);
+    try {
+        const tokenResponse = await performTokenExchange(slug, {
+            tokenEndpoint,
+            clientId,
+            clientSecret,
+            httpsAgent,
+            grantType: "refresh_token",
+            refreshToken,
+        });
+        const expiresAt = new Date(Date.now() + tokenResponse.expires_in * 1000);
+        const effectiveAuthMode = authMode ?? "client_credentials";
+        console.log(`[nova-sdk] ✅ Client-side refresh successful for "${slug}" — expires ${expiresAt.toISOString()} (${tokenResponse.expires_in}s)`);
+        // Update cache with new access token (and new refresh token if rotated)
+        _tokenCache.set(cacheKey, {
+            accessToken: tokenResponse.access_token,
+            expiresAt,
+            httpsAgent,
+            authMode: effectiveAuthMode,
+            refreshToken: tokenResponse.refresh_token ?? refreshToken, // use new RT if provider rotated it
+            tokenEndpoint,
+            clientId,
+            clientSecret,
+        });
+        return {
+            accessToken: tokenResponse.access_token,
+            expiresAt,
+            integrationId: `http:${slug}`,
+            authMode: effectiveAuthMode,
+            httpsAgent,
+        };
     }
-    const config = integration;
-    console.log(`[nova-sdk] 📋 Integration: ${config.name} | auth_mode=${config.auth_mode} | id=${config.id}`);
-    // ── Step 2: Route by auth_mode ────────────────────────────────────────
-    switch (config.auth_mode) {
-        case "mtls":
-        case "client_credentials":
-            return resolveServerCredentials(platformDB, config, userId);
-        case "standard":
-            if (!userId) {
-                throw new Error(`[nova-sdk] userId is required for standard OAuth (authorization_code) flow on "${slug}"`);
-            }
-            return resolveUserCredentials(platformDB, config, userId);
-        default:
-            throw new Error(`[nova-sdk] Unknown auth_mode: ${config.auth_mode}`);
+    catch (err) {
+        console.warn(`[nova-sdk] ⚠️ Client-side refresh failed for "${slug}": ${err.message} — will re-fetch from auth server`);
+        // Clear stale cached entry so we fall through to auth server fetch
+        _tokenCache.delete(cacheKey);
+        return null;
     }
 }
-// ─── Server Credentials (client_credentials / mTLS) ─────────────────────────
-async function resolveServerCredentials(platformDB, config, userId) {
-    const effectiveUserId = userId ?? SYSTEM_USER_ID;
-    const cacheKey = getCacheKey(config.slug, effectiveUserId);
-    // ── Check in-memory cache ─────────────────────────────────────────────
-    const cached = getCachedToken(cacheKey);
-    if (cached) {
-        console.log(`[nova-sdk] ⚡ Using in-memory cached token (expires ${cached.expiresAt.toISOString()})`);
-        return {
-            accessToken: cached.accessToken,
-            expiresAt: cached.expiresAt,
-            integrationId: config.id,
-            authMode: config.auth_mode,
-            httpsAgent: cached.httpsAgent,
-        };
+/**
+ * Fetch integration credentials from the auth server over HTTP.
+ * Requires a valid JWT Bearer token (the same one that authenticated the
+ * inbound request to this container).
+ *
+ * @param authBaseUrl  - Auth server base URL (e.g., "http://localhost:3001")
+ * @param slug         - Integration slug (e.g., "adp")
+ * @param bearerToken  - JWT to forward as Authorization header
+ * @param forceRefresh - When true, sends X-Nova-Token-Invalid: true to trigger a forced refresh on the auth server
+ */
+async function fetchCredentialsFromAuthServer(authBaseUrl, slug, bearerToken, forceRefresh = false) {
+    const url = `${authBaseUrl}/api/integrations/${encodeURIComponent(slug)}/credentials`;
+    console.log(`[nova-sdk] 🌐 Fetching credentials via HTTP: GET ${url}${forceRefresh ? " (force-refresh)" : ""}`);
+    const headers = {
+        Authorization: `Bearer ${bearerToken}`,
+        Accept: "application/json",
+    };
+    // Signal the auth server to discard its stored token and force a fresh exchange
+    if (forceRefresh) {
+        headers["X-Nova-Token-Invalid"] = "true";
+        console.log(`[nova-sdk] 🚨 Sending X-Nova-Token-Invalid: true — auth server will discard cached token`);
     }
-    // ── Check DB cache (user_app_connections) ─────────────────────────────
-    const { data: existingConn } = await platformDB
-        .from("user_app_connections")
-        .select("id, access_token_vault_id, refresh_token_vault_id, token_expires_at, is_active")
-        .eq("integration_id", config.id)
-        .eq("user_id", effectiveUserId)
-        .eq("is_active", true)
-        .single();
-    if (existingConn?.access_token_vault_id && existingConn.token_expires_at) {
-        const expiresAt = new Date(existingConn.token_expires_at);
-        const now = new Date();
-        if (expiresAt.getTime() - TOKEN_EXPIRY_BUFFER_MS > now.getTime()) {
-            console.log(`[nova-sdk] 📦 Found valid cached token in DB (expires ${expiresAt.toISOString()})`);
-            const accessToken = await getVaultSecret(platformDB, existingConn.access_token_vault_id, "cached_access_token");
-            if (accessToken) {
-                const httpsAgent = config.auth_mode === "mtls"
-                    ? await buildMtlsAgent(platformDB, config)
-                    : undefined;
-                _tokenCache.set(cacheKey, { accessToken, expiresAt, httpsAgent });
-                return {
-                    accessToken,
-                    expiresAt,
-                    integrationId: config.id,
-                    authMode: config.auth_mode,
-                    httpsAgent,
-                };
-            }
-            console.warn(`[nova-sdk] ⚠️ Vault secret missing for cached token — will re-exchange`);
+    const res = await fetch(url, { method: "GET", headers });
+    if (!res.ok) {
+        const errBody = await res.text().catch(() => "");
+        console.error(`[nova-sdk] ❌ Credential fetch failed for "${slug}": HTTP ${res.status}`, errBody.slice(0, 300));
+        if (res.status === 401) {
+            throw new Error(`[nova-sdk] Auth server rejected JWT for credential fetch (401). ` +
+                `Ensure the JWT is valid and signed by the auth server. ${errBody}`);
+        }
+        if (res.status === 404) {
+            throw new IntegrationNotFoundError(slug);
+        }
+        throw new Error(`[nova-sdk] Credential fetch failed: HTTP ${res.status} ${errBody.slice(0, 300)}`);
+    }
+    const data = (await res.json());
+    console.log(`[nova-sdk] ✅ Received credentials for "${slug}" via HTTP (authMode: ${data.authMode}, hasAccessToken: ${!!data.accessToken}, hasRefreshToken: ${!!data.refreshToken})`);
+    return data;
+}
+/**
+ * Resolve credentials for an integration using the HTTP callback strategy.
