npm - @tangle-network/agent-integrations - Versions diffs - 0.14.0 → 0.15.0 - Mend

@tangle-network/agent-integrations 0.14.0 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +15 -0
package/dist/index.d.ts +552 -248
package/dist/index.js +938 -164
package/dist/index.js.map +1 -1
package/docs/architecture.md +7 -0
package/docs/production-completion-checklist.md +63 -0
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 // src/index.ts
-import { createHmac as createHmac3, randomUUID as randomUUID2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { createHmac as createHmac3, randomUUID as randomUUID3, timingSafeEqual as timingSafeEqual2 } from "crypto";
 // src/activepieces-catalog.ts
 import { readFileSync } from "fs";
@@ -1290,6 +1290,869 @@ function unique(values) {
   return [...new Set(values)];
 }
+// src/audit.ts
+import { randomUUID } from "crypto";
+var InMemoryIntegrationAuditStore = class {
+  events = [];
+  record(event) {
+    this.events.push(event);
+  }
+  list(filter = {}) {
+    return this.events.filter((event) => matchesFilter(event, filter));
+  }
+};
+function createIntegrationAuditEvent(input) {
+  const occurredAt = input.occurredAt instanceof Date ? input.occurredAt.toISOString() : input.occurredAt ?? (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString();
+  return {
+    ...input,
+    id: input.id ?? `audit_${randomUUID()}`,
+    occurredAt,
+    metadata: input.metadata ? redactUnknown(input.metadata) : void 0
+  };
+}
+function createAuditingActionGuard(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return {
+    async invokeAction(ctx, proceed) {
+      const startedAt = now();
+      try {
+        const result = await proceed();
+        await options.sink.record(actionEvent({
+          ctx,
+          request: ctx.request,
+          result,
+          type: result.ok ? "action.invoked" : "action.failed",
+          subject: options.subject,
+          occurredAt: startedAt,
+          includeInputPreview: options.includeInputPreview
+        }));
+        return result;
+      } catch (error) {
+        await options.sink.record(actionEvent({
+          ctx,
+          request: ctx.request,
+          type: "action.failed",
+          subject: options.subject,
+          occurredAt: startedAt,
+          includeInputPreview: options.includeInputPreview,
+          message: error instanceof Error ? error.message : "Integration action failed."
+        }));
+        throw error;
+      }
+    }
+  };
+}
+function sanitizeAuditConnection(connection) {
+  return {
+    id: connection.id,
+    owner: connection.owner,
+    providerId: connection.providerId,
+    connectorId: connection.connectorId,
+    status: connection.status,
+    grantedScopes: connection.grantedScopes,
+    account: connection.account,
+    hasSecretRef: Boolean(connection.secretRef),
+    createdAt: connection.createdAt,
+    updatedAt: connection.updatedAt,
+    expiresAt: connection.expiresAt,
+    lastUsedAt: connection.lastUsedAt
+  };
+}
+function actionEvent(input) {
+  return createIntegrationAuditEvent({
+    type: input.type,
+    occurredAt: input.occurredAt,
+    actor: input.subject ?? input.ctx.connection.owner,
+    connectionId: input.ctx.connection.id,
+    providerId: input.ctx.connection.providerId,
+    connectorId: input.ctx.connection.connectorId,
+    action: input.request.action,
+    risk: input.ctx.action?.risk,
+    dataClass: input.ctx.action?.dataClass,
+    ok: input.result?.ok ?? false,
+    message: input.message,
+    metadata: {
+      idempotencyKey: input.request.idempotencyKey,
+      dryRun: input.request.dryRun,
+      externalId: input.result?.externalId,
+      warnings: input.result?.warnings,
+      inputPreview: input.includeInputPreview ? redactUnknown(input.request.input) : void 0
+    }
+  });
+}
+function matchesFilter(event, filter) {
+  if (filter.type && event.type !== filter.type) return false;
+  if (filter.actor && (!event.actor || event.actor.type !== filter.actor.type || event.actor.id !== filter.actor.id)) return false;
+  if (filter.connectionId && event.connectionId !== filter.connectionId) return false;
+  if (filter.providerId && event.providerId !== filter.providerId) return false;
+  if (filter.connectorId && event.connectorId !== filter.connectorId) return false;
+  if (filter.action && event.action !== filter.action) return false;
+  return true;
+}
+function redactUnknown(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential|refresh/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown(child);
+    }
+  }
+  return out;
+}
+// src/approval.ts
+import { createHash } from "crypto";
+var InMemoryIntegrationApprovalStore = class {
+  records = /* @__PURE__ */ new Map();
+  get(approvalId) {
+    return this.records.get(approvalId);
+  }
+  put(record) {
+    this.records.set(record.id, record);
+  }
+  list(filter = {}) {
+    return [...this.records.values()].filter((record) => matchesFilter2(record, filter));
+  }
+};
+var ApprovalBackedPolicyEngine = class {
+  base;
+  store;
+  audit;
+  now;
+  approvalTtlMs;
+  constructor(options) {
+    this.base = options.base;
+    this.store = options.store;
+    this.audit = options.audit;
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+    this.approvalTtlMs = options.approvalTtlMs;
+  }
+  async decide(ctx) {
+    const approved = await this.findApprovedRecord(ctx);
+    if (approved) return { decision: "allow", reason: `Approved by ${approved.resolvedBy?.type ?? "actor"} ${approved.resolvedBy?.id ?? "unknown"}.`, metadata: { approvalId: approved.id } };
+    const decision = await this.base.decide(ctx);
+    if (decision.decision !== "require_approval") return decision;
