@squadbase/vite-server 0.1.12-dev.a9ac647 → 0.1.17-dev.24af54e

package/dist/connectors/tableau.js

@@ -1,48 +1,60 @@
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+
 // ../connectors/src/parameter-definition.ts
-var ParameterDefinition = class {
-  slug;
-  name;
-  description;
-  envVarBaseKey;
-  type;
-  secret;
-  required;
-  constructor(config) {
-    this.slug = config.slug;
-    this.name = config.name;
-    this.description = config.description;
-    this.envVarBaseKey = config.envVarBaseKey;
-    this.type = config.type;
-    this.secret = config.secret;
-    this.required = config.required;
-  }
-  /**
-   * Get the parameter value from a ConnectorConnectionObject.
-   */
-  getValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) {
-      throw new Error(
-        `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
-      );
-    }
-    return param.value;
-  }
-  /**
-   * Try to get the parameter value. Returns undefined if not found (for optional params).
-   */
-  tryGetValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) return void 0;
-    return param.value;
+var ParameterDefinition;
+var init_parameter_definition = __esm({
+  "../connectors/src/parameter-definition.ts"() {
+    "use strict";
+    ParameterDefinition = class {
+      slug;
+      name;
+      description;
+      envVarBaseKey;
+      type;
+      secret;
+      required;
+      constructor(config) {
+        this.slug = config.slug;
+        this.name = config.name;
+        this.description = config.description;
+        this.envVarBaseKey = config.envVarBaseKey;
+        this.type = config.type;
+        this.secret = config.secret;
+        this.required = config.required;
+      }
+      /**
+       * Get the parameter value from a ConnectorConnectionObject.
+       */
+      getValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) {
+          throw new Error(
+            `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
+          );
+        }
+        return param.value;
+      }
+      /**
+       * Try to get the parameter value. Returns undefined if not found (for optional params).
+       */
+      tryGetValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) return void 0;
+        return param.value;
+      }
+    };
   }
-};
+});
 
 // ../connectors/src/connectors/tableau/parameters.ts
+init_parameter_definition();
 var parameters = {
   serverUrl: new ParameterDefinition({
     slug: "server-url",
@@ -93,64 +105,26 @@ var parameters = {
 
 // ../connectors/src/connectors/tableau/sdk/index.ts
 var DEFAULT_API_VERSION = "3.28";
-function createClient(params) {
+var TABLEAU_SESSION_SENTINEL_URL = "squadbase://tableau-session/";
+function createClient(params, fetchFn = fetch) {
   const serverUrl = params[parameters.serverUrl.slug];
-  const siteContentUrl = params[parameters.siteContentUrl.slug];
-  const patName = params[parameters.patName.slug];
-  const patSecret = params[parameters.patSecret.slug];
   const apiVersion = params[parameters.apiVersion.slug] || DEFAULT_API_VERSION;
-  if (!serverUrl || siteContentUrl == null || !patName || !patSecret) {
-    throw new Error(
-      `tableau: missing required parameters: ${parameters.serverUrl.slug}, ${parameters.siteContentUrl.slug}, ${parameters.patName.slug}, ${parameters.patSecret.slug}`
-    );
+  if (!serverUrl) {
+    throw new Error(`tableau: missing required parameter: ${parameters.serverUrl.slug}`);
   }
   const baseUrl = `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
-  let session = null;
-  async function signIn2() {
-    const res = await fetch(`${baseUrl}/auth/signin`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Accept: "application/json"
-      },
-      body: JSON.stringify({
-        credentials: {
-          personalAccessTokenName: patName,
-          personalAccessTokenSecret: patSecret,
-          site: { contentUrl: siteContentUrl }
-        }
-      })
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`tableau: sign-in failed (${res.status}): ${body}`);
-    }
-    const data = await res.json();
