@tangle-network/agent-integrations 0.14.0 → 0.16.0

package/dist/index.js

@@ -1,5 +1,5 @@
 // src/index.ts
-import { createHmac as createHmac3, randomUUID as randomUUID2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { createHmac as createHmac3, randomUUID as randomUUID3, timingSafeEqual as timingSafeEqual2 } from "crypto";
 
 // src/activepieces-catalog.ts
 import { readFileSync } from "fs";
@@ -129,7 +129,7 @@ function buildActivepiecesConnectors(options = {}) {
     const category = override?.category ?? entry.category;
     const scopes = [`${entry.id}.read`, `${entry.id}.write`];
     const catalogActions = entry.actions.length > 0 ? entry.actions.map((action) => toAction(applyActionOverride(action, override), scopes, dataClassFor(category))) : defaultActions(entry.id, scopes, dataClassFor(category));
-    const catalogTriggers = entry.triggers.map((trigger) => toTrigger(trigger, scopes, dataClassFor(category)));
+    const catalogTriggers = entry.triggers.map((trigger2) => toTrigger(trigger2, scopes, dataClassFor(category)));
     return {
       id: entry.id,
       providerId,
@@ -172,10 +172,10 @@ function toAction(action, scopes, dataClass) {
     inputSchema: { type: "object", additionalProperties: true, properties: {} }
   };
 }
-function toTrigger(trigger, scopes, dataClass) {
+function toTrigger(trigger2, scopes, dataClass) {
   return {
-    id: trigger.id,
-    title: trigger.title,
+    id: trigger2.id,
+    title: trigger2.title,
     requiredScopes: [scopes[0]],
     dataClass,
     payloadSchema: { type: "object", additionalProperties: true, properties: {} }
@@ -1247,8 +1247,8 @@ function mergeActions(candidates) {
 function mergeTriggers(candidates) {
   const out = /* @__PURE__ */ new Map();
   for (const candidate of toolBindableCandidates(candidates)) {
-    for (const trigger of candidate.connector.triggers ?? []) {
-      if (!out.has(trigger.id)) out.set(trigger.id, trigger);
+    for (const trigger2 of candidate.connector.triggers ?? []) {
+      if (!out.has(trigger2.id)) out.set(trigger2.id, trigger2);
     }
   }
   return out.size > 0 ? [...out.values()] : void 0;
@@ -1290,6 +1290,1554 @@ function unique(values) {
   return [...new Set(values)];
 }
 
+// src/audit.ts
+import { randomUUID } from "crypto";
+var InMemoryIntegrationAuditStore = class {
+  events = [];
+  record(event) {
+    this.events.push(event);
+  }
+  list(filter = {}) {
+    return this.events.filter((event) => matchesFilter(event, filter));
+  }
+};
+function createIntegrationAuditEvent(input) {
+  const occurredAt = input.occurredAt instanceof Date ? input.occurredAt.toISOString() : input.occurredAt ?? (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString();
+  return {
+    ...input,
+    id: input.id ?? `audit_${randomUUID()}`,
+    occurredAt,
+    metadata: input.metadata ? redactUnknown(input.metadata) : void 0
+  };
+}
+function createAuditingActionGuard(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return {
+    async invokeAction(ctx, proceed) {
+      const startedAt = now();
+      try {
+        const result = await proceed();
+        await options.sink.record(actionEvent({
+          ctx,
+          request: ctx.request,
+          result,
+          type: result.ok ? "action.invoked" : "action.failed",
+          subject: options.subject,
+          occurredAt: startedAt,
+          includeInputPreview: options.includeInputPreview
+        }));
+        return result;
+      } catch (error) {
+        await options.sink.record(actionEvent({
+          ctx,
+          request: ctx.request,
+          type: "action.failed",
+          subject: options.subject,
+          occurredAt: startedAt,
+          includeInputPreview: options.includeInputPreview,
+          message: error instanceof Error ? error.message : "Integration action failed."
+        }));
+        throw error;
+      }
+    }
+  };
+}
+function sanitizeAuditConnection(connection) {
+  return {
+    id: connection.id,
+    owner: connection.owner,
+    providerId: connection.providerId,
+    connectorId: connection.connectorId,
+    status: connection.status,
+    grantedScopes: connection.grantedScopes,
+    account: connection.account,
+    hasSecretRef: Boolean(connection.secretRef),
+    createdAt: connection.createdAt,
+    updatedAt: connection.updatedAt,
+    expiresAt: connection.expiresAt,
+    lastUsedAt: connection.lastUsedAt
+  };
+}
+function actionEvent(input) {
+  return createIntegrationAuditEvent({
+    type: input.type,
+    occurredAt: input.occurredAt,
+    actor: input.subject ?? input.ctx.connection.owner,
+    connectionId: input.ctx.connection.id,
+    providerId: input.ctx.connection.providerId,
+    connectorId: input.ctx.connection.connectorId,
+    action: input.request.action,
+    risk: input.ctx.action?.risk,
+    dataClass: input.ctx.action?.dataClass,
+    ok: input.result?.ok ?? false,
+    message: input.message,
+    metadata: {
+      idempotencyKey: input.request.idempotencyKey,
+      dryRun: input.request.dryRun,
+      externalId: input.result?.externalId,
+      warnings: input.result?.warnings,
+      inputPreview: input.includeInputPreview ? redactUnknown(input.request.input) : void 0
+    }
+  });
+}
+function matchesFilter(event, filter) {
+  if (filter.type && event.type !== filter.type) return false;
+  if (filter.actor && (!event.actor || event.actor.type !== filter.actor.type || event.actor.id !== filter.actor.id)) return false;
+  if (filter.connectionId && event.connectionId !== filter.connectionId) return false;
+  if (filter.providerId && event.providerId !== filter.providerId) return false;
+  if (filter.connectorId && event.connectorId !== filter.connectorId) return false;
+  if (filter.action && event.action !== filter.action) return false;
+  return true;
+}
+function redactUnknown(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential|refresh/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown(child);
+    }
+  }
+  return out;
+}
+
+// src/approval.ts
+import { createHash } from "crypto";
+var InMemoryIntegrationApprovalStore = class {
+  records = /* @__PURE__ */ new Map();
+  get(approvalId) {
+    return this.records.get(approvalId);
+  }
+  put(record) {
+    this.records.set(record.id, record);
+  }
+  list(filter = {}) {
+    return [...this.records.values()].filter((record) => matchesFilter2(record, filter));
+  }
+};
+var ApprovalBackedPolicyEngine = class {
+  base;
+  store;
+  audit;
+  now;
+  approvalTtlMs;
+  constructor(options) {
+    this.base = options.base;
+    this.store = options.store;
+    this.audit = options.audit;
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+    this.approvalTtlMs = options.approvalTtlMs;
+  }
+  async decide(ctx) {
+    const approved = await this.findApprovedRecord(ctx);
+    if (approved) return { decision: "allow", reason: `Approved by ${approved.resolvedBy?.type ?? "actor"} ${approved.resolvedBy?.id ?? "unknown"}.`, metadata: { approvalId: approved.id } };
+    const decision = await this.base.decide(ctx);
+    if (decision.decision !== "require_approval") return decision;
+    const requestedAt = decision.approval.requestedAt;
+    const expiresAt = this.approvalTtlMs ? new Date(Date.parse(requestedAt) + this.approvalTtlMs).toISOString() : void 0;
+    const record = {
+      id: decision.approval.id,
+      request: decision.approval,
+      status: "pending",
+      requestedAt,
+      expiresAt,
+      metadata: { ...decision.metadata ?? {}, inputHash: approvalInputHash(ctx.request.input) }
+    };
+    await this.store.put(record);
+    await this.audit?.record(createIntegrationAuditEvent({
+      type: "approval.requested",
+      actor: ctx.subject,
+      connectionId: ctx.connection.id,
+      providerId: ctx.connection.providerId,
+      connectorId: ctx.connection.connectorId,
+      action: ctx.request.action,
+      risk: ctx.action?.risk,
+      dataClass: ctx.action?.dataClass,
+      message: decision.reason,
+      metadata: { approvalId: record.id },
+      now: this.now
+    }));
+    return decision;
+  }
+  async findApprovedRecord(ctx) {
+    const approvalId = typeof ctx.request.metadata?.approvalId === "string" ? ctx.request.metadata.approvalId : void 0;
+    if (!approvalId) return void 0;
+    const record = await this.store.get(approvalId);
+    if (!record || record.status !== "approved") return void 0;
+    if (record.expiresAt && Date.parse(record.expiresAt) <= this.now().getTime()) {
+      await this.store.put({ ...record, status: "expired" });
+      return void 0;
+    }
+    if (!approvalMatches(record, ctx)) return void 0;
+    return record;
+  }
+};
+function createApprovalBackedPolicyEngine(options) {
+  return new ApprovalBackedPolicyEngine(options);
+}
+async function resolveIntegrationApproval(input) {
+  const record = await input.store.get(input.approvalId);
+  if (!record) throw new Error(`Approval ${input.approvalId} not found.`);
+  const now = input.now ?? (() => /* @__PURE__ */ new Date());
+  const next = {
+    ...record,
+    status: input.approved ? "approved" : "denied",
+    resolvedAt: now().toISOString(),
+    resolvedBy: input.resolvedBy,
+    reason: input.reason,
+    metadata: { ...record.metadata ?? {}, ...input.metadata ?? {} }
+  };
+  await input.store.put(next);
+  await input.audit?.record(createIntegrationAuditEvent({
+    type: "approval.resolved",
+    actor: input.resolvedBy,
+    connectionId: record.request.connectionId,
+    providerId: record.request.providerId,
+    connectorId: record.request.connectorId,
+    action: record.request.action,
+    risk: record.request.risk,
+    dataClass: record.request.dataClass,
+    ok: input.approved,
+    message: input.reason,
+    metadata: { approvalId: record.id, status: next.status },
+    now
+  }));
+  return next;
+}
+function approvalMatches(record, ctx) {
+  return record.request.connectionId === ctx.connection.id && record.request.providerId === ctx.connection.providerId && record.request.connectorId === ctx.connection.connectorId && record.request.action === ctx.request.action && record.request.actor.type === ctx.subject.type && record.request.actor.id === ctx.subject.id && record.metadata?.inputHash === approvalInputHash(ctx.request.input);
+}
+function matchesFilter2(record, filter) {
+  if (filter.status && record.status !== filter.status) return false;
+  if (filter.connectionId && record.request.connectionId !== filter.connectionId) return false;
+  if (filter.connectorId && record.request.connectorId !== filter.connectorId) return false;
+  if (filter.action && record.request.action !== filter.action) return false;
+  if (filter.actor && (record.request.actor.type !== filter.actor.type || record.request.actor.id !== filter.actor.id)) return false;
+  return true;
+}
+function approvalInputHash(input) {
+  return createHash("sha256").update(JSON.stringify(input ?? null)).digest("base64url");
+}
+
+// src/actions.ts
+var CANONICAL_INTEGRATION_ACTIONS = {
+  googleCalendarEventsList: "google-calendar.events.list",
+  googleCalendarEventsCreate: "google-calendar.events.create",
+  gmailMessagesSearch: "gmail.messages.search",
+  gmailMessagesSend: "gmail.messages.send",
+  googleDriveFilesSearch: "google-drive.files.search",
+  googleDriveFilesRead: "google-drive.files.read",
+  githubRepositoriesGet: "github.repositories.get",
+  githubIssuesSearch: "github.issues.search",
+  githubIssuesCreate: "github.issues.create",
+  githubPullRequestsComment: "github.pull-requests.comment",
+  slackChannelsList: "slack.channels.list",
+  slackMessagesSearch: "slack.messages.search",
+  slackMessagesPost: "slack.messages.post",
+  providerHttpRequest: "provider.http.request"
+};
+function buildCanonicalLaunchConnectors(options = {}) {
+  const providerId = options.providerId ?? "tangle-platform";
+  const connectors = [
+    googleCalendarConnector(providerId),
+    gmailConnector(providerId),
+    googleDriveConnector(providerId),
+    githubConnector(providerId),
+    slackConnector(providerId)
+  ];
+  if (!options.includeProviderPassthrough) return connectors;
+  return connectors.map((connector) => ({
+    ...connector,
+    actions: [...connector.actions, providerPassthroughAction(connector.id)]
+  }));
+}
+function canonicalActionConnectorId(actionId) {
+  if (actionId.startsWith("google-calendar.")) return "google-calendar";
+  if (actionId.startsWith("gmail.")) return "gmail";
+  if (actionId.startsWith("google-drive.")) return "google-drive";
+  if (actionId.startsWith("github.")) return "github";
+  if (actionId.startsWith("slack.")) return "slack";
+  if (actionId === CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest) return void 0;
+  return actionId.split(".")[0];
+}
