@squadbase/vite-server 0.1.12-dev.a9ac647 → 0.1.17-dev.3b633bb

package/dist/connectors/tableau.js

@@ -1,48 +1,60 @@
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+
 // ../connectors/src/parameter-definition.ts
-var ParameterDefinition = class {
-  slug;
-  name;
-  description;
-  envVarBaseKey;
-  type;
-  secret;
-  required;
-  constructor(config) {
-    this.slug = config.slug;
-    this.name = config.name;
-    this.description = config.description;
-    this.envVarBaseKey = config.envVarBaseKey;
-    this.type = config.type;
-    this.secret = config.secret;
-    this.required = config.required;
-  }
-  /**
-   * Get the parameter value from a ConnectorConnectionObject.
-   */
-  getValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) {
-      throw new Error(
-        `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
-      );
-    }
-    return param.value;
-  }
-  /**
-   * Try to get the parameter value. Returns undefined if not found (for optional params).
-   */
-  tryGetValue(connection2) {
-    const param = connection2.parameters.find(
-      (p) => p.parameterSlug === this.slug
-    );
-    if (!param || param.value == null) return void 0;
-    return param.value;
+var ParameterDefinition;
+var init_parameter_definition = __esm({
+  "../connectors/src/parameter-definition.ts"() {
+    "use strict";
+    ParameterDefinition = class {
+      slug;
+      name;
+      description;
+      envVarBaseKey;
+      type;
+      secret;
+      required;
+      constructor(config) {
+        this.slug = config.slug;
+        this.name = config.name;
+        this.description = config.description;
+        this.envVarBaseKey = config.envVarBaseKey;
+        this.type = config.type;
+        this.secret = config.secret;
+        this.required = config.required;
+      }
+      /**
+       * Get the parameter value from a ConnectorConnectionObject.
+       */
+      getValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) {
+          throw new Error(
+            `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
+          );
+        }
+        return param.value;
+      }
+      /**
+       * Try to get the parameter value. Returns undefined if not found (for optional params).
+       */
+      tryGetValue(connection2) {
+        const param = connection2.parameters.find(
+          (p) => p.parameterSlug === this.slug
+        );
+        if (!param || param.value == null) return void 0;
+        return param.value;
+      }
+    };
   }
-};
+});
 
 // ../connectors/src/connectors/tableau/parameters.ts
+init_parameter_definition();
 var parameters = {
   serverUrl: new ParameterDefinition({
     slug: "server-url",
@@ -93,64 +105,26 @@ var parameters = {
 
 // ../connectors/src/connectors/tableau/sdk/index.ts
 var DEFAULT_API_VERSION = "3.28";
-function createClient(params) {
+var TABLEAU_SESSION_SENTINEL_URL = "squadbase://tableau-session/";
+function createClient(params, fetchFn = fetch) {
   const serverUrl = params[parameters.serverUrl.slug];
-  const siteContentUrl = params[parameters.siteContentUrl.slug];
-  const patName = params[parameters.patName.slug];
-  const patSecret = params[parameters.patSecret.slug];
   const apiVersion = params[parameters.apiVersion.slug] || DEFAULT_API_VERSION;
-  if (!serverUrl || siteContentUrl == null || !patName || !patSecret) {
-    throw new Error(
-      `tableau: missing required parameters: ${parameters.serverUrl.slug}, ${parameters.siteContentUrl.slug}, ${parameters.patName.slug}, ${parameters.patSecret.slug}`
-    );
+  if (!serverUrl) {
+    throw new Error(`tableau: missing required parameter: ${parameters.serverUrl.slug}`);
   }
   const baseUrl = `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
-  let session = null;
-  async function signIn2() {
-    const res = await fetch(`${baseUrl}/auth/signin`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Accept: "application/json"
-      },
-      body: JSON.stringify({
-        credentials: {
-          personalAccessTokenName: patName,
-          personalAccessTokenSecret: patSecret,
-          site: { contentUrl: siteContentUrl }
-        }
-      })
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`tableau: sign-in failed (${res.status}): ${body}`);
-    }
-    const data = await res.json();
-    return {
