@superblocksteam/shared 0.9586.6 → 0.9589.0

package/src/database-lifecycle/index.ts

@@ -0,0 +1,278 @@
+import { sha256Base64 } from '../signing/hashing.js';
+
+export const LIFECYCLE_TERMINAL_STATES = ['ready', 'failed', 'cancelled'] as const;
+export const LIFECYCLE_NON_TERMINAL_STATES = ['pending', 'provisioning', 'migrating', 'retiring'] as const;
+export const LIFECYCLE_STATES = [...LIFECYCLE_NON_TERMINAL_STATES, ...LIFECYCLE_TERMINAL_STATES] as const;
+export const LIFECYCLE_MIGRATION_STATES = ['pending', 'migrated', 'failed'] as const;
+export const LIFECYCLE_OPERATIONS = ['ensure_dev_database', 'ensure_prod_database', 'migrate_schema', 'retire_database'] as const;
+export const ENVIRONMENT_CLASSES = ['dev', 'staging', 'prod'] as const;
+export const DATABASE_ENGINES = ['postgres', 'snowflake', 'snowflake_postgres', 'lakebase'] as const;
+export const DATABASE_LIFECYCLE_MANAGED_BY = 'database_lifecycle';
+
+export type EnvironmentClass = (typeof ENVIRONMENT_CLASSES)[number];
+export type DatabaseEngine = (typeof DATABASE_ENGINES)[number];
+export type LifecycleOperation = (typeof LIFECYCLE_OPERATIONS)[number];
+export type LifecycleTerminalState = (typeof LIFECYCLE_TERMINAL_STATES)[number];
+export type LifecycleNonTerminalState = (typeof LIFECYCLE_NON_TERMINAL_STATES)[number];
+export type LifecycleState = (typeof LIFECYCLE_STATES)[number];
+export type LifecycleMigrationState = (typeof LIFECYCLE_MIGRATION_STATES)[number];
+
+export type LifecycleErrorCode =
+  | 'unsupported_provider_capability'
+  | 'backend_locked'
+  | 'policy_blocked'
+  | 'credential_resolution_failed'
+  | 'terraform_failed'
+  | 'callback_failed';
+
+export const CREDENTIAL_RESOLVERS = ['opa_local', 'aws_secrets_manager', 'gcp_secret_manager', 'vault', 'kubernetes_secret'] as const;
+export type CredentialResolver = (typeof CREDENTIAL_RESOLVERS)[number];
+
+export type CredentialRef = {
+  resolver: CredentialResolver;
+  ref: string;
+  field?: string;
+};
+
+export type DatabaseRequirement = {
+  logicalName: string;
+  engine: DatabaseEngine;
+  version?: string;
+  sizing?: Record<string, unknown>;
+  extensions?: readonly string[];
+  replicaCount?: number;
+  migrationDirectory?: string;
+};
+
+export type TerraformDatabaseBackend = {
+  provisioner: 'terraform';
+  provider: 'aws-rds' | 'snowflake' | 'databricks';
+  stateBackend: 's3' | 'gcs' | 'azurerm' | 'local';
+  remoteState: boolean;
+  locking: boolean;
+};
+
+export type DatabaseBackend = TerraformDatabaseBackend;
+
+export type EnvironmentProfile = {
+  id: string;
+  organizationId: string;
+  environmentClass: EnvironmentClass;
+  environmentName: string;
+  opaAgentId: string;
+  supportedOperations: LifecycleOperation[];
+  supportedEngines: DatabaseEngine[];
+  backend: DatabaseBackend;
+};
+
+type DatabaseBindingBase = {
+  id: string;
+  bindingKey: string;
+  requirementKey: string;
+  logicalName: string;
+  applicationId: string;
+  environmentClass: EnvironmentClass;
+  environmentName: string;
+  desiredSpecHash: string;
+  migrationState: LifecycleMigrationState;
+};
+
+// A binding that has completed provisioning. The `ready` discriminant
+// guarantees that the OPA returned both `connectionMetadata` and
+// `credentialRefs`, so consumers can rely on those without null checks.
+export type ReadyDatabaseBinding = DatabaseBindingBase & {
+  lifecycleState: 'ready';
+  connectionMetadata: Record<string, string | number | boolean>;
+  credentialRefs: Record<string, CredentialRef>;
+};
+
+// A binding in any non-ready state. Connection metadata and credential refs
+// may be present from a prior `ready` transition or absent if the binding
+// never reached `ready`.
+export type IncompleteDatabaseBinding = DatabaseBindingBase & {
+  lifecycleState: Exclude<LifecycleState, 'ready'>;
+  connectionMetadata?: Record<string, string | number | boolean>;
+  credentialRefs?: Record<string, CredentialRef>;
+};
+
+export type DatabaseBinding = ReadyDatabaseBinding | IncompleteDatabaseBinding;
+
+export function isReadyDatabaseBinding(binding: DatabaseBinding): binding is ReadyDatabaseBinding {
+  return binding.lifecycleState === 'ready';
+}
+
+export type LifecycleRequest = {
+  id: string;
+  operation: LifecycleOperation;
+  bindingKey: string;
+  requirementKey: string;
+  desiredSpecHash: string;
+  state: LifecycleState;
+};
+
+export type TerraformModuleInput = {
+  bindingKey: string;
+  requirement: DatabaseRequirement;
+  credentialRefs: Record<string, CredentialRef>;
+  metadata: Record<string, string>;
+};
+
+export type TerraformModuleOutput = {
+  connection: Record<string, string | number | boolean>;
+  credentialRefs: Record<string, CredentialRef>;
+  resourceKey: string;
+};
+
+export function computeRequirementKey(requirement: Pick<DatabaseRequirement, 'logicalName' | 'engine'>): string {