+function googleCalendarConnector(providerId) {
+  return {
+    id: "google-calendar",
+    providerId,
+    title: "Google Calendar",
+    category: "calendar",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/calendar.readonly", "https://www.googleapis.com/auth/calendar.events"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList,
+        title: "List calendar events",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"],
+        dataClass: "private",
+        description: "Read events from a Google Calendar over a bounded time range.",
+        inputSchema: objectSchema2({
+          calendarId: { type: "string", default: "primary" },
+          timeMin: { type: "string", description: "RFC3339 lower bound." },
+          timeMax: { type: "string", description: "RFC3339 upper bound." }
+        }, ["timeMin", "timeMax"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsCreate,
+        title: "Create calendar event",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.events"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Create an event on a Google Calendar after user approval.",
+        inputSchema: objectSchema2({
+          calendarId: { type: "string", default: "primary" },
+          start: { type: "string", description: "RFC3339 start time." },
+          end: { type: "string", description: "RFC3339 end time." },
+          summary: { type: "string" },
+          description: { type: "string" },
+          attendees: { type: "array", items: { type: "string" } }
+        }, ["start", "end", "summary"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function gmailConnector(providerId) {
+  return {
+    id: "gmail",
+    providerId,
+    title: "Gmail",
+    category: "email",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.send"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSearch,
+        title: "Search Gmail messages",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+        dataClass: "private",
+        description: "Search user Gmail messages and return bounded message metadata/snippets.",
+        inputSchema: objectSchema2({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSend,
+        title: "Send Gmail message",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.send"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Send an email from the user account after approval.",
+        inputSchema: objectSchema2({
+          to: { type: "array", items: { type: "string" } },
+          subject: { type: "string" },
+          body: { type: "string" }
+        }, ["to", "subject", "body"])
+      }
+    ],
+    triggers: [{
+      id: "gmail.messages.received",
+      title: "Gmail message received",
+      requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+      dataClass: "private",
+      description: "Triggered when a new matching Gmail message is received."
+    }],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function googleDriveConnector(providerId) {
+  return {
+    id: "google-drive",
+    providerId,
+    title: "Google Drive",
+    category: "storage",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/drive.readonly", "https://www.googleapis.com/auth/drive.file"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesSearch,
+        title: "Search Drive files",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Search user-visible Google Drive files.",
+        inputSchema: objectSchema2({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesRead,
+        title: "Read Drive file",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Read metadata and content for an authorized Drive file.",
+        inputSchema: objectSchema2({ fileId: { type: "string" } }, ["fileId"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function githubConnector(providerId) {
+  return {
+    id: "github",
+    providerId,
+    title: "GitHub",
+    category: "workflow",
+    auth: "oauth2",
+    scopes: ["repo", "read:user"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubRepositoriesGet, "Read repository metadata", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" } }, ["owner", "repo"])),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesSearch, "Search issues and pull requests", ["repo"], objectSchema2({ query: { type: "string" }, limit: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesCreate, "Create issue", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" }, title: { type: "string" }, body: { type: "string" } }, ["owner", "repo", "title"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubPullRequestsComment, "Comment on pull request", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" }, pullNumber: { type: "integer" }, body: { type: "string" } }, ["owner", "repo", "pullNumber", "body"]))
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function slackConnector(providerId) {
+  return {
+    id: "slack",
+    providerId,
+    title: "Slack",
+    category: "chat",
+    auth: "oauth2",
+    scopes: ["channels:read", "search:read", "chat:write"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackChannelsList, "List Slack channels", ["channels:read"], objectSchema2({ limit: { type: "integer", minimum: 1, maximum: 200 } })),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesSearch, "Search Slack messages", ["search:read"], objectSchema2({ query: { type: "string" }, count: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesPost, "Post Slack message", ["chat:write"], objectSchema2({ channel: { type: "string" }, text: { type: "string" }, blocks: { type: "array" } }, ["channel", "text"]))
+    ],
+    triggers: [trigger("slack.message.posted", "Slack message posted", ["channels:read"])],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function readAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "read", requiredScopes: scopes, dataClass: "private", inputSchema };
+}
+function writeAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "write", requiredScopes: scopes, dataClass: "private", approvalRequired: true, inputSchema };
+}
+function trigger(id, title, scopes) {
+  return { id, title, requiredScopes: scopes, dataClass: "private" };
+}
+function providerPassthroughAction(connectorId) {
+  return {
+    id: CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest,
+    title: "Provider HTTP request",
+    risk: "write",
+    requiredScopes: [],
+    dataClass: "sensitive",
+    approvalRequired: true,
+    description: `Controlled provider-native passthrough for ${connectorId}. Disabled by default by platform policy.`,
+    inputSchema: objectSchema2({
+      method: { type: "string", enum: ["GET", "POST", "PUT", "PATCH", "DELETE"] },
+      path: { type: "string" },
+      query: { type: "object" },
+      body: { type: "object" }
+    }, ["method", "path"])
+  };
+}
+function objectSchema2(properties, required = []) {
+  return { type: "object", additionalProperties: false, properties, required };
+}
+
+// src/bridge.ts
+var DEFAULT_INTEGRATION_BRIDGE_ENV = "TANGLE_INTEGRATION_BUNDLE";
+function buildIntegrationBridgePayload(bundle) {
+  return {
+    version: 1,
+    manifestId: bundle.manifestId,
+    subject: bundle.subject,
+    expiresAt: bundle.expiresAt,
+    tools: bundle.tools.flatMap((tool) => {
+      const binding = bundle.capabilities.find(
+        (candidate) => candidate.connectorId === tool.connectorId && candidate.connectionId && candidate.allowedActions.includes(tool.action.id)
+      );
+      if (!binding) return [];
+      return [{
+        name: tool.name,
+        title: tool.title,
+        connectorId: tool.connectorId,
+        connectionId: binding.connectionId,
+        action: tool.action.id,
+        risk: tool.risk,
+        dataClass: tool.dataClass,
+        requiredScopes: tool.requiredScopes,
+        capabilityToken: binding.capability.token
+      }];
+    })
+  };
+}
+function encodeIntegrationBridgePayload(payload) {
+  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+}
+function decodeIntegrationBridgePayload(encoded) {
+  const parsed = JSON.parse(Buffer.from(encoded, "base64url").toString("utf8"));
+  assertBridgePayload(parsed);
+  return parsed;
+}
+function buildIntegrationBridgeEnvironment(bundle, options = {}) {
+  const envVar = options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV;
+  return {
+    [envVar]: encodeIntegrationBridgePayload(buildIntegrationBridgePayload(bundle))
+  };
+}
+function parseIntegrationBridgeEnvironment(env, options = {}) {
+  const envVar = options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV;
+  const encoded = env[envVar];
+  if (!encoded) throw new Error(`Missing ${envVar}.`);
+  return decodeIntegrationBridgePayload(encoded);
+}
+function redactIntegrationBridgePayload(payload) {
+  return {
+    ...payload,
+    tools: payload.tools.map((tool) => ({
+      ...tool,
+      capabilityToken: "[REDACTED]"
+    }))
+  };
+}
+function assertBridgePayload(value) {
+  if (!value || typeof value !== "object") throw new Error("Invalid integration bridge payload.");
+  const payload = value;
+  if (payload.version !== 1) throw new Error("Unsupported integration bridge payload version.");
+  if (typeof payload.manifestId !== "string") throw new Error("Invalid integration bridge manifestId.");
+  if (typeof payload.expiresAt !== "string") throw new Error("Invalid integration bridge expiresAt.");
+  if (!Array.isArray(payload.tools)) throw new Error("Invalid integration bridge tools.");
+}
+
+// src/errors.ts
+var IntegrationRuntimeError = class extends Error {
+  code;
+  status;
+  userAction;
+  metadata;
+  constructor(input) {
+    super(input.message);
+    this.name = "IntegrationRuntimeError";
+    this.code = input.code;
+    this.status = input.status ?? statusForCode(input.code);
+    this.userAction = input.userAction;
+    this.metadata = input.metadata;
+  }
+};
+function normalizeIntegrationError(error) {
+  if (error instanceof IntegrationRuntimeError) {
+    return {
+      ok: false,
+      code: error.code,
+      message: error.message,
+      status: error.status,
+      userAction: error.userAction,
+      metadata: redactUnknown2(error.metadata)
+    };
+  }
+  const message = error instanceof Error ? error.message : String(error ?? "Unknown integration error.");
+  return {
+    ok: false,
+    code: inferCode(message),
+    message,
+    status: 500
+  };
+}
+function statusForCode(code) {
+  if (code === "missing_connection" || code === "missing_grant") return 409;
+  if (code === "approval_required") return 202;
+  if (code === "approval_denied") return 403;
+  if (code === "connection_revoked" || code === "connection_expired" || code === "provider_auth_failed") return 401;
+  if (code === "scope_missing" || code === "action_denied" || code === "passthrough_disabled") return 403;
+  if (code === "action_not_found" || code === "manifest_invalid" || code === "input_invalid") return 400;
+  if (code === "provider_rate_limited") return 429;
+  if (code === "provider_unavailable") return 503;
+  if (code === "capability_expired" || code === "capability_invalid") return 401;
+  return 500;
+}
+function inferCode(message) {
+  if (/approval/i.test(message)) return "approval_required";
+  if (/scope/i.test(message)) return "scope_missing";
+  if (/expired/i.test(message)) return "connection_expired";
+  if (/revoked/i.test(message)) return "connection_revoked";
+  if (/rate.?limit|429/i.test(message)) return "provider_rate_limited";
+  if (/unauth|forbidden|401|403/i.test(message)) return "provider_auth_failed";
+  return "unknown";
+}
+function redactUnknown2(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown2);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential|refresh/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown2(child);
+    }
+  }
+  return out;
+}
+
+// src/client.ts
+var TangleIntegrationsClient = class {
+  endpoint;
+  bridge;
+  fetchImpl;
+  getCapabilityToken;
+  constructor(options) {
+    this.endpoint = options.endpoint.replace(/\/$/, "");
+    this.bridge = options.bridge ?? parseIntegrationBridgeEnvironment(
+      options.env ?? readProcessEnv(),
+      { envVar: options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV }
+    );
+    this.fetchImpl = options.fetchImpl ?? fetch;
+    this.getCapabilityToken = options.getCapabilityToken ?? ((tool) => tool.capabilityToken);
+  }
+  tools() {
+    return [...this.bridge.tools];
+  }
+  findTool(toolOrAction) {
+    const found = this.bridge.tools.find(
+      (tool) => tool.name === toolOrAction || tool.action === toolOrAction || `${tool.connectorId}.${tool.action}` === toolOrAction
+    );
+    if (!found) {
+      throw new IntegrationRuntimeError({
+        code: "action_not_found",
+        message: `Integration tool ${toolOrAction} is not available in this runtime.`,
