npm - @suveren/gateway - Versions diffs - 0.2.4 → 0.2.6 - Mend

@suveren/gateway 0.2.4 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/content/integrations/calendar.json +2 -0
package/content/integrations/gmail.json +2 -0
package/dist/control-plane/index.mjs +76 -1
package/dist/mcp-server/http.mjs +6 -4
package/dist/ui/assets/index-Cg93zQWk.js +102 -0
package/dist/ui/assets/index-Ch-vXKVZ.css +1 -0
package/dist/ui/index.html +2 -2
package/package.json +1 -1
package/dist/ui/assets/index-B8OeLWqp.css +0 -1
package/dist/ui/assets/index-CIhRJ6MD.js +0 -102

package/content/integrations/calendar.json CHANGED Viewed

@@ -25,6 +25,8 @@
     "authUrl": "https://accounts.google.com/o/oauth2/v2/auth",
     "tokenUrl": "https://oauth2.googleapis.com/token",
     "scopes": [
+      "openid",
+      "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/calendar.events",
       "https://www.googleapis.com/auth/calendar.readonly"
     ],

package/content/integrations/gmail.json CHANGED Viewed

@@ -26,6 +26,8 @@
     "authUrl": "https://accounts.google.com/o/oauth2/v2/auth",
     "tokenUrl": "https://oauth2.googleapis.com/token",
     "scopes": [
+      "openid",
+      "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/gmail.modify",
       "https://www.googleapis.com/auth/gmail.send"
     ],

package/dist/control-plane/index.mjs CHANGED Viewed

@@ -1583,6 +1583,18 @@ function resolveOrigin(req) {
 }
 var oauthRedirectUris = /* @__PURE__ */ new Map();
 var manifestCache = null;
+function decodeJwtEmail(idToken) {
+  if (!idToken) return void 0;
+  try {
+    const payload = idToken.split(".")[1];
+    if (!payload) return void 0;
+    const json = Buffer.from(payload.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
+    const claims = JSON.parse(json);
+    return typeof claims.email === "string" ? claims.email : void 0;
+  } catch {
+    return void 0;
+  }
+}
 async function getOAuthManifest(integrationId) {
   if (!manifestCache) {
     try {
@@ -1660,7 +1672,13 @@ app.get("/auth/oauth/:integrationId/callback", async (req, res) => {
       res.status(400).send(`<html><body><h2>Token exchange failed</h2><p>${String(tokens.error || "No token received")}</p><script>setTimeout(()=>window.close(),3000)</script></body></html>`);
       return;
     }
-    const updatedCreds = { ...creds, [oauth.tokenStorage]: tokenValue };
+    const account = decodeJwtEmail(tokens.id_token);
+    const updatedCreds = {
+      ...creds,
+      [oauth.tokenStorage]: tokenValue,
+      _oauthConnectedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (account) updatedCreds._oauthAccount = account;
     vault.setCredential(integrationId, updatedCreds);
     console.log(`[Control Plane] ${integrationId} OAuth tokens stored in vault`);
     try {
@@ -1683,6 +1701,52 @@ app.get("/auth/gmail/callback", (req, res) => {
   res.redirect(`/auth/oauth/gmail/callback${qs ? "?" + qs : ""}`);
 });
 var authGuard = requireAuth(vault);
+app.get("/auth/oauth/:integrationId/health", authGuard, async (req, res) => {
+  const integrationId = String(req.params.integrationId);
+  const manifest = await getOAuthManifest(integrationId);
+  if (!manifest?.oauth) {
+    res.json({ status: "not_configured" });
+    return;
+  }
+  const oauth = manifest.oauth;
+  const creds = vault.getCredential(integrationId);
+  const clientIdKey = oauth.credentialKeys.clientId ?? "clientId";
+  const clientSecretKey = oauth.credentialKeys.clientSecret ?? "clientSecret";
+  const account = creds?._oauthAccount;
+  if (!creds?.[clientIdKey] || !creds?.[clientSecretKey]) {
+    res.json({ status: "not_configured", account });
+    return;
+  }
+  const token = creds[oauth.tokenStorage];
+  if (!token) {
+    res.json({ status: "not_connected", account });
+    return;
+  }
+  if (!/refresh/i.test(oauth.tokenStorage)) {
+    res.json({ status: "unverified", account });
+    return;
+  }
+  try {
+    const r = await fetch(oauth.tokenUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: token,
+        client_id: creds[clientIdKey],
+        client_secret: creds[clientSecretKey]
+      })
+    });
+    const body = await r.json().catch(() => ({}));
+    if (r.ok && body.access_token) {
+      res.json({ status: "ok", account });
+      return;
+    }
+    res.json({ status: "failed", account, error: body.error_description || body.error || `HTTP ${r.status}` });
+  } catch (err) {
+    res.json({ status: "failed", account, error: err instanceof Error ? err.message : "probe failed" });
+  }
+});
 app.get("/events", requireAuthQueryOrHeader(vault), createEventsHandler());
 app.use("/vault", jsonParser, authGuard, createVaultRouter(vault));
 app.use("/ai", jsonParser, authGuard, createAIRouter(vault));
@@ -1943,5 +2007,16 @@ app.listen(port, "0.0.0.0", () => {
   console.error(`[Control Plane]   SP proxy: ${SP_URL2}`);
   console.error(`[Control Plane]   UI dist:  ${UI_DIST}`);
   console.error(`[Control Plane]   Internal secret: configured`);
+  console.error(`[Control Plane]   MCP server: ${MCP_BASE}`);
+  getManifests().then((d) => {
+    const n = d?.manifests?.length ?? 0;
+    if (n === 0) {
+      console.error(`[Control Plane] \u26A0 MCP server at ${MCP_BASE} returned 0 integration manifests \u2014 wrong SUVEREN_MCP_INTERNAL_URL? (dev MCP is :3431, npm is :3430)`);
+    } else {
+      console.error(`[Control Plane]   Integrations: ${n} manifests loaded from ${MCP_BASE}`);
+    }
+  }).catch((err) => {
+    console.error(`[Control Plane] \u26A0 Could not reach MCP server at ${MCP_BASE} for manifests \u2014 wrong SUVEREN_MCP_INTERNAL_URL? (dev=:3431, npm=:3430). ${err instanceof Error ? err.message : err}`);
+  });
   startUpdateChecker(INSTALL_METHOD, RUNNING_VERSION);
 });

package/dist/mcp-server/http.mjs CHANGED Viewed

@@ -1072,9 +1072,11 @@ Proposal ID: ${proposal.id}. Check status with check-pending-commitments(proposa
             );
           }
           await state2.spClient.postReceipt({
-            attestationHash: authHash,
+            // v0.5: send the bare content address; the AS reconstructs the
+            // per-user storage key. Fall back to frameHash only for legacy
+            // (pre-v0.4) records that predate bounds_hash.
+            boundsHash: auth.boundsHash ?? authHash,
             profileId: auth.profileId,
-            path: auth.path,
             action: tool.namespacedName,
             actionType,
             executionContext: { ...execution },
@@ -1501,10 +1503,10 @@ async function executeCommitted(proposal, state2, integrationManager2) {
     );
   }
   try {
+    const boundsHash = proposal.frameHash.split(":").slice(0, 2).join(":");
     await state2.spClient.postReceipt({
-      attestationHash: proposal.frameHash,
+      boundsHash,
       profileId: proposal.profileId,
-      path: proposal.path,
       action: proposal.tool,
       actionType: proposalActionType,
       executionContext: proposal.executionContext,