@pattern-stack/codegen 0.10.0 → 0.11.0

package/dist/runtime/subsystems/auth/protocols/{integration-store.d.ts → connection-store.d.ts}

@@ -1,25 +1,25 @@
 /**
- * Auth subsystem — integration storage ports.
+ * Auth subsystem — connection storage ports.
  *
- * `OAuth2RefreshStrategy` reads decrypted integration rows and persists
+ * `OAuth2RefreshStrategy` reads decrypted connection rows and persists
  * refreshed tokens. The subsystem doesn't care what entity framework stores
  * those rows — consumers implement these narrow ports against whatever
- * `integrations` table their app uses.
+ * `connections` table their app uses.
  *
  * In the extraction-source app both ports are satisfied by a
- * pair of thin adapters over `IntegrationService` + `RefreshIntegrationUseCase`.
+ * pair of thin adapters over `ConnectionService` + `RefreshConnectionUseCase`.
  * The codegen-patterns `examples/auth-integrations/` starter (separate PR)
- * ships a canonical `integration.yaml` whose generated service + use case
+ * ships a canonical `connection.yaml` whose generated service + use case
  * satisfy the shape out of the box.
  */
 /**
- * An integration row with its secrets decrypted and ready to use.
+ * An connection row with its secrets decrypted and ready to use.
  *
  * Consumers produce this shape from their own storage by passing stored
  * ciphertexts through `IEncryptionKey.decrypt`. The subsystem never sees
  * the ciphertext form.
  */
-interface DecryptedIntegration {
+interface DecryptedConnection {
     id: string;
     /** Provider slug — must match the strategy's `provider`. */
     provider: string;
@@ -33,13 +33,13 @@ interface DecryptedIntegration {
     providerMetadata?: Record<string, unknown> | null;
 }
 /**
- * Read port — fetches a decrypted integration by id.
+ * Read port — fetches a decrypted connection by id.
  *
  * Adapters typically wrap a service/repo call that does the decryption
  * internally. `OAuth2RefreshStrategy.resolve()` calls this on every invocation.
  */
-interface IIntegrationReader {
-    findByIdDecrypted(integrationId: string): Promise<DecryptedIntegration | null>;
+interface IConnectionReader {
+    findByIdDecrypted(connectionId: string): Promise<DecryptedConnection | null>;
 }
 /**
  * Write port — persists a refreshed access token (and optionally rotated
@@ -51,14 +51,14 @@ interface IIntegrationReader {
  * `refreshToken` semantics: `undefined` means "provider did not rotate; keep
  * existing ciphertext". A rotated token comes through as a string.
  */
-interface IntegrationTokenUpdate {
-    integrationId: string;
+interface ConnectionTokenUpdate {
+    connectionId: string;
     accessToken: string;
     refreshToken?: string;
     expiresAt: Date;
 }
-interface IIntegrationTokenWriter {
-    persistRefresh(update: IntegrationTokenUpdate): Promise<void>;
+interface IConnectionTokenWriter {
+    persistRefresh(update: ConnectionTokenUpdate): Promise<void>;
 }
 /**
  * Grant-sink port — persists a freshly-minted OAuth2 grant from the
@@ -66,10 +66,10 @@ interface IIntegrationTokenWriter {
  * re-connected an existing one).
  *
  * `AuthController.callback` invokes this after `IProviderStrategy.exchangeCodeForTokens`.
- * The subsystem itself never imports a concrete `IntegrationsService` — the
+ * The subsystem itself never imports a concrete `ConnectionsService` — the
  * consumer's `auth-integrations` starter (or any equivalent) adapts this
  * port. Keeps the auth subsystem standalone: a non-codegen consumer can
- * satisfy the port against its own integrations storage.
+ * satisfy the port against its own connections storage.
  *
  * Semantics:
  *   - Upserts on `(userId, provider)`. Repeated grants for the same pair
@@ -80,7 +80,7 @@ interface IIntegrationTokenWriter {
  *     them (e.g. some providers omit `expires_in`; not every flow returns
  *     a refresh token on first grant).
  */
-interface IntegrationGrantInput {
+interface ConnectionGrantInput {
     userId: string;
     /** Provider slug — must match the strategy's `provider`. */
     provider: string;
@@ -92,8 +92,8 @@ interface IntegrationGrantInput {
     /** Provider-specific bag (SFDC `instance_url`, Google `sub`, …). */
     providerMetadata?: Record<string, unknown>;
 }
-interface IIntegrationGrantSink {
-    createOrUpdateFromOAuthGrant(input: IntegrationGrantInput): Promise<void>;
+interface IConnectionGrantSink {
+    createOrUpdateFromOAuthGrant(input: ConnectionGrantInput): Promise<void>;
 }
 