+        metadata: { available: this.bridge.tools.map((tool) => ({ name: tool.name, action: tool.action, connectorId: tool.connectorId })) }
+      });
+    }
+    return found;
+  }
+  async invoke(input) {
+    try {
+      const tool = this.findTool(input.tool);
+      const token = await this.getCapabilityToken(tool);
+      const response = await this.fetchImpl(`${this.endpoint}/v1/integrations/invoke`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify({
+          action: tool.action,
+          input: input.input,
+          idempotencyKey: input.idempotencyKey ?? defaultIdempotencyKey(tool.action),
+          dryRun: input.dryRun,
+          metadata: input.metadata
+        })
+      });
+      const json = await response.json().catch(() => void 0);
+      if (!response.ok && !json) {
+        return { status: "failed", action: tool.action, error: `Integration invoke failed with HTTP ${response.status}` };
+      }
+      return json ?? { status: "failed", action: tool.action, error: "Integration invoke returned an empty response." };
+    } catch (error) {
+      const normalized = normalizeIntegrationError(error);
+      return { status: "failed", action: input.tool, error: normalized.message, metadata: { code: normalized.code, userAction: normalized.userAction } };
+    }
+  }
+};
+function createTangleIntegrationsClient(options) {
+  return new TangleIntegrationsClient(options);
+}
+function defaultIdempotencyKey(action) {
+  return `${action}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+}
+function readProcessEnv() {
+  if (typeof process !== "undefined" && process.env) return process.env;
+  return {};
+}
+
+// src/consent.ts
+function renderConsentSummary(manifestOrResolution, options = {}) {
+  const manifest = "manifest" in manifestOrResolution ? manifestOrResolution.manifest : manifestOrResolution;
+  const appName = options.appName ?? manifest.title ?? manifest.id;
+  const requirements = manifest.requirements;
+  const risk = aggregateRisk(requirements, options.connectors);
+  const connectorIds = unique2(requirements.map((requirement) => requirement.connectorId));
+  const first = requirements[0];
+  const body = first ? sentenceForRequirement(appName, first) : `${appName} does not request integrations.`;
+  return {
+    title: `${appName} wants to use ${humanList(connectorIds.map(titleize))}`,
+    body,
+    bullets: requirements.map((requirement) => bulletForRequirement(requirement, options.connectors)),
+    primaryAction: risk === "read" ? "Allow access" : risk === "write" ? "Review and allow" : "Review destructive access",
+    risk,
+    connectorIds
+  };
+}
+function renderApprovalCopy(input) {
+  return {
+    title: `${input.appName} wants to ${input.action.title.toLowerCase()}`,
+    body: `${input.appName} is requesting permission to run "${input.action.title}" on ${input.connectorTitle}.`,
+    bullets: [
+      `Risk: ${input.action.risk}`,
+      `Data: ${input.action.dataClass}`,
+      ...input.approvalId ? [`Approval id: ${input.approvalId}`] : []
+    ],
+    primaryAction: input.action.risk === "read" ? "Allow" : "Approve action",
+    risk: input.action.risk,
+    connectorIds: []
+  };
+}
+function sentenceForRequirement(appName, requirement) {
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "read") {
+    return `${appName} wants to read your Google Calendar to find schedule-aware recommendations.`;
+  }
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "write") {
+    return `${appName} wants to create or update Google Calendar events after your approval.`;
+  }
+  if (requirement.mode === "read") return `${appName} wants to read ${titleize(requirement.connectorId)} data.`;
+  if (requirement.mode === "write") return `${appName} wants to write ${titleize(requirement.connectorId)} data after approval.`;
+  return `${appName} wants to subscribe to ${titleize(requirement.connectorId)} events.`;
+}
+function bulletForRequirement(requirement, connectors = []) {
+  const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+  const actions = requirement.requiredActions?.length ? requirement.requiredActions.map((id) => connector?.actions.find((action) => action.id === id)?.title ?? id) : requirement.requiredTriggers ?? [];
+  return `${titleize(requirement.connectorId)}: ${requirement.reason}${actions.length ? ` (${actions.join(", ")})` : ""}`;
+}
+function aggregateRisk(requirements, connectors = []) {
+  let rank = 0;
+  for (const requirement of requirements) {
+    if (requirement.mode === "write") rank = Math.max(rank, 1);
+    const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+    for (const actionId of requirement.requiredActions ?? []) {
+      const risk = connector?.actions.find((action) => action.id === actionId)?.risk;
+      if (risk === "write") rank = Math.max(rank, 1);
+      if (risk === "destructive") rank = Math.max(rank, 2);
+    }
+  }
+  return rank === 2 ? "destructive" : rank === 1 ? "write" : "read";
+}
+function humanList(values) {
+  if (values.length <= 1) return values[0] ?? "integrations";
+  if (values.length === 2) return `${values[0]} and ${values[1]}`;
+  return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
+}
+function titleize(value) {
+  return value.split(/[-_.]/g).filter(Boolean).map((part) => part[0].toUpperCase() + part.slice(1)).join(" ");
+}
+function unique2(values) {
+  return [...new Set(values)];
+}
+
+// src/adapter-provider.ts
+function createConnectorAdapterProvider(options) {
+  const providerId = options.id ?? "first-party";
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const adapters = /* @__PURE__ */ new Map();
+  for (const adapter of options.adapters) {
+    adapters.set(adapter.manifest.kind, adapter);
+  }
+  return {
+    id: providerId,
+    kind: options.kind ?? "first_party",
+    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
+    async invokeAction(connection, request) {
+      const adapter = adapters.get(connection.connectorId);
+      if (!adapter) {
+        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
+      }
+      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
+      if (!capability) {
+        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
+      }
+      const source = await options.resolveDataSource(connection);
+      const invocation = {
+        source,
+        capabilityName: request.action,
+        args: toRecord(request.input),
+        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
+        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
+        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0
+      };
+      if (capability.class === "read") {
+        if (!adapter.executeRead) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
+        }
+        const result = await adapter.executeRead(invocation);
+        return readResultToAction(request, result);
+      }
+      if (capability.class === "mutation") {
+        if (!adapter.executeMutation) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
+        }
+        const result = await adapter.executeMutation(invocation);
+        return mutationResultToAction(request, result);
+      }
+      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
+    }
+  };
+}
+function manifestToConnector(providerId, adapter) {
+  const manifest = adapter.manifest;
+  return {
+    id: manifest.kind,
+    providerId,
+    title: manifest.displayName,
+    category: mapCategory(manifest.category),
+    auth: mapAuth(manifest.auth.kind),
+    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
+    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
+      id: capability.name,
+      title: titleFromName(capability.name),
+      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
+      requiredScopes: capability.requiredScopes ?? [],
+      dataClass: inferDataClass(manifest.category),
+      description: capability.description,
+      approvalRequired: capability.class === "mutation",
+      inputSchema: capability.parameters
+    })),
+    metadata: {
+      source: "first-party-adapter",
+      supportTier: "firstPartyExecutable",
+      executable: true
+    }
+  };
+}
+function readResultToAction(request, result) {
+  return {
+    ok: true,
+    action: request.action,
+    output: result.data,
+    metadata: {
+      etag: result.etag,
+      fetchedAt: result.fetchedAt
+    }
+  };
+}
+function mutationResultToAction(request, result) {
+  if (result.status === "committed") {
+    return {
+      ok: true,
+      action: request.action,
+      output: result.data,
+      metadata: {
+        etagAfter: result.etagAfter,
+        committedAt: result.committedAt,
+        idempotentReplay: result.idempotentReplay
+      }
+    };
+  }
+  if (result.status === "conflict") {
+    return {
+      ok: false,
+      action: request.action,
+      output: {
+        conflict: true,
+        message: result.message,
+        alternatives: result.alternatives,
+        currentState: result.currentState
+      }
+    };
+  }
+  return {
+    ok: false,
+    action: request.action,
+    output: {
+      rateLimited: true,
+      retryAfterMs: result.retryAfterMs,
+      message: result.message
+    }
+  };
+}
+function mapAuth(kind) {
+  if (kind === "oauth2") return "oauth2";
+  if (kind === "api-key") return "api_key";
+  if (kind === "none") return "none";
+  return "custom";
+}
+function mapCategory(category) {
+  if (category === "comms") return "chat";
+  if (category === "spreadsheet") return "database";
+  if (category === "doc") return "docs";
+  if (category === "commerce") return "workflow";
+  return category === "other" ? "other" : category;
+}
+function inferDataClass(category) {
+  if (category === "commerce") return "sensitive";
+  if (category === "webhook") return "internal";
+  return "private";
+}
+function titleFromName(name) {
+  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
+}
+function toRecord(input) {
+  if (input && typeof input === "object" && !Array.isArray(input)) return input;
+  return {};
+}
+
+// src/credentials.ts
+var InMemoryIntegrationSecretStore = class {
+  secrets = /* @__PURE__ */ new Map();
+  get(ref) {
+    return this.secrets.get(secretKey(ref));
+  }
+  put(ref, credentials) {
+    this.secrets.set(secretKey(ref), credentials);
+  }
+  delete(ref) {
+    this.secrets.delete(secretKey(ref));
+  }
+};
+function createConnectionCredentialResolver(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return async function resolveDataSource(connection) {
+    const credentials = await resolveConnectionCredentials(connection, {
+      secrets: options.secrets,
+      connections: options.connections,
+      adapters: options.adapters,
+      now,
+      markConnectionError: options.markConnectionError
+    });
+    return {
+      id: connection.id,
+      projectId: String(connection.metadata?.projectId ?? connection.owner.id),
+      publishedAgentId: typeof connection.metadata?.publishedAgentId === "string" ? connection.metadata.publishedAgentId : null,
+      kind: connection.connectorId,
+      label: connection.account?.displayName ?? connection.account?.email ?? connection.connectorId,
+      consistencyModel: typeof connection.metadata?.consistencyModel === "string" ? connection.metadata.consistencyModel : "authoritative",
+      scopes: connection.grantedScopes,
+      metadata: connection.metadata ?? {},
+      credentials,
+      status: connection.status === "active" ? "active" : connection.status === "revoked" ? "revoked" : "error"
+    };
+  };
+}
+async function resolveConnectionCredentials(input, options) {
+  if (input.status !== "active") throw new Error(`Connection ${input.id} is ${input.status}.`);
+  if (!input.secretRef) return { kind: "none" };
+  const current = await options.secrets.get(input.secretRef);
+  if (!current) throw new Error(`Secret ${input.secretRef.provider}/${input.secretRef.id} not found.`);
+  if (!isExpiredOauth(current, options.now ?? (() => /* @__PURE__ */ new Date()))) return current;
+  const adapter = options.adapters?.find((candidate) => candidate.manifest.kind === input.connectorId);
+  if (!adapter?.refreshToken) return current;
+  try {
+    const refreshed = await adapter.refreshToken(current);
+    await options.secrets.put(input.secretRef, refreshed);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "active",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString(),
+        expiresAt: refreshed.kind === "oauth2" && refreshed.expiresAt ? new Date(refreshed.expiresAt).toISOString() : input.expiresAt
+      });
+    }
+    return refreshed;
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error("Credential refresh failed.");
