@tangle-network/agent-integrations 0.15.0 → 0.16.1

package/dist/index.js

@@ -1,3 +1,25 @@
+import {
+  INTEGRATION_FAMILIES,
+  assertValidIntegrationSpec,
+  buildHealthcheckPlan,
+  buildIntegrationCoverageConnectors,
+  consoleStepsToText,
+  getIntegrationFamily,
+  getIntegrationSpec,
+  integrationCoverageChecklistMarkdown,
+  integrationSpecToConnector,
+  listExecutableIntegrationSpecs,
+  listIntegrationCoverageSpecs,
+  listIntegrationSpecs,
+  renderAgentToolDescription,
+  renderConsoleSteps,
+  renderRunbookMarkdown,
+  specAuthToConnectorAuth,
+  validateCredentialFormat,
+  validateCredentialSet,
+  validateIntegrationSpec
+} from "./chunk-DIJ3I66K.js";
+
 // src/index.ts
 import { createHmac as createHmac3, randomUUID as randomUUID3, timingSafeEqual as timingSafeEqual2 } from "crypto";
 
@@ -129,7 +151,7 @@ function buildActivepiecesConnectors(options = {}) {
     const category = override?.category ?? entry.category;
     const scopes = [`${entry.id}.read`, `${entry.id}.write`];
     const catalogActions = entry.actions.length > 0 ? entry.actions.map((action) => toAction(applyActionOverride(action, override), scopes, dataClassFor(category))) : defaultActions(entry.id, scopes, dataClassFor(category));
-    const catalogTriggers = entry.triggers.map((trigger) => toTrigger(trigger, scopes, dataClassFor(category)));
+    const catalogTriggers = entry.triggers.map((trigger2) => toTrigger(trigger2, scopes, dataClassFor(category)));
     return {
       id: entry.id,
       providerId,
@@ -172,10 +194,10 @@ function toAction(action, scopes, dataClass) {
     inputSchema: { type: "object", additionalProperties: true, properties: {} }
   };
 }
-function toTrigger(trigger, scopes, dataClass) {
+function toTrigger(trigger2, scopes, dataClass) {
   return {
-    id: trigger.id,
-    title: trigger.title,
+    id: trigger2.id,
+    title: trigger2.title,
     requiredScopes: [scopes[0]],
     dataClass,
     payloadSchema: { type: "object", additionalProperties: true, properties: {} }
@@ -210,867 +232,6 @@ function dataClassFor(category) {
   return "internal";
 }
 
-// src/coverage-catalog.ts
-var DEFAULT_PROVIDER_KINDS = ["first_party", "nango", "pipedream", "activepieces", "custom"];
-var COVERAGE_SPECS = [
-  ["gmail", "Gmail", "email", "email", "tier_0", "email,google,workspace,inbox"],
-  ["outlook-mail", "Outlook Mail", "email", "email", "tier_0", "email,microsoft,office,inbox"],
-  ["google-calendar", "Google Calendar", "calendar", "calendar", "tier_0", "calendar,google,workspace,scheduling"],
-  ["outlook-calendar", "Outlook Calendar", "calendar", "calendar", "tier_0", "calendar,microsoft,office,scheduling"],
-  ["slack", "Slack", "chat", "chat", "tier_0", "chat,collaboration,internal-comms"],
-  ["microsoft-teams", "Microsoft Teams", "chat", "chat", "tier_0", "chat,microsoft,collaboration"],
-  ["google-drive", "Google Drive", "storage", "storage", "tier_0", "files,google,workspace,storage"],
-  ["onedrive", "OneDrive", "storage", "storage", "tier_0", "files,microsoft,office,storage"],
-  ["dropbox", "Dropbox", "storage", "storage", "tier_1", "files,storage"],
-  ["box", "Box", "storage", "storage", "tier_1", "files,enterprise,storage"],
-  ["google-docs", "Google Docs", "docs", "docs", "tier_0", "docs,google,workspace"],
-  ["google-sheets", "Google Sheets", "database", "database", "tier_0", "sheets,spreadsheet,google,database"],
-  ["microsoft-excel", "Microsoft Excel", "database", "database", "tier_0", "sheets,spreadsheet,microsoft,database"],
-  ["notion", "Notion", "docs", "docs", "tier_0", "docs,wiki,knowledge"],
-  ["airtable", "Airtable", "database", "database", "tier_0", "database,spreadsheet,ops"],
-  ["coda", "Coda", "docs", "docs", "tier_1", "docs,wiki,ops"],
-  ["confluence", "Confluence", "docs", "docs", "tier_1", "docs,wiki,atlassian"],
-  ["sharepoint", "SharePoint", "storage", "storage", "tier_1", "files,microsoft,enterprise"],
-  ["hubspot", "HubSpot", "crm", "crm", "tier_0", "crm,sales,marketing"],
-  ["salesforce", "Salesforce", "crm", "crm", "tier_0", "crm,sales,enterprise"],
-  ["pipedrive", "Pipedrive", "crm", "crm", "tier_1", "crm,sales"],
-  ["zoho-crm", "Zoho CRM", "crm", "crm", "tier_1", "crm,sales"],
-  ["close", "Close", "crm", "crm", "tier_1", "crm,sales"],
-  ["attio", "Attio", "crm", "crm", "tier_1", "crm,sales,startups"],
-  ["linear", "Linear", "workflow", "project", "tier_0", "project,engineering,tickets"],
-  ["jira", "Jira", "workflow", "project", "tier_0", "project,engineering,tickets,atlassian"],
