@slashfi/agents-sdk 0.34.0 → 0.35.0

package/src/agent-definitions/integrations.ts

@@ -28,7 +28,23 @@ import {
   generateCollectionToken,
   pendingCollections,
 } from "../secret-collection.js";
-import type { AgentDefinition, ToolContext, ToolDefinition } from "../types.js";
+import type {
+  AgentDefinition,
+  CallAgentRequest,
+  CallAgentResponse,
+  JsonSchema,
+  ToolContext,
+  ToolDefinition,
+} from "../types.js";
+
+/** Unwrap `execute_tool` payload from a registry response. */
+function executeToolResult(
+  r: CallAgentResponse | undefined,
+): unknown | undefined {
+  if (!r || r.success === false) return undefined;
+  if ("result" in r) return r.result;
+  return undefined;
+}
 
 // ============================================
 // OAuth Config Types
@@ -73,6 +89,9 @@ export interface IntegrationOAuthConfig {
   refreshGrantType?: string;
   refreshBodyParams?: string[];
   refreshHeaders?: Record<string, string>;
+
+  /** OAuth client id (plain string or secret: ref) */
+  clientId?: string;
 }
 
 // ============================================
@@ -106,7 +125,14 @@ export interface ProviderConfig {
    * Agent path that handles this integration type.
    * @integrations dispatches setup/connect/call to that agent's integrationMethods.
    */
-  agentPath: string;
+  agentPath?: string;
+  /**
+   * @internal Secret store ids for credentials encrypted by @integrations.
+   */
+  _clientIdSecretId?: string;
+  _clientSecretSecretId?: string;
+  /** Client id as plain string or secret: ref (when not using _clientIdSecretId) */
+  clientId?: string;
   /**
    * Scope of the integration:
    * - 'user': per-user tokens (Slack, Notion, Linear)
@@ -515,7 +541,7 @@ export interface IntegrationsAgentOptions {
   /** Registry instance for calling other agents' internal tools */
   registry?: {
     list?(): AgentDefinition[];
-    call(request: any): Promise<any>;
+    call(request: CallAgentRequest): Promise<CallAgentResponse>;
   };
 
   /** Secret store for storing/resolving client credentials and tokens */
@@ -668,29 +694,32 @@ export function createIntegrationsAgent(
       },
       required: ["id", "name", "type", "api"],
     },
-    execute: async (input: any, _ctx: ToolContext) => {
+    execute: async (input: Record<string, unknown>, _ctx: ToolContext) => {
       const config: ProviderConfig = {
-        id: input.id,
-        name: input.name,
-        agentPath: input.agentPath,
-        scope: input.scope,
-        docs: input.docs,
-        auth: input.auth,
-        api: input.api,
+        id: input.id as string,
+        name: input.name as string,
+        agentPath: input.agentPath as string | undefined,
+        scope: input.scope as "user" | "tenant" | undefined,
+        docs: input.docs as ProviderConfig["docs"],
+        auth: input.auth as ProviderConfig["auth"],
+        api: input.api as ProviderConfig["api"],
       };
       // Store client credentials encrypted and save secret IDs
       const result: Record<string, unknown> = { success: true };
       if (input.clientId) {
-        const secretId = await secretStore.store(input.clientId, SYSTEM_OWNER);
-        (config as any)._clientIdSecretId = secretId;
+        const secretId = await secretStore.store(
+          input.clientId as string,
+          SYSTEM_OWNER,
+        );
+        config._clientIdSecretId = secretId;
         result.clientIdStored = true;
       }
       if (input.clientSecret) {
         const secretId = await secretStore.store(
-          input.clientSecret,
+          input.clientSecret as string,
           SYSTEM_OWNER,
         );
-        (config as any)._clientSecretSecretId = secretId;
+        config._clientSecretSecretId = secretId;
         result.clientSecretStored = true;
       }
 
