npm - @stigmer/protos - Versions diffs - 0.0.82 → 0.0.84 - Mend

@stigmer/protos 0.0.82 → 0.0.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/ai/stigmer/agentic/mcpserver/v1/io_pb.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { GenEnum, GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
 import type { ExecutionValue } from "../../executioncontext/v1/spec_pb";
 import type { Message } from "@bufbuild/protobuf";
 /**
@@ -320,9 +320,336 @@ export type GetOAuthGrantStatusOutput = Message<"ai.stigmer.agentic.mcpserver.v1
      * @generated from field: string auth_method = 4;
      */
     authMethod: string;
+    /**
+     * Evaluated health of the OAuth connection.
+     * Provides an actionable signal beyond the binary "connected" field:
+     * the frontend can distinguish "healthy" from "expired but refreshable"
+     * from "expired and needs re-auth" from "never connected."
+     *
+     * @generated from field: ai.stigmer.agentic.mcpserver.v1.OAuthConnectionHealth connection_health = 5;
+     */
+    connectionHealth: OAuthConnectionHealth;
 };
 /**
  * Describes the message ai.stigmer.agentic.mcpserver.v1.GetOAuthGrantStatusOutput.
  * Use `create(GetOAuthGrantStatusOutputSchema)` to create a new message.
  */
 export declare const GetOAuthGrantStatusOutputSchema: GenMessage<GetOAuthGrantStatusOutput>;
+/**
+ * DisconnectOAuthInput tears down a user's OAuth connection for a resource.
+ *
+ * @internal
+ * The handler:
+ * 1. Finds the OAuthGrant for (caller, resource_id, org)
+ * 2. Deletes the managed Environment that holds the tokens
+ * 3. Deletes the OAuthGrant record
+ *
+ * After this, the user's access token and refresh token are gone. The
+ * MCP server remains configured — only the user's personal OAuth connection
+ * is removed. Other users' connections to the same resource are unaffected.
+ *
+ * Idempotent: if no OAuthGrant exists for the (caller, resource_id, org)
+ * tuple, the handler returns disconnected=false without error. This
+ * supports race conditions (concurrent disconnect calls), retries after
+ * partial failures, and desired-state semantics ("ensure no connection").
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthInput
+ */
+export type DisconnectOAuthInput = Message<"ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthInput"> & {
+    /**
+     * System-generated ID of the resource to disconnect OAuth for.
+     *
+     * @generated from field: string resource_id = 1;
+     */
+    resourceId: string;
+    /**
+     * Organization context. Must match the org used during the original
+     * OAuth connect flow (part of the OAuthGrant composite key).
+     *
+     * @generated from field: string org = 2;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthInput.
+ * Use `create(DisconnectOAuthInputSchema)` to create a new message.
+ */
+export declare const DisconnectOAuthInputSchema: GenMessage<DisconnectOAuthInput>;
+/**
+ * DisconnectOAuthOutput reports the result of a disconnect request.
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthOutput
+ */
+export type DisconnectOAuthOutput = Message<"ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthOutput"> & {
+    /**
+     * Whether an active grant was found and deleted.
+     * true: grant and its managed environment were deleted.
+     * false: no grant existed for this resource + org + caller. The desired
+     * state (no OAuth connection) was already achieved. This is not an error.
+     *
+     * @generated from field: bool disconnected = 1;
+     */
+    disconnected: boolean;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthOutput.
+ * Use `create(DisconnectOAuthOutputSchema)` to create a new message.
+ */
+export declare const DisconnectOAuthOutputSchema: GenMessage<DisconnectOAuthOutput>;
+/**
+ * SetOrgOAuthAppInput creates or updates an org-level BYOA OAuth app
+ * override for a resource.
+ *
+ * @internal
+ * The handler:
+ * 1. Looks up the platform-default OAuthApp via the resource's auth block
+ *    to use as a template (authorization_url, token_url, scopes, etc.)
+ * 2. Creates a new OAuthApp with the org-provided client_id + client_secret
+ *    and the template's endpoint URLs and scopes
+ * 3. Creates or updates an OAuthAppOverride binding
+ *    (resource_id, resource_kind, org_id) → new OAuthApp ID
+ *
+ * If an override already exists for this resource + org, the handler
+ * updates the existing OAuthApp's credentials and returns the same ID.
+ *
+ * After this, the resolution chain for this resource in this org will
+ * return the org's OAuthApp instead of the platform default.
+ *
+ * Prerequisites:
+ * - The resource must exist and have an auth block with oauth_app_ref
+ *   (BYOA requires a platform template to clone from)
+ * - The caller must have can_create_oauth_app permission in the org
+ *
+ * Errors:
+ * - FAILED_PRECONDITION: Resource has no auth block or no oauth_app_ref
+ * - NOT_FOUND: Resource does not exist
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppInput
+ */
+export type SetOrgOAuthAppInput = Message<"ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppInput"> & {
+    /**
+     * System-generated ID of the resource to set the BYOA override for.