-      authToken: data.credentials.token,
-      siteId: data.credentials.site.id,
-      userId: data.credentials.user.id,
-      expiresAt: Date.now() + 30 * 60 * 1e3
-    };
-  }
-  async function ensureSession() {
-    if (session && session.expiresAt > Date.now() + 6e4) {
-      return session;
-    }
-    session = await signIn2();
-    return session;
-  }
-  async function request(path2, init) {
-    const s = await ensureSession();
-    const resolvedPath = path2.replace(/\{siteId\}/g, s.siteId).replace(/^([^/])/, "/$1");
-    const url = `${baseUrl}${resolvedPath}`;
+  function buildRequestInit(init) {
     const headers = new Headers(init?.headers);
-    headers.set("X-Tableau-Auth", s.authToken);
     if (!headers.has("Accept")) headers.set("Accept", "application/json");
     if (!headers.has("Content-Type") && init?.body) {
       headers.set("Content-Type", "application/json");
     }
-    return fetch(url, { ...init, headers });
+    return { ...init, headers };
+  }
+  async function request(path2, init) {
+    const trimmedPath = path2.replace(/^([^/])/, "/$1");
+    const url = `${baseUrl}${trimmedPath}`;
+    return fetchFn(url, buildRequestInit(init));
   }
   async function getJson(path2) {
     const res = await request(path2);
@@ -173,8 +147,19 @@ function createClient(params) {
   return {
     request,
     async getSession() {
-      const s = await ensureSession();
-      return { authToken: s.authToken, siteId: s.siteId, userId: s.userId };
+      const res = await fetchFn(TABLEAU_SESSION_SENTINEL_URL, { method: "POST" });
+      if (!res.ok) {
+        const body = await res.text().catch(() => "(unreadable)");
+        throw new Error(
+          `tableau: failed to fetch session (${res.status}): ${body}`
+        );
+      }
+      const data = await res.json();
+      return {
+        authToken: data.authToken,
+        siteId: data.siteId,
+        userId: data.userId
+      };
     },
     async listProjects(options) {
       return getJson(
@@ -271,6 +256,28 @@ var ConnectorPlugin = class _ConnectorPlugin {
   tools;
   query;
   checkConnection;
+  /**
+   * SQPD-1212: Logic-based, rule-driven connection setup. Connectors that
+   * implement this expose a step-by-step exploration flow (database/schema/
+   * table/etc. discovery) that the dashboard backend drives via the
+   * `/connections/:connectionId/setup` endpoint. Implement by delegating to
+   * `runSetupFlow` from `setup-flow.ts`.
+   */
+  setup;
+  /**
+   * Opt-out of the default "verify before save" behavior on connection
+   * creation. The backend invokes `checkConnection` synchronously while
+   * creating the connection and aborts (no row inserted) if it fails — this
+   * flag disables that for connectors where the check cannot succeed pre-save:
+   *
+   *   - `squadbase-db` populates `connection-url` only after Neon provisioning
+   *   - OAuth connectors require an OAuth-aware proxyFetch keyed by the
+   *     connectionId, which doesn't exist until the row is saved
+   *
+   * Exceptions are the explicit position; new credential-input connectors get
+   * the default verify-on-create behavior without opt-in.
+   */
+  skipConnectionCheckOnCreate;
   constructor(config) {
     this.slug = config.slug;
     this.authType = config.authType;
@@ -287,6 +294,8 @@ var ConnectorPlugin = class _ConnectorPlugin {
     this.tools = config.tools;
     this.query = config.query;
     this.checkConnection = config.checkConnection;
+    this.setup = config.setup;
+    this.skipConnectionCheckOnCreate = config.skipConnectionCheckOnCreate;
   }
   get connectorKey() {
     return _ConnectorPlugin.deriveKey(this.slug, this.authType);
@@ -351,6 +360,76 @@ var ConnectorPlugin = class _ConnectorPlugin {
   }
 };
 
+// ../connectors/src/setup-flow.ts
+async function runSetupFlow(flow, params, ctx, config) {
+  const runtime = {
+    params,
+    language: ctx.language,
+    config
+  };
+  let state = flow.initialState();
+  let answerIdx = 0;
+  const pendingParameterUpdates = [];
+  for (const step of flow.steps) {
+    const ans = ctx.answers[answerIdx];
+    if (ans && ans.questionSlug === step.slug) {
+      state = step.applyAnswer(state, ans.answer);
+      if (step.toParameterUpdates) {
+        pendingParameterUpdates.push(...step.toParameterUpdates(state));