@@ -703,10 +732,11 @@ export function createIntegrationsAgent(
             action: "execute_tool",
             path: config.agentPath,
             tool: "setup_integration",
-            params: input.config ?? input,
+            params: (input.config ?? input) as Record<string, unknown>,
             callerType: "system",
           });
-          result.setupResult = (setupResult as any)?.result ?? setupResult;
+          result.setupResult =
+            executeToolResult(setupResult) ?? setupResult;
         } catch (err) {
           result.setupError = err instanceof Error ? err.message : String(err);
         }
@@ -857,7 +887,7 @@ export function createIntegrationsAgent(
         const agents = options.registry.list?.() ?? [];
         for (const agent of agents) {
           const hasListTool = agent.tools?.some(
-            (t: any) => t.name === "list_integrations",
+            (t: ToolDefinition) => t.name === "list_integrations",
           );
           if (hasListTool && agent.config?.integration) {
             const meta = {
@@ -878,9 +908,15 @@ export function createIntegrationsAgent(
                     callerType: "system",
                   })
                 : null;
-              const result = (callResult as any)?.result ??
-                callResult ?? { success: false };
-              if (result.success && result.data) {
+              const raw =
+                executeToolResult(callResult ?? undefined) ??
+                callResult ??
+                { success: false };
+              const result = raw as {
+                success?: boolean;
+                data?: unknown;
+              };
+              if (result.success && result.data != null) {
                 // Flatten: if data has an array field, each item becomes an integration
                 const items = Array.isArray(result.data)
                   ? result.data
@@ -982,7 +1018,7 @@ export function createIntegrationsAgent(
           params: { ...input, registryId: config.id },
           callerType: "system",
         });
-        return (connectResult as any)?.result ?? connectResult;
+        return executeToolResult(connectResult) ?? connectResult;
       }
 
       if (!config.auth)
@@ -998,26 +1034,26 @@ export function createIntegrationsAgent(
       // Check both _clientIdSecretId (from setup_integration direct) and
       // clientId field as secret:ref (from collect_secrets flow)
       let clientId: string | null = null;
-      const cidSecretId = (config as any)._clientIdSecretId;
+      const cidSecretId = config._clientIdSecretId;
       if (cidSecretId && secretStore) {
         clientId = await secretStore.resolve(cidSecretId, SYSTEM_OWNER);
       }
       // Also check if auth config has clientId as a secret:ref
       if (
         !clientId &&
-        (oauth as any).clientId &&
-        typeof (oauth as any).clientId === "string"
+        oauth.clientId &&
+        typeof oauth.clientId === "string"
       ) {
-        if ((oauth as any).clientId.startsWith("secret:") && secretStore) {
-          const refId = (oauth as any).clientId.slice("secret:".length);
+        if (oauth.clientId.startsWith("secret:") && secretStore) {
+          const refId = oauth.clientId.slice("secret:".length);
           clientId = await secretStore.resolve(refId, SYSTEM_OWNER);
-        } else if (!(oauth as any).clientId.startsWith("secret:")) {
-          clientId = (oauth as any).clientId;
+        } else if (!oauth.clientId.startsWith("secret:")) {
+          clientId = oauth.clientId;
         }
       }
       // Check top-level config too
-      if (!clientId && (config as any).clientId) {
-        const cid = (config as any).clientId;
+      if (!clientId && config.clientId) {
+        const cid = config.clientId;
         if (
           typeof cid === "string" &&
           cid.startsWith("secret:") &&
@@ -1112,14 +1148,17 @@ export function createIntegrationsAgent(
       },
       required: ["provider", "type"],
     },
-    execute: async (input: any, ctx: ToolContext) => {
-      const config = await store.getProvider(input.provider);
+    execute: async (input: Record<string, unknown>, ctx: ToolContext) => {
+      const config = await store.getProvider(input.provider as string);
       if (!config) return { error: `Provider '${input.provider}' not found` };
 
       const userId = ctx.callerId;
 