-    return {
-      authToken: data.credentials.token,
-      siteId: data.credentials.site.id,
-      userId: data.credentials.user.id,
-      expiresAt: Date.now() + 30 * 60 * 1e3
-    };
-  }
-  async function ensureSession() {
-    if (session && session.expiresAt > Date.now() + 6e4) {
-      return session;
-    }
-    session = await signIn2();
-    return session;
-  }
-  async function request(path2, init) {
-    const s = await ensureSession();
-    const resolvedPath = path2.replace(/\{siteId\}/g, s.siteId).replace(/^([^/])/, "/$1");
-    const url = `${baseUrl}${resolvedPath}`;
+  function buildRequestInit(init) {
     const headers = new Headers(init?.headers);
-    headers.set("X-Tableau-Auth", s.authToken);
     if (!headers.has("Accept")) headers.set("Accept", "application/json");
     if (!headers.has("Content-Type") && init?.body) {
       headers.set("Content-Type", "application/json");
     }
-    return fetch(url, { ...init, headers });
+    return { ...init, headers };
+  }
+  async function request(path2, init) {
+    const trimmedPath = path2.replace(/^([^/])/, "/$1");
+    const url = `${baseUrl}${trimmedPath}`;
+    return fetchFn(url, buildRequestInit(init));
   }
   async function getJson(path2) {
     const res = await request(path2);
@@ -173,8 +147,19 @@ function createClient(params) {
   return {
     request,
     async getSession() {
-      const s = await ensureSession();
-      return { authToken: s.authToken, siteId: s.siteId, userId: s.userId };
+      const res = await fetchFn(TABLEAU_SESSION_SENTINEL_URL, { method: "POST" });
+      if (!res.ok) {
+        const body = await res.text().catch(() => "(unreadable)");
+        throw new Error(
+          `tableau: failed to fetch session (${res.status}): ${body}`
+        );
+      }
+      const data = await res.json();
+      return {
+        authToken: data.authToken,
+        siteId: data.siteId,
+        userId: data.userId
+      };
     },
     async listProjects(options) {
       return getJson(
@@ -271,6 +256,28 @@ var ConnectorPlugin = class _ConnectorPlugin {
   tools;
   query;
   checkConnection;
+  /**
+   * SQPD-1212: Logic-based, rule-driven connection setup. Connectors that
+   * implement this expose a step-by-step exploration flow (database/schema/
+   * table/etc. discovery) that the dashboard backend drives via the
+   * `/connections/:connectionId/setup` endpoint. Implement by delegating to
+   * `runSetupFlow` from `setup-flow.ts`.
+   */
+  setup;
+  /**
+   * Opt-out of the default "verify before save" behavior on connection
+   * creation. The backend invokes `checkConnection` synchronously while
+   * creating the connection and aborts (no row inserted) if it fails — this
+   * flag disables that for connectors where the check cannot succeed pre-save:
+   *
+   *   - `squadbase-db` populates `connection-url` only after Neon provisioning
+   *   - OAuth connectors require an OAuth-aware proxyFetch keyed by the
+   *     connectionId, which doesn't exist until the row is saved
+   *
+   * Exceptions are the explicit position; new credential-input connectors get
+   * the default verify-on-create behavior without opt-in.
+   */
+  skipConnectionCheckOnCreate;
   constructor(config) {
     this.slug = config.slug;
     this.authType = config.authType;
@@ -287,6 +294,8 @@ var ConnectorPlugin = class _ConnectorPlugin {
     this.tools = config.tools;
     this.query = config.query;
     this.checkConnection = config.checkConnection;
+    this.setup = config.setup;
+    this.skipConnectionCheckOnCreate = config.skipConnectionCheckOnCreate;
   }
   get connectorKey() {
     return _ConnectorPlugin.deriveKey(this.slug, this.authType);
@@ -351,6 +360,51 @@ var ConnectorPlugin = class _ConnectorPlugin {
   }
 };
 
+// ../connectors/src/setup-flow.ts
+async function runSetupFlow(flow, params, ctx, config) {
+  const runtime = {
+    params,
+    language: ctx.language,
+    config
+  };
+  let state = flow.initialState();
+  let answerIdx = 0;
+  for (const step of flow.steps) {
+    const ans = ctx.answers[answerIdx];