-  ["github", "GitHub", "workflow", "dev", "tier_0", "code,dev,issues,git"],
-  ["gitlab", "GitLab", "workflow", "dev", "tier_1", "code,dev,issues,git"],
-  ["bitbucket", "Bitbucket", "workflow", "dev", "tier_2", "code,dev,git,atlassian"],
-  ["asana", "Asana", "workflow", "project", "tier_1", "project,tasks"],
-  ["trello", "Trello", "workflow", "project", "tier_1", "project,tasks,atlassian"],
-  ["monday", "monday.com", "workflow", "project", "tier_1", "project,tasks,ops"],
-  ["clickup", "ClickUp", "workflow", "project", "tier_1", "project,tasks,ops"],
-  ["basecamp", "Basecamp", "workflow", "project", "tier_2", "project,tasks"],
-  ["zendesk", "Zendesk", "crm", "support", "tier_0", "support,tickets,customer-success"],
-  ["intercom", "Intercom", "crm", "support", "tier_0", "support,chat,customer-success"],
-  ["freshdesk", "Freshdesk", "crm", "support", "tier_1", "support,tickets"],
-  ["helpscout", "Help Scout", "crm", "support", "tier_1", "support,tickets"],
-  ["front", "Front", "email", "support", "tier_1", "support,email,shared-inbox"],
-  ["gorgias", "Gorgias", "crm", "support", "tier_1", "support,ecommerce"],
-  ["stripe", "Stripe", "workflow", "finance", "tier_0", "payments,billing,finance"],
-  ["quickbooks", "QuickBooks", "workflow", "finance", "tier_0", "accounting,finance"],
-  ["xero", "Xero", "workflow", "finance", "tier_1", "accounting,finance"],
-  ["netsuite", "NetSuite", "workflow", "finance", "tier_1", "erp,finance,enterprise"],
-  ["sage", "Sage", "workflow", "finance", "tier_2", "accounting,finance"],
-  ["plaid", "Plaid", "workflow", "finance", "tier_1", "banking,finance"],
-  ["shopify", "Shopify", "workflow", "commerce", "tier_0", "ecommerce,orders,commerce"],
-  ["woocommerce", "WooCommerce", "workflow", "commerce", "tier_1", "ecommerce,orders,wordpress"],
-  ["bigcommerce", "BigCommerce", "workflow", "commerce", "tier_1", "ecommerce,orders"],
-  ["amazon-seller-central", "Amazon Seller Central", "workflow", "commerce", "tier_1", "marketplace,ecommerce"],
-  ["ebay", "eBay", "workflow", "commerce", "tier_2", "marketplace,ecommerce"],
-  ["etsy", "Etsy", "workflow", "commerce", "tier_2", "marketplace,ecommerce"],
-  ["mailchimp", "Mailchimp", "workflow", "marketing", "tier_0", "email-marketing,marketing"],
-  ["klaviyo", "Klaviyo", "workflow", "marketing", "tier_0", "email-marketing,ecommerce,marketing"],
-  ["marketo", "Marketo", "workflow", "marketing", "tier_1", "marketing,enterprise"],
-  ["braze", "Braze", "workflow", "marketing", "tier_1", "marketing,lifecycle"],
-  ["customer-io", "Customer.io", "workflow", "marketing", "tier_1", "marketing,lifecycle"],
-  ["sendgrid", "SendGrid", "email", "email", "tier_1", "email,transactional"],
-  ["postmark", "Postmark", "email", "email", "tier_1", "email,transactional"],
-  ["twilio", "Twilio", "chat", "chat", "tier_0", "sms,voice,communications"],
-  ["discord", "Discord", "chat", "chat", "tier_1", "chat,community"],
-  ["telegram", "Telegram", "chat", "chat", "tier_1", "chat,community"],
-  ["whatsapp-business", "WhatsApp Business", "chat", "chat", "tier_1", "chat,meta,customer-comms"],
-  ["facebook-pages", "Facebook Pages", "workflow", "marketing", "tier_1", "social,meta,marketing"],
-  ["instagram-business", "Instagram Business", "workflow", "marketing", "tier_1", "social,meta,marketing"],
-  ["linkedin", "LinkedIn", "workflow", "sales", "tier_1", "social,sales,gtm"],
-  ["x-twitter", "X / Twitter", "workflow", "marketing", "tier_1", "social,marketing"],
-  ["youtube", "YouTube", "storage", "storage", "tier_1", "video,content"],
-  ["tiktok", "TikTok", "workflow", "marketing", "tier_2", "social,video,marketing"],
-  ["google-analytics", "Google Analytics", "database", "analytics", "tier_0", "analytics,web,marketing"],
-  ["mixpanel", "Mixpanel", "database", "analytics", "tier_1", "analytics,product"],
-  ["amplitude", "Amplitude", "database", "analytics", "tier_1", "analytics,product"],
-  ["segment", "Segment", "database", "analytics", "tier_1", "analytics,cdp"],
-  ["snowflake", "Snowflake", "database", "database", "tier_0", "warehouse,data"],
-  ["bigquery", "BigQuery", "database", "database", "tier_0", "warehouse,google,data"],
-  ["redshift", "Redshift", "database", "database", "tier_1", "warehouse,aws,data"],
-  ["postgres", "Postgres", "database", "database", "tier_0", "database,sql"],
-  ["mysql", "MySQL", "database", "database", "tier_1", "database,sql"],
-  ["mongodb", "MongoDB", "database", "database", "tier_1", "database,nosql"],
-  ["supabase", "Supabase", "database", "database", "tier_1", "database,postgres"],
