@squadbase/vite-server 0.1.8 → 0.1.9-dev.3841401

package/dist/connectors/google-audit-log.js

@@ -0,0 +1,813 @@
+// ../connectors/src/parameter-definition.ts
+var ParameterDefinition = class {
+  slug;
+  name;
+  description;
+  envVarBaseKey;
+  type;
+  secret;
+  required;
+  constructor(config) {
+    this.slug = config.slug;
+    this.name = config.name;
+    this.description = config.description;
+    this.envVarBaseKey = config.envVarBaseKey;
+    this.type = config.type;
+    this.secret = config.secret;
+    this.required = config.required;
+  }
+  /**
+   * Get the parameter value from a ConnectorConnectionObject.
+   */
+  getValue(connection2) {
+    const param = connection2.parameters.find(
+      (p) => p.parameterSlug === this.slug
+    );
+    if (!param || param.value == null) {
+      throw new Error(
+        `Parameter "${this.slug}" not found or has no value in connection "${connection2.id}"`
+      );
+    }
+    return param.value;
+  }
+  /**
+   * Try to get the parameter value. Returns undefined if not found (for optional params).
+   */
+  tryGetValue(connection2) {
+    const param = connection2.parameters.find(
+      (p) => p.parameterSlug === this.slug
+    );
+    if (!param || param.value == null) return void 0;
+    return param.value;
+  }
+};
+
+// ../connectors/src/connectors/google-audit-log/parameters.ts
+var parameters = {
+  serviceAccountKeyJsonBase64: new ParameterDefinition({
+    slug: "service-account-key-json-base64",
+    name: "Google Cloud Service Account JSON",
+    description: "The service account JSON key. Domain-wide Delegation must be authorized in the Google Workspace admin console for the Admin SDK Reports API scopes (admin.reports.audit.readonly, admin.reports.usage.readonly). The Workspace admin user to impersonate is supplied per call as the `subject` argument.",
+    envVarBaseKey: "GOOGLE_AUDIT_LOG_SERVICE_ACCOUNT_JSON_BASE64",
+    type: "base64EncodedJson",
+    secret: true,
+    required: true
+  })
+};
+
+// ../connectors/src/connectors/google-audit-log/sdk/index.ts
+var BASE_URL = "https://admin.googleapis.com/admin/reports/v1";
+function createClient(params) {
+  const serviceAccountKeyJsonBase64 = params[parameters.serviceAccountKeyJsonBase64.slug];
+  if (!serviceAccountKeyJsonBase64) {
+    throw new Error(
+      `google-audit-log: missing required parameter: ${parameters.serviceAccountKeyJsonBase64.slug}`
+    );
+  }
+  let serviceAccountKey;
+  try {
+    const decoded = Buffer.from(
+      serviceAccountKeyJsonBase64,
+      "base64"
+    ).toString("utf-8");
+    serviceAccountKey = JSON.parse(decoded);
+  } catch {
+    throw new Error(
+      "google-audit-log: failed to decode service account key JSON from base64"
+    );
+  }
+  if (!serviceAccountKey.client_email || !serviceAccountKey.private_key) {
+    throw new Error(
+      "google-audit-log: service account key JSON must contain client_email and private_key"
+    );
+  }
+  return {
+    async requestWithDelegation(path2, { subject, scopes, init }) {
+      const { GoogleAuth } = await import("google-auth-library");
+      const auth = new GoogleAuth({
+        credentials: {
+          client_email: serviceAccountKey.client_email,
+          private_key: serviceAccountKey.private_key
+        },
+        scopes,
+        clientOptions: { subject }
+      });
+      const token = await auth.getAccessToken();
+      if (!token) {
+        throw new Error(
+          `google-audit-log: failed to obtain access token for ${subject}`
+        );
+      }
+      const url = `${BASE_URL}${path2.startsWith("/") ? "" : "/"}${path2}`;
+      const headers = new Headers(init?.headers);
+      headers.set("Authorization", `Bearer ${token}`);
+      return fetch(url, { ...init, headers });
+    }
+  };
+}
+
+// ../connectors/src/connector-onboarding.ts
+var ConnectorOnboarding = class {
+  /** Phase 1: Connection setup instructions (optional — some connectors don't need this) */
+  connectionSetupInstructions;
+  /** Phase 2: Data overview instructions */
+  dataOverviewInstructions;
+  constructor(config) {
+    this.connectionSetupInstructions = config.connectionSetupInstructions;
+    this.dataOverviewInstructions = config.dataOverviewInstructions;
+  }
+  getConnectionSetupPrompt(language) {
+    return this.connectionSetupInstructions?.[language] ?? null;
+  }
+  getDataOverviewInstructions(language) {
+    return this.dataOverviewInstructions[language];
+  }
+};
+
+// ../connectors/src/connector-tool.ts
+var ConnectorTool = class {
+  name;
+  description;
+  inputSchema;
+  outputSchema;
+  _execute;
+  constructor(config) {
+    this.name = config.name;
+    this.description = config.description;
+    this.inputSchema = config.inputSchema;
+    this.outputSchema = config.outputSchema;
+    this._execute = config.execute;
+  }
+  createTool(connections, config) {
+    return {
+      description: this.description,
+      inputSchema: this.inputSchema,
+      outputSchema: this.outputSchema,
+      execute: (input) => this._execute(input, connections, config)
+    };
+  }
+};
+
+// ../connectors/src/connector-plugin.ts
+var ConnectorPlugin = class _ConnectorPlugin {
+  slug;
+  authType;
+  name;
+  description;
+  iconUrl;
+  parameters;
+  releaseFlag;
+  proxyPolicy;
+  experimentalAttributes;
+  categories;
+  onboarding;
+  systemPrompt;
+  tools;
+  query;
+  checkConnection;
+  constructor(config) {
+    this.slug = config.slug;
+    this.authType = config.authType;
+    this.name = config.name;
+    this.description = config.description;
+    this.iconUrl = config.iconUrl;
+    this.parameters = config.parameters;
+    this.releaseFlag = config.releaseFlag;
+    this.proxyPolicy = config.proxyPolicy;
+    this.experimentalAttributes = config.experimentalAttributes;
+    this.categories = config.categories ?? [];
+    this.onboarding = config.onboarding;
+    this.systemPrompt = config.systemPrompt;
+    this.tools = config.tools;
+    this.query = config.query;
+    this.checkConnection = config.checkConnection;
+  }
+  get connectorKey() {
+    return _ConnectorPlugin.deriveKey(this.slug, this.authType);
+  }
+  /**
+   * Create tools for connections that belong to this connector.