+    const requestedAt = decision.approval.requestedAt;
+    const expiresAt = this.approvalTtlMs ? new Date(Date.parse(requestedAt) + this.approvalTtlMs).toISOString() : void 0;
+    const record = {
+      id: decision.approval.id,
+      request: decision.approval,
+      status: "pending",
+      requestedAt,
+      expiresAt,
+      metadata: { ...decision.metadata ?? {}, inputHash: approvalInputHash(ctx.request.input) }
+    };
+    await this.store.put(record);
+    await this.audit?.record(createIntegrationAuditEvent({
+      type: "approval.requested",
+      actor: ctx.subject,
+      connectionId: ctx.connection.id,
+      providerId: ctx.connection.providerId,
+      connectorId: ctx.connection.connectorId,
+      action: ctx.request.action,
+      risk: ctx.action?.risk,
+      dataClass: ctx.action?.dataClass,
+      message: decision.reason,
+      metadata: { approvalId: record.id },
+      now: this.now
+    }));
+    return decision;
+  }
+  async findApprovedRecord(ctx) {
+    const approvalId = typeof ctx.request.metadata?.approvalId === "string" ? ctx.request.metadata.approvalId : void 0;
+    if (!approvalId) return void 0;
+    const record = await this.store.get(approvalId);
+    if (!record || record.status !== "approved") return void 0;
+    if (record.expiresAt && Date.parse(record.expiresAt) <= this.now().getTime()) {
+      await this.store.put({ ...record, status: "expired" });
+      return void 0;
+    }
+    if (!approvalMatches(record, ctx)) return void 0;
+    return record;
+  }
+};
+function createApprovalBackedPolicyEngine(options) {
+  return new ApprovalBackedPolicyEngine(options);
+}
+async function resolveIntegrationApproval(input) {
+  const record = await input.store.get(input.approvalId);
+  if (!record) throw new Error(`Approval ${input.approvalId} not found.`);
+  const now = input.now ?? (() => /* @__PURE__ */ new Date());
+  const next = {
+    ...record,
+    status: input.approved ? "approved" : "denied",
+    resolvedAt: now().toISOString(),
+    resolvedBy: input.resolvedBy,
+    reason: input.reason,
+    metadata: { ...record.metadata ?? {}, ...input.metadata ?? {} }
+  };
+  await input.store.put(next);
+  await input.audit?.record(createIntegrationAuditEvent({
+    type: "approval.resolved",
+    actor: input.resolvedBy,
+    connectionId: record.request.connectionId,
+    providerId: record.request.providerId,
+    connectorId: record.request.connectorId,
+    action: record.request.action,
+    risk: record.request.risk,
+    dataClass: record.request.dataClass,
+    ok: input.approved,
+    message: input.reason,
+    metadata: { approvalId: record.id, status: next.status },
+    now
+  }));
+  return next;
+}
+function approvalMatches(record, ctx) {
+  return record.request.connectionId === ctx.connection.id && record.request.providerId === ctx.connection.providerId && record.request.connectorId === ctx.connection.connectorId && record.request.action === ctx.request.action && record.request.actor.type === ctx.subject.type && record.request.actor.id === ctx.subject.id && record.metadata?.inputHash === approvalInputHash(ctx.request.input);
+}
+function matchesFilter2(record, filter) {
+  if (filter.status && record.status !== filter.status) return false;
+  if (filter.connectionId && record.request.connectionId !== filter.connectionId) return false;
+  if (filter.connectorId && record.request.connectorId !== filter.connectorId) return false;
+  if (filter.action && record.request.action !== filter.action) return false;
+  if (filter.actor && (record.request.actor.type !== filter.actor.type || record.request.actor.id !== filter.actor.id)) return false;
+  return true;
+}
+function approvalInputHash(input) {
+  return createHash("sha256").update(JSON.stringify(input ?? null)).digest("base64url");
+}
+// src/bridge.ts
+var DEFAULT_INTEGRATION_BRIDGE_ENV = "TANGLE_INTEGRATION_BUNDLE";
+function buildIntegrationBridgePayload(bundle) {
+  return {
+    version: 1,
+    manifestId: bundle.manifestId,
+    subject: bundle.subject,
+    expiresAt: bundle.expiresAt,
+    tools: bundle.tools.flatMap((tool) => {
+      const binding = bundle.capabilities.find(
+        (candidate) => candidate.connectorId === tool.connectorId && candidate.connectionId && candidate.allowedActions.includes(tool.action.id)
+      );
+      if (!binding) return [];
+      return [{
+        name: tool.name,
+        title: tool.title,
+        connectorId: tool.connectorId,
+        connectionId: binding.connectionId,
+        action: tool.action.id,
+        risk: tool.risk,
+        dataClass: tool.dataClass,
+        requiredScopes: tool.requiredScopes,
+        capabilityToken: binding.capability.token
+      }];
+    })
+  };
+}
+function encodeIntegrationBridgePayload(payload) {
+  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+}
+function decodeIntegrationBridgePayload(encoded) {
+  const parsed = JSON.parse(Buffer.from(encoded, "base64url").toString("utf8"));
+  assertBridgePayload(parsed);
+  return parsed;
+}
+function buildIntegrationBridgeEnvironment(bundle, options = {}) {
+  const envVar = options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV;
+  return {
+    [envVar]: encodeIntegrationBridgePayload(buildIntegrationBridgePayload(bundle))
+  };
+}
+function parseIntegrationBridgeEnvironment(env, options = {}) {
+  const envVar = options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV;
+  const encoded = env[envVar];
+  if (!encoded) throw new Error(`Missing ${envVar}.`);
+  return decodeIntegrationBridgePayload(encoded);
+}
+function redactIntegrationBridgePayload(payload) {
+  return {
+    ...payload,
+    tools: payload.tools.map((tool) => ({
+      ...tool,
+      capabilityToken: "[REDACTED]"
+    }))