-export type { DecryptedIntegration, IIntegrationGrantSink, IIntegrationReader, IIntegrationTokenWriter, IntegrationGrantInput, IntegrationTokenUpdate };
+export type { ConnectionGrantInput, ConnectionTokenUpdate, DecryptedConnection, IConnectionGrantSink, IConnectionReader, IConnectionTokenWriter };

package/dist/runtime/subsystems/auth/protocols/connection-store.js

@@ -0,0 +1 @@
+//# sourceMappingURL=connection-store.js.map

package/dist/runtime/subsystems/auth/protocols/provider-strategy.d.ts

@@ -1,6 +1,6 @@
 import { OAuth2RefreshStrategy } from '../runtime/oauth2-refresh.strategy.js';
 import './auth-strategy.js';
-import './integration-store.js';
+import './connection-store.js';
 
 /**
  * Auth subsystem — `IProviderStrategy` contract.
@@ -22,9 +22,9 @@ import './integration-store.js';
  * and dispatches by slug.
  *
  * **Naming convention:** interfaces that describe behavioral ports use the
- * `I` prefix (`IProviderStrategy`, `IIntegrationReader`, `IUserContext`,
+ * `I` prefix (`IProviderStrategy`, `IConnectionReader`, `IUserContext`,
  * `IOAuthStateStore`, `IEncryptionKey`). Plain data types / DTOs (e.g.
- * `ExchangedTokens`, `DecryptedIntegration`, `IntegrationGrantInput`) do
+ * `ExchangedTokens`, `DecryptedConnection`, `ConnectionGrantInput`) do
  * not. Abstract template-method classes (e.g. `OAuth2RefreshStrategy`) also
  * do not — the `I` is for interfaces only.
  */

package/dist/runtime/subsystems/auth/runtime/{integration-broken.error.d.ts → connection-broken.error.d.ts}

@@ -2,16 +2,16 @@
  * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`
  * on refresh — the refresh token itself is dead (user revoked, org
  * deactivated, token expired beyond the provider's rotation window). The
- * integration should be marked broken so background sync stops picking it
+ * connection should be marked broken so background sync stops picking it
  * up; the user re-initiates OAuth.
  *
  * Shared across every OAuth2 strategy.
  */
-declare class IntegrationBrokenError extends Error {
-    readonly integrationId: string;
+declare class ConnectionBrokenError extends Error {
+    readonly connectionId: string;
     readonly errorCode: string;
     readonly errorDescription: string;
-    constructor(integrationId: string, errorCode: string, errorDescription: string);
+    constructor(connectionId: string, errorCode: string, errorDescription: string);
 }
 
-export { IntegrationBrokenError };
+export { ConnectionBrokenError };

package/dist/runtime/subsystems/auth/runtime/connection-broken.error.js

@@ -0,0 +1,19 @@
+// runtime/subsystems/auth/runtime/connection-broken.error.ts
+var ConnectionBrokenError = class extends Error {
+  constructor(connectionId, errorCode, errorDescription) {
+    super(
+      `Connection ${connectionId} broken: ${errorCode} - ${errorDescription}`
+    );
+    this.connectionId = connectionId;
+    this.errorCode = errorCode;
+    this.errorDescription = errorDescription;
+    this.name = "ConnectionBrokenError";
+  }
+  connectionId;
+  errorCode;
+  errorDescription;
+};
+export {
+  ConnectionBrokenError
+};
+//# sourceMappingURL=connection-broken.error.js.map