+   * Filters connections by connectorKey internally.
+   * Returns tools keyed as `${connectorKey}_${toolName}`.
+   */
+  createTools(connections, config, opts) {
+    const myConnections = connections.filter(
+      (c) => _ConnectorPlugin.deriveKey(c.connector.slug, c.connector.authType) === this.connectorKey
+    );
+    const result = {};
+    for (const t of Object.values(this.tools)) {
+      const tool = t.createTool(myConnections, config);
+      const originalToModelOutput = tool.toModelOutput;
+      result[`${this.connectorKey}_${t.name}`] = {
+        ...tool,
+        toModelOutput: async (options) => {
+          if (!originalToModelOutput) {
+            return opts.truncateOutput(options.output);
+          }
+          const modelOutput = await originalToModelOutput(options);
+          if (modelOutput.type === "text" || modelOutput.type === "json") {
+            return opts.truncateOutput(modelOutput.value);
+          }
+          return modelOutput;
+        }
+      };
+    }
+    return result;
+  }
+  static deriveKey(slug, authType) {
+    if (authType) return `${slug}-${authType}`;
+    const LEGACY_NULL_AUTH_TYPE_MAP = {
+      // user-password
+      "postgresql": "user-password",
+      "mysql": "user-password",
+      "clickhouse": "user-password",
+      "kintone": "user-password",
+      "squadbase-db": "user-password",
+      // service-account
+      "snowflake": "service-account",
+      "bigquery": "service-account",
+      "google-analytics": "service-account",
+      "google-calendar": "service-account",
+      "aws-athena": "service-account",
+      "redshift": "service-account",
+      // api-key
+      "databricks": "api-key",
+      "dbt": "api-key",
+      "airtable": "api-key",
+      "openai": "api-key",
+      "gemini": "api-key",
+      "anthropic": "api-key",
+      "wix-store": "api-key"
+    };
+    const fallbackAuthType = LEGACY_NULL_AUTH_TYPE_MAP[slug];
+    if (fallbackAuthType) return `${slug}-${fallbackAuthType}`;
+    return slug;
+  }
+};
+
+// ../connectors/src/auth-types.ts
+var AUTH_TYPES = {
+  OAUTH: "oauth",
+  API_KEY: "api-key",
+  JWT: "jwt",
+  SERVICE_ACCOUNT: "service-account",
+  PAT: "pat",
+  USER_PASSWORD: "user-password"
+};
+
+// ../connectors/src/lib/normalize-path.ts
+function normalizeRequestPath(path2, basePathSegment) {
+  let p = path2.trim();
+  if (!p.startsWith("/")) p = "/" + p;
+  if (p === basePathSegment || p.startsWith(basePathSegment + "/")) {
+    p = p.slice(basePathSegment.length) || "/";
+  }
+  return p;
+}
+
+// ../connectors/src/connectors/google-audit-log/tools/request-with-delegation.ts
+import { z } from "zod";
+var BASE_HOST = "https://admin.googleapis.com";
+var BASE_PATH_SEGMENT = "/admin/reports/v1";
+var BASE_URL2 = `${BASE_HOST}${BASE_PATH_SEGMENT}`;
+var REQUEST_TIMEOUT_MS = 6e4;
+function decodeServiceAccount(keyJsonBase64) {
+  const decoded = Buffer.from(keyJsonBase64, "base64").toString("utf-8");
+  return JSON.parse(decoded);
+}
+var inputSchema = z.object({
+  toolUseIntent: z.string().optional().describe(
+    "Brief description of what you intend to accomplish with this tool call"
+  ),
+  connectionId: z.string().describe(
+    "ID of the Google Audit Log (Admin SDK Reports) service account connection to use"
+  ),
+  method: z.enum(["GET"]).describe("HTTP method. Reports API is read-only."),
+  path: z.string().describe(
+    "API path appended to https://admin.googleapis.com/admin/reports/v1. Examples: '/activity/users/all/applications/login', '/activity/users/{userKey}/applications/drive', '/usage/users/all/dates/2025-04-01', '/usage/dates/2025-04-01'."
+  ),
+  subject: z.string().describe(
+    "Email of the Google Workspace admin user to impersonate via Domain-wide Delegation. The Reports API requires the impersonated user to have admin privileges in the Workspace."
+  ),
+  scopes: z.array(z.string()).describe(
+    "OAuth scopes the token must include. This connector is read-only \u2014 pass one or both of: ['https://www.googleapis.com/auth/admin.reports.audit.readonly'] (audit activities), ['https://www.googleapis.com/auth/admin.reports.usage.readonly'] (usage reports). For maximum coverage you can pass both."