+ *
+ * Resolution order:
+ * 1. In-memory cache (hot path — no I/O)
+ * 2. Client-side refresh_token grant (if refresh metadata is cached)
+ * 3. Fetch decrypted credentials from the auth server via HTTP
+ * 4. OAuth token exchange (client_credentials / mTLS)
+ * 5. Cache result + refresh metadata in memory
+ *
+ * @param authBaseUrl - Auth server base URL (AUTH_ISSUER_BASE_URL)
+ * @param slug        - Integration slug (e.g., "jira", "adp")
+ * @param bearerToken - JWT from the inbound request (to authenticate with auth server)
+ * @param userId      - Optional user ID for cache key differentiation (standard auth flows)
+ * @param options     - forceRefresh: true → skip cache + signal auth server to refresh
+ */
+export async function resolveCredentialsViaHttp(authBaseUrl, slug, bearerToken, userId, options) {
+    const effectiveUserId = userId ?? SYSTEM_USER_ID;
+    const cacheKey = getCacheKey(slug, effectiveUserId);
+    const forceRefresh = options?.forceRefresh ?? false;
+    console.log(`[nova-sdk] 🔑 resolveCredentialsViaHttp: slug="${slug}" userId="${effectiveUserId}" forceRefresh=${forceRefresh} authBaseUrl="${authBaseUrl}"`);
+    // ── Step 1: Check in-memory cache (skip on forceRefresh) ─────────────
+    if (!forceRefresh) {
+        const cached = getCachedToken(cacheKey);
+        if (cached) {
+            const cachedAuthMode = cached.authMode ?? (cached.httpsAgent ? "mtls" : "client_credentials");
+            console.log(`[nova-sdk] ⚡ Cache hit for "${slug}" — returning cached token (authMode: ${cachedAuthMode}, expires: ${cached.expiresAt.toISOString()})`);
+            return {
+                accessToken: cached.accessToken,
+                expiresAt: cached.expiresAt,
+                integrationId: `http:${slug}`,
+                authMode: cachedAuthMode,
+                httpsAgent: cached.httpsAgent,
+            };
         }
-        else {
-            console.log(`[nova-sdk] 🔄 Cached token expired (was ${expiresAt.toISOString()}) — re-exchanging`);
+        // ── Step 2: Try client-side refresh_token grant ───────────────────
+        // The cached entry was evicted (expired), but it may have left refresh metadata
+        // behind if we stored it before eviction. Check the map directly (bypassing
+        // the expiry check) to get refresh metadata from the evicted entry.
+        // Actually, since getCachedToken deletes the entry on expiry, we need to
+        // try a refresh using data we stored before the eviction. If the map no
+        // longer has the entry, we fall through to the auth server.
+        //
+        // Alternative: keep an expired entry temporarily for refresh metadata.
+        // For simplicity, we store a "refresh-only" entry under a separate key.
+        const refreshKey = `${cacheKey}:refresh`;
+        const refreshEntry = _tokenCache.get(refreshKey);
+        if (refreshEntry) {
+            console.log(`[nova-sdk] 🔄 Found refresh metadata for "${slug}" — attempting client-side refresh`);
+            const refreshed = await performRefreshGrant(slug, cacheKey, refreshEntry);
+            if (refreshed) {
+                // Store updated refresh metadata under the refresh key too
+                const updatedEntry = _tokenCache.get(cacheKey);
+                if (updatedEntry) {
+                    _tokenCache.set(refreshKey, {
+                        ...updatedEntry,
+                        // Extend expiry of refresh key far out (refresh tokens are long-lived)
+                        expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
+                    });
+                }
+                return refreshed;
+            }
+            // Refresh failed — fall through to auth server
+            _tokenCache.delete(refreshKey);
         }
     }
     else {
-        console.log(`[nova-sdk] 📭 No cached token found in DB — performing initial token exchange`);
+        // Force refresh — clear cache and refresh entry
+        _tokenCache.delete(cacheKey);
+        _tokenCache.delete(`${cacheKey}:refresh`);
+        console.log(`[nova-sdk] 🗑️  Force refresh: cleared cache for "${slug}" (key=${cacheKey})`);
     }
-    // ── Exchange for new token ────────────────────────────────────────────
-    return exchangeAndCacheServerToken(platformDB, config, effectiveUserId, existingConn?.id);
-}
-async function exchangeAndCacheServerToken(platformDB, config, userId, existingConnectionId) {
-    // Validate required fields
-    if (!config.client_id) {
-        throw new CredentialsNotConfiguredError(config.slug, "client_id is not set");
+    // ── Step 3: Fetch credentials from auth server ────────────────────────
+    console.log(`[nova-sdk] 📡 Fetching fresh credentials from auth server for "${slug}"`);
+    const creds = await fetchCredentialsFromAuthServer(authBaseUrl, slug, bearerToken, forceRefresh);
+    // ── Step 3b: Standard auth — use pre-resolved access token ───────────
+    if (creds.authMode === "standard") {
+        if (creds.accessToken) {
+            const expiresAt = creds.expiresAt
+                ? new Date(creds.expiresAt)
+                : new Date(Date.now() + 3600 * 1000); // default 1h if not provided
+            console.log(`[nova-sdk] ✅ Standard auth: using pre-resolved access token for "${slug}" — expires ${expiresAt.toISOString()}`);
+            // Cache access token
+            const cacheEntry = {
+                accessToken: creds.accessToken,
+                expiresAt,
+                authMode: "standard",
+                // Cache refresh metadata if provided — enables client-side refresh next time
+                refreshToken: creds.refreshToken ?? undefined,
+                tokenEndpoint: creds.tokenEndpoint ?? undefined,
+                clientId: creds.clientId ?? undefined,
+                clientSecret: creds.clientSecret ?? undefined,
+            };
