npm - @siglume/api-sdk - Versions diffs - 0.10.8 → 1.0.0 - Mend

@siglume/api-sdk 0.10.8 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/bin/siglume.js CHANGED Viewed

@@ -1438,18 +1438,6 @@ function parseBundleMember(data) {
     link_id: stringOrNull(data.link_id)
   };
 }
-function parseConnectedAccountLifecycle(data) {
-  return {
-    connected_account_id: String(data.connected_account_id ?? ""),
-    provider_key: String(data.provider_key ?? ""),
-    expires_at: stringOrNull(data.expires_at),
-    scopes: Array.isArray(data.scopes) ? data.scopes.filter((s) => typeof s === "string") : [],
-    refreshed_at: stringOrNull(data.refreshed_at),
-    connection_status: stringOrNull(data.connection_status),
-    provider_revoked: typeof data.provider_revoked === "boolean" ? data.provider_revoked : null,
-    revoked_at: stringOrNull(data.revoked_at)
-  };
-}
 function parseBundle(data) {
   const membersRaw = Array.isArray(data.members) ? data.members : [];
   return {
@@ -1528,21 +1516,6 @@ function parseBinding(data) {
     raw: { ...data }
   };
 }
-function parseConnectedAccount(data) {
-  return {
-    connected_account_id: String(data.connected_account_id ?? data.id ?? ""),
-    provider_key: String(data.provider_key ?? ""),
-    account_role: String(data.account_role ?? ""),
-    display_name: stringOrNull(data.display_name),
-    environment: stringOrNull(data.environment),
-    connection_status: stringOrNull(data.connection_status),
-    scopes: Array.isArray(data.scopes) ? data.scopes.filter((item) => typeof item === "string") : [],
-    metadata: toRecord(data.metadata),
-    created_at: stringOrNull(data.created_at),
-    updated_at: stringOrNull(data.updated_at),
-    raw: { ...data }
-  };
-}
 function parseSupportCase(data) {
   return {
     support_case_id: String(data.support_case_id ?? data.id ?? ""),
@@ -2581,13 +2554,6 @@ var init_client = __esm({
         if (options.runtime_validation) {
           payload.runtime_validation = coerceMapping(options.runtime_validation, "runtime_validation");
         }
-        if (options.oauth_credentials) {
-          payload.oauth_credentials = Array.isArray(options.oauth_credentials) ? {
-            items: options.oauth_credentials.map(
-              (item, index) => coerceMapping(item, `oauth_credentials[${index}]`)
-            )
-          } : coerceMapping(options.oauth_credentials, "oauth_credentials");
-        }
         if (options.source_context) {
           payload.source_context = coerceMapping(options.source_context, "source_context");
         }
@@ -2717,7 +2683,6 @@ var init_client = __esm({
           auto_manifest: toRecord(data.auto_manifest),
           confidence: toRecord(data.confidence),
           validation_report: toRecord(data.validation_report),
-          oauth_status: toRecord(data.oauth_status),
           review_url: stringOrNull(data.review_url),
           trace_id: meta.trace_id,
           request_id: meta.request_id
@@ -2893,66 +2858,9 @@ var init_client = __esm({
         return parseBundle(data);
       }
       // ----- end bundles -------------------------------------------------------
-      // ----- Connected accounts (v0.7 track 3) ---------------------------------
-      // `resolve()` is intentionally NOT wrapped: runtime-only, never over the wire.