+  };
+}
+function assertBridgePayload(value) {
+  if (!value || typeof value !== "object") throw new Error("Invalid integration bridge payload.");
+  const payload = value;
+  if (payload.version !== 1) throw new Error("Unsupported integration bridge payload version.");
+  if (typeof payload.manifestId !== "string") throw new Error("Invalid integration bridge manifestId.");
+  if (typeof payload.expiresAt !== "string") throw new Error("Invalid integration bridge expiresAt.");
+  if (!Array.isArray(payload.tools)) throw new Error("Invalid integration bridge tools.");
+}
+// src/adapter-provider.ts
+function createConnectorAdapterProvider(options) {
+  const providerId = options.id ?? "first-party";
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const adapters = /* @__PURE__ */ new Map();
+  for (const adapter of options.adapters) {
+    adapters.set(adapter.manifest.kind, adapter);
+  }
+  return {
+    id: providerId,
+    kind: options.kind ?? "first_party",
+    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
+    async invokeAction(connection, request) {
+      const adapter = adapters.get(connection.connectorId);
+      if (!adapter) {
+        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
+      }
+      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
+      if (!capability) {
+        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
+      }
+      const source = await options.resolveDataSource(connection);
+      const invocation = {
+        source,
+        capabilityName: request.action,
+        args: toRecord(request.input),
+        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
+        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
+        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0
+      };
+      if (capability.class === "read") {
+        if (!adapter.executeRead) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
+        }
+        const result = await adapter.executeRead(invocation);
+        return readResultToAction(request, result);
+      }
+      if (capability.class === "mutation") {
+        if (!adapter.executeMutation) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
+        }
+        const result = await adapter.executeMutation(invocation);
+        return mutationResultToAction(request, result);
+      }
+      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
+    }
+  };
+}
+function manifestToConnector(providerId, adapter) {
+  const manifest = adapter.manifest;
+  return {
+    id: manifest.kind,
+    providerId,
+    title: manifest.displayName,
+    category: mapCategory(manifest.category),
+    auth: mapAuth(manifest.auth.kind),
+    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
+    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
+      id: capability.name,
+      title: titleFromName(capability.name),
+      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
+      requiredScopes: capability.requiredScopes ?? [],
+      dataClass: inferDataClass(manifest.category),
+      description: capability.description,
+      approvalRequired: capability.class === "mutation",
+      inputSchema: capability.parameters
+    })),
+    metadata: {
+      source: "first-party-adapter",
+      supportTier: "firstPartyExecutable",
+      executable: true
+    }
+  };
+}
+function readResultToAction(request, result) {
+  return {
+    ok: true,
+    action: request.action,
+    output: result.data,
+    metadata: {
+      etag: result.etag,
+      fetchedAt: result.fetchedAt
+    }
+  };
+}
+function mutationResultToAction(request, result) {
+  if (result.status === "committed") {
+    return {
+      ok: true,
+      action: request.action,
+      output: result.data,
+      metadata: {
+        etagAfter: result.etagAfter,
+        committedAt: result.committedAt,
+        idempotentReplay: result.idempotentReplay
+      }
+    };
+  }
+  if (result.status === "conflict") {
+    return {
+      ok: false,
+      action: request.action,
+      output: {
+        conflict: true,
+        message: result.message,
+        alternatives: result.alternatives,
+        currentState: result.currentState
+      }
+    };
+  }
+  return {
+    ok: false,
+    action: request.action,
+    output: {
+      rateLimited: true,
+      retryAfterMs: result.retryAfterMs,
+      message: result.message
+    }
+  };
+}
+function mapAuth(kind) {
+  if (kind === "oauth2") return "oauth2";
+  if (kind === "api-key") return "api_key";
+  if (kind === "none") return "none";
+  return "custom";
+}
+function mapCategory(category) {
+  if (category === "comms") return "chat";
+  if (category === "spreadsheet") return "database";
+  if (category === "doc") return "docs";
+  if (category === "commerce") return "workflow";
+  return category === "other" ? "other" : category;
+}
+function inferDataClass(category) {
+  if (category === "commerce") return "sensitive";
+  if (category === "webhook") return "internal";
+  return "private";
+}
+function titleFromName(name) {
+  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
+}
+function toRecord(input) {
+  if (input && typeof input === "object" && !Array.isArray(input)) return input;
+  return {};
+}
+// src/credentials.ts
+var InMemoryIntegrationSecretStore = class {
+  secrets = /* @__PURE__ */ new Map();
+  get(ref) {
+    return this.secrets.get(secretKey(ref));
+  }
+  put(ref, credentials) {
+    this.secrets.set(secretKey(ref), credentials);
+  }
+  delete(ref) {
+    this.secrets.delete(secretKey(ref));
+  }
+};
+function createConnectionCredentialResolver(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return async function resolveDataSource(connection) {
+    const credentials = await resolveConnectionCredentials(connection, {