+    await options.markConnectionError?.(input, err);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "expired",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    throw err;
+  }
+}
+function createCredentialBackedAdapterProvider(options) {
+  return createConnectorAdapterProvider({
+    ...options,
+    resolveDataSource: createConnectionCredentialResolver(options)
+  });
+}
+async function revokeConnection(input) {
+  if (input.connection.secretRef) await input.secrets?.delete?.(input.connection.secretRef);
+  const revoked = {
+    ...input.connection,
+    status: "revoked",
+    updatedAt: (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+  await input.connections?.put(revoked);
+  return revoked;
+}
+function isExpiredOauth(credentials, now) {
+  return credentials.kind === "oauth2" && typeof credentials.expiresAt === "number" && credentials.expiresAt <= now().getTime() && Boolean(credentials.refreshToken);
+}
+function secretKey(ref) {
+  return `${ref.provider}:${ref.id}`;
+}
+
+// src/events.ts
+var InMemoryIntegrationEventStore = class {
+  events = /* @__PURE__ */ new Map();
+  providerIds = /* @__PURE__ */ new Set();
+  put(event) {
+    this.events.set(event.id, event);
+    if (event.providerEventId) this.providerIds.add(providerKey(event.sourceId, event.providerEventId));
+  }
+  hasProviderEvent(sourceId, providerEventId) {
+    return this.providerIds.has(providerKey(sourceId, providerEventId));
+  }
+  list() {
+    return [...this.events.values()];
+  }
+};
+async function receiveIntegrationWebhook(input) {
+  if (!input.adapter.handleInboundEvent) {
+    return { status: 405, body: { ok: false, error: "Connector does not support inbound webhooks." }, received: [], duplicates: [] };
+  }
+  const signature = input.adapter.verifySignature?.({
+    rawBody: input.rawBody,
+    headers: input.headers,
+    source: input.source
+  });
+  if (signature && !signature.valid) {
+    return { status: 401, body: { ok: false, error: signature.reason ?? "Invalid webhook signature." }, received: [], duplicates: [] };
+  }
+  const handled = await input.adapter.handleInboundEvent({
+    source: input.source,
+    rawBody: input.rawBody,
+    headers: input.headers
+  });
+  const received = [];
+  const duplicates = [];
+  for (const inbound of handled.events) {
+    const event = storedEvent(input.source, inbound, input.now ?? (() => /* @__PURE__ */ new Date()));
+    if (event.providerEventId && await input.store.hasProviderEvent(event.sourceId, event.providerEventId)) {
+      duplicates.push(event);
+      continue;
+    }
+    await input.store.put(event);
+    received.push(event);
+    await dispatchStoredEvent(event, input.source, input.workflowRuntime);
+  }
+  return {
+    status: handled.response?.status ?? 200,
+    body: handled.response?.body ?? { received: true, count: received.length, duplicateCount: duplicates.length },
+    headers: handled.response?.headers,
+    received,
+    duplicates
+  };
+}
+function storedEventToTriggerEvent(event, source) {
+  return {
+    id: event.id,
+    providerId: String(source.metadata.providerId ?? "first-party"),
+    connectorId: event.connectorId,
+    connectionId: source.id,
+    trigger: event.eventType,
+    occurredAt: event.receivedAt,
+    payload: event.payload,
+    metadata: {
+      providerEventId: event.providerEventId,
+      sourceId: event.sourceId,
+      ...event.metadata
+    }
+  };
+}
+async function dispatchStoredEvent(event, source, workflowRuntime) {
+  if (!workflowRuntime) return;
+  await workflowRuntime.dispatchEvent(storedEventToTriggerEvent(event, source), () => void 0);
+}
+function storedEvent(source, event, now) {
+  return {
+    id: `evt_${source.id}_${event.providerEventId ?? `${event.eventType}_${now().getTime()}`}`,
+    sourceId: source.id,
+    connectorId: source.kind,
+    eventType: event.eventType,
+    providerEventId: event.providerEventId,
+    receivedAt: now().toISOString(),
+    payload: event.payload
+  };
+}
+function providerKey(sourceId, providerEventId) {
+  return `${sourceId}:${providerEventId}`;
+}
+
+// src/guard.ts
+import { createHash as createHash2 } from "crypto";
+var InMemoryIntegrationIdempotencyStore = class {
+  records = /* @__PURE__ */ new Map();
+  get(key) {
+    return this.records.get(key);
+  }
+  put(record) {
+    this.records.set(record.key, record);
+  }
+};
+var DefaultIntegrationActionGuard = class {
+  idempotency;
+  audit;
+  rateLimiter;
+  now;
+  constructor(options = {}) {
+    this.idempotency = options.idempotency;
+    this.audit = options.audit;
+    this.rateLimiter = options.rateLimiter;
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  async invokeAction(ctx, proceed) {
+    const idempotencyKey = ctx.request.idempotencyKey;
+    const requestHash = hashRequest(ctx);
+    if (idempotencyKey && this.idempotency) {
+      const existing = await this.idempotency.get(idempotencyKey);
+      if (existing) {
+        if (existing.requestHash !== requestHash) {
+          return {
+            ok: false,
+            action: ctx.request.action,
+            output: { idempotencyConflict: true, message: "Idempotency key was reused with different integration input." }
+          };
+        }
+        return {
+          ...existing.result,
+          metadata: { ...existing.result.metadata ?? {}, idempotentReplay: true }
+        };
+      }
+    }
+    if (ctx.request.dryRun && ctx.action?.risk !== "read") {
+      const result = {
+        ok: true,
+        action: ctx.request.action,
+        output: { dryRun: true },
+        metadata: { dryRun: true }
+      };
+      await this.writeIdempotency(idempotencyKey, requestHash, result);
+      return result;
+    }
+    const rateLimit = await this.rateLimiter?.check(ctx);
+    if (rateLimit && !rateLimit.allowed) {
+      return {
+        ok: false,
+        action: ctx.request.action,
+        output: { rateLimited: true, retryAfterMs: rateLimit.retryAfterMs, message: rateLimit.reason ?? "Integration rate limit exceeded." }
+      };
+    }
+    try {
+      const result = await proceed();
+      await this.writeIdempotency(idempotencyKey, requestHash, result);
+      await this.audit?.record(createIntegrationAuditEvent({
+        type: result.ok ? "action.invoked" : "action.failed",
+        actor: ctx.connection.owner,
+        connectionId: ctx.connection.id,
+        providerId: ctx.connection.providerId,
+        connectorId: ctx.connection.connectorId,
+        action: ctx.request.action,
+        risk: ctx.action?.risk,
+        dataClass: ctx.action?.dataClass,
+        ok: result.ok,
+        metadata: { idempotencyKey, externalId: result.externalId, warnings: result.warnings },
+        now: this.now
+      }));
+      return result;
+    } catch (error) {
+      await this.audit?.record(createIntegrationAuditEvent({
+        type: "action.failed",
+        actor: ctx.connection.owner,
+        connectionId: ctx.connection.id,
+        providerId: ctx.connection.providerId,
+        connectorId: ctx.connection.connectorId,
+        action: ctx.request.action,
+        risk: ctx.action?.risk,
+        dataClass: ctx.action?.dataClass,
+        ok: false,
+        message: error instanceof Error ? error.message : "Integration action failed.",
+        metadata: { idempotencyKey },
+        now: this.now
+      }));
+      throw error;
+    }
+  }
+  async writeIdempotency(key, requestHash, result) {
+    if (!key || !this.idempotency) return;
+    await this.idempotency.put({
+      key,
+      requestHash,
+      result,
+      createdAt: this.now().toISOString()
+    });
+  }
+};
+function createDefaultIntegrationActionGuard(options = {}) {
+  return new DefaultIntegrationActionGuard(options);
+}
+function hashRequest(ctx) {
+  return createHash2("sha256").update(JSON.stringify({
+    connectionId: ctx.connection.id,
+    action: ctx.request.action,
+    input: ctx.request.input ?? null,
+    dryRun: ctx.request.dryRun ?? false
+  })).digest("base64url");
+}
+
+// src/healthcheck.ts
+var InMemoryIntegrationHealthcheckStore = class {
+  results = /* @__PURE__ */ new Map();
+  put(result) {
+    this.results.set(result.connectionId, result);
+  }
+  get(connectionId) {
+    return this.results.get(connectionId);
+  }
+  list() {
+    return [...this.results.values()];
+  }
+};
+async function runIntegrationHealthcheck(input) {
+  const now = input.now ?? (() => /* @__PURE__ */ new Date());
+  const checkedAt = now().toISOString();
+  const connector = input.connector ?? input.registry?.byId.get(input.connection.connectorId)?.connector;
+  const checks = [];
+  checks.push(connectionStatusCheck(input.connection, now));
+  if (!connector) {
+    checks.push({ id: "connector-known", status: "unknown", message: `Connector ${input.connection.connectorId} is not in the registry.` });
+  } else {
+    checks.push(connectorExecutableCheck(connector));
+    checks.push(scopeShapeCheck(input.connection, connector));
+    if (input.test && input.connection.status === "active") {
+      checks.push(await liveHealthcheck(input.connection, connector, input.test));
+    }
+  }
+  const result = {
+    connectionId: input.connection.id,
+    providerId: input.connection.providerId,
+    connectorId: input.connection.connectorId,
+    status: rollupHealthStatus(checks),
+    checkedAt,
+    checks
+  };
+  await input.audit?.record(createIntegrationAuditEvent({
+    type: "healthcheck.completed",
+    actor: input.connection.owner,
+    connectionId: input.connection.id,
+    providerId: input.connection.providerId,
+    connectorId: input.connection.connectorId,
+    ok: result.status === "healthy",
+    message: result.status,
+    metadata: { checks: checks.map((check) => ({ id: check.id, status: check.status, message: check.message })) },
+    occurredAt: checkedAt
+  }));
+  return result;
+}
+async function runIntegrationHealthchecks(input) {
+  const results = [];
+  for (const connection of input.connections) {
+    const result = await runIntegrationHealthcheck({
+      connection,
+      registry: input.registry,
+      test: input.test,
+      audit: input.audit,
+      now: input.now
+    });
+    await input.store?.put(result);
+    results.push(result);
+  }
+  return results;
+}
+function healthcheckRequest(action = "healthcheck") {
+  return {
+    connectionId: "__healthcheck__",
+    action,
+    input: {},
+    dryRun: true,
+    metadata: { healthcheck: true }
+  };
+}
+function connectionStatusCheck(connection, now) {
+  if (connection.status !== "active") {
+    return { id: "connection-active", status: "unhealthy", message: `Connection is ${connection.status}.` };
+  }
+  if (connection.expiresAt && Date.parse(connection.expiresAt) <= now().getTime()) {
+    return { id: "connection-active", status: "unhealthy", message: "Connection credentials are expired." };
+  }
+  return { id: "connection-active", status: "healthy", message: "Connection is active." };
+}
+function connectorExecutableCheck(connector) {
+  const executable = connector.actions.length > 0 || (connector.triggers?.length ?? 0) > 0;
+  if (!executable) {
+    return { id: "connector-executable", status: "degraded", message: `${connector.title} is catalog-only.` };
+  }
+  return { id: "connector-executable", status: "healthy", message: `${connector.title} has executable actions or triggers.` };
+}
+function scopeShapeCheck(connection, connector) {
+  const declaredScopes = new Set(connector.scopes);
+  const undeclared = connection.grantedScopes.filter((scope) => !declaredScopes.has(scope));
+  if (connector.scopes.length === 0 && connection.grantedScopes.length > 0) {
+    return { id: "scope-shape", status: "unknown", message: "Connector does not declare a scope catalog.", metadata: { grantedScopes: connection.grantedScopes } };
+  }
+  if (undeclared.length > 0) {
+    return { id: "scope-shape", status: "degraded", message: "Connection has scopes not declared by the connector.", metadata: { undeclared } };
+  }
+  return { id: "scope-shape", status: "healthy", message: "Granted scopes match the connector shape." };
+}
+async function liveHealthcheck(connection, connector, test) {
+  try {
+    const result = await test(connection, connector);
+    const ok = typeof result === "boolean" ? result : result.ok;
+    return {
+      id: "provider-live-test",
+      status: ok ? "healthy" : "unhealthy",
+      message: ok ? "Provider live test passed." : "Provider live test failed.",
+      metadata: typeof result === "boolean" ? void 0 : { action: result.action, warnings: result.warnings }
+    };
+  } catch (error) {
+    return {
+      id: "provider-live-test",
+      status: "unhealthy",
+      message: error instanceof Error ? error.message : "Provider live test failed."