-      async start_connected_account_oauth(input) {
-        const body = {
-          listing_id: input.listing_id,
-          redirect_uri: input.redirect_uri
-        };
-        if (input.scopes !== void 0) body.scopes = input.scopes;
-        if (input.account_role !== void 0) body.account_role = input.account_role;
-        const [data] = await this.request("POST", "/me/connected-accounts/oauth/authorize", {
-          json_body: body
-        });
-        return {
-          authorize_url: String(data.authorize_url ?? ""),
-          state: String(data.state ?? ""),
-          provider_key: String(data.provider_key ?? ""),
-          scopes: Array.isArray(data.scopes) ? data.scopes.filter((s) => typeof s === "string") : [],
-          pkce_method: stringOrNull(data.pkce_method)
-        };
-      }
-      async complete_connected_account_oauth(input) {
-        const [data] = await this.request("POST", "/me/connected-accounts/oauth/callback", {
-          json_body: { state: input.state, code: input.code }
-        });
-        return { ...data };
-      }
-      async refresh_connected_account(account_id) {
-        const [data] = await this.request("POST", `/me/connected-accounts/${account_id}/refresh`);
-        return parseConnectedAccountLifecycle(data);
-      }
-      async revoke_connected_account(account_id) {
-        const [data] = await this.request("POST", `/me/connected-accounts/${account_id}/revoke`);
-        return parseConnectedAccountLifecycle(data);
-      }
-      async set_listing_oauth_credentials(listing_id, input) {
-        const body = {
-          provider_key: input.provider_key,
-          client_id: input.client_id,
-          client_secret: input.client_secret,
-          authorize_url: input.authorize_url,
-          token_url: input.token_url
-        };
-        if (input.revoke_url !== void 0) body.revoke_url = input.revoke_url;
-        if (input.display_name !== void 0) body.display_name = input.display_name;
-        if (input.scope_separator !== void 0) body.scope_separator = input.scope_separator;
-        if (input.token_endpoint_auth !== void 0) body.token_endpoint_auth = input.token_endpoint_auth;
-        if (input.pkce_required !== void 0) body.pkce_required = input.pkce_required;
-        if (input.refresh_supported !== void 0) body.refresh_supported = input.refresh_supported;
-        if (input.available_scopes !== void 0) body.available_scopes = input.available_scopes;
-        if (input.required_scopes !== void 0) body.required_scopes = input.required_scopes;
-        const [data] = await this.request("PUT", `/market/capabilities/${listing_id}/oauth-credentials`, {
-          json_body: body
-        });
-        return { ...data };
-      }
-      async get_listing_oauth_credentials_status(listing_id) {
-        const [data] = await this.request("GET", `/market/capabilities/${listing_id}/oauth-credentials`);
-        return { ...data };
-      }
-      // ----- end connected accounts --------------------------------------------
+      // ----- Connected accounts ------------------------------------------------
+      // Architecture B: publisher APIs own external OAuth and token storage.
+      // The SDK no longer exposes platform OAuth or listing credential APIs.
       async get_developer_portal() {
         const [data, meta] = await this.request("GET", "/market/developer/portal");
         return {
@@ -2985,7 +2893,6 @@ var init_client = __esm({
           dry_run_supported: Boolean(data.dry_run_supported ?? false),
           approval_mode: stringOrNull(data.approval_mode),
           required_connected_accounts: Array.isArray(data.required_connected_accounts) ? data.required_connected_accounts : [],
-          connected_accounts: Array.isArray(data.connected_accounts) ? data.connected_accounts.filter((item) => isRecord(item)).map((item) => ({ ...item })) : [],
           stub_providers_enabled: Boolean(data.stub_providers_enabled ?? false),