+      }
+      answerIdx += 1;
+      continue;
+    }
+    const resolvedAllowFreeText = step.allowFreeText !== void 0 ? step.allowFreeText : true;
+    if (step.type === "text") {
+      if (step.fetchOptions) {
+        const options2 = await step.fetchOptions(state, runtime);
+        if (options2.length === 0) {
+          continue;
+        }
+      }
+      return {
+        type: "nextQuestion",
+        questionSlug: step.slug,
+        question: step.question[ctx.language],
+        questionType: "text",
+        allowFreeText: resolvedAllowFreeText,
+        ...pendingParameterUpdates.length > 0 && {
+          parameterUpdates: pendingParameterUpdates
+        }
+      };
+    }
+    const options = step.fetchOptions ? await step.fetchOptions(state, runtime) : [];
+    if (options.length === 0) {
+      continue;
+    }
+    return {
+      type: "nextQuestion",
+      questionSlug: step.slug,
+      question: step.question[ctx.language],
+      questionType: step.type,
+      options,
+      allowFreeText: resolvedAllowFreeText,
+      ...pendingParameterUpdates.length > 0 && {
+        parameterUpdates: pendingParameterUpdates
+      }
+    };
+  }
+  const dataInvestigationResult = await flow.finalize(state, runtime);
+  return {
+    type: "fulfilled",
+    dataInvestigationResult,
+    ...pendingParameterUpdates.length > 0 && {
+      parameterUpdates: pendingParameterUpdates
+    }
+  };
+}
+async function resolveSetupSelection(params) {
+  const { selected, allSentinel, fetchAll, limit } = params;
+  const resolved = selected.includes(allSentinel) ? await fetchAll() : selected.filter((v) => v !== allSentinel);
+  return resolved.slice(0, limit);
+}
+
 // ../connectors/src/auth-types.ts
 var AUTH_TYPES = {
   OAUTH: "oauth",
@@ -393,60 +472,341 @@ var tableauOnboarding = new ConnectorOnboarding({
   }
 });
 
-// ../connectors/src/connectors/tableau/tools/request.ts
-import { z } from "zod";
+// ../connectors/src/connectors/tableau/utils.ts
 var DEFAULT_API_VERSION2 = "3.28";
-var REQUEST_TIMEOUT_MS = 6e4;
-var sessionCache = /* @__PURE__ */ new Map();
-function buildBaseUrl(serverUrl, apiVersion) {
+function buildTableauBaseUrl(params) {
+  const serverUrl = params[parameters.serverUrl.slug];
+  const apiVersion = params[parameters.apiVersion.slug] || DEFAULT_API_VERSION2;
+  if (!serverUrl) {
+    throw new Error(
+      `tableau: missing required parameter: ${parameters.serverUrl.slug}`
+    );
+  }
   return `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
 }
-async function signIn(serverUrl, apiVersion, siteContentUrl, patName, patSecret) {
-  const url = `${buildBaseUrl(serverUrl, apiVersion)}/auth/signin`;
-  const body = {
-    credentials: {
-      personalAccessTokenName: patName,
-      personalAccessTokenSecret: patSecret,
-      site: { contentUrl: siteContentUrl }
+async function tableauProxyApiFetch(proxyFetch, params, path2, init) {
+  const baseUrl = buildTableauBaseUrl(params);
+  const trimmedPath = path2.replace(/^([^/])/, "/$1");
+  return proxyFetch(`${baseUrl}${trimmedPath}`, init);
+}
+
+// ../connectors/src/connectors/tableau/setup-flow.ts
+var ALL_PROJECTS = "__ALL_PROJECTS__";
+var ALL_WORKBOOKS = "__ALL_WORKBOOKS__";
+var TABLEAU_SETUP_MAX_PROJECTS = 10;
+var MAX_WORKBOOKS_DETAIL = 10;
+var MAX_VIEWS_PER_WORKBOOK = 5;
+var MAX_SAMPLE_ROWS = 5;
+var PAGE_SIZE = 100;
+async function listAllProjects(rt) {
+  const all = [];
+  let pageNumber = 1;
+  while (all.length < 500) {
+    const res = await tableauProxyApiFetch(
+      rt.config.proxyFetch,
+      rt.params,
+      `/sites/{siteId}/projects?pageSize=${PAGE_SIZE}&pageNumber=${pageNumber}`
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => res.statusText);
+      throw new Error(`tableau: listProjects failed (${res.status}): ${body}`);
     }
-  };
+    const data = await res.json();
+    const batch = data.projects?.project ?? [];
+    all.push(...batch);
+    const total = Number(data.pagination?.totalAvailable ?? "0");
+    if (!batch.length || all.length >= total) break;
+    pageNumber += 1;
+  }
+  return all;
+}
+async function listProjectResources(rt, resource) {
+  const all = [];
+  let pageNumber = 1;
+  while (all.length < 1e3) {
+    const res = await tableauProxyApiFetch(
+      rt.config.proxyFetch,
+      rt.params,