+  return `${slugify(requirement.logicalName)}~${encodeURIComponent(requirement.logicalName)}:${requirement.engine}`;
+}
+
+export function computeBindingKey(input: {
+  organizationId: string;
+  applicationId: string;
+  environmentClass: EnvironmentClass;
+  environmentName: string;
+  requirementKey: string;
+}): string {
+  return [input.organizationId, ...bindingKeySegments(input)].join(':');
+}
+
+export function computeLegacyBindingKeyWithoutOrganization(input: {
+  applicationId: string;
+  environmentClass: EnvironmentClass;
+  environmentName: string;
+  requirementKey: string;
+}): string {
+  return bindingKeySegments(input).join(':');
+}
+
+function bindingKeySegments(input: {
+  applicationId: string;
+  environmentClass: EnvironmentClass;
+  environmentName: string;
+  requirementKey: string;
+}): string[] {
+  return [
+    input.applicationId,
+    input.environmentClass,
+    `${slugify(input.environmentName)}~${encodeURIComponent(input.environmentName)}`,
+    input.requirementKey
+  ];
+}
+
+export async function computeDesiredSpecHash(requirement: DatabaseRequirement): Promise<string> {
+  return await sha256Base64(JSON.stringify(canonicalize(requirement)));
+}
+
+export function isTerminalLifecycleState(state: LifecycleState): state is LifecycleTerminalState {
+  return (LIFECYCLE_TERMINAL_STATES as readonly string[]).includes(state);
+}
+
+export function redactLifecycleSecrets<T>(value: T): T {
+  return redact(value) as T;
+}
+
+function slugify(value: string): string {
+  return value
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-|-$/g, '');
+}
+
+function canonicalize(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(canonicalize).sort((left, right) => codepointCompare(JSON.stringify(left), JSON.stringify(right)));
+  }
+  if (value && typeof value === 'object') {
+    return Object.fromEntries(
+      Object.entries(value)
+        .filter(([, entryValue]) => entryValue !== undefined)
+        .sort(([left], [right]) => codepointCompare(left, right))
+        .map(([key, entryValue]) => [key, canonicalize(entryValue)])
+    );
+  }
+  return value;
+}
+
+function codepointCompare(left: string, right: string): number {
+  if (left < right) {
+    return -1;
+  }
+  if (left > right) {
+    return 1;
+  }
+  return 0;
+}
+
+function redact(value: unknown, preserveCredentialRefs = false): unknown {
+  if (Array.isArray(value)) {
+    return value.map((entry) => redact(entry, preserveCredentialRefs));
+  }
+  if (value && typeof value === 'object') {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, entryValue]) => {
+        if (isCredentialRefKey(key)) {
+          return [key, redact(entryValue, true)];
+        }
+        if (!preserveCredentialRefs && SECRET_KEY_PATTERN.test(key)) {
+          return [key, '[REDACTED]'];
+        }
+        return [key, redact(entryValue, preserveCredentialRefs)];
+      })
+    );
+  }
+  return value;
+}
+
+// Shared secret-key tripwire: keys whose name strongly suggests a raw secret
+// value. Used by `redactLifecycleSecrets` to scrub logs/error reporting and by
+// the server-side `assertNoRawCredentialMaterial` guard to refuse callbacks
+// that violate the typed-CredentialRef contract. NOT a security boundary --
+// callers must still send `Record<string, string | number | boolean>` for
+// `connectionMetadata` and `CredentialRef` for `credentialRefs`; this catches
+// obvious misuse only.
+export const SECRET_KEY_PATTERN = /password|secret|token|private[_-]?key|dsn/i;
+
+// Schemes whose URI form embeds credentials before `@`. Used as a value-side
+// tripwire alongside `SECRET_KEY_PATTERN` -- callers should never send
+// connection strings; the typed `connectionMetadata` shape is the contract.
+export const CREDENTIAL_BEARING_DSN_SCHEMES = [
+  'postgres',
+  'postgresql',
+  'mysql',
+  'mariadb',
+  'mongodb',
+  'mongodb+srv',
+  'redis',
+  'rediss',
+  'amqp',
+  'amqps',
+  'kafka'
+] as const;
+
+export function isSecretKey(key: string): boolean {
+  return SECRET_KEY_PATTERN.test(key);
+}
+
+export function containsCredentialMaterial(value: string): boolean {
+  if (DSN_WITH_INLINE_AUTH.test(value)) {
+    return true;
+  }
+  if (CREDENTIAL_KV_PATTERN.test(value)) {
+    return true;
+  }
+  if (JSON_ENCODED_SECRET_PATTERN.test(value)) {
+    return true;
+  }
+  return false;
+}
+
+const DSN_SCHEME_GROUP = CREDENTIAL_BEARING_DSN_SCHEMES.join('|').replace(/\+/g, '\\+');
+const DSN_WITH_INLINE_AUTH = new RegExp(`(?:${DSN_SCHEME_GROUP}):\\/\\/[^/@\\s:]+:[^/@\\s]+@`, 'i');
+const CREDENTIAL_KV_PATTERN = /(?:password|pwd|token|secret|private[_-]?key|api[_-]?key)\s*=\s*[^;&\s"]+/i;
+const JSON_ENCODED_SECRET_PATTERN = /["']\s*(?:password|secret|token|private[_-]?key|dsn)\s*["']\s*:/i;
+
+function isCredentialRefKey(key: string): boolean {
+  return /credential[_-]?ref/i.test(key);
+}