           simulated_receipts: Boolean(data.simulated_receipts ?? false),
           approval_simulator: Boolean(data.approval_simulator ?? false),
@@ -4283,25 +4190,6 @@ var init_client = __esm({
           raw: { ...data }
         };
       }
-      async list_connected_accounts(options = {}) {
-        const params = {
-          provider_key: options.provider_key,
-          environment: options.environment,
-          limit: Math.max(1, Math.min(Math.trunc(options.limit ?? 50), 100)),
-          cursor: options.cursor
-        };
-        const [data, meta] = await this.request("GET", "/market/connected-accounts", { params });
-        const items = Array.isArray(data.items) ? data.items.filter((item) => isRecord(item)).map(parseConnectedAccount) : [];
-        const next_cursor = stringOrNull(data.next_cursor);
-        return new CursorPageResult({
-          items,
-          next_cursor,
-          limit: typeof data.limit === "number" ? data.limit : params.limit,
-          offset: typeof data.offset === "number" ? data.offset : null,
-          meta,
-          fetchNext: next_cursor ? (cursor) => this.list_connected_accounts({ ...options, cursor }) : void 0
-        });
-      }
       async create_support_case(subject, body, options = {}) {
         const summary = subject.trim();
         const details = body.trim();
@@ -6145,24 +6033,12 @@ var AppTestHarness = class {
     this.stubs = stubs;
   }
   async executeWithKind(execution_kind, task_type = "default", options = {}) {
-    const connected_accounts = options.connected_accounts ?? Object.fromEntries(
-      Object.keys(this.stubs).map((key) => [
-        key,
-        {
-          provider_key: key,
-          session_token: `stub-token-${key}`,
-          environment: Environment.SANDBOX,
-          scopes: []
-        }
-      ])
-    );
     const ctx = {
       agent_id: "test-agent-001",
       owner_user_id: "test-owner-001",
       task_type,
       environment: Environment.SANDBOX,
       execution_kind,
-      connected_accounts,
       input_params: options.input_params ?? {},
       trace_id: options.trace_id,
       idempotency_key: options.idempotency_key,
@@ -6252,12 +6128,6 @@ var AppTestHarness = class {
     }
     return issues;
   }
-  async simulate_connected_account_missing(task_type = "default", options = {}) {
-    return this.executeWithKind("dry_run", task_type, {
-      ...options,
-      connected_accounts: {}
-    });
-  }
   async simulate_metering(record, options = {}) {
     const { normalizeUsageRecord: normalizeUsageRecord2 } = await Promise.resolve().then(() => (init_metering(), metering_exports));
     const manifest = await this.app.manifest();
@@ -7220,15 +7090,6 @@ async function loadProject(path = ".") {
   const tool_manual = tool_manual_path ? JSON.parse(await readFile(tool_manual_path, "utf8")) : buildToolManualTemplate(manifest);
   const runtime_validation_path = await findRuntimeValidationPath(root_dir);
   const runtime_validation = runtime_validation_path ? await loadJsonObject(runtime_validation_path, "runtime_validation") : void 0;
-  const oauth_credentials_path = await findOauthCredentialsPath(root_dir);
-  let oauth_credentials;
-  if (oauth_credentials_path) {
-    const parsed = JSON.parse(await readFile(oauth_credentials_path, "utf8"));
-    if (!isRecord(parsed) && !Array.isArray(parsed)) {
-      throw new SiglumeProjectError("oauth_credentials must be a JSON object or array");
-    }
-    oauth_credentials = parsed;
-  }
   return {
     root_dir,
     adapter_path,
@@ -7237,9 +7098,7 @@ async function loadProject(path = ".") {
     tool_manual_path: tool_manual_path ?? void 0,
     tool_manual,
     runtime_validation_path: runtime_validation_path ?? void 0,
-    runtime_validation,
-    oauth_credentials_path: oauth_credentials_path ?? void 0,
-    oauth_credentials
+    runtime_validation
   };
 }