+      `/sites/{siteId}/${resource}?pageSize=${PAGE_SIZE}&pageNumber=${pageNumber}`
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => res.statusText);
+      throw new Error(
+        `tableau: list ${resource} failed (${res.status}): ${body}`
+      );
+    }
+    const data = await res.json();
+    const container = data[resource];
+    const batch = (resource === "workbooks" ? container?.workbook : container?.datasource) ?? [];
+    all.push(...batch);
+    const total = Number(data.pagination?.totalAvailable ?? "0");
+    if (!batch.length || all.length >= total) break;
+    pageNumber += 1;
+  }
+  return all;
+}
+async function listViewsForWorkbook(rt, workbookId) {
+  const res = await tableauProxyApiFetch(
+    rt.config.proxyFetch,
+    rt.params,
+    `/sites/{siteId}/workbooks/${encodeURIComponent(workbookId)}/views`
+  );
+  if (!res.ok) return [];
+  const data = await res.json();
+  return data.views?.view ?? [];
+}
+async function fetchViewDataSample(rt, viewId) {
+  try {
+    const res = await tableauProxyApiFetch(
+      rt.config.proxyFetch,
+      rt.params,
+      `/sites/{siteId}/views/${encodeURIComponent(viewId)}/data`
+    );
+    if (!res.ok) return null;
+    const csv = await res.text();
+    const lines = csv.trim().split("\n").filter(Boolean);
+    if (lines.length === 0) return null;
+    const columns = parseCsvLine(lines[0]);
+    const rows = lines.slice(1, 1 + MAX_SAMPLE_ROWS).map(parseCsvLine);
+    return { columns, rows };
+  } catch {
+    return null;
+  }
+}
+function parseCsvLine(line) {
+  const result = [];
+  let current = "";
+  let inQuotes = false;
+  for (let i = 0; i < line.length; i++) {
+    const ch = line[i];
+    if (ch === '"') {
+      if (inQuotes && line[i + 1] === '"') {
+        current += '"';
+        i++;
+      } else {
+        inQuotes = !inQuotes;
+      }
+    } else if (ch === "," && !inQuotes) {
+      result.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  result.push(current.trim());
+  return result;
+}
+var tableauSetupFlow = {
+  initialState: () => ({}),
+  steps: [
+    {
+      slug: "projects",
+      type: "multiSelect",
+      question: {
+        ja: "\u5BFE\u8C61\u306E\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3092\u9078\u3093\u3067\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u9078\u629E\u53EF\uFF09",
+        en: "Select target projects (multi-select allowed)"
+      },
+      async fetchOptions(_state, rt) {
+        const projects = await listAllProjects(rt);
+        const projectOptions = projects.filter((p) => p.id && p.name).map((p) => ({ value: p.id, label: p.name }));
+        return [
+          {
+            value: ALL_PROJECTS,
+            label: rt.language === "ja" ? "\u3059\u3079\u3066\u306E\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8" : "All projects"
+          },
+          ...projectOptions
+        ];
+      },
+      applyAnswer: (state, answer) => ({ ...state, projects: answer })
+    },
+    {
+      slug: "workbooks",
+      type: "multiSelect",
+      question: {
+        ja: "\u5206\u6790\u5BFE\u8C61\u306E\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF\u3092\u9078\u3093\u3067\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u9078\u629E\u53EF\uFF09",
+        en: "Select the workbooks to analyze (multi-select allowed)"
+      },
+      async fetchOptions(state, rt) {
+        if (!state.projects?.length) return [];
+        const allProjects = await listAllProjects(rt);
+        const targetIds = await resolveSetupSelection({
+          selected: state.projects,
+          allSentinel: ALL_PROJECTS,
+          fetchAll: async () => allProjects.map((p) => p.id).filter((id) => id),
+          limit: TABLEAU_SETUP_MAX_PROJECTS
+        });
+        const targetSet = new Set(targetIds);
+        const workbooks = await listProjectResources(rt, "workbooks");
+        const options = workbooks.filter((wb) => wb.id && wb.project?.id && targetSet.has(wb.project.id)).map((wb) => ({
+          value: wb.id,
+          label: wb.name ?? wb.id ?? "(unknown)"
+        }));
+        if (options.length === 0) return [];
+        return [
+          {
+            value: ALL_WORKBOOKS,
+            label: rt.language === "ja" ? "\u3059\u3079\u3066\u306E\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF" : "All workbooks"
