@squadbase/vite-server 0.1.3-dev.6 → 0.1.3-dev.8

package/dist/connectors/google-calendar.js

@@ -56,6 +56,15 @@ var parameters = {
     secret: true,
     required: true
   }),
+  impersonateEmail: new ParameterDefinition({
+    slug: "impersonate-email",
+    name: "User Email Address(es)",
+    description: "The email address(es) of the Google Workspace user(s) whose calendar will be accessed via Domain-wide Delegation. Multiple addresses can be provided as a comma-separated list (e.g., 'user1@example.com, user2@example.com') to aggregate accessible calendars across users during setup. After setup completes, this value is overwritten with the owner email of the selected calendar.",
+    envVarBaseKey: "GOOGLE_CALENDAR_IMPERSONATE_EMAIL",
+    type: "text",
+    secret: false,
+    required: true
+  }),
   calendarId: new ParameterDefinition({
     slug: "calendar-id",
     name: "Default Calendar ID",
@@ -95,14 +104,20 @@ function buildJwt(clientEmail, privateKey, nowSec, subject) {
   const signature = base64url(sign.sign(privateKey));
   return `${signingInput}.${signature}`;
 }
-function createClient(params, options) {
+function createClient(params) {
   const serviceAccountKeyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
+  const impersonateEmail = params[parameters.impersonateEmail.slug];
   const defaultCalendarId = params[parameters.calendarId.slug] ?? "primary";
   if (!serviceAccountKeyJsonBase64) {
     throw new Error(
       `google-calendar: missing required parameter: ${parameters.serviceAccountKeyJsonBase64.slug}`
     );
   }
+  if (!impersonateEmail) {
+    throw new Error(
+      `google-calendar: missing required parameter: ${parameters.impersonateEmail.slug}`
+    );
+  }
   let serviceAccountKey;
   try {
     const decoded = Buffer.from(
@@ -120,10 +135,10 @@ function createClient(params, options) {
       "google-calendar: service account key JSON must contain client_email and private_key"
     );
   }
-  const subject = options?.subject;
+  const subject = impersonateEmail;
   let cachedToken = null;
   let tokenExpiresAt = 0;
-  async function getAccessToken() {
+  async function getAccessToken2() {
     const nowSec = Math.floor(Date.now() / 1e3);
     if (cachedToken && nowSec < tokenExpiresAt - 60) {
       return cachedToken;
@@ -158,7 +173,7 @@ function createClient(params, options) {
   }
   return {
     async request(path2, init) {
-      const accessToken = await getAccessToken();
+      const accessToken = await getAccessToken2();
       const resolvedPath = path2.replace(
         /\{calendarId\}/g,
         defaultCalendarId
@@ -181,18 +196,18 @@ function createClient(params, options) {
       const data = await response.json();
       return data.items ?? [];
     },
-    async listEvents(options2, calendarId) {
+    async listEvents(options, calendarId) {
       const cid = resolveCalendarId(calendarId);
       const searchParams = new URLSearchParams();
-      if (options2?.timeMin) searchParams.set("timeMin", options2.timeMin);
-      if (options2?.timeMax) searchParams.set("timeMax", options2.timeMax);
-      if (options2?.maxResults)
-        searchParams.set("maxResults", String(options2.maxResults));
-      if (options2?.q) searchParams.set("q", options2.q);
-      if (options2?.singleEvents != null)
-        searchParams.set("singleEvents", String(options2.singleEvents));
-      if (options2?.orderBy) searchParams.set("orderBy", options2.orderBy);
-      if (options2?.pageToken) searchParams.set("pageToken", options2.pageToken);
+      if (options?.timeMin) searchParams.set("timeMin", options.timeMin);
+      if (options?.timeMax) searchParams.set("timeMax", options.timeMax);
+      if (options?.maxResults)
+        searchParams.set("maxResults", String(options.maxResults));
+      if (options?.q) searchParams.set("q", options.q);
+      if (options?.singleEvents != null)
+        searchParams.set("singleEvents", String(options.singleEvents));
+      if (options?.orderBy) searchParams.set("orderBy", options.orderBy);
+      if (options?.pageToken) searchParams.set("pageToken", options.pageToken);
       const qs = searchParams.toString();
       const path2 = `/calendars/${encodeURIComponent(cid)}/events${qs ? `?${qs}` : ""}`;
       const response = await this.request(path2, { method: "GET" });
@@ -329,8 +344,224 @@ var AUTH_TYPES = {
   USER_PASSWORD: "user-password"
 };
 
