@pattern-stack/codegen 0.15.1 → 0.15.2

package/dist/chunk-L7BNNRGI.js

@@ -0,0 +1,134 @@
+import {
+  BRIDGE_DELIVERY_JOB_TYPE
+} from "./chunk-YTN6BKWA.js";
+import {
+  bridgeDelivery
+} from "./chunk-2TVVBC53.js";
+import {
+  BRIDGE_REGISTRY
+} from "./chunk-4LH67P4U.js";
+import {
+  jobRuns
+} from "./chunk-OKXZ63IA.js";
+import {
+  __decorateClass,
+  __decorateParam
+} from "./chunk-2E224ZSN.js";
+
+// runtime/subsystems/bridge/bridge-outbox-drain-hook.ts
+import { Inject, Injectable, Logger, Optional } from "@nestjs/common";
+import { randomUUID } from "crypto";
+import { eq } from "drizzle-orm";
+var POOL_BY_DIRECTION = {
+  inbound: "events_inbound",
+  change: "events_change",
+  outbound: "events_outbound"
+};
+var BridgeOutboxDrainHook = class {
+  constructor(registry = {}) {
+    this.registry = registry;
+  }
+  registry;
+  logger = new Logger(BridgeOutboxDrainHook.name);
+  warnedNullDirection = false;
+  warnedAuditTypes = /* @__PURE__ */ new Set();
+  async processEvent(event, tx) {
+    if (event.metadata?.["tier"] === "audit") {
+      this.warnAuditBlockedOnce(event);
+      return {
+        delivered: 0,
+        dedupSkips: 0,
+        triggerCount: 0,
+        auditBlocked: 1
+      };
+    }
+    const triggers = this.lookupTriggers(event.type);
+    if (triggers.length === 0) {
+      return {
+        delivered: 0,
+        dedupSkips: 0,
+        triggerCount: 0,
+        auditBlocked: 0
+      };
+    }
+    const direction = event.metadata?.["direction"] ?? null;
+    const tenantId = event.metadata?.["tenantId"] ?? null;
+    const wrapperPool = direction ? POOL_BY_DIRECTION[direction] : void 0;
+    if (!wrapperPool) {
+      if (!this.warnedNullDirection) {
+        this.warnedNullDirection = true;
+        this.logger.warn(
+          `Skipping bridge fanout for events with null/unknown direction. event.id=${event.id} event.type=${event.type} direction=${String(direction)}. The wrapper pool is derived from direction (events_<direction>); publishers must use TypedEventBus.publish() so direction is stamped on the outbox row.`
+        );
+      }
+      return {
+        delivered: 0,
+        dedupSkips: 0,
+        triggerCount: triggers.length,
+        auditBlocked: 0
+      };
+    }
+    let delivered = 0;
+    let dedupSkips = 0;
+    const client = tx;
+    for (const trigger of triggers) {
+      const deliveryId = randomUUID();
+      const wrapperRunId = randomUUID();
+      await tx.insert(jobRuns).values({
+        id: wrapperRunId,
+        jobType: BRIDGE_DELIVERY_JOB_TYPE,
+        jobVersion: 1,
+        rootRunId: wrapperRunId,
+        pool: wrapperPool,
+        status: "pending",
+        input: { deliveryId },
+        triggerSource: "event",
+        triggerRef: event.id,
+        tenantId
+      });
+      const inserted = await tx.insert(bridgeDelivery).values({
+        id: deliveryId,
+        eventId: event.id,
+        triggerId: trigger.triggerId,
+        wrapperRunId,
+        status: "pending",
+        tenantId
+      }).onConflictDoNothing({
+        target: [bridgeDelivery.eventId, bridgeDelivery.triggerId]
+      }).returning({ id: bridgeDelivery.id });
+      if (inserted.length === 0) {
+        await tx.delete(jobRuns).where(eq(jobRuns.id, wrapperRunId));
+        dedupSkips++;
+        continue;
+      }
+      delivered++;
+    }
+    return {
+      delivered,
+      dedupSkips,
+      triggerCount: triggers.length,
+      auditBlocked: 0
+    };
+  }
+  warnAuditBlockedOnce(event) {
+    if (this.warnedAuditTypes.has(event.type)) return;
+    this.warnedAuditTypes.add(event.type);
+    this.logger.warn(
+      `Bridge guard blocked audit-tier event '${event.type}' (event.id=${event.id}). Registry says this event is not bridge-eligible; a bridge_trigger row exists out-of-band. Investigate registry/runtime drift.`
+    );
+  }
+  lookupTriggers(eventType) {
+    const candidates = this.registry[eventType];
+    return candidates ?? [];
+  }
+};
+BridgeOutboxDrainHook = __decorateClass([
+  Injectable(),
+  __decorateParam(0, Optional()),
+  __decorateParam(0, Inject(BRIDGE_REGISTRY))
+], BridgeOutboxDrainHook);
+
+export {
+  BridgeOutboxDrainHook
+};
+//# sourceMappingURL=chunk-L7BNNRGI.js.map