+            _tokenCache.set(cacheKey, cacheEntry);
+            // Also store refresh metadata in the long-lived refresh key
+            if (creds.refreshToken && creds.tokenEndpoint) {
+                _tokenCache.set(`${cacheKey}:refresh`, {
+                    ...cacheEntry,
+                    expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
+                });
+                console.log(`[nova-sdk] 💾 Cached refresh metadata for "${slug}" (standard auth)`);
+            }
+            return {
+                accessToken: creds.accessToken,
+                expiresAt,
+                integrationId: `http:${slug}`,
+                authMode: "standard",
+            };
+        }
+        // Standard auth but no access token returned — user hasn't authorized yet
+        console.error(`[nova-sdk] ❌ Standard auth: no access token returned for "${slug}" — user must authorize via OAuth popup`);
+        throw new ConnectionNotFoundError(slug, `${effectiveUserId} (no stored access token — user must authorize via OAuth popup first)`);
     }
-    if (!config.client_secret_vault_id) {
-        throw new CredentialsNotConfiguredError(config.slug, "client_secret is not stored in vault");
+    // ── Step 4: Validate required fields (client_credentials / mTLS only) ──
+    if (!creds.clientId) {
+        throw new CredentialsNotConfiguredError(slug, "client_id is not set");
     }
-    if (!config.token_endpoint) {
-        throw new CredentialsNotConfiguredError(config.slug, "token_endpoint is not set");
+    if (!creds.clientSecret) {
+        throw new CredentialsNotConfiguredError(slug, "client_secret not available");
     }
-    // Decrypt client_secret from vault
-    const clientSecret = await getVaultSecret(platformDB, config.client_secret_vault_id, "client_secret");
-    if (!clientSecret) {
-        throw new CredentialsNotConfiguredError(config.slug, "client_secret vault entry is empty");
+    if (!creds.tokenEndpoint) {
+        throw new CredentialsNotConfiguredError(slug, "token_endpoint is not set");
     }
-    // Build mTLS agent if needed
+    console.log(`[nova-sdk] 🔧 Credentials received: authMode=${creds.authMode} clientId=${creds.clientId?.slice(0, 8)}... tokenEndpoint=${creds.tokenEndpoint}`);
+    // ── Step 5: Build mTLS agent if needed ────────────────────────────────
     let httpsAgent;
-    if (config.auth_mode === "mtls") {
-        httpsAgent = await buildMtlsAgent(platformDB, config);
+    if (creds.authMode === "mtls") {
+        if (!creds.mtlsCert || !creds.mtlsKey) {
+            throw new CredentialsNotConfiguredError(slug, "mTLS cert/key not returned by auth server");
+        }
+        httpsAgent = buildMtlsAgentFromPem(slug, creds.mtlsCert, creds.mtlsKey);
     }
-    console.log(`[nova-sdk] 🔄 Exchanging client_credentials at ${config.token_endpoint} for "${config.slug}"`);
-    const tokenResponse = await performTokenExchange(config.slug, {
-        tokenEndpoint: config.token_endpoint,
-        clientId: config.client_id,
-        clientSecret,
+    // ── Step 6: Perform token exchange (client_credentials / mTLS) ────────
+    console.log(`[nova-sdk] 🔄 Performing ${creds.authMode} token exchange at ${creds.tokenEndpoint} for "${slug}"`);
+    const tokenResponse = await performTokenExchange(slug, {
+        tokenEndpoint: creds.tokenEndpoint,
+        clientId: creds.clientId,
+        clientSecret: creds.clientSecret,
         httpsAgent,
     });
     const expiresAt = new Date(Date.now() + tokenResponse.expires_in * 1000);
-    const cacheKey = getCacheKey(config.slug, userId);
-    console.log(`[nova-sdk] ✅ Token exchange successful for "${config.slug}" — expires ${expiresAt.toISOString()} (${tokenResponse.expires_in}s)`);
-    // ── Store token in vault + user_app_connections ───────────────────────
-    const vaultName = `connection:${userId}:${config.slug}:access_token`;
-    let accessTokenVaultId;
-    if (existingConnectionId) {
-        const { data: conn } = await platformDB
-            .from("user_app_connections")
-            .select("access_token_vault_id")
-            .eq("id", existingConnectionId)
-            .single();
-        if (conn?.access_token_vault_id) {
-            await updateVaultSecret(platformDB, conn.access_token_vault_id, tokenResponse.access_token);
-            accessTokenVaultId = conn.access_token_vault_id;
-        }
-        else {
-            accessTokenVaultId = await storeVaultSecret(platformDB, vaultName, tokenResponse.access_token);
-        }
-        await platformDB
-            .from("user_app_connections")
-            .update({
-            access_token_vault_id: accessTokenVaultId,
-            token_expires_at: expiresAt.toISOString(),
-            token_scope: tokenResponse.scope ?? null,
-            last_used_at: new Date().toISOString(),
-            is_active: true,
-        })
-            .eq("id", existingConnectionId);
-        console.log(`[nova-sdk] 📦 Updated existing connection ${existingConnectionId}`);
-    }
-    else {
-        accessTokenVaultId = await storeVaultSecret(platformDB, vaultName, tokenResponse.access_token);
-        const { error: insertError } = await platformDB
-            .from("user_app_connections")
-            .upsert({
-            user_id: userId,
-            integration_id: config.id,
-            access_token_vault_id: accessTokenVaultId,
-            token_expires_at: expiresAt.toISOString(),
-            token_scope: tokenResponse.scope ?? null,
-            is_active: true,
-            last_used_at: new Date().toISOString(),
-            metadata: { auth_mode: config.auth_mode, grant_type: "client_credentials" },
-        }, { onConflict: "user_id,integration_id" });
-        if (insertError) {
-            console.error(`[nova-sdk] ⚠️ Failed to cache connection:`, insertError.message);
-        }
-        else {