+// ../connectors/src/connectors/google-calendar/tools/list-calendars.ts
+import * as crypto2 from "crypto";
+import { z } from "zod";
+var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var BASE_URL2 = "https://www.googleapis.com/calendar/v3";
+var SCOPE2 = "https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/calendar.events.readonly";
+var REQUEST_TIMEOUT_MS = 6e4;
+function base64url2(input) {
+  const buf = typeof input === "string" ? Buffer.from(input) : input;
+  return buf.toString("base64url");
+}
+function buildJwt2(clientEmail, privateKey, nowSec, subject) {
+  const header = base64url2(JSON.stringify({ alg: "RS256", typ: "JWT" }));
+  const payload = base64url2(
+    JSON.stringify({
+      iss: clientEmail,
+      sub: subject,
+      scope: SCOPE2,
+      aud: TOKEN_URL2,
+      iat: nowSec,
+      exp: nowSec + 3600
+    })
+  );
+  const signingInput = `${header}.${payload}`;
+  const sign = crypto2.createSign("RSA-SHA256");
+  sign.update(signingInput);
+  sign.end();
+  const signature = base64url2(sign.sign(privateKey));
+  return `${signingInput}.${signature}`;
+}
+async function getAccessToken(serviceAccount, subject) {
+  const nowSec = Math.floor(Date.now() / 1e3);
+  const jwt = buildJwt2(
+    serviceAccount.client_email,
+    serviceAccount.private_key,
+    nowSec,
+    subject
+  );
+  const response = await fetch(TOKEN_URL2, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt
+    })
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(
+      `token exchange failed for ${subject} (${response.status}): ${text}`
+    );
+  }
+  const data = await response.json();
+  return data.access_token;
+}
+var inputSchema = z.object({
+  toolUseIntent: z.string().optional().describe(
+    "Brief description of what you intend to accomplish with this tool call"
+  ),
+  connectionId: z.string().describe("ID of the Google Calendar connection to use")
+});
+var outputSchema = z.discriminatedUnion("success", [
+  z.object({
+    success: z.literal(true),
+    calendars: z.array(
+      z.object({
+        impersonateEmail: z.string(),
+        id: z.string(),
+        summary: z.string(),
+        primary: z.boolean().optional(),
+        accessRole: z.string()
+      })
+    ),
+    errors: z.array(
+      z.object({
+        impersonateEmail: z.string(),
+        error: z.string()
+      })
+    )
+  }),
+  z.object({
+    success: z.literal(false),
+    error: z.string()
+  })
+]);
+var listCalendarsTool = new ConnectorTool({
+  name: "listCalendars",
+  description: "List Google Calendars accessible via Domain-wide Delegation by impersonating the Google Workspace user(s) configured on the connection's `impersonate-email` parameter (comma-separated list supported). Use during setup to aggregate calendars across the configured emails.",
+  inputSchema,
+  outputSchema,
+  async execute({ connectionId }, connections) {
+    const connection2 = connections.find((c) => c.id === connectionId);
+    if (!connection2) {
+      return {
+        success: false,
+        error: `Connection ${connectionId} not found`
+      };
+    }
+    const impersonateEmailRaw = parameters.impersonateEmail.getValue(connection2);
+    const emails = impersonateEmailRaw.split(",").map((e) => e.trim()).filter((e) => e.length > 0);
+    if (emails.length === 0) {
+      return {
+        success: false,
+        error: "impersonate-email parameter is empty"
+      };
+    }
+    console.log(
+      `[connector-request] google-calendar/${connection2.name}: listCalendars for ${emails.join(",")}`
+    );
+    let serviceAccount;
+    try {
+      const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
+      const decoded = Buffer.from(keyJsonBase64, "base64").toString("utf-8");
+      serviceAccount = JSON.parse(decoded);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: `failed to decode service account key: ${msg}`
+      };
+    }
+    if (!serviceAccount.client_email || !serviceAccount.private_key) {
+      return {
+        success: false,
+        error: "service account key JSON must contain client_email and private_key"
+      };
+    }
+    const aggregated = [];
+    const errors = [];
+    for (const email of emails) {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+      try {
+        const token = await getAccessToken(serviceAccount, email);
+        const response = await fetch(`${BASE_URL2}/users/me/calendarList`, {
+          method: "GET",
+          headers: { Authorization: `Bearer ${token}` },
+          signal: controller.signal
+        });
+        const data = await response.json();
+        if (!response.ok) {
+          const errorObj = data?.error;
+          errors.push({
+            impersonateEmail: email,
+            error: errorObj?.message ?? `HTTP ${response.status} ${response.statusText}`
+          });
+          continue;
+        }
+        const items = data.items ?? [];
+        for (const c of items) {
+          aggregated.push({
+            impersonateEmail: email,
+            id: c.id,
+            summary: c.summary,
+            primary: c.primary,
+            accessRole: c.accessRole
+          });
+        }
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        errors.push({ impersonateEmail: email, error: msg });
+      } finally {
+        clearTimeout(timeout);
+      }
+    }
+    return {
+      success: true,
+      calendars: aggregated,
+      errors
+    };
+  }
+});
+
 // ../connectors/src/connectors/google-calendar/setup.ts
+var listCalendarsToolName = `google-calendar_${listCalendarsTool.name}`;
 var googleCalendarOnboarding = new ConnectorOnboarding({
+  connectionSetupInstructions: {
+    ja: `\u4EE5\u4E0B\u306E\u624B\u9806\u3067Google Calendar\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u3092\u884C\u3063\u3066\u304F\u3060\u3055\u3044\u3002
+