       // Get access token
-      const connection = await store.getConnection(userId, input.provider);
+      const connection = await store.getConnection(
+        userId,
+        input.provider as string,
+      );
       if (!connection) {
         return {
           error: `Not connected to '${input.provider}'. Use connect_integration first.`,
@@ -1135,8 +1174,8 @@ export function createIntegrationsAgent(
         connection.refreshToken
       ) {
         try {
-          const rCidId = (config as any)._clientIdSecretId;
-          const rCsecId = (config as any)._clientSecretSecretId;
+          const rCidId = config._clientIdSecretId;
+          const rCsecId = config._clientSecretSecretId;
           if (!rCidId || !rCsecId) {
             throw new Error(
               "No client credentials stored. Re-run setup_integration with clientId/clientSecret.",
@@ -1181,12 +1220,12 @@ export function createIntegrationsAgent(
           return executeRestCall(
             config,
             {
-              provider: input.provider,
+              provider: input.provider as string,
               type: "rest",
-              method: input.method ?? "GET",
-              path: input.path ?? "/",
-              body: input.body,
-              query: input.query,
+              method: (input.method as RestCallInput["method"]) ?? "GET",
+              path: (input.path as string) ?? "/",
+              body: input.body as Record<string, unknown> | undefined,
+              query: input.query as Record<string, string> | undefined,
             },
             accessToken,
           );
@@ -1195,10 +1234,12 @@ export function createIntegrationsAgent(
           return executeGraphqlCall(
             config,
             {
-              provider: input.provider,
+              provider: input.provider as string,
               type: "graphql",
-              query: input.graphqlQuery ?? input.query ?? "",
-              variables: input.variables,
+              query: String(input.graphqlQuery ?? ""),
+              variables: input.variables as
+                | Record<string, unknown>
+                | undefined,
             },
             accessToken,
           );
@@ -1249,7 +1290,7 @@ export function createIntegrationsAgent(
           params: { ...input, registryId: config.id },
           callerType: "system",
         });
-        return (connectResult as any)?.result ?? connectResult;
+        return executeToolResult(connectResult) ?? connectResult;
       }
 
       if (!config.auth)
@@ -1266,8 +1307,8 @@ export function createIntegrationsAgent(
       }
 
       // Resolve client credentials from secret store via config
-      const cbCidId = (config as any)._clientIdSecretId;
-      const cbCsecId = (config as any)._clientSecretSecretId;
+      const cbCidId = config._clientIdSecretId;
+      const cbCsecId = config._clientSecretSecretId;
       if (!cbCidId || !cbCsecId) {
         return { error: "No client credentials stored for this provider." };
       }
@@ -1390,7 +1431,7 @@ export function createIntegrationsAgent(
       // Fetch tool schema from registry
       let toolSchema: {
         name: string;
-        inputSchema?: any;
+        inputSchema?: JsonSchema;
         description?: string;
       } | null = null;
       const registryUrl = input.registry;
@@ -1414,10 +1455,14 @@ export function createIntegrationsAgent(
           },
         }),
       });
-      const data = (await res.json()) as any;
-      const parsed = JSON.parse(data?.result?.content?.[0]?.text ?? "{}");
+      const data = (await res.json()) as Record<string, unknown>;
+      const resultBlock = data.result as
+        | { content?: Array<{ text?: string }> }
+        | undefined;
+      const parsed = JSON.parse(resultBlock?.content?.[0]?.text ?? "{}");
       const tools = parsed?.tools ?? parsed?.result?.tools ?? [];
-      toolSchema = tools.find((t: any) => t.name === input.tool) ?? null;
+      toolSchema =
+        tools.find((t: { name: string }) => t.name === input.tool) ?? null;
 
       if (!toolSchema?.inputSchema) {
         return { error: `Tool '${input.tool}' not found on '${input.agent}'` };
@@ -1437,15 +1482,24 @@ export function createIntegrationsAgent(
         required: boolean;
       }> = [];
 