-            console.log(`[nova-sdk] 📦 Created new connection for user ${userId}`);
-        }
-    }
-    // Populate in-memory cache
-    _tokenCache.set(cacheKey, {
+    console.log(`[nova-sdk] ✅ Token exchange successful for "${slug}" — expires ${expiresAt.toISOString()} (${tokenResponse.expires_in}s, hasRefreshToken: ${!!tokenResponse.refresh_token})`);
+    // ── Step 7: Cache in memory with refresh metadata ─────────────────────
+    const cacheEntry = {
         accessToken: tokenResponse.access_token,
         expiresAt,
         httpsAgent,
-    });
+        authMode: creds.authMode,
+        // Store refresh metadata for client-side refresh next time
+        refreshToken: tokenResponse.refresh_token ?? undefined,
+        tokenEndpoint: creds.tokenEndpoint,
+        clientId: creds.clientId,
+        clientSecret: creds.clientSecret,
+    };
+    _tokenCache.set(cacheKey, cacheEntry);
+    // Also persist refresh metadata in a long-lived key (survives access token expiry)
+    if (tokenResponse.refresh_token) {
+        _tokenCache.set(`${cacheKey}:refresh`, {
+            ...cacheEntry,
+            expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
+        });
+        console.log(`[nova-sdk] 💾 Cached refresh metadata for "${slug}"`);
+    }
     return {
         accessToken: tokenResponse.access_token,
         expiresAt,
-        integrationId: config.id,
-        authMode: config.auth_mode,
+        integrationId: `http:${slug}`,
+        authMode: creds.authMode,
         httpsAgent,
     };
 }
-// ─── User Credentials (authorization_code / standard) ───────────────────────
-async function resolveUserCredentials(platformDB, config, userId) {
-    const cacheKey = getCacheKey(config.slug, userId);
-    // Check in-memory cache
-    const cached = getCachedToken(cacheKey);
-    if (cached) {
-        console.log(`[nova-sdk] ⚡ Using in-memory cached user token (expires ${cached.expiresAt.toISOString()})`);
-        return {
-            accessToken: cached.accessToken,
-            expiresAt: cached.expiresAt,
-            integrationId: config.id,
-            authMode: "standard",
-        };
-    }
-    // Look up user's connection
-    const { data: conn, error: connError } = await platformDB
-        .from("user_app_connections")
-        .select("id, access_token_vault_id, refresh_token_vault_id, token_expires_at, is_active")
-        .eq("integration_id", config.id)
-        .eq("user_id", userId)
-        .eq("is_active", true)
-        .single();
-    if (connError || !conn) {
-        throw new ConnectionNotFoundError(config.slug, userId);
-    }
-    if (!conn.access_token_vault_id) {
-        throw new ConnectionNotFoundError(config.slug, userId);
-    }
-    const expiresAt = conn.token_expires_at ? new Date(conn.token_expires_at) : new Date(0);
-    const now = new Date();
-    // Check if token is still valid
-    if (expiresAt.getTime() - TOKEN_EXPIRY_BUFFER_MS > now.getTime()) {
-        const accessToken = await getVaultSecret(platformDB, conn.access_token_vault_id, "user_access_token");
-        if (accessToken) {
-            _tokenCache.set(cacheKey, { accessToken, expiresAt });
-            console.log(`[nova-sdk] ✅ User token valid (expires ${expiresAt.toISOString()})`);
-            return {
-                accessToken,
-                expiresAt,
-                integrationId: config.id,
-                authMode: "standard",
-            };
-        }
-    }
-    // Token expired — try refresh
-    if (conn.refresh_token_vault_id) {
-        console.log(`[nova-sdk] 🔄 User token expired — refreshing...`);
-        return refreshUserToken(platformDB, config, userId, conn.id, conn.refresh_token_vault_id);
-    }
-    throw new ConnectionNotFoundError(config.slug, `${userId} (token expired and no refresh token available — user must re-authorize)`);
-}
-async function refreshUserToken(platformDB, config, userId, connectionId, refreshTokenVaultId) {
-    if (!config.token_endpoint) {
-        throw new CredentialsNotConfiguredError(config.slug, "token_endpoint not set — cannot refresh");
-    }
-    const refreshToken = await getVaultSecret(platformDB, refreshTokenVaultId, "refresh_token");
-    if (!refreshToken) {
-        throw new ConnectionNotFoundError(config.slug, `${userId} (refresh token missing from vault)`);
-    }
-    const clientSecret = config.client_secret_vault_id
-        ? await getVaultSecret(platformDB, config.client_secret_vault_id, "client_secret")
-        : null;
-    const body = new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: refreshToken,
-        client_id: config.client_id ?? "",
-        ...(clientSecret ? { client_secret: clientSecret } : {}),
-    });
-    const res = await fetch(config.token_endpoint, {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: body.toString(),
-    });
-    if (!res.ok) {
-        const errText = await res.text();
-        console.error(`[nova-sdk] ❌ Refresh token exchange failed for "${config.slug}": ${res.status}`, errText);
-        throw new TokenExchangeError(config.slug, `refresh failed: ${res.status} ${errText}`);
-    }
-    const tokenData = (await res.json());
-    const expiresAt = new Date(Date.now() + (tokenData.expires_in ?? 3600) * 1000);
-    // Update vault + connection
-    const { data: existingConn } = await platformDB
-        .from("user_app_connections")
-        .select("access_token_vault_id, refresh_token_vault_id")
-        .eq("id", connectionId)
-        .single();
-    if (existingConn?.access_token_vault_id) {
-        await updateVaultSecret(platformDB, existingConn.access_token_vault_id, tokenData.access_token);
-    }
-    if (tokenData.refresh_token && existingConn?.refresh_token_vault_id) {
-        await updateVaultSecret(platformDB, existingConn.refresh_token_vault_id, tokenData.refresh_token);
+/**
+ * Detect which credential resolution strategy to use.
