@tangle-network/agent-integrations 0.15.0 → 0.16.0

package/dist/index.js

@@ -129,7 +129,7 @@ function buildActivepiecesConnectors(options = {}) {
     const category = override?.category ?? entry.category;
     const scopes = [`${entry.id}.read`, `${entry.id}.write`];
     const catalogActions = entry.actions.length > 0 ? entry.actions.map((action) => toAction(applyActionOverride(action, override), scopes, dataClassFor(category))) : defaultActions(entry.id, scopes, dataClassFor(category));
-    const catalogTriggers = entry.triggers.map((trigger) => toTrigger(trigger, scopes, dataClassFor(category)));
+    const catalogTriggers = entry.triggers.map((trigger2) => toTrigger(trigger2, scopes, dataClassFor(category)));
     return {
       id: entry.id,
       providerId,
@@ -172,10 +172,10 @@ function toAction(action, scopes, dataClass) {
     inputSchema: { type: "object", additionalProperties: true, properties: {} }
   };
 }
-function toTrigger(trigger, scopes, dataClass) {
+function toTrigger(trigger2, scopes, dataClass) {
   return {
-    id: trigger.id,
-    title: trigger.title,
+    id: trigger2.id,
+    title: trigger2.title,
     requiredScopes: [scopes[0]],
     dataClass,
     payloadSchema: { type: "object", additionalProperties: true, properties: {} }
@@ -1247,8 +1247,8 @@ function mergeActions(candidates) {
 function mergeTriggers(candidates) {
   const out = /* @__PURE__ */ new Map();
   for (const candidate of toolBindableCandidates(candidates)) {
-    for (const trigger of candidate.connector.triggers ?? []) {
-      if (!out.has(trigger.id)) out.set(trigger.id, trigger);
+    for (const trigger2 of candidate.connector.triggers ?? []) {
+      if (!out.has(trigger2.id)) out.set(trigger2.id, trigger2);
     }
   }
   return out.size > 0 ? [...out.values()] : void 0;
@@ -1521,6 +1521,228 @@ function approvalInputHash(input) {
   return createHash("sha256").update(JSON.stringify(input ?? null)).digest("base64url");
 }
 
+// src/actions.ts
+var CANONICAL_INTEGRATION_ACTIONS = {
+  googleCalendarEventsList: "google-calendar.events.list",
+  googleCalendarEventsCreate: "google-calendar.events.create",
+  gmailMessagesSearch: "gmail.messages.search",
+  gmailMessagesSend: "gmail.messages.send",
+  googleDriveFilesSearch: "google-drive.files.search",
+  googleDriveFilesRead: "google-drive.files.read",
+  githubRepositoriesGet: "github.repositories.get",
+  githubIssuesSearch: "github.issues.search",
+  githubIssuesCreate: "github.issues.create",
+  githubPullRequestsComment: "github.pull-requests.comment",
+  slackChannelsList: "slack.channels.list",
+  slackMessagesSearch: "slack.messages.search",
+  slackMessagesPost: "slack.messages.post",
+  providerHttpRequest: "provider.http.request"
+};
+function buildCanonicalLaunchConnectors(options = {}) {
+  const providerId = options.providerId ?? "tangle-platform";
+  const connectors = [
+    googleCalendarConnector(providerId),
+    gmailConnector(providerId),
+    googleDriveConnector(providerId),
+    githubConnector(providerId),
+    slackConnector(providerId)
+  ];
+  if (!options.includeProviderPassthrough) return connectors;
+  return connectors.map((connector) => ({
+    ...connector,
+    actions: [...connector.actions, providerPassthroughAction(connector.id)]
+  }));
+}
+function canonicalActionConnectorId(actionId) {
+  if (actionId.startsWith("google-calendar.")) return "google-calendar";
+  if (actionId.startsWith("gmail.")) return "gmail";
+  if (actionId.startsWith("google-drive.")) return "google-drive";
+  if (actionId.startsWith("github.")) return "github";
+  if (actionId.startsWith("slack.")) return "slack";
+  if (actionId === CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest) return void 0;
+  return actionId.split(".")[0];
+}
+function googleCalendarConnector(providerId) {
+  return {
+    id: "google-calendar",
+    providerId,
+    title: "Google Calendar",
+    category: "calendar",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/calendar.readonly", "https://www.googleapis.com/auth/calendar.events"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList,
+        title: "List calendar events",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"],
+        dataClass: "private",
+        description: "Read events from a Google Calendar over a bounded time range.",
+        inputSchema: objectSchema2({
+          calendarId: { type: "string", default: "primary" },
+          timeMin: { type: "string", description: "RFC3339 lower bound." },
+          timeMax: { type: "string", description: "RFC3339 upper bound." }
+        }, ["timeMin", "timeMax"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsCreate,
+        title: "Create calendar event",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.events"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Create an event on a Google Calendar after user approval.",
+        inputSchema: objectSchema2({
+          calendarId: { type: "string", default: "primary" },
+          start: { type: "string", description: "RFC3339 start time." },
+          end: { type: "string", description: "RFC3339 end time." },
+          summary: { type: "string" },
+          description: { type: "string" },
+          attendees: { type: "array", items: { type: "string" } }
+        }, ["start", "end", "summary"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function gmailConnector(providerId) {
+  return {
+    id: "gmail",
+    providerId,
+    title: "Gmail",
+    category: "email",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.send"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSearch,
+        title: "Search Gmail messages",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+        dataClass: "private",
+        description: "Search user Gmail messages and return bounded message metadata/snippets.",
+        inputSchema: objectSchema2({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSend,
+        title: "Send Gmail message",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.send"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Send an email from the user account after approval.",
+        inputSchema: objectSchema2({
+          to: { type: "array", items: { type: "string" } },
+          subject: { type: "string" },
+          body: { type: "string" }
+        }, ["to", "subject", "body"])
+      }
+    ],
+    triggers: [{
+      id: "gmail.messages.received",
+      title: "Gmail message received",
+      requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+      dataClass: "private",
+      description: "Triggered when a new matching Gmail message is received."