-      for (const [name, def] of Object.entries(properties) as [string, any][]) {
+      for (const [name, def] of Object.entries(properties) as [
+        string,
+        Record<string, unknown>,
+      ][]) {
         const isSecret = def.secret === true;
         const isRequired = requiredFields.has(name);
         const isProvided = name in providedParams;
         if (isSecret || (isRequired && !isProvided)) {
           fields.push({
             name,
-            type: def.type ?? "string",
-            description: def.description ?? name,
+            type:
+              typeof def.type === "string"
+                ? def.type
+                : Array.isArray(def.type)
+                  ? def.type.join("|")
+                  : "string",
+            description:
+              typeof def.description === "string" ? def.description : name,
             secret: isSecret,
             required: isRequired,
           });
@@ -1502,11 +1556,11 @@ export function createIntegrationsAgent(
     inputSchema: { type: "object" as const, properties: {} },
     execute: async () => {
       const agents = options.registry?.list?.() ?? [];
-      const results: any[] = [];
+      const results: unknown[] = [];
       if (options.registry) {
         for (const agent of agents) {
           const hasDiscoverTool = agent.tools?.some(
-            (t: any) => t.name === "discover_integrations",
+            (t: ToolDefinition) => t.name === "discover_integrations",
           );
           if (hasDiscoverTool) {
             try {
@@ -1518,8 +1572,9 @@ export function createIntegrationsAgent(
                 callerId: "@integrations",
                 callerType: "system",
               });
-              if (res?.result && Array.isArray(res.result)) {
-                results.push(...res.result);
+              const payload = executeToolResult(res);
+              if (payload && Array.isArray(payload)) {
+                results.push(...payload);
               }
             } catch {}
           }
@@ -1542,14 +1597,14 @@ export function createIntegrationsAgent(
     },
     execute: async (input: { agent_path?: string }) => {
       const agents = options.registry?.list?.() ?? [];
-      const results: any[] = [];
+      const results: unknown[] = [];
       if (options.registry) {
         const targetAgents = input.agent_path
-          ? agents.filter((a: any) => a.path === input.agent_path)
+          ? agents.filter((a: AgentDefinition) => a.path === input.agent_path)
           : agents;
         for (const agent of targetAgents) {
           const hasListTool = agent.tools?.some(
-            (t: any) => t.name === "list_integrations",
+            (t: ToolDefinition) => t.name === "list_integrations",
           );
           if (hasListTool) {
             try {
@@ -1561,8 +1616,9 @@ export function createIntegrationsAgent(
                 callerId: "@integrations",
                 callerType: "system",
               });
-              if (res?.result && Array.isArray(res.result)) {
-                results.push(...res.result);
+              const payload = executeToolResult(res);
+              if (payload && Array.isArray(payload)) {
+                results.push(...payload);
               }
             } catch {}
           }

package/src/agent-definitions/remote-registry.ts

@@ -27,9 +27,9 @@
 import { defineAgent, defineTool } from "../define.js";
 import type {
   AgentDefinition,
-  IntegrationMethodContext,
   IntegrationMethodResult,
   ToolContext,
+  ToolDefinition,
 } from "../types.js";
 import type { SecretStore } from "./secrets.js";
 
@@ -53,6 +53,39 @@ interface RegistryConnection {
 
 const ENTITY_TYPE = "remote-registry-connections";
 
+/** JSON-RPC response for MCP `tools/call` over HTTP. */
+interface McpToolsCallRpcBody {
+  result?: {
+    content?: Array<{ type: string; text?: string }>;
+  };
+  error?: { message: string };
+}
+
+interface ProxyCallToolInput {
+  registryId: string;
+  action: string;
+  path: string;
+  tool: string;
+  params?: Record<string, unknown>;
+}
+
+interface AddConnectionToolInput {
+  id: string;
+  name?: string;
+  url: string;
+  remoteTenantId?: string;
+}
+
+/** Typical fields from POST /oauth/token JSON body. */
+interface OAuthTokenJsonBody {
+  access_token?: string;
+  tenant_id?: string;
+  user_id?: string;
+  error?: string;
+  error_description?: string;
+  authorize_url?: string;
+}
+
 export function createRemoteRegistryAgent(
   options: RemoteRegistryAgentOptions,
 ): AgentDefinition {
@@ -122,7 +155,7 @@ export function createRemoteRegistryAgent(
     url: string,
     jwt: string,
     request: Record<string, unknown>,
-  ): Promise<any> {
+  ): Promise<unknown> {
     const res = await globalThis.fetch(url, {
       method: "POST",
       headers: {
@@ -136,7 +169,7 @@ export function createRemoteRegistryAgent(
         params: { name: "call_agent", arguments: { request } },
       }),
     });
-    const rpc = (await res.json()) as any;
+    const rpc = (await res.json()) as McpToolsCallRpcBody;
     const text = rpc.result?.content?.[0]?.text;
     if (!text) return rpc.result;
     const parsed = JSON.parse(text);
@@ -167,7 +200,7 @@ export function createRemoteRegistryAgent(
       tool: string;
       params?: Record<string, unknown>;
     },
-  ): Promise<any> {
+  ): Promise<unknown> {
     const conn = await loadConnection(ownerId, registryId);
     if (!conn) {
       throw new Error(
@@ -202,7 +235,7 @@ export function createRemoteRegistryAgent(
       },
       required: ["registryId", "action", "path", "tool"],
     },
-    execute: async (input: any, _ctx: ToolContext) => {
+    execute: async (input: ProxyCallToolInput, _ctx: ToolContext) => {
       return proxyCall("system", input.registryId, {
         action: input.action,
         path: input.path,
@@ -230,7 +263,7 @@ export function createRemoteRegistryAgent(
       },
       required: ["id", "url"],
     },
-    execute: async (input: any, _ctx: ToolContext) => {
+    execute: async (input: AddConnectionToolInput, _ctx: ToolContext) => {
       const conn: RegistryConnection = {
         id: input.id,
         name: input.name ?? input.id,
@@ -248,7 +281,7 @@ export function createRemoteRegistryAgent(
     description: "List all connected remote registries.",
     visibility: "public" as const,
     inputSchema: { type: "object" as const, properties: {} },
-    execute: async (_input: any, _ctx: ToolContext) => {
+    execute: async (_input: Record<string, unknown>, _ctx: ToolContext) => {
       const all = await loadAllConnections("system");
       return {
         connections: Object.values(all).map((c) => ({
@@ -264,7 +297,7 @@ export function createRemoteRegistryAgent(
   // Extract setup/connect as standalone functions to avoid circular reference
   const setupFn = async (
     params: Record<string, unknown>,
-    _ctx: IntegrationMethodContext,
+    _ctx: ToolContext,
   ): Promise<IntegrationMethodResult> => {
     console.log(
       "[remote-registry] setupFn called with:",
@@ -294,7 +327,7 @@ export function createRemoteRegistryAgent(
             redirect_uri: params.redirect_uri ?? "",
           }),
         });
-        const tokenData = (await tokenRes.json()) as any;
+        const tokenData = (await tokenRes.json()) as OAuthTokenJsonBody;
         if (!tokenData.access_token && !tokenData.tenant_id) {
           return {
             success: false,
@@ -319,23 +352,16 @@ export function createRemoteRegistryAgent(
         };
       }
 