+          },
+          ...options
+        ];
+      },
+      applyAnswer: (state, answer) => ({ ...state, workbooks: answer })
+    }
+  ],
+  async finalize(state, rt) {
+    if (!state.projects) {
+      throw new Error("Tableau setup: incomplete state on finalize");
+    }
+    const allProjects = await listAllProjects(rt);
+    const projectById = new Map(allProjects.map((p) => [p.id, p]));
+    const targetProjectIds = await resolveSetupSelection({
+      selected: state.projects,
+      allSentinel: ALL_PROJECTS,
+      fetchAll: async () => allProjects.map((p) => p.id).filter((id) => id),
+      limit: TABLEAU_SETUP_MAX_PROJECTS
+    });
+    const sections = ["## Tableau", ""];
+    if (!targetProjectIds.length) {
+      sections.push("_No projects selected._", "");
+      return sections.join("\n");
+    }
+    const [allWorkbooks, datasources] = await Promise.all([
+      listProjectResources(rt, "workbooks"),
+      listProjectResources(rt, "datasources")
+    ]);
+    const projectIdSet = new Set(targetProjectIds);
+    const targetWorkbooks = await resolveSetupSelection({
+      selected: state.workbooks ?? [],
+      allSentinel: ALL_WORKBOOKS,
+      fetchAll: async () => allWorkbooks.filter((wb) => wb.id && wb.project?.id && projectIdSet.has(wb.project.id)).map((wb) => wb.id).filter(Boolean),
+      limit: MAX_WORKBOOKS_DETAIL
+    });
+    const targetWorkbookSet = new Set(targetWorkbooks);
+    const workbooksByProject = /* @__PURE__ */ new Map();
+    for (const wb of allWorkbooks) {
+      const pid = wb.project?.id;
+      if (!pid || !projectIdSet.has(pid)) continue;
+      const bucket = workbooksByProject.get(pid) ?? [];
+      bucket.push(wb);
+      workbooksByProject.set(pid, bucket);
+    }
+    const datasourcesByProject = /* @__PURE__ */ new Map();
+    for (const ds of datasources) {
+      const pid = ds.project?.id;
+      if (!pid || !projectIdSet.has(pid)) continue;
+      const bucket = datasourcesByProject.get(pid) ?? [];
+      bucket.push(ds);
+      datasourcesByProject.set(pid, bucket);
+    }
+    const allDiscoveredColumns = [];
+    for (const pid of targetProjectIds) {
+      const project = projectById.get(pid);
+      sections.push(`### Project: ${project?.name ?? pid}`, "");
+      const projectWorkbooks = workbooksByProject.get(pid) ?? [];
+      for (const wb of projectWorkbooks) {
+        if (!wb.id) continue;
+        const isDetailed = targetWorkbookSet.has(wb.id);
+        sections.push(`#### Workbook: ${wb.name ?? wb.id}`, "");
+        if (!isDetailed) continue;
+        const views = await listViewsForWorkbook(rt, wb.id);
+        if (views.length === 0) {
+          sections.push("_No views found._", "");
+          continue;
+        }
+        for (const view of views.slice(0, MAX_VIEWS_PER_WORKBOOK)) {
+          if (!view.id) continue;
+          sections.push(`##### View: ${view.name ?? view.id}`, "");
+          const sample = await fetchViewDataSample(rt, view.id);
+          if (!sample || sample.columns.length === 0) {
+            sections.push("_Data not available._", "");
+            continue;
+          }
+          allDiscoveredColumns.push(...sample.columns);
+          sections.push(`| ${sample.columns.join(" | ")} |`);
+          sections.push(`|${sample.columns.map(() => "---").join("|")}|`);
+          for (const row of sample.rows) {
+            const cells = row.map((c) => c.replace(/\|/g, "\\|"));
+            sections.push(`| ${cells.join(" | ")} |`);
+          }
+          sections.push("");
+        }
+      }
+      const projectDatasources = datasourcesByProject.get(pid) ?? [];
+      if (projectDatasources.length > 0) {
+        sections.push(`#### Datasources (${projectDatasources.length})`, "");
+        for (const ds of projectDatasources.slice(0, 25)) {
+          sections.push(`- ${ds.name ?? ds.id ?? "(unknown)"}`);
+        }
+        sections.push("");
+      }
+    }
+    if (allDiscoveredColumns.length > 0) {
+      const unique = [...new Set(allDiscoveredColumns.map((c) => c.toLowerCase()))];
+      const themes = [];
+      const hasPattern = (keywords) => unique.some((c) => keywords.some((k) => c.includes(k)));
+      if (hasPattern(["revenue", "sales", "amount", "price", "cost", "profit", "\u58F2\u4E0A", "\u91D1\u984D", "\u5229\u76CA"]))