+      secrets: options.secrets,
+      connections: options.connections,
+      adapters: options.adapters,
+      now,
+      markConnectionError: options.markConnectionError
+    });
+    return {
+      id: connection.id,
+      projectId: String(connection.metadata?.projectId ?? connection.owner.id),
+      publishedAgentId: typeof connection.metadata?.publishedAgentId === "string" ? connection.metadata.publishedAgentId : null,
+      kind: connection.connectorId,
+      label: connection.account?.displayName ?? connection.account?.email ?? connection.connectorId,
+      consistencyModel: typeof connection.metadata?.consistencyModel === "string" ? connection.metadata.consistencyModel : "authoritative",
+      scopes: connection.grantedScopes,
+      metadata: connection.metadata ?? {},
+      credentials,
+      status: connection.status === "active" ? "active" : connection.status === "revoked" ? "revoked" : "error"
+    };
+  };
+}
+async function resolveConnectionCredentials(input, options) {
+  if (input.status !== "active") throw new Error(`Connection ${input.id} is ${input.status}.`);
+  if (!input.secretRef) return { kind: "none" };
+  const current = await options.secrets.get(input.secretRef);
+  if (!current) throw new Error(`Secret ${input.secretRef.provider}/${input.secretRef.id} not found.`);
+  if (!isExpiredOauth(current, options.now ?? (() => /* @__PURE__ */ new Date()))) return current;
+  const adapter = options.adapters?.find((candidate) => candidate.manifest.kind === input.connectorId);
+  if (!adapter?.refreshToken) return current;
+  try {
+    const refreshed = await adapter.refreshToken(current);
+    await options.secrets.put(input.secretRef, refreshed);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "active",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString(),
+        expiresAt: refreshed.kind === "oauth2" && refreshed.expiresAt ? new Date(refreshed.expiresAt).toISOString() : input.expiresAt
+      });
+    }
+    return refreshed;
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error("Credential refresh failed.");
+    await options.markConnectionError?.(input, err);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "expired",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    throw err;
+  }
+}
+function createCredentialBackedAdapterProvider(options) {
+  return createConnectorAdapterProvider({
+    ...options,
+    resolveDataSource: createConnectionCredentialResolver(options)
+  });
+}
+async function revokeConnection(input) {
+  if (input.connection.secretRef) await input.secrets?.delete?.(input.connection.secretRef);
+  const revoked = {
+    ...input.connection,
+    status: "revoked",
+    updatedAt: (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+  await input.connections?.put(revoked);
+  return revoked;
+}
+function isExpiredOauth(credentials, now) {
+  return credentials.kind === "oauth2" && typeof credentials.expiresAt === "number" && credentials.expiresAt <= now().getTime() && Boolean(credentials.refreshToken);
+}
+function secretKey(ref) {
+  return `${ref.provider}:${ref.id}`;
+}
+// src/events.ts
+var InMemoryIntegrationEventStore = class {
+  events = /* @__PURE__ */ new Map();
+  providerIds = /* @__PURE__ */ new Set();
+  put(event) {
+    this.events.set(event.id, event);
+    if (event.providerEventId) this.providerIds.add(providerKey(event.sourceId, event.providerEventId));
+  }
+  hasProviderEvent(sourceId, providerEventId) {
+    return this.providerIds.has(providerKey(sourceId, providerEventId));
+  }
+  list() {
+    return [...this.events.values()];
+  }
+};
+async function receiveIntegrationWebhook(input) {
+  if (!input.adapter.handleInboundEvent) {
+    return { status: 405, body: { ok: false, error: "Connector does not support inbound webhooks." }, received: [], duplicates: [] };
+  }
+  const signature = input.adapter.verifySignature?.({
+    rawBody: input.rawBody,
+    headers: input.headers,
+    source: input.source
+  });
+  if (signature && !signature.valid) {
+    return { status: 401, body: { ok: false, error: signature.reason ?? "Invalid webhook signature." }, received: [], duplicates: [] };
+  }
+  const handled = await input.adapter.handleInboundEvent({
+    source: input.source,
+    rawBody: input.rawBody,
+    headers: input.headers
+  });
+  const received = [];
+  const duplicates = [];
+  for (const inbound of handled.events) {
+    const event = storedEvent(input.source, inbound, input.now ?? (() => /* @__PURE__ */ new Date()));
+    if (event.providerEventId && await input.store.hasProviderEvent(event.sourceId, event.providerEventId)) {
+      duplicates.push(event);
+      continue;
+    }
+    await input.store.put(event);
+    received.push(event);
+    await dispatchStoredEvent(event, input.source, input.workflowRuntime);
+  }
+  return {
+    status: handled.response?.status ?? 200,
+    body: handled.response?.body ?? { received: true, count: received.length, duplicateCount: duplicates.length },
+    headers: handled.response?.headers,
+    received,
+    duplicates
+  };
+}
+function storedEventToTriggerEvent(event, source) {
+  return {
+    id: event.id,
+    providerId: String(source.metadata.providerId ?? "first-party"),
+    connectorId: event.connectorId,
+    connectionId: source.id,
+    trigger: event.eventType,
+    occurredAt: event.receivedAt,
+    payload: event.payload,
+    metadata: {
+      providerEventId: event.providerEventId,
+      sourceId: event.sourceId,
+      ...event.metadata
+    }
+  };
+}
+async function dispatchStoredEvent(event, source, workflowRuntime) {
+  if (!workflowRuntime) return;
+  await workflowRuntime.dispatchEvent(storedEventToTriggerEvent(event, source), () => void 0);