+    if (ans && ans.questionSlug === step.slug) {
+      state = step.applyAnswer(state, ans.answer);
+      answerIdx += 1;
+      continue;
+    }
+    if (step.type === "text") {
+      return {
+        type: "nextQuestion",
+        questionSlug: step.slug,
+        question: step.question[ctx.language],
+        questionType: "text"
+      };
+    }
+    const options = step.fetchOptions ? await step.fetchOptions(state, runtime) : [];
+    if (options.length === 0) {
+      continue;
+    }
+    return {
+      type: "nextQuestion",
+      questionSlug: step.slug,
+      question: step.question[ctx.language],
+      questionType: step.type,
+      options
+    };
+  }
+  const dataInvestigationResult = await flow.finalize(state, runtime);
+  return { type: "fulfilled", dataInvestigationResult };
+}
+async function resolveSetupSelection(params) {
+  const { selected, allSentinel, fetchAll, limit } = params;
+  const resolved = selected.includes(allSentinel) ? await fetchAll() : selected.filter((v) => v !== allSentinel);
+  return resolved.slice(0, limit);
+}
+
 // ../connectors/src/auth-types.ts
 var AUTH_TYPES = {
   OAUTH: "oauth",
@@ -393,60 +447,190 @@ var tableauOnboarding = new ConnectorOnboarding({
   }
 });
 
-// ../connectors/src/connectors/tableau/tools/request.ts
-import { z } from "zod";
+// ../connectors/src/connectors/tableau/utils.ts
 var DEFAULT_API_VERSION2 = "3.28";
-var REQUEST_TIMEOUT_MS = 6e4;
-var sessionCache = /* @__PURE__ */ new Map();
-function buildBaseUrl(serverUrl, apiVersion) {
+function buildTableauBaseUrl(params) {
+  const serverUrl = params[parameters.serverUrl.slug];
+  const apiVersion = params[parameters.apiVersion.slug] || DEFAULT_API_VERSION2;
+  if (!serverUrl) {
+    throw new Error(
+      `tableau: missing required parameter: ${parameters.serverUrl.slug}`
+    );
+  }
   return `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
 }
-async function signIn(serverUrl, apiVersion, siteContentUrl, patName, patSecret) {
-  const url = `${buildBaseUrl(serverUrl, apiVersion)}/auth/signin`;
-  const body = {
-    credentials: {
-      personalAccessTokenName: patName,
-      personalAccessTokenSecret: patSecret,
-      site: { contentUrl: siteContentUrl }
+async function tableauProxyApiFetch(proxyFetch, params, path2, init) {
+  const baseUrl = buildTableauBaseUrl(params);
+  const trimmedPath = path2.replace(/^([^/])/, "/$1");
+  return proxyFetch(`${baseUrl}${trimmedPath}`, init);
+}
+
+// ../connectors/src/connectors/tableau/setup-flow.ts
+var ALL_PROJECTS = "__ALL_PROJECTS__";
+var TABLEAU_SETUP_MAX_PROJECTS = 10;
+var PAGE_SIZE = 100;
+async function listAllProjects(rt) {
+  const all = [];
+  let pageNumber = 1;
+  while (all.length < 500) {
+    const res = await tableauProxyApiFetch(
+      rt.config.proxyFetch,
+      rt.params,
+      `/sites/{siteId}/projects?pageSize=${PAGE_SIZE}&pageNumber=${pageNumber}`
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => res.statusText);
+      throw new Error(`tableau: listProjects failed (${res.status}): ${body}`);
     }
-  };
+    const data = await res.json();
+    const batch = data.projects?.project ?? [];
+    all.push(...batch);
+    const total = Number(data.pagination?.totalAvailable ?? "0");
+    if (!batch.length || all.length >= total) break;
+    pageNumber += 1;
+  }
+  return all;
+}
+async function listProjectResources(rt, resource) {
+  const all = [];
+  let pageNumber = 1;
+  while (all.length < 1e3) {
+    const res = await tableauProxyApiFetch(
+      rt.config.proxyFetch,
+      rt.params,
+      `/sites/{siteId}/${resource}?pageSize=${PAGE_SIZE}&pageNumber=${pageNumber}`
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => res.statusText);
+      throw new Error(
+        `tableau: list ${resource} failed (${res.status}): ${body}`
+      );
+    }
+    const data = await res.json();
+    const container = data[resource];
+    const batch = (resource === "workbooks" ? container?.workbook : container?.datasource) ?? [];
+    all.push(...batch);
+    const total = Number(data.pagination?.totalAvailable ?? "0");