+ * Returns 'http' if AUTH_ISSUER_BASE_URL is set, or 'none' if not configured.
+ *
+ * NOTE: The legacy 'db' strategy (PLATFORM_SUPABASE_*) has been removed.
+ * All credential resolution now goes through the HTTP callback strategy.
+ */
+export function detectCredentialStrategy() {
+    const hasAuth = !!process.env.AUTH_ISSUER_BASE_URL;
+    if (hasAuth) {
+        console.log(`[nova-sdk] 🔍 Credential strategy: http (AUTH_ISSUER_BASE_URL=${process.env.AUTH_ISSUER_BASE_URL})`);
+        return "http";
     }
-    await platformDB
-        .from("user_app_connections")
-        .update({
-        token_expires_at: expiresAt.toISOString(),
-        token_scope: tokenData.scope ?? null,
-        last_used_at: new Date().toISOString(),
-    })
-        .eq("id", connectionId);
-    // Cache it
-    const cacheKey = getCacheKey(config.slug, userId);
-    _tokenCache.set(cacheKey, { accessToken: tokenData.access_token, expiresAt });
-    console.log(`[nova-sdk] ✅ User token refreshed for "${config.slug}" (expires ${expiresAt.toISOString()})`);
-    return {
-        accessToken: tokenData.access_token,
-        expiresAt,
-        integrationId: config.id,
-        authMode: "standard",
-    };
+    console.log(`[nova-sdk] 🔍 Credential strategy: none (AUTH_ISSUER_BASE_URL not set)`);
+    return "none";
 }
 // ─── integrationFetch: mTLS-aware fetch wrapper ─────────────────────────────
 /**
@@ -534,6 +479,7 @@ async function refreshUserToken(platformDB, config, userId, connectionId, refres
  */
 export async function integrationFetch(url, credentials, options = {}) {
     const { accessToken, httpsAgent } = credentials;
+    console.log(`[nova-sdk] 🌐 integrationFetch: ${options.method ?? "GET"} ${url} (mTLS: ${!!httpsAgent}, tokenPreview: ${accessToken.slice(0, 12)}...)`);
     if (httpsAgent) {
         // Use node:https for mTLS
         return new Promise((resolve, reject) => {
@@ -556,6 +502,7 @@ export async function integrationFetch(url, credentials, options = {}) {
                 res.on("data", (chunk) => chunks.push(chunk));
                 res.on("end", () => {
                     const bodyStr = Buffer.concat(chunks).toString("utf-8");
+                    console.log(`[nova-sdk] 📥 mTLS response: HTTP ${res.statusCode} for ${options.method ?? "GET"} ${url}`);
                     resolve(new Response(bodyStr, {
                         status: res.statusCode ?? 500,
                         statusText: res.statusMessage ?? "Unknown",
@@ -570,7 +517,7 @@ export async function integrationFetch(url, credentials, options = {}) {
         });
     }
     // Non-mTLS: regular fetch
-    return fetch(url, {
+    const res = await fetch(url, {
         method: options.method ?? "GET",
         headers: {
             Authorization: `Bearer ${accessToken}`,
@@ -580,11 +527,16 @@ export async function integrationFetch(url, credentials, options = {}) {
         },
         body: options.body,
     });
+    console.log(`[nova-sdk] 📥 Response: HTTP ${res.status} for ${options.method ?? "GET"} ${url}`);
+    return res;
 }
 // ─── emitPlatformEvent: PGMQ event emission ────────────────────────────────
 /**
  * Emit a PGMQ event to the platform database.
  * Used for cross-service communication (e.g., sync complete, webhook received).
+ *
+ * NOTE: This uses the platform Supabase client (PLATFORM_SUPABASE_*), which is
+ * separate from credential resolution. Credential resolution uses HTTP (AUTH_ISSUER_BASE_URL).
  */
 export async function emitPlatformEvent(platformDB, topic, integrationSlug, payload) {
     console.log(`[nova-sdk] 📤 Emitting event: ${topic} (integration: ${integrationSlug})`);
@@ -605,164 +557,3 @@ export async function emitPlatformEvent(platformDB, topic, integrationSlug, payl
         console.log(`[nova-sdk] ✅ Event emitted: ${topic}`);
     }
 }
-/**
- * Build an mTLS agent from PEM strings (received via HTTP, not from vault).
- * Cached per slug — cert/key don't change during container lifetime.
- */
-function buildMtlsAgentFromPem(slug, certPem, keyPem) {
-    const existing = _mtlsAgents.get(slug);
-    if (existing)
-        return existing;
-    console.log(`[nova-sdk] 🔒 Built mTLS agent for "${slug}" from HTTP response (cert: ${certPem.length} bytes, key: ${keyPem.length} bytes)`);
-    const agent = new https.Agent({ cert: certPem, key: keyPem, keepAlive: true });
-    _mtlsAgents.set(slug, agent);
-    return agent;
-}
-/**
- * Fetch integration credentials from the auth server over HTTP.
- * Requires a valid JWT Bearer token (the same one that authenticated the
- * inbound request to this container).
- *
- * @param authBaseUrl  - Auth server base URL (e.g., "http://localhost:3001")
- * @param slug         - Integration slug (e.g., "adp")
- * @param bearerToken  - JWT to forward as Authorization header
- * @param forceRefresh - When true, sends X-Nova-Token-Invalid: true to trigger a forced refresh
- */
-async function fetchCredentialsFromAuthServer(authBaseUrl, slug, bearerToken, forceRefresh = false) {
-    const url = `${authBaseUrl}/api/integrations/${encodeURIComponent(slug)}/credentials`;
-    console.log(`[nova-sdk] 🌐 Fetching credentials via HTTP: GET ${url}${forceRefresh ? " (force-refresh)" : ""}`);
-    const headers = {
-        Authorization: `Bearer ${bearerToken}`,
-        Accept: "application/json",
-    };
-    // Signal the auth server to discard its stored token and force a refresh
-    if (forceRefresh) {
-        headers["X-Nova-Token-Invalid"] = "true";
-    }
-    const res = await fetch(url, { method: "GET", headers });
-    if (!res.ok) {
-        const errBody = await res.text().catch(() => "");
-        if (res.status === 401) {
-            throw new Error(`[nova-sdk] Auth server rejected JWT for credential fetch (401). ` +
-                `Ensure the JWT is valid and signed by the auth server. ${errBody}`);
-        }
-        if (res.status === 404) {
-            throw new IntegrationNotFoundError(slug);
-        }
-        throw new Error(`[nova-sdk] Credential fetch failed: HTTP ${res.status} ${errBody.slice(0, 300)}`);
-    }
-    const data = (await res.json());
-    console.log(`[nova-sdk] ✅ Received credentials for "${slug}" via HTTP (authMode: ${data.authMode})`);
-    return data;
-}
-/**
- * Resolve credentials for an integration using the HTTP callback strategy.