+  ),
+  queryParams: z.record(z.string(), z.string()).optional().describe(
+    "Query parameters to append to the URL (e.g., { startTime: '2025-04-01T00:00:00Z', endTime: '2025-04-30T23:59:59Z', maxResults: '100', pageToken: '...', eventName: 'login_success', filters: 'doc_type==document', parameters: 'accounts:num_users' })"
+  )
+});
+var outputSchema = z.discriminatedUnion("success", [
+  z.object({
+    success: z.literal(true),
+    status: z.number(),
+    data: z.record(z.string(), z.unknown()),
+    serviceAccountEmail: z.string()
+  }),
+  z.object({
+    success: z.literal(false),
+    error: z.string(),
+    serviceAccountEmail: z.string().optional()
+  })
+]);
+var requestWithDelegationTool = new ConnectorTool({
+  name: "request_with_delegation",
+  description: "Call the Google Workspace Admin SDK Reports API on behalf of the specified Workspace admin via Domain-wide Delegation. Read-only operations only. Pass `subject` as the admin user email and `scopes` as one or both of ['https://www.googleapis.com/auth/admin.reports.audit.readonly', 'https://www.googleapis.com/auth/admin.reports.usage.readonly']. Paths are relative to https://admin.googleapis.com/admin/reports/v1 (e.g., '/activity/users/all/applications/login', '/usage/users/all/dates/2025-04-01'). Requires Domain-wide Delegation to be authorized for the service account in the Workspace admin console.",
+  inputSchema,
+  outputSchema,
+  async execute({ connectionId, method, path: path2, subject, scopes, queryParams }, connections) {
+    const connection2 = connections.find((c) => c.id === connectionId);
+    if (!connection2) {
+      return {
+        success: false,
+        error: `Connection ${connectionId} not found`
+      };
+    }
+    const keyJsonBase64 = parameters.serviceAccountKeyJsonBase64.getValue(connection2);
+    let serviceAccount;
+    try {
+      serviceAccount = decodeServiceAccount(keyJsonBase64);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: `Failed to decode service account key: ${msg}`
+      };
+    }
+    const serviceAccountEmail = serviceAccount.client_email;
+    console.log(
+      `[connector-request] google-audit-log/${connection2.name}: ${method} ${path2} subject=${subject}`
+    );
+    try {
+      const { GoogleAuth } = await import("google-auth-library");
+      const auth = new GoogleAuth({
+        credentials: {
+          client_email: serviceAccount.client_email,
+          private_key: serviceAccount.private_key
+        },
+        scopes,
+        clientOptions: { subject }
+      });
+      const token = await auth.getAccessToken();
+      if (!token) {
+        return {
+          success: false,
+          error: "Failed to obtain access token",
+          serviceAccountEmail
+        };
+      }
+      const normalizedPath = normalizeRequestPath(path2, BASE_PATH_SEGMENT);
+      let url = `${BASE_URL2}${normalizedPath}`;
+      if (queryParams) {
+        const searchParams = new URLSearchParams(queryParams);
+        url += `?${searchParams.toString()}`;
+      }
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+      try {
+        const response = await fetch(url, {
+          method,
+          headers: {
+            Authorization: `Bearer ${token}`,
+            "Content-Type": "application/json"
+          },
+          signal: controller.signal
+        });
+        const data = await response.json().catch(() => ({}));
+        if (!response.ok) {
+          const errorObj = data?.error;
+          const errorMessage = errorObj?.message ?? (typeof data?.message === "string" ? data.message : `HTTP ${response.status} ${response.statusText}`);
+          return {
+            success: false,
+            error: errorMessage,
+            serviceAccountEmail
+          };
+        }
+        return {
+          success: true,
+          status: response.status,
+          data,
+          serviceAccountEmail
+        };
+      } finally {
+        clearTimeout(timeout);
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: msg,
+        serviceAccountEmail
+      };
+    }
+  }
+});
+
+// ../connectors/src/connectors/google-audit-log/setup.ts
+var requestWithDelegationToolName = `google-audit-log-service-account_${requestWithDelegationTool.name}`;
+var READONLY_SCOPES = '["https://www.googleapis.com/auth/admin.reports.audit.readonly", "https://www.googleapis.com/auth/admin.reports.usage.readonly"]';
+var googleAuditLogOnboarding = new ConnectorOnboarding({
+  connectionSetupInstructions: {
+    ja: `Google Audit Log\uFF08\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\uFF09\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u3092\u884C\u3044\u307E\u3059\u3002Reports API \u306F Workspace \u7BA1\u7406\u8005\u6A29\u9650\u3092\u6301\u3064\u30E6\u30FC\u30B6\u30FC\u306B\u306A\u308A\u3059\u307E\u3057\u3066\u547C\u3073\u51FA\u3059\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\u30A2\u30AF\u30BB\u30B9\u306B\u4F7F\u3046\u7BA1\u7406\u8005\u30E6\u30FC\u30B6\u30FC\u3092\u30E6\u30FC\u30B6\u30FC\u304B\u3089\u805E\u304D\u3001Project Knowledge \u306B\u8A18\u9332\u3057\u307E\u3059\u3002
+
+1. \`askUserQuestion\` \u3067\u5BFE\u8C61\u306E Workspace \u7BA1\u7406\u8005\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u805E\u304F:
+   - \`type\`: \`"freeText"\`
+   - \`question\`: \u300CAudit Log / Usage Report \u306E\u53D6\u5F97\u306B\u4F7F\u3046 Google Workspace \u7BA1\u7406\u8005\u30E6\u30FC\u30B6\u30FC\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044\uFF08\u8907\u6570\u53EF\u3001\u30AB\u30F3\u30DE\u533A\u5207\u308A\uFF09\u3002Reports API \u3078\u306E\u6A29\u9650\u3092\u6301\u3064\u30A2\u30AB\u30A6\u30F3\u30C8\u3067\u3042\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\u300D
+   - \`placeholder\`: \`"admin@example.com"\`
+