+        themes.push("Revenue & profitability analysis (trends, breakdown by segment)");
+      if (hasPattern(["date", "month", "year", "quarter", "day", "\u65E5\u4ED8", "\u6708", "\u5E74", "\u671F"]))
+        themes.push("Time-series trend analysis (YoY, MoM comparisons)");
+      if (hasPattern(["region", "country", "city", "state", "\u5730\u57DF", "\u56FD", "\u90FD\u5E02", "\u5E02"]))
+        themes.push("Geographic/regional performance comparison");
+      if (hasPattern(["product", "category", "item", "sku", "\u5546\u54C1", "\u30AB\u30C6\u30B4\u30EA"]))
+        themes.push("Product/category mix analysis");
+      if (hasPattern(["customer", "user", "account", "\u9867\u5BA2", "\u30E6\u30FC\u30B6\u30FC"]))
+        themes.push("Customer segmentation and behavior analysis");
+      if (hasPattern(["quantity", "count", "volume", "\u6570\u91CF", "\u4EF6\u6570"]))
+        themes.push("Volume and demand pattern analysis");
+      if (hasPattern(["rate", "ratio", "percentage", "%", "\u7387"]))
+        themes.push("KPI ratio tracking and benchmarking");
+      if (themes.length > 0) {
+        sections.push("### Suggested Analysis Themes", "");
+        for (const theme of themes) {
+          sections.push(`- ${theme}`);
+        }
+        sections.push("");
+      }
+    }
+    return sections.join("\n");
+  }
+};
+
+// ../connectors/src/connectors/tableau/tools/request.ts
+import { z } from "zod";
+var DEFAULT_API_VERSION3 = "3.28";
+var REQUEST_TIMEOUT_MS = 6e4;
+var cachedToken = null;
+async function getProxyToken(config) {
+  if (cachedToken && cachedToken.expiresAt > Date.now() + 6e4) {
+    return cachedToken.token;
+  }
+  const url = `${config.appApiBaseUrl}/v0/database/${config.projectId}/environment/${config.environmentId}/oauth-request-proxy-token`;
   const res = await fetch(url, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
-      Accept: "application/json"
+      "x-api-key": config.appApiKey,
+      "project-id": config.projectId
     },
-    body: JSON.stringify(body)
+    body: JSON.stringify({
+      sandboxId: config.sandboxId,
+      issuedBy: "coding-agent"
+    })
   });
   if (!res.ok) {
     const errorText = await res.text().catch(() => res.statusText);
     throw new Error(
-      `Tableau sign-in failed: HTTP ${res.status} ${errorText}`
+      `Failed to get proxy token: HTTP ${res.status} ${errorText}`
     );
   }
   const data = await res.json();
-  return {
-    authToken: data.credentials.token,
-    siteId: data.credentials.site.id,
-    userId: data.credentials.user.id,
-    expiresAt: Date.now() + 30 * 60 * 1e3
+  cachedToken = {
+    token: data.token,
+    expiresAt: new Date(data.expiresAt).getTime()
   };
+  return data.token;
 }
-async function getSession(serverUrl, apiVersion, siteContentUrl, patName, patSecret) {
-  const cacheKey = `${serverUrl}|${siteContentUrl}|${patName}`;
-  const cached = sessionCache.get(cacheKey);
-  if (cached && cached.expiresAt > Date.now() + 6e4) {
-    return cached;
-  }
-  const session = await signIn(
-    serverUrl,
-    apiVersion,
-    siteContentUrl,
-    patName,
-    patSecret
-  );
-  sessionCache.set(cacheKey, session);
-  return session;
+function buildBaseUrl(serverUrl, apiVersion) {
+  return `${serverUrl.replace(/\/$/, "")}/api/${apiVersion}`;
 }
 var inputSchema = z.object({
   toolUseIntent: z.string().optional().describe(
@@ -480,12 +840,12 @@ var outputSchema = z.discriminatedUnion("success", [
 var requestTool = new ConnectorTool({
   name: "request",
   description: `Send authenticated requests to the Tableau REST API.
-The tool signs in once with the configured Personal Access Token (PAT) to obtain an X-Tableau-Auth token (cached per connection), then forwards the request with the token attached.
-All paths are relative to {serverUrl}/api/{apiVersion}. Use the literal placeholder \`{siteId}\` in the path \u2014 it is automatically substituted with the site ID returned from sign-in.
+The X-Tableau-Auth token is issued and managed centrally by the Squadbase backend so concurrent processes (chat & deployed app) share a single PAT sign-in.
+All paths are relative to {serverUrl}/api/{apiVersion}. Use the literal placeholder \`{siteId}\` in the path \u2014 it is automatically substituted with the signed-in site ID.