- *
- * This is the main entry point for Strategy B. It:
- * 1. Checks the in-memory cache
- * 2. Fetches decrypted credentials from the auth server via HTTP
- * 3. Performs the OAuth token exchange (client_credentials or mTLS)
- * 4. Caches the resulting access token in memory
- *
- * @param authBaseUrl - Auth server base URL
- * @param slug        - Integration slug
- * @param bearerToken - JWT to authenticate with the auth server
- * @param userId      - Optional user ID (for cache key differentiation)
- */
-export async function resolveCredentialsViaHttp(authBaseUrl, slug, bearerToken, userId, options) {
-    const effectiveUserId = userId ?? SYSTEM_USER_ID;
-    const cacheKey = getCacheKey(slug, effectiveUserId);
-    const forceRefresh = options?.forceRefresh ?? false;
-    console.log(`[nova-sdk] 🔑 Resolving credentials for "${slug}" via HTTP (userId: ${effectiveUserId}${forceRefresh ? ", forceRefresh=true" : ""})`);
-    // ── Step 1: Check in-memory cache (skip if forcing refresh) ──────────
-    const cached = forceRefresh ? null : getCachedToken(cacheKey);
-    if (cached) {
-        // Derive authMode: use stored value if available, otherwise infer from httpsAgent
-        const cachedAuthMode = cached.authMode ?? (cached.httpsAgent ? "mtls" : "client_credentials");
-        console.log(`[nova-sdk] ⚡ Using in-memory cached token (expires ${cached.expiresAt.toISOString()}, authMode: ${cachedAuthMode})`);
-        return {
-            accessToken: cached.accessToken,
-            expiresAt: cached.expiresAt,
-            integrationId: `http:${slug}`, // No DB UUID available in HTTP mode
-            authMode: cachedAuthMode,
-            httpsAgent: cached.httpsAgent,
-        };
-    }
-    // ── Step 2: Fetch credentials from auth server ────────────────────────
-    const creds = await fetchCredentialsFromAuthServer(authBaseUrl, slug, bearerToken, forceRefresh);
-    // ── Step 2b: Standard auth — use pre-resolved access token if available ──
-    if (creds.authMode === "standard") {
-        if (creds.accessToken) {
-            const expiresAt = creds.expiresAt
-                ? new Date(creds.expiresAt)
-                : new Date(Date.now() + 3600 * 1000); // default 1h if not provided
-            console.log(`[nova-sdk] ✅ Using pre-resolved access token for "${slug}" (standard auth, HTTP mode) — expires ${expiresAt.toISOString()}`);
-            // Cache in memory (include authMode so cache hits return correct mode)
-            _tokenCache.set(cacheKey, { accessToken: creds.accessToken, expiresAt, authMode: "standard" });
-            return {
-                accessToken: creds.accessToken,
-                expiresAt,
-                integrationId: `http:${slug}`,
-                authMode: "standard",
-            };
-        }
-        // Standard auth but no access token returned — user hasn't authorized yet
-        throw new ConnectionNotFoundError(slug, `${effectiveUserId} (no stored access token — user must authorize via OAuth popup first)`);
-    }
-    // ── Step 3: Validate required fields (client_credentials / mTLS only) ──
-    if (!creds.clientId) {
-        throw new CredentialsNotConfiguredError(slug, "client_id is not set");
-    }
-    if (!creds.clientSecret) {
-        throw new CredentialsNotConfiguredError(slug, "client_secret not available");
-    }
-    if (!creds.tokenEndpoint) {
-        throw new CredentialsNotConfiguredError(slug, "token_endpoint is not set");
-    }
-    // ── Step 4: Build mTLS agent if needed ────────────────────────────────
-    let httpsAgent;
-    if (creds.authMode === "mtls") {
-        if (!creds.mtlsCert || !creds.mtlsKey) {
-            throw new CredentialsNotConfiguredError(slug, "mTLS cert/key not returned by auth server");
-        }
-        httpsAgent = buildMtlsAgentFromPem(slug, creds.mtlsCert, creds.mtlsKey);
-    }
-    // ── Step 5: Perform token exchange (client_credentials / mTLS) ────────
-    console.log(`[nova-sdk] 🔄 Exchanging client_credentials at ${creds.tokenEndpoint} for "${slug}" (HTTP mode)`);
-    const tokenResponse = await performTokenExchange(slug, {
-        tokenEndpoint: creds.tokenEndpoint,
-        clientId: creds.clientId,
-        clientSecret: creds.clientSecret,
-        httpsAgent,
-    });
-    const expiresAt = new Date(Date.now() + tokenResponse.expires_in * 1000);
-    console.log(`[nova-sdk] ✅ Token exchange successful for "${slug}" (HTTP mode) — expires ${expiresAt.toISOString()} (${tokenResponse.expires_in}s)`);
-    // ── Step 6: Cache in memory ───────────────────────────────────────────
-    _tokenCache.set(cacheKey, {
-        accessToken: tokenResponse.access_token,
-        expiresAt,
-        httpsAgent,
-    });
-    return {
-        accessToken: tokenResponse.access_token,
-        expiresAt,
-        integrationId: `http:${slug}`,
-        authMode: creds.authMode,
-        httpsAgent,
-    };
-}
-/**
- * Detect which credential resolution strategy to use.