+}
+function storedEvent(source, event, now) {
+  return {
+    id: `evt_${source.id}_${event.providerEventId ?? `${event.eventType}_${now().getTime()}`}`,
+    sourceId: source.id,
+    connectorId: source.kind,
+    eventType: event.eventType,
+    providerEventId: event.providerEventId,
+    receivedAt: now().toISOString(),
+    payload: event.payload
+  };
+}
+function providerKey(sourceId, providerEventId) {
+  return `${sourceId}:${providerEventId}`;
+}
+// src/guard.ts
+import { createHash as createHash2 } from "crypto";
+var InMemoryIntegrationIdempotencyStore = class {
+  records = /* @__PURE__ */ new Map();
+  get(key) {
+    return this.records.get(key);
+  }
+  put(record) {
+    this.records.set(record.key, record);
+  }
+};
+var DefaultIntegrationActionGuard = class {
+  idempotency;
+  audit;
+  rateLimiter;
+  now;
+  constructor(options = {}) {
+    this.idempotency = options.idempotency;
+    this.audit = options.audit;
+    this.rateLimiter = options.rateLimiter;
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  async invokeAction(ctx, proceed) {
+    const idempotencyKey = ctx.request.idempotencyKey;
+    const requestHash = hashRequest(ctx);
+    if (idempotencyKey && this.idempotency) {
+      const existing = await this.idempotency.get(idempotencyKey);
+      if (existing) {
+        if (existing.requestHash !== requestHash) {
+          return {
+            ok: false,
+            action: ctx.request.action,
+            output: { idempotencyConflict: true, message: "Idempotency key was reused with different integration input." }
+          };
+        }
+        return {
+          ...existing.result,
+          metadata: { ...existing.result.metadata ?? {}, idempotentReplay: true }
+        };
+      }
+    }
+    if (ctx.request.dryRun && ctx.action?.risk !== "read") {
+      const result = {
+        ok: true,
+        action: ctx.request.action,
+        output: { dryRun: true },
+        metadata: { dryRun: true }
+      };
+      await this.writeIdempotency(idempotencyKey, requestHash, result);
+      return result;
+    }
+    const rateLimit = await this.rateLimiter?.check(ctx);
+    if (rateLimit && !rateLimit.allowed) {
+      return {
+        ok: false,
+        action: ctx.request.action,
+        output: { rateLimited: true, retryAfterMs: rateLimit.retryAfterMs, message: rateLimit.reason ?? "Integration rate limit exceeded." }
+      };
+    }
+    try {
+      const result = await proceed();
+      await this.writeIdempotency(idempotencyKey, requestHash, result);
+      await this.audit?.record(createIntegrationAuditEvent({
+        type: result.ok ? "action.invoked" : "action.failed",
+        actor: ctx.connection.owner,
+        connectionId: ctx.connection.id,
+        providerId: ctx.connection.providerId,
+        connectorId: ctx.connection.connectorId,
+        action: ctx.request.action,
+        risk: ctx.action?.risk,
+        dataClass: ctx.action?.dataClass,
+        ok: result.ok,
+        metadata: { idempotencyKey, externalId: result.externalId, warnings: result.warnings },
+        now: this.now
+      }));
+      return result;
+    } catch (error) {
+      await this.audit?.record(createIntegrationAuditEvent({
+        type: "action.failed",
+        actor: ctx.connection.owner,
+        connectionId: ctx.connection.id,
+        providerId: ctx.connection.providerId,
+        connectorId: ctx.connection.connectorId,
+        action: ctx.request.action,
+        risk: ctx.action?.risk,
+        dataClass: ctx.action?.dataClass,
+        ok: false,
+        message: error instanceof Error ? error.message : "Integration action failed.",
+        metadata: { idempotencyKey },
+        now: this.now
+      }));
+      throw error;
+    }
+  }
+  async writeIdempotency(key, requestHash, result) {
+    if (!key || !this.idempotency) return;
+    await this.idempotency.put({
+      key,
+      requestHash,
+      result,
+      createdAt: this.now().toISOString()
+    });
+  }
+};
+function createDefaultIntegrationActionGuard(options = {}) {
+  return new DefaultIntegrationActionGuard(options);
+}
+function hashRequest(ctx) {
+  return createHash2("sha256").update(JSON.stringify({
+    connectionId: ctx.connection.id,
+    action: ctx.request.action,
+    input: ctx.request.input ?? null,
+    dryRun: ctx.request.dryRun ?? false
+  })).digest("base64url");
+}
+// src/healthcheck.ts
+var InMemoryIntegrationHealthcheckStore = class {
+  results = /* @__PURE__ */ new Map();
+  put(result) {
+    this.results.set(result.connectionId, result);
+  }
+  get(connectionId) {
+    return this.results.get(connectionId);
+  }
+  list() {
+    return [...this.results.values()];
+  }
+};
+async function runIntegrationHealthcheck(input) {
+  const now = input.now ?? (() => /* @__PURE__ */ new Date());
+  const checkedAt = now().toISOString();
+  const connector = input.connector ?? input.registry?.byId.get(input.connection.connectorId)?.connector;
+  const checks = [];
+  checks.push(connectionStatusCheck(input.connection, now));
+  if (!connector) {
+    checks.push({ id: "connector-known", status: "unknown", message: `Connector ${input.connection.connectorId} is not in the registry.` });
+  } else {
+    checks.push(connectorExecutableCheck(connector));
+    checks.push(scopeShapeCheck(input.connection, connector));
+    if (input.test && input.connection.status === "active") {
+      checks.push(await liveHealthcheck(input.connection, connector, input.test));
+    }
+  }
+  const result = {
+    connectionId: input.connection.id,
+    providerId: input.connection.providerId,
+    connectorId: input.connection.connectorId,
+    status: rollupHealthStatus(checks),
+    checkedAt,