+    };
+  }
+}
+function rollupHealthStatus(checks) {
+  if (checks.some((check) => check.status === "unhealthy")) return "unhealthy";
+  if (checks.some((check) => check.status === "degraded")) return "degraded";
+  if (checks.some((check) => check.status === "unknown")) return "unknown";
+  return "healthy";
+}
+
+// src/manifest.ts
+function validateIntegrationManifest(manifest) {
+  const issues = [];
+  if (!manifest.id?.trim()) issues.push({ path: "id", message: "Manifest id is required." });
+  if (!Array.isArray(manifest.requirements)) issues.push({ path: "requirements", message: "Requirements must be an array." });
+  const ids = /* @__PURE__ */ new Set();
+  for (const [index, requirement] of (manifest.requirements ?? []).entries()) {
+    const path = `requirements[${index}]`;
+    if (!requirement.id?.trim()) issues.push({ path: `${path}.id`, message: "Requirement id is required." });
+    if (ids.has(requirement.id)) issues.push({ path: `${path}.id`, message: `Duplicate requirement id ${requirement.id}.` });
+    ids.add(requirement.id);
+    if (!requirement.connectorId?.trim()) issues.push({ path: `${path}.connectorId`, message: "Connector id is required." });
+    if (!["read", "write", "trigger"].includes(requirement.mode)) issues.push({ path: `${path}.mode`, message: "Mode must be read, write, or trigger." });
+    if (!requirement.reason?.trim()) issues.push({ path: `${path}.reason`, message: "Human-readable reason is required." });
+    if (requirement.mode !== "trigger" && !requirement.requiredActions?.length) {
+      issues.push({ path: `${path}.requiredActions`, message: "Non-trigger requirements should list required actions." });
+    }
+    if (requirement.mode === "trigger" && !requirement.requiredTriggers?.length) {
+      issues.push({ path: `${path}.requiredTriggers`, message: "Trigger requirements should list required triggers." });
+    }
+  }
+  return { ok: issues.length === 0, issues };
+}
+function assertValidIntegrationManifest(manifest) {
+  const result = validateIntegrationManifest(manifest);
+  if (!result.ok) {
+    throw new Error(`Invalid integration manifest: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
+  }
+}
+function inferIntegrationManifestFromTools(options) {
+  const byConnector = /* @__PURE__ */ new Map();
+  for (const item of options.tools) {
+    const action = typeof item === "string" ? item : item.action;
+    const connectorId = typeof item === "string" ? canonicalActionConnectorId(action) : item.connectorId ?? canonicalActionConnectorId(action);
+    if (!connectorId) continue;
+    const mode = typeof item === "string" ? inferMode(action) : item.mode ?? inferMode(action);
+    const id = `${connectorId}-${mode}`;
+    const existing = byConnector.get(id);
+    const reason = typeof item === "string" ? defaultReason(connectorId, mode) : item.reason ?? defaultReason(connectorId, mode);
+    if (existing) {
+      byConnector.set(id, {
+        ...existing,
+        requiredActions: unique3([...existing.requiredActions ?? [], action]),
+        requiredScopes: unique3([...existing.requiredScopes ?? [], ...typeof item === "string" ? [] : item.scopes ?? []])
+      });
+    } else {
+      byConnector.set(id, {
+        id,
+        connectorId,
+        mode,
+        reason,
+        requiredActions: mode === "trigger" ? void 0 : [action],
+        requiredScopes: typeof item === "string" ? void 0 : item.scopes
+      });
+    }
+  }
+  const manifest = {
+    id: options.manifestId,
+    title: options.title,
+    requirements: [...byConnector.values()],
+    metadata: options.metadata
+  };
+  assertValidIntegrationManifest(manifest);
+  return manifest;
+}
+function explainMissingRequirements(resolution) {
+  return [...resolution.missing, ...resolution.optionalMissing].map((item) => ({
+    requirementId: item.requirement.id,
+    connectorId: item.requirement.connectorId,
+    status: item.status,
+    message: item.message,
+    userAction: item.requirement.optional ? "ignore_optional" : item.status === "not_executable" ? "enable" : "connect"
+  }));
+}
+function calendarExercisePlannerManifest(id = "exercise-calendar-planner") {
+  return {
+    id,
+    title: "Exercise Calendar Planner",
+    requirements: [{
+      id: "calendar-read",
+      connectorId: "google-calendar",
+      mode: "read",
+      reason: "Read busy and free calendar windows to recommend exercise sessions.",
+      requiredActions: [CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList],
+      requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"]
+    }]
+  };
+}
+function inferMode(action) {
+  if (/(create|send|post|update|delete|write|comment|request)$/i.test(action)) return "write";
+  return "read";
+}
+function defaultReason(connectorId, mode) {
+  if (connectorId === "google-calendar" && mode === "read") return "Read calendar availability for the generated app.";
+  if (connectorId === "google-calendar" && mode === "write") return "Create or update calendar events after user approval.";
+  return `${mode === "read" ? "Read from" : mode === "write" ? "Write to" : "Subscribe to"} ${connectorId} for this app.`;
+}
+function unique3(values) {
+  return [...new Set(values)];
+}
+
+// src/passthrough.ts
+var PROVIDER_PASSTHROUGH_ACTION = CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest;
+function validateProviderPassthroughRequest(input, policy) {
+  if (!policy.enabled) {
+    throw new IntegrationRuntimeError({
+      code: "passthrough_disabled",
+      message: "Provider-native passthrough is disabled for this connector."
+    });
+  }
+  if (!input.path.startsWith("/")) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: "Provider passthrough path must start with /." });
+  }
+  if (policy.allowedMethods?.length && !policy.allowedMethods.includes(input.method)) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough method ${input.method} is not allowed.` });
+  }
+  if (policy.allowedPathPrefixes?.length && !policy.allowedPathPrefixes.some((prefix) => input.path.startsWith(prefix))) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough path ${input.path} is not allowed.` });
+  }
+  const maxBodyBytes = policy.maxBodyBytes ?? 64 * 1024;
+  const bodyBytes = Buffer.byteLength(JSON.stringify(input.body ?? null), "utf8");
+  if (bodyBytes > maxBodyBytes) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough body exceeds ${maxBodyBytes} bytes.` });
+  }
+  for (const key of Object.keys(input.headers ?? {})) {
+    if (/authorization|cookie|token|secret|api[_-]?key/i.test(key)) {
+      throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough header ${key} is not caller-settable.` });
+    }
+  }
+}
+
+// src/policy.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var StaticIntegrationPolicyEngine = class {
+  rules;
+  defaultReadEffect;
+  defaultWriteEffect;
+  defaultDestructiveEffect;
+  now;
+  constructor(options = {}) {
+    this.rules = options.rules ?? [];
+    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
+    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
+    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  decide(ctx) {
+    const action = ctx.action;
+    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
+    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
+    const effect = matched?.effect ?? this.defaultEffect(action.risk);
+    const reason = matched?.reason ?? defaultReason2(effect, action.risk);
+    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    return {
+      decision: "require_approval",
+      reason,
+      approval: buildApprovalRequest(ctx, reason, this.now()),
+      metadata: matched ? { ruleId: matched.id } : void 0
+    };
+  }
+  defaultEffect(risk) {
+    if (risk === "read") return this.defaultReadEffect;
+    if (risk === "write") return this.defaultWriteEffect;
+    return this.defaultDestructiveEffect;
+  }
+};
+function createDefaultIntegrationPolicyEngine(options = {}) {
+  return new StaticIntegrationPolicyEngine(options);
+}
+function buildApprovalRequest(ctx, reason, requestedAt) {
+  if (!ctx.action) {
+    throw new Error("Cannot build approval request without an action descriptor.");
+  }
+  return {
+    id: `approval_${randomUUID2()}`,
+    connectionId: ctx.connection.id,
+    providerId: ctx.connection.providerId,
+    connectorId: ctx.connection.connectorId,
+    action: ctx.request.action,
+    actor: { type: ctx.subject.type, id: ctx.subject.id },
+    risk: ctx.action.risk,
+    dataClass: ctx.action.dataClass,
+    reason,
+    requestedAt: requestedAt.toISOString(),
+    inputPreview: previewInput(ctx.request.input)
+  };
+}
+function redactApprovalRequest(request) {
+  return {
+    ...request,
+    inputPreview: redactUnknown3(request.inputPreview)
+  };
+}
+function ruleMatches(rule, ctx) {
+  if (!ctx.action) return false;
+  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
+  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
+  if (rule.action && rule.action !== ctx.request.action) return false;
+  if (rule.risk && rule.risk !== ctx.action.risk) return false;
+  if (rule.maxRisk && riskRank(ctx.action.risk) > riskRank(rule.maxRisk)) return false;
+  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
+  return true;
+}
+function riskRank(risk) {
+  if (risk === "read") return 0;
+  if (risk === "write") return 1;
+  return 2;
+}
+function defaultReason2(effect, risk) {
+  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
+  if (effect === "deny") return `${risk} integration action denied by default policy.`;
+  return `${risk} integration action requires approval by default policy.`;
+}
+function previewInput(input) {
+  return redactUnknown3(input);
+}
+function redactUnknown3(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown3);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown3(child);
+    }
+  }
+  return out;
+}
+
+// src/presets.ts
+function createPlatformIntegrationPolicyPreset(options = {}) {
+  return new StaticIntegrationPolicyEngine({
+    ...options,
+    defaultReadEffect: "allow",
+    defaultWriteEffect: options.allowWritesWithoutApproval ? "allow" : "require_approval",
+    defaultDestructiveEffect: options.allowDestructiveActions ? "require_approval" : "deny",
+    rules: [
+      ...options.allowProviderPassthrough ? [] : [{
+        id: "deny-provider-native-passthrough",
+        action: "provider.http.request",
+        effect: "deny",
+        reason: "Provider-native passthrough is disabled by default. Promote the connector action or enable passthrough explicitly."