- * Returns 'db' if PLATFORM_SUPABASE_* are available, 'http' if AUTH_ISSUER_BASE_URL
- * is set, or 'none' if neither is configured.
- */
-export function detectCredentialStrategy() {
-    const hasDB = !!process.env.PLATFORM_SUPABASE_URL &&
-        !!process.env.PLATFORM_SUPABASE_SERVICE_ROLE_KEY;
-    const hasAuth = !!process.env.AUTH_ISSUER_BASE_URL;
-    if (hasDB)
-        return "db";
-    if (hasAuth)
-        return "http";
-    return "none";
-}

package/dist/index.d.ts CHANGED Viewed

@@ -415,5 +415,5 @@ export type ScheduleTrigger = {
 };
 /** Union of all trigger variants */
 export type Trigger = EventTrigger | ScheduleTrigger;
-export { createPlatformClient, resolveCredentials, resolveCredentialsViaHttp, detectCredentialStrategy, integrationFetch, emitPlatformEvent, IntegrationNotFoundError, IntegrationDisabledError, CredentialsNotConfiguredError, ConnectionNotFoundError, TokenExchangeError, } from "./credentials.js";
-export type { ResolvedCredentials, IntegrationConfig, AuthMode, } from "./credentials.js";
+export { createPlatformClient, resolveCredentialsViaHttp, detectCredentialStrategy, clearTokenCache, integrationFetch, emitPlatformEvent, IntegrationNotFoundError, IntegrationDisabledError, CredentialsNotConfiguredError, ConnectionNotFoundError, TokenExchangeError, } from "./credentials.js";
+export type { ResolvedCredentials, AuthMode, } from "./credentials.js";

package/dist/index.js CHANGED Viewed

@@ -6,7 +6,7 @@ import { createServer } from "node:http";
 import { os } from "@orpc/server";
 import { RPCHandler } from "@orpc/server/node";
 import { CORSPlugin } from "@orpc/server/plugins";
-import { createPlatformClient, resolveCredentials as _resolveCredentials, resolveCredentialsViaHttp as _resolveCredentialsViaHttp, detectCredentialStrategy, integrationFetch as _integrationFetch, clearTokenCache as _clearTokenCache, } from "./credentials.js";
+import { resolveCredentialsViaHttp as _resolveCredentialsViaHttp, detectCredentialStrategy, integrationFetch as _integrationFetch, clearTokenCache as _clearTokenCache, } from "./credentials.js";
 if (!process.env.RUNTIME_SUPABASE_URL) {
     // local dev – read .env.local
     dotenv.config({ path: ".env.local", override: true });
@@ -541,78 +541,70 @@ export async function generateOpenAPISpec(def) {
 /**
  * Build resolveCredentials() and fetch() methods bound to this worker's slug.
  *
- * Automatically detects the credential resolution strategy:
- *   - **Strategy A (DB)**: PLATFORM_SUPABASE_* env vars → direct Supabase Vault access
- *   - **Strategy B (HTTP)**: AUTH_ISSUER_BASE_URL env var → call auth server with JWT
+ * Uses the HTTP callback strategy exclusively:
+ *   AUTH_ISSUER_BASE_URL → calls the auth server with the inbound JWT to
+ *   retrieve credentials, then performs the OAuth token exchange locally.
  *
- * @param defaultSlug - Integration slug (e.g., "adp")
- * @param authToken   - JWT Bearer token from the inbound request (for HTTP strategy)
+ * Token cache order: in-memory → client-side refresh_token grant → auth server fetch
+ *
+ * @param defaultSlug - Integration slug (e.g., "jira", "bamboohr")
+ * @param authToken   - JWT Bearer token from the inbound request (forwarded to auth server)
  */
 function buildCredentialCtx(defaultSlug, authToken) {
-    // Cache the resolved credentials per request to avoid duplicate round-trips
+    // Per-request credentials cache — avoids duplicate round-trips within a single handler
     let _lastCreds = null;
     const strategy = detectCredentialStrategy();
     const ctxResolveCredentials = async (slug, userId) => {
         const targetSlug = slug ?? defaultSlug;
-        if (strategy === "db") {
-            // Strategy A: Direct DB access via PLATFORM_SUPABASE_*
-            const platformDB = createPlatformClient();
-            const creds = await _resolveCredentials(platformDB, targetSlug, userId);
-            _lastCreds = creds;
-            return creds;
-        }
+        console.log(`[nova-sdk] 🔑 ctx.resolveCredentials() called: slug="${targetSlug}" userId="${userId ?? "system"}" strategy="${strategy}"`);
         if (strategy === "http") {
-            // Strategy B: HTTP callback to auth server with JWT
             const authBaseUrl = process.env.AUTH_ISSUER_BASE_URL;
             if (!authToken) {
                 throw new Error(`[nova-sdk] HTTP credential resolution requires a JWT bearer token, ` +
                     `but no authToken was provided in the request context. ` +
-                    `Ensure the request includes an Authorization: Bearer header.`);
+                    `Ensure the inbound request includes an Authorization: Bearer <jwt> header.`);
             }
             const creds = await _resolveCredentialsViaHttp(authBaseUrl, targetSlug, authToken, userId);
             _lastCreds = creds;
             return creds;
         }
         // strategy === "none"
-        throw new Error(`[nova-sdk] No credential resolution strategy available. ` +
-            `Set either PLATFORM_SUPABASE_URL + PLATFORM_SUPABASE_SERVICE_ROLE_KEY (direct DB) ` +
-            `or AUTH_ISSUER_BASE_URL (HTTP callback) to enable credential resolution.`);
+        throw new Error(`[nova-sdk] No credential resolution strategy configured. ` +
+            `Set AUTH_ISSUER_BASE_URL to enable HTTP-based credential resolution.`);
     };
     const ctxFetch = async (url, options, credentials) => {
         const creds = credentials ?? _lastCreds ?? await ctxResolveCredentials();
         const response = await _integrationFetch(url, creds, options);
-        // ── 401 auto-retry: token may have been revoked ──────────────────────────
-        // If the API returns 401 AND the caller didn't supply explicit credentials
-        // (i.e., we used the cached/resolved ones), clear the in-memory cache and
-        // force-refresh from the auth server, then retry once.