+    checks
+  };
+  await input.audit?.record(createIntegrationAuditEvent({
+    type: "healthcheck.completed",
+    actor: input.connection.owner,
+    connectionId: input.connection.id,
+    providerId: input.connection.providerId,
+    connectorId: input.connection.connectorId,
+    ok: result.status === "healthy",
+    message: result.status,
+    metadata: { checks: checks.map((check) => ({ id: check.id, status: check.status, message: check.message })) },
+    occurredAt: checkedAt
+  }));
+  return result;
+}
+async function runIntegrationHealthchecks(input) {
+  const results = [];
+  for (const connection of input.connections) {
+    const result = await runIntegrationHealthcheck({
+      connection,
+      registry: input.registry,
+      test: input.test,
+      audit: input.audit,
+      now: input.now
+    });
+    await input.store?.put(result);
+    results.push(result);
+  }
+  return results;
+}
+function healthcheckRequest(action = "healthcheck") {
+  return {
+    connectionId: "__healthcheck__",
+    action,
+    input: {},
+    dryRun: true,
+    metadata: { healthcheck: true }
+  };
+}
+function connectionStatusCheck(connection, now) {
+  if (connection.status !== "active") {
+    return { id: "connection-active", status: "unhealthy", message: `Connection is ${connection.status}.` };
+  }
+  if (connection.expiresAt && Date.parse(connection.expiresAt) <= now().getTime()) {
+    return { id: "connection-active", status: "unhealthy", message: "Connection credentials are expired." };
+  }
+  return { id: "connection-active", status: "healthy", message: "Connection is active." };
+}
+function connectorExecutableCheck(connector) {
+  const executable = connector.actions.length > 0 || (connector.triggers?.length ?? 0) > 0;
+  if (!executable) {
+    return { id: "connector-executable", status: "degraded", message: `${connector.title} is catalog-only.` };
+  }
+  return { id: "connector-executable", status: "healthy", message: `${connector.title} has executable actions or triggers.` };
+}
+function scopeShapeCheck(connection, connector) {
+  const declaredScopes = new Set(connector.scopes);
+  const undeclared = connection.grantedScopes.filter((scope) => !declaredScopes.has(scope));
+  if (connector.scopes.length === 0 && connection.grantedScopes.length > 0) {
+    return { id: "scope-shape", status: "unknown", message: "Connector does not declare a scope catalog.", metadata: { grantedScopes: connection.grantedScopes } };
+  }
+  if (undeclared.length > 0) {
+    return { id: "scope-shape", status: "degraded", message: "Connection has scopes not declared by the connector.", metadata: { undeclared } };
+  }
+  return { id: "scope-shape", status: "healthy", message: "Granted scopes match the connector shape." };
+}
+async function liveHealthcheck(connection, connector, test) {
+  try {
+    const result = await test(connection, connector);
+    const ok = typeof result === "boolean" ? result : result.ok;
+    return {
+      id: "provider-live-test",
+      status: ok ? "healthy" : "unhealthy",
+      message: ok ? "Provider live test passed." : "Provider live test failed.",
+      metadata: typeof result === "boolean" ? void 0 : { action: result.action, warnings: result.warnings }
+    };
+  } catch (error) {
+    return {
+      id: "provider-live-test",
+      status: "unhealthy",
+      message: error instanceof Error ? error.message : "Provider live test failed."
+    };
+  }
+}
+function rollupHealthStatus(checks) {
+  if (checks.some((check) => check.status === "unhealthy")) return "unhealthy";
+  if (checks.some((check) => check.status === "degraded")) return "degraded";
+  if (checks.some((check) => check.status === "unknown")) return "unknown";
+  return "healthy";
+}
 // src/connectors/types.ts
 var ResourceContention = class extends Error {
   constructor(message, alternatives = [], currentState) {
@@ -1344,7 +2207,7 @@ function assertValidConnectorManifest(manifest) {
 }
 // src/connectors/oauth.ts
-import { createHash, randomBytes } from "crypto";
+import { createHash as createHash3, randomBytes } from "crypto";
 var PENDING_TTL_MS = 10 * 60 * 1e3;
 var InMemoryOAuthFlowStore = class {
   pendingFlows = /* @__PURE__ */ new Map();
@@ -1372,7 +2235,7 @@ function startOAuthFlow(input) {
   const now = input.now ?? Date.now();
   store.sweep?.(now);
   const codeVerifier = base64Url(randomBytes(48));
-  const codeChallenge = base64Url(createHash("sha256").update(codeVerifier).digest());
+  const codeChallenge = base64Url(createHash3("sha256").update(codeVerifier).digest());
   const state = base64Url(randomBytes(24));
   store.put(state, {
     codeVerifier,
@@ -1837,7 +2700,7 @@ function readMetaString(meta, key) {
 }
 // src/connectors/adapters/google-sheets.ts
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 var SCOPES2 = ["https://www.googleapis.com/auth/spreadsheets"];
 var AUTH_URL2 = "https://accounts.google.com/o/oauth2/v2/auth";
 var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
@@ -2111,7 +2974,7 @@ async function fetchAllRows(accessToken, meta) {
 function rowFingerprint(values) {
   const keys = Object.keys(values).sort();
   const blob = keys.map((k) => `${k}=${values[k]}`).join("");
-  return createHash2("sha256").update(blob).digest("hex").slice(0, 16);
+  return createHash4("sha256").update(blob).digest("hex").slice(0, 16);
 }
 function matchesPredicate(row, predicate) {
   for (const [k, v] of Object.entries(predicate)) {
@@ -4597,7 +5460,7 @@ function unique2(values) {
 }
 // src/policy.ts
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 var StaticIntegrationPolicyEngine = class {
   rules;
   defaultReadEffect;
@@ -4640,7 +5503,7 @@ function buildApprovalRequest(ctx, reason, requestedAt) {