+2. \u30E6\u30FC\u30B6\u30FC\u304B\u3089\u53D7\u3051\u53D6\u3063\u305F\u6587\u5B57\u5217\u304B\u3089\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u62BD\u51FA\u3059\u308B\u3002\u5404 \`<email>\` \u306B\u3064\u3044\u3066 \`${requestWithDelegationToolName}\` \u3092\u4EE5\u4E0B\u306E\u5F15\u6570\u3067\u547C\u3073\u3001Domain-wide Delegation \u7D4C\u7531\u3067\u30A2\u30AF\u30BB\u30B9\u53EF\u80FD\u304B\u3092\u78BA\u8A8D\u3059\u308B:
+   - \`method\`: \`"GET"\`
+   - \`path\`: \`"/activity/users/all/applications/login"\`
+   - \`subject\`: \`<email>\`
+   - \`scopes\`: \`${READONLY_SCOPES}\`
+   - \`queryParams\`: \`{ "maxResults": "1" }\`
+
+3. \u5931\u6557\u3057\u305F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u304C\u3042\u308C\u3070\u3001\u30A8\u30E9\u30FC\u30EC\u30B9\u30DD\u30F3\u30B9\u306E \`serviceAccountEmail\` \u30D5\u30A3\u30FC\u30EB\u30C9\u304B\u3089\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u53D6\u308A\u51FA\u3057\u3001\`askUserQuestion\` \u3067\u6B21\u306E\u9078\u629E\u80A2\u3092\u63D0\u793A\u3059\u308B\u3002\`question\` \u306B\u306F\u6B21\u306E\u6848\u5185\u6587\u3092\u542B\u3081\u308B: \u300C\u6B21\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3067\u306F Reports API \u306B\u30A2\u30AF\u30BB\u30B9\u3067\u304D\u307E\u305B\u3093\u3067\u3057\u305F: {\u5931\u6557\u30A2\u30C9\u30EC\u30B9\u4E00\u89A7}\u3002\u30B5\u30FC\u30D3\u30B9\u30A2\u30AB\u30A6\u30F3\u30C8 \`<serviceAccountEmail>\` \u306E Domain-wide Delegation \u304C Workspace \u7BA1\u7406\u30B3\u30F3\u30BD\u30FC\u30EB\u3067\u627F\u8A8D\u3055\u308C\u3066\u304A\u308A\u3001\u5BFE\u8C61\u30B9\u30B3\u30FC\u30D7\uFF08\`admin.reports.audit.readonly\`, \`admin.reports.usage.readonly\`\uFF09\u304C\u6709\u52B9\u5316\u3055\u308C\u3066\u3044\u308B\u304B\u3001\u307E\u305F\u6307\u5B9A\u3057\u305F\u30E6\u30FC\u30B6\u30FC\u304C Workspace \u306E\u7BA1\u7406\u8005\u30ED\u30FC\u30EB\u3092\u6301\u3063\u3066\u3044\u308B\u304B\u78BA\u8A8D\u3057\u3066\u304F\u3060\u3055\u3044\uFF08[\u8A2D\u5B9A\u30AC\u30A4\u30C9](https://support.google.com/a/answer/162106)\uFF09\u300D\u3002
+   - \`options\`: \`[{ label: "\u30C9\u30E1\u30A4\u30F3\u5168\u4F53\u306E\u59D4\u4EFB\u3092\u627F\u8A8D\u3057\u305F\u306E\u3067\u30EA\u30C8\u30E9\u30A4", value: "retry" }, { label: "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u5165\u529B\u3057\u76F4\u3059", value: "restart" }]\`
+   - \u300C\u30EA\u30C8\u30E9\u30A4\u300D: \u76F4\u524D\u306E\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u30EA\u30B9\u30C8\u3067\u30B9\u30C6\u30C3\u30D7 2 \u3092\u518D\u5B9F\u884C
+   - \u300C\u5165\u529B\u3057\u76F4\u3059\u300D: \u30B9\u30C6\u30C3\u30D7 1 \u304B\u3089\u518D\u5B9F\u884C
+
+4. \u5168\u30A2\u30C9\u30EC\u30B9\u304C\u6210\u529F\u3057\u305F\u3089 \`finalizeSetup\` \u3092\u547C\u3076\u3002\u691C\u8A3C\u6E08\u307F\u306E\u7BA1\u7406\u8005\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092\u3053\u306E\u30B3\u30CD\u30AF\u30B7\u30E7\u30F3\u306E\u30B9\u30B3\u30FC\u30D7\u60C5\u5831\u3068\u3057\u3066\u8A18\u9332\u3059\u308B\u3002
+
+#### \u5236\u7D04
+- \u30BB\u30C3\u30C8\u30A2\u30C3\u30D7\u4E2D\u306B\u53D6\u5F97\u3057\u305F\u76E3\u67FB\u30ED\u30B0\u672C\u6587\u3092\u8AAD\u307F\u53D6\u3089\u306A\u3044\u3053\u3068\u3002\u8A31\u53EF\u3055\u308C\u3066\u3044\u308B\u306E\u306F\u30B9\u30C6\u30C3\u30D7 2 \u306E\u30A2\u30AF\u30BB\u30B9\u78BA\u8A8D\u306E\u307F
+- \u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057\u306E\u9593\u306F 1 \u6587\u3060\u3051\u66F8\u3044\u3066\u5373\u6B21\u306E\u30C4\u30FC\u30EB\u547C\u3073\u51FA\u3057`,
+    en: `Set up the Google Audit Log (Service Account) connection. The Reports API requires impersonating a user with Workspace admin privileges. Ask the user which admin user(s) to access, verify each via Domain-wide Delegation, and record them in Project Knowledge.
+
+1. Call \`askUserQuestion\` to collect target admin emails:
+   - \`type\`: \`"freeText"\`
+   - \`question\`: "Enter the Google Workspace admin user email(s) to use for Audit Log / Usage Report access (comma-separated for multiple). The account must have the necessary admin privileges for the Reports API."
+   - \`placeholder\`: \`"admin@example.com"\`
+
+2. Extract individual emails from the response. For each \`<email>\`, verify Domain-wide Delegation access by calling \`${requestWithDelegationToolName}\`:
+   - \`method\`: \`"GET"\`
+   - \`path\`: \`"/activity/users/all/applications/login"\`
+   - \`subject\`: \`<email>\`
+   - \`scopes\`: \`${READONLY_SCOPES}\`
+   - \`queryParams\`: \`{ "maxResults": "1" }\`
+
+3. For any failed email, take \`serviceAccountEmail\` from the error response and call \`askUserQuestion\`. Include this guidance in \`question\`: "Could not access the Reports API for {failed emails}. Verify that Domain-wide Delegation for service account \`<serviceAccountEmail>\` is authorized in the Workspace admin console with the scopes \`admin.reports.audit.readonly\` and \`admin.reports.usage.readonly\`, and that the impersonated user has a Workspace admin role ([setup guide](https://support.google.com/a/answer/162106))".
+   - \`options\`: \`[{ label: "Authorized Domain-wide Delegation \u2014 retry", value: "retry" }, { label: "Re-enter the email addresses", value: "restart" }]\`
+   - On "retry" \u2192 re-run step 2 with the previously entered email list
+   - On "Re-enter" \u2192 re-run step 1
+
+4. Once every email succeeds, call \`finalizeSetup\`. Record the verified admin email addresses as this connection's scope info.
+
+#### Constraints
+- Do NOT read audit log contents during setup. Only the access verification call in step 2 is permitted
+- Write at most 1 sentence between tool calls`
+  },
+  dataOverviewInstructions: {
+    en: `Pick ONE admin user and use that user's email as \`subject\` for every call below. Pass \`scopes: ${READONLY_SCOPES}\` every time.