package/dist/chunk-L7BNNRGI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/bridge/bridge-outbox-drain-hook.ts"],"sourcesContent":["/**\n * BridgeOutboxDrainHook — drains-time bridge fanout writer (BRIDGE-4,\n * ADR-023 Phase 2).\n *\n * Implements `IBridgeOutboxDrainHook`. Called by `DrizzleEventBus`'s\n * modified `processBatch` once per drained event, INSIDE the per-event\n * transaction. For every trigger registered against the event's type in\n * the codegen-emitted `bridgeRegistry`, writes:\n *\n *   1. `bridge_delivery` ledger row — `INSERT … ON CONFLICT (event_id,\n *      trigger_id) DO NOTHING RETURNING id`. Empty result ⇒ Case B\n *      facade-eager pre-write OR drain-replay collision; skip wrapper\n *      insert for that trigger; sibling triggers still fire.\n *   2. `job_run` wrapper row — `type='@framework/bridge_delivery'`,\n *      `pool='events_<direction>'`, `input={ deliveryId }`,\n *      `trigger_source='event'`, `trigger_ref=event.id`. The wrapper is\n *      what the framework `BridgeDeliveryHandler` (BRIDGE-5) eventually\n *      claims via the worker that polls the corresponding reserved pool.\n *\n * Null `event.metadata.direction` is tolerated: the hook logs a one-line\n * warning per event and returns zeros without writing rows. The drain's\n * `processed_at` stamp + subscriber dispatch still fire normally.\n * Direction is null only for events published via the legacy\n * `IEventBus.publish(...)` path (`TypedEventBus.publish` always sets it);\n * such events are out of scope for bridge fanout.\n *\n * The wrapper insert generates its own `id` via Drizzle's `defaultRandom`\n * — we don't `RETURNING id` because nobody needs it at drain time;\n * `BridgeDeliveryHandler` later looks up the wrapper via the\n * `bridge_delivery.wrapper_run_id` link if needed. This keeps the drain\n * one-round-trip-per-trigger.\n */\nimport { Inject, Injectable, Logger, Optional } from '@nestjs/common';\nimport { randomUUID } from 'node:crypto';\nimport { eq } from 'drizzle-orm';\n\nimport type { DomainEvent, DrizzleTransaction } from '../events/event-bus.protocol';\nimport { bridgeDelivery } from './bridge-delivery.schema';\nimport { jobRuns } from '../jobs/job-orchestration.schema';\n\nimport { BRIDGE_REGISTRY } from './bridge.tokens';\nimport type {\n  BridgeOutboxDrainResult,\n  BridgeRegistry,\n  BridgeTriggerEntry,\n  IBridgeOutboxDrainHook,\n} from './bridge.protocol';\nimport { BRIDGE_DELIVERY_JOB_TYPE } from './bridge-delivery-handler';\nimport type { EventTypeName } from '../events/event-registry';\n\n/** Reserved pools the wrapper rows route into; ADR-022 / ADR-024. */\nconst POOL_BY_DIRECTION: Record<string, string> = {\n  inbound: 'events_inbound',\n  change: 'events_change',\n  outbound: 'events_outbound',\n};\n\n@Injectable()\nexport class BridgeOutboxDrainHook implements IBridgeOutboxDrainHook {\n  private readonly logger = new Logger(BridgeOutboxDrainHook.name);\n  private warnedNullDirection = false;\n  private readonly warnedAuditTypes = new Set<string>();\n\n  constructor(\n    @Optional()\n    @Inject(BRIDGE_REGISTRY)\n    private readonly registry: BridgeRegistry = {},\n  ) {}\n\n  async processEvent(\n    event: DomainEvent,\n    tx: DrizzleTransaction,\n  ): Promise<BridgeOutboxDrainResult> {\n    // Audit-tier guard (defense-in-depth — AUDIT-4). Audit events are not\n    // bridge-eligible: the codegen-side validator (AUDIT-2) blocks the\n    // registry from listing them as triggers. Reaching this branch means\n    // registry/runtime drift — an out-of-band `bridge_trigger` insert, or\n    // version skew during deploy. Refuse fanout, surface drift via WARN.\n    if (event.metadata?.['tier'] === 'audit') {\n      this.warnAuditBlockedOnce(event);\n      return {\n        delivered: 0,\n        dedupSkips: 0,\n        triggerCount: 0,\n        auditBlocked: 1,\n      };\n    }\n\n    const triggers = this.lookupTriggers(event.type);\n    if (triggers.length === 0) {\n      return {\n        delivered: 0,\n        dedupSkips: 0,\n        triggerCount: 0,\n        auditBlocked: 0,\n      };\n    }\n\n    const direction =\n      (event.metadata?.['direction'] as string | undefined) ?? null;\n    const tenantId =\n      (event.metadata?.['tenantId'] as string | null | undefined) ?? null;\n    const wrapperPool = direction ? POOL_BY_DIRECTION[direction] : undefined;\n\n    if (!wrapperPool) {\n      // Null direction (or an unrecognised one — defensive). Bridge\n      // fanout requires a routed wrapper pool; without one we can't\n      // spawn. Log once per process so misconfiguration surfaces.\n      if (!this.warnedNullDirection) {\n        this.warnedNullDirection = true;\n        this.logger.warn(\n          `Skipping bridge fanout for events with null/unknown direction. ` +\n            `event.id=${event.id} event.type=${event.type} ` +\n            `direction=${String(direction)}. The wrapper pool is derived ` +\n            `from direction (events_<direction>); publishers must use ` +\n            `TypedEventBus.publish() so direction is stamped on the ` +\n            `outbox row.`,\n        );\n      }\n      return {\n        delivered: 0,\n        dedupSkips: 0,\n        triggerCount: triggers.length,\n        auditBlocked: 0,\n      };\n    }\n\n    let delivered = 0;\n    let dedupSkips = 0;\n    const client = tx as unknown as {\n      insert: (table: unknown) => {\n        values: (v: unknown) => {\n          onConflictDoNothing: (opts: unknown) => {\n            returning: (cols: unknown) => Promise<{ id: string }[]>;\n          };\n        } & {\n          // wrapper insert path — no ON CONFLICT\n          // (typed loosely via the same helper return shape)\n        };\n      };\n    };\n\n    for (const trigger of triggers) {\n      const deliveryId = randomUUID();\n      const wrapperRunId = randomUUID();\n\n      // FK ORDER (BRIDGE / 0.15.2): `bridge_delivery.wrapper_run_id` REFERENCES\n      // `job_run(id)` is a plain (non-deferrable) FK, so the referenced\n      // wrapper `job_run` MUST exist before the delivery row that points at it\n      // is inserted — otherwise Postgres rejects the delivery insert\n      // immediately. (The codegen unit tests mock `tx`, so they never\n      // exercised this ordering against a real FK; package-mode bridge\n      // deliveries are the first to do so.) We therefore insert the wrapper\n      // run FIRST, then the delivery. Idempotency is unchanged: the delivery\n      // keeps its `ON CONFLICT (event_id, trigger_id) DO NOTHING RETURNING`,\n      // and when the delivery conflicts (outbox replay or facade-eager Case B)\n      // we DELETE the just-inserted orphan wrapper run in the same tx, so a\n      // skipped delivery leaves no stray `job_run` for a worker to claim.\n\n      // 1. Wrapper job_run insert. We carry the deliveryId into the wrapper\n      //    input so BridgeDeliveryHandler.run(ctx) can locate the row via\n      //    repo.findDeliveryById(ctx.input.deliveryId).\n      await (tx as unknown as { insert: typeof client.insert })\n        .insert(jobRuns)\n        .values({\n          id: wrapperRunId,\n          jobType: BRIDGE_DELIVERY_JOB_TYPE,\n          jobVersion: 1,\n          rootRunId: wrapperRunId,\n          pool: wrapperPool,\n          status: 'pending',\n          input: { deliveryId },\n          triggerSource: 'event',\n          triggerRef: event.id,\n          tenantId,\n        });\n\n      // 2. bridge_delivery insert with ON CONFLICT DO NOTHING + RETURNING.\n      const inserted = await (tx as unknown as {\n        insert: typeof client.insert;\n      })\n        .insert(bridgeDelivery)\n        .values({\n          id: deliveryId,\n          eventId: event.id,\n          triggerId: trigger.triggerId,\n          wrapperRunId,\n          status: 'pending',\n          tenantId,\n        })\n        .onConflictDoNothing({\n          target: [bridgeDelivery.eventId, bridgeDelivery.triggerId],\n        })\n        .returning({ id: bridgeDelivery.id });\n\n      if (inserted.length === 0) {\n        // Case B (facade pre-wrote `delivered`) or drain replay — the delivery\n        // already exists, so this trigger is a no-op. Remove the orphan wrapper\n        // run we speculatively inserted above so no worker claims it. Sibling\n        // triggers still fire.\n        await (tx as unknown as {\n          delete: (table: unknown) => {\n            where: (cond: unknown) => Promise<unknown>;\n          };\n        })\n          .delete(jobRuns)\n          .where(eq(jobRuns.id, wrapperRunId));\n        dedupSkips++;\n        continue;\n      }\n\n      delivered++;\n    }\n\n    return {\n      delivered,\n      dedupSkips,\n      triggerCount: triggers.length,\n      auditBlocked: 0,\n    };\n  }\n\n  private warnAuditBlockedOnce(event: DomainEvent): void {\n    if (this.warnedAuditTypes.has(event.type)) return;\n    this.warnedAuditTypes.add(event.type);\n    this.logger.warn(\n      `Bridge guard blocked audit-tier event '${event.type}' (event.id=${event.id}). ` +\n        `Registry says this event is not bridge-eligible; a bridge_trigger row exists ` +\n        `out-of-band. Investigate registry/runtime drift.`,\n    );\n  }\n\n  private lookupTriggers(\n    eventType: string,\n  ): BridgeTriggerEntry[] {\n    const candidates = this.registry[eventType as EventTypeName];\n    return (candidates ?? []) as BridgeTriggerEntry[];\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAgCA,SAAS,QAAQ,YAAY,QAAQ,gBAAgB;AACrD,SAAS,kBAAkB;AAC3B,SAAS,UAAU;AAiBnB,IAAM,oBAA4C;AAAA,EAChD,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,UAAU;AACZ;AAGO,IAAM,wBAAN,MAA8D;AAAA,EAKnE,YAGmB,WAA2B,CAAC,GAC7C;AADiB;AAAA,EAChB;AAAA,EADgB;AAAA,EAPF,SAAS,IAAI,OAAO,sBAAsB,IAAI;AAAA,EACvD,sBAAsB;AAAA,EACb,mBAAmB,oBAAI,IAAY;AAAA,EAQpD,MAAM,aACJ,OACA,IACkC;AAMlC,QAAI,MAAM,WAAW,MAAM,MAAM,SAAS;AACxC,WAAK,qBAAqB,KAAK;AAC/B,aAAO;AAAA,QACL,WAAW;AAAA,QACX,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,cAAc;AAAA,MAChB;AAAA,IACF;AAEA,UAAM,WAAW,KAAK,eAAe,MAAM,IAAI;AAC/C,QAAI,SAAS,WAAW,GAAG;AACzB,aAAO;AAAA,QACL,WAAW;AAAA,QACX,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,cAAc;AAAA,MAChB;AAAA,IACF;AAEA,UAAM,YACH,MAAM,WAAW,WAAW,KAA4B;AAC3D,UAAM,WACH,MAAM,WAAW,UAAU,KAAmC;AACjE,UAAM,cAAc,YAAY,kBAAkB,SAAS,IAAI;AAE/D,QAAI,CAAC,aAAa;AAIhB,UAAI,CAAC,KAAK,qBAAqB;AAC7B,aAAK,sBAAsB;AAC3B,aAAK,OAAO;AAAA,UACV,2EACc,MAAM,EAAE,eAAe,MAAM,IAAI,cAChC,OAAO,SAAS,CAAC;AAAA,QAIlC;AAAA,MACF;AACA,aAAO;AAAA,QACL,WAAW;AAAA,QACX,YAAY;AAAA,QACZ,cAAc,SAAS;AAAA,QACvB,cAAc;AAAA,MAChB;AAAA,IACF;AAEA,QAAI,YAAY;AAChB,QAAI,aAAa;AACjB,UAAM,SAAS;AAaf,eAAW,WAAW,UAAU;AAC9B,YAAM,aAAa,WAAW;AAC9B,YAAM,eAAe,WAAW;AAkBhC,YAAO,GACJ,OAAO,OAAO,EACd,OAAO;AAAA,QACN,IAAI;AAAA,QACJ,SAAS;AAAA,QACT,YAAY;AAAA,QACZ,WAAW;AAAA,QACX,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,OAAO,EAAE,WAAW;AAAA,QACpB,eAAe;AAAA,QACf,YAAY,MAAM;AAAA,QAClB;AAAA,MACF,CAAC;AAGH,YAAM,WAAW,MAAO,GAGrB,OAAO,cAAc,EACrB,OAAO;AAAA,QACN,IAAI;AAAA,QACJ,SAAS,MAAM;AAAA,QACf,WAAW,QAAQ;AAAA,QACnB;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,MACF,CAAC,EACA,oBAAoB;AAAA,QACnB,QAAQ,CAAC,eAAe,SAAS,eAAe,SAAS;AAAA,MAC3D,CAAC,EACA,UAAU,EAAE,IAAI,eAAe,GAAG,CAAC;AAEtC,UAAI,SAAS,WAAW,GAAG;AAKzB,cAAO,GAKJ,OAAO,OAAO,EACd,MAAM,GAAG,QAAQ,IAAI,YAAY,CAAC;AACrC;AACA;AAAA,MACF;AAEA;AAAA,IACF;AAEA,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,cAAc,SAAS;AAAA,MACvB,cAAc;AAAA,IAChB;AAAA,EACF;AAAA,EAEQ,qBAAqB,OAA0B;AACrD,QAAI,KAAK,iBAAiB,IAAI,MAAM,IAAI,EAAG;AAC3C,SAAK,iBAAiB,IAAI,MAAM,IAAI;AACpC,SAAK,OAAO;AAAA,MACV,0CAA0C,MAAM,IAAI,eAAe,MAAM,EAAE;AAAA,IAG7E;AAAA,EACF;AAAA,EAEQ,eACN,WACsB;AACtB,UAAM,aAAa,KAAK,SAAS,SAA0B;AAC3D,WAAQ,cAAc,CAAC;AAAA,EACzB;AACF;AApLa,wBAAN;AAAA,EADN,WAAW;AAAA,EAOP,4BAAS;AAAA,EACT,0BAAO,eAAe;AAAA,GAPd;","names":[]}