     throw new Error("Cannot build approval request without an action descriptor.");
   }
   return {
-    id: `approval_${randomUUID()}`,
+    id: `approval_${randomUUID2()}`,
     connectionId: ctx.connection.id,
     providerId: ctx.connection.providerId,
     connectorId: ctx.connection.connectorId,
@@ -4656,7 +5519,7 @@ function buildApprovalRequest(ctx, reason, requestedAt) {
 function redactApprovalRequest(request) {
   return {
     ...request,
-    inputPreview: redactUnknown(request.inputPreview)
+    inputPreview: redactUnknown2(request.inputPreview)
   };
 }
 function ruleMatches(rule, ctx) {
@@ -4680,17 +5543,17 @@ function defaultReason(effect, risk) {
   return `${risk} integration action requires approval by default policy.`;
 }
 function previewInput(input) {
-  return redactUnknown(input);
+  return redactUnknown2(input);
 }
-function redactUnknown(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown);
+function redactUnknown2(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown2);
   if (!value || typeof value !== "object") return value;
   const out = {};
   for (const [key, child] of Object.entries(value)) {
     if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
       out[key] = "[REDACTED]";
     } else {
-      out[key] = redactUnknown(child);
+      out[key] = redactUnknown2(child);
     }
   }
   return out;
@@ -4754,13 +5617,13 @@ function redactInvocationEnvelope(envelope) {
   return {
     ...envelope,
     capabilityToken: "[REDACTED]",
-    input: redactUnknown2(envelope.input)
+    input: redactUnknown3(envelope.input)
   };
 }
 function redactCapability(capability) {
   return {
     ...capability,
-    metadata: redactUnknown2(capability.metadata)
+    metadata: redactUnknown3(capability.metadata)
   };
 }
 function normalizeIntegrationResult(result) {
@@ -4788,15 +5651,40 @@ function normalizeIntegrationResult(result) {
     metadata: result.metadata
   };
 }
-function redactUnknown2(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown2);
+async function dispatchIntegrationInvocation(envelope, options) {
+  try {
+    validateIntegrationInvocationEnvelope(envelope, options);
+    const result = await options.hub.invokeWithCapability(
+      envelope.capabilityToken,
+      invocationRequestFromEnvelope(envelope)
+    );
+    return normalizeIntegrationResult(result);
+  } catch (error) {
+    return {
+      status: "failed",
+      action: typeof envelope?.action === "string" ? envelope.action : "unknown",
+      error: error instanceof Error ? error.message : "Integration invocation failed."
+    };
+  }
+}
+var IntegrationSandboxHost = class {
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  dispatch(envelope) {
+    return dispatchIntegrationInvocation(envelope, this.options);
+  }
+};
+function redactUnknown3(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown3);
   if (!value || typeof value !== "object") return value;
   const out = {};
   for (const [key, child] of Object.entries(value)) {
     if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
       out[key] = "[REDACTED]";
     } else {
-      out[key] = redactUnknown2(child);
+      out[key] = redactUnknown3(child);
     }
   }
   return out;
@@ -4808,152 +5696,6 @@ function isPlainRecord(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-// src/adapter-provider.ts
-function createConnectorAdapterProvider(options) {
-  const providerId = options.id ?? "first-party";
-  const now = options.now ?? (() => /* @__PURE__ */ new Date());
-  const adapters = /* @__PURE__ */ new Map();
-  for (const adapter of options.adapters) {
-    adapters.set(adapter.manifest.kind, adapter);
-  }
-  return {
-    id: providerId,
-    kind: options.kind ?? "first_party",
-    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
-    async invokeAction(connection, request) {
-      const adapter = adapters.get(connection.connectorId);
-      if (!adapter) {
-        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
-      }
-      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
-      if (!capability) {
-        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
-      }
-      const source = await options.resolveDataSource(connection);
-      const invocation = {
-        source,
-        capabilityName: request.action,
-        args: toRecord(request.input),
-        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
-        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
-        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0
-      };
-      if (capability.class === "read") {
-        if (!adapter.executeRead) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
-        }
-        const result = await adapter.executeRead(invocation);
-        return readResultToAction(request, result);
-      }
-      if (capability.class === "mutation") {
-        if (!adapter.executeMutation) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
-        }
-        const result = await adapter.executeMutation(invocation);
-        return mutationResultToAction(request, result);
-      }
-      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
-    }
-  };
-}
-function manifestToConnector(providerId, adapter) {
-  const manifest = adapter.manifest;
-  return {
-    id: manifest.kind,
-    providerId,
-    title: manifest.displayName,
-    category: mapCategory(manifest.category),
-    auth: mapAuth(manifest.auth.kind),
-    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
-    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
-      id: capability.name,
-      title: titleFromName(capability.name),
-      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
-      requiredScopes: capability.requiredScopes ?? [],