+
+1. \`method=GET\`, \`path=/activity/users/all/applications/login\`, \`queryParams={ maxResults: "10" }\` to verify recent login activity events are available.
+2. \`method=GET\`, \`path=/activity/users/all/applications/admin\`, \`queryParams={ maxResults: "10" }\` to inspect recent admin console events.
+3. \`method=GET\`, \`path=/usage/dates/{YYYY-MM-DD}\` (use yesterday's date) to fetch a customer-level usage report sample.`,
+    ja: `\u5BFE\u8C61\u306E\u7BA1\u7406\u8005\u30E6\u30FC\u30B6\u30FC\u3092 1 \u4EBA\u9078\u3073\u3001\u4EE5\u4E0B\u306E\u30B9\u30C6\u30C3\u30D7\u3067 \`subject\` \u5F15\u6570\u3068\u3057\u3066\u4F7F\u3063\u3066\u304F\u3060\u3055\u3044\u3002\`scopes\` \u306F\u6BCE\u56DE \`${READONLY_SCOPES}\` \u3092\u6E21\u3057\u307E\u3059\u3002
+
+1. \`method=GET\`\u3001\`path=/activity/users/all/applications/login\`\u3001\`queryParams={ maxResults: "10" }\` \u3067\u76F4\u8FD1\u306E\u30ED\u30B0\u30A4\u30F3\u30A2\u30AF\u30C6\u30A3\u30D3\u30C6\u30A3\u304C\u53D6\u5F97\u3067\u304D\u308B\u3053\u3068\u3092\u78BA\u8A8D
+2. \`method=GET\`\u3001\`path=/activity/users/all/applications/admin\`\u3001\`queryParams={ maxResults: "10" }\` \u3067\u76F4\u8FD1\u306E\u7BA1\u7406\u30B3\u30F3\u30BD\u30FC\u30EB\u64CD\u4F5C\u3092\u78BA\u8A8D
+3. \`method=GET\`\u3001\`path=/usage/dates/{YYYY-MM-DD}\`\uFF08\u524D\u65E5\u306E\u65E5\u4ED8\u3092\u4F7F\u7528\uFF09\u3067\u30AB\u30B9\u30BF\u30DE\u30FC\u5358\u4F4D\u306E\u5229\u7528\u30EC\u30DD\u30FC\u30C8\u30B5\u30F3\u30D7\u30EB\u3092\u53D6\u5F97`
+  }
+});
+
+// ../connectors/src/connectors/google-audit-log/index.ts
+var tools = { request_with_delegation: requestWithDelegationTool };
+var googleAuditLogConnector = new ConnectorPlugin({
+  slug: "google-audit-log",
+  authType: AUTH_TYPES.SERVICE_ACCOUNT,
+  name: "Google Audit Log",
+  description: "Connect to the Google Workspace Admin SDK Reports API for audit activities and usage reports using a service account with domain-wide delegation. Read-only.",
+  iconUrl: "https://images.ctfassets.net/9ncizv60xc5y/6VWp0bASiAEgiSlwoZOT8A/fb59a3a2d0219db7df0a943b286a5995/admin_2020q4_48dp.png",
+  parameters,
+  releaseFlag: { dev1: true, dev2: true, prod: true },
+  categories: ["observability"],
+  onboarding: googleAuditLogOnboarding,
+  systemPrompt: {
+    en: `### Tools
+
+- \`google-audit-log-service-account_request_with_delegation\`: Call the Google Workspace Admin SDK Reports API on behalf of a Workspace admin via Domain-wide Delegation. Pass \`subject\` as the admin email; the token will be issued as that user. Always pass \`scopes\`.
+
+### OAuth Scopes (pass as \`scopes\` argument)
+
+This connector is read-only. Pass one or both:
+
+- \`https://www.googleapis.com/auth/admin.reports.audit.readonly\` \u2014 audit activity events (Activities API)
+- \`https://www.googleapis.com/auth/admin.reports.usage.readonly\` \u2014 usage reports (Customer/User Usage API)
+
+The Workspace admin must have authorized these scopes for the service account in the Domain-wide Delegation settings, otherwise token issuance will fail with \`unauthorized_client\`. The impersonated \`subject\` user must also have an admin role with permission to view the relevant reports.
+
+Per-endpoint reference: https://developers.google.com/admin-sdk/reports/v1/reference
+
+### Reports API Reference
+
+#### Activities (audit logs)
+- GET \`/activity/users/all/applications/{applicationName}\` \u2014 list activity events across all users for an application
+- GET \`/activity/users/{userKey}/applications/{applicationName}\` \u2014 list activity events for a specific user (\`userKey\` is the user's email or immutable ID)
+- GET \`/activity/users/all/applications/{applicationName}/watch\` \u2014 (not supported here, push notifications)
+
+\`applicationName\` values include: \`access_transparency\`, \`admin\`, \`calendar\`, \`chat\`, \`chrome\`, \`context_aware_access\`, \`data_studio\`, \`drive\`, \`gcp\`, \`gplus\`, \`groups\`, \`groups_enterprise\`, \`jamboard\`, \`keep\`, \`login\`, \`meet\`, \`mobile\`, \`rules\`, \`saml\`, \`token\`, \`user_accounts\`, \`vault\`.
+
+Common Activities query parameters (pass via \`queryParams\`):
+- \`startTime\` / \`endTime\` \u2014 ISO-8601 timestamps (e.g., \`2025-04-01T00:00:00Z\`)
+- \`eventName\` \u2014 filter by a specific event (e.g., \`login_success\`, \`login_failure\`, \`document_open\`)
+- \`filters\` \u2014 comma-separated event-parameter filters (e.g., \`doc_type==document\`)
+- \`actorIpAddress\` \u2014 filter by IP
+- \`maxResults\` \u2014 page size (default 1000)
+- \`pageToken\` \u2014 pagination token from previous response's \`nextPageToken\`
+
+#### Usage reports
+- GET \`/usage/dates/{date}\` \u2014 customer-level usage on a specific date (\`YYYY-MM-DD\`)
+- GET \`/usage/users/all/dates/{date}\` \u2014 per-user usage on a specific date
+- GET \`/usage/users/{userKey}/dates/{date}\` \u2014 usage for a single user on a specific date
+
+Common Usage query parameters:
+- \`parameters\` \u2014 comma-separated metric names (e.g., \`accounts:num_users,gmail:num_emails_received\`). See https://developers.google.com/admin-sdk/reports/v1/reference/usage-ref-appendix-a for the full list.