 Accept and Content-Type headers default to application/json so list responses come back as JSON instead of Tableau's default XML.`,
   inputSchema,
   outputSchema,
-  async execute({ connectionId, method, path: path2, queryParams, body }, connections) {
+  async execute({ connectionId, method, path: path2, queryParams, body }, connections, config) {
     const connection2 = connections.find((c) => c.id === connectionId);
     if (!connection2) {
       return {
@@ -498,39 +858,31 @@ Accept and Content-Type headers default to application/json so list responses co
     );
     try {
       const serverUrl = parameters.serverUrl.getValue(connection2);
-      const siteContentUrl = parameters.siteContentUrl.getValue(connection2);
-      const patName = parameters.patName.getValue(connection2);
-      const patSecret = parameters.patSecret.getValue(connection2);
-      const apiVersion = parameters.apiVersion.tryGetValue(connection2) || DEFAULT_API_VERSION2;
-      const session = await getSession(
-        serverUrl,
-        apiVersion,
-        siteContentUrl,
-        patName,
-        patSecret
-      );
-      const resolvedPath = path2.trim().replace(/\{siteId\}/g, session.siteId).replace(/^([^/])/, "/$1");
-      let url = `${buildBaseUrl(serverUrl, apiVersion)}${resolvedPath}`;
+      const apiVersion = parameters.apiVersion.tryGetValue(connection2) || DEFAULT_API_VERSION3;
+      const trimmedPath = path2.trim().replace(/^([^/])/, "/$1");
+      const baseUrl = buildBaseUrl(serverUrl, apiVersion);
+      let url = `${baseUrl}${trimmedPath}`;
       if (queryParams) {
-        const searchParams = new URLSearchParams(queryParams);
-        url += `?${searchParams.toString()}`;
+        url += `?${new URLSearchParams(queryParams).toString()}`;
       }
+      const token = await getProxyToken(config.oauthProxy);
+      const proxyUrl = `https://${config.oauthProxy.sandboxId}.${config.oauthProxy.previewBaseDomain}/_sqcore/connections/${connectionId}/request`;
       const controller = new AbortController();
       const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
       try {
-        const init = {
-          method,
+        const response = await fetch(proxyUrl, {
+          method: "POST",
           headers: {
-            "X-Tableau-Auth": session.authToken,
-            Accept: "application/json",
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${token}`
           },
+          body: JSON.stringify({
+            url,
+            method,
+            ...body !== void 0 ? { body } : {}
+          }),
           signal: controller.signal
-        };
-        if (body !== void 0) {
-          init.body = JSON.stringify(body);
-        }
-        const response = await fetch(url, init);
+        });
         const text = await response.text();
         const data = text ? (() => {
           try {
@@ -569,7 +921,7 @@ var tableauConnector = new ConnectorPlugin({
   systemPrompt: {
     en: `### Tools
 
-- \`tableau_request\`: The only way to call the Tableau REST API. Use it for projects, workbooks, views, data sources, users, and permissions. The tool signs in once with the configured PAT to obtain an \`X-Tableau-Auth\` token (cached), then forwards each request with the token attached. Use the literal \`{siteId}\` placeholder in the path \u2014 it is replaced with the session's site ID automatically.
+- \`tableau_request\`: The only way to call the Tableau REST API. Use it for projects, workbooks, views, data sources, users, and permissions. The \`X-Tableau-Auth\` token is issued and managed centrally by the Squadbase backend so concurrent processes (chat & deployed app) share a single PAT sign-in. Use the literal \`{siteId}\` placeholder in the path \u2014 it is replaced with the session's site ID automatically.