package/dist/runtime/subsystems/auth/runtime/connection-broken.error.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/connection-broken.error.ts"],"sourcesContent":["/**\n * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`\n * on refresh — the refresh token itself is dead (user revoked, org\n * deactivated, token expired beyond the provider's rotation window). The\n * connection should be marked broken so background sync stops picking it\n * up; the user re-initiates OAuth.\n *\n * Shared across every OAuth2 strategy.\n */\nexport class ConnectionBrokenError extends Error {\n  constructor(\n    readonly connectionId: string,\n    readonly errorCode: string,\n    readonly errorDescription: string,\n  ) {\n    super(\n      `Connection ${connectionId} broken: ${errorCode} - ${errorDescription}`,\n    );\n    this.name = 'ConnectionBrokenError';\n  }\n}\n"],"mappings":";AASO,IAAM,wBAAN,cAAoC,MAAM;AAAA,EAC/C,YACW,cACA,WACA,kBACT;AACA;AAAA,MACE,cAAc,YAAY,YAAY,SAAS,MAAM,gBAAgB;AAAA,IACvE;AANS;AACA;AACA;AAKT,SAAK,OAAO;AAAA,EACd;AAAA,EARW;AAAA,EACA;AAAA,EACA;AAOb;","names":[]}

package/dist/runtime/subsystems/auth/runtime/oauth2-refresh.strategy.d.ts

@@ -1,5 +1,5 @@
 import { IAuthStrategy, AuthResolveOptions, AuthCredentials } from '../protocols/auth-strategy.js';
-import { IIntegrationReader, IIntegrationTokenWriter, DecryptedIntegration } from '../protocols/integration-store.js';
+import { IConnectionReader, IConnectionTokenWriter, DecryptedConnection } from '../protocols/connection-store.js';
 
 /**
  * Abstract base class for OAuth2 refresh-token strategies.
@@ -11,25 +11,25 @@ import { IIntegrationReader, IIntegrationTokenWriter, DecryptedIntegration } fro
  * later" evidence.
  *
  * Subclass contract:
- *   - `provider`                — slug matched against `integrations.provider`
+ *   - `provider`                — slug matched against `connections.provider`
  *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`
  *   - `tokenEndpoint()`         — URL to POST the refresh grant
  *   - `refreshBodyExtras()`     — provider-specific body params
  *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse
  *   - `buildCredentials()`      — stored or freshly-refreshed access token +
- *                                 integration + optional raw refresh response
+ *                                 connection + optional raw refresh response
  *                                 → provider credentials
  *
  * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape
  * hatch, POST form-urlencoded body, OAuth2 error mapping to
- * `IntegrationBrokenError`, refresh-token rotation persistence, fetch +
+ * `ConnectionBrokenError`, refresh-token rotation persistence, fetch +
  * clock injection for tests.
  */
 
 type FetchLike = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
 interface OAuth2RefreshStrategyOptions {
-    integrationReader: IIntegrationReader;
-    tokenWriter: IIntegrationTokenWriter;
+    connectionReader: IConnectionReader;
+    tokenWriter: IConnectionTokenWriter;
     /** Injectable fetch for tests. Defaults to the global `fetch`. */
     fetch?: FetchLike;
     /** Injectable clock for tests. Defaults to `Date.now`. */
@@ -48,16 +48,16 @@ interface ParsedRefreshResponse {
 declare abstract class OAuth2RefreshStrategy implements IAuthStrategy {
     protected abstract readonly provider: string;
     protected abstract readonly defaultExpiresInSec: number;
-    protected readonly integrationReader: IIntegrationReader;
-    protected readonly tokenWriter: IIntegrationTokenWriter;
+    protected readonly connectionReader: IConnectionReader;
+    protected readonly tokenWriter: IConnectionTokenWriter;
     protected readonly fetchImpl: FetchLike;
     protected readonly now: () => number;
     constructor(opts: OAuth2RefreshStrategyOptions);
-    resolve(integrationId: string, opts?: AuthResolveOptions): Promise<AuthCredentials>;
+    resolve(connectionId: string, opts?: AuthResolveOptions): Promise<AuthCredentials>;
     protected abstract tokenEndpoint(): string;
     protected abstract refreshBodyExtras(): Record<string, string>;
     protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;
-    protected abstract buildCredentials(accessToken: string, integration: DecryptedIntegration, refreshRaw?: unknown): AuthCredentials;
+    protected abstract buildCredentials(accessToken: string, connection: DecryptedConnection, refreshRaw?: unknown): AuthCredentials;
     private executeRefresh;
     private isExpiring;
 }