+     *
+     * @generated from field: string resource_id = 1;
+     */
+    resourceId: string;
+    /**
+     * Organization that will own this override.
+     *
+     * @generated from field: string org = 2;
+     */
+    org: string;
+    /**
+     * OAuth client ID from the org's own app registration with the vendor.
+     *
+     * @generated from field: string client_id = 3;
+     */
+    clientId: string;
+    /**
+     * OAuth client secret from the org's own app registration with the vendor.
+     * Encrypted at rest, redacted in logs.
+     *
+     * @generated from field: string client_secret = 4;
+     */
+    clientSecret: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppInput.
+ * Use `create(SetOrgOAuthAppInputSchema)` to create a new message.
+ */
+export declare const SetOrgOAuthAppInputSchema: GenMessage<SetOrgOAuthAppInput>;
+/**
+ * SetOrgOAuthAppOutput confirms the BYOA override was created or updated.
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppOutput
+ */
+export type SetOrgOAuthAppOutput = Message<"ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppOutput"> & {
+    /**
+     * System-generated ID of the OAuthApp resource created (or updated)
+     * for this override. Can be used to inspect the full OAuthApp via
+     * OAuthAppQueryController.get.
+     *
+     * @generated from field: string oauth_app_id = 1;
+     */
+    oauthAppId: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppOutput.
+ * Use `create(SetOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export declare const SetOrgOAuthAppOutputSchema: GenMessage<SetOrgOAuthAppOutput>;
+/**
+ * GetOrgOAuthAppInput queries whether an org has a BYOA override for a resource.
+ *
+ * @internal
+ * Returns override metadata without exposing secrets. The frontend uses
+ * this to show "Using org credentials" vs. "Using platform credentials"
+ * and to offer the option to remove the override.
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppInput
+ */
+export type GetOrgOAuthAppInput = Message<"ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppInput"> & {
+    /**
+     * System-generated ID of the resource to check for an override.
+     *
+     * @generated from field: string resource_id = 1;
+     */
+    resourceId: string;
+    /**
+     * Organization context to check.
+     *
+     * @generated from field: string org = 2;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppInput.
+ * Use `create(GetOrgOAuthAppInputSchema)` to create a new message.
+ */
+export declare const GetOrgOAuthAppInputSchema: GenMessage<GetOrgOAuthAppInput>;
+/**
+ * GetOrgOAuthAppOutput returns the org's BYOA override status.
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppOutput
+ */
+export type GetOrgOAuthAppOutput = Message<"ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppOutput"> & {
+    /**
+     * Whether an OAuthAppOverride exists for this resource + org.
+     *
+     * @generated from field: bool has_override = 1;
+     */
+    hasOverride: boolean;
+    /**
+     * System-generated ID of the override's OAuthApp.
+     * Empty when has_override is false.
+     *
+     * @generated from field: string oauth_app_id = 2;
+     */
+    oauthAppId: string;
+    /**
+     * Client ID from the override's OAuthApp (non-secret, safe to display).
+     * Empty when has_override is false. Useful for UI display so the admin
+     * can verify which app registration is active.
+     *
+     * @generated from field: string client_id = 3;
+     */
+    clientId: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppOutput.
+ * Use `create(GetOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export declare const GetOrgOAuthAppOutputSchema: GenMessage<GetOrgOAuthAppOutput>;
+/**
+ * DeleteOrgOAuthAppInput removes an org-level BYOA override for a resource.
+ *
+ * @internal
+ * The handler:
+ * 1. Finds the OAuthAppOverride for (resource_id, resource_kind, org)
+ * 2. Deletes the OAuthApp resource created for this override
+ * 3. Deletes the OAuthAppOverride binding
+ *
+ * After this, the resolution chain falls back to the platform default.
+ * Existing user OAuthGrants that were issued using the org's OAuthApp
+ * will fail on next refresh — those users will need to re-authenticate
+ * using the platform default (or a new org override).
+ *
+ * Prerequisites:
+ * - An override must exist for this resource + org
+ *
+ * Errors:
+ * - NOT_FOUND: No override exists for this resource + org
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppInput
+ */
+export type DeleteOrgOAuthAppInput = Message<"ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppInput"> & {
+    /**
+     * System-generated ID of the resource to remove the override for.
+     *
+     * @generated from field: string resource_id = 1;
+     */
+    resourceId: string;
+    /**
+     * Organization whose override should be removed.
+     *
+     * @generated from field: string org = 2;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppInput.
+ * Use `create(DeleteOrgOAuthAppInputSchema)` to create a new message.
+ */
+export declare const DeleteOrgOAuthAppInputSchema: GenMessage<DeleteOrgOAuthAppInput>;
+/**
+ * DeleteOrgOAuthAppOutput confirms the BYOA override was removed.
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppOutput
+ */
+export type DeleteOrgOAuthAppOutput = Message<"ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppOutput"> & {
+    /**
+     * Whether the delete completed successfully.