package/src/index.ts

@@ -26,3 +26,4 @@ export * from './tracing/methodTracing.js';
 export * from './tracing/errorSanitizer.js';
 export * from './jwt/index.js';
 export * from './org-features/index.js';
+export * from './database-lifecycle/index.js';

package/src/plugins/index.ts

@@ -117,6 +117,10 @@ export const CLOUD_PLUGIN_VERSIONS_LATEST: PluginExecutionVersions = {
   [HubSpotPlugin.id]: MAX_VERSION,
   [IntercomPlugin.id]: MAX_VERSION,
   [JavascriptPlugin.id]: MAX_VERSION,
+  // The javascriptsdkapi plugin has no corresponding Plugin definition in
+  // packages/shared (it's only registered by the orchestrator). Keep the literal
+  // string in sync with SDK_API_PLUGIN_ID consumers.
+  javascriptsdkapi: MAX_VERSION,
   [JiraPlugin.id]: MAX_VERSION,
   [KafkaPlugin.id]: MAX_VERSION,
   [KinesisPlugin.id]: MAX_VERSION,

package/src/plugins/templates/dropbox.ts

@@ -11,9 +11,13 @@ export const DropboxPlugin: Plugin = getNativeOpenApiPlugin({
       tokenUrl: 'https://www.dropbox.com/oauth2/token',
       revokeTokenUrl: 'https://api.dropboxapi.com/2/auth/token/revoke',
       iconUrl: `${PUBLIC_INTEGRATIONS_LOGO_URL}/dropbox.png`,
+      defaultScope: 'account_info.read files.metadata.read files.content.read files.content.write',
       authorizationExtraParams: {
         stateConfigExclude: ['datasource-auth-state'],
-        responseType: 'code'
+        responseType: 'code',
+        additionalUrlParams: {
+          token_access_type: 'offline'
+        }
       }
     }
   },

package/src/plugins/templates/shared/auth.ts

@@ -68,6 +68,7 @@ export type AuthorizationExtraParams = {
   accessType?: string;
   stateConfigExclude?: AuthorizationStateConfig[];
   owner?: string;
+  additionalUrlParams?: Record<string, string>;
 };
 