+    }],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function googleDriveConnector(providerId) {
+  return {
+    id: "google-drive",
+    providerId,
+    title: "Google Drive",
+    category: "storage",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/drive.readonly", "https://www.googleapis.com/auth/drive.file"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesSearch,
+        title: "Search Drive files",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Search user-visible Google Drive files.",
+        inputSchema: objectSchema2({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesRead,
+        title: "Read Drive file",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Read metadata and content for an authorized Drive file.",
+        inputSchema: objectSchema2({ fileId: { type: "string" } }, ["fileId"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function githubConnector(providerId) {
+  return {
+    id: "github",
+    providerId,
+    title: "GitHub",
+    category: "workflow",
+    auth: "oauth2",
+    scopes: ["repo", "read:user"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubRepositoriesGet, "Read repository metadata", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" } }, ["owner", "repo"])),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesSearch, "Search issues and pull requests", ["repo"], objectSchema2({ query: { type: "string" }, limit: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesCreate, "Create issue", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" }, title: { type: "string" }, body: { type: "string" } }, ["owner", "repo", "title"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubPullRequestsComment, "Comment on pull request", ["repo"], objectSchema2({ owner: { type: "string" }, repo: { type: "string" }, pullNumber: { type: "integer" }, body: { type: "string" } }, ["owner", "repo", "pullNumber", "body"]))
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function slackConnector(providerId) {
+  return {
+    id: "slack",
+    providerId,
+    title: "Slack",
+    category: "chat",
+    auth: "oauth2",
+    scopes: ["channels:read", "search:read", "chat:write"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackChannelsList, "List Slack channels", ["channels:read"], objectSchema2({ limit: { type: "integer", minimum: 1, maximum: 200 } })),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesSearch, "Search Slack messages", ["search:read"], objectSchema2({ query: { type: "string" }, count: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesPost, "Post Slack message", ["chat:write"], objectSchema2({ channel: { type: "string" }, text: { type: "string" }, blocks: { type: "array" } }, ["channel", "text"]))
+    ],
+    triggers: [trigger("slack.message.posted", "Slack message posted", ["channels:read"])],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function readAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "read", requiredScopes: scopes, dataClass: "private", inputSchema };
+}
+function writeAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "write", requiredScopes: scopes, dataClass: "private", approvalRequired: true, inputSchema };
+}
+function trigger(id, title, scopes) {
+  return { id, title, requiredScopes: scopes, dataClass: "private" };
+}
+function providerPassthroughAction(connectorId) {
+  return {
+    id: CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest,
+    title: "Provider HTTP request",
+    risk: "write",
+    requiredScopes: [],
+    dataClass: "sensitive",
+    approvalRequired: true,
+    description: `Controlled provider-native passthrough for ${connectorId}. Disabled by default by platform policy.`,
+    inputSchema: objectSchema2({
+      method: { type: "string", enum: ["GET", "POST", "PUT", "PATCH", "DELETE"] },
+      path: { type: "string" },
+      query: { type: "object" },
+      body: { type: "object" }
+    }, ["method", "path"])
+  };
+}
+function objectSchema2(properties, required = []) {
+  return { type: "object", additionalProperties: false, properties, required };
+}
+
 // src/bridge.ts
 var DEFAULT_INTEGRATION_BRIDGE_ENV = "TANGLE_INTEGRATION_BUNDLE";
 function buildIntegrationBridgePayload(bundle) {
@@ -1586,6 +1808,219 @@ function assertBridgePayload(value) {
   if (!Array.isArray(payload.tools)) throw new Error("Invalid integration bridge tools.");
 }
 
+// src/errors.ts
+var IntegrationRuntimeError = class extends Error {
+  code;
+  status;
+  userAction;
+  metadata;
+  constructor(input) {
+    super(input.message);
+    this.name = "IntegrationRuntimeError";
+    this.code = input.code;
+    this.status = input.status ?? statusForCode(input.code);
+    this.userAction = input.userAction;
+    this.metadata = input.metadata;
+  }
+};
+function normalizeIntegrationError(error) {
+  if (error instanceof IntegrationRuntimeError) {
+    return {
+      ok: false,
+      code: error.code,
+      message: error.message,
+      status: error.status,
+      userAction: error.userAction,
+      metadata: redactUnknown2(error.metadata)
+    };
+  }
+  const message = error instanceof Error ? error.message : String(error ?? "Unknown integration error.");
+  return {
+    ok: false,
+    code: inferCode(message),
+    message,
+    status: 500
+  };
+}
+function statusForCode(code) {
+  if (code === "missing_connection" || code === "missing_grant") return 409;
+  if (code === "approval_required") return 202;
+  if (code === "approval_denied") return 403;
+  if (code === "connection_revoked" || code === "connection_expired" || code === "provider_auth_failed") return 401;
+  if (code === "scope_missing" || code === "action_denied" || code === "passthrough_disabled") return 403;
+  if (code === "action_not_found" || code === "manifest_invalid" || code === "input_invalid") return 400;
+  if (code === "provider_rate_limited") return 429;
+  if (code === "provider_unavailable") return 503;
+  if (code === "capability_expired" || code === "capability_invalid") return 401;
+  return 500;
+}
+function inferCode(message) {
+  if (/approval/i.test(message)) return "approval_required";
+  if (/scope/i.test(message)) return "scope_missing";