+    if (!batch.length || all.length >= total) break;
+    pageNumber += 1;
+  }
+  return all;
+}
+var tableauSetupFlow = {
+  initialState: () => ({}),
+  steps: [
+    {
+      slug: "projects",
+      type: "multiSelect",
+      question: {
+        ja: "\u5BFE\u8C61\u306E\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3092\u9078\u3093\u3067\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u9078\u629E\u53EF\uFF09",
+        en: "Select target projects (multi-select allowed)"
+      },
+      async fetchOptions(_state, rt) {
+        const projects = await listAllProjects(rt);
+        const projectOptions = projects.filter((p) => p.id && p.name).map((p) => ({ value: p.id, label: p.name }));
+        return [
+          {
+            value: ALL_PROJECTS,
+            label: rt.language === "ja" ? "\u3059\u3079\u3066\u306E\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8" : "All projects"
+          },
+          ...projectOptions
+        ];
+      },
+      applyAnswer: (state, answer) => ({ ...state, projects: answer })
+    }
+  ],
+  async finalize(state, rt) {
+    if (!state.projects) {
+      throw new Error("Tableau setup: incomplete state on finalize");
+    }
+    const allProjects = await listAllProjects(rt);
+    const projectById = new Map(allProjects.map((p) => [p.id, p]));
+    const targetIds = await resolveSetupSelection({
+      selected: state.projects,
+      allSentinel: ALL_PROJECTS,
+      fetchAll: async () => allProjects.map((p) => p.id).filter((id) => id),
+      limit: TABLEAU_SETUP_MAX_PROJECTS
+    });
+    const sections = ["## Tableau", ""];
+    if (!targetIds.length) {
+      sections.push("_No projects selected._", "");
+      return sections.join("\n");
+    }
+    const [workbooks, datasources] = await Promise.all([
+      listProjectResources(rt, "workbooks"),
+      listProjectResources(rt, "datasources")
+    ]);
+    const workbooksByProject = /* @__PURE__ */ new Map();
+    for (const wb of workbooks) {
+      const pid = wb.project?.id;
+      if (!pid) continue;
+      const bucket = workbooksByProject.get(pid) ?? [];
+      bucket.push(wb);
+      workbooksByProject.set(pid, bucket);
+    }
+    const datasourcesByProject = /* @__PURE__ */ new Map();
+    for (const ds of datasources) {
+      const pid = ds.project?.id;
+      if (!pid) continue;
+      const bucket = datasourcesByProject.get(pid) ?? [];
+      bucket.push(ds);
+      datasourcesByProject.set(pid, bucket);
+    }
+    for (const id of targetIds) {
+      const project = projectById.get(id);
+      const name = project?.name ?? id;
+      sections.push(`### Project: ${name}`, "", `- id: \`${id}\``);
+      const projectWorkbooks = workbooksByProject.get(id) ?? [];
+      sections.push(`- Workbooks (${projectWorkbooks.length}):`);
+      for (const wb of projectWorkbooks.slice(0, 25)) {
+        sections.push(`  - ${wb.name ?? wb.id ?? "(unknown)"}`);
+      }
+      if (projectWorkbooks.length > 25) {
+        sections.push(`  - \u2026and ${projectWorkbooks.length - 25} more`);
+      }
+      const projectDatasources = datasourcesByProject.get(id) ?? [];
+      sections.push(`- Datasources (${projectDatasources.length}):`);
+      for (const ds of projectDatasources.slice(0, 25)) {
+        sections.push(`  - ${ds.name ?? ds.id ?? "(unknown)"}`);
+      }
+      if (projectDatasources.length > 25) {
+        sections.push(`  - \u2026and ${projectDatasources.length - 25} more`);
+      }
+      sections.push("");
+    }
+    return sections.join("\n");
+  }
+};
+
+// ../connectors/src/connectors/tableau/tools/request.ts
+import { z } from "zod";
+var DEFAULT_API_VERSION3 = "3.28";
+var REQUEST_TIMEOUT_MS = 6e4;
+async function fetchTableauSession(connectionId) {
+  const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
+  const sandboxId = process.env.INTERNAL_SQUADBASE_SANDBOX_ID;
+  if (!token || !sandboxId) {
+    throw new Error(
+      "Tableau session manager is not configured. Missing INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL or INTERNAL_SQUADBASE_SANDBOX_ID."