-  ["firebase", "Firebase", "database", "database", "tier_1", "database,google,app"],
-  ["redis", "Redis", "database", "database", "tier_2", "database,cache"],
-  ["aws-s3", "Amazon S3", "storage", "storage", "tier_0", "files,aws,storage"],
-  ["aws-lambda", "AWS Lambda", "workflow", "dev", "tier_1", "aws,serverless,dev"],
-  ["aws-cloudwatch", "AWS CloudWatch", "database", "analytics", "tier_1", "aws,logs,observability"],
-  ["google-cloud-storage", "Google Cloud Storage", "storage", "storage", "tier_1", "files,gcp,storage"],
-  ["azure-blob-storage", "Azure Blob Storage", "storage", "storage", "tier_1", "files,azure,storage"],
-  ["vercel", "Vercel", "workflow", "dev", "tier_1", "deployments,dev"],
-  ["netlify", "Netlify", "workflow", "dev", "tier_2", "deployments,dev"],
-  ["cloudflare", "Cloudflare", "workflow", "dev", "tier_1", "edge,dev,dns"],
-  ["sentry", "Sentry", "workflow", "dev", "tier_1", "errors,observability,dev"],
-  ["datadog", "Datadog", "database", "analytics", "tier_1", "observability,logs,metrics"],
-  ["new-relic", "New Relic", "database", "analytics", "tier_2", "observability,logs,metrics"],
-  ["pagerduty", "PagerDuty", "workflow", "project", "tier_1", "incident,on-call"],
-  ["opsgenie", "Opsgenie", "workflow", "project", "tier_2", "incident,on-call,atlassian"],
-  ["okta", "Okta", "internal", "workflow", "tier_1", "identity,security"],
-  ["auth0", "Auth0", "internal", "workflow", "tier_1", "identity,security"],
-  ["workday", "Workday", "workflow", "hr", "tier_1", "hr,finance,enterprise"],
-  ["bamboohr", "BambooHR", "workflow", "hr", "tier_1", "hr,people"],
-  ["greenhouse", "Greenhouse", "workflow", "hr", "tier_1", "recruiting,hr"],
-  ["lever", "Lever", "workflow", "hr", "tier_1", "recruiting,hr"],
-  ["gusto", "Gusto", "workflow", "hr", "tier_1", "payroll,hr"],
-  ["rippling", "Rippling", "workflow", "hr", "tier_1", "hr,it,identity"],
-  ["docusign", "DocuSign", "docs", "docs", "tier_1", "contracts,signature,legal"],
-  ["pandadoc", "PandaDoc", "docs", "docs", "tier_1", "contracts,signature,sales"],
-  ["hellosign", "Dropbox Sign", "docs", "docs", "tier_2", "contracts,signature"],
-  ["clio", "Clio", "workflow", "project", "tier_1", "legal,practice-management"],
-  ["ironclad", "Ironclad", "docs", "docs", "tier_1", "legal,contracts"],
-  ["lexisnexis", "LexisNexis", "docs", "docs", "tier_2", "legal,research"],
-  ["calendly", "Calendly", "calendar", "calendar", "tier_0", "scheduling,calendar"],
-  ["cal-com", "Cal.com", "calendar", "calendar", "tier_1", "scheduling,calendar"],
-  ["zoom", "Zoom", "calendar", "calendar", "tier_0", "meetings,video,calendar"],
-  ["google-meet", "Google Meet", "calendar", "calendar", "tier_1", "meetings,google,video"],
-  ["microsoft-graph", "Microsoft Graph", "internal", "workflow", "tier_0", "microsoft,enterprise,identity"],
-  ["openai", "OpenAI", "workflow", "ai", "tier_0", "ai,llm"],
-  ["anthropic", "Anthropic", "workflow", "ai", "tier_1", "ai,llm"],
-  ["gemini", "Google Gemini", "workflow", "ai", "tier_1", "ai,llm,google"],
-  ["huggingface", "Hugging Face", "workflow", "ai", "tier_1", "ai,models"],
-  ["pinecone", "Pinecone", "database", "database", "tier_1", "vector,database,ai"],
-  ["weaviate", "Weaviate", "database", "database", "tier_1", "vector,database,ai"],
-  ["qdrant", "Qdrant", "database", "database", "tier_1", "vector,database,ai"],
-  ["zapier", "Zapier", "workflow", "workflow", "tier_1", "automation,workflow"],
-  ["make", "Make", "workflow", "workflow", "tier_1", "automation,workflow"],
-  ["nango", "Nango", "workflow", "workflow", "tier_1", "integration-platform,oauth"],
-  ["pipedream", "Pipedream", "workflow", "workflow", "tier_1", "integration-platform,workflow"],
-  ["activepieces", "Activepieces", "workflow", "workflow", "tier_1", "automation,workflow,open-source"],
-  ["webhook", "Generic Webhook", "webhook", "webhook", "tier_0", "webhook,http,events", "none"],
-  ["http", "HTTP Request", "workflow", "webhook", "tier_0", "http,api,webhook", "none"],
-  ["rss", "RSS", "webhook", "webhook", "tier_1", "feeds,content", "none"],
-  ["zapier-transfer", "Zapier Transfer", "workflow", "workflow", "long_tail", "automation,migration"],
-  ["typeform", "Typeform", "workflow", "marketing", "tier_1", "forms,marketing"],
-  ["google-forms", "Google Forms", "workflow", "marketing", "tier_1", "forms,google"],
-  ["jotform", "Jotform", "workflow", "marketing", "tier_2", "forms"],
-  ["webflow", "Webflow", "workflow", "marketing", "tier_1", "cms,website"],
-  ["wordpress", "WordPress", "workflow", "marketing", "tier_1", "cms,website"],