+  if (/expired/i.test(message)) return "connection_expired";
+  if (/revoked/i.test(message)) return "connection_revoked";
+  if (/rate.?limit|429/i.test(message)) return "provider_rate_limited";
+  if (/unauth|forbidden|401|403/i.test(message)) return "provider_auth_failed";
+  return "unknown";
+}
+function redactUnknown2(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown2);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential|refresh/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown2(child);
+    }
+  }
+  return out;
+}
+
+// src/client.ts
+var TangleIntegrationsClient = class {
+  endpoint;
+  bridge;
+  fetchImpl;
+  getCapabilityToken;
+  constructor(options) {
+    this.endpoint = options.endpoint.replace(/\/$/, "");
+    this.bridge = options.bridge ?? parseIntegrationBridgeEnvironment(
+      options.env ?? readProcessEnv(),
+      { envVar: options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV }
+    );
+    this.fetchImpl = options.fetchImpl ?? fetch;
+    this.getCapabilityToken = options.getCapabilityToken ?? ((tool) => tool.capabilityToken);
+  }
+  tools() {
+    return [...this.bridge.tools];
+  }
+  findTool(toolOrAction) {
+    const found = this.bridge.tools.find(
+      (tool) => tool.name === toolOrAction || tool.action === toolOrAction || `${tool.connectorId}.${tool.action}` === toolOrAction
+    );
+    if (!found) {
+      throw new IntegrationRuntimeError({
+        code: "action_not_found",
+        message: `Integration tool ${toolOrAction} is not available in this runtime.`,
+        metadata: { available: this.bridge.tools.map((tool) => ({ name: tool.name, action: tool.action, connectorId: tool.connectorId })) }
+      });
+    }
+    return found;
+  }
+  async invoke(input) {
+    try {
+      const tool = this.findTool(input.tool);
+      const token = await this.getCapabilityToken(tool);
+      const response = await this.fetchImpl(`${this.endpoint}/v1/integrations/invoke`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify({
+          action: tool.action,
+          input: input.input,
+          idempotencyKey: input.idempotencyKey ?? defaultIdempotencyKey(tool.action),
+          dryRun: input.dryRun,
+          metadata: input.metadata
+        })
+      });
+      const json = await response.json().catch(() => void 0);
+      if (!response.ok && !json) {
+        return { status: "failed", action: tool.action, error: `Integration invoke failed with HTTP ${response.status}` };
+      }
+      return json ?? { status: "failed", action: tool.action, error: "Integration invoke returned an empty response." };
+    } catch (error) {
+      const normalized = normalizeIntegrationError(error);
+      return { status: "failed", action: input.tool, error: normalized.message, metadata: { code: normalized.code, userAction: normalized.userAction } };
+    }
+  }
+};
+function createTangleIntegrationsClient(options) {
+  return new TangleIntegrationsClient(options);
+}
+function defaultIdempotencyKey(action) {
+  return `${action}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+}
+function readProcessEnv() {
+  if (typeof process !== "undefined" && process.env) return process.env;
+  return {};
+}
+
+// src/consent.ts
+function renderConsentSummary(manifestOrResolution, options = {}) {
+  const manifest = "manifest" in manifestOrResolution ? manifestOrResolution.manifest : manifestOrResolution;
+  const appName = options.appName ?? manifest.title ?? manifest.id;
+  const requirements = manifest.requirements;
+  const risk = aggregateRisk(requirements, options.connectors);
+  const connectorIds = unique2(requirements.map((requirement) => requirement.connectorId));
+  const first = requirements[0];
+  const body = first ? sentenceForRequirement(appName, first) : `${appName} does not request integrations.`;
+  return {
+    title: `${appName} wants to use ${humanList(connectorIds.map(titleize))}`,
+    body,
+    bullets: requirements.map((requirement) => bulletForRequirement(requirement, options.connectors)),
+    primaryAction: risk === "read" ? "Allow access" : risk === "write" ? "Review and allow" : "Review destructive access",
+    risk,
+    connectorIds
+  };
+}
+function renderApprovalCopy(input) {
+  return {
+    title: `${input.appName} wants to ${input.action.title.toLowerCase()}`,
+    body: `${input.appName} is requesting permission to run "${input.action.title}" on ${input.connectorTitle}.`,
+    bullets: [
+      `Risk: ${input.action.risk}`,
+      `Data: ${input.action.dataClass}`,
+      ...input.approvalId ? [`Approval id: ${input.approvalId}`] : []
+    ],
+    primaryAction: input.action.risk === "read" ? "Allow" : "Approve action",
+    risk: input.action.risk,
+    connectorIds: []
+  };
+}
+function sentenceForRequirement(appName, requirement) {
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "read") {
+    return `${appName} wants to read your Google Calendar to find schedule-aware recommendations.`;
+  }
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "write") {
+    return `${appName} wants to create or update Google Calendar events after your approval.`;
+  }
+  if (requirement.mode === "read") return `${appName} wants to read ${titleize(requirement.connectorId)} data.`;
+  if (requirement.mode === "write") return `${appName} wants to write ${titleize(requirement.connectorId)} data after approval.`;
+  return `${appName} wants to subscribe to ${titleize(requirement.connectorId)} events.`;
+}
+function bulletForRequirement(requirement, connectors = []) {
+  const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+  const actions = requirement.requiredActions?.length ? requirement.requiredActions.map((id) => connector?.actions.find((action) => action.id === id)?.title ?? id) : requirement.requiredTriggers ?? [];
+  return `${titleize(requirement.connectorId)}: ${requirement.reason}${actions.length ? ` (${actions.join(", ")})` : ""}`;
+}
+function aggregateRisk(requirements, connectors = []) {
+  let rank = 0;
+  for (const requirement of requirements) {
+    if (requirement.mode === "write") rank = Math.max(rank, 1);
+    const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+    for (const actionId of requirement.requiredActions ?? []) {