+- \`filters\` \u2014 filter expression on the same metric namespace
+- \`maxResults\` / \`pageToken\` \u2014 pagination
+
+### Business Logic
+
+The business logic type for this connector is "typescript". Write handler code using the connector SDK shown below. Do NOT access credentials directly from environment variables.
+
+SDK methods (client created via \`connection(connectionId)\`):
+
+- \`client.requestWithDelegation(path, { subject, scopes, init? })\` \u2014 call the Reports API as the impersonated Workspace admin. Pass the minimum scopes required.
+
+The method returns a standard \`Response\`. Read the body with \`.json()\`. Same path conventions as the tool.
+
+#### Example
+
+\`\`\`ts
+import type { Context } from "hono";
+import { connection } from "@squadbase/vite-server/connectors/google-audit-log";
+
+const reports = connection("<connectionId>");
+
+const SUBJECT = "admin@example.com"; // the admin user to impersonate
+const AUDIT = ["https://www.googleapis.com/auth/admin.reports.audit.readonly"];
+
+export default async function handler(c: Context) {
+  const { startTime, endTime } = await c.req.json<{
+    startTime: string;
+    endTime: string;
+  }>();
+
+  const params = new URLSearchParams({
+    startTime,
+    endTime,
+    maxResults: "100",
+  });
+  const res = await reports.requestWithDelegation(
+    \`/activity/users/all/applications/login?\${params}\`,
+    { subject: SUBJECT, scopes: AUDIT },
+  );
+  const data = (await res.json()) as { items?: { id: { time: string }; events?: { name: string }[]; actor?: { email?: string } }[] };
+
+  return c.json(
+    (data.items ?? []).map((item) => ({
+      time: item.id.time,
+      actor: item.actor?.email,
+      event: item.events?.[0]?.name,
+    })),
+  );
+}
+\`\`\``,
+    ja: `### \u30C4\u30FC\u30EB
+
+- \`google-audit-log-service-account_request_with_delegation\`: Domain-wide Delegation \u7D4C\u7531\u3067 Workspace \u7BA1\u7406\u8005\u306B\u306A\u308A\u3059\u307E\u3057\u3066 Google Workspace Admin SDK Reports API \u3092\u547C\u3073\u51FA\u3057\u307E\u3059\u3002\u4EE3\u7406\u5BFE\u8C61\u306E\u7BA1\u7406\u8005\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u3092 \`subject\` \u3068\u3057\u3066\u6E21\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u30C8\u30FC\u30AF\u30F3\u306F\u305D\u306E\u30E6\u30FC\u30B6\u30FC\u3068\u3057\u3066\u767A\u884C\u3055\u308C\u307E\u3059\u3002\`scopes\` \u3082\u6BCE\u56DE\u6E21\u3057\u3066\u304F\u3060\u3055\u3044\u3002
+
+### OAuth \u30B9\u30B3\u30FC\u30D7 (\`scopes\` \u5F15\u6570\u3067\u6E21\u3059)
+
+\u3053\u306E\u30B3\u30CD\u30AF\u30BF\u30FC\u306F\u8AAD\u307F\u53D6\u308A\u5C02\u7528\u3067\u3059\u3002\u6B21\u306E\u3044\u305A\u308C\u304B\u3001\u307E\u305F\u306F\u4E21\u65B9\u3092\u6E21\u3057\u3066\u304F\u3060\u3055\u3044:
+
+- \`https://www.googleapis.com/auth/admin.reports.audit.readonly\` \u2014 \u76E3\u67FB\u30A2\u30AF\u30C6\u30A3\u30D3\u30C6\u30A3\u30A4\u30D9\u30F3\u30C8 (Activities API)
+- \`https://www.googleapis.com/auth/admin.reports.usage.readonly\` \u2014 \u5229\u7528\u30EC\u30DD\u30FC\u30C8 (Customer/User Usage API)
+
+\u8981\u6C42\u3059\u308B scope \u306F Workspace \u7BA1\u7406\u8005\u304C Domain-wide Delegation \u8A2D\u5B9A\u3067\u5F53\u8A72 Service Account \u306B\u5BFE\u3057\u3066\u627F\u8A8D\u3057\u3066\u3044\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\u627F\u8A8D\u3055\u308C\u3066\u3044\u306A\u3044\u5834\u5408\u30C8\u30FC\u30AF\u30F3\u767A\u884C\u304C \`unauthorized_client\` \u3067\u5931\u6557\u3057\u307E\u3059\u3002\u307E\u305F\u4EE3\u7406\u5BFE\u8C61\u306E \`subject\` \u30E6\u30FC\u30B6\u30FC\u304C\u8A72\u5F53\u30EC\u30DD\u30FC\u30C8\u3092\u95B2\u89A7\u3067\u304D\u308B\u7BA1\u7406\u8005\u30ED\u30FC\u30EB\u3092\u6301\u3063\u3066\u3044\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002
+
+\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u5225\u306E\u6B63\u78BA\u306A\u30EA\u30D5\u30A1\u30EC\u30F3\u30B9: https://developers.google.com/admin-sdk/reports/v1/reference
+
+### Reports API \u30EA\u30D5\u30A1\u30EC\u30F3\u30B9
+
+#### Activities\uFF08\u76E3\u67FB\u30ED\u30B0\uFF09
+- GET \`/activity/users/all/applications/{applicationName}\` \u2014 \u6307\u5B9A\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306B\u3064\u3044\u3066\u5168\u30E6\u30FC\u30B6\u30FC\u306E\u30A2\u30AF\u30C6\u30A3\u30D3\u30C6\u30A3\u30A4\u30D9\u30F3\u30C8\u3092\u4E00\u89A7
+- GET \`/activity/users/{userKey}/applications/{applicationName}\` \u2014 \u6307\u5B9A\u30E6\u30FC\u30B6\u30FC\uFF08\`userKey\` \u306F\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u307E\u305F\u306F\u4E0D\u5909ID\uFF09\u306E\u30A2\u30AF\u30C6\u30A3\u30D3\u30C6\u30A3
+