-  ["contentful", "Contentful", "docs", "docs", "tier_1", "cms,content"],
-  ["sanity", "Sanity", "docs", "docs", "tier_1", "cms,content"],
-  ["figma", "Figma", "docs", "docs", "tier_0", "design,creative"],
-  ["canva", "Canva", "docs", "docs", "tier_1", "design,creative"],
-  ["adobe-creative-cloud", "Adobe Creative Cloud", "storage", "storage", "tier_1", "design,creative,files"],
-  ["miro", "Miro", "docs", "docs", "tier_1", "whiteboard,collaboration"],
-  ["figjam", "FigJam", "docs", "docs", "tier_2", "whiteboard,design"]
-];
-function listIntegrationCoverageSpecs() {
-  return COVERAGE_SPECS.map(([id, title, category, actionPack2, priority, domains, auth = "oauth2"]) => ({
-    id,
-    title,
-    category,
-    actionPack: actionPack2,
-    priority,
-    auth,
-    providerKinds: providerKindsFor(auth),
-    domains: domains.split(",").map((domain) => domain.trim()).filter(Boolean),
-    scopes: scopesFor(id, actionPack2)
-  }));
-}
-function buildIntegrationCoverageConnectors(options = {}) {
-  const providerId = options.providerId ?? "coverage";
-  return listIntegrationCoverageSpecs().filter((spec) => !options.priorities || options.priorities.includes(spec.priority)).filter((spec) => !options.categories || options.categories.includes(spec.category)).filter((spec) => !options.actionPacks || options.actionPacks.includes(spec.actionPack)).map((spec) => specToConnector(spec, providerId));
-}
-function integrationCoverageChecklistMarkdown() {
-  const specs = listIntegrationCoverageSpecs();
-  const lines = [
-    "# Agent Integrations Coverage Checklist",
-    "",
-    "Generated from `listIntegrationCoverageSpecs()`. Catalog presence means the product can plan/request/connect the integration; executable first-party adapters are promoted separately behind the same provider contract.",
-    "",
-    "## Summary",
-    "",
-    `- Total cataloged integrations: ${specs.length}`,
-    `- Tier 0: ${specs.filter((spec) => spec.priority === "tier_0").length}`,
-    `- Tier 1: ${specs.filter((spec) => spec.priority === "tier_1").length}`,
-    `- Tier 2: ${specs.filter((spec) => spec.priority === "tier_2").length}`,
-    `- Long tail: ${specs.filter((spec) => spec.priority === "long_tail").length}`,
-    "",
-    "## Checklist",
-    ""
-  ];
-  for (const spec of specs) {
-    lines.push(`- [ ] ${spec.priority} / ${spec.category} / ${spec.title} (${spec.id}) - ${spec.domains.join(", ")}`);
-  }
-  return `${lines.join("\n")}
-`;
-}
-function specToConnector(spec, providerId) {
-  const actions = actionPack(spec.actionPack, spec.scopes ?? []);
-  return {
-    id: spec.id,
-    providerId,
-    title: spec.title,
-    category: spec.category,
-    auth: spec.auth,
-    scopes: spec.scopes ?? [],
-    actions,
-    triggers: triggersFor(spec.actionPack, spec.scopes ?? []),
-    metadata: {
-      source: "coverage-catalog",
-      priority: spec.priority,
-      domains: spec.domains,
-      providerKinds: spec.providerKinds,
-      executable: false
-    }
-  };
-}
-function actionPack(pack, scopes) {
-  const readScope = scopes.find((scope2) => scope2.endsWith(".read")) ?? scopes[0];
-  const writeScope = scopes.find((scope2) => scope2.endsWith(".write")) ?? scopes[1] ?? readScope;
-  const scope = (value) => value ? [value] : [];
-  const read = (id, title, description) => ({
-    id,
-    title,
-    description,
-    risk: "read",
-    requiredScopes: scope(readScope),
-    dataClass: dataClassFor2(pack),
-    inputSchema: objectSchema()
-  });
-  const write = (id, title, description) => ({
-    id,
-    title,
-    description,
-    risk: "write",
-    requiredScopes: scope(writeScope),
-    dataClass: dataClassFor2(pack),
-    approvalRequired: true,
-    inputSchema: objectSchema()
-  });
-  const destructive = (id, title, description) => ({
-    id,
-    title,
-    description,
-    risk: "destructive",
-    requiredScopes: scope(writeScope),
-    dataClass: dataClassFor2(pack),
-    approvalRequired: true,
-    inputSchema: objectSchema()
-  });
-  switch (pack) {
-    case "email":
-      return [read("messages.search", "Search messages", "Search messages and threads."), read("messages.read", "Read message", "Read a message by id."), write("drafts.create", "Create draft", "Create an email draft."), write("messages.send", "Send message", "Send or reply to an email message.")];
-    case "calendar":