+      const risk = connector?.actions.find((action) => action.id === actionId)?.risk;
+      if (risk === "write") rank = Math.max(rank, 1);
+      if (risk === "destructive") rank = Math.max(rank, 2);
+    }
+  }
+  return rank === 2 ? "destructive" : rank === 1 ? "write" : "read";
+}
+function humanList(values) {
+  if (values.length <= 1) return values[0] ?? "integrations";
+  if (values.length === 2) return `${values[0]} and ${values[1]}`;
+  return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
+}
+function titleize(value) {
+  return value.split(/[-_.]/g).filter(Boolean).map((part) => part[0].toUpperCase() + part.slice(1)).join(" ");
+}
+function unique2(values) {
+  return [...new Set(values)];
+}
+
 // src/adapter-provider.ts
 function createConnectorAdapterProvider(options) {
   const providerId = options.id ?? "first-party";
@@ -2153,6 +2588,256 @@ function rollupHealthStatus(checks) {
   return "healthy";
 }
 
+// src/manifest.ts
+function validateIntegrationManifest(manifest) {
+  const issues = [];
+  if (!manifest.id?.trim()) issues.push({ path: "id", message: "Manifest id is required." });
+  if (!Array.isArray(manifest.requirements)) issues.push({ path: "requirements", message: "Requirements must be an array." });
+  const ids = /* @__PURE__ */ new Set();
+  for (const [index, requirement] of (manifest.requirements ?? []).entries()) {
+    const path = `requirements[${index}]`;
+    if (!requirement.id?.trim()) issues.push({ path: `${path}.id`, message: "Requirement id is required." });
+    if (ids.has(requirement.id)) issues.push({ path: `${path}.id`, message: `Duplicate requirement id ${requirement.id}.` });
+    ids.add(requirement.id);
+    if (!requirement.connectorId?.trim()) issues.push({ path: `${path}.connectorId`, message: "Connector id is required." });
+    if (!["read", "write", "trigger"].includes(requirement.mode)) issues.push({ path: `${path}.mode`, message: "Mode must be read, write, or trigger." });
+    if (!requirement.reason?.trim()) issues.push({ path: `${path}.reason`, message: "Human-readable reason is required." });
+    if (requirement.mode !== "trigger" && !requirement.requiredActions?.length) {
+      issues.push({ path: `${path}.requiredActions`, message: "Non-trigger requirements should list required actions." });
+    }
+    if (requirement.mode === "trigger" && !requirement.requiredTriggers?.length) {
+      issues.push({ path: `${path}.requiredTriggers`, message: "Trigger requirements should list required triggers." });
+    }
+  }
+  return { ok: issues.length === 0, issues };
+}
+function assertValidIntegrationManifest(manifest) {
+  const result = validateIntegrationManifest(manifest);
+  if (!result.ok) {
+    throw new Error(`Invalid integration manifest: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
+  }
+}
+function inferIntegrationManifestFromTools(options) {
+  const byConnector = /* @__PURE__ */ new Map();
+  for (const item of options.tools) {
+    const action = typeof item === "string" ? item : item.action;
+    const connectorId = typeof item === "string" ? canonicalActionConnectorId(action) : item.connectorId ?? canonicalActionConnectorId(action);
+    if (!connectorId) continue;
+    const mode = typeof item === "string" ? inferMode(action) : item.mode ?? inferMode(action);
+    const id = `${connectorId}-${mode}`;
+    const existing = byConnector.get(id);
+    const reason = typeof item === "string" ? defaultReason(connectorId, mode) : item.reason ?? defaultReason(connectorId, mode);
+    if (existing) {
+      byConnector.set(id, {
+        ...existing,
+        requiredActions: unique3([...existing.requiredActions ?? [], action]),
+        requiredScopes: unique3([...existing.requiredScopes ?? [], ...typeof item === "string" ? [] : item.scopes ?? []])
+      });
+    } else {
+      byConnector.set(id, {
+        id,
+        connectorId,
+        mode,
+        reason,
+        requiredActions: mode === "trigger" ? void 0 : [action],
+        requiredScopes: typeof item === "string" ? void 0 : item.scopes
+      });
+    }
+  }
+  const manifest = {
+    id: options.manifestId,
+    title: options.title,
+    requirements: [...byConnector.values()],
+    metadata: options.metadata
+  };
+  assertValidIntegrationManifest(manifest);
+  return manifest;
+}
+function explainMissingRequirements(resolution) {
+  return [...resolution.missing, ...resolution.optionalMissing].map((item) => ({
+    requirementId: item.requirement.id,
+    connectorId: item.requirement.connectorId,
+    status: item.status,
+    message: item.message,
+    userAction: item.requirement.optional ? "ignore_optional" : item.status === "not_executable" ? "enable" : "connect"
+  }));
+}
+function calendarExercisePlannerManifest(id = "exercise-calendar-planner") {
+  return {
+    id,
+    title: "Exercise Calendar Planner",
+    requirements: [{
+      id: "calendar-read",
+      connectorId: "google-calendar",
+      mode: "read",
+      reason: "Read busy and free calendar windows to recommend exercise sessions.",
+      requiredActions: [CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList],
+      requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"]
+    }]
+  };
+}
+function inferMode(action) {
+  if (/(create|send|post|update|delete|write|comment|request)$/i.test(action)) return "write";
+  return "read";
+}
+function defaultReason(connectorId, mode) {
+  if (connectorId === "google-calendar" && mode === "read") return "Read calendar availability for the generated app.";
+  if (connectorId === "google-calendar" && mode === "write") return "Create or update calendar events after user approval.";
+  return `${mode === "read" ? "Read from" : mode === "write" ? "Write to" : "Subscribe to"} ${connectorId} for this app.`;
+}
+function unique3(values) {
+  return [...new Set(values)];
+}
+
+// src/passthrough.ts
+var PROVIDER_PASSTHROUGH_ACTION = CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest;
+function validateProviderPassthroughRequest(input, policy) {
+  if (!policy.enabled) {
+    throw new IntegrationRuntimeError({
+      code: "passthrough_disabled",
+      message: "Provider-native passthrough is disabled for this connector."