+1. \`${listCalendarsToolName}\` \u3092\u547C\u3073\u51FA\u3057\u3066\u3001\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E \`impersonate-email\` \u30D1\u30E9\u30E1\u30FC\u30BF\u306B\u8A2D\u5B9A\u3055\u308C\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\uFF08\u30AB\u30F3\u30DE\u533A\u5207\u308A\u5BFE\u5FDC\uFF09\u3067\u30A2\u30AF\u30BB\u30B9\u53EF\u80FD\u306A\u30AB\u30EC\u30F3\u30C0\u30FC\u4E00\u89A7\u3092\u53D6\u5F97\u3059\u308B
+2. \u8FD4\u5374\u3055\u308C\u305F \`calendars\` \u914D\u5217\uFF08\u5404\u8981\u7D20: \`{ impersonateEmail, id, summary, primary, accessRole }\`\uFF09\u3092\u5143\u306B\u3001\u300C\u4F7F\u7528\u3059\u308B\u30AB\u30EC\u30F3\u30C0\u30FC\u3092\u9078\u629E\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u300D\u3068\u30E6\u30FC\u30B6\u30FC\u306B\u4F1D\u3048\u305F\u4E0A\u3067\u3001\`updateConnectionParameters\` \u3092\u547C\u3073\u51FA\u3059:
+   - \`parameterSlug\`: \`"calendar-id"\`
+   - \`options\`: \u30AB\u30EC\u30F3\u30C0\u30FC\u4E00\u89A7\u3002\u5404 option \u306E \`label\` \u306F \`\u30AB\u30EC\u30F3\u30C0\u30FC\u540D (owner: impersonateEmail)\` \u306E\u5F62\u5F0F\u3001\`value\` \u306F\u30AB\u30EC\u30F3\u30C0\u30FCID
+   - \`errors\` \u306B\u5931\u6557\u3057\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u304C\u3042\u308B\u5834\u5408\u306F\u3001\u305D\u306E\u65E8\u3092\u77ED\u304F\u4F1D\u3048\u308B
+3. \u30E6\u30FC\u30B6\u30FC\u304C\u9078\u629E\u3057\u305F\u30AB\u30EC\u30F3\u30C0\u30FC\u306E \`label\` \u304C\u30E1\u30C3\u30BB\u30FC\u30B8\u3068\u3057\u3066\u5C4A\u304F\u3002\u305D\u306E label \u304B\u3089 owner \u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u62BD\u51FA\u3057\u3001\`updateConnectionParameters\` \u3092\u547C\u3073\u51FA\u3059:
+   - \`parameterSlug\`: \`"impersonate-email"\`
+   - \`options\`: \`[{ value: <ownerEmail>, label: <ownerEmail> }]\`\uFF08\u9078\u629E\u6E08\u307F\u30AB\u30EC\u30F3\u30C0\u30FC\u306E owner email \u3092\u5358\u4E00\u30AA\u30D7\u30B7\u30E7\u30F3\u3068\u3057\u3066\u6E21\u3059\uFF09
+4. \`updateConnectionContext\` \u3092\u547C\u3073\u51FA\u3057\u3066\u3001\u5BFE\u8C61\u60C5\u5831\u3092\u8A18\u9332\u3059\u308B:
+   - \`user\`: \u8A2D\u5B9A\u3057\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9
+   - \`calendar\`: \u9078\u629E\u3055\u308C\u305F\u30AB\u30EC\u30F3\u30C0\u30FC\u540D
+   - \`calendarId\`: \u9078\u629E\u3055\u308C\u305F\u30AB\u30EC\u30F3\u30C0\u30FCID
+   - \`note\`: \u300CDomain-wide Delegation\u3067 {email} \u306E {calendar} \u306B\u30A2\u30AF\u30BB\u30B9\u300D\u306A\u3069\u306E\u8AAC\u660E
+
+#### \u5236\u7D04
+- **\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u4E2D\u306B\u30E6\u30FC\u30B6\u30FC\u3078\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u7B49\u306E\u5165\u529B\u3092\u6C42\u3081\u306A\u3044\u3053\u3068**\u3002\u5FC5\u8981\u306A\u5024\u306F\u63A5\u7D9A\u4F5C\u6210\u6642\u306E\u30D1\u30E9\u30E1\u30FC\u30BF\uFF08\`impersonate-email\`\uFF09\u304B\u3089\u53D6\u5F97\u3059\u308B
+- **\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30C9\u30E1\u30A4\u30F3\u5168\u4F53\u306E\u59D4\u4EFB\u8A2D\u5B9A\u304C\u5FC5\u8981\u3067\u3059**\u3002\`${listCalendarsToolName}\` \u306E \`errors\` \u306B\u6A29\u9650\u30A8\u30E9\u30FC\u304C\u51FA\u308B\u5834\u5408\u3001Google Workspace\u7BA1\u7406\u8005\u306BDomain-wide Delegation\u306E\u8A2D\u5B9A\u78BA\u8A8D\u3092\u4FC3\u3057\u3066\u304F\u3060\u3055\u3044
+- \u30C4\u30FC\u30EB\u9593\u306F1\u6587\u3060\u3051\u66F8\u3044\u3066\u5373\u6B21\u306E\u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057\u3002\u4E0D\u8981\u306A\u8AAC\u660E\u306F\u7701\u7565\u3057\u3001\u52B9\u7387\u7684\u306B\u9032\u3081\u308B`,
+    en: `Follow these steps to set up the Google Calendar connection.
+
+1. Call \`${listCalendarsToolName}\` to list calendars accessible via the email address(es) configured in the connection's \`impersonate-email\` parameter (comma-separated list supported)
+2. Using the returned \`calendars\` array (each item: \`{ impersonateEmail, id, summary, primary, accessRole }\`), tell the user "Please select a calendar.", then call \`updateConnectionParameters\`:
+   - \`parameterSlug\`: \`"calendar-id"\`
+   - \`options\`: The calendar list. Each option's \`label\` should be \`Calendar Name (owner: impersonateEmail)\`, \`value\` should be the calendar ID
+   - If \`errors\` contains failing email addresses, briefly mention them
+3. The \`label\` of the user's selected calendar will arrive as a message. Extract the owner email from that label and call \`updateConnectionParameters\`:
+   - \`parameterSlug\`: \`"impersonate-email"\`
+   - \`options\`: \`[{ value: <ownerEmail>, label: <ownerEmail> }]\` (pass the selected calendar's owner email as a single option)
+4. Call \`updateConnectionContext\` to record the target:
+   - \`user\`: The configured email address
+   - \`calendar\`: The selected calendar's name
+   - \`calendarId\`: The selected calendar ID
+   - \`note\`: A description such as "Accessing {email}'s {calendar} via Domain-wide Delegation"
+
+#### Constraints
+- **Do NOT prompt the user for any input (e.g., email addresses) during setup**. The required values come from the connection parameters (\`impersonate-email\`) filled in at connection creation time
+- **Domain-wide Delegation must be configured on the service account**. If \`${listCalendarsToolName}\` returns permission errors in the \`errors\` field, ask the user to verify the Domain-wide Delegation setup with their Google Workspace administrator
+- Write only 1 sentence between tool calls, then immediately call the next tool. Skip unnecessary explanations and proceed efficiently`
+  },
   dataOverviewInstructions: {
     en: `1. Call google-calendar_request with GET /calendars/{calendarId} to get the default calendar's metadata
 2. Call google-calendar_request with GET /users/me/calendarList to list all accessible calendars
@@ -342,33 +573,33 @@ var googleCalendarOnboarding = new ConnectorOnboarding({
 });
 