+    );
+  }
+  const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+  const url = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
   const res = await fetch(url, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    },
-    body: JSON.stringify(body)
+    headers: { Authorization: `Bearer ${token}` }
   });
   if (!res.ok) {
-    const errorText = await res.text().catch(() => res.statusText);
+    const errBody = await res.text().catch(() => res.statusText);
     throw new Error(
-      `Tableau sign-in failed: HTTP ${res.status} ${errorText}`
+      `Failed to fetch Tableau session from backend-api (HTTP ${res.status}): ${errBody}`
     );
   }
-  const data = await res.json();
-  return {
-    authToken: data.credentials.token,
-    siteId: data.credentials.site.id,
-    userId: data.credentials.user.id,
-    expiresAt: Date.now() + 30 * 60 * 1e3
-  };
+  return await res.json();
 }
-async function getSession(serverUrl, apiVersion, siteContentUrl, patName, patSecret) {
-  const cacheKey = `${serverUrl}|${siteContentUrl}|${patName}`;
-  const cached = sessionCache.get(cacheKey);
-  if (cached && cached.expiresAt > Date.now() + 6e4) {
-    return cached;
-  }
-  const session = await signIn(
-    serverUrl,
-    apiVersion,
-    siteContentUrl,
-    patName,
-    patSecret
-  );
-  sessionCache.set(cacheKey, session);
-  return session;
+function buildBaseUrl(serverUrl, apiVersion) {
+  return `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
 }
 var inputSchema = z.object({
   toolUseIntent: z.string().optional().describe(
@@ -480,8 +664,8 @@ var outputSchema = z.discriminatedUnion("success", [
 var requestTool = new ConnectorTool({
   name: "request",
   description: `Send authenticated requests to the Tableau REST API.
-The tool signs in once with the configured Personal Access Token (PAT) to obtain an X-Tableau-Auth token (cached per connection), then forwards the request with the token attached.
-All paths are relative to {serverUrl}/api/{apiVersion}. Use the literal placeholder \`{siteId}\` in the path \u2014 it is automatically substituted with the site ID returned from sign-in.
+The X-Tableau-Auth token is issued and managed centrally by the Squadbase backend so concurrent processes (chat & deployed app) share a single PAT sign-in.
+All paths are relative to {serverUrl}/api/{apiVersion}. Use the literal placeholder \`{siteId}\` in the path \u2014 it is automatically substituted with the signed-in site ID.
 Accept and Content-Type headers default to application/json so list responses come back as JSON instead of Tableau's default XML.`,
   inputSchema,
   outputSchema,
@@ -498,52 +682,52 @@ Accept and Content-Type headers default to application/json so list responses co
     );
     try {
       const serverUrl = parameters.serverUrl.getValue(connection2);
-      const siteContentUrl = parameters.siteContentUrl.getValue(connection2);
-      const patName = parameters.patName.getValue(connection2);
-      const patSecret = parameters.patSecret.getValue(connection2);
-      const apiVersion = parameters.apiVersion.tryGetValue(connection2) || DEFAULT_API_VERSION2;
-      const session = await getSession(
-        serverUrl,
-        apiVersion,
-        siteContentUrl,
-        patName,
-        patSecret
-      );
-      const resolvedPath = path2.trim().replace(/\{siteId\}/g, session.siteId).replace(/^([^/])/, "/$1");
-      let url = `${buildBaseUrl(serverUrl, apiVersion)}${resolvedPath}`;
-      if (queryParams) {
-        const searchParams = new URLSearchParams(queryParams);
-        url += `?${searchParams.toString()}`;
-      }
+      const apiVersion = parameters.apiVersion.tryGetValue(connection2) || DEFAULT_API_VERSION3;
+      const trimmedPath = path2.trim().replace(/^([^/])/, "/$1");