+      }],
+      ...options.rules ?? []
+    ]
+  });
+}
+
 // src/connectors/types.ts
 var ResourceContention = class extends Error {
   constructor(message, alternatives = [], currentState) {
@@ -1344,7 +2892,7 @@ function assertValidConnectorManifest(manifest) {
 }
 
 // src/connectors/oauth.ts
-import { createHash, randomBytes } from "crypto";
+import { createHash as createHash3, randomBytes } from "crypto";
 var PENDING_TTL_MS = 10 * 60 * 1e3;
 var InMemoryOAuthFlowStore = class {
   pendingFlows = /* @__PURE__ */ new Map();
@@ -1372,7 +2920,7 @@ function startOAuthFlow(input) {
   const now = input.now ?? Date.now();
   store.sweep?.(now);
   const codeVerifier = base64Url(randomBytes(48));
-  const codeChallenge = base64Url(createHash("sha256").update(codeVerifier).digest());
+  const codeChallenge = base64Url(createHash3("sha256").update(codeVerifier).digest());
   const state = base64Url(randomBytes(24));
   store.put(state, {
     codeVerifier,
@@ -1837,7 +3385,7 @@ function readMetaString(meta, key) {
 }
 
 // src/connectors/adapters/google-sheets.ts
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 var SCOPES2 = ["https://www.googleapis.com/auth/spreadsheets"];
 var AUTH_URL2 = "https://accounts.google.com/o/oauth2/v2/auth";
 var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
@@ -2111,7 +3659,7 @@ async function fetchAllRows(accessToken, meta) {
 function rowFingerprint(values) {
   const keys = Object.keys(values).sort();
   const blob = keys.map((k) => `${k}=${values[k]}`).join("
");
-  return createHash2("sha256").update(blob).digest("hex").slice(0, 16);
+  return createHash4("sha256").update(blob).digest("hex").slice(0, 16);
 }
 function matchesPredicate(row, predicate) {
   for (const [k, v] of Object.entries(predicate)) {
@@ -4150,7 +5698,7 @@ var repoParams = {
   },
   required: ["owner", "repo"]
 };
-var githubConnector = declarativeRestConnector({
+var githubConnector2 = declarativeRestConnector({
   kind: "github",
   displayName: "GitHub",
   description: "Search repositories/issues and create or update GitHub issues through a user-scoped token.",
@@ -4485,7 +6033,7 @@ var salesforceConnector = declarativeRestConnector({
 });
 
 // src/catalog.ts
-var riskRank = {
+var riskRank2 = {
   read: 0,
   write: 1,
   destructive: 2
@@ -4508,7 +6056,7 @@ function buildIntegrationToolCatalog(connectors) {
   const tools = [];
   for (const connector of connectors) {
     for (const action of connector.actions) {
-      const tags = unique2([
+      const tags = unique4([
         connector.id,
         connector.providerId,
         connector.title,
@@ -4527,173 +6075,73 @@ function buildIntegrationToolCatalog(connectors) {
         providerId: connector.providerId,
         connectorId: connector.id,
         connectorTitle: connector.title,
-        category: connector.category,
-        action,
-        risk: action.risk,
-        dataClass: action.dataClass,
-        requiredScopes: action.requiredScopes,
-        inputSchema: action.inputSchema,
-        outputSchema: action.outputSchema,
-        tags
-      });
-    }
-  }
-  return tools;
-}
-function searchIntegrationTools(catalog, query, filters = {}) {
-  const terms = tokenize(query);
-  const filtered = catalog.filter((tool) => {
-    if (filters.providerId && tool.providerId !== filters.providerId) return false;
-    if (filters.connectorId && tool.connectorId !== filters.connectorId) return false;
-    if (filters.category && tool.category !== filters.category) return false;
-    if (filters.dataClass && tool.dataClass !== filters.dataClass) return false;
-    if (filters.maxRisk && riskRank[tool.risk] > riskRank[filters.maxRisk]) return false;
-    return true;
-  });
-  const scored = filtered.map((tool) => scoreTool(tool, terms));
-  return scored.filter((result) => terms.length === 0 || result.score > 0).sort((a, b) => b.score - a.score || a.tool.name.localeCompare(b.tool.name)).slice(0, filters.limit ?? 20);
-}
-function toMcpTools(tools) {
-  return tools.map((tool) => ({
-    name: tool.name,
-    description: `${tool.title}. ${tool.description}`,
-    inputSchema: tool.inputSchema ?? {
-      type: "object",
-      additionalProperties: true,
-      properties: {}
-    }
-  }));
-}
-function scoreTool(tool, terms) {
-  if (terms.length === 0) return { tool, score: 1, matched: [] };
-  const haystack = new Set(tool.tags);
-  const matched = [];
-  let score = 0;
-  for (const term of terms) {
-    if (haystack.has(term)) {
-      matched.push(term);
-      score += 4;
-      continue;
-    }
-    if (tool.tags.some((tag) => tag.includes(term))) {
-      matched.push(term);
-      score += 1;
-    }
-  }
-  if (tool.risk === "read") score += 0.25;
-  return { tool, score, matched: unique2(matched) };
-}
-function tokenize(value) {
-  return value.toLowerCase().split(/[^a-z0-9]+/g).map((part) => part.trim()).filter(Boolean);
-}
-function encodeToolPart(value) {
-  return Buffer.from(value, "utf8").toString("base64url").replace(/_/g, ".");
-}
-function decodeToolPart(value) {
-  return Buffer.from(value.replace(/\./g, "_"), "base64url").toString("utf8");
-}
-function unique2(values) {
-  return [...new Set(values)];
-}
-
-// src/policy.ts
-import { randomUUID } from "crypto";
-var StaticIntegrationPolicyEngine = class {
-  rules;
-  defaultReadEffect;
-  defaultWriteEffect;
-  defaultDestructiveEffect;
-  now;
-  constructor(options = {}) {
-    this.rules = options.rules ?? [];
-    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
-    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
-    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
-    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
-  }
-  decide(ctx) {
-    const action = ctx.action;
-    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
-    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
-    const effect = matched?.effect ?? this.defaultEffect(action.risk);
-    const reason = matched?.reason ?? defaultReason(effect, action.risk);
-    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    return {
-      decision: "require_approval",
-      reason,
-      approval: buildApprovalRequest(ctx, reason, this.now()),
-      metadata: matched ? { ruleId: matched.id } : void 0
-    };
-  }
-  defaultEffect(risk) {
-    if (risk === "read") return this.defaultReadEffect;
-    if (risk === "write") return this.defaultWriteEffect;
-    return this.defaultDestructiveEffect;
-  }
-};
-function createDefaultIntegrationPolicyEngine(options = {}) {
-  return new StaticIntegrationPolicyEngine(options);
-}
-function buildApprovalRequest(ctx, reason, requestedAt) {
-  if (!ctx.action) {
-    throw new Error("Cannot build approval request without an action descriptor.");
-  }
-  return {
-    id: `approval_${randomUUID()}`,
-    connectionId: ctx.connection.id,
-    providerId: ctx.connection.providerId,
-    connectorId: ctx.connection.connectorId,
-    action: ctx.request.action,
-    actor: { type: ctx.subject.type, id: ctx.subject.id },
-    risk: ctx.action.risk,
-    dataClass: ctx.action.dataClass,
-    reason,
-    requestedAt: requestedAt.toISOString(),
-    inputPreview: previewInput(ctx.request.input)
-  };
+        category: connector.category,
+        action,
+        risk: action.risk,
+        dataClass: action.dataClass,
+        requiredScopes: action.requiredScopes,
+        inputSchema: action.inputSchema,
+        outputSchema: action.outputSchema,
+        tags
+      });
+    }
+  }
+  return tools;
 }
-function redactApprovalRequest(request) {
-  return {
-    ...request,
-    inputPreview: redactUnknown(request.inputPreview)
-  };
+function searchIntegrationTools(catalog, query, filters = {}) {
+  const terms = tokenize(query);
+  const filtered = catalog.filter((tool) => {
+    if (filters.providerId && tool.providerId !== filters.providerId) return false;
+    if (filters.connectorId && tool.connectorId !== filters.connectorId) return false;
+    if (filters.category && tool.category !== filters.category) return false;
+    if (filters.dataClass && tool.dataClass !== filters.dataClass) return false;
+    if (filters.maxRisk && riskRank2[tool.risk] > riskRank2[filters.maxRisk]) return false;
+    return true;
+  });
+  const scored = filtered.map((tool) => scoreTool(tool, terms));
+  return scored.filter((result) => terms.length === 0 || result.score > 0).sort((a, b) => b.score - a.score || a.tool.name.localeCompare(b.tool.name)).slice(0, filters.limit ?? 20);
 }
-function ruleMatches(rule, ctx) {
-  if (!ctx.action) return false;
-  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
-  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
-  if (rule.action && rule.action !== ctx.request.action) return false;
-  if (rule.risk && rule.risk !== ctx.action.risk) return false;
-  if (rule.maxRisk && riskRank2(ctx.action.risk) > riskRank2(rule.maxRisk)) return false;
-  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
-  return true;
+function toMcpTools(tools) {
+  return tools.map((tool) => ({
+    name: tool.name,
+    description: `${tool.title}. ${tool.description}`,
+    inputSchema: tool.inputSchema ?? {
+      type: "object",
+      additionalProperties: true,
+      properties: {}
+    }
+  }));
 }
-function riskRank2(risk) {
-  if (risk === "read") return 0;
-  if (risk === "write") return 1;
-  return 2;
+function scoreTool(tool, terms) {
+  if (terms.length === 0) return { tool, score: 1, matched: [] };
+  const haystack = new Set(tool.tags);
+  const matched = [];
+  let score = 0;
+  for (const term of terms) {
+    if (haystack.has(term)) {
+      matched.push(term);
+      score += 4;
+      continue;
+    }
+    if (tool.tags.some((tag) => tag.includes(term))) {
+      matched.push(term);
+      score += 1;
+    }
+  }
+  if (tool.risk === "read") score += 0.25;
+  return { tool, score, matched: unique4(matched) };
 }
-function defaultReason(effect, risk) {
-  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
-  if (effect === "deny") return `${risk} integration action denied by default policy.`;
-  return `${risk} integration action requires approval by default policy.`;
+function tokenize(value) {
+  return value.toLowerCase().split(/[^a-z0-9]+/g).map((part) => part.trim()).filter(Boolean);
 }
-function previewInput(input) {
-  return redactUnknown(input);
+function encodeToolPart(value) {
+  return Buffer.from(value, "utf8").toString("base64url").replace(/_/g, ".");
 }
-function redactUnknown(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown);
-  if (!value || typeof value !== "object") return value;
-  const out = {};
-  for (const [key, child] of Object.entries(value)) {
-    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
-      out[key] = "[REDACTED]";
-    } else {
-      out[key] = redactUnknown(child);
-    }
-  }
-  return out;
+function decodeToolPart(value) {
+  return Buffer.from(value.replace(/\./g, "_"), "base64url").toString("utf8");
+}
+function unique4(values) {
+  return [...new Set(values)];
 }
 
 // src/sandbox.ts
@@ -4754,13 +6202,13 @@ function redactInvocationEnvelope(envelope) {
   return {
     ...envelope,
     capabilityToken: "[REDACTED]",
-    input: redactUnknown2(envelope.input)
+    input: redactUnknown4(envelope.input)
   };
 }
 function redactCapability(capability) {
   return {
     ...capability,
-    metadata: redactUnknown2(capability.metadata)
+    metadata: redactUnknown4(capability.metadata)
   };
 }
 function normalizeIntegrationResult(result) {
@@ -4788,15 +6236,40 @@ function normalizeIntegrationResult(result) {
     metadata: result.metadata
   };
 }
-function redactUnknown2(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown2);
+async function dispatchIntegrationInvocation(envelope, options) {
+  try {
+    validateIntegrationInvocationEnvelope(envelope, options);
+    const result = await options.hub.invokeWithCapability(
+      envelope.capabilityToken,
+      invocationRequestFromEnvelope(envelope)
+    );
+    return normalizeIntegrationResult(result);
+  } catch (error) {
+    return {
+      status: "failed",
+      action: typeof envelope?.action === "string" ? envelope.action : "unknown",
+      error: error instanceof Error ? error.message : "Integration invocation failed."