+     *
+     * @generated from field: bool deleted = 1;
+     */
+    deleted: boolean;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppOutput.
+ * Use `create(DeleteOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export declare const DeleteOrgOAuthAppOutputSchema: GenMessage<DeleteOrgOAuthAppOutput>;
+/**
+ * OAuthConnectionHealth evaluates the health of an OAuth connection by
+ * examining grant existence and token expiry metadata. Used in
+ * GetOAuthGrantStatusOutput to give the frontend an actionable signal
+ * beyond the binary "connected" boolean.
+ *
+ * The backend determines health from locally available metadata (grant
+ * record + access_token_expires_at). It cannot detect server-side token
+ * revocation without making an API call to the vendor, so HEALTHY means
+ * "valid as far as we know" — not a guarantee the token will be accepted.
+ *
+ * @generated from enum ai.stigmer.agentic.mcpserver.v1.OAuthConnectionHealth
+ */
+export declare enum OAuthConnectionHealth {
+    /**
+     * Default / unset. Health has not been evaluated.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_UNSPECIFIED = 0;
+     */
+    OAUTH_CONNECTION_HEALTH_UNSPECIFIED = 0,
+    /**
+     * The access token exists and is not expired (or does not expire).
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_HEALTHY = 1;
+     */
+    OAUTH_CONNECTION_HEALTH_HEALTHY = 1,
+    /**
+     * The access token is expired and no refresh token is available.
+     * The user must re-authenticate via the OAuth flow.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED = 2;
+     */
+    OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED = 2,
+    /**
+     * The access token is expired but a refresh token is available.
+     * The backend will attempt automatic refresh at execution time.
+     * If the refresh token is itself expired, the refresh will fail and
+     * the user will need to re-authenticate.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED_REFRESHABLE = 3;
+     */
+    OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED_REFRESHABLE = 3,
+    /**
+     * No OAuth grant exists for this resource + org + user combination.
+     * The user has never connected or has disconnected.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_NO_GRANT = 4;
+     */
+    OAUTH_CONNECTION_HEALTH_NO_GRANT = 4
+}
+/**
+ * Describes the enum ai.stigmer.agentic.mcpserver.v1.OAuthConnectionHealth.
+ */
+export declare const OAuthConnectionHealthSchema: GenEnum<OAuthConnectionHealth>;

package/ai/stigmer/agentic/mcpserver/v1/io_pb.js CHANGED Viewed

@@ -1,13 +1,13 @@
 // @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
 // @generated from file ai/stigmer/agentic/mcpserver/v1/io.proto (package ai.stigmer.agentic.mcpserver.v1, syntax proto3)
 /* eslint-disable */
-import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { enumDesc, fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_agentic_executioncontext_v1_spec } from "../../executioncontext/v1/spec_pb";
 import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
 /**
  * Describes the file ai/stigmer/agentic/mcpserver/v1/io.proto.
  */