+      const queryString = queryParams ? `?${new URLSearchParams(queryParams).toString()}` : "";
+      const baseUrl = buildBaseUrl(serverUrl, apiVersion);
       const controller = new AbortController();
       const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
       try {
-        const init = {
-          method,
-          headers: {
-            "X-Tableau-Auth": session.authToken,
-            Accept: "application/json",
-            "Content-Type": "application/json"
-          },
-          signal: controller.signal
-        };
-        if (body !== void 0) {
-          init.body = JSON.stringify(body);
-        }
-        const response = await fetch(url, init);
-        const text = await response.text();
-        const data = text ? (() => {
-          try {
-            return JSON.parse(text);
-          } catch {
-            return text;
+        let attempt = 0;
+        while (true) {
+          const session = await fetchTableauSession(connectionId);
+          const resolvedPath = trimmedPath.replace(
+            /\{siteId\}/g,
+            session.siteId
+          );
+          const url = `${baseUrl}${resolvedPath}${queryString}`;
+          const init = {
+            method,
+            headers: {
+              "X-Tableau-Auth": session.authToken,
+              Accept: "application/json",
+              "Content-Type": "application/json"
+            },
+            signal: controller.signal
+          };
+          if (body !== void 0) {
+            init.body = JSON.stringify(body);
+          }
+          const response = await fetch(url, init);
+          const text = await response.text();
+          const data = text ? (() => {
+            try {
+              return JSON.parse(text);
+            } catch {
+              return text;
+            }
+          })() : null;
+          if (response.status === 401 && attempt === 0) {
+            attempt++;
+            continue;
+          }
+          if (!response.ok) {
+            const errorMessage = data && typeof data === "object" && "error" in data ? JSON.stringify(data.error) : typeof data === "string" && data ? data : `HTTP ${response.status} ${response.statusText}`;
+            return { success: false, error: errorMessage };
           }
-        })() : null;
-        if (!response.ok) {
-          const errorMessage = data && typeof data === "object" && "error" in data ? JSON.stringify(data.error) : typeof data === "string" && data ? data : `HTTP ${response.status} ${response.statusText}`;
-          return { success: false, error: errorMessage };
+          return { success: true, status: response.status, data };
         }
-        return { success: true, status: response.status, data };
       } finally {
         clearTimeout(timeout);
       }
@@ -569,7 +753,7 @@ var tableauConnector = new ConnectorPlugin({
   systemPrompt: {
     en: `### Tools
 
-- \`tableau_request\`: The only way to call the Tableau REST API. Use it for projects, workbooks, views, data sources, users, and permissions. The tool signs in once with the configured PAT to obtain an \`X-Tableau-Auth\` token (cached), then forwards each request with the token attached. Use the literal \`{siteId}\` placeholder in the path \u2014 it is replaced with the session's site ID automatically.
+- \`tableau_request\`: The only way to call the Tableau REST API. Use it for projects, workbooks, views, data sources, users, and permissions. The \`X-Tableau-Auth\` token is issued and managed centrally by the Squadbase backend so concurrent processes (chat & deployed app) share a single PAT sign-in. Use the literal \`{siteId}\` placeholder in the path \u2014 it is replaced with the session's site ID automatically.