 type OAuth2Config = {
@@ -78,6 +79,7 @@ type OAuth2Config = {
   userInfoUrl?: string;
   authorizationExtraParams?: AuthorizationExtraParams;
   iconUrl: string;
+  defaultScope?: string;
 };
 
 type OAuth2HostedClientConfig = OAuth2Config & { clientId: string };
@@ -1102,6 +1104,7 @@ export const authSections = ({
             markdownText: `The scope of access request. It may have multiple space-separated values.`
           },
           singleLine: true,
+          initialValue: enabledMethods.oauth2BringYourOwn?.defaultScope ?? enabledMethods.oauth2SuperblocksClient?.defaultScope,
           display: {
             show: {
               authType: [IntegrationAuthType.OAUTH2_CODE]

package/src/types/ai/index.ts

@@ -121,4 +121,5 @@ export interface AiPromptCostResponse {
   totalCreditsUsed: number;
 }
 
+export * from './provider-credential.js';
 export * from './quota-paywall.js';

package/src/types/ai/provider-credential.ts

@@ -0,0 +1,61 @@
+export enum AiProviderType {
+  SNOWFLAKE_CORTEX = 'snowflake_cortex',
+  DATABRICKS_AI_GATEWAY = 'databricks_ai_gateway'
+}
+
+export const AI_PROVIDER_CREDENTIAL_STATUSES = ['untested', 'passing', 'failing'] as const;
+export type AiProviderCredentialStatus = (typeof AI_PROVIDER_CREDENTIAL_STATUSES)[number];
+
+export interface SnowflakeCortexBYOCredentials {
+  account: string;
+  username: string;
+  role?: string;
+  pat: string;
+}
+
+export interface DatabricksAiGatewayBYOCredentials {
+  gatewayHost: string;
+  pat: string;
+}
+
+export type BYOCredentials = SnowflakeCortexBYOCredentials | DatabricksAiGatewayBYOCredentials;
+
+export interface AiProviderCredentialDto {
+  id: string;
+  provider: AiProviderType;
+  displayName: string;
+  providerMetadata?: Record<string, string>;
+  status: AiProviderCredentialStatus;
+  statusMessage?: string | null;
+  statusCheckedAt?: string | null;
+  isActive: boolean;
+  useManagedFallback: boolean;
+  fingerprint: string;
+  created: string;
+  updated: string;
+}
+
+export interface CreateAiProviderCredentialRequest {
+  provider: AiProviderType;
+  displayName: string;
+  credentials: BYOCredentials;
+  useManagedFallback?: boolean;
+}
+
+export interface UpdateAiProviderCredentialRequest {
+  displayName?: string;
+  credentials?: Partial<BYOCredentials>;
+  isActive?: boolean;
+  useManagedFallback?: boolean;
+}
+
+export interface TestAiProviderCredentialConfigurationRequest {
+  provider: AiProviderType;
+  credentials: BYOCredentials;
+}
+
+export interface AiProviderCredentialTestResult {
+  valid: boolean;
+  error?: string;
+  checkedAt: string;
+}

package/src/types/audit/ocsf.ts

@@ -213,7 +213,13 @@ export const AUDIT_EVENT_TYPE_CATALOG: AuditEventTypeEntry[] = [
     category_uid: OCSFCategoryUid.APPLICATION_ACTIVITY,
     category_name: 'APPLICATION_ACTIVITY',
     resource_type: 'Integration',
-    operations: ['integration.create', 'integration.delete', 'integration.secret.view', 'integration.update']
+    operations: [
+      'integration.create',
+      'integration.delete',
+      'integration.ownership.update',
+      'integration.secret.view',
+      'integration.update'
+    ]
   },
   {
     class_uid: OCSFClassUid.ENTITY_MANAGEMENT,
@@ -259,7 +265,7 @@ export const AUDIT_EVENT_TYPE_CATALOG: AuditEventTypeEntry[] = [
     category_uid: OCSFCategoryUid.IAM,
     category_name: 'IAM',
     resource_type: 'Token',
-    operations: ['token.create', 'token.delete', 'token.update']
+    operations: ['token.create', 'token.delete', 'token.regenerate', 'token.update']
   },
   {
     class_uid: OCSFClassUid.USER_ACCESS_MANAGEMENT,