 // ../connectors/src/connectors/google-calendar/tools/request.ts
-import { z } from "zod";
-var BASE_URL2 = "https://www.googleapis.com/calendar/v3";
-var REQUEST_TIMEOUT_MS = 6e4;
-var inputSchema = z.object({
-  toolUseIntent: z.string().optional().describe(
+import { z as z2 } from "zod";
+var BASE_URL3 = "https://www.googleapis.com/calendar/v3";
+var REQUEST_TIMEOUT_MS2 = 6e4;
+var inputSchema2 = z2.object({
+  toolUseIntent: z2.string().optional().describe(
     "Brief description of what you intend to accomplish with this tool call"
   ),
-  connectionId: z.string().describe("ID of the Google Calendar connection to use"),
-  method: z.enum(["GET", "POST", "PUT", "PATCH", "DELETE"]).describe("HTTP method"),
-  path: z.string().describe(
+  connectionId: z2.string().describe("ID of the Google Calendar connection to use"),
+  method: z2.enum(["GET", "POST", "PUT", "PATCH", "DELETE"]).describe("HTTP method"),
+  path: z2.string().describe(
     "API path appended to https://www.googleapis.com/calendar/v3 (e.g., '/calendars/{calendarId}/events'). {calendarId} is automatically replaced."
   ),
-  queryParams: z.record(z.string(), z.string()).optional().describe("Query parameters to append to the URL"),
-  body: z.record(z.string(), z.unknown()).optional().describe("Request body (JSON) for POST/PUT/PATCH methods"),
-  subject: z.string().optional().describe(
-    "Email address of the user to impersonate via Domain-wide Delegation. When set, the service account acts on behalf of this user."
+  queryParams: z2.record(z2.string(), z2.string()).optional().describe("Query parameters to append to the URL"),
+  body: z2.record(z2.string(), z2.unknown()).optional().describe("Request body (JSON) for POST/PUT/PATCH methods"),
+  subject: z2.string().optional().describe(
+    "Override the email address of the user to impersonate via Domain-wide Delegation. If omitted, the connection's configured user email is used."
   )
 });
-var outputSchema = z.discriminatedUnion("success", [
-  z.object({
-    success: z.literal(true),
-    status: z.number(),
-    data: z.record(z.string(), z.unknown())
+var outputSchema2 = z2.discriminatedUnion("success", [
+  z2.object({
+    success: z2.literal(true),
+    status: z2.number(),
+    data: z2.record(z2.string(), z2.unknown())
   }),
-  z.object({
-    success: z.literal(false),
-    error: z.string()
+  z2.object({
+    success: z2.literal(false),
+    error: z2.string()
   })
 ]);
 var requestTool = new ConnectorTool({
@@ -376,8 +607,8 @@ var requestTool = new ConnectorTool({
   description: `Send authenticated requests to the Google Calendar API v3.
 Authentication is handled automatically using a service account.
 {calendarId} in the path is automatically replaced with the connection's default calendar ID.`,
-  inputSchema,
-  outputSchema,
+  inputSchema: inputSchema2,
+  outputSchema: outputSchema2,
   async execute({ connectionId, method, path: path2, queryParams, body, subject }, connections) {
     const connection2 = connections.find((c) => c.id === connectionId);
     if (!connection2) {
@@ -392,7 +623,15 @@ Authentication is handled automatically using a service account.
     try {
       const { GoogleAuth } = await import("google-auth-library");
       const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
+      const impersonateEmail = parameters.impersonateEmail.tryGetValue(connection2);
       const calendarId = parameters.calendarId.tryGetValue(connection2) ?? "primary";
+      const resolvedSubject = subject ?? impersonateEmail;
+      if (!resolvedSubject) {
+        return {
+          success: false,
+          error: `Missing required parameter: ${parameters.impersonateEmail.slug}. Configure the user email for this connection.`
+        };
+      }
       const credentials = JSON.parse(
         Buffer.from(keyJsonBase64, "base64").toString("utf-8")
       );
@@ -402,7 +641,7 @@ Authentication is handled automatically using a service account.
           "https://www.googleapis.com/auth/calendar.readonly",
           "https://www.googleapis.com/auth/calendar.events.readonly"
         ],
-        ...subject ? { clientOptions: { subject } } : {}
+        clientOptions: { subject: resolvedSubject }
       });
       const token = await auth.getAccessToken();
       if (!token) {
@@ -412,13 +651,13 @@ Authentication is handled automatically using a service account.
         };
       }
       const resolvedPath = path2.replace(/\{calendarId\}/g, calendarId);
-      let url = `${BASE_URL2}${resolvedPath.startsWith("/") ? "" : "/"}${resolvedPath}`;
+      let url = `${BASE_URL3}${resolvedPath.startsWith("/") ? "" : "/"}${resolvedPath}`;
       if (queryParams) {
         const searchParams = new URLSearchParams(queryParams);
         url += `?${searchParams.toString()}`;
       }
       const controller = new AbortController();
-      const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+      const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS2);
       try {
         const response = await fetch(url, {
           method,
@@ -456,26 +695,26 @@ Authentication is handled automatically using a service account.
 });
 