-      // Phase 1: Discover JWKS, establish trust, then request OIDC
-      const configUrl = `${baseUrl}/.well-known/configuration`;
-      console.log("[setupFn] fetching config:", configUrl);
-      const configRes = await globalThis.fetch(configUrl);
-      console.log("[setupFn] config status:", configRes.status);
-      if (!configRes.ok)
+      // Phase 1: Verify JWKS at origin, establish trust, then request OIDC
+      const jwksUri = `${new URL(baseUrl).origin}/.well-known/jwks.json`;
+      console.log("[setupFn] fetching JWKS:", jwksUri);
+      const jwksRes = await globalThis.fetch(jwksUri);
+      console.log("[setupFn] JWKS status:", jwksRes.status);
+      if (!jwksRes.ok)
         return {
           success: false,
-          error: `Failed to discover registry at ${configUrl}`,
+          error: `JWKS not reachable at ${jwksUri}`,
         };
-      const remoteConfig = (await configRes.json()) as any;
-      if (remoteConfig.jwks_uri) {
-        console.log("[setupFn] fetching JWKS:", remoteConfig.jwks_uri);
-        const jwksRes = await globalThis.fetch(remoteConfig.jwks_uri);
-        console.log("[setupFn] JWKS status:", jwksRes.status);
-        if (!jwksRes.ok) return { success: false, error: "JWKS not reachable" };
-      }
       if (addTrustedIssuer) {
         console.log("[setupFn] adding trusted issuer:", baseUrl);
         await addTrustedIssuer(baseUrl);
@@ -361,7 +387,7 @@ export function createRemoteRegistryAgent(
         }),
       });
       console.log("[setupFn] token status:", tokenRes.status);
-      const tokenData = (await tokenRes.json()) as any;
+      const tokenData = (await tokenRes.json()) as OAuthTokenJsonBody;
       console.log(
         "[setupFn] tokenData:",
         JSON.stringify(tokenData).substring(0, 300),
@@ -414,7 +440,7 @@ export function createRemoteRegistryAgent(
 