package/dist/chunk-LG57S2SC.js

@@ -0,0 +1,150 @@
+// runtime/subsystems/integration/incremental-read.ts
+async function mapConcurrent(ids, fn, limit) {
+  const out = /* @__PURE__ */ new Map();
+  if (ids.length === 0) return out;
+  const width = Math.max(1, Math.min(limit, ids.length));
+  let next = 0;
+  const worker = async () => {
+    while (next < ids.length) {
+      const idx = next++;
+      const id = ids[idx];
+      out.set(id, await fn(id));
+    }
+  };
+  await Promise.all(Array.from({ length: width }, worker));
+  return out;
+}
+var IncrementalReadBase = class {
+  /**
+   * Whether the vendor takes the request predicate server-side. Declared, not
+   * enforced here — surfaced into the emission manifest (R3) so the falsifier
+   * suite (R4) can record which adapters filter post-hydrate. `false` is the
+   * honest floor (e.g. Gmail without `q=`), handled via `matchesRecord`.
+   */
+  filterPushdown = false;
+  /** Max concurrent in-flight calls for a `mapConcurrent`-built `hydrate`. */
+  hydrateConcurrency = 10;
+  /** `Change<T>.source` provenance stamped by `listChanges`. */
+  changeSource = "poll";
+  /**
+   * Whether this source's cursor strategy is divisible (RFC-0003 §3). When
+   * `true` (default — sortable watermarks like `systemModstamp`/`timestamp`/
+   * `replayId`), `listChanges` emits each record's per-ref cursor, so the
+   * orchestrator may checkpoint mid-walk and a crash resumes from the last
+   * delivered ref.
+   *
+   * When `false` (atomic opaque tokens — Gmail `historyId`, Calendar
+   * `syncToken`), `listChanges` WITHHOLDS per-ref cursors and emits the
+   * end-of-walk token only on the final record, so the orchestrator's
+   * persist-last-yielded lifecycle can never persist an unresumable mid-walk
+   * token. The cost is blast-radius: an interrupted atomic run resumes
+   * all-or-nothing from the prior persisted token. For atomic *backfills* that
+   * radius is the whole enumerate walk — bound it with `ReadRequest.pageSize`
+   * (smaller pages ⇒ shorter walks per run). Per-page atomic checkpointing is a
+   * future refinement; R2 gates at end-of-walk.
+   *
+   * Codegen (R3) sets this from the strategy kind via `isDivisibleCursor`.
+   */
+  cursorDivisible = true;
+  // ---- Optional filter hooks — exactly one is live per `filterPushdown` ----
+  /** Pre-hydrate predicate over the cheap ref (preferred — avoids hydration). */
+  matchesRef(_ref, _filter) {
+    return true;
+  }
+  /** Post-hydrate predicate over the canonical record (the no-pushdown floor). */
+  matchesRecord(_record, _filter) {
+    return true;
+  }
+  /**
+   * Resolve the filter for a subscription when adapting to `listChanges`
+   * (which has no filter argument). Defaults to none; codegen wiring (R3)
+   * overrides this to thread `DetectionConfig.filters`.
+   */
+  filterFor(_subscription) {
+    return void 0;
+  }
+  // ---- PROVIDED by the base ----
+  /**
+   * Stream canonical records for a request. Filter is applied BEFORE hydrate
+   * (structural: a kept ref is hydrated, a rejected one never is), so an
+   * adapter cannot hydrate-then-discard. A hydrate miss (deleted mid-run) is
+   * skipped, never fabricated.
+   */
+  async *read(req, ctx) {
+    for await (const refPage of this.enumerate(req.mode, req.filter, req.pageSize, ctx)) {
+      const kept = refPage.filter((ref) => this.matchesRef(ref, req.filter));
+      if (kept.length === 0) continue;
+      const raws = await this.hydrate(
+        kept.map((ref) => ref.externalId),
+        ctx
+      );
+      for (const ref of kept) {
+        const raw = raws.get(ref.externalId);
+        if (raw === void 0 || raw === null) continue;
+        const record = this.toCanonical(raw);
+        if (record !== null && this.matchesRecord(record, req.filter)) {
+          yield { externalId: ref.externalId, record, raw, cursor: ref.cursor };
+        }
+      }
+    }
+  }
+  /**
+   * `RandomRead<T>` — single-record read, provided for free as
+   * `toCanonical ∘ hydrate([id])`. Reuses the adapter's batched fetch + miss
+   * tolerance; returns `null` for a missing or undecodable record.
+   */
+  async get(id, ctx) {
+    const raws = await this.hydrate([id], ctx);
+    const raw = raws.get(id);
+    if (raw === void 0 || raw === null) return null;
+    return this.toCanonical(raw);
+  }
+  /**
+   * `IChangeSource<T>` adaptation. Maps the orchestrator's by-value cursor to a
+   * `ReadMode` (`null` → `full` backfill, else `delta`), streams `read()`, and
+   * stamps each `SourcedRecord` into a `Change<T>`. All records surface as
+   * `'updated'`; the orchestrator's diff stage classifies create-vs-update and
+   * deletes arrive as tombstone refs (`toCanonical` may flag them).
+   *
+   * Cursor emission honors `cursorDivisible` (RFC-0003 §3). Divisible: each
+   * record carries its own per-ref cursor. Atomic: per-ref cursors are withheld
+   * (`undefined`, which the orchestrator skips persisting) and the end-of-walk
+   * token rides only on the final record — so a mid-walk crash never persists
+   * an unresumable token. If an atomic run yields no surviving records, no
+   * cursor is persisted and the next run re-reads the same (empty) delta — a
+   * bounded inefficiency, never data loss.
+   */
+  async *listChanges(subscription, cursor) {
+    const mode = cursor === null || cursor === void 0 ? { kind: "full" } : { kind: "delta", cursor };
+    const filter = this.filterFor(subscription);
+    const stream = this.read({ mode, filter }, { subscription });
+    if (this.cursorDivisible) {
+      for await (const sourced of stream) {
+        yield this.toChange(sourced, sourced.cursor);
+      }
+      return;
+    }
+    let prev = null;
+    for await (const sourced of stream) {
+      if (prev !== null) yield this.toChange(prev, void 0);
+      prev = sourced;
+    }
+    if (prev !== null) yield this.toChange(prev, prev.cursor);
+  }
+  /** Stamp a `SourcedRecord` into a `Change<T>` with an explicit emitted cursor. */
+  toChange(sourced, cursor) {
+    return {
+      externalId: sourced.externalId,
+      operation: "updated",
+      record: sourced.record,
+      cursor,
+      source: this.changeSource
+    };
+  }
+};
+
+export {
+  mapConcurrent,
+  IncrementalReadBase
+};
+//# sourceMappingURL=chunk-LG57S2SC.js.map