-export const file_ai_stigmer_agentic_mcpserver_v1_io = /*@__PURE__*/ fileDesc("CihhaS9zdGlnbWVyL2FnZW50aWMvbWNwc2VydmVyL3YxL2lvLnByb3RvEh9haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxIiQKC01jcFNlcnZlcklkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiggIKDENvbm5lY3RJbnB1dBIdCg1tY3Bfc2VydmVyX2lkGAEgASgJQga6SAPIAQESUgoLcnVudGltZV9lbnYYAiADKAsyPS5haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxLkNvbm5lY3RJbnB1dC5SdW50aW1lRW52RW50cnkSFAoDb3JnGAMgASgJQge6SARyAhABGmkKD1J1bnRpbWVFbnZFbnRyeRILCgNrZXkYASABKAkSRQoFdmFsdWUYAiABKAsyNi5haS5zdGlnbWVyLmFnZW50aWMuZXhlY3V0aW9uY29udGV4dC52MS5FeGVjdXRpb25WYWx1ZToCOAEiUAoZSW5pdGlhdGVPQXV0aENvbm5lY3RJbnB1dBIdCg1tY3Bfc2VydmVyX2lkGAEgASgJQga6SAPIAQESFAoDb3JnGAIgASgJQge6SARyAhABIm0KGkluaXRpYXRlT0F1dGhDb25uZWN0T3V0cHV0EhkKEWF1dGhvcml6YXRpb25fdXJsGAEgASgJEg0KBXN0YXRlGAIgASgJEg4KBnNjb3BlcxgDIAMoCRIVCg1wcm92aWRlcl9uYW1lGAQgASgJIncKGUNvbXBsZXRlT0F1dGhDb25uZWN0SW5wdXQSHQoNbWNwX3NlcnZlcl9pZBgBIAEoCUIGukgDyAEBEiMKEmF1dGhvcml6YXRpb25fY29kZRgCIAEoCUIHukgEcgIQARIWCgVzdGF0ZRgDIAEoCUIHukgEcgIQASJkChpDb21wbGV0ZU9BdXRoQ29ubmVjdE91dHB1dBIRCgljb25uZWN0ZWQYASABKAgSFgoOdGFyZ2V0X2Vudl92YXIYAiABKAkSGwoTdG9rZW5fbGlmZXRpbWVfaGludBgDIAEoCSJNChhHZXRPQXV0aEdyYW50U3RhdHVzSW5wdXQSGwoLcmVzb3VyY2VfaWQYASABKAlCBrpIA8gBARIUCgNvcmcYAiABKAlCB7pIBHICEAEifAoZR2V0T0F1dGhHcmFudFN0YXR1c091dHB1dBIRCgljb25uZWN0ZWQYASABKAgSHwoXYWNjZXNzX3Rva2VuX2V4cGlyZXNfYXQYAiABKAMSFgoOdGFyZ2V0X2Vudl92YXIYAyABKAkSEwoLYXV0aF9tZXRob2QYBCABKAliBnByb3RvMw", [file_ai_stigmer_agentic_executioncontext_v1_spec, file_buf_validate_validate]);
+export const file_ai_stigmer_agentic_mcpserver_v1_io = /*@__PURE__*/ fileDesc("CihhaS9zdGlnbWVyL2FnZW50aWMvbWNwc2VydmVyL3YxL2lvLnByb3RvEh9haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxIiQKC01jcFNlcnZlcklkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiggIKDENvbm5lY3RJbnB1dBIdCg1tY3Bfc2VydmVyX2lkGAEgASgJQga6SAPIAQESUgoLcnVudGltZV9lbnYYAiADKAsyPS5haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxLkNvbm5lY3RJbnB1dC5SdW50aW1lRW52RW50cnkSFAoDb3JnGAMgASgJQge6SARyAhABGmkKD1J1bnRpbWVFbnZFbnRyeRILCgNrZXkYASABKAkSRQoFdmFsdWUYAiABKAsyNi5haS5zdGlnbWVyLmFnZW50aWMuZXhlY3V0aW9uY29udGV4dC52MS5FeGVjdXRpb25WYWx1ZToCOAEiUAoZSW5pdGlhdGVPQXV0aENvbm5lY3RJbnB1dBIdCg1tY3Bfc2VydmVyX2lkGAEgASgJQga6SAPIAQESFAoDb3JnGAIgASgJQge6SARyAhABIm0KGkluaXRpYXRlT0F1dGhDb25uZWN0T3V0cHV0EhkKEWF1dGhvcml6YXRpb25fdXJsGAEgASgJEg0KBXN0YXRlGAIgASgJEg4KBnNjb3BlcxgDIAMoCRIVCg1wcm92aWRlcl9uYW1lGAQgASgJIncKGUNvbXBsZXRlT0F1dGhDb25uZWN0SW5wdXQSHQoNbWNwX3NlcnZlcl9pZBgBIAEoCUIGukgDyAEBEiMKEmF1dGhvcml6YXRpb25fY29kZRgCIAEoCUIHukgEcgIQARIWCgVzdGF0ZRgDIAEoCUIHukgEcgIQASJkChpDb21wbGV0ZU9BdXRoQ29ubmVjdE91dHB1dBIRCgljb25uZWN0ZWQYASABKAgSFgoOdGFyZ2V0X2Vudl92YXIYAiABKAkSGwoTdG9rZW5fbGlmZXRpbWVfaGludBgDIAEoCSJNChhHZXRPQXV0aEdyYW50U3RhdHVzSW5wdXQSGwoLcmVzb3VyY2VfaWQYASABKAlCBrpIA8gBARIUCgNvcmcYAiABKAlCB7pIBHICEAEizwEKGUdldE9BdXRoR3JhbnRTdGF0dXNPdXRwdXQSEQoJY29ubmVjdGVkGAEgASgIEh8KF2FjY2Vzc190b2tlbl9leHBpcmVzX2F0GAIgASgDEhYKDnRhcmdldF9lbnZfdmFyGAMgASgJEhMKC2F1dGhfbWV0aG9kGAQgASgJElEKEWNvbm5lY3Rpb25faGVhbHRoGAUgASgOMjYuYWkuc3RpZ21lci5hZ2VudGljLm1jcHNlcnZlci52MS5PQXV0aENvbm5lY3Rpb25IZWFsdGgiSQoURGlzY29ubmVjdE9BdXRoSW5wdXQSGwoLcmVzb3VyY2VfaWQYASABKAlCBrpIA8gBARIUCgNvcmcYAiABKAlCB7pIBHICEAEiLQoVRGlzY29ubmVjdE9BdXRoT3V0cHV0EhQKDGRpc2Nvbm5lY3RlZBgBIAEoCCKEAQoTU2V0T3JnT0F1dGhBcHBJbnB1dBIbCgtyZXNvdXJjZV9pZBgBIAEoCUIGukgDyAEBEhQKA29yZxgCIAEoCUIHukgEcgIQARIaCgljbGllbnRfaWQYAyABKAlCB7pIBHICEAESHgoNY2xpZW50X3NlY3JldBgEIAEoCUIHukgEcgIQASIsChRTZXRPcmdPQXV0aEFwcE91dHB1dBIUCgxvYXV0aF9hcHBfaWQYASABKAkiSAoTR2V0T3JnT0F1dGhBcHBJbnB1dBIbCgtyZXNvdXJjZV9pZBgBIAEoCUIGukgDyAEBEhQKA29yZxgCIAEoCUIHukgEcgIQASJVChRHZXRPcmdPQXV0aEFwcE91dHB1dBIUCgxoYXNfb3ZlcnJpZGUYASABKAgSFAoMb2F1dGhfYXBwX2lkGAIgASgJEhEKCWNsaWVudF9pZBgDIAEoCSJLChZEZWxldGVPcmdPQXV0aEFwcElucHV0EhsKC3Jlc291cmNlX2lkGAEgASgJQga6SAPIAQESFAoDb3JnGAIgASgJQge6SARyAhABIioKF0RlbGV0ZU9yZ09BdXRoQXBwT3V0cHV0Eg8KB2RlbGV0ZWQYASABKAgq7QEKFU9BdXRoQ29ubmVjdGlvbkhlYWx0aBInCiNPQVVUSF9DT05ORUNUSU9OX0hFQUxUSF9VTlNQRUNJRklFRBAAEiMKH09BVVRIX0NPTk5FQ1RJT05fSEVBTFRIX0hFQUxUSFkQARIpCiVPQVVUSF9DT05ORUNUSU9OX0hFQUxUSF9UT0tFTl9FWFBJUkVEEAISNQoxT0FVVEhfQ09OTkVDVElPTl9IRUFMVEhfVE9LRU5fRVhQSVJFRF9SRUZSRVNIQUJMRRADEiQKIE9BVVRIX0NPTk5FQ1RJT05fSEVBTFRIX05PX0dSQU5UEARiBnByb3RvMw", [file_ai_stigmer_agentic_executioncontext_v1_spec, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.agentic.mcpserver.v1.McpServerId.