-        // This handles the "user re-authenticated but container still holds the old
-        // revoked token" scenario.
+        // ── 401 auto-retry ───────────────────────────────────────────────────────
+        // If the API returns 401 AND the caller did NOT supply explicit credentials
+        // (3rd argument), the token may be stale. Clear the cache and force-refresh
+        // from the auth server, then retry the request once.
+        //
+        // If credentials were passed explicitly (3rd arg), skip retry — the caller
+        // is managing their own token lifecycle.
         if (response.status === 401 && !credentials) {
-            console.warn(`[nova-sdk] ⚠️ 401 received from ${url} — clearing cache and force-refreshing credentials for "${defaultSlug}"`);
+            console.warn(`[nova-sdk] ⚠️ 401 Unauthorized from ${url} — clearing cache and force-refreshing credentials for "${defaultSlug}"`);
             _clearTokenCache(defaultSlug);
             _lastCreds = null;
-            let freshCreds;
-            if (strategy === "http") {
-                // HTTP strategy: signal auth server to bypass its stored token and refresh
-                const authBaseUrl = process.env.AUTH_ISSUER_BASE_URL;
-                if (!authToken) {
-                    console.error("[nova-sdk] ❌ Cannot force-refresh: no authToken available");
-                    return response; // return original 401
-                }
-                freshCreds = await _resolveCredentialsViaHttp(authBaseUrl, defaultSlug, authToken, undefined, { forceRefresh: true });
+            if (strategy !== "http") {
+                console.error(`[nova-sdk] ❌ Cannot force-refresh: strategy is "${strategy}" (not "http")`);
+                return response;
             }
-            else {
-                // DB strategy: just re-resolve (DB always reads latest from vault)
-                freshCreds = await ctxResolveCredentials();
+            const authBaseUrl = process.env.AUTH_ISSUER_BASE_URL;
+            if (!authToken) {
+                console.error("[nova-sdk] ❌ Cannot force-refresh: no authToken available in request context");
+                return response; // return original 401
             }
+            console.log(`[nova-sdk] 🔄 Force-refreshing token for "${defaultSlug}" via auth server`);
+            const freshCreds = await _resolveCredentialsViaHttp(authBaseUrl, defaultSlug, authToken, undefined, { forceRefresh: true });
             _lastCreds = freshCreds;
-            // Only retry if we got a different (fresh) token — avoid an infinite loop
+            // Only retry if we actually got a different token — guards against infinite loop
             if (freshCreds.accessToken !== creds.accessToken) {
-                console.log(`[nova-sdk] 🔄 Retrying request with refreshed token for "${defaultSlug}"`);
+                console.log(`[nova-sdk] 🔄 Retrying ${options?.method ?? "GET"} ${url} with refreshed token`);
                 return _integrationFetch(url, freshCreds, options);
             }
             else {
-                console.warn(`[nova-sdk] ⚠️ Force-refresh returned the same token for "${defaultSlug}" — not retrying`);
+                console.warn(`[nova-sdk] ⚠️ Force-refresh returned the same token for "${defaultSlug}" — not retrying (token may be permanently invalid)`);
             }
         }
         return response;
@@ -855,11 +847,10 @@ export function runHttpServer(def, opts = {}) {
     // ── Log credential resolution strategy ──
     const credStrategy = detectCredentialStrategy();
     const strategyLabels = {
-        db: '🗄️  Direct DB (PLATFORM_SUPABASE_*)',
         http: '🌐 HTTP callback (AUTH_ISSUER_BASE_URL → auth server)',
         none: '⚠️  NONE — ctx.resolveCredentials() will throw if called',
     };
-    console.log(`[nova] 🔑 Credential strategy: ${strategyLabels[credStrategy]}`);
+    console.log(`[nova] 🔑 Credential strategy: ${strategyLabels[credStrategy] ?? credStrategy}`);
     const port = opts.port ?? (process.env.PORT ? parseInt(process.env.PORT) : 8000);
     app.listen(port, () => {
         console.log(`[nova] HTTP server listening on http://localhost:${port}`);
@@ -917,7 +908,9 @@ export { parseIntegrationSpec, IntegrationSpecSchema } from "./integrationSpec.j
 /*──────────────── Credential Resolution (re-exports) ───────────────*/
 // These are the first-class SDK exports for integration credential management.
 // Every integration gets vault-backed token caching, mTLS, and OAuth for free.
-export { createPlatformClient, resolveCredentials, resolveCredentialsViaHttp, detectCredentialStrategy, integrationFetch, emitPlatformEvent,
+export { createPlatformClient,
+// resolveCredentials (DB-based strategy removed — use resolveCredentialsViaHttp)
+resolveCredentialsViaHttp, detectCredentialStrategy, clearTokenCache, integrationFetch, emitPlatformEvent,
 // Error classes
 IntegrationNotFoundError, IntegrationDisabledError, CredentialsNotConfiguredError, ConnectionNotFoundError, TokenExchangeError, } from "./credentials.js";
 // // Default export for compatibility

package/dist/workerSchema.d.ts CHANGED Viewed

@@ -49,8 +49,6 @@ export declare const WorkerDefSchema: z.ZodObject<{
                 boolean: "boolean";
                 date: "date";
                 text: "text";
-                uuid: "uuid";
-                json: "json";
                 textarea: "textarea";
                 integer: "integer";
                 datetime: "datetime";
@@ -59,6 +57,8 @@ export declare const WorkerDefSchema: z.ZodObject<{
                 password: "password";
                 email: "email";
                 url: "url";
+                uuid: "uuid";
+                json: "json";
                 hidden: "hidden";
             }>>;
             label: z.ZodOptional<z.ZodString>;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@newhomestar/sdk",
-  "version": "0.7.18",
+  "version": "0.7.20",
   "description": "Type-safe SDK for building Nova pipelines (workers & functions)",
   "homepage": "https://github.com/newhomestar/nova-node-sdk#readme",
   "bugs": {