 function isPlatformManagedRequirement(value) {
@@ -7277,6 +7136,21 @@ function requiredOauthProviders(requirements) {
   }
   return providers;
 }
+function apiManagedRequirementsMissingConnectUrl(requirements) {
+  const missing = [];
+  for (const item of requirements ?? []) {
+    if (!isRecord(item)) continue;
+    const managedBy = String(item.managed_by ?? "").trim().toLowerCase().replaceAll("_", "-");
+    if (managedBy !== "api") continue;
+    const connectUrl = String(item.connect_url ?? "").trim();
+    if (connectUrl) continue;
+    const label = oauthProviderKeyFromRequirement(item) ?? "(missing provider_key)";
+    if (!missing.includes(label)) {
+      missing.push(label);
+    }
+  }
+  return missing;
+}
 function connectedAccountRequirementLabel(value) {
   if (isRecord(value)) {
     for (const key of ["provider_key", "provider", "account_type", "name"]) {
@@ -7287,102 +7161,6 @@ function connectedAccountRequirementLabel(value) {
   }
   return String(value ?? "").trim();
 }
-function oauthProviderRecordsMap(payload) {
-  if (!payload) {
-    return {};
-  }
-  const items = Array.isArray(payload) ? payload : Array.isArray(payload.items) ? payload.items : [payload];
-  const resolved = {};
-  for (const [index, item] of items.entries()) {
-    if (!isRecord(item)) {
-      throw new SiglumeProjectError(`oauth_credentials[${index}] must be a JSON object.`);
-    }
-    const providerKey = oauthProviderKeyFromRequirement(item.provider_key ?? item.provider);
-    if (!providerKey) {
-      throw new SiglumeProjectError(`oauth_credentials[${index}].provider_key is required.`);
-    }
-    const authorizeUrl = String(item.authorize_url ?? item.authorization_url ?? item.auth_url ?? "").trim();
-    const tokenUrl = String(item.token_url ?? "").trim();
-    if (!authorizeUrl || !tokenUrl) {
-      throw new SiglumeProjectError(
-        `oauth_credentials[${index}] must include authorize_url and token_url.`
-      );
-    }
-    for (const [urlKey, urlValue] of Object.entries({
-      authorize_url: authorizeUrl,
-      token_url: tokenUrl,
-      revoke_url: String(item.revoke_url ?? "").trim()
-    })) {
-      if (urlValue && !urlValue.startsWith("https://")) {
-        throw new SiglumeProjectError(`oauth_credentials[${index}].${urlKey} must be an https URL.`);
-      }
-    }
-    const clientId = String(item.client_id ?? "").trim();
-    const clientSecret = String(item.client_secret ?? "").trim();
-    if (!clientId || !clientSecret) {
-      throw new SiglumeProjectError(`oauth_credentials[${index}] must include client_id and client_secret.`);
-    }
-    const rawScopes = item.required_scopes ?? item.scopes;
-    let scopes = [];
-    if (rawScopes == null) {
-      scopes = [];
-    } else if (!Array.isArray(rawScopes)) {
-      throw new SiglumeProjectError(`oauth_credentials[${index}].required_scopes must be a JSON array.`);
-    } else {
-      scopes = rawScopes.map((scope) => String(scope ?? "").trim()).filter(Boolean);
-    }
-    const record = {
-      provider_key: providerKey,
-      client_id: clientId,
-      client_secret: clientSecret,
-      required_scopes: scopes
-    };
-    for (const [key, value] of Object.entries({
-      authorize_url: authorizeUrl,
-      token_url: tokenUrl,
-      revoke_url: String(item.revoke_url ?? "").trim(),
-      display_name: String(item.display_name ?? "").trim(),
-      scope_separator: String(item.scope_separator ?? "").trim(),
-      token_endpoint_auth: String(item.token_endpoint_auth ?? "").trim()
-    })) {
-      if (value) record[key] = value;
-    }
-    for (const key of ["pkce_required", "refresh_supported"]) {
-      if (typeof item[key] === "boolean") record[key] = item[key];
-    }
-    if (Array.isArray(item.available_scopes)) {
-      const availableScopes = item.available_scopes.map((scope) => String(scope ?? "").trim()).filter(Boolean);
-      if (availableScopes.length > 0) record.available_scopes = availableScopes;