package/dist/chunk-LG57S2SC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/integration/incremental-read.ts"],"sourcesContent":["/**\n * Integration subsystem — `IncrementalRead<T, F>` + `RandomRead<T>` capability\n * and the providing `IncrementalReadBase<T, F, M>` (RFC-0003 R1).\n *\n * The universal read primitive. Where `IChangeSource.listChanges` is the\n * *transport* contract (stream `Change<T>`, orchestrator owns cursor lifecycle),\n * this base owns *how the body that produces those changes is written* — the\n * level the bare `changeSources = {}` author-seam left unstructured.\n *\n * The read decomposes into two composable verbs the adapter supplies:\n *\n *   - `enumerate(mode, filter) → AsyncIterable<Ref<M>[]>` — the cheap delta /\n *     backfill walk; streams pages of lightweight refs (id + per-ref cursor +\n *     filterable metadata). LAZY: pull-driven so hydrate backpressures it.\n *   - `hydrate(ids) → Map<id, raw>` — the expensive fetch-by-id, batched; where\n *     bounded concurrency / a vendor `/batch` endpoint lives. Keyed and\n *     miss-tolerant (a mid-run 404 cannot shift alignment).\n *   - `toCanonical(raw) → T | null` — provider payload → canonical record.\n *\n * The base PROVIDES the orchestration: drain enumerate, **filter before\n * hydrate** (structural — an adapter physically cannot hydrate-then-discard),\n * keyed pairing, per-ref cursor emission, and the `IChangeSource.listChanges`\n * adaptation. It also provides `RandomRead.get()` for free as\n * `toCanonical ∘ hydrate([id])` — so every incremental adapter is a\n * single-record reader (the \"list cheaply, fill on click\" query-surface need)\n * without extra code.\n *\n * The shape generalizes dealbrain's proven HubSpot `listSince` (streams, pushes\n * the filter server-side, carries a per-record cursor) to vendors whose list\n * returns id-stubs (Gmail) or nested resources (Meet). Calendar-style\n * full-object lists override `hydrate` as a passthrough.\n *\n * See RFC-0003 (Track D round-3), ADR-033 (`detection:` config), and\n * `poll-change-source.ts` (the sibling primitive this composes beside).\n */\n\nimport type {\n  Change,\n  ChangeSource,\n  IChangeSource,\n  IntegrationSubscriptionView,\n} from './integration-change-source.protocol';\n\n// ============================================================================\n// Capability shapes\n// ============================================================================\n\n/**\n * How a read walks the upstream. Modes are values, not verbs (swe-brain\n * ADR-0003: mode ≠ capability) — one `read()` verb dispatches on these.\n *\n *   - `delta`     — incremental walk from a persisted cursor.\n *   - `full`      — cursorless backfill (optionally bounded by `since`).\n *   - `reconcile` — gap-repair: re-fetch a known id set the cursor skipped\n *                   (the repair pass for the silent-tail-skip + #414-style\n *                   multi-provider divergence).\n */\nexport type ReadMode =\n  | { readonly kind: 'delta'; readonly cursor: unknown }\n  | { readonly kind: 'full'; readonly since?: Date }\n  | { readonly kind: 'reconcile'; readonly knownIds: readonly string[] };\n\n/**\n * A cheap ref from the enumerate pass: identity + per-ref cursor + metadata to\n * filter or display on. `cursor` is the position AS OF this ref — see\n * `IncrementalReadBase.cursorDivisible` (R2) for when it may be checkpointed\n * mid-walk versus withheld until a safe boundary.\n */\nexport interface Ref<M = Record<string, unknown>> {\n  readonly externalId: string;\n  readonly cursor: unknown;\n  readonly meta: M;\n}\n\n/** A read request: the mode, an optional adapter-typed filter, and page size. */\nexport interface ReadRequest<F = unknown> {\n  readonly mode: ReadMode;\n  readonly filter?: F;\n  readonly pageSize?: number;\n}\n\n/**\n * Per-run context threaded from `listChanges` into the vendor read body (R5).\n *\n * Carries the `subscription` framing the run so `enumerate`/`hydrate` can resolve\n * **per-connection credentials** (and raw-landing keys) from\n * `subscription.externalRef` — the gap a multi-account consumer surfaced: a\n * singleton change source cannot hold connection-scoped auth, and before R5 the\n * base forwarded the subscription only into `filterFor`, never into the fetch.\n *\n * Optional throughout (the core contract): a direct `read()` / `get()` call — the\n * query surface's \"fill one record on click\" — may omit it. An adapter that needs\n * per-connection auth reads `ctx?.subscription?.externalRef` and asserts its\n * presence; a provider-level-auth adapter ignores it.\n */\nexport interface ReadContext {\n  /** The subscription framing this run; `externalRef` is the upstream scope /\n   *  connection id the adapter resolves credentials + raw-landing keys from. */\n  readonly subscription?: IntegrationSubscriptionView;\n}\n\n/**\n * The `read()`-side envelope: canonical record + the raw vendor payload it came\n * from + the originating external id + the per-ref cursor.\n *\n * Distinct from the runtime's transport envelope `Change<T>`\n * (operation/externalId/cursor/source). The relationship is one-directional:\n * `listChanges()` adapts `read()` → `Change<T>` (dropping `raw`, stamping\n * `operation`). `read()` keeps `raw` and `externalId` so a query surface can\n * re-project without a second fetch.\n */\nexport interface SourcedRecord<T> {\n  readonly externalId: string;\n  readonly record: T;\n  readonly raw: unknown;\n  readonly cursor: unknown;\n}\n\n/**\n * The universal read capability — one public verb that streams. Filtering,\n * hydration, and cursor emission are the providing base's concern.\n */\nexport interface IncrementalRead<T, F = unknown> {\n  read(req: ReadRequest<F>, ctx?: ReadContext): AsyncIterable<SourcedRecord<T>>;\n}\n\n/**\n * Single-record read by external id — the \"fill on click\" atom. Provided for\n * free by `IncrementalReadBase` (composes `hydrate` + `toCanonical`); declared\n * as its own capability so consumers can depend on it without the streaming\n * surface.\n */\nexport interface RandomRead<T> {\n  get(id: string, ctx?: ReadContext): Promise<T | null>;\n}\n\n// ============================================================================\n// Bounded-parallel map helper\n// ============================================================================\n\n/**\n * Map `ids` through `fn` with at most `limit` concurrent in-flight calls,\n * collecting results keyed by id. The workhorse for writing a batched\n * `hydrate` over a single-id fetch without serial N+1 latency.\n */\nexport async function mapConcurrent<R>(\n  ids: readonly string[],\n  fn: (id: string) => Promise<R>,\n  limit: number,\n): Promise<Map<string, R>> {\n  const out = new Map<string, R>();\n  if (ids.length === 0) return out;\n  const width = Math.max(1, Math.min(limit, ids.length));\n  let next = 0;\n  const worker = async (): Promise<void> => {\n    while (next < ids.length) {\n      const idx = next++;\n      const id = ids[idx]!;\n      out.set(id, await fn(id));\n    }\n  };\n  await Promise.all(Array.from({ length: width }, worker));\n  return out;\n}\n\n// ============================================================================\n// IncrementalReadBase\n// ============================================================================\n\n/**\n * Providing base for the read capability. A subclass fills exactly three vendor\n * methods — `enumerate`, `hydrate`, `toCanonical` — and gets a streaming,\n * filter-before-hydrate, miss-tolerant `IncrementalRead<T, F>` +\n * `IChangeSource<T>` + `RandomRead<T>`.\n *\n * Type params: `T` canonical record, `F` adapter-typed filter, `M` per-ref\n * metadata (defaults to an untyped bag — surface packages supply a domain `M`).\n */\nexport abstract class IncrementalReadBase<T, F = unknown, M = Record<string, unknown>>\n  implements IncrementalRead<T, F>, IChangeSource<T>, RandomRead<T>\n{\n  /** Human label for run logs — e.g. `'google-mail-email'`. */\n  abstract readonly label: string;\n\n  /**\n   * Whether the vendor takes the request predicate server-side. Declared, not\n   * enforced here — surfaced into the emission manifest (R3) so the falsifier\n   * suite (R4) can record which adapters filter post-hydrate. `false` is the\n   * honest floor (e.g. Gmail without `q=`), handled via `matchesRecord`.\n   */\n  protected readonly filterPushdown: boolean = false;\n\n  /** Max concurrent in-flight calls for a `mapConcurrent`-built `hydrate`. */\n  protected readonly hydrateConcurrency: number = 10;\n\n  /** `Change<T>.source` provenance stamped by `listChanges`. */\n  protected readonly changeSource: ChangeSource = 'poll';\n\n  /**\n   * Whether this source's cursor strategy is divisible (RFC-0003 §3). When\n   * `true` (default — sortable watermarks like `systemModstamp`/`timestamp`/\n   * `replayId`), `listChanges` emits each record's per-ref cursor, so the\n   * orchestrator may checkpoint mid-walk and a crash resumes from the last\n   * delivered ref.\n   *\n   * When `false` (atomic opaque tokens — Gmail `historyId`, Calendar\n   * `syncToken`), `listChanges` WITHHOLDS per-ref cursors and emits the\n   * end-of-walk token only on the final record, so the orchestrator's\n   * persist-last-yielded lifecycle can never persist an unresumable mid-walk\n   * token. The cost is blast-radius: an interrupted atomic run resumes\n   * all-or-nothing from the prior persisted token. For atomic *backfills* that\n   * radius is the whole enumerate walk — bound it with `ReadRequest.pageSize`\n   * (smaller pages ⇒ shorter walks per run). Per-page atomic checkpointing is a\n   * future refinement; R2 gates at end-of-walk.\n   *\n   * Codegen (R3) sets this from the strategy kind via `isDivisibleCursor`.\n   */\n  protected readonly cursorDivisible: boolean = true;\n\n  // ---- SUPPLIED by the adapter (the irreducible vendor seam) ----\n\n  /**\n   * The cheap walk. Streams pages of refs; LAZY so `hydrate` backpressures it\n   * (one page hydrated before the next is pulled). Mode-dispatch lives here:\n   * `delta` resumes from `mode.cursor`, `full` walks from the top, `reconcile`\n   * re-fetches `mode.knownIds`.\n   *\n   * `pageSize` (from `ReadRequest`) is the adapter's requested vendor page size\n   * — also the atomic-cursor backfill blast-radius bound (§ `cursorDivisible`).\n   * Honor it as a hint; vendors that cap page size clamp it.\n   *\n   * `ctx?.subscription` (R5) carries the run's subscription, so a per-connection\n   * adapter resolves credentials / upstream scope from `externalRef` here; absent\n   * on a direct `read()` with no run subscription.\n   */\n  protected abstract enumerate(\n    mode: ReadMode,\n    filter?: F,\n    pageSize?: number,\n    ctx?: ReadContext,\n  ): AsyncIterable<Ref<M>[]>;\n\n  /**\n   * Fetch raw payloads for `ids`, keyed by id. MUST be miss-tolerant: omit (or\n   * map to `null`) any id that 404s mid-run rather than throwing or shifting\n   * alignment. Write it over `mapConcurrent(ids, (id) => this.fetchOne(id),\n   * this.hydrateConcurrency)`; override with a real `/batch` call or a\n   * passthrough (full-object list) where the vendor allows.\n   *\n   * `ctx?.subscription` (R5) carries the run's subscription for per-connection\n   * credential resolution (the fetch is where the vendor call happens) and is the\n   * natural place to land raw payloads keyed by `subscription.id`.\n   */\n  protected abstract hydrate(ids: string[], ctx?: ReadContext): Promise<Map<string, unknown>>;\n\n  /** Provider payload → canonical record. Return `null` to drop a record. */\n  protected abstract toCanonical(raw: unknown): T | null;\n\n  // ---- Optional filter hooks — exactly one is live per `filterPushdown` ----\n\n  /** Pre-hydrate predicate over the cheap ref (preferred — avoids hydration). */\n  protected matchesRef(_ref: Ref<M>, _filter?: F): boolean {\n    return true;\n  }\n\n  /** Post-hydrate predicate over the canonical record (the no-pushdown floor). */\n  protected matchesRecord(_record: T, _filter?: F): boolean {\n    return true;\n  }\n\n  /**\n   * Resolve the filter for a subscription when adapting to `listChanges`\n   * (which has no filter argument). Defaults to none; codegen wiring (R3)\n   * overrides this to thread `DetectionConfig.filters`.\n   */\n  protected filterFor(_subscription: IntegrationSubscriptionView): F | undefined {\n    return undefined;\n  }\n\n  // ---- PROVIDED by the base ----\n\n  /**\n   * Stream canonical records for a request. Filter is applied BEFORE hydrate\n   * (structural: a kept ref is hydrated, a rejected one never is), so an\n   * adapter cannot hydrate-then-discard. A hydrate miss (deleted mid-run) is\n   * skipped, never fabricated.\n   */\n  async *read(req: ReadRequest<F>, ctx?: ReadContext): AsyncIterable<SourcedRecord<T>> {\n    for await (const refPage of this.enumerate(req.mode, req.filter, req.pageSize, ctx)) {\n      const kept = refPage.filter((ref) => this.matchesRef(ref, req.filter));\n      if (kept.length === 0) continue;\n      const raws = await this.hydrate(\n        kept.map((ref) => ref.externalId),\n        ctx,\n      );\n      for (const ref of kept) {\n        const raw = raws.get(ref.externalId);\n        if (raw === undefined || raw === null) continue; // deleted mid-run → skip\n        const record = this.toCanonical(raw);\n        if (record !== null && this.matchesRecord(record, req.filter)) {\n          yield { externalId: ref.externalId, record, raw, cursor: ref.cursor };\n        }\n      }\n    }\n  }\n\n  /**\n   * `RandomRead<T>` — single-record read, provided for free as\n   * `toCanonical ∘ hydrate([id])`. Reuses the adapter's batched fetch + miss\n   * tolerance; returns `null` for a missing or undecodable record.\n   */\n  async get(id: string, ctx?: ReadContext): Promise<T | null> {\n    const raws = await this.hydrate([id], ctx);\n    const raw = raws.get(id);\n    if (raw === undefined || raw === null) return null;\n    return this.toCanonical(raw);\n  }\n\n  /**\n   * `IChangeSource<T>` adaptation. Maps the orchestrator's by-value cursor to a\n   * `ReadMode` (`null` → `full` backfill, else `delta`), streams `read()`, and\n   * stamps each `SourcedRecord` into a `Change<T>`. All records surface as\n   * `'updated'`; the orchestrator's diff stage classifies create-vs-update and\n   * deletes arrive as tombstone refs (`toCanonical` may flag them).\n   *\n   * Cursor emission honors `cursorDivisible` (RFC-0003 §3). Divisible: each\n   * record carries its own per-ref cursor. Atomic: per-ref cursors are withheld\n   * (`undefined`, which the orchestrator skips persisting) and the end-of-walk\n   * token rides only on the final record — so a mid-walk crash never persists\n   * an unresumable token. If an atomic run yields no surviving records, no\n   * cursor is persisted and the next run re-reads the same (empty) delta — a\n   * bounded inefficiency, never data loss.\n   */\n  async *listChanges(\n    subscription: IntegrationSubscriptionView,\n    cursor: unknown | null,\n  ): AsyncIterable<Change<T>> {\n    const mode: ReadMode =\n      cursor === null || cursor === undefined\n        ? { kind: 'full' }\n        : { kind: 'delta', cursor };\n    const filter = this.filterFor(subscription);\n    // R5: thread the run's subscription into the read body so `enumerate`/`hydrate`\n    // can resolve per-connection credentials (and raw-landing keys) from it.\n    const stream = this.read({ mode, filter }, { subscription });\n\n    if (this.cursorDivisible) {\n      for await (const sourced of stream) {\n        yield this.toChange(sourced, sourced.cursor);\n      }\n      return;\n    }\n\n    // Atomic: one-record lookahead. Emit every record but the last with a\n    // withheld (`undefined`) cursor; the last record carries the end-of-walk\n    // token. Contract: an atomic adapter stamps the (single, shared) end-of-walk\n    // token onto its refs' `cursor` — so whichever record survives last carries\n    // it. The base emits a real cursor exactly once, on that final record, so the\n    // orchestrator can never persist a mid-walk value. If zero records survive,\n    // nothing is persisted (next run re-reads the delta — bounded, never lossy).\n    let prev: SourcedRecord<T> | null = null;\n    for await (const sourced of stream) {\n      if (prev !== null) yield this.toChange(prev, undefined);\n      prev = sourced;\n    }\n    if (prev !== null) yield this.toChange(prev, prev.cursor);\n  }\n\n  /** Stamp a `SourcedRecord` into a `Change<T>` with an explicit emitted cursor. */\n  private toChange(sourced: SourcedRecord<T>, cursor: unknown): Change<T> {\n    return {\n      externalId: sourced.externalId,\n      operation: 'updated',\n      record: sourced.record,\n      cursor,\n      source: this.changeSource,\n    };\n  }\n}\n"],"mappings":";AAiJA,eAAsB,cACpB,KACA,IACA,OACyB;AACzB,QAAM,MAAM,oBAAI,IAAe;AAC/B,MAAI,IAAI,WAAW,EAAG,QAAO;AAC7B,QAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,IAAI,OAAO,IAAI,MAAM,CAAC;AACrD,MAAI,OAAO;AACX,QAAM,SAAS,YAA2B;AACxC,WAAO,OAAO,IAAI,QAAQ;AACxB,YAAM,MAAM;AACZ,YAAM,KAAK,IAAI,GAAG;AAClB,UAAI,IAAI,IAAI,MAAM,GAAG,EAAE,CAAC;AAAA,IAC1B;AAAA,EACF;AACA,QAAM,QAAQ,IAAI,MAAM,KAAK,EAAE,QAAQ,MAAM,GAAG,MAAM,CAAC;AACvD,SAAO;AACT;AAeO,IAAe,sBAAf,MAEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUqB,iBAA0B;AAAA;AAAA,EAG1B,qBAA6B;AAAA;AAAA,EAG7B,eAA6B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqB7B,kBAA2B;AAAA;AAAA;AAAA,EA4CpC,WAAW,MAAc,SAAsB;AACvD,WAAO;AAAA,EACT;AAAA;AAAA,EAGU,cAAc,SAAY,SAAsB;AACxD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOU,UAAU,eAA2D;AAC7E,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,OAAO,KAAK,KAAqB,KAAoD;AACnF,qBAAiB,WAAW,KAAK,UAAU,IAAI,MAAM,IAAI,QAAQ,IAAI,UAAU,GAAG,GAAG;AACnF,YAAM,OAAO,QAAQ,OAAO,CAAC,QAAQ,KAAK,WAAW,KAAK,IAAI,MAAM,CAAC;AACrE,UAAI,KAAK,WAAW,EAAG;AACvB,YAAM,OAAO,MAAM,KAAK;AAAA,QACtB,KAAK,IAAI,CAAC,QAAQ,IAAI,UAAU;AAAA,QAChC;AAAA,MACF;AACA,iBAAW,OAAO,MAAM;AACtB,cAAM,MAAM,KAAK,IAAI,IAAI,UAAU;AACnC,YAAI,QAAQ,UAAa,QAAQ,KAAM;AACvC,cAAM,SAAS,KAAK,YAAY,GAAG;AACnC,YAAI,WAAW,QAAQ,KAAK,cAAc,QAAQ,IAAI,MAAM,GAAG;AAC7D,gBAAM,EAAE,YAAY,IAAI,YAAY,QAAQ,KAAK,QAAQ,IAAI,OAAO;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,IAAI,IAAY,KAAsC;AAC1D,UAAM,OAAO,MAAM,KAAK,QAAQ,CAAC,EAAE,GAAG,GAAG;AACzC,UAAM,MAAM,KAAK,IAAI,EAAE;AACvB,QAAI,QAAQ,UAAa,QAAQ,KAAM,QAAO;AAC9C,WAAO,KAAK,YAAY,GAAG;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,OAAO,YACL,cACA,QAC0B;AAC1B,UAAM,OACJ,WAAW,QAAQ,WAAW,SAC1B,EAAE,MAAM,OAAO,IACf,EAAE,MAAM,SAAS,OAAO;AAC9B,UAAM,SAAS,KAAK,UAAU,YAAY;AAG1C,UAAM,SAAS,KAAK,KAAK,EAAE,MAAM,OAAO,GAAG,EAAE,aAAa,CAAC;AAE3D,QAAI,KAAK,iBAAiB;AACxB,uBAAiB,WAAW,QAAQ;AAClC,cAAM,KAAK,SAAS,SAAS,QAAQ,MAAM;AAAA,MAC7C;AACA;AAAA,IACF;AASA,QAAI,OAAgC;AACpC,qBAAiB,WAAW,QAAQ;AAClC,UAAI,SAAS,KAAM,OAAM,KAAK,SAAS,MAAM,MAAS;AACtD,aAAO;AAAA,IACT;AACA,QAAI,SAAS,KAAM,OAAM,KAAK,SAAS,MAAM,KAAK,MAAM;AAAA,EAC1D;AAAA;AAAA,EAGQ,SAAS,SAA2B,QAA4B;AACtE,WAAO;AAAA,MACL,YAAY,QAAQ;AAAA,MACpB,WAAW;AAAA,MACX,QAAQ,QAAQ;AAAA,MAChB;AAAA,MACA,QAAQ,KAAK;AAAA,IACf;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-M6QLSLPO.js