 // ../connectors/src/connectors/google-calendar/index.ts
-var tools = { request: requestTool };
+var tools = { request: requestTool, listCalendars: listCalendarsTool };
 var googleCalendarConnector = new ConnectorPlugin({
   slug: "google-calendar",
   authType: AUTH_TYPES.SERVICE_ACCOUNT,
   name: "Google Calendar",
   description: "Connect to Google Calendar for calendar and event data access using a service account.",
-  iconUrl: "https://images.ctfassets.net/9ncizv60xc5y/5D9eTiMxiL7MaezWXyAaLG/dbcf25e1d51ab877548b3d77e4b02c6d/google-calendar.svg",
+  iconUrl: "https://images.ctfassets.net/9ncizv60xc5y/2YsqoBEpdELmfDeFcyGHyE/4494c633b5ae15e562cb739cd85442c1/google-calendar.png",
   parameters,
   releaseFlag: { dev1: true, dev2: true, prod: true },
   onboarding: googleCalendarOnboarding,
   systemPrompt: {
     en: `### Tools
 
-- \`google-calendar_request\`: The only way to call the Google Calendar API. Use it to list calendars, get events, and manage calendar data. Authentication is handled automatically using a service account. The {calendarId} placeholder in paths is automatically replaced with the configured default calendar ID. Supports Domain-wide Delegation via the optional \`subject\` parameter to impersonate a user.
+- \`google-calendar_request\`: The only way to call the Google Calendar API. Use it to list calendars, get events, and manage calendar data. Authentication is handled automatically using a service account with Domain-wide Delegation \u2014 the service account impersonates the user configured on the connection (\`impersonate-email\` parameter). The {calendarId} placeholder in paths is automatically replaced with the configured default calendar ID. Pass an optional \`subject\` only if you need to override the configured user for a specific request.
 