-    }
-    resolved[providerKey] = record;
-  }
-  return resolved;
-}
-function canonicalOauthCredentialsPayload(payload) {
-  const records = oauthProviderRecordsMap(payload);
-  const providerKeys = Object.keys(records).sort();
-  if (providerKeys.length === 0) {
-    return void 0;
-  }
-  return {
-    items: providerKeys.map((providerKey) => records[providerKey])
-  };
-}
-function ensureRequiredOauthCredentials(project) {
-  const requiredProviders = requiredOauthProviders(project.manifest.required_connected_accounts ?? []);
-  if (requiredProviders.length === 0) {
-    return;
-  }
-  const provided = new Set(Object.keys(oauthProviderRecordsMap(project.oauth_credentials)));
-  const missing = requiredProviders.filter((provider) => !provided.has(provider));
-  if (missing.length === 0) {
-    return;
-  }
-  const path = project.oauth_credentials_path ?? join(project.root_dir, "oauth_credentials.json");
-  throw new SiglumeProjectError(
-    `${path} is required for platform-managed OAuth APIs. Missing provider seeds: ${missing.join(", ")}`
-  );
-}
 async function validateProject(path = ".", deps = {}) {
   const project = await loadProject(path);
   const manifest_issues = await projectValidationIssues(project);
@@ -7537,10 +7315,21 @@ function ensureExplicitToolManual(project) {
 async function registrationPreflight(project, client) {
   const manifestIssues = await projectValidationIssues(project);
   const [toolManualValid, toolManualIssues] = validate_tool_manual(project.tool_manual);
+  const retiredPlatformOauthProviders = requiredOauthProviders(project.manifest.required_connected_accounts ?? []);
+  if (retiredPlatformOauthProviders.length > 0) {
+    throw new SiglumeProjectError(
+      `Registration preflight failed. Fix these before calling auto-register:
+- platform-managed OAuth is retired. Use managed_by="api" with connect_url: ${retiredPlatformOauthProviders.join(", ")}`
+    );
+  }
+  const apiManagedMissingConnectUrl = apiManagedRequirementsMissingConnectUrl(project.manifest.required_connected_accounts ?? []);
+  if (apiManagedMissingConnectUrl.length > 0) {
+    throw new SiglumeProjectError(
+      `Registration preflight failed. Fix these before calling auto-register:
+- API-managed OAuth requirements must include connect_url: ${apiManagedMissingConnectUrl.join(", ")}`
+    );
+  }
   const remoteQuality = await client.preview_quality_score(project.tool_manual);
-  const requiredOauthProvidersList = requiredOauthProviders(project.manifest.required_connected_accounts ?? []);
-  const oauthProviderRecords = oauthProviderRecordsMap(project.oauth_credentials);
-  const missingOauthProviders = requiredOauthProvidersList.filter((provider) => !oauthProviderRecords[provider]);
   const blockingToolManualIssues = toolManualIssues.filter((issue2) => issue2.severity === "error");
   const errors = [
     ...manifestIssues.map((issue2) => String(issue2)),
@@ -7552,17 +7341,12 @@ async function registrationPreflight(project, client) {
   if (!remoteQualityOk(remoteQuality)) {
     errors.push(`remote Tool Manual quality is not publishable: ${remoteQuality.grade} (${remoteQuality.overall_score}/100)`);
   }
-  if (missingOauthProviders.length > 0) {
-    errors.push(`oauth_credentials.json is required for platform-managed OAuth APIs: ${missingOauthProviders.join(", ")}`);
-  }
   const preflight = {
     manifest_issues: manifestIssues,
     tool_manual_valid: toolManualValid,
     tool_manual_issues: toolManualIssues.map((issue2) => toJsonable(issue2)),
     remote_quality: toJsonable(remoteQuality),
-    required_oauth_providers: requiredOauthProvidersList,
-    oauth_credentials_path: project.oauth_credentials_path ?? null,
-    oauth_missing_providers: missingOauthProviders,
+    retired_platform_oauth_providers: retiredPlatformOauthProviders,
     ok: errors.length === 0
   };
   if (errors.length > 0) {