-      return [read("events.search", "Search events", "Search calendar events."), read("availability.read", "Read availability", "Read availability windows."), write("events.create", "Create event", "Create a calendar event."), write("events.update", "Update event", "Update a calendar event."), destructive("events.cancel", "Cancel event", "Cancel a calendar event.")];
-    case "chat":
-      return [read("messages.search", "Search messages", "Search channel or direct messages."), read("channels.list", "List channels", "List channels or rooms."), write("messages.post", "Send message", "Send a message to a channel or direct message."), write("threads.reply", "Reply in thread", "Reply to a thread or conversation.")];
-    case "crm":
-      return [read("records.search", "Search records", "Search contacts, companies, and deals."), read("records.read", "Read record", "Read a CRM record."), write("records.upsert", "Upsert record", "Create or update a CRM record."), write("notes.create", "Create note", "Add a note or activity.")];
-    case "storage":
-      return [read("files.search", "Search files", "Search files and folders."), read("files.read", "Read file", "Read file metadata or content."), write("files.upload", "Upload file", "Upload a file."), write("files.update", "Update file", "Update file metadata or content.")];
-    case "docs":
-      return [read("documents.search", "Search documents", "Search documents or pages."), read("documents.read", "Read document", "Read a document."), write("documents.create", "Create document", "Create a document or page."), write("documents.update", "Update document", "Update a document or page.")];
-    case "database":
-      return [read("records.query", "Query records", "Query rows, records, or objects."), read("records.read", "Read record", "Read one row, record, or object."), write("records.upsert", "Upsert record", "Create or update a row, record, or object."), destructive("records.delete", "Delete record", "Delete a row, record, or object.")];
-    case "project":
-      return [read("tasks.search", "Search tasks", "Search tasks, tickets, or issues."), read("tasks.read", "Read task", "Read a task, ticket, or issue."), write("tasks.create", "Create task", "Create a task, ticket, or issue."), write("tasks.update", "Update task", "Update a task, ticket, or issue.")];
-    case "support":
-      return [read("tickets.search", "Search tickets", "Search support tickets or conversations."), read("customers.read", "Read customer", "Read a customer profile."), write("tickets.reply", "Reply to ticket", "Reply to a support ticket."), write("tickets.update", "Update ticket", "Update ticket status, tags, or assignee.")];
-    case "marketing":
-      return [read("contacts.search", "Search contacts", "Search marketing contacts or audiences."), read("campaigns.read", "Read campaign", "Read campaign metadata and performance."), write("contacts.upsert", "Upsert contact", "Create or update a contact."), write("campaigns.create", "Create campaign", "Create a campaign draft.")];
-    case "sales":
-      return [read("prospects.search", "Search prospects", "Search prospects, leads, or accounts."), read("activities.read", "Read activities", "Read sales activity history."), write("prospects.upsert", "Upsert prospect", "Create or update a prospect."), write("sequence.enqueue", "Enroll in sequence", "Enroll a prospect in a sales sequence.")];
-    case "commerce":
-      return [read("orders.search", "Search orders", "Search orders."), read("customers.read", "Read customer", "Read customer and purchase history."), write("orders.update", "Update order", "Update order metadata or fulfillment state."), write("products.update", "Update product", "Update product metadata.")];
-    case "finance":
-      return [read("transactions.search", "Search transactions", "Search transactions, invoices, or payments."), read("accounts.read", "Read account", "Read account or customer financial record."), write("invoices.create", "Create invoice", "Create an invoice or payment object."), write("records.sync", "Sync record", "Sync a finance or accounting record.")];
-    case "hr":
-      return [read("people.search", "Search people", "Search employees, candidates, or contractors."), read("people.read", "Read person", "Read a person profile."), write("people.update", "Update person", "Update a person profile."), write("events.create", "Create HR event", "Create a recruiting or HR event.")];
-    case "dev":
-      return [read("resources.search", "Search resources", "Search issues, repos, deployments, logs, or incidents."), read("resources.read", "Read resource", "Read a developer resource."), write("resources.create", "Create resource", "Create an issue, deployment, incident, or config."), write("resources.update", "Update resource", "Update a developer resource.")];