+    });
+  }
+  if (!input.path.startsWith("/")) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: "Provider passthrough path must start with /." });
+  }
+  if (policy.allowedMethods?.length && !policy.allowedMethods.includes(input.method)) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough method ${input.method} is not allowed.` });
+  }
+  if (policy.allowedPathPrefixes?.length && !policy.allowedPathPrefixes.some((prefix) => input.path.startsWith(prefix))) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough path ${input.path} is not allowed.` });
+  }
+  const maxBodyBytes = policy.maxBodyBytes ?? 64 * 1024;
+  const bodyBytes = Buffer.byteLength(JSON.stringify(input.body ?? null), "utf8");
+  if (bodyBytes > maxBodyBytes) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough body exceeds ${maxBodyBytes} bytes.` });
+  }
+  for (const key of Object.keys(input.headers ?? {})) {
+    if (/authorization|cookie|token|secret|api[_-]?key/i.test(key)) {
+      throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough header ${key} is not caller-settable.` });
+    }
+  }
+}
+
+// src/policy.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var StaticIntegrationPolicyEngine = class {
+  rules;
+  defaultReadEffect;
+  defaultWriteEffect;
+  defaultDestructiveEffect;
+  now;
+  constructor(options = {}) {
+    this.rules = options.rules ?? [];
+    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
+    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
+    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  decide(ctx) {
+    const action = ctx.action;
+    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
+    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
+    const effect = matched?.effect ?? this.defaultEffect(action.risk);
+    const reason = matched?.reason ?? defaultReason2(effect, action.risk);
+    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    return {
+      decision: "require_approval",
+      reason,
+      approval: buildApprovalRequest(ctx, reason, this.now()),
+      metadata: matched ? { ruleId: matched.id } : void 0
+    };
+  }
+  defaultEffect(risk) {
+    if (risk === "read") return this.defaultReadEffect;
+    if (risk === "write") return this.defaultWriteEffect;
+    return this.defaultDestructiveEffect;
+  }
+};
+function createDefaultIntegrationPolicyEngine(options = {}) {
+  return new StaticIntegrationPolicyEngine(options);
+}
+function buildApprovalRequest(ctx, reason, requestedAt) {
+  if (!ctx.action) {
+    throw new Error("Cannot build approval request without an action descriptor.");
+  }
+  return {
+    id: `approval_${randomUUID2()}`,
+    connectionId: ctx.connection.id,
+    providerId: ctx.connection.providerId,
+    connectorId: ctx.connection.connectorId,
+    action: ctx.request.action,
+    actor: { type: ctx.subject.type, id: ctx.subject.id },
+    risk: ctx.action.risk,
+    dataClass: ctx.action.dataClass,
+    reason,
+    requestedAt: requestedAt.toISOString(),
+    inputPreview: previewInput(ctx.request.input)
+  };
+}
+function redactApprovalRequest(request) {
+  return {
+    ...request,
+    inputPreview: redactUnknown3(request.inputPreview)
+  };
+}
+function ruleMatches(rule, ctx) {
+  if (!ctx.action) return false;
+  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
+  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
+  if (rule.action && rule.action !== ctx.request.action) return false;
+  if (rule.risk && rule.risk !== ctx.action.risk) return false;
+  if (rule.maxRisk && riskRank(ctx.action.risk) > riskRank(rule.maxRisk)) return false;
+  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
+  return true;
+}
+function riskRank(risk) {
+  if (risk === "read") return 0;
+  if (risk === "write") return 1;
+  return 2;
+}
+function defaultReason2(effect, risk) {
+  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
+  if (effect === "deny") return `${risk} integration action denied by default policy.`;
+  return `${risk} integration action requires approval by default policy.`;
+}
+function previewInput(input) {
+  return redactUnknown3(input);
+}
+function redactUnknown3(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown3);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown3(child);
+    }
+  }
+  return out;
+}
+
+// src/presets.ts
+function createPlatformIntegrationPolicyPreset(options = {}) {
+  return new StaticIntegrationPolicyEngine({
+    ...options,
+    defaultReadEffect: "allow",
+    defaultWriteEffect: options.allowWritesWithoutApproval ? "allow" : "require_approval",
+    defaultDestructiveEffect: options.allowDestructiveActions ? "require_approval" : "deny",
+    rules: [
+      ...options.allowProviderPassthrough ? [] : [{
+        id: "deny-provider-native-passthrough",
+        action: "provider.http.request",
+        effect: "deny",
+        reason: "Provider-native passthrough is disabled by default. Promote the connector action or enable passthrough explicitly."
+      }],
+      ...options.rules ?? []
+    ]
+  });
+}
+
 // src/connectors/types.ts
 var ResourceContention = class extends Error {
   constructor(message, alternatives = [], currentState) {
@@ -5013,7 +5698,7 @@ var repoParams = {
   },
   required: ["owner", "repo"]
 };
-var githubConnector = declarativeRestConnector({
+var githubConnector2 = declarativeRestConnector({
   kind: "github",
   displayName: "GitHub",
   description: "Search repositories/issues and create or update GitHub issues through a user-scoped token.",
@@ -5348,7 +6033,7 @@ var salesforceConnector = declarativeRestConnector({
 });
 
 // src/catalog.ts
-var riskRank = {
+var riskRank2 = {
   read: 0,
   write: 1,
   destructive: 2
@@ -5371,7 +6056,7 @@ function buildIntegrationToolCatalog(connectors) {
   const tools = [];
   for (const connector of connectors) {
     for (const action of connector.actions) {
-      const tags = unique2([
+      const tags = unique4([
         connector.id,
         connector.providerId,
         connector.title,