@@ -0,0 +1,97 @@
+import {
+  ConnectionBrokenError
+} from "./chunk-2N4UG4VD.js";
+
+// runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts
+var REFRESH_SAFETY_MS = 5 * 60 * 1e3;
+var OAuth2RefreshStrategy = class {
+  connectionReader;
+  tokenWriter;
+  fetchImpl;
+  now;
+  constructor(opts) {
+    this.connectionReader = opts.connectionReader;
+    this.tokenWriter = opts.tokenWriter;
+    this.fetchImpl = opts.fetch ?? fetch;
+    this.now = opts.now ?? Date.now;
+  }
+  async resolve(connectionId, opts = {}) {
+    const connection = await this.connectionReader.findByIdDecrypted(connectionId);
+    if (!connection) {
+      throw new Error(`Connection ${connectionId} not found`);
+    }
+    if (connection.provider !== this.provider) {
+      throw new Error(
+        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`
+      );
+    }
+    const needsRefresh = opts.forceRefresh || this.isExpiring(connection.expiresAt) || !connection.accessToken;
+    if (!needsRefresh) {
+      return this.buildCredentials(connection.accessToken, connection);
+    }
+    if (!connection.refreshToken) {
+      throw new ConnectionBrokenError(
+        connectionId,
+        "no_refresh_token",
+        "Connection has no refresh token; user must reconnect"
+      );
+    }
+    const { parsed, raw } = await this.executeRefresh(
+      connectionId,
+      connection.refreshToken
+    );
+    const newExpiresAt = new Date(
+      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1e3
+    );
+    await this.tokenWriter.persistRefresh({
+      connectionId,
+      accessToken: parsed.accessToken,
+      refreshToken: parsed.refreshToken ?? void 0,
+      expiresAt: newExpiresAt
+    });
+    return this.buildCredentials(parsed.accessToken, connection, raw);
+  }
+  async executeRefresh(connectionId, refreshToken) {
+    const body = new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      ...this.refreshBodyExtras()
+    });
+    const response = await this.fetchImpl(this.tokenEndpoint(), {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const err = await safeJson(response);
+      if (response.status === 400 && (err.error === "invalid_grant" || err.error === "invalid_token")) {
+        throw new ConnectionBrokenError(
+          connectionId,
+          err.error ?? "invalid_grant",
+          err.error_description ?? err.message ?? "refresh token rejected"
+        );
+      }
+      throw new Error(
+        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ""} ${err.error_description ?? err.message ?? ""}`.trim()
+      );
+    }
+    const raw = await response.json();
+    return { parsed: this.parseRefreshResponse(raw), raw };
+  }
+  isExpiring(expiresAt) {
+    if (!expiresAt) return true;
+    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;
+  }
+};
+async function safeJson(response) {
+  try {
+    return await response.clone().json();
+  } catch {
+    return {};
+  }
+}
+
+export {
+  OAuth2RefreshStrategy
+};
+//# sourceMappingURL=chunk-M6QLSLPO.js.map