 ### Business Logic
 
 The business logic type for this connector is "typescript". Use the connector SDK in your handler. Do NOT read credentials from environment variables.
 
-SDK methods (client created via \`connection(connectionId)\` or \`connection(connectionId, { subject })\`):
+SDK methods (client created via \`connection(connectionId)\` \u2014 the connection's \`impersonate-email\` parameter is used automatically for Domain-wide Delegation):
 - \`client.listCalendars()\` \u2014 list all accessible calendars
 - \`client.listEvents(options?, calendarId?)\` \u2014 list events with optional filters
 - \`client.getEvent(eventId, calendarId?)\` \u2014 get a single event by ID
@@ -483,10 +722,10 @@ SDK methods (client created via \`connection(connectionId)\` or \`connection(con
 
 #### Domain-wide Delegation
 
-To access a user's calendar via Domain-wide Delegation, pass \`subject\` (the user's email) as the second argument to \`connection()\`:
+The target user email is configured on the connection (\`impersonate-email\` parameter), so \`connection()\` automatically uses it. Pass \`subject\` only to override it:
 
 \`\`\`ts
-const calendar = connection("<connectionId>", { subject: "user@example.com" });
+const calendar = connection("<connectionId>", { subject: "other-user@example.com" });
 \`\`\`
 
 \`\`\`ts
@@ -540,13 +779,13 @@ export default async function handler(c: Context) {
 - The default calendar ID is "primary" if not configured`,
     ja: `### \u30C4\u30FC\u30EB
 