   const connectFn = async (
     params: Record<string, unknown>,
-    ctx: IntegrationMethodContext,
+    ctx: ToolContext,
   ): Promise<IntegrationMethodResult> => {
     const registryId = params.registryId as string;
     const redirectUri = (params.redirectUri as string) ?? "";
@@ -443,7 +469,7 @@ export function createRemoteRegistryAgent(
           redirect_uri: redirectUri,
         }),
       });
-      const tokenData = (await tokenRes.json()) as any;
+      const tokenData = (await tokenRes.json()) as OAuthTokenJsonBody;
       if (tokenData.access_token)
         return {
           success: true,
@@ -498,27 +524,28 @@ export function createRemoteRegistryAgent(
       category: "infrastructure",
       description:
         "Connect to a remote agent registry via JWKS trust exchange.",
-      setup: (params, ctx) => setupFn(params, ctx as any),
-      connect: (params, ctx) => connectFn(params, ctx as any),
+      setup: (params, ctx) => setupFn(params, ctx),
+      connect: (params, ctx) => connectFn(params, ctx),
       async discover(params) {
         const url = (params.url as string) ?? "";
         try {
-          const res = await globalThis.fetch(
-            `${url.replace(/\/$/, "")}/.well-known/configuration`,
-          );
-          if (!res.ok)
+          const base = url.replace(/\/$/, "");
+          const origin = new URL(base).origin;
+          const jwksUri = `${origin}/.well-known/jwks.json`;
+          const res = await globalThis.fetch(jwksUri);
+          if (!res.ok) {
             return {
               success: false,
-              error: `No configuration endpoint at ${url}`,
+              error: `JWKS not reachable at ${jwksUri}`,
             };
-          const config = (await res.json()) as any;
+          }
           return {
             success: true,
             data: {
               url,
-              issuer: config.issuer,
-              grantTypes: config.supported_grant_types,
-              jwksUri: config.jwks_uri,
+              issuer: origin,
+              grantTypes: ["client_credentials", "jwt_exchange"],
+              jwksUri,
             },
           };
         } catch (err) {
@@ -558,6 +585,6 @@ export function createRemoteRegistryAgent(
         return { success: true, data: conn };
       },
     },
-    tools: [proxyTool, listTool, addConnectionTool] as any[],
+    tools: [proxyTool, listTool, addConnectionTool] as ToolDefinition<ToolContext>[],
   });
 }

package/src/agent-definitions/users.ts

@@ -230,6 +230,39 @@ export interface UsersAgentOptions {
   store: UserStore;
 }
 
+interface CreateUserToolInput {
+  id?: string;
+  tenantId: string;
+  email?: string;
+  name?: string;
+  avatarUrl?: string;
+  metadata?: Record<string, unknown>;
+  externalRef?: { issuer: string; userId: string };
+}
+
+interface UpdateUserToolInput {
+  userId: string;
+  email?: string;
+  name?: string;
+  avatarUrl?: string;
+  metadata?: Record<string, unknown>;
+}
+
+interface LinkIdentityToolInput {
+  userId: string;
+  provider: string;
+  providerUserId: string;
+  email?: string;
+  name?: string;
+  avatarUrl?: string;
+  accessToken?: string;
+  refreshToken?: string;
+  expiresAt?: number;
+  tokenType?: string;
+  scopes?: string[];
+  metadata?: Record<string, unknown>;
+}
+
 export function createUsersAgent(options: UsersAgentOptions): AgentDefinition {
   const { store } = options;
 
@@ -268,7 +301,7 @@ export function createUsersAgent(options: UsersAgentOptions): AgentDefinition {
       },
       required: ["tenantId"],
     },
-    execute: async (input: any, __ctx: ToolContext) => {
+    execute: async (input: CreateUserToolInput, __ctx: ToolContext) => {
       // If externalRef provided, check if identity already exists
       if (input.externalRef) {
         const existing = await store.findIdentityByProviderUserId(
@@ -365,7 +398,7 @@ export function createUsersAgent(options: UsersAgentOptions): AgentDefinition {
       },
       required: ["userId"],
     },
-    execute: async (input: any, __ctx: ToolContext) => {
+    execute: async (input: UpdateUserToolInput, __ctx: ToolContext) => {
       const { userId, ...updates } = input;
       const user = await store.updateUser(userId, updates);
       if (!user) return { error: `User '${userId}' not found` };
@@ -416,7 +449,7 @@ export function createUsersAgent(options: UsersAgentOptions): AgentDefinition {
       },
       required: ["userId", "provider", "providerUserId"],
     },
-    execute: async (input: any, __ctx: ToolContext) => {
+    execute: async (input: LinkIdentityToolInput, __ctx: ToolContext) => {
       // Check if identity already exists
       const existing = await store.getIdentityByProvider(
         input.userId,