+\`applicationName\` \u306E\u5024: \`access_transparency\`, \`admin\`, \`calendar\`, \`chat\`, \`chrome\`, \`context_aware_access\`, \`data_studio\`, \`drive\`, \`gcp\`, \`gplus\`, \`groups\`, \`groups_enterprise\`, \`jamboard\`, \`keep\`, \`login\`, \`meet\`, \`mobile\`, \`rules\`, \`saml\`, \`token\`, \`user_accounts\`, \`vault\`\u3002
+
+\u4E3B\u306A\u30AF\u30A8\u30EA\u30D1\u30E9\u30E1\u30FC\u30BF\uFF08\`queryParams\` \u306B\u6E21\u3059\uFF09:
+- \`startTime\` / \`endTime\` \u2014 ISO-8601 \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\uFF08\u4F8B: \`2025-04-01T00:00:00Z\`\uFF09
+- \`eventName\` \u2014 \u7279\u5B9A\u306E\u30A4\u30D9\u30F3\u30C8\u3067\u30D5\u30A3\u30EB\u30BF\uFF08\u4F8B: \`login_success\`, \`login_failure\`, \`document_open\`\uFF09
+- \`filters\` \u2014 \u30A4\u30D9\u30F3\u30C8\u30D1\u30E9\u30E1\u30FC\u30BF\u3067\u306E\u30D5\u30A3\u30EB\u30BF\uFF08\u30AB\u30F3\u30DE\u533A\u5207\u308A\u3001\u4F8B: \`doc_type==document\`\uFF09
+- \`actorIpAddress\` \u2014 IP\u30A2\u30C9\u30EC\u30B9\u3067\u30D5\u30A3\u30EB\u30BF
+- \`maxResults\` \u2014 \u30DA\u30FC\u30B8\u30B5\u30A4\u30BA\uFF08\u30C7\u30D5\u30A9\u30EB\u30C8 1000\uFF09
+- \`pageToken\` \u2014 \u30EC\u30B9\u30DD\u30F3\u30B9\u306E \`nextPageToken\` \u3092\u6E21\u3057\u3066\u30DA\u30FC\u30B8\u30F3\u30B0
+
+#### Usage\uFF08\u5229\u7528\u30EC\u30DD\u30FC\u30C8\uFF09
+- GET \`/usage/dates/{date}\` \u2014 \u6307\u5B9A\u65E5\uFF08\`YYYY-MM-DD\`\uFF09\u306E\u30AB\u30B9\u30BF\u30DE\u30FC\u5358\u4F4D\u306E\u5229\u7528\u30EC\u30DD\u30FC\u30C8
+- GET \`/usage/users/all/dates/{date}\` \u2014 \u6307\u5B9A\u65E5\u306E\u5168\u30E6\u30FC\u30B6\u30FC\u5229\u7528\u30EC\u30DD\u30FC\u30C8
+- GET \`/usage/users/{userKey}/dates/{date}\` \u2014 \u6307\u5B9A\u65E5\u306E\u7279\u5B9A\u30E6\u30FC\u30B6\u30FC\u306E\u5229\u7528\u30EC\u30DD\u30FC\u30C8
+
+\u4E3B\u306A\u30AF\u30A8\u30EA\u30D1\u30E9\u30E1\u30FC\u30BF:
+- \`parameters\` \u2014 \u53D6\u5F97\u3059\u308B\u30E1\u30C8\u30EA\u30AF\u30B9\u540D\uFF08\u30AB\u30F3\u30DE\u533A\u5207\u308A\u3001\u4F8B: \`accounts:num_users,gmail:num_emails_received\`\uFF09\u3002\u4E00\u89A7: https://developers.google.com/admin-sdk/reports/v1/reference/usage-ref-appendix-a
+- \`filters\` \u2014 \u30E1\u30C8\u30EA\u30AF\u30B9\u306B\u5BFE\u3059\u308B\u30D5\u30A3\u30EB\u30BF\u5F0F
+- \`maxResults\` / \`pageToken\` \u2014 \u30DA\u30FC\u30B8\u30F3\u30B0
+
+### Business Logic
+
+\u3053\u306E\u30B3\u30CD\u30AF\u30BF\u306E\u30D3\u30B8\u30CD\u30B9\u30ED\u30B8\u30C3\u30AF\u30BF\u30A4\u30D7\u306F "typescript" \u3067\u3059\u3002\u4EE5\u4E0B\u306B\u793A\u3059\u30B3\u30CD\u30AF\u30BFSDK\u3092\u4F7F\u7528\u3057\u3066\u30CF\u30F3\u30C9\u30E9\u30B3\u30FC\u30C9\u3092\u8A18\u8FF0\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u74B0\u5883\u5909\u6570\u304B\u3089\u76F4\u63A5\u8A8D\u8A3C\u60C5\u5831\u306B\u30A2\u30AF\u30BB\u30B9\u3057\u306A\u3044\u3067\u304F\u3060\u3055\u3044\u3002
+
+SDK\u30E1\u30BD\u30C3\u30C9 (\`connection(connectionId)\` \u3067\u4F5C\u6210\u3057\u305F\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8):
+
+- \`client.requestWithDelegation(path, { subject, scopes, init? })\` \u2014 Domain-wide Delegation \u3067\u6307\u5B9A Workspace \u7BA1\u7406\u8005\u3068\u3057\u3066 Reports API \u3092\u547C\u3076\u3002\u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8\u306B\u5FC5\u8981\u306A\u6700\u5C0F scope \u3092\u6E21\u3059\u3002
+
+\u30E1\u30BD\u30C3\u30C9\u306F\u6A19\u6E96\u306E \`Response\` \u3092\u8FD4\u3057\u307E\u3059\u3002\`response.json()\` \u3067\u30DC\u30C7\u30A3\u3092\u53D6\u5F97\u3057\u3066\u304F\u3060\u3055\u3044\u3002\u30D1\u30B9\u306E\u66F8\u304D\u65B9\u306F\u30C4\u30FC\u30EB\u3068\u540C\u3058\u3002
+
+#### Example
+
+\`\`\`ts
+import type { Context } from "hono";
+import { connection } from "@squadbase/vite-server/connectors/google-audit-log";
+
+const reports = connection("<connectionId>");
+
+const SUBJECT = "admin@example.com"; // \u4EE3\u7406\u5BFE\u8C61\u306E\u7BA1\u7406\u8005
+const AUDIT = ["https://www.googleapis.com/auth/admin.reports.audit.readonly"];
+
+export default async function handler(c: Context) {
+  const { startTime, endTime } = await c.req.json<{
+    startTime: string;
+    endTime: string;
+  }>();
+
+  const params = new URLSearchParams({
+    startTime,
+    endTime,
+    maxResults: "100",
+  });
+  const res = await reports.requestWithDelegation(
+    \`/activity/users/all/applications/login?\${params}\`,
+    { subject: SUBJECT, scopes: AUDIT },
+  );
+  const data = (await res.json()) as { items?: { id: { time: string }; events?: { name: string }[]; actor?: { email?: string } }[] };
+
+  return c.json(
+    (data.items ?? []).map((item) => ({
+      time: item.id.time,
+      actor: item.actor?.email,
+      event: item.events?.[0]?.name,
+    })),
+  );
+}
+\`\`\``
+  },
+  tools
+});
+