-    case "ai":
-      return [read("models.list", "List models", "List available models or endpoints."), write("responses.create", "Create response", "Create an AI response or job."), write("embeddings.create", "Create embeddings", "Create embeddings or vector jobs."), read("usage.read", "Read usage", "Read usage metadata.")];
-    case "analytics":
-      return [read("reports.query", "Query reports", "Query analytics reports."), read("events.search", "Search events", "Search analytics events."), write("events.track", "Track event", "Track an analytics event."), write("audiences.sync", "Sync audience", "Sync an audience or cohort.")];
-    case "workflow":
-      return [read("runs.search", "Search runs", "Search workflow runs or jobs."), read("templates.list", "List templates", "List workflow templates."), write("runs.start", "Start run", "Start a workflow run."), write("webhooks.dispatch", "Dispatch webhook", "Dispatch a workflow webhook.")];
-    case "webhook":
-      return [write("requests.send", "Send request", "Send an HTTP request or webhook event."), read("events.search", "Search events", "Search received webhook events."), write("subscriptions.create", "Create subscription", "Create a webhook subscription."), destructive("subscriptions.delete", "Delete subscription", "Delete a webhook subscription.")];
-  }
-}
-function triggersFor(pack, scopes) {
-  const readScope = scopes.find((scope) => scope.endsWith(".read")) ?? scopes[0];
-  const requiredScopes2 = readScope ? [readScope] : [];
-  if (pack === "email") return [{ id: "message.received", title: "Message received", requiredScopes: requiredScopes2, dataClass: "private" }];
-  if (pack === "calendar") return [{ id: "event.changed", title: "Event changed", requiredScopes: requiredScopes2, dataClass: "private" }];
-  if (pack === "chat") return [{ id: "message.posted", title: "Message posted", requiredScopes: requiredScopes2, dataClass: "private" }];
-  if (pack === "crm") return [{ id: "record.changed", title: "Record changed", requiredScopes: requiredScopes2, dataClass: "private" }];
-  if (pack === "support") return [{ id: "ticket.changed", title: "Ticket changed", requiredScopes: requiredScopes2, dataClass: "private" }];
-  if (pack === "commerce") return [{ id: "order.changed", title: "Order changed", requiredScopes: requiredScopes2, dataClass: "sensitive" }];
-  if (pack === "finance") return [{ id: "transaction.changed", title: "Transaction changed", requiredScopes: requiredScopes2, dataClass: "sensitive" }];
-  if (pack === "workflow" || pack === "webhook") return [{ id: "event.received", title: "Event received", requiredScopes: requiredScopes2, dataClass: "internal" }];
-  return void 0;
-}
-function scopesFor(id, pack) {
-  if (pack === "webhook") return [];
-  return [`${id}.read`, `${id}.write`];
-}
-function providerKindsFor(auth) {
-  if (auth === "none") return ["first_party", "pipedream", "activepieces", "custom"];
-  return DEFAULT_PROVIDER_KINDS;
-}
-function dataClassFor2(pack) {
-  if (pack === "finance" || pack === "commerce" || pack === "hr") return "sensitive";
-  if (pack === "workflow" || pack === "webhook" || pack === "dev" || pack === "analytics") return "internal";
-  return "private";
-}
-function objectSchema() {
-  return { type: "object", additionalProperties: true, properties: {} };
-}
-
-// src/specs/families.ts
-var INTEGRATION_FAMILIES = {
-  google: {
-    id: "google",
-    title: "Google OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://console.cloud.google.com/apis/credentials",
-    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-    tokenUrl: "https://oauth2.googleapis.com/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/google/callback",
-    credentialFields: [
-      { label: "Client ID", env: "GOOGLE_OAUTH_CLIENT_ID", description: "Google OAuth client ID.", example: "1234567890-abc.apps.googleusercontent.com", regex: "^[0-9]+-[a-zA-Z0-9_-]+\\.apps\\.googleusercontent\\.com$", secret: false },
-      { label: "Client Secret", env: "GOOGLE_OAUTH_CLIENT_SECRET", description: "Google OAuth client secret.", example: "GOCSPX-...", secret: true }
-    ],
-    consoleSteps: [
-      { id: "project", title: "Select project", detail: "Open Google Cloud Console and select the project that owns the OAuth client." },
-      { id: "consent", title: "Configure consent screen", detail: "Configure OAuth consent, app name, support email, and publishing status appropriate for the deployment." },