package/dist/chunk-M6QLSLPO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers (Salesforce, HubSpot)\n * in the extraction-source app before being extracted here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `connections.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 connection + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `ConnectionBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedConnection,\n  IConnectionReader,\n  IConnectionTokenWriter,\n} from '../protocols/connection-store';\nimport { ConnectionBrokenError } from './connection-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  connectionReader: IConnectionReader;\n  tokenWriter: IConnectionTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly connectionReader: IConnectionReader;\n  protected readonly tokenWriter: IConnectionTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.connectionReader = opts.connectionReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    connectionId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const connection =\n      await this.connectionReader.findByIdDecrypted(connectionId);\n    if (!connection) {\n      throw new Error(`Connection ${connectionId} not found`);\n    }\n    if (connection.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(connection.expiresAt) ||\n      !connection.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(connection.accessToken, connection);\n    }\n\n    if (!connection.refreshToken) {\n      throw new ConnectionBrokenError(\n        connectionId,\n        'no_refresh_token',\n        'Connection has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      connectionId,\n      connection.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      connectionId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, connection, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    connection: DecryptedConnection,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    connectionId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new ConnectionBrokenError(\n          connectionId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";;;;;AA0CA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,mBAAmB,KAAK;AAC7B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,cACA,OAA2B,CAAC,GACF;AAC1B,UAAM,aACJ,MAAM,KAAK,iBAAiB,kBAAkB,YAAY;AAC5D,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,MAAM,cAAc,YAAY,YAAY;AAAA,IACxD;AACA,QAAI,WAAW,aAAa,KAAK,UAAU;AACzC,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,eAAe,YAAY,cAAc,WAAW,QAAQ;AAAA,MACtH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,WAAW,SAAS,KACpC,CAAC,WAAW;AAEd,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,WAAW,aAAa,UAAU;AAAA,IACjE;AAEA,QAAI,CAAC,WAAW,cAAc;AAC5B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,WAAW;AAAA,IACb;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,YAAY,GAAG;AAAA,EAClE;AAAA,EAWA,MAAc,eACZ,cACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}