+// src/connectors/create-connector-sdk.ts
+import { readFileSync } from "fs";
+import path from "path";
+
+// src/connector-client/env.ts
+function resolveEnvVar(entry, key, connectionId) {
+  const envVarName = entry.envVars[key];
+  if (!envVarName) {
+    throw new Error(`Connection "${connectionId}" is missing envVars mapping for key "${key}"`);
+  }
+  const value = process.env[envVarName];
+  if (!value) {
+    throw new Error(`Environment variable "${envVarName}" (for connection "${connectionId}", key "${key}") is not set`);
+  }
+  return value;
+}
+function resolveEnvVarOptional(entry, key) {
+  const envVarName = entry.envVars[key];
+  if (!envVarName) return void 0;
+  return process.env[envVarName] || void 0;
+}
+
+// src/connector-client/proxy-fetch.ts
+import { getContext } from "hono/context-storage";
+import { getCookie } from "hono/cookie";
+var APP_SESSION_COOKIE_NAME = "__Host-squadbase-session";
+function normalizeHeaders(input) {
+  const out = {};
+  if (!input) return out;
+  new Headers(input).forEach((value, key) => {
+    out[key] = value;
+  });
+  return out;
+}
+function createSandboxProxyFetch(connectionId) {
+  return async (input, init) => {
+    const token = process.env.INTERNAL_SQUADBASE_OAUTH_MACHINE_CREDENTIAL;
+    const sandboxId = process.env.INTERNAL_SQUADBASE_SANDBOX_ID;
+    if (!token || !sandboxId) {
+      throw new Error(
+        "Connection proxy is not configured. Please check your deployment settings."
+      );
+    }
+    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const baseDomain = process.env["SQUADBASE_PREVIEW_BASE_DOMAIN"] ?? "preview.app.squadbase.dev";
+    const proxyUrl = `https://${sandboxId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+    return fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify({
+        url: originalUrl,
+        method: originalMethod,
+        headers: normalizeHeaders(init?.headers),
+        body: originalBody
+      })
+    });
+  };
+}
+function createDeployedAppProxyFetch(connectionId) {
+  const projectId = process.env["SQUADBASE_PROJECT_ID"];
+  if (!projectId) {
+    throw new Error(
+      "Connection proxy is not configured. Please check your deployment settings."
+    );
+  }
+  const baseDomain = process.env["SQUADBASE_APP_BASE_DOMAIN"] ?? "squadbase.app";
+  const proxyUrl = `https://${projectId}.${baseDomain}/_sqcore/connections/${connectionId}/request`;
+  return async (input, init) => {
+    const originalUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const originalMethod = init?.method ?? "GET";
+    const originalBody = init?.body ? JSON.parse(init.body) : void 0;
+    const c = getContext();
+    const appSession = getCookie(c, APP_SESSION_COOKIE_NAME);
+    if (!appSession) {
+      throw new Error(
+        "No authentication method available for connection proxy."
+      );
+    }
+    return fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${appSession}`
+      },
+      body: JSON.stringify({
+        url: originalUrl,
+        method: originalMethod,
+        headers: normalizeHeaders(init?.headers),
+        body: originalBody
+      })
+    });
+  };
+}
+function createProxyFetch(connectionId) {
+  if (process.env.INTERNAL_SQUADBASE_SANDBOX_ID) {
+    return createSandboxProxyFetch(connectionId);
+  }
+  return createDeployedAppProxyFetch(connectionId);
+}
+
+// src/connectors/create-connector-sdk.ts
+function loadConnectionsSync() {
+  const filePath = process.env.CONNECTIONS_PATH ?? path.join(process.cwd(), ".squadbase/connections.json");
+  try {
+    const raw = readFileSync(filePath, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+function createConnectorSdk(plugin, createClient2) {
+  return (connectionId) => {
+    const connections = loadConnectionsSync();
+    const entry = connections[connectionId];
+    if (!entry) {
+      throw new Error(
+        `Connection "${connectionId}" not found in .squadbase/connections.json`
+      );
+    }
+    if (entry.connector.slug !== plugin.slug) {
+      throw new Error(
+        `Connection "${connectionId}" is not a ${plugin.slug} connection (got "${entry.connector.slug}")`
+      );
+    }
+    const params = {};
+    for (const param of Object.values(plugin.parameters)) {
+      if (param.required) {
+        params[param.slug] = resolveEnvVar(entry, param.slug, connectionId);
+      } else {
+        const val = resolveEnvVarOptional(entry, param.slug);
+        if (val !== void 0) params[param.slug] = val;
+      }
+    }
+    return createClient2(params, createProxyFetch(connectionId));
+  };
+}
+
+// src/connectors/entries/google-audit-log.ts
+var connection = createConnectorSdk(googleAuditLogConnector, createClient);
+export {
+  connection
+};