package/dist/runtime/subsystems/auth/runtime/oauth2-refresh.strategy.js

@@ -1,15 +1,15 @@
-// runtime/subsystems/auth/runtime/integration-broken.error.ts
-var IntegrationBrokenError = class extends Error {
-  constructor(integrationId, errorCode, errorDescription) {
+// runtime/subsystems/auth/runtime/connection-broken.error.ts
+var ConnectionBrokenError = class extends Error {
+  constructor(connectionId, errorCode, errorDescription) {
     super(
-      `Integration ${integrationId} broken: ${errorCode} - ${errorDescription}`
+      `Connection ${connectionId} broken: ${errorCode} - ${errorDescription}`
     );
-    this.integrationId = integrationId;
+    this.connectionId = connectionId;
     this.errorCode = errorCode;
     this.errorDescription = errorDescription;
-    this.name = "IntegrationBrokenError";
+    this.name = "ConnectionBrokenError";
   }
-  integrationId;
+  connectionId;
   errorCode;
   errorDescription;
 };
@@ -17,53 +17,53 @@ var IntegrationBrokenError = class extends Error {
 // runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts
 var REFRESH_SAFETY_MS = 5 * 60 * 1e3;
 var OAuth2RefreshStrategy = class {
-  integrationReader;
+  connectionReader;
   tokenWriter;
   fetchImpl;
   now;
   constructor(opts) {
-    this.integrationReader = opts.integrationReader;
+    this.connectionReader = opts.connectionReader;
     this.tokenWriter = opts.tokenWriter;
     this.fetchImpl = opts.fetch ?? fetch;
     this.now = opts.now ?? Date.now;
   }
-  async resolve(integrationId, opts = {}) {
-    const integration = await this.integrationReader.findByIdDecrypted(integrationId);
-    if (!integration) {
-      throw new Error(`Integration ${integrationId} not found`);
+  async resolve(connectionId, opts = {}) {
+    const connection = await this.connectionReader.findByIdDecrypted(connectionId);
+    if (!connection) {
+      throw new Error(`Connection ${connectionId} not found`);
     }
-    if (integration.provider !== this.provider) {
+    if (connection.provider !== this.provider) {
       throw new Error(
-        `${this.constructor.name} called for non-${this.provider} integration ${integrationId} (provider=${integration.provider})`
+        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`
       );
     }
-    const needsRefresh = opts.forceRefresh || this.isExpiring(integration.expiresAt) || !integration.accessToken;
+    const needsRefresh = opts.forceRefresh || this.isExpiring(connection.expiresAt) || !connection.accessToken;
     if (!needsRefresh) {
-      return this.buildCredentials(integration.accessToken, integration);
+      return this.buildCredentials(connection.accessToken, connection);
     }
-    if (!integration.refreshToken) {
-      throw new IntegrationBrokenError(
-        integrationId,
+    if (!connection.refreshToken) {
+      throw new ConnectionBrokenError(
+        connectionId,
         "no_refresh_token",
-        "Integration has no refresh token; user must reconnect"
+        "Connection has no refresh token; user must reconnect"
       );
     }
     const { parsed, raw } = await this.executeRefresh(
-      integrationId,
-      integration.refreshToken
+      connectionId,
+      connection.refreshToken
     );
     const newExpiresAt = new Date(
       this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1e3
     );
     await this.tokenWriter.persistRefresh({
-      integrationId,
+      connectionId,
       accessToken: parsed.accessToken,
       refreshToken: parsed.refreshToken ?? void 0,
       expiresAt: newExpiresAt
     });
-    return this.buildCredentials(parsed.accessToken, integration, raw);
+    return this.buildCredentials(parsed.accessToken, connection, raw);
   }
-  async executeRefresh(integrationId, refreshToken) {
+  async executeRefresh(connectionId, refreshToken) {
     const body = new URLSearchParams({
       grant_type: "refresh_token",
       refresh_token: refreshToken,
@@ -77,8 +77,8 @@ var OAuth2RefreshStrategy = class {
     if (!response.ok) {
       const err = await safeJson(response);
       if (response.status === 400 && (err.error === "invalid_grant" || err.error === "invalid_token")) {
-        throw new IntegrationBrokenError(
-          integrationId,
+        throw new ConnectionBrokenError(
+          connectionId,
           err.error ?? "invalid_grant",
           err.error_description ?? err.message ?? "refresh token rejected"
         );