@@ -5410,7 +6095,7 @@ function searchIntegrationTools(catalog, query, filters = {}) {
     if (filters.connectorId && tool.connectorId !== filters.connectorId) return false;
     if (filters.category && tool.category !== filters.category) return false;
     if (filters.dataClass && tool.dataClass !== filters.dataClass) return false;
-    if (filters.maxRisk && riskRank[tool.risk] > riskRank[filters.maxRisk]) return false;
+    if (filters.maxRisk && riskRank2[tool.risk] > riskRank2[filters.maxRisk]) return false;
     return true;
   });
   const scored = filtered.map((tool) => scoreTool(tool, terms));
@@ -5444,7 +6129,7 @@ function scoreTool(tool, terms) {
     }
   }
   if (tool.risk === "read") score += 0.25;
-  return { tool, score, matched: unique2(matched) };
+  return { tool, score, matched: unique4(matched) };
 }
 function tokenize(value) {
   return value.toLowerCase().split(/[^a-z0-9]+/g).map((part) => part.trim()).filter(Boolean);
@@ -5455,110 +6140,10 @@ function encodeToolPart(value) {
 function decodeToolPart(value) {
   return Buffer.from(value.replace(/\./g, "_"), "base64url").toString("utf8");
 }
-function unique2(values) {
+function unique4(values) {
   return [...new Set(values)];
 }
 
-// src/policy.ts
-import { randomUUID as randomUUID2 } from "crypto";
-var StaticIntegrationPolicyEngine = class {
-  rules;
-  defaultReadEffect;
-  defaultWriteEffect;
-  defaultDestructiveEffect;
-  now;
-  constructor(options = {}) {
-    this.rules = options.rules ?? [];
-    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
-    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
-    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
-    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
-  }
-  decide(ctx) {
-    const action = ctx.action;
-    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
-    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
-    const effect = matched?.effect ?? this.defaultEffect(action.risk);
-    const reason = matched?.reason ?? defaultReason(effect, action.risk);
-    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    return {
-      decision: "require_approval",
-      reason,
-      approval: buildApprovalRequest(ctx, reason, this.now()),
-      metadata: matched ? { ruleId: matched.id } : void 0
-    };
-  }
-  defaultEffect(risk) {
-    if (risk === "read") return this.defaultReadEffect;
-    if (risk === "write") return this.defaultWriteEffect;
-    return this.defaultDestructiveEffect;
-  }
-};
-function createDefaultIntegrationPolicyEngine(options = {}) {
-  return new StaticIntegrationPolicyEngine(options);
-}
-function buildApprovalRequest(ctx, reason, requestedAt) {
-  if (!ctx.action) {
-    throw new Error("Cannot build approval request without an action descriptor.");
-  }
-  return {
-    id: `approval_${randomUUID2()}`,
-    connectionId: ctx.connection.id,
-    providerId: ctx.connection.providerId,
-    connectorId: ctx.connection.connectorId,
-    action: ctx.request.action,
-    actor: { type: ctx.subject.type, id: ctx.subject.id },
-    risk: ctx.action.risk,
-    dataClass: ctx.action.dataClass,
-    reason,
-    requestedAt: requestedAt.toISOString(),
-    inputPreview: previewInput(ctx.request.input)
-  };
-}
-function redactApprovalRequest(request) {
-  return {
-    ...request,
-    inputPreview: redactUnknown2(request.inputPreview)
-  };
-}
-function ruleMatches(rule, ctx) {
-  if (!ctx.action) return false;
-  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
-  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
-  if (rule.action && rule.action !== ctx.request.action) return false;
-  if (rule.risk && rule.risk !== ctx.action.risk) return false;
-  if (rule.maxRisk && riskRank2(ctx.action.risk) > riskRank2(rule.maxRisk)) return false;
-  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
-  return true;
-}
-function riskRank2(risk) {
-  if (risk === "read") return 0;
-  if (risk === "write") return 1;
-  return 2;
-}
-function defaultReason(effect, risk) {
-  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
-  if (effect === "deny") return `${risk} integration action denied by default policy.`;
-  return `${risk} integration action requires approval by default policy.`;
-}
-function previewInput(input) {
-  return redactUnknown2(input);
-}
-function redactUnknown2(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown2);
-  if (!value || typeof value !== "object") return value;
-  const out = {};
-  for (const [key, child] of Object.entries(value)) {
-    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
-      out[key] = "[REDACTED]";
-    } else {
-      out[key] = redactUnknown2(child);
-    }
-  }
-  return out;
-}
-
 // src/sandbox.ts
 function buildIntegrationInvocationEnvelope(input) {
   const parsed = parseIntegrationToolName(input.toolName);
@@ -5617,13 +6202,13 @@ function redactInvocationEnvelope(envelope) {
   return {
     ...envelope,
     capabilityToken: "[REDACTED]",
-    input: redactUnknown3(envelope.input)
+    input: redactUnknown4(envelope.input)
   };
 }
 function redactCapability(capability) {
   return {
     ...capability,
-    metadata: redactUnknown3(capability.metadata)
+    metadata: redactUnknown4(capability.metadata)
   };
 }
 function normalizeIntegrationResult(result) {
@@ -5676,15 +6261,15 @@ var IntegrationSandboxHost = class {
     return dispatchIntegrationInvocation(envelope, this.options);
   }
 };
-function redactUnknown3(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown3);
+function redactUnknown4(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown4);
   if (!value || typeof value !== "object") return value;
   const out = {};
   for (const [key, child] of Object.entries(value)) {
     if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
       out[key] = "[REDACTED]";
     } else {
-      out[key] = redactUnknown3(child);
+      out[key] = redactUnknown4(child);
     }
   }
   return out;
@@ -5750,7 +6335,7 @@ function importMcpConnector(catalog, options) {
   }));
 }
 function connectorFromActions(options, actions) {