+    };
+  }
+}
+var IntegrationSandboxHost = class {
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  dispatch(envelope) {
+    return dispatchIntegrationInvocation(envelope, this.options);
+  }
+};
+function redactUnknown4(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown4);
   if (!value || typeof value !== "object") return value;
   const out = {};
   for (const [key, child] of Object.entries(value)) {
     if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
       out[key] = "[REDACTED]";
     } else {
-      out[key] = redactUnknown2(child);
+      out[key] = redactUnknown4(child);
     }
   }
   return out;
@@ -4808,152 +6281,6 @@ function isPlainRecord(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 
-// src/adapter-provider.ts
-function createConnectorAdapterProvider(options) {
-  const providerId = options.id ?? "first-party";
-  const now = options.now ?? (() => /* @__PURE__ */ new Date());
-  const adapters = /* @__PURE__ */ new Map();
-  for (const adapter of options.adapters) {
-    adapters.set(adapter.manifest.kind, adapter);
-  }
-  return {
-    id: providerId,
-    kind: options.kind ?? "first_party",
-    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
-    async invokeAction(connection, request) {
-      const adapter = adapters.get(connection.connectorId);
-      if (!adapter) {
-        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
-      }
-      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
-      if (!capability) {
-        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
-      }
-      const source = await options.resolveDataSource(connection);
-      const invocation = {
-        source,
-        capabilityName: request.action,
-        args: toRecord(request.input),
-        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
-        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
-        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0
-      };
-      if (capability.class === "read") {
-        if (!adapter.executeRead) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
-        }
-        const result = await adapter.executeRead(invocation);
-        return readResultToAction(request, result);
-      }
-      if (capability.class === "mutation") {
-        if (!adapter.executeMutation) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
-        }
-        const result = await adapter.executeMutation(invocation);
-        return mutationResultToAction(request, result);
-      }
-      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
-    }
-  };
-}
-function manifestToConnector(providerId, adapter) {
-  const manifest = adapter.manifest;
-  return {
-    id: manifest.kind,
-    providerId,
-    title: manifest.displayName,
-    category: mapCategory(manifest.category),
-    auth: mapAuth(manifest.auth.kind),
-    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
-    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
-      id: capability.name,
-      title: titleFromName(capability.name),
-      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
-      requiredScopes: capability.requiredScopes ?? [],
-      dataClass: inferDataClass(manifest.category),
-      description: capability.description,
-      approvalRequired: capability.class === "mutation",
-      inputSchema: capability.parameters
-    })),
-    metadata: {
-      source: "first-party-adapter",
-      supportTier: "firstPartyExecutable",
-      executable: true
-    }
-  };
-}
-function readResultToAction(request, result) {
-  return {
-    ok: true,
-    action: request.action,
-    output: result.data,
-    metadata: {
-      etag: result.etag,
-      fetchedAt: result.fetchedAt
-    }
-  };
-}
-function mutationResultToAction(request, result) {
-  if (result.status === "committed") {
-    return {
-      ok: true,
-      action: request.action,
-      output: result.data,
-      metadata: {
-        etagAfter: result.etagAfter,
-        committedAt: result.committedAt,
-        idempotentReplay: result.idempotentReplay
-      }
-    };
-  }
-  if (result.status === "conflict") {
-    return {
-      ok: false,
-      action: request.action,
-      output: {
-        conflict: true,
-        message: result.message,
-        alternatives: result.alternatives,
-        currentState: result.currentState
-      }
-    };
-  }
-  return {
-    ok: false,
-    action: request.action,
-    output: {
-      rateLimited: true,
-      retryAfterMs: result.retryAfterMs,
-      message: result.message
-    }
-  };
-}
-function mapAuth(kind) {
-  if (kind === "oauth2") return "oauth2";
-  if (kind === "api-key") return "api_key";
-  if (kind === "none") return "none";
-  return "custom";
-}
-function mapCategory(category) {
-  if (category === "comms") return "chat";
-  if (category === "spreadsheet") return "database";
-  if (category === "doc") return "docs";
-  if (category === "commerce") return "workflow";
-  return category === "other" ? "other" : category;
-}
-function inferDataClass(category) {
-  if (category === "commerce") return "sensitive";
-  if (category === "webhook") return "internal";
-  return "private";
-}
-function titleFromName(name) {
-  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
-}
-function toRecord(input) {
-  if (input && typeof input === "object" && !Array.isArray(input)) return input;
-  return {};
-}
-
 // src/importers.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete"]);
 function importOpenApiConnector(document, options) {
@@ -5008,7 +6335,7 @@ function importMcpConnector(catalog, options) {
   }));
 }
 function connectorFromActions(options, actions) {
-  const scopes = unique3([
+  const scopes = unique5([
     ...options.scopes ?? [],
     ...actions.flatMap((action) => action.requiredScopes)
   ]);
@@ -5040,7 +6367,7 @@ function riskFromMcpTool(tool, fallback) {
 }
 function scopesFromOpenApiOperation(operation, fallback) {
   const scopes = (operation.security ?? []).flatMap((entry) => Object.values(entry).flat());
-  return unique3(scopes.length > 0 ? scopes : fallback);
+  return unique5(scopes.length > 0 ? scopes : fallback);
 }
 function openApiInputSchema(path, method, operation) {
   return {
@@ -5060,7 +6387,7 @@ function titleFromId(id) {
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function unique3(values) {
+function unique5(values) {
   return [...new Set(values)];
 }
 
@@ -5111,7 +6438,7 @@ function normalizeGatewayCatalog(entries, options) {
       title,
       category: normalizeCategory(entry.category),
       auth: normalizeAuth(entry.auth),
-      scopes: unique4([
+      scopes: unique6([
         ...entry.scopes ?? [],
         ...actions.flatMap((action) => action.requiredScopes)
       ]),
@@ -5141,7 +6468,7 @@ function normalizeActions(actions, fallbackScopes) {
       id,
       title: action.title ?? action.name ?? titleFromId2(id),
       risk: normalizeRisk(action.risk),
-      requiredScopes: unique4([
+      requiredScopes: unique6([
         ...action.requiredScopes ?? [],
         ...action.scopes ?? [],
         ...action.requiredScopes?.length || action.scopes?.length ? [] : fallbackScopes
@@ -5155,21 +6482,21 @@ function normalizeActions(actions, fallbackScopes) {
   }).filter((action) => action.id);
 }
 function normalizeTriggers(triggers, fallbackScopes) {
-  const normalized = triggers.map((trigger) => {
-    const id = slug2(trigger.id ?? trigger.key ?? trigger.name ?? trigger.title ?? "");
+  const normalized = triggers.map((trigger2) => {
+    const id = slug2(trigger2.id ?? trigger2.key ?? trigger2.name ?? trigger2.title ?? "");
     return {
       id,
-      title: trigger.title ?? trigger.name ?? titleFromId2(id),
-      requiredScopes: unique4([
-        ...trigger.requiredScopes ?? [],
-        ...trigger.scopes ?? [],
-        ...trigger.requiredScopes?.length || trigger.scopes?.length ? [] : fallbackScopes
+      title: trigger2.title ?? trigger2.name ?? titleFromId2(id),
+      requiredScopes: unique6([
+        ...trigger2.requiredScopes ?? [],
+        ...trigger2.scopes ?? [],
+        ...trigger2.requiredScopes?.length || trigger2.scopes?.length ? [] : fallbackScopes
       ]),
-      dataClass: normalizeDataClass(trigger.dataClass),
-      description: trigger.description,
-      payloadSchema: trigger.payloadSchema
+      dataClass: normalizeDataClass(trigger2.dataClass),
+      description: trigger2.description,
+      payloadSchema: trigger2.payloadSchema
     };
-  }).filter((trigger) => trigger.id);
+  }).filter((trigger2) => trigger2.id);
   return normalized.length > 0 ? normalized : void 0;
 }
 function defaultActionsFor(category, scopes) {
@@ -5249,7 +6576,7 @@ function slug2(value) {
 function titleFromId2(id) {
   return id.split("-").filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
 }
-function unique4(values) {
+function unique6(values) {
   return [...new Set(values)];
 }
 
@@ -5337,7 +6664,7 @@ var IntegrationRuntime = class {
       const connector = {
         ...entry.connector,
         actions: entry.connector.actions.filter((action) => grant.allowedActions.includes(action.id)),
-        triggers: entry.connector.triggers?.filter((trigger) => grant.allowedTriggers.includes(trigger.id)),
+        triggers: entry.connector.triggers?.filter((trigger2) => grant.allowedTriggers.includes(trigger2.id)),
         scopes: entry.connector.scopes.filter((scope) => grant.scopes.includes(scope))
       };
       const capability = await this.hub.issueCapability({