  * Use `create(McpServerIdSchema)` to create a new message.
@@ -48,4 +48,99 @@ export const GetOAuthGrantStatusInputSchema = /*@__PURE__*/ messageDesc(file_ai_
  * Use `create(GetOAuthGrantStatusOutputSchema)` to create a new message.
  */
 export const GetOAuthGrantStatusOutputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 7);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthInput.
+ * Use `create(DisconnectOAuthInputSchema)` to create a new message.
+ */
+export const DisconnectOAuthInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 8);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DisconnectOAuthOutput.
+ * Use `create(DisconnectOAuthOutputSchema)` to create a new message.
+ */
+export const DisconnectOAuthOutputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 9);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppInput.
+ * Use `create(SetOrgOAuthAppInputSchema)` to create a new message.
+ */
+export const SetOrgOAuthAppInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 10);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.SetOrgOAuthAppOutput.
+ * Use `create(SetOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export const SetOrgOAuthAppOutputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 11);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppInput.
+ * Use `create(GetOrgOAuthAppInputSchema)` to create a new message.
+ */
+export const GetOrgOAuthAppInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 12);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.GetOrgOAuthAppOutput.
+ * Use `create(GetOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export const GetOrgOAuthAppOutputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 13);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppInput.
+ * Use `create(DeleteOrgOAuthAppInputSchema)` to create a new message.
+ */
+export const DeleteOrgOAuthAppInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 14);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.DeleteOrgOAuthAppOutput.
+ * Use `create(DeleteOrgOAuthAppOutputSchema)` to create a new message.
+ */
+export const DeleteOrgOAuthAppOutputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 15);
+/**
+ * OAuthConnectionHealth evaluates the health of an OAuth connection by
+ * examining grant existence and token expiry metadata. Used in
+ * GetOAuthGrantStatusOutput to give the frontend an actionable signal
+ * beyond the binary "connected" boolean.
+ *
+ * The backend determines health from locally available metadata (grant
+ * record + access_token_expires_at). It cannot detect server-side token
+ * revocation without making an API call to the vendor, so HEALTHY means
+ * "valid as far as we know" — not a guarantee the token will be accepted.
+ *
+ * @generated from enum ai.stigmer.agentic.mcpserver.v1.OAuthConnectionHealth
+ */
+export var OAuthConnectionHealth;
+(function (OAuthConnectionHealth) {
+    /**
+     * Default / unset. Health has not been evaluated.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_UNSPECIFIED = 0;
+     */
+    OAuthConnectionHealth[OAuthConnectionHealth["OAUTH_CONNECTION_HEALTH_UNSPECIFIED"] = 0] = "OAUTH_CONNECTION_HEALTH_UNSPECIFIED";
+    /**
+     * The access token exists and is not expired (or does not expire).