package/dist/runtime/subsystems/auth/runtime/oauth2-refresh.strategy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/integration-broken.error.ts","../../../../../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`\n * on refresh — the refresh token itself is dead (user revoked, org\n * deactivated, token expired beyond the provider's rotation window). The\n * integration should be marked broken so background sync stops picking it\n * up; the user re-initiates OAuth.\n *\n * Shared across every OAuth2 strategy.\n */\nexport class IntegrationBrokenError extends Error {\n  constructor(\n    readonly integrationId: string,\n    readonly errorCode: string,\n    readonly errorDescription: string,\n  ) {\n    super(\n      `Integration ${integrationId} broken: ${errorCode} - ${errorDescription}`,\n    );\n    this.name = 'IntegrationBrokenError';\n  }\n}\n","/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers (Salesforce, HubSpot)\n * in the extraction-source app before being extracted here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `integrations.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 integration + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `IntegrationBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedIntegration,\n  IIntegrationReader,\n  IIntegrationTokenWriter,\n} from '../protocols/integration-store';\nimport { IntegrationBrokenError } from './integration-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  integrationReader: IIntegrationReader;\n  tokenWriter: IIntegrationTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly integrationReader: IIntegrationReader;\n  protected readonly tokenWriter: IIntegrationTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.integrationReader = opts.integrationReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    integrationId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const integration =\n      await this.integrationReader.findByIdDecrypted(integrationId);\n    if (!integration) {\n      throw new Error(`Integration ${integrationId} not found`);\n    }\n    if (integration.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} integration ${integrationId} (provider=${integration.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(integration.expiresAt) ||\n      !integration.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(integration.accessToken, integration);\n    }\n\n    if (!integration.refreshToken) {\n      throw new IntegrationBrokenError(\n        integrationId,\n        'no_refresh_token',\n        'Integration has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      integrationId,\n      integration.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      integrationId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, integration, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    integration: DecryptedIntegration,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    integrationId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new IntegrationBrokenError(\n          integrationId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";AASO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YACW,eACA,WACA,kBACT;AACA;AAAA,MACE,eAAe,aAAa,YAAY,SAAS,MAAM,gBAAgB;AAAA,IACzE;AANS;AACA;AACA;AAKT,SAAK,OAAO;AAAA,EACd;AAAA,EARW;AAAA,EACA;AAAA,EACA;AAOb;;;ACsBA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,oBAAoB,KAAK;AAC9B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,eACA,OAA2B,CAAC,GACF;AAC1B,UAAM,cACJ,MAAM,KAAK,kBAAkB,kBAAkB,aAAa;AAC9D,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,MAAM,eAAe,aAAa,YAAY;AAAA,IAC1D;AACA,QAAI,YAAY,aAAa,KAAK,UAAU;AAC1C,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,gBAAgB,aAAa,cAAc,YAAY,QAAQ;AAAA,MACzH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,YAAY,SAAS,KACrC,CAAC,YAAY;AAEf,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,YAAY,aAAa,WAAW;AAAA,IACnE;AAEA,QAAI,CAAC,YAAY,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,YAAY;AAAA,IACd;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,aAAa,GAAG;AAAA,EACnE;AAAA,EAWA,MAAc,eACZ,eACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/connection-broken.error.ts","../../../../../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Thrown when an OAuth2 provider returns `400 invalid_grant`/`invalid_token`\n * on refresh — the refresh token itself is dead (user revoked, org\n * deactivated, token expired beyond the provider's rotation window). The\n * connection should be marked broken so background sync stops picking it\n * up; the user re-initiates OAuth.\n *\n * Shared across every OAuth2 strategy.\n */\nexport class ConnectionBrokenError extends Error {\n  constructor(\n    readonly connectionId: string,\n    readonly errorCode: string,\n    readonly errorDescription: string,\n  ) {\n    super(\n      `Connection ${connectionId} broken: ${errorCode} - ${errorDescription}`,\n    );\n    this.name = 'ConnectionBrokenError';\n  }\n}\n","/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers (Salesforce, HubSpot)\n * in the extraction-source app before being extracted here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `connections.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 connection + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `ConnectionBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedConnection,\n  IConnectionReader,\n  IConnectionTokenWriter,\n} from '../protocols/connection-store';\nimport { ConnectionBrokenError } from './connection-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  connectionReader: IConnectionReader;\n  tokenWriter: IConnectionTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly connectionReader: IConnectionReader;\n  protected readonly tokenWriter: IConnectionTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.connectionReader = opts.connectionReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    connectionId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const connection =\n      await this.connectionReader.findByIdDecrypted(connectionId);\n    if (!connection) {\n      throw new Error(`Connection ${connectionId} not found`);\n    }\n    if (connection.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(connection.expiresAt) ||\n      !connection.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(connection.accessToken, connection);\n    }\n\n    if (!connection.refreshToken) {\n      throw new ConnectionBrokenError(\n        connectionId,\n        'no_refresh_token',\n        'Connection has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      connectionId,\n      connection.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      connectionId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, connection, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    connection: DecryptedConnection,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    connectionId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new ConnectionBrokenError(\n          connectionId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";AASO,IAAM,wBAAN,cAAoC,MAAM;AAAA,EAC/C,YACW,cACA,WACA,kBACT;AACA;AAAA,MACE,cAAc,YAAY,YAAY,SAAS,MAAM,gBAAgB;AAAA,IACvE;AANS;AACA;AACA;AAKT,SAAK,OAAO;AAAA,EACd;AAAA,EARW;AAAA,EACA;AAAA,EACA;AAOb;;;ACsBA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,mBAAmB,KAAK;AAC7B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,cACA,OAA2B,CAAC,GACF;AAC1B,UAAM,aACJ,MAAM,KAAK,iBAAiB,kBAAkB,YAAY;AAC5D,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,MAAM,cAAc,YAAY,YAAY;AAAA,IACxD;AACA,QAAI,WAAW,aAAa,KAAK,UAAU;AACzC,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,eAAe,YAAY,cAAc,WAAW,QAAQ;AAAA,MACtH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,WAAW,SAAS,KACpC,CAAC,WAAW;AAEd,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,WAAW,aAAa,UAAU;AAAA,IACjE;AAEA,QAAI,CAAC,WAAW,cAAc;AAC5B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,WAAW;AAAA,IACb;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,YAAY,GAAG;AAAA,EAClE;AAAA,EAWA,MAAc,eACZ,cACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}