@@ -5431,32 +6758,32 @@ function missing(requirement, status, message, connector, registryEntry2) {
 }
 function requiredActions(requirement, connector) {
   if (requirement.mode === "trigger") return [];
-  if (requirement.requiredActions?.length) return unique5(requirement.requiredActions);
+  if (requirement.requiredActions?.length) return unique7(requirement.requiredActions);
   const actions = connector.actions.filter((action) => {
     if (requirement.mode === "read") return action.risk === "read";
     if (requirement.mode === "write") return action.risk !== "read";
     return false;
   });
-  return unique5(actions.map((action) => action.id));
+  return unique7(actions.map((action) => action.id));
 }
 function requiredTriggers(requirement, connector) {
-  if (requirement.requiredTriggers?.length) return unique5(requirement.requiredTriggers);
+  if (requirement.requiredTriggers?.length) return unique7(requirement.requiredTriggers);
   if (requirement.mode !== "trigger") return [];
-  return unique5((connector.triggers ?? []).map((trigger) => trigger.id));
+  return unique7((connector.triggers ?? []).map((trigger2) => trigger2.id));
 }
 function requiredScopes(requirement, connector) {
-  if (requirement.requiredScopes?.length) return unique5(requirement.requiredScopes);
+  if (requirement.requiredScopes?.length) return unique7(requirement.requiredScopes);
   const actionIds = new Set(requiredActions(requirement, connector));
   const triggerIds = new Set(requiredTriggers(requirement, connector));
-  return unique5([
+  return unique7([
     ...connector.actions.filter((action) => actionIds.has(action.id)).flatMap((action) => action.requiredScopes),
-    ...(connector.triggers ?? []).filter((trigger) => triggerIds.has(trigger.id)).flatMap((trigger) => trigger.requiredScopes)
+    ...(connector.triggers ?? []).filter((trigger2) => triggerIds.has(trigger2.id)).flatMap((trigger2) => trigger2.requiredScopes)
   ]);
 }
 function sameActor(a, b) {
   return a.type === b.type && a.id === b.id;
 }
-function unique5(values) {
+function unique7(values) {
   return [...new Set(values)];
 }
 
@@ -5740,11 +7067,11 @@ var IntegrationHub = class {
     assertScopes(connection, request.scopes);
     const now = this.now();
     const capability = {
-      id: `cap_${randomUUID2()}`,
+      id: `cap_${randomUUID3()}`,
       subject: request.subject,
       connectionId: request.connectionId,
-      scopes: unique6(request.scopes),
-      allowedActions: unique6(request.allowedActions),
+      scopes: unique8(request.scopes),
+      allowedActions: unique8(request.allowedActions),
       issuedAt: now.toISOString(),
       expiresAt: new Date(now.getTime() + request.ttlMs).toISOString(),
       metadata: request.metadata
@@ -5797,18 +7124,18 @@ var IntegrationHub = class {
     }
     return proceed();
   }
-  async subscribeTrigger(connectionId, trigger, targetUrl) {
+  async subscribeTrigger(connectionId, trigger2, targetUrl) {
     const connection = await this.requireConnection(connectionId);
     this.assertConnectionActive(connection);
     const provider = this.requireProvider(connection.providerId);
     const connector = await this.requireConnector(provider, connection.connectorId);
-    const spec = connector.triggers?.find((candidate) => candidate.id === trigger);
-    if (!spec) throw new IntegrationError(`Trigger ${trigger} is not defined by connector ${connector.id}.`, "action_not_found");
+    const spec = connector.triggers?.find((candidate) => candidate.id === trigger2);
+    if (!spec) throw new IntegrationError(`Trigger ${trigger2} is not defined by connector ${connector.id}.`, "action_not_found");
     assertScopes(connection, spec.requiredScopes);
     if (!provider.subscribeTrigger) {
       throw new IntegrationError(`Provider ${provider.id} does not support triggers.`, "auth_not_supported");
     }
-    return provider.subscribeTrigger(connection, trigger, targetUrl);
+    return provider.subscribeTrigger(connection, trigger2, targetUrl);
   }
   requireProvider(providerId) {
     const provider = this.providers.get(providerId);
@@ -5893,10 +7220,10 @@ function createMockIntegrationProvider(options = {}) {
       action: request.action,
       output: { echo: request.input ?? null }
     },
-    subscribeTrigger: (connection, trigger, targetUrl) => ({
-      id: `sub_${connection.id}_${trigger}`,
+    subscribeTrigger: (connection, trigger2, targetUrl) => ({
+      id: `sub_${connection.id}_${trigger2}`,
       connectionId: connection.id,
-      trigger,
+      trigger: trigger2,
       targetUrl,
       status: "active",
       createdAt: (/* @__PURE__ */ new Date(0)).toISOString()
@@ -5924,10 +7251,10 @@ function createHttpIntegrationProvider(options) {
         request
       }, options.bearer);
     },
-    async subscribeTrigger(connection, trigger, targetUrl) {
+    async subscribeTrigger(connection, trigger2, targetUrl) {
       return postJson(fetcher, `${baseUrl}/triggers/subscribe`, {
         connection,
-        trigger,
+        trigger: trigger2,
         targetUrl
       }, options.bearer);
     },
@@ -5990,61 +7317,95 @@ function base64UrlEncode(value) {
 function base64UrlDecode(value) {
   return Buffer.from(value, "base64url").toString("utf8");
 }
-function unique6(values) {
+function unique8(values) {
   return [...new Set(values)];
 }
 export {
   ACTIVEPIECES_OVERRIDES,
+  ApprovalBackedPolicyEngine,
+  CANONICAL_INTEGRATION_ACTIONS,
   CredentialsExpired,
+  DEFAULT_INTEGRATION_BRIDGE_ENV,
   DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  DefaultIntegrationActionGuard,
   INTEGRATION_FAMILIES,
   InMemoryConnectionStore,
+  InMemoryIntegrationApprovalStore,
+  InMemoryIntegrationAuditStore,
+  InMemoryIntegrationEventStore,
   InMemoryIntegrationGrantStore,
+  InMemoryIntegrationHealthcheckStore,
+  InMemoryIntegrationIdempotencyStore,
+  InMemoryIntegrationSecretStore,
   InMemoryIntegrationWorkflowStore,
   InMemoryOAuthFlowStore,
   IntegrationError,
   IntegrationHub,
   IntegrationRuntime,
+  IntegrationRuntimeError,
+  IntegrationSandboxHost,
   IntegrationWorkflowRuntime,
+  PROVIDER_PASSTHROUGH_ACTION,
   ResourceContention,
   StaticIntegrationPolicyEngine,
+  TangleIntegrationsClient,
   _resetPendingFlowsForTests,
   airtableConnector,
   asanaConnector,
   assertValidConnectorManifest,
+  assertValidIntegrationManifest,
   assertValidIntegrationSpec,
   buildActivepiecesConnectors,
   buildApprovalRequest,
+  buildCanonicalLaunchConnectors,
   buildDefaultIntegrationRegistry,
   buildHealthcheckPlan,
+  buildIntegrationBridgeEnvironment,
+  buildIntegrationBridgePayload,
   buildIntegrationCoverageConnectors,
   buildIntegrationInvocationEnvelope,
   buildIntegrationToolCatalog,
+  calendarExercisePlannerManifest,
+  canonicalActionConnectorId,
   canonicalConnectorId,
   composeIntegrationRegistry,
   consoleStepsToText,
   consumePendingFlow,
+  createApprovalBackedPolicyEngine,
+  createAuditingActionGuard,
+  createConnectionCredentialResolver,
   createConnectorAdapterProvider,
+  createCredentialBackedAdapterProvider,
+  createDefaultIntegrationActionGuard,
   createDefaultIntegrationPolicyEngine,
   createGatewayCatalogProvider,
   createHttpIntegrationProvider,
+  createIntegrationAuditEvent,
   createIntegrationRuntime,
   createIntegrationWorkflowRuntime,
   createMockIntegrationProvider,
+  createPlatformIntegrationPolicyPreset,
+  createTangleIntegrationsClient,
   declarativeRestConnector,
+  decodeIntegrationBridgePayload,
+  dispatchIntegrationInvocation,
+  encodeIntegrationBridgePayload,
   exchangeAuthorizationCode,
+  explainMissingRequirements,
   firstHeader,
   getActivepiecesOverride,
   getIntegrationFamily,
   getIntegrationSpec,
-  githubConnector,
+  githubConnector2 as githubConnector,
   gitlabConnector,
   googleCalendar,
   googleSheets,
+  healthcheckRequest,
   hubspot,
   importGraphqlConnector,
   importMcpConnector,
   importOpenApiConnector,
+  inferIntegrationManifestFromTools,
   inferIntegrationSupportTier,
   integrationCoverageChecklistMarkdown,
   integrationSpecToConnector,
@@ -6057,18 +7418,30 @@ export {
   manifestToConnector,
   microsoftCalendar,
   normalizeGatewayCatalog,
+  normalizeIntegrationError,
   normalizeIntegrationResult,
   notionDatabase,
+  parseIntegrationBridgeEnvironment,
   parseIntegrationToolName,
   parseStripeSignatureHeader,
+  receiveIntegrationWebhook,
   redactApprovalRequest,
   redactCapability,
+  redactIntegrationBridgePayload,
   redactInvocationEnvelope,
   refreshAccessToken,
   renderAgentToolDescription,
+  renderApprovalCopy,
+  renderConsentSummary,
   renderConsoleSteps,
   renderRunbookMarkdown,
+  resolveConnectionCredentials,
+  resolveIntegrationApproval,
+  revokeConnection,
+  runIntegrationHealthcheck,
+  runIntegrationHealthchecks,
   salesforceConnector,
+  sanitizeAuditConnection,
   sanitizeConnection,
   searchIntegrationTools,
   signCapability,
@@ -6076,6 +7449,8 @@ export {
   slackEventsConnector,
   specAuthToConnectorAuth,
   startOAuthFlow,
+  statusForCode,
+  storedEventToTriggerEvent,
   stripePackConnector,
   stripeWebhookReceiverConnector,
   summarizeIntegrationRegistry,
@@ -6085,7 +7460,9 @@ export {
   validateCredentialFormat,
   validateCredentialSet,
   validateIntegrationInvocationEnvelope,
+  validateIntegrationManifest,
   validateIntegrationSpec,
+  validateProviderPassthroughRequest,
   verifyCapabilityToken,
   verifyHmacSignature,
   verifySlackSignature,