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_HEALTHY = 1;
+     */
+    OAuthConnectionHealth[OAuthConnectionHealth["OAUTH_CONNECTION_HEALTH_HEALTHY"] = 1] = "OAUTH_CONNECTION_HEALTH_HEALTHY";
+    /**
+     * The access token is expired and no refresh token is available.
+     * The user must re-authenticate via the OAuth flow.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED = 2;
+     */
+    OAuthConnectionHealth[OAuthConnectionHealth["OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED"] = 2] = "OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED";
+    /**
+     * The access token is expired but a refresh token is available.
+     * The backend will attempt automatic refresh at execution time.
+     * If the refresh token is itself expired, the refresh will fail and
+     * the user will need to re-authenticate.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED_REFRESHABLE = 3;
+     */
+    OAuthConnectionHealth[OAuthConnectionHealth["OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED_REFRESHABLE"] = 3] = "OAUTH_CONNECTION_HEALTH_TOKEN_EXPIRED_REFRESHABLE";
+    /**
+     * No OAuth grant exists for this resource + org + user combination.
+     * The user has never connected or has disconnected.
+     *
+     * @generated from enum value: OAUTH_CONNECTION_HEALTH_NO_GRANT = 4;
+     */
+    OAuthConnectionHealth[OAuthConnectionHealth["OAUTH_CONNECTION_HEALTH_NO_GRANT"] = 4] = "OAUTH_CONNECTION_HEALTH_NO_GRANT";
+})(OAuthConnectionHealth || (OAuthConnectionHealth = {}));
+/**
+ * Describes the enum ai.stigmer.agentic.mcpserver.v1.OAuthConnectionHealth.
+ */
+export const OAuthConnectionHealthSchema = /*@__PURE__*/ enumDesc(file_ai_stigmer_agentic_mcpserver_v1_io, 0);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/agentic/mcpserver/v1/io_pb.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/agentic/mcpserver/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,yHAAyH;AACzH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;~~AAErE~~,OAAO,EAAE,gDAAgD,EAAE,MAAM,mCAAmC,CAAC;AACrG,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,uCAAuC,GAAY,aAAa,CAC3E,QAAQ,CAAC,~~4zCAA4zC~~,EAAE,CAAC,gDAAgD,EAAE,0BAA0B,CAAC,CAAC,CAAC;~~AAoBz5C~~;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA4B,aAAa,CACrE,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAgE1D;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA6B,aAAa,CACvE,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAqC1D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AA6C1D;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2C,aAAa,CACnG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAiD1D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAiC1D;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2C,aAAa,CACnG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AA6B1D;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAyC,aAAa,CAC/F,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;~~AAwC1D~~;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC"}
1	+ {"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/agentic/mcpserver/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,yHAAyH;AACzH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAE/E,OAAO,EAAE,gDAAgD,EAAE,MAAM,mCAAmC,CAAC;AACrG,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,uCAAuC,GAAY,aAAa,CAC3E,QAAQ,CAAC,w/EAAw/E,EAAE,CAAC,gDAAgD,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAoBrlF;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA4B,aAAa,CACrE,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAgE1D;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA6B,aAAa,CACvE,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAqC1D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AA6C1D;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2C,aAAa,CACnG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAiD1D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAiC1D;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2C,aAAa,CACnG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AA6B1D;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAyC,aAAa,CAC/F,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAkD1D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAuC1D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AAmB1D;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC;AA+D1D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AAkB3D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AA4B3D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AAiC3D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AAwC3D;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AAgB3D;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,uCAAuC,EAAE,EAAE,CAAC,CAAC;AAE3D;;;;;;;;;;;;GAYG;AACH,MAAM,CAAN,IAAY,qBAwCX;AAxCD,WAAY,qBAAqB;IAC/B;;;;OAIG;IACH,+HAAuC,CAAA;IAEvC;;;;OAIG;IACH,uHAAmC,CAAA;IAEnC;;;;;OAKG;IACH,mIAAyC,CAAA;IAEzC;;;;;;;OAOG;IACH,2JAAqD,CAAA;IAErD;;;;;OAKG;IACH,yHAAoC,CAAA;AACtC,CAAC,EAxCW,qBAAqB,KAArB,qBAAqB,QAwChC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAmC,aAAa,CACtF,QAAQ,CAAC,uCAAuC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/agentic/mcpserver/v1/oauth_pb.d.ts CHANGED Viewed

@@ -122,3 +122,71 @@ export type OAuthGrant = Message<"ai.stigmer.agentic.mcpserver.v1.OAuthGrant"> &
  * Use `create(OAuthGrantSchema)` to create a new message.
  */
 export declare const OAuthGrantSchema: GenMessage<OAuthGrant>;
+/**
+ * OAuthAppOverride binds a specific OAuthApp to an API resource within an
+ * organization, overriding the platform-default OAuthApp for that resource.
+ *
+ * @internal
+ * Infrastructure-only. Not a public API resource — no kind, no apiVersion,
+ * no CRUD RPCs. Stored in the backend's database, keyed by the composite
+ * of (resource_id, resource_kind, org_id).