package/dist/chunk-MZ6GV4YF.js

@@ -0,0 +1,21 @@
+// runtime/subsystems/integration/integration-errors.ts
+var MissingTenantIdError = class extends Error {
+  name = "MissingTenantIdError";
+  constructor(operation) {
+    super(
+      `Missing tenantId for integration operation '${operation}'. IntegrationModule is configured with multiTenant: true \u2014 every call must include a non-null tenantId. Either pass the tenantId or disable multi-tenancy on the module.`
+    );
+  }
+};
+function assertTenantId(tenantId, options) {
+  if (!options.multiTenant) return;
+  if (tenantId === void 0 || tenantId === null) {
+    throw new MissingTenantIdError(options.operation);
+  }
+}
+
+export {
+  MissingTenantIdError,
+  assertTenantId
+};
+//# sourceMappingURL=chunk-MZ6GV4YF.js.map

package/dist/chunk-MZ6GV4YF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/integration/integration-errors.ts"],"sourcesContent":["/**\n * Typed errors + shared boundary helpers for the integration subsystem.\n *\n * Classes (not bare Error) so consumers can `instanceof` them in catch\n * blocks and exception filters can map them to HTTP codes.\n *\n * Mirrors the shape of `events-errors.ts` and `jobs-errors.ts`.\n */\n\n/**\n * Thrown by the Drizzle cursor-store / run-recorder backends AND by the\n * orchestrator entry point when `INTEGRATION_MULTI_TENANT` is enabled but the\n * caller did not supply a non-null `tenantId`. Strict enforcement at the\n * boundary — explicit `null` still throws.\n *\n * Disable multi-tenancy on the module (`multiTenant: false`, the default)\n * to opt out of the requirement entirely.\n *\n * `operation` identifies the call site (e.g. `'cursor.put'`,\n * `'startRun'`, `'execute'`) so the stack-trace message points at the\n * specific boundary that rejected the input.\n */\nexport class MissingTenantIdError extends Error {\n  override readonly name = 'MissingTenantIdError';\n  constructor(operation: string) {\n    super(\n      `Missing tenantId for integration operation '${operation}'. IntegrationModule is ` +\n        `configured with multiTenant: true — every call must include a ` +\n        `non-null tenantId. Either pass the tenantId or disable multi-` +\n        `tenancy on the module.`,\n    );\n  }\n}\n\n/**\n * Shared boundary guard — used at the orchestrator entry AND inside the\n * Drizzle backends. Keeping the check in one function guarantees every\n * `MissingTenantIdError` carries the same message shape regardless of the\n * site that raised it, which makes it easier for consumers to pattern-\n * match on the error in logs/metrics.\n *\n * When `multiTenant` is false, the function is a no-op — `tenantId` may\n * be anything (including `undefined`). When true, `undefined` or `null`\n * throws.\n */\nexport function assertTenantId(\n  tenantId: string | null | undefined,\n  options: { multiTenant: boolean; operation: string },\n): asserts tenantId is string {\n  if (!options.multiTenant) return;\n  if (tenantId === undefined || tenantId === null) {\n    throw new MissingTenantIdError(options.operation);\n  }\n}\n"],"mappings":";AAsBO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EAC5B,OAAO;AAAA,EACzB,YAAY,WAAmB;AAC7B;AAAA,MACE,+CAA+C,SAAS;AAAA,IAI1D;AAAA,EACF;AACF;AAaO,SAAS,eACd,UACA,SAC4B;AAC5B,MAAI,CAAC,QAAQ,YAAa;AAC1B,MAAI,aAAa,UAAa,aAAa,MAAM;AAC/C,UAAM,IAAI,qBAAqB,QAAQ,SAAS;AAAA,EAClD;AACF;","names":[]}

package/dist/chunk-N5OTOWTP.js

@@ -0,0 +1,55 @@
+import {
+  OAuthStateError
+} from "./chunk-BPARRK6F.js";
+import {
+  authOAuthState
+} from "./chunk-NPFPZ2HO.js";
+
+// runtime/subsystems/auth/backends/state-store.drizzle-backend.ts
+import { randomBytes } from "crypto";
+import { eq } from "drizzle-orm";
+var DrizzleOAuthStateStore = class {
+  constructor(db, opts = {}) {
+    this.db = db;
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes(32).toString("base64url"));
+  }
+  db;
+  ttlMs;
+  now;
+  generateToken;
+  async generate(record) {
+    const state = this.generateToken();
+    const expiresAt = new Date(this.now() + this.ttlMs);
+    await this.db.insert(authOAuthState).values({
+      state,
+      userId: record.userId,
+      redirect: record.redirect ?? null,
+      expiresAt
+    });
+    return state;
+  }
+  async consume(state) {
+    const rows = await this.db.delete(authOAuthState).where(eq(authOAuthState.state, state)).returning();
+    const row = rows[0];
+    if (!row) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
+    if (row.expiresAt.getTime() <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return {
+      userId: row.userId,
+      redirect: row.redirect ?? void 0
+    };
+  }
+};
+
+export {
+  DrizzleOAuthStateStore
+};
+//# sourceMappingURL=chunk-N5OTOWTP.js.map