 
 ### Business Logic
 
@@ -626,7 +810,7 @@ export default async function handler(c: Context) {
 - Combine: \`filter=ownerName:eq:alice,tags:in:[finance]\``,
     ja: `### \u30C4\u30FC\u30EB
 
-- \`tableau_request\`: Tableau REST API \u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3001\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF\u3001\u30D3\u30E5\u30FC\u3001\u30C7\u30FC\u30BF\u30BD\u30FC\u30B9\u3001\u30E6\u30FC\u30B6\u30FC\u3001\u6A29\u9650\u306A\u3069\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u8A2D\u5B9A\u3055\u308C\u305F PAT \u3067\u4E00\u5EA6\u30B5\u30A4\u30F3\u30A4\u30F3\u3057\u3066 \`X-Tableau-Auth\` \u30C8\u30FC\u30AF\u30F3\u3092\u53D6\u5F97 (\u30AD\u30E3\u30C3\u30B7\u30E5) \u3057\u3001\u5404\u30EA\u30AF\u30A8\u30B9\u30C8\u306B\u305D\u306E\u30C8\u30FC\u30AF\u30F3\u3092\u4ED8\u3051\u3066\u9001\u4FE1\u3057\u307E\u3059\u3002\u30D1\u30B9\u5185\u306B\u306F \`{siteId}\` \u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u3092\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044 \u2014 \u30BB\u30C3\u30B7\u30E7\u30F3\u306E\u30B5\u30A4\u30C8 ID \u3067\u81EA\u52D5\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002
+- \`tableau_request\`: Tableau REST API \u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3001\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF\u3001\u30D3\u30E5\u30FC\u3001\u30C7\u30FC\u30BF\u30BD\u30FC\u30B9\u3001\u30E6\u30FC\u30B6\u30FC\u3001\u6A29\u9650\u306A\u3069\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\`X-Tableau-Auth\` \u30C8\u30FC\u30AF\u30F3\u306F Squadbase \u30D0\u30C3\u30AF\u30A8\u30F3\u30C9\u3067\u4E00\u5143\u7BA1\u7406\u3055\u308C\u3001\u8907\u6570\u30D7\u30ED\u30BB\u30B9 (\u30C1\u30E3\u30C3\u30C8\u30FB\u30C7\u30D7\u30ED\u30A4\u6E08\u307F\u30A2\u30D7\u30EA) \u3067\u540C\u3058 PAT \u30B5\u30A4\u30F3\u30A4\u30F3\u3092\u5171\u6709\u3057\u307E\u3059\u3002\u30D1\u30B9\u5185\u306B\u306F \`{siteId}\` \u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u3092\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044 \u2014 \u30BB\u30C3\u30B7\u30E7\u30F3\u306E\u30B5\u30A4\u30C8 ID \u3067\u81EA\u52D5\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002
 
 ### Business Logic
 
@@ -683,6 +867,7 @@ export default async function handler(c: Context) {
 - \u7D44\u307F\u5408\u308F\u305B: \`filter=ownerName:eq:alice,tags:in:[finance]\``
   },
   tools,
+  setup: (params, ctx, config) => runSetupFlow(tableauSetupFlow, params, ctx, config),
   async checkConnection(params) {
     const serverUrl = params[parameters.serverUrl.slug];
     const siteContentUrl = params[parameters.siteContentUrl.slug];
@@ -756,6 +941,7 @@ function resolveEnvVarOptional(entry, key) {
 import { getContext } from "hono/context-storage";
 import { getCookie } from "hono/cookie";
 var APP_SESSION_COOKIE_NAME = "__Host-squadbase-session";
+var TABLEAU_SESSION_SENTINEL_URL2 = "squadbase://tableau-session/";
 function normalizeHeaders(input) {
   const out = {};
   if (!input) return out;
@@ -764,6 +950,11 @@ function normalizeHeaders(input) {
   });
   return out;
 }
+function extractInputUrl(input) {
+  if (typeof input === "string") return input;
+  if (input instanceof URL) return input.href;
+  return input.url;
+}
 function createSandboxProxyFetch(connectionId) {
   return async (input, init) => {
     const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
@@ -773,10 +964,17 @@ function createSandboxProxyFetch(connectionId) {
         "Connection proxy is not configured. Please check your deployment settings."
       );
     }
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalUrl = extractInputUrl(input);
+    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL2) {
+      const sessionUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${token}` }
+      });
+    }
     const originalMethod = init?.method ?? "GET";
     const originalBody = init?.body ? JSON.parse(init.body) : void 0;
-    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
     const proxyUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
     return fetch(proxyUrl, {
       method: "POST",
@@ -802,10 +1000,9 @@ function createDeployedAppProxyFetch(connectionId) {
   }
   const baseDomain = process.env["SQUADBASE_APP_BASE_DOMAIN"] ?? "squadbase.app";
   const proxyUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+  const sessionUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
   return async (input, init) => {
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
-    const originalMethod = init?.method ?? "GET";
-    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const originalUrl = extractInputUrl(input);
     const c = getContext();
     const appSession = getCookie(c, APP_SESSION_COOKIE_NAME);
     if (!appSession) {
@@ -813,6 +1010,14 @@ function createDeployedAppProxyFetch(connectionId) {
         "No authentication method available for connection proxy."
       );
     }
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL2) {
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${appSession}` }
+      });
+    }
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
     return fetch(proxyUrl, {
       method: "POST",
       headers: {