-      { id: "client", title: "Create web client", detail: "Create an OAuth client of type Web application." },
-      { id: "redirect", title: "Add redirect URI", detail: "Add {redirectUri} as an authorized redirect URI.", copyValue: "{redirectUri}" },
-      { id: "scopes", title: "Add scopes", detail: "Add the provider scopes listed in this spec." }
-    ],
-    knownQuirks: [
-      { id: "offline-access", severity: "warning", message: "Use access_type=offline and prompt=consent when refresh tokens are required." },
-      { id: "verification", severity: "warning", message: "Sensitive or restricted scopes may require Google verification before broad external use." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: true, supportsIncrementalAuth: true, recommendedHealthcheckIntervalHours: 24 }
-  },
-  "microsoft-graph": {
-    id: "microsoft-graph",
-    title: "Microsoft Graph OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade",
-    authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
-    tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/microsoft/callback",
-    credentialFields: [
-      { label: "Client ID", env: "MS_OAUTH_CLIENT_ID", description: "Microsoft Entra application client ID.", example: "00000000-0000-0000-0000-000000000000", regex: "^[0-9a-fA-F-]{36}$", secret: false },
-      { label: "Client Secret", env: "MS_OAUTH_CLIENT_SECRET", description: "Microsoft Entra client secret value.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "app", title: "Register app", detail: "Create or open an app registration in Microsoft Entra." },
-      { id: "redirect", title: "Add redirect URI", detail: "Add {redirectUri} as a Web redirect URI.", copyValue: "{redirectUri}" },
-      { id: "secret", title: "Create secret", detail: "Create a client secret and store the secret value, not the secret ID." },
-      { id: "permissions", title: "Add Graph permissions", detail: "Add the delegated Graph scopes listed in this spec and grant admin consent where required." }
-    ],
-    knownQuirks: [
-      { id: "tenant-common", severity: "info", message: "The common tenant supports multi-tenant OAuth; single-tenant deployments should override the tenant segment." },
-      { id: "admin-consent", severity: "warning", message: "Some Graph scopes require tenant admin consent." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: true, supportsIncrementalAuth: true, recommendedHealthcheckIntervalHours: 24 }
-  },
-  atlassian: {
-    id: "atlassian",
-    title: "Atlassian OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://developer.atlassian.com/console/myapps/",
-    authorizationUrl: "https://auth.atlassian.com/authorize",
-    tokenUrl: "https://auth.atlassian.com/oauth/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/atlassian/callback",
-    credentialFields: [
-      { label: "Client ID", description: "Atlassian OAuth client ID.", secret: false },
-      { label: "Client Secret", description: "Atlassian OAuth client secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "app", title: "Create OAuth app", detail: "Create an OAuth 2.0 app in the Atlassian developer console." },
-      { id: "redirect", title: "Add callback URL", detail: "Add {redirectUri} as the callback URL.", copyValue: "{redirectUri}" },
-      { id: "apis", title: "Enable APIs", detail: "Enable the Jira or Confluence APIs required by this connector." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: false, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  salesforce: {
-    id: "salesforce",
-    title: "Salesforce OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://login.salesforce.com",
-    authorizationUrl: "https://login.salesforce.com/services/oauth2/authorize",
-    tokenUrl: "https://login.salesforce.com/services/oauth2/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/salesforce/callback",
-    credentialFields: [
-      { label: "Client ID", env: "SALESFORCE_OAUTH_CLIENT_ID", description: "Salesforce connected app consumer key.", secret: false },
-      { label: "Client Secret", env: "SALESFORCE_OAUTH_CLIENT_SECRET", description: "Salesforce connected app consumer secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "connected-app", title: "Create connected app", detail: "Create a Salesforce connected app with OAuth enabled." },
-      { id: "callback", title: "Add callback URL", detail: "Add {redirectUri} as the callback URL.", copyValue: "{redirectUri}" },