-      dataClass: inferDataClass(manifest.category),
-      description: capability.description,
-      approvalRequired: capability.class === "mutation",
-      inputSchema: capability.parameters
-    })),
-    metadata: {
-      source: "first-party-adapter",
-      supportTier: "firstPartyExecutable",
-      executable: true
-    }
-  };
-}
-function readResultToAction(request, result) {
-  return {
-    ok: true,
-    action: request.action,
-    output: result.data,
-    metadata: {
-      etag: result.etag,
-      fetchedAt: result.fetchedAt
-    }
-  };
-}
-function mutationResultToAction(request, result) {
-  if (result.status === "committed") {
-    return {
-      ok: true,
-      action: request.action,
-      output: result.data,
-      metadata: {
-        etagAfter: result.etagAfter,
-        committedAt: result.committedAt,
-        idempotentReplay: result.idempotentReplay
-      }
-    };
-  }
-  if (result.status === "conflict") {
-    return {
-      ok: false,
-      action: request.action,
-      output: {
-        conflict: true,
-        message: result.message,
-        alternatives: result.alternatives,
-        currentState: result.currentState
-      }
-    };
-  }
-  return {
-    ok: false,
-    action: request.action,
-    output: {
-      rateLimited: true,
-      retryAfterMs: result.retryAfterMs,
-      message: result.message
-    }
-  };
-}
-function mapAuth(kind) {
-  if (kind === "oauth2") return "oauth2";
-  if (kind === "api-key") return "api_key";
-  if (kind === "none") return "none";
-  return "custom";
-}
-function mapCategory(category) {
-  if (category === "comms") return "chat";
-  if (category === "spreadsheet") return "database";
-  if (category === "doc") return "docs";
-  if (category === "commerce") return "workflow";
-  return category === "other" ? "other" : category;
-}
-function inferDataClass(category) {
-  if (category === "commerce") return "sensitive";
-  if (category === "webhook") return "internal";
-  return "private";
-}
-function titleFromName(name) {
-  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
-}
-function toRecord(input) {
-  if (input && typeof input === "object" && !Array.isArray(input)) return input;
-  return {};
-}
 // src/importers.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete"]);
 function importOpenApiConnector(document, options) {
@@ -5740,7 +6482,7 @@ var IntegrationHub = class {
     assertScopes(connection, request.scopes);
     const now = this.now();
     const capability = {
-      id: `cap_${randomUUID2()}`,
+      id: `cap_${randomUUID3()}`,
       subject: request.subject,
       connectionId: request.connectionId,
       scopes: unique6(request.scopes),
@@ -5995,16 +6737,26 @@ function unique6(values) {
 }
 export {
   ACTIVEPIECES_OVERRIDES,
+  ApprovalBackedPolicyEngine,
   CredentialsExpired,
+  DEFAULT_INTEGRATION_BRIDGE_ENV,
   DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  DefaultIntegrationActionGuard,
   INTEGRATION_FAMILIES,
   InMemoryConnectionStore,
+  InMemoryIntegrationApprovalStore,
+  InMemoryIntegrationAuditStore,
+  InMemoryIntegrationEventStore,
   InMemoryIntegrationGrantStore,
+  InMemoryIntegrationHealthcheckStore,
+  InMemoryIntegrationIdempotencyStore,
+  InMemoryIntegrationSecretStore,
   InMemoryIntegrationWorkflowStore,
   InMemoryOAuthFlowStore,
   IntegrationError,
   IntegrationHub,
   IntegrationRuntime,
+  IntegrationSandboxHost,
   IntegrationWorkflowRuntime,
   ResourceContention,
   StaticIntegrationPolicyEngine,
@@ -6017,6 +6769,8 @@ export {
   buildApprovalRequest,
   buildDefaultIntegrationRegistry,
   buildHealthcheckPlan,
+  buildIntegrationBridgeEnvironment,
+  buildIntegrationBridgePayload,
   buildIntegrationCoverageConnectors,
   buildIntegrationInvocationEnvelope,
   buildIntegrationToolCatalog,
@@ -6024,14 +6778,23 @@ export {
   composeIntegrationRegistry,
   consoleStepsToText,
   consumePendingFlow,
+  createApprovalBackedPolicyEngine,
+  createAuditingActionGuard,
+  createConnectionCredentialResolver,
   createConnectorAdapterProvider,
+  createCredentialBackedAdapterProvider,
+  createDefaultIntegrationActionGuard,
   createDefaultIntegrationPolicyEngine,
   createGatewayCatalogProvider,
   createHttpIntegrationProvider,
+  createIntegrationAuditEvent,
   createIntegrationRuntime,
   createIntegrationWorkflowRuntime,
   createMockIntegrationProvider,
   declarativeRestConnector,
+  decodeIntegrationBridgePayload,
+  dispatchIntegrationInvocation,
+  encodeIntegrationBridgePayload,
   exchangeAuthorizationCode,
   firstHeader,
   getActivepiecesOverride,
@@ -6041,6 +6804,7 @@ export {
   gitlabConnector,
   googleCalendar,
   googleSheets,
+  healthcheckRequest,
   hubspot,
   importGraphqlConnector,
   importMcpConnector,
@@ -6059,16 +6823,25 @@ export {
   normalizeGatewayCatalog,
   normalizeIntegrationResult,
   notionDatabase,
+  parseIntegrationBridgeEnvironment,
   parseIntegrationToolName,
   parseStripeSignatureHeader,
+  receiveIntegrationWebhook,
   redactApprovalRequest,
   redactCapability,
+  redactIntegrationBridgePayload,
   redactInvocationEnvelope,
   refreshAccessToken,
   renderAgentToolDescription,
   renderConsoleSteps,
   renderRunbookMarkdown,
+  resolveConnectionCredentials,
+  resolveIntegrationApproval,
+  revokeConnection,
+  runIntegrationHealthcheck,
+  runIntegrationHealthchecks,
   salesforceConnector,
+  sanitizeAuditConnection,
   sanitizeConnection,
   searchIntegrationTools,
   signCapability,
@@ -6076,6 +6849,7 @@ export {
   slackEventsConnector,
   specAuthToConnectorAuth,
   startOAuthFlow,
+  storedEventToTriggerEvent,
   stripePackConnector,
   stripeWebhookReceiverConnector,
   summarizeIntegrationRegistry,