package/src/types/commit/index.ts

@@ -16,6 +16,7 @@ export interface CommitDto {
   directoryContentsHash?: string | null;
   buildStatus?: BuildStatus;
   autosaveType?: string | null;
+  templateName?: string | null;
 }
 
 export enum CommitType {

package/src/types/common/env.test.ts

@@ -0,0 +1,27 @@
+import { describe, test, expect } from 'vitest';
+
+import { DeploymentTypeEnum, isBrowserTelemetryEnabled } from './env.js';
+
+describe('isBrowserTelemetryEnabled', () => {
+  test('returns true for CLOUD deployment', () => {
+    expect(isBrowserTelemetryEnabled(DeploymentTypeEnum.CLOUD)).toBe(true);
+  });
+
+  test('returns false for CLOUD_PREM deployment', () => {
+    expect(isBrowserTelemetryEnabled(DeploymentTypeEnum.CLOUD_PREM)).toBe(false);
+  });
+
+  test('returns false when deploymentType is undefined (fail-closed on ambiguity)', () => {
+    expect(isBrowserTelemetryEnabled(undefined)).toBe(false);
+  });
+
+  test("returns false for empty string (helm configmap renders '' when deploymentType override is missing)", () => {
+    expect(isBrowserTelemetryEnabled('' as DeploymentTypeEnum)).toBe(false);
+  });
+
+  test('returns false for common typos that would bypass a blocklist check', () => {
+    expect(isBrowserTelemetryEnabled('cloud_prem' as DeploymentTypeEnum)).toBe(false);
+    expect(isBrowserTelemetryEnabled('CLOUD-PREM' as DeploymentTypeEnum)).toBe(false);
+    expect(isBrowserTelemetryEnabled('cloud-prem ' as DeploymentTypeEnum)).toBe(false);
+  });
+});

package/src/types/common/env.ts

@@ -7,7 +7,35 @@ export enum EnvEnum {
   LOCAL = 'local'
 }
 
+/**
+ * Deployment model for the running process.
+ *
+ * WARNING — opposing defaults by context: `parseDeploymentType` in
+ * `@superblocksteam/telemetry/common/deployment-type` (server-side) defaults a MISSING OR
+ * EMPTY value to `CLOUD` (fail-open — the server is trusted internal infrastructure) and
+ * THROWS on unrecognized values. `isBrowserTelemetryEnabled` in this module (browser-side)
+ * fails CLOSED — missing, empty, and unrecognized values all disable telemetry. Both are
+ * correct in their contexts (the browser reads values from an untrusted env-var pipeline),
+ * but the asymmetry is easy to miss. When adding new deployment-type-gated policies, pick
+ * the fail direction deliberately and document it.
+ */
 export enum DeploymentTypeEnum {
   CLOUD = 'cloud',
   CLOUD_PREM = 'cloud-prem'
 }
+
+/**
+ * Returns whether browser telemetry (Datadog RUM, browser-logs) may be initialized.
+ * Allowlist-on-CLOUD: any non-CLOUD value — CLOUD_PREM, undefined, empty string,
+ * typos ('cloud_prem', 'CLOUD-PREM'), or future deployment types — disables telemetry.
+ * Cloud-prem deployments must not emit to Superblocks' public intake (customer network egress);
+ * fail-closed on ambiguity is the correct default for a privacy gate.
+ *
+ * Parameter widened to `string | undefined` because call sites pull from env.get() with an
+ * `as DeploymentTypeEnum` cast — any string can actually arrive (empty, typo, whitespace,
+ * unexpected value). The strict equality still narrows correctly; the wider type makes the
+ * runtime truth explicit at the boundary.
+ */
+export const isBrowserTelemetryEnabled = (deploymentType: string | undefined): boolean => {
+  return deploymentType === DeploymentTypeEnum.CLOUD;
+};

package/src/types/common/response.ts

@@ -51,11 +51,11 @@ export class ResponseMeta {
 }
 
 export class ErrorDto {
-  code: number;
+  code: number | string;
   message: string;
   superblocksError?: SuperblocksError;
 