 
 ### Business Logic
 
@@ -626,7 +978,7 @@ export default async function handler(c: Context) {
 - Combine: \`filter=ownerName:eq:alice,tags:in:[finance]\``,
     ja: `### \u30C4\u30FC\u30EB
 
-- \`tableau_request\`: Tableau REST API \u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3001\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF\u3001\u30D3\u30E5\u30FC\u3001\u30C7\u30FC\u30BF\u30BD\u30FC\u30B9\u3001\u30E6\u30FC\u30B6\u30FC\u3001\u6A29\u9650\u306A\u3069\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u8A2D\u5B9A\u3055\u308C\u305F PAT \u3067\u4E00\u5EA6\u30B5\u30A4\u30F3\u30A4\u30F3\u3057\u3066 \`X-Tableau-Auth\` \u30C8\u30FC\u30AF\u30F3\u3092\u53D6\u5F97 (\u30AD\u30E3\u30C3\u30B7\u30E5) \u3057\u3001\u5404\u30EA\u30AF\u30A8\u30B9\u30C8\u306B\u305D\u306E\u30C8\u30FC\u30AF\u30F3\u3092\u4ED8\u3051\u3066\u9001\u4FE1\u3057\u307E\u3059\u3002\u30D1\u30B9\u5185\u306B\u306F \`{siteId}\` \u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u3092\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044 \u2014 \u30BB\u30C3\u30B7\u30E7\u30F3\u306E\u30B5\u30A4\u30C8 ID \u3067\u81EA\u52D5\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002
+- \`tableau_request\`: Tableau REST API \u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30D7\u30ED\u30B8\u30A7\u30AF\u30C8\u3001\u30EF\u30FC\u30AF\u30D6\u30C3\u30AF\u3001\u30D3\u30E5\u30FC\u3001\u30C7\u30FC\u30BF\u30BD\u30FC\u30B9\u3001\u30E6\u30FC\u30B6\u30FC\u3001\u6A29\u9650\u306A\u3069\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\`X-Tableau-Auth\` \u30C8\u30FC\u30AF\u30F3\u306F Squadbase \u30D0\u30C3\u30AF\u30A8\u30F3\u30C9\u3067\u4E00\u5143\u7BA1\u7406\u3055\u308C\u3001\u8907\u6570\u30D7\u30ED\u30BB\u30B9 (\u30C1\u30E3\u30C3\u30C8\u30FB\u30C7\u30D7\u30ED\u30A4\u6E08\u307F\u30A2\u30D7\u30EA) \u3067\u540C\u3058 PAT \u30B5\u30A4\u30F3\u30A4\u30F3\u3092\u5171\u6709\u3057\u307E\u3059\u3002\u30D1\u30B9\u5185\u306B\u306F \`{siteId}\` \u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u3092\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044 \u2014 \u30BB\u30C3\u30B7\u30E7\u30F3\u306E\u30B5\u30A4\u30C8 ID \u3067\u81EA\u52D5\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002
 
 ### Business Logic
 
@@ -683,6 +1035,7 @@ export default async function handler(c: Context) {
 - \u7D44\u307F\u5408\u308F\u305B: \`filter=ownerName:eq:alice,tags:in:[finance]\``
   },
   tools,
+  setup: (params, ctx, config) => runSetupFlow(tableauSetupFlow, params, ctx, config),
   async checkConnection(params) {
     const serverUrl = params[parameters.serverUrl.slug];
     const siteContentUrl = params[parameters.siteContentUrl.slug];
@@ -756,6 +1109,7 @@ function resolveEnvVarOptional(entry, key) {
 import { getContext } from "hono/context-storage";
 import { getCookie } from "hono/cookie";
 var APP_SESSION_COOKIE_NAME = "__Host-squadbase-session";
+var TABLEAU_SESSION_SENTINEL_URL2 = "squadbase://tableau-session/";
 function normalizeHeaders(input) {
   const out = {};
   if (!input) return out;
@@ -764,6 +1118,11 @@ function normalizeHeaders(input) {
   });
   return out;
 }
+function extractInputUrl(input) {
+  if (typeof input === "string") return input;
+  if (input instanceof URL) return input.href;
+  return input.url;
+}
 function createSandboxProxyFetch(connectionId) {
   return async (input, init) => {
     const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
@@ -773,10 +1132,17 @@ function createSandboxProxyFetch(connectionId) {
         "Connection proxy is not configured. Please check your deployment settings."
       );
     }
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalUrl = extractInputUrl(input);
+    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL2) {
+      const sessionUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${token}` }
+      });
+    }
     const originalMethod = init?.method ?? "GET";
     const originalBody = init?.body ? JSON.parse(init.body) : void 0;
-    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
     const proxyUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
     return fetch(proxyUrl, {
       method: "POST",
@@ -802,10 +1168,9 @@ function createDeployedAppProxyFetch(connectionId) {
   }
   const baseDomain = process.env["SQUADBASE_APP_BASE_DOMAIN"] ?? "squadbase.app";
   const proxyUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+  const sessionUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/tableau-session`;
   return async (input, init) => {
-    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
-    const originalMethod = init?.method ?? "GET";
-    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const originalUrl = extractInputUrl(input);
     const c = getContext();
     const appSession = getCookie(c, APP_SESSION_COOKIE_NAME);
     if (!appSession) {
@@ -813,6 +1178,14 @@ function createDeployedAppProxyFetch(connectionId) {
         "No authentication method available for connection proxy."
       );
     }
+    if (originalUrl === TABLEAU_SESSION_SENTINEL_URL2) {
+      return fetch(sessionUrl, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${appSession}` }
+      });
+    }
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
     return fetch(proxyUrl, {
       method: "POST",
       headers: {