package/dist/runtime/subsystems/auth/runtime/with-auth-retry.d.ts

@@ -27,6 +27,6 @@ interface WithAuthRetryOptions {
      */
     isSessionExpired?: (err: unknown) => boolean;
 }
-declare function withAuthRetry<T>(authStrategy: IAuthStrategy, integrationId: string, op: (credentials: AuthCredentials) => Promise<T>, options?: WithAuthRetryOptions): Promise<T>;
+declare function withAuthRetry<T>(authStrategy: IAuthStrategy, connectionId: string, op: (credentials: AuthCredentials) => Promise<T>, options?: WithAuthRetryOptions): Promise<T>;
 
 export { type WithAuthRetryOptions, withAuthRetry };

package/dist/runtime/subsystems/auth/runtime/with-auth-retry.js

@@ -16,14 +16,14 @@ function isSessionExpiredError(err) {
 }
 
 // runtime/subsystems/auth/runtime/with-auth-retry.ts
-async function withAuthRetry(authStrategy, integrationId, op, options = {}) {
+async function withAuthRetry(authStrategy, connectionId, op, options = {}) {
   const classify = options.isSessionExpired ?? isSessionExpiredError;
-  let creds = await authStrategy.resolve(integrationId);
+  let creds = await authStrategy.resolve(connectionId);
   try {
     return await op(creds);
   } catch (e) {
     if (!classify(e)) throw e;
-    creds = await authStrategy.resolve(integrationId, { forceRefresh: true });
+    creds = await authStrategy.resolve(connectionId, { forceRefresh: true });
     return op(creds);
   }
 }

