@suveren/gateway 0.2.5 → 0.2.6

package/content/integrations/calendar.json

@@ -25,6 +25,8 @@
     "authUrl": "https://accounts.google.com/o/oauth2/v2/auth",
     "tokenUrl": "https://oauth2.googleapis.com/token",
     "scopes": [
+      "openid",
+      "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/calendar.events",
       "https://www.googleapis.com/auth/calendar.readonly"
     ],

package/content/integrations/gmail.json

@@ -26,6 +26,8 @@
     "authUrl": "https://accounts.google.com/o/oauth2/v2/auth",
     "tokenUrl": "https://oauth2.googleapis.com/token",
     "scopes": [
+      "openid",
+      "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/gmail.modify",
       "https://www.googleapis.com/auth/gmail.send"
     ],

package/dist/control-plane/index.mjs

@@ -1583,6 +1583,18 @@ function resolveOrigin(req) {
 }
 var oauthRedirectUris = /* @__PURE__ */ new Map();
 var manifestCache = null;
+function decodeJwtEmail(idToken) {
+  if (!idToken) return void 0;
+  try {
+    const payload = idToken.split(".")[1];
+    if (!payload) return void 0;
+    const json = Buffer.from(payload.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
+    const claims = JSON.parse(json);
+    return typeof claims.email === "string" ? claims.email : void 0;
+  } catch {
+    return void 0;
+  }
+}
 async function getOAuthManifest(integrationId) {
   if (!manifestCache) {
     try {
@@ -1660,7 +1672,13 @@ app.get("/auth/oauth/:integrationId/callback", async (req, res) => {
       res.status(400).send(`<html><body><h2>Token exchange failed</h2><p>${String(tokens.error || "No token received")}</p><script>setTimeout(()=>window.close(),3000)</script></body></html>`);
       return;
     }
-    const updatedCreds = { ...creds, [oauth.tokenStorage]: tokenValue };
+    const account = decodeJwtEmail(tokens.id_token);
+    const updatedCreds = {
+      ...creds,
+      [oauth.tokenStorage]: tokenValue,
+      _oauthConnectedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (account) updatedCreds._oauthAccount = account;
     vault.setCredential(integrationId, updatedCreds);
     console.log(`[Control Plane] ${integrationId} OAuth tokens stored in vault`);
     try {
@@ -1683,6 +1701,52 @@ app.get("/auth/gmail/callback", (req, res) => {
   res.redirect(`/auth/oauth/gmail/callback${qs ? "?" + qs : ""}`);
 });
 var authGuard = requireAuth(vault);
+app.get("/auth/oauth/:integrationId/health", authGuard, async (req, res) => {
+  const integrationId = String(req.params.integrationId);
+  const manifest = await getOAuthManifest(integrationId);
+  if (!manifest?.oauth) {
+    res.json({ status: "not_configured" });
+    return;
+  }
+  const oauth = manifest.oauth;
+  const creds = vault.getCredential(integrationId);
+  const clientIdKey = oauth.credentialKeys.clientId ?? "clientId";
+  const clientSecretKey = oauth.credentialKeys.clientSecret ?? "clientSecret";
+  const account = creds?._oauthAccount;
+  if (!creds?.[clientIdKey] || !creds?.[clientSecretKey]) {
+    res.json({ status: "not_configured", account });
+    return;
+  }
+  const token = creds[oauth.tokenStorage];
+  if (!token) {
+    res.json({ status: "not_connected", account });
+    return;
+  }
+  if (!/refresh/i.test(oauth.tokenStorage)) {
+    res.json({ status: "unverified", account });
+    return;
+  }
+  try {
+    const r = await fetch(oauth.tokenUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: token,
+        client_id: creds[clientIdKey],
+        client_secret: creds[clientSecretKey]
+      })
+    });
+    const body = await r.json().catch(() => ({}));
+    if (r.ok && body.access_token) {
+      res.json({ status: "ok", account });
+      return;
+    }
+    res.json({ status: "failed", account, error: body.error_description || body.error || `HTTP ${r.status}` });
+  } catch (err) {
+    res.json({ status: "failed", account, error: err instanceof Error ? err.message : "probe failed" });
+  }
+});
 app.get("/events", requireAuthQueryOrHeader(vault), createEventsHandler());
 app.use("/vault", jsonParser, authGuard, createVaultRouter(vault));
 app.use("/ai", jsonParser, authGuard, createAIRouter(vault));
@@ -1943,5 +2007,16 @@ app.listen(port, "0.0.0.0", () => {
   console.error(`[Control Plane]   SP proxy: ${SP_URL2}`);
   console.error(`[Control Plane]   UI dist:  ${UI_DIST}`);
   console.error(`[Control Plane]   Internal secret: configured`);
+  console.error(`[Control Plane]   MCP server: ${MCP_BASE}`);
+  getManifests().then((d) => {
+    const n = d?.manifests?.length ?? 0;
+    if (n === 0) {
+      console.error(`[Control Plane] \u26A0 MCP server at ${MCP_BASE} returned 0 integration manifests \u2014 wrong SUVEREN_MCP_INTERNAL_URL? (dev MCP is :3431, npm is :3430)`);
+    } else {
+      console.error(`[Control Plane]   Integrations: ${n} manifests loaded from ${MCP_BASE}`);
+    }
+  }).catch((err) => {
+    console.error(`[Control Plane] \u26A0 Could not reach MCP server at ${MCP_BASE} for manifests \u2014 wrong SUVEREN_MCP_INTERNAL_URL? (dev=:3431, npm=:3430). ${err instanceof Error ? err.message : err}`);
+  });
   startUpdateChecker(INSTALL_METHOD, RUNNING_VERSION);
 });