+ *
+ * This is the "Bring Your Own App" (BYOA) binding: it records that org Z
+ * wants resource Y to use OAuthApp X instead of the platform default
+ * referenced by McpServerAuth.oauth_app_ref.
+ *
+ * Separation of concerns:
+ * - OAuthApp (credential resource): holds client_id, client_secret, and
+ *   vendor endpoint URLs. Reusable — may be referenced by multiple overrides
+ *   or MCP servers.
+ * - OAuthAppOverride (binding document): maps (resource, org) to an OAuthApp.
+ *   Analogous to OAuthGrant, which maps (user, resource, org) to token metadata.
+ *
+ * Resolution chain (evaluated at connect time and token refresh):
+ *   1. OAuthAppOverride for (resource_id, resource_kind, org_id) — org override
+ *   2. McpServerAuth.oauth_app_ref on the resource spec — platform default
+ *   3. None — no OAuth app available (manual token or DCR only)
+ *
+ * The override is resource-agnostic: currently used for MCP servers, but the
+ * composite key supports any API resource kind that needs BYOA (e.g., workflows).
+ *
+ * @generated from message ai.stigmer.agentic.mcpserver.v1.OAuthAppOverride
+ */
+export type OAuthAppOverride = Message<"ai.stigmer.agentic.mcpserver.v1.OAuthAppOverride"> & {
+    /**
+     * System-generated ID (metadata.id) of the API resource this override
+     * applies to. Part of the composite key: (resource_id, resource_kind, org_id).
+     *
+     * @generated from field: string resource_id = 1;
+     */
+    resourceId: string;
+    /**
+     * Kind of the API resource identified by resource_id (e.g., "mcp_server").
+     * Part of the composite key. Enables the same table to serve overrides
+     * for multiple resource types without collision.
+     *
+     * @generated from field: string resource_kind = 2;
+     */
+    resourceKind: string;
+    /**
+     * Organization that owns this override. Part of the composite key.
+     * Different orgs can maintain independent BYOA overrides for the same
+     * shared (platform-scoped) resource.
+     *
+     * @generated from field: string org_id = 3;
+     */
+    orgId: string;
+    /**
+     * ID of the OAuthApp resource that holds the org's client credentials.
+     * Created by the setOrgOAuthApp handler, which clones the platform
+     * OAuthApp template and applies the org-provided client_id + client_secret.
+     *
+     * @generated from field: string oauth_app_id = 4;
+     */
+    oauthAppId: string;
+};
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.OAuthAppOverride.
+ * Use `create(OAuthAppOverrideSchema)` to create a new message.
+ */
+export declare const OAuthAppOverrideSchema: GenMessage<OAuthAppOverride>;

package/ai/stigmer/agentic/mcpserver/v1/oauth_pb.js CHANGED Viewed

@@ -5,10 +5,15 @@ import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
 /**
  * Describes the file ai/stigmer/agentic/mcpserver/v1/oauth.proto.
  */
-export const file_ai_stigmer_agentic_mcpserver_v1_oauth = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2FnZW50aWMvbWNwc2VydmVyL3YxL29hdXRoLnByb3RvEh9haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxIpsCCgpPQXV0aEdyYW50EhsKE2lkZW50aXR5X2FjY291bnRfaWQYASABKAkSEwoLcmVzb3VyY2VfaWQYAiABKAkSHwoXYWNjZXNzX3Rva2VuX2V4cGlyZXNfYXQYAyABKAMSEQoJY2xpZW50X2lkGAQgASgJEhMKC2F1dGhfbWV0aG9kGAUgASgJEhYKDnRva2VuX2VuZHBvaW50GAYgASgJEhwKFGFjY2Vzc190b2tlbl9lbnZfdmFyGAcgASgJEh0KFXJlZnJlc2hfdG9rZW5fZW52X3ZhchgIIAEoCRIWCg5lbnZpcm9ubWVudF9pZBgJIAEoCRIVCg1yZXNvdXJjZV9raW5kGAogASgJEg4KBm9yZ19pZBgLIAEoCWIGcHJvdG8z");
+export const file_ai_stigmer_agentic_mcpserver_v1_oauth = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2FnZW50aWMvbWNwc2VydmVyL3YxL29hdXRoLnByb3RvEh9haS5zdGlnbWVyLmFnZW50aWMubWNwc2VydmVyLnYxIpsCCgpPQXV0aEdyYW50EhsKE2lkZW50aXR5X2FjY291bnRfaWQYASABKAkSEwoLcmVzb3VyY2VfaWQYAiABKAkSHwoXYWNjZXNzX3Rva2VuX2V4cGlyZXNfYXQYAyABKAMSEQoJY2xpZW50X2lkGAQgASgJEhMKC2F1dGhfbWV0aG9kGAUgASgJEhYKDnRva2VuX2VuZHBvaW50GAYgASgJEhwKFGFjY2Vzc190b2tlbl9lbnZfdmFyGAcgASgJEh0KFXJlZnJlc2hfdG9rZW5fZW52X3ZhchgIIAEoCRIWCg5lbnZpcm9ubWVudF9pZBgJIAEoCRIVCg1yZXNvdXJjZV9raW5kGAogASgJEg4KBm9yZ19pZBgLIAEoCSJkChBPQXV0aEFwcE92ZXJyaWRlEhMKC3Jlc291cmNlX2lkGAEgASgJEhUKDXJlc291cmNlX2tpbmQYAiABKAkSDgoGb3JnX2lkGAMgASgJEhQKDG9hdXRoX2FwcF9pZBgEIAEoCWIGcHJvdG8z");
 /**
  * Describes the message ai.stigmer.agentic.mcpserver.v1.OAuthGrant.