package/dist/runtime/subsystems/auth/runtime/with-auth-retry.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts","../../../../../runtime/subsystems/auth/runtime/with-auth-retry.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from the\n * extraction-source app's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n","/**\n * Run `op` with auth-aware retry-once on session-expired errors.\n *\n * Pattern: resolve creds → run op → if `isSessionExpired(e)` → resolve with\n * `forceRefresh: true` → retry → propagate. A second session-expired error\n * on the refreshed token propagates rather than looping, so transient\n * adapter bugs can't hang the caller.\n *\n * Generalisation over the extraction source's SFDC-specific original: the\n * session-expired classifier is injected. Providers mark their session-\n * expired errors (via `instanceof` of a marker class, or by setting a known\n * property) and pass a classifier matching that shape.\n *\n * Default classifier recognises the marker interface `SessionExpiredError`\n * shipped in `session-expired.error.ts` — concrete provider errors that\n * extend it (or set `isSessionExpired === true`) get retried without any\n * further wiring.\n */\nimport type {\n  AuthCredentials,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport { isSessionExpiredError } from './session-expired.error';\n\nexport interface WithAuthRetryOptions {\n  /**\n   * Classifier that decides whether a thrown error is a session-expired\n   * signal worth retrying once with a fresh token. Defaults to the marker-\n   * interface check in `session-expired.error.ts`.\n   */\n  isSessionExpired?: (err: unknown) => boolean;\n}\n\nexport async function withAuthRetry<T>(\n  authStrategy: IAuthStrategy,\n  integrationId: string,\n  op: (credentials: AuthCredentials) => Promise<T>,\n  options: WithAuthRetryOptions = {},\n): Promise<T> {\n  const classify = options.isSessionExpired ?? isSessionExpiredError;\n\n  let creds = await authStrategy.resolve(integrationId);\n  try {\n    return await op(creds);\n  } catch (e) {\n    if (!classify(e)) throw e;\n    creds = await authStrategy.resolve(integrationId, { forceRefresh: true });\n    return op(creds);\n  }\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;;;ACLA,eAAsB,cACpB,cACA,eACA,IACA,UAAgC,CAAC,GACrB;AACZ,QAAM,WAAW,QAAQ,oBAAoB;AAE7C,MAAI,QAAQ,MAAM,aAAa,QAAQ,aAAa;AACpD,MAAI;AACF,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB,SAAS,GAAG;AACV,QAAI,CAAC,SAAS,CAAC,EAAG,OAAM;AACxB,YAAQ,MAAM,aAAa,QAAQ,eAAe,EAAE,cAAc,KAAK,CAAC;AACxE,WAAO,GAAG,KAAK;AAAA,EACjB;AACF;","names":[]}
+{"version":3,"sources":["../../../../../runtime/subsystems/auth/runtime/session-expired.error.ts","../../../../../runtime/subsystems/auth/runtime/with-auth-retry.ts"],"sourcesContent":["/**\n * Provider-agnostic marker for \"the access token was rejected; a forced\n * refresh may recover.\"\n *\n * Concrete provider error classes (e.g. SalesforceSessionExpiredError,\n * HubSpotUnauthorizedError) either extend `SessionExpiredError` directly or\n * set `isSessionExpired === true` on their instances. `withAuthRetry` uses\n * the `isSessionExpiredError` predicate to decide whether to force-refresh\n * and retry once.\n *\n * This discriminator replaces the SFDC-only `instanceof` check from the\n * extraction-source app's original `withAuthRetry`. See\n * `docs/gate-1-auth-extraction-findings.md` (recommendation 4).\n */\nexport class SessionExpiredError extends Error {\n  /** Duck-type marker — works across package boundaries where `instanceof` fails. */\n  readonly isSessionExpired = true as const;\n\n  constructor(message = 'Access token rejected by provider') {\n    super(message);\n    this.name = 'SessionExpiredError';\n  }\n}\n\n/**\n * Predicate used by `withAuthRetry` by default.