-  const scopes = unique3([
+  const scopes = unique5([
     ...options.scopes ?? [],
     ...actions.flatMap((action) => action.requiredScopes)
   ]);
@@ -5782,7 +6367,7 @@ function riskFromMcpTool(tool, fallback) {
 }
 function scopesFromOpenApiOperation(operation, fallback) {
   const scopes = (operation.security ?? []).flatMap((entry) => Object.values(entry).flat());
-  return unique3(scopes.length > 0 ? scopes : fallback);
+  return unique5(scopes.length > 0 ? scopes : fallback);
 }
 function openApiInputSchema(path, method, operation) {
   return {
@@ -5802,7 +6387,7 @@ function titleFromId(id) {
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function unique3(values) {
+function unique5(values) {
   return [...new Set(values)];
 }
 
@@ -5853,7 +6438,7 @@ function normalizeGatewayCatalog(entries, options) {
       title,
       category: normalizeCategory(entry.category),
       auth: normalizeAuth(entry.auth),
-      scopes: unique4([
+      scopes: unique6([
         ...entry.scopes ?? [],
         ...actions.flatMap((action) => action.requiredScopes)
       ]),
@@ -5883,7 +6468,7 @@ function normalizeActions(actions, fallbackScopes) {
       id,
       title: action.title ?? action.name ?? titleFromId2(id),
       risk: normalizeRisk(action.risk),
-      requiredScopes: unique4([
+      requiredScopes: unique6([
         ...action.requiredScopes ?? [],
         ...action.scopes ?? [],
         ...action.requiredScopes?.length || action.scopes?.length ? [] : fallbackScopes
@@ -5897,21 +6482,21 @@ function normalizeActions(actions, fallbackScopes) {
   }).filter((action) => action.id);
 }
 function normalizeTriggers(triggers, fallbackScopes) {
-  const normalized = triggers.map((trigger) => {
-    const id = slug2(trigger.id ?? trigger.key ?? trigger.name ?? trigger.title ?? "");
+  const normalized = triggers.map((trigger2) => {
+    const id = slug2(trigger2.id ?? trigger2.key ?? trigger2.name ?? trigger2.title ?? "");
     return {
       id,
-      title: trigger.title ?? trigger.name ?? titleFromId2(id),
-      requiredScopes: unique4([
-        ...trigger.requiredScopes ?? [],
-        ...trigger.scopes ?? [],
-        ...trigger.requiredScopes?.length || trigger.scopes?.length ? [] : fallbackScopes
+      title: trigger2.title ?? trigger2.name ?? titleFromId2(id),
+      requiredScopes: unique6([
+        ...trigger2.requiredScopes ?? [],
+        ...trigger2.scopes ?? [],
+        ...trigger2.requiredScopes?.length || trigger2.scopes?.length ? [] : fallbackScopes
       ]),
-      dataClass: normalizeDataClass(trigger.dataClass),
-      description: trigger.description,
-      payloadSchema: trigger.payloadSchema
+      dataClass: normalizeDataClass(trigger2.dataClass),
+      description: trigger2.description,
+      payloadSchema: trigger2.payloadSchema
     };
-  }).filter((trigger) => trigger.id);
+  }).filter((trigger2) => trigger2.id);
   return normalized.length > 0 ? normalized : void 0;
 }
 function defaultActionsFor(category, scopes) {
@@ -5991,7 +6576,7 @@ function slug2(value) {
 function titleFromId2(id) {
   return id.split("-").filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
 }
-function unique4(values) {
+function unique6(values) {
   return [...new Set(values)];
 }
 
@@ -6079,7 +6664,7 @@ var IntegrationRuntime = class {
       const connector = {
         ...entry.connector,
         actions: entry.connector.actions.filter((action) => grant.allowedActions.includes(action.id)),
-        triggers: entry.connector.triggers?.filter((trigger) => grant.allowedTriggers.includes(trigger.id)),
+        triggers: entry.connector.triggers?.filter((trigger2) => grant.allowedTriggers.includes(trigger2.id)),
         scopes: entry.connector.scopes.filter((scope) => grant.scopes.includes(scope))
       };
       const capability = await this.hub.issueCapability({
@@ -6173,32 +6758,32 @@ function missing(requirement, status, message, connector, registryEntry2) {
 }
 function requiredActions(requirement, connector) {
   if (requirement.mode === "trigger") return [];
-  if (requirement.requiredActions?.length) return unique5(requirement.requiredActions);
+  if (requirement.requiredActions?.length) return unique7(requirement.requiredActions);
   const actions = connector.actions.filter((action) => {
     if (requirement.mode === "read") return action.risk === "read";
     if (requirement.mode === "write") return action.risk !== "read";
     return false;
   });
-  return unique5(actions.map((action) => action.id));
+  return unique7(actions.map((action) => action.id));
 }
 function requiredTriggers(requirement, connector) {
-  if (requirement.requiredTriggers?.length) return unique5(requirement.requiredTriggers);
+  if (requirement.requiredTriggers?.length) return unique7(requirement.requiredTriggers);
   if (requirement.mode !== "trigger") return [];
-  return unique5((connector.triggers ?? []).map((trigger) => trigger.id));
+  return unique7((connector.triggers ?? []).map((trigger2) => trigger2.id));
 }
 function requiredScopes(requirement, connector) {
-  if (requirement.requiredScopes?.length) return unique5(requirement.requiredScopes);
+  if (requirement.requiredScopes?.length) return unique7(requirement.requiredScopes);
   const actionIds = new Set(requiredActions(requirement, connector));
   const triggerIds = new Set(requiredTriggers(requirement, connector));
-  return unique5([
+  return unique7([
     ...connector.actions.filter((action) => actionIds.has(action.id)).flatMap((action) => action.requiredScopes),
-    ...(connector.triggers ?? []).filter((trigger) => triggerIds.has(trigger.id)).flatMap((trigger) => trigger.requiredScopes)
+    ...(connector.triggers ?? []).filter((trigger2) => triggerIds.has(trigger2.id)).flatMap((trigger2) => trigger2.requiredScopes)
   ]);
 }
 function sameActor(a, b) {
   return a.type === b.type && a.id === b.id;
 }
-function unique5(values) {
+function unique7(values) {
   return [...new Set(values)];
 }
 
@@ -6485,8 +7070,8 @@ var IntegrationHub = class {