-  constructor({ code, message, type }: { code: number; message: string; type?: SuperblocksError }) {
+  constructor({ code, message, type }: { code: number | string; message: string; type?: SuperblocksError }) {
     this.code = code;
     this.message = message;
     this.superblocksError = type;

package/src/types/credentials/index.ts

@@ -100,20 +100,20 @@ export type InferenceSnowflakeCortexPayload = {
 /**
  * Databricks AI Gateway credential. AI Gateway only accepts Programmatic
  * Access Tokens (PATs) as bearer credentials — there is no keypair or
- * OAuth path comparable to Snowflake Cortex. `workspaceUrl` is validated
- * at the registry with a strict https + known-suffix regex so a typo
- * there can't silently point at the wrong workspace at call time.
+ * OAuth path comparable to Snowflake Cortex. `gatewayHost` is either the
+ * Anthropic-compatible AI Gateway origin or a workspace AI Gateway
+ * Anthropic messages URL, both validated at the registry.
  */
 export type InferenceDatabricksAiGatewayPayload = {
   type: 'inference.databricks-ai-gateway.pat';
   secrets: { pat: string };
   metadata: {
     /**
-     * Full workspace URL, e.g. `https://dbc-abcd1234-5678.cloud.databricks.com`
-     * or `https://adb-1234567890123456.7.azuredatabricks.net`. Must match
-     * the strict Databricks-host regex in the registry.
+     * AI Gateway origin, e.g. `https://<gateway-name>.ai-gateway.cloud.databricks.com`,
+     * or workspace Anthropic messages URL, e.g.
+     * `https://<your-databricks-workspace-url>/ai-gateway/anthropic/v1/messages`.
      */
-    workspaceUrl: string;
+    gatewayHost: string;
   };
 };
 

package/src/types/index.ts

@@ -22,10 +22,12 @@ export * from './lock/index.js';
 export * from './observability/index.js';
 export * from './organization/index.js';
 export * from './page/index.js';
+export * from './policyGate/index.js';
 export * from './plugin/index.js';
 export * from './profile/index.js';
 export * from './rbac/index.js';
 export * from './response/index.js';
+export * from './reviewPolicy/index.js';
 export * from './remoteCommit/index.js';
 export * from './scim/index.js';
 export * from './signingKeyRotationJob/index.js';

package/src/types/integration/index.ts

@@ -89,6 +89,7 @@ class IntegrationBaseDto {
   name: string;
   pluginId: string;
   organizationId: string;
+  applicationId?: string | null;
   isUserConfigured: boolean;
   demoIntegrationId?: string;
 }
@@ -125,7 +126,8 @@ export class SupersetIntegrationDto extends IntegrationBaseDto {
     editable,
     permissions,
     creator,
-    enabledForV2
+    enabledForV2,
+    applicationId
   }: {
     id: string;
     created: Date;
@@ -145,6 +147,7 @@ export class SupersetIntegrationDto extends IntegrationBaseDto {
     permissions?: ActionTypeEnum[];
     creator?: CreatorDto;
     enabledForV2?: boolean;
+    applicationId?: string | null;
   }) {
     super();
     this.id = id;
@@ -154,6 +157,7 @@ export class SupersetIntegrationDto extends IntegrationBaseDto {
     this.pluginId = pluginId;
     this.kind = kind;
     this.organizationId = organizationId;
+    this.applicationId = applicationId;
     this.configurations = configurations;
     this.demoIntegrationId = demoIntegrationId;
     this.isUserConfigured = isUserConfigured;
@@ -202,7 +206,8 @@ export class IntegrationDto extends IntegrationBaseDto {
     creator,
     kind,
     slug,
-    enabledForV2
+    enabledForV2,
+    applicationId
   }: {
     id: string;
     created: Date;
@@ -218,6 +223,7 @@ export class IntegrationDto extends IntegrationBaseDto {
     kind: IntegrationKind;
     slug?: string;
     enabledForV2?: boolean;
+    applicationId?: string | null;
   }) {
     super();
     this.id = id;
@@ -226,6 +232,7 @@ export class IntegrationDto extends IntegrationBaseDto {
     this.name = name;
     this.pluginId = pluginId;
     this.organizationId = organizationId;
+    this.applicationId = applicationId;
     this.demoIntegrationId = demoIntegrationId;
     this.configurations = configurations;
     this.isUserConfigured = isUserConfigured;

package/src/types/organization/agent.ts

@@ -1,4 +1,4 @@
-import * as semver from 'semver';
+import semver from 'semver';
 
 import { SemVer } from '../plugin/index.js';
 

package/src/types/plugin/form.ts

@@ -359,6 +359,7 @@ type ConnectOAuthPayload = {
     responseType?: string;
     stateConfigExclude?: AuthorizationStateConfig[];
     owner?: string;
+    additionalUrlParams?: Record<string, string>;
     authType?: AuthType;
     authConfig?: {
       clientId: string;