@@ -7601,8 +7385,6 @@ async function runRegistration(path = ".", options = {}, deps = {}) {
   ensureExplicitToolManual(project);
   ensureManifestPublisherIdentity(project);
   ensureRuntimeValidationReady(project);
-  ensureRequiredOauthCredentials(project);
-  const canonicalOauthCredentials = canonicalOauthCredentialsPayload(project.oauth_credentials);
   const client = await createClient(deps);
   if (requestedCompanySlug) {
     const slug = companyNameSlug(requestedCompanySlug);
@@ -7679,14 +7461,12 @@ async function runRegistration(path = ".", options = {}, deps = {}) {
     }
   }
   const receipt = await client.auto_register(project.manifest, project.tool_manual, {
-    runtime_validation: project.runtime_validation,
-    oauth_credentials: canonicalOauthCredentials
+    runtime_validation: project.runtime_validation
   });
   const result = {
     receipt: toJsonable(receipt),
     registration_preflight: preflight,
-    runtime_validation_path: project.runtime_validation_path ?? null,
-    oauth_credentials_path: project.oauth_credentials_path ?? null
+    runtime_validation_path: project.runtime_validation_path ?? null
   };
   if (developerPortalPreflight) {
     result.developer_portal_preflight = developerPortalPreflight;
@@ -7707,7 +7487,6 @@ async function runPreflight(path = ".", deps = {}) {
   ensureExplicitToolManual(project);
   ensureManifestPublisherIdentity(project);
   ensureRuntimeValidationReady(project);
-  ensureRequiredOauthCredentials(project);
   const client = await createClient(deps);
   const preflight = await registrationPreflight(project, client);
   let developerPortalPreflight = null;
@@ -7725,8 +7504,7 @@ async function runPreflight(path = ".", deps = {}) {
     ok: true,
     adapter_path: project.adapter_path,
     registration_preflight: preflight,
-    runtime_validation_path: project.runtime_validation_path ?? null,
-    oauth_credentials_path: project.oauth_credentials_path ?? null
+    runtime_validation_path: project.runtime_validation_path ?? null
   };
   if (developerPortalPreflight) {
     result.developer_portal_preflight = developerPortalPreflight;
@@ -8208,7 +7986,7 @@ function operationReadmeTemplate(operation, manifest, warning) {
     "- `tool_manual.json`: machine-generated ToolManual scaffold",
     "- `runtime_validation.json`: local public endpoint and review-key checks used by auto-register",
     "- `docs/api-usage.md`: publishable API usage guide template for `docs_url`",
-    "- `.gitignore`: keeps runtime review keys and OAuth client secrets out of Git",
+    "- `.gitignore`: keeps runtime review keys out of Git",
     "- `tests/test_adapter.ts`: smoke test for `AppTestHarness`",
     "",
     "Before registering, replace all generated placeholders:",
@@ -8216,8 +7994,8 @@ function operationReadmeTemplate(operation, manifest, warning) {
     "- Replace `support_contact` with a real support email address or public support URL.",
     "- Optional `seller_homepage_url` is the seller's official site and can stay blank.",
     "- In the local `runtime_validation.json`, replace the public URL and review-key placeholders.",
-    "- If the API uses seller-side OAuth, create a local `oauth_credentials.json` next to the adapter.",
-    "- Do not commit real review keys or OAuth client secrets; the generated `.gitignore` excludes those files.",
+    "- If the API uses external OAuth, implement that flow in your API runtime and keep user tokens outside Siglume.",
+    "- Do not commit real review keys or external-provider secrets; the generated `.gitignore` excludes local secret files.",
     "- Because `runtime_validation.json` is ignored, GitHub samples do not commit review-key values.",
     "",
     "## Commands",
@@ -8293,8 +8071,6 @@ function generatedGitignore() {
     "!.env.example",
     "runtime_validation.json",
     "runtime-validation.json",
-    "oauth_credentials.json",
-    "oauth-credentials.json",
     "",
     "# Python / test artifacts.",