       id: `cap_${randomUUID3()}`,
       subject: request.subject,
       connectionId: request.connectionId,
-      scopes: unique6(request.scopes),
-      allowedActions: unique6(request.allowedActions),
+      scopes: unique8(request.scopes),
+      allowedActions: unique8(request.allowedActions),
       issuedAt: now.toISOString(),
       expiresAt: new Date(now.getTime() + request.ttlMs).toISOString(),
       metadata: request.metadata
@@ -6539,18 +7124,18 @@ var IntegrationHub = class {
     }
     return proceed();
   }
-  async subscribeTrigger(connectionId, trigger, targetUrl) {
+  async subscribeTrigger(connectionId, trigger2, targetUrl) {
     const connection = await this.requireConnection(connectionId);
     this.assertConnectionActive(connection);
     const provider = this.requireProvider(connection.providerId);
     const connector = await this.requireConnector(provider, connection.connectorId);
-    const spec = connector.triggers?.find((candidate) => candidate.id === trigger);
-    if (!spec) throw new IntegrationError(`Trigger ${trigger} is not defined by connector ${connector.id}.`, "action_not_found");
+    const spec = connector.triggers?.find((candidate) => candidate.id === trigger2);
+    if (!spec) throw new IntegrationError(`Trigger ${trigger2} is not defined by connector ${connector.id}.`, "action_not_found");
     assertScopes(connection, spec.requiredScopes);
     if (!provider.subscribeTrigger) {
       throw new IntegrationError(`Provider ${provider.id} does not support triggers.`, "auth_not_supported");
     }
-    return provider.subscribeTrigger(connection, trigger, targetUrl);
+    return provider.subscribeTrigger(connection, trigger2, targetUrl);
   }
   requireProvider(providerId) {
     const provider = this.providers.get(providerId);
@@ -6635,10 +7220,10 @@ function createMockIntegrationProvider(options = {}) {
       action: request.action,
       output: { echo: request.input ?? null }
     },
-    subscribeTrigger: (connection, trigger, targetUrl) => ({
-      id: `sub_${connection.id}_${trigger}`,
+    subscribeTrigger: (connection, trigger2, targetUrl) => ({
+      id: `sub_${connection.id}_${trigger2}`,
       connectionId: connection.id,
-      trigger,
+      trigger: trigger2,
       targetUrl,
       status: "active",
       createdAt: (/* @__PURE__ */ new Date(0)).toISOString()
@@ -6666,10 +7251,10 @@ function createHttpIntegrationProvider(options) {
         request
       }, options.bearer);
     },
-    async subscribeTrigger(connection, trigger, targetUrl) {
+    async subscribeTrigger(connection, trigger2, targetUrl) {
       return postJson(fetcher, `${baseUrl}/triggers/subscribe`, {
         connection,
-        trigger,
+        trigger: trigger2,
         targetUrl
       }, options.bearer);
     },
@@ -6732,12 +7317,13 @@ function base64UrlEncode(value) {
 function base64UrlDecode(value) {
   return Buffer.from(value, "base64url").toString("utf8");
 }
-function unique6(values) {
+function unique8(values) {
   return [...new Set(values)];
 }
 export {
   ACTIVEPIECES_OVERRIDES,
   ApprovalBackedPolicyEngine,
+  CANONICAL_INTEGRATION_ACTIONS,
   CredentialsExpired,
   DEFAULT_INTEGRATION_BRIDGE_ENV,
   DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
@@ -6756,17 +7342,22 @@ export {
   IntegrationError,
   IntegrationHub,
   IntegrationRuntime,
+  IntegrationRuntimeError,
   IntegrationSandboxHost,
   IntegrationWorkflowRuntime,
+  PROVIDER_PASSTHROUGH_ACTION,
   ResourceContention,
   StaticIntegrationPolicyEngine,
+  TangleIntegrationsClient,
   _resetPendingFlowsForTests,
   airtableConnector,
   asanaConnector,
   assertValidConnectorManifest,
+  assertValidIntegrationManifest,
   assertValidIntegrationSpec,
   buildActivepiecesConnectors,
   buildApprovalRequest,
+  buildCanonicalLaunchConnectors,
   buildDefaultIntegrationRegistry,
   buildHealthcheckPlan,
   buildIntegrationBridgeEnvironment,
@@ -6774,6 +7365,8 @@ export {
   buildIntegrationCoverageConnectors,
   buildIntegrationInvocationEnvelope,
   buildIntegrationToolCatalog,
+  calendarExercisePlannerManifest,
+  canonicalActionConnectorId,
   canonicalConnectorId,
   composeIntegrationRegistry,
   consoleStepsToText,
@@ -6791,16 +7384,19 @@ export {
   createIntegrationRuntime,
   createIntegrationWorkflowRuntime,
   createMockIntegrationProvider,
+  createPlatformIntegrationPolicyPreset,
+  createTangleIntegrationsClient,
   declarativeRestConnector,
   decodeIntegrationBridgePayload,
   dispatchIntegrationInvocation,
   encodeIntegrationBridgePayload,
   exchangeAuthorizationCode,
+  explainMissingRequirements,
   firstHeader,
   getActivepiecesOverride,
   getIntegrationFamily,
   getIntegrationSpec,
-  githubConnector,
+  githubConnector2 as githubConnector,
   gitlabConnector,
   googleCalendar,
   googleSheets,
@@ -6809,6 +7405,7 @@ export {
   importGraphqlConnector,
   importMcpConnector,
   importOpenApiConnector,
+  inferIntegrationManifestFromTools,
   inferIntegrationSupportTier,
   integrationCoverageChecklistMarkdown,
   integrationSpecToConnector,
@@ -6821,6 +7418,7 @@ export {
   manifestToConnector,
   microsoftCalendar,
   normalizeGatewayCatalog,
+  normalizeIntegrationError,
   normalizeIntegrationResult,
   notionDatabase,
   parseIntegrationBridgeEnvironment,
@@ -6833,6 +7431,8 @@ export {
   redactInvocationEnvelope,
   refreshAccessToken,
   renderAgentToolDescription,
+  renderApprovalCopy,
+  renderConsentSummary,
   renderConsoleSteps,
   renderRunbookMarkdown,
   resolveConnectionCredentials,
@@ -6849,6 +7449,7 @@ export {
   slackEventsConnector,
   specAuthToConnectorAuth,
   startOAuthFlow,
+  statusForCode,
   storedEventToTriggerEvent,
   stripePackConnector,
   stripeWebhookReceiverConnector,
@@ -6859,7 +7460,9 @@ export {
   validateCredentialFormat,
   validateCredentialSet,
   validateIntegrationInvocationEnvelope,
+  validateIntegrationManifest,
   validateIntegrationSpec,
+  validateProviderPassthroughRequest,
   verifyCapabilityToken,
   verifyHmacSignature,
   verifySlackSignature,