-- \`google-calendar_request\`: Google Calendar API\u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30AB\u30EC\u30F3\u30C0\u30FC\u306E\u4E00\u89A7\u53D6\u5F97\u3001\u30A4\u30D9\u30F3\u30C8\u306E\u53D6\u5F97\u3001\u30AB\u30EC\u30F3\u30C0\u30FC\u30C7\u30FC\u30BF\u306E\u7BA1\u7406\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u3092\u4F7F\u7528\u3057\u3066\u8A8D\u8A3C\u306F\u81EA\u52D5\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002\u30D1\u30B9\u5185\u306E{calendarId}\u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u306F\u8A2D\u5B9A\u6E08\u307F\u306E\u30C7\u30D5\u30A9\u30EB\u30C8\u30AB\u30EC\u30F3\u30C0\u30FCID\u3067\u81EA\u52D5\u7684\u306B\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002Domain-wide Delegation\u3092\u4F7F\u7528\u3059\u308B\u5834\u5408\u3001\u30AA\u30D7\u30B7\u30E7\u30F3\u306E\`subject\`\u30D1\u30E9\u30E1\u30FC\u30BF\u3067\u30E6\u30FC\u30B6\u30FC\u3092\u507D\u88C5\u3067\u304D\u307E\u3059\u3002
+- \`google-calendar_request\`: Google Calendar API\u3092\u547C\u3073\u51FA\u3059\u552F\u4E00\u306E\u624B\u6BB5\u3067\u3059\u3002\u30AB\u30EC\u30F3\u30C0\u30FC\u306E\u4E00\u89A7\u53D6\u5F97\u3001\u30A4\u30D9\u30F3\u30C8\u306E\u53D6\u5F97\u3001\u30AB\u30EC\u30F3\u30C0\u30FC\u30C7\u30FC\u30BF\u306E\u7BA1\u7406\u306B\u4F7F\u7528\u3057\u307E\u3059\u3002\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\uFF0BDomain-wide Delegation\u3067\u8A8D\u8A3C\u304C\u81EA\u52D5\u7684\u306B\u51E6\u7406\u3055\u308C\u3001\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306B\u8A2D\u5B9A\u3055\u308C\u305F\u30E6\u30FC\u30B6\u30FC\uFF08\`impersonate-email\`\u30D1\u30E9\u30E1\u30FC\u30BF\uFF09\u3068\u3057\u3066\u52D5\u4F5C\u3057\u307E\u3059\u3002\u30D1\u30B9\u5185\u306E{calendarId}\u30D7\u30EC\u30FC\u30B9\u30DB\u30EB\u30C0\u30FC\u306F\u8A2D\u5B9A\u6E08\u307F\u306E\u30C7\u30D5\u30A9\u30EB\u30C8\u30AB\u30EC\u30F3\u30C0\u30FCID\u3067\u81EA\u52D5\u7684\u306B\u7F6E\u63DB\u3055\u308C\u307E\u3059\u3002\u7279\u5B9A\u30EA\u30AF\u30A8\u30B9\u30C8\u3067\u8A2D\u5B9A\u30E6\u30FC\u30B6\u30FC\u3092\u4E0A\u66F8\u304D\u3057\u305F\u3044\u5834\u5408\u306E\u307F\u3001\u30AA\u30D7\u30B7\u30E7\u30F3\u306E\`subject\`\u30D1\u30E9\u30E1\u30FC\u30BF\u3092\u6E21\u3057\u3066\u304F\u3060\u3055\u3044\u3002
 
 ### Business Logic
 
 \u3053\u306E\u30B3\u30CD\u30AF\u30BF\u306E\u30D3\u30B8\u30CD\u30B9\u30ED\u30B8\u30C3\u30AF\u30BF\u30A4\u30D7\u306F "typescript" \u3067\u3059\u3002\u30CF\u30F3\u30C9\u30E9\u5185\u3067\u306F\u30B3\u30CD\u30AF\u30BFSDK\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u74B0\u5883\u5909\u6570\u304B\u3089\u8A8D\u8A3C\u60C5\u5831\u3092\u8AAD\u307F\u53D6\u3089\u306A\u3044\u3067\u304F\u3060\u3055\u3044\u3002
 
-SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u307E\u305F\u306F \`connection(connectionId, { subject })\` \u3067\u4F5C\u6210\u3057\u305F\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8):
+SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u3067\u4F5C\u6210\u3057\u305F\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8 \u2014 \u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\`impersonate-email\`\u30D1\u30E9\u30E1\u30FC\u30BF\u304C\u81EA\u52D5\u7684\u306BDomain-wide Delegation\u306Esubject\u3068\u3057\u3066\u4F7F\u308F\u308C\u307E\u3059):
 - \`client.listCalendars()\` \u2014 \u30A2\u30AF\u30BB\u30B9\u53EF\u80FD\u306A\u5168\u30AB\u30EC\u30F3\u30C0\u30FC\u306E\u4E00\u89A7\u53D6\u5F97
 - \`client.listEvents(options?, calendarId?)\` \u2014 \u30D5\u30A3\u30EB\u30BF\u30FC\u4ED8\u304D\u30A4\u30D9\u30F3\u30C8\u4E00\u89A7\u53D6\u5F97
 - \`client.getEvent(eventId, calendarId?)\` \u2014 ID\u306B\u3088\u308B\u5358\u4E00\u30A4\u30D9\u30F3\u30C8\u53D6\u5F97
@@ -554,10 +793,10 @@ SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u307E\u305F\u306F \`c
 