package/dist/chunk-N5OTOWTP.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/backends/state-store.drizzle-backend.ts"],"sourcesContent":["/**\n * Drizzle-backed `IOAuthStateStore`.\n *\n * Uses the `auth_oauth_state` table (see `auth-oauth-state.schema.ts`).\n * Single-use semantics enforced via `DELETE ... RETURNING`: the consume\n * path atomically deletes and returns the row, so a concurrent /callback\n * with the same state cannot replay.\n *\n * Behaviour:\n *   - `generate(record)` mints a 256-bit base64url token, INSERTs the row\n *     with `expires_at = now() + ttlMs`.\n *   - `consume(state)` runs `DELETE ... WHERE state = $1 RETURNING ...`\n *     once. Throws `OAuthStateError('missing')` if no row was deleted\n *     (unknown or already consumed) and `OAuthStateError('expired')` if\n *     the deleted row was past its `expires_at`.\n */\nimport { randomBytes } from 'node:crypto';\nimport { eq } from 'drizzle-orm';\nimport type { DrizzleClient } from '../../../types/drizzle';\nimport { authOAuthState } from '../auth-oauth-state.schema';\nimport {\n  type IOAuthStateStore,\n  type OAuthStateRecord,\n  OAuthStateError,\n} from '../protocols/oauth-state-store';\n\nexport interface DrizzleOAuthStateStoreOptions {\n  /** TTL in ms. Default 10 minutes. */\n  ttlMs?: number;\n  /** Injectable clock for tests. Default `Date.now`. */\n  now?: () => number;\n  /** Injectable token generator for tests. Default 32-byte base64url. */\n  generateToken?: () => string;\n}\n\nexport class DrizzleOAuthStateStore implements IOAuthStateStore {\n  private readonly ttlMs: number;\n  private readonly now: () => number;\n  private readonly generateToken: () => string;\n\n  constructor(\n    private readonly db: DrizzleClient,\n    opts: DrizzleOAuthStateStoreOptions = {},\n  ) {\n    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;\n    this.now = opts.now ?? (() => Date.now());\n    this.generateToken =\n      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));\n  }\n\n  async generate(record: OAuthStateRecord): Promise<string> {\n    const state = this.generateToken();\n    const expiresAt = new Date(this.now() + this.ttlMs);\n    await this.db.insert(authOAuthState).values({\n      state,\n      userId: record.userId,\n      redirect: record.redirect ?? null,\n      expiresAt,\n    });\n    return state;\n  }\n\n  async consume(state: string): Promise<OAuthStateRecord> {\n    const rows = await this.db\n      .delete(authOAuthState)\n      .where(eq(authOAuthState.state, state))\n      .returning();\n    const row = rows[0];\n    if (!row) {\n      throw new OAuthStateError(\n        `OAuth state token unknown or already consumed`,\n        'missing',\n      );\n    }\n    if (row.expiresAt.getTime() <= this.now()) {\n      throw new OAuthStateError(`OAuth state token expired`, 'expired');\n    }\n    return {\n      userId: row.userId,\n      redirect: row.redirect ?? undefined,\n    };\n  }\n}\n"],"mappings":";;;;;;;;AAgBA,SAAS,mBAAmB;AAC5B,SAAS,UAAU;AAkBZ,IAAM,yBAAN,MAAyD;AAAA,EAK9D,YACmB,IACjB,OAAsC,CAAC,GACvC;AAFiB;AAGjB,SAAK,QAAQ,KAAK,SAAS,KAAK,KAAK;AACrC,SAAK,MAAM,KAAK,QAAQ,MAAM,KAAK,IAAI;AACvC,SAAK,gBACH,KAAK,kBAAkB,MAAM,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EACrE;AAAA,EAPmB;AAAA,EALF;AAAA,EACA;AAAA,EACA;AAAA,EAYjB,MAAM,SAAS,QAA2C;AACxD,UAAM,QAAQ,KAAK,cAAc;AACjC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK;AAClD,UAAM,KAAK,GAAG,OAAO,cAAc,EAAE,OAAO;AAAA,MAC1C;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,UAAU,OAAO,YAAY;AAAA,MAC7B;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAA0C;AACtD,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,cAAc,EACrB,MAAM,GAAG,eAAe,OAAO,KAAK,CAAC,EACrC,UAAU;AACb,UAAM,MAAM,KAAK,CAAC;AAClB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,IAAI,UAAU,QAAQ,KAAK,KAAK,IAAI,GAAG;AACzC,YAAM,IAAI,gBAAgB,6BAA6B,SAAS;AAAA,IAClE;AACA,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,UAAU,IAAI,YAAY;AAAA,IAC5B;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-NN7XZEGF.js

@@ -0,0 +1,14 @@
+import {
+  BaseRepository
+} from "./chunk-J6KZS54B.js";
+
+// runtime/base-classes/knowledge-entity-repository.ts
+var KnowledgeEntityRepository = class extends BaseRepository {
+  // pgvector-dependent methods will be added when the extension is available:
+  //   semanticSearch, findPendingByOpportunityId, updateStatus, updateStatusBatch
+};
+
+export {
+  KnowledgeEntityRepository
+};
+//# sourceMappingURL=chunk-NN7XZEGF.js.map

package/dist/chunk-NN7XZEGF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/base-classes/knowledge-entity-repository.ts"],"sourcesContent":["/**\n * KnowledgeEntityRepository<TEntity>\n *\n * Stub for the knowledge family (requires pgvector — parked for now).\n * Concrete repos extend this when pgvector is available.\n */\nimport { BaseRepository } from './base-repository';\n\nexport abstract class KnowledgeEntityRepository<TEntity> extends BaseRepository<TEntity> {\n  // pgvector-dependent methods will be added when the extension is available:\n  //   semanticSearch, findPendingByOpportunityId, updateStatus, updateStatusBatch\n}\n"],"mappings":";;;;;AAQO,IAAe,4BAAf,cAA0D,eAAwB;AAAA;AAAA;AAGzF;","names":[]}

package/dist/chunk-NPFPZ2HO.js

@@ -0,0 +1,13 @@
+// runtime/subsystems/auth/auth-oauth-state.schema.ts
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+var authOAuthState = pgTable("auth_oauth_state", {
+  state: text("state").primaryKey(),
+  userId: text("user_id").notNull(),
+  redirect: text("redirect"),
+  expiresAt: timestamp("expires_at", { withTimezone: true }).notNull()
+});
+
+export {
+  authOAuthState
+};
+//# sourceMappingURL=chunk-NPFPZ2HO.js.map

package/dist/chunk-NPFPZ2HO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/auth-oauth-state.schema.ts"],"sourcesContent":["/**\n * Drizzle schema for the `auth_oauth_state` table — backs the\n * `DrizzleOAuthStateStore` (`state-store.drizzle-backend.ts`).\n *\n * One row per outstanding /connect → /callback dance. Single-use; rows are\n * deleted on consume. A periodic sweep (or a `WHERE expires_at < now()`\n * filter on read) clears abandoned rows.\n *\n * Columns:\n *   - `state`       — opaque random token, primary key.\n *   - `user_id`     — text (matches the consumer-defined user-id shape;\n *                     the auth subsystem doesn't constrain this to UUID\n *                     because some apps key users by external id).\n *   - `redirect`    — optional post-callback redirect path.\n *   - `expires_at`  — TTL boundary; entries past this are treated as absent.\n *\n * Convention: schema files live at the root of the subsystem dir\n * (mirrors `cache.schema.ts`, `integration-audit.schema.ts`, `domain-events.schema.ts`).\n */\nimport { pgTable, text, timestamp } from 'drizzle-orm/pg-core';\nimport type { InferSelectModel } from 'drizzle-orm';\n\nexport const authOAuthState = pgTable('auth_oauth_state', {\n  state: text('state').primaryKey(),\n  userId: text('user_id').notNull(),\n  redirect: text('redirect'),\n  expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),\n});\n\nexport type AuthOAuthState = InferSelectModel<typeof authOAuthState>;\n"],"mappings":";AAmBA,SAAS,SAAS,MAAM,iBAAiB;AAGlC,IAAM,iBAAiB,QAAQ,oBAAoB;AAAA,EACxD,OAAO,KAAK,OAAO,EAAE,WAAW;AAAA,EAChC,QAAQ,KAAK,SAAS,EAAE,QAAQ;AAAA,EAChC,UAAU,KAAK,UAAU;AAAA,EACzB,WAAW,UAAU,cAAc,EAAE,cAAc,KAAK,CAAC,EAAE,QAAQ;AACrE,CAAC;","names":[]}

package/dist/chunk-NXXDZ6ZF.js

@@ -0,0 +1,42 @@
+// runtime/subsystems/bridge/bridge-errors.ts
+var MissingTenantIdError = class extends Error {
+  constructor(callSite) {
+    super(
+      `MissingTenantIdError: BridgeModule was configured with multiTenant=true but ${callSite} was called without tenantId (undefined). Pass an explicit tenantId, or pass null for cross-tenant work.`
+    );
+    this.callSite = callSite;
+  }
+  callSite;
+  name = "MissingTenantIdError";
+};
+var BridgeReservedPoolsNotPolledError = class extends Error {
+  constructor(missingPools) {
+    super(
+      `BridgeModule loaded but JobWorkerModule is not polling reserved pool '${missingPools[0]}'. Add ...BRIDGE_RESERVED_POOLS to your JobWorkerModule.forRoot({ pools }) configuration. Missing pools: ${missingPools.join(", ")}. (Bridge-fanout wrappers will sit pending forever without these pollers.)`
+    );
+    this.missingPools = missingPools;
+  }
+  missingPools;
+  name = "BridgeReservedPoolsNotPolledError";
+};
+var UniqueConstraintError = class extends Error {
+  constructor(constraint, eventId, triggerId) {
+    super(
+      `UniqueConstraintError: duplicate insert into bridge_delivery for (event_id='${eventId}', trigger_id='${triggerId}') \u2014 violates constraint '${constraint}'.`
+    );
+    this.constraint = constraint;
+    this.eventId = eventId;
+    this.triggerId = triggerId;
+  }
+  constraint;
+  eventId;
+  triggerId;
+  name = "UniqueConstraintError";
+};
+
+export {
+  MissingTenantIdError,
+  BridgeReservedPoolsNotPolledError,
+  UniqueConstraintError
+};
+//# sourceMappingURL=chunk-NXXDZ6ZF.js.map