\n *\n * Matches any error that either `instanceof SessionExpiredError` or carries\n * the `isSessionExpired === true` marker property. Provider adapters that\n * want their existing error classes to participate can simply add the\n * marker property without touching the class hierarchy.\n */\nexport function isSessionExpiredError(err: unknown): boolean {\n  if (err instanceof SessionExpiredError) return true;\n  if (err !== null && typeof err === 'object' && 'isSessionExpired' in err) {\n    return (err as { isSessionExpired?: unknown }).isSessionExpired === true;\n  }\n  return false;\n}\n","/**\n * Run `op` with auth-aware retry-once on session-expired errors.\n *\n * Pattern: resolve creds → run op → if `isSessionExpired(e)` → resolve with\n * `forceRefresh: true` → retry → propagate. A second session-expired error\n * on the refreshed token propagates rather than looping, so transient\n * adapter bugs can't hang the caller.\n *\n * Generalisation over the extraction source's SFDC-specific original: the\n * session-expired classifier is injected. Providers mark their session-\n * expired errors (via `instanceof` of a marker class, or by setting a known\n * property) and pass a classifier matching that shape.\n *\n * Default classifier recognises the marker interface `SessionExpiredError`\n * shipped in `session-expired.error.ts` — concrete provider errors that\n * extend it (or set `isSessionExpired === true`) get retried without any\n * further wiring.\n */\nimport type {\n  AuthCredentials,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport { isSessionExpiredError } from './session-expired.error';\n\nexport interface WithAuthRetryOptions {\n  /**\n   * Classifier that decides whether a thrown error is a session-expired\n   * signal worth retrying once with a fresh token. Defaults to the marker-\n   * interface check in `session-expired.error.ts`.\n   */\n  isSessionExpired?: (err: unknown) => boolean;\n}\n\nexport async function withAuthRetry<T>(\n  authStrategy: IAuthStrategy,\n  connectionId: string,\n  op: (credentials: AuthCredentials) => Promise<T>,\n  options: WithAuthRetryOptions = {},\n): Promise<T> {\n  const classify = options.isSessionExpired ?? isSessionExpiredError;\n\n  let creds = await authStrategy.resolve(connectionId);\n  try {\n    return await op(creds);\n  } catch (e) {\n    if (!classify(e)) throw e;\n    creds = await authStrategy.resolve(connectionId, { forceRefresh: true });\n    return op(creds);\n  }\n}\n"],"mappings":";AAcO,IAAM,sBAAN,cAAkC,MAAM;AAAA;AAAA,EAEpC,mBAAmB;AAAA,EAE5B,YAAY,UAAU,qCAAqC;AACzD,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAUO,SAAS,sBAAsB,KAAuB;AAC3D,MAAI,eAAe,oBAAqB,QAAO;AAC/C,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,sBAAsB,KAAK;AACxE,WAAQ,IAAuC,qBAAqB;AAAA,EACtE;AACA,SAAO;AACT;;;ACLA,eAAsB,cACpB,cACA,cACA,IACA,UAAgC,CAAC,GACrB;AACZ,QAAM,WAAW,QAAQ,oBAAoB;AAE7C,MAAI,QAAQ,MAAM,aAAa,QAAQ,YAAY;AACnD,MAAI;AACF,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB,SAAS,GAAG;AACV,QAAI,CAAC,SAAS,CAAC,EAAG,OAAM;AACxB,YAAQ,MAAM,aAAa,QAAQ,cAAc,EAAE,cAAc,KAAK,CAAC;AACvE,WAAO,GAAG,KAAK;AAAA,EACjB;AACF;","names":[]}

package/dist/runtime/subsystems/bridge/bridge.module.d.ts

@@ -5,7 +5,6 @@ import '../../types/drizzle.js';
 import 'drizzle-orm/node-postgres';
 import '../jobs/jobs-domain.module.js';
 import '../jobs/bullmq.config.js';
-import 'bullmq';
 import '../jobs/pool-config.loader.js';
 import '../../../job-orchestrator.protocol-CHOEqBDk.js';
 import '../events/event-bus.protocol.js';