 #### Domain-wide Delegation
 
-Domain-wide Delegation\u3067\u30E6\u30FC\u30B6\u30FC\u306E\u30AB\u30EC\u30F3\u30C0\u30FC\u306B\u30A2\u30AF\u30BB\u30B9\u3059\u308B\u306B\u306F\u3001\`connection()\`\u306E\u7B2C2\u5F15\u6570\u306B\`subject\`\uFF08\u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\uFF09\u3092\u6E21\u3057\u307E\u3059\uFF1A
+\u5BFE\u8C61\u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\uFF08\`impersonate-email\`\u30D1\u30E9\u30E1\u30FC\u30BF\uFF09\u306B\u8A2D\u5B9A\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\`connection()\`\u306F\u81EA\u52D5\u7684\u306B\u305D\u308C\u3092\u4F7F\u3044\u307E\u3059\u3002\u4E0A\u66F8\u304D\u3057\u305F\u3044\u5834\u5408\u306E\u307F\`subject\`\u3092\u6E21\u3057\u307E\u3059\uFF1A
 
 \`\`\`ts
-const calendar = connection("<connectionId>", { subject: "user@example.com" });
+const calendar = connection("<connectionId>", { subject: "other-user@example.com" });
 \`\`\`
 
 \`\`\`ts
@@ -635,6 +874,79 @@ function resolveEnvVarOptional(entry, key) {
   return process.env[envVarName] || void 0;
 }
 
+// src/connector-client/proxy-fetch.ts
+import { getContext } from "hono/context-storage";
+import { getCookie } from "hono/cookie";
+var APP_SESSION_COOKIE_NAME = "__Host-squadbase-session";
+function createSandboxProxyFetch(connectionId) {
+  return async (input, init) => {
+    const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
+    const sandboxId = process.env.INTERNAL_SQUADBASE_SANDBOX_ID;
+    if (!token || !sandboxId) {
+      throw new Error(
+        "Connection proxy is not configured. Please check your deployment settings."
+      );
+    }
+    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+    const proxyUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+    return fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify({
+        url: originalUrl,
+        method: originalMethod,
+        body: originalBody
+      })
+    });
+  };
+}
+function createDeployedAppProxyFetch(connectionId) {
+  const projectId = process.env["SQUADBASE_PROJECT_ID"];
+  if (!projectId) {
+    throw new Error(
+      "Connection proxy is not configured. Please check your deployment settings."
+    );
+  }
+  const baseDomain = process.env["SQUADBASE_APP_BASE_DOMAIN"] ?? "squadbase.app";
+  const proxyUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+  return async (input, init) => {
+    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const c = getContext();
+    const appSession = getCookie(c, APP_SESSION_COOKIE_NAME);
+    if (!appSession) {
+      throw new Error(
+        "No authentication method available for connection proxy."
+      );
+    }
+    return fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${appSession}`
+      },
+      body: JSON.stringify({
+        url: originalUrl,
+        method: originalMethod,
+        body: originalBody
+      })
+    });
+  };
+}
+function createProxyFetch(connectionId) {
+  if (process.env.INTERNAL_SQUADBASE_SANDBOX_ID) {
+    return createSandboxProxyFetch(connectionId);
+  }
+  return createDeployedAppProxyFetch(connectionId);
+}
+
 // src/connectors/create-connector-sdk.ts
 function loadConnectionsSync() {
   const filePath = process.env.CONNECTIONS_PATH ?? path.join(process.cwd(), ".squadbase/connections.json");
@@ -668,21 +980,12 @@ function createConnectorSdk(plugin, createClient2) {
         if (val !== void 0) params[param.slug] = val;
       }
     }
-    return createClient2(params);
+    return createClient2(params, createProxyFetch(connectionId));
   };
 }
 
 // src/connectors/entries/google-calendar.ts
-var baseConnection = createConnectorSdk(googleCalendarConnector, createClient);
-var connection = (connectionId, options) => {
-  if (options) {
-    return createConnectorSdk(
-      googleCalendarConnector,
-      (params) => createClient(params, options)
-    )(connectionId);
-  }
-  return baseConnection(connectionId);
-};
+var connection = createConnectorSdk(googleCalendarConnector, createClient);
 export {
   connection
 };