     "__pycache__/",
@@ -8440,13 +8216,6 @@ async function runHarnessForProject(project) {
     checks.push(executionCheck("quote", await harness.execute_quote(task_type, { input_params: sample_input }), harness));
     checks.push(executionCheck("payment", await harness.execute_payment(task_type, { input_params: sample_input }), harness));
   }
-  checks.push(
-    executionCheck(
-      "missing_account_simulation",
-      await harness.simulate_connected_account_missing(task_type, { input_params: sample_input }),
-      harness
-    )
-  );
   return {
     adapter_path: project.adapter_path,
     task_type,
@@ -8549,15 +8318,6 @@ async function findRuntimeValidationPath(root_dir) {
   }
   return null;
 }
-async function findOauthCredentialsPath(root_dir) {
-  for (const name of ["oauth_credentials.json", "oauth-credentials.json"]) {
-    const candidate = join(root_dir, name);
-    if (existsSync(candidate)) {
-      return candidate;
-    }
-  }
-  return null;
-}
 async function loadJsonObject(path, label) {
   let payload;
   try {
@@ -8789,15 +8549,15 @@ function readmeTemplate(template) {
     "- `tool_manual.json`: editable ToolManual draft for validation and registration",
     "- `runtime_validation.json`: local live API smoke-test contract used during registration",
     "- `docs/api-usage.md`: publish this page and use its public URL as `docs_url`",
-    "- `.gitignore`: keeps runtime review keys and OAuth client secrets out of Git",
+    "- `.gitignore`: keeps runtime review keys out of Git",
     "",
     "Before registering, replace all generated placeholders:",
     "- In `adapter.ts` and `manifest.json`, replace `docs_url` with a dedicated public API usage guide, not a homepage.",
     "- Replace `support_contact` with a real support email address or public support URL.",
     "- Optional `seller_homepage_url` is the seller's official site and can stay blank.",
     "- In the local `runtime_validation.json`, replace the public URL and review-key placeholders.",
-    "- If the API uses seller-side OAuth, create a local `oauth_credentials.json` next to the adapter.",
-    "- Do not commit real review keys or OAuth client secrets; the generated `.gitignore` excludes those files.",
+    "- If the API uses external OAuth, implement that flow in your API runtime and keep user tokens outside Siglume.",
+    "- Do not commit real review keys or external-provider secrets; the generated `.gitignore` excludes local secret files.",
     "- Because `runtime_validation.json` is ignored, GitHub samples do not commit review-key values.",
     "",
     "Suggested workflow:",
@@ -9015,7 +8775,6 @@ async function runCli(argv, deps = {}) {
       emit(stdout, `preflight_quality: ${preflight.remote_quality.grade} (${preflight.remote_quality.overall_score}/100)`);
     }
     if (report.runtime_validation_path) emit(stdout, `runtime_validation_path: ${String(report.runtime_validation_path)}`);
-    if (report.oauth_credentials_path) emit(stdout, `oauth_credentials_path: ${String(report.oauth_credentials_path)}`);
   });
   program.command("companies").description("List Siglume companies available for company-name publishing.").option("--json", "emit machine-readable JSON", false).action(async (options) => {
     const report = await listCompanyPublishersReport(deps);
@@ -9066,7 +8825,6 @@ async function runCli(argv, deps = {}) {
       emit(stdout, `listing_id: ${receipt.listing_id}`);
       emit(stdout, `receipt_status: ${receipt.status}`);
       if (receipt.listing_status) emit(stdout, `listing_status: ${receipt.listing_status}`);
-      if (receipt.oauth_status) emit(stdout, `oauth_configured: ${Boolean(receipt.oauth_status.configured)}`);
       if (receipt.review_url) emit(stdout, `review_url: ${receipt.review_url}`);
       if (receipt.trace_id) emit(stdout, `trace_id: ${receipt.trace_id}`);
       if (receipt.request_id) emit(stdout, `request_id: ${receipt.request_id}`);