  * Use `create(OAuthGrantSchema)` to create a new message.
  */
 export const OAuthGrantSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_oauth, 0);
+/**
+ * Describes the message ai.stigmer.agentic.mcpserver.v1.OAuthAppOverride.
+ * Use `create(OAuthAppOverrideSchema)` to create a new message.
+ */
+export const OAuthAppOverrideSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_agentic_mcpserver_v1_oauth, 1);
 //# sourceMappingURL=oauth_pb.js.map

package/ai/stigmer/agentic/mcpserver/v1/oauth_pb.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/agentic/mcpserver/v1/oauth_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,4HAA4H;AAC5H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAGrE;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,~~kfAAkf~~,CAAC,CAAC;~~AA8H/f~~;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}
1	+ {"version":3,"file":"oauth_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/agentic/mcpserver/v1/oauth_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,4HAA4H;AAC5H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAGrE;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,0nBAA0nB,CAAC,CAAC;AA8HvoB;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAqE7D;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/agentic/mcpserver/v1/query_connect.d.ts CHANGED Viewed

@@ -48,5 +48,46 @@ export declare const McpServerQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * Check whether the authenticated user has an active OAuth grant for
+         * an MCP server in the specified org.
+         *
+         * Returns grant metadata (connected status, token expiry, auth method)
+         * without exposing any secret token values. The frontend uses this to
+         * render the correct OAuth state in the MCP server detail page and
+         * session composer.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the mcp_server resource.
+         * The resource_id field contains the MCP server's system-generated ID.
+         *
+         * @generated from rpc ai.stigmer.agentic.mcpserver.v1.McpServerQueryController.getOAuthGrantStatus
+         */
+        readonly getOAuthGrantStatus: {
+            readonly name: "getOAuthGrantStatus";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Query whether an org has a BYOA override for a resource.
+         *
+         * Returns override metadata (existence, OAuthApp ID, client_id) without
+         * exposing secrets. The frontend uses this to show which credential
+         * source is active and to offer override management options to org admins.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the mcp_server resource.
+         * Any user who can view the MCP server can check whether their org has
+         * an override — no secrets are exposed.
+         *
+         * @generated from rpc ai.stigmer.agentic.mcpserver.v1.McpServerQueryController.getOrgOAuthApp
+         */
+        readonly getOrgOAuthApp: {
+            readonly name: "getOrgOAuthApp";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
     };
 };

package/ai/stigmer/agentic/mcpserver/v1/query_connect.js CHANGED Viewed

@@ -53,6 +53,47 @@ export const McpServerQueryController = {
             O: McpServer,
             kind: MethodKind.Unary,
         },
+        /**
+         * Check whether the authenticated user has an active OAuth grant for
+         * an MCP server in the specified org.
+         *
+         * Returns grant metadata (connected status, token expiry, auth method)
+         * without exposing any secret token values. The frontend uses this to
+         * render the correct OAuth state in the MCP server detail page and
+         * session composer.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the mcp_server resource.
+         * The resource_id field contains the MCP server's system-generated ID.
+         *
+         * @generated from rpc ai.stigmer.agentic.mcpserver.v1.McpServerQueryController.getOAuthGrantStatus
+         */
+        getOAuthGrantStatus: {
+            name: "getOAuthGrantStatus",
+            I: GetOAuthGrantStatusInput,
+            O: GetOAuthGrantStatusOutput,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Query whether an org has a BYOA override for a resource.
+         *
+         * Returns override metadata (existence, OAuthApp ID, client_id) without
+         * exposing secrets. The frontend uses this to show which credential
+         * source is active and to offer override management options to org admins.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the mcp_server resource.
+         * Any user who can view the MCP server can check whether their org has
+         * an override — no secrets are exposed.
+         *
+         * @generated from rpc ai.stigmer.agentic.mcpserver.v1.McpServerQueryController.getOrgOAuthApp
+         */
+        getOrgOAuthApp: {
+            name: "getOrgOAuthApp",
+            I: GetOrgOAuthAppInput,
+            O: GetOrgOAuthAppOutput,
+            kind: MethodKind.Unary,
+        },
     }
 };
 //# sourceMappingURL=query_connect.js.map