-      { id: "scopes", title: "Select scopes", detail: "Add api and refresh_token/offline_access, plus any connector-specific scopes." }
-    ],
-    knownQuirks: [
-      { id: "instance-url", severity: "critical", message: "Runtime calls must use the instance_url returned by the token response." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  hubspot: {
-    id: "hubspot",
-    title: "HubSpot OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://developers.hubspot.com/",
-    authorizationUrl: "https://app.hubspot.com/oauth/authorize",
-    tokenUrl: "https://api.hubapi.com/oauth/v1/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/hubspot/callback",
-    credentialFields: [
-      { label: "Client ID", env: "HUBSPOT_OAUTH_CLIENT_ID", description: "HubSpot app client ID.", secret: false },
-      { label: "Client Secret", env: "HUBSPOT_OAUTH_CLIENT_SECRET", description: "HubSpot app client secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "app", title: "Create private/public app", detail: "Create a HubSpot app and configure OAuth." },
-      { id: "redirect", title: "Add redirect URL", detail: "Add {redirectUri} to the app redirect URLs.", copyValue: "{redirectUri}" },
-      { id: "scopes", title: "Add CRM scopes", detail: "Add the CRM object scopes listed in this spec." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  slack: {
-    id: "slack",
-    title: "Slack OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://api.slack.com/apps",
-    authorizationUrl: "https://slack.com/oauth/v2/authorize",
-    tokenUrl: "https://slack.com/api/oauth.v2.access",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/slack/callback",
-    credentialFields: [
-      { label: "Client ID", env: "SLACK_OAUTH_CLIENT_ID", description: "Slack app client ID.", secret: false },
-      { label: "Client Secret", env: "SLACK_OAUTH_CLIENT_SECRET", description: "Slack app client secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "app", title: "Create Slack app", detail: "Create or open a Slack app." },
-      { id: "redirect", title: "Add redirect URL", detail: "Add {redirectUri} under OAuth & Permissions.", copyValue: "{redirectUri}" },
-      { id: "scopes", title: "Add bot scopes", detail: "Add the bot token scopes listed in this spec and reinstall the app." }
-    ],
-    knownQuirks: [
-      { id: "bot-token", severity: "info", message: "Slack usually returns a bot access token; refresh tokens require token rotation." }
-    ],
-    lifecycle: { supportsRefresh: false, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  notion: {
-    id: "notion",
-    title: "Notion OAuth",
-    authMode: "oauth2",
-    consoleUrl: "https://www.notion.so/my-integrations",
-    authorizationUrl: "https://api.notion.com/v1/oauth/authorize",
-    tokenUrl: "https://api.notion.com/v1/oauth/token",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/notion/callback",
-    credentialFields: [
-      { label: "Client ID", env: "NOTION_OAUTH_CLIENT_ID", description: "Notion integration OAuth client ID.", secret: false },
-      { label: "Client Secret", env: "NOTION_OAUTH_CLIENT_SECRET", description: "Notion integration OAuth client secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "integration", title: "Create integration", detail: "Create a Notion public integration." },
-      { id: "redirect", title: "Add redirect URI", detail: "Add {redirectUri} as the redirect URI.", copyValue: "{redirectUri}" },
-      { id: "capabilities", title: "Select capabilities", detail: "Enable read/update/insert capabilities matching this connector." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  "standard-oauth2": {
-    id: "standard-oauth2",
-    title: "Standard OAuth 2.0",
-    authMode: "oauth2",
-    redirectUriTemplate: "https://{host}/api/integrations/oauth/{kind}/callback",
-    credentialFields: [
-      { label: "Client ID", description: "OAuth client ID.", secret: false },
-      { label: "Client Secret", description: "OAuth client secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "app", title: "Create OAuth app", detail: "Create an OAuth app in the provider console." },
-      { id: "redirect", title: "Add redirect URI", detail: "Add {redirectUri} as an allowed redirect URI.", copyValue: "{redirectUri}" },
-      { id: "scopes", title: "Add scopes", detail: "Add the scopes listed in this spec." }
-    ],
-    lifecycle: { supportsRefresh: true, supportsRevoke: false, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  "api-key": {
-    id: "api-key",
-    title: "API key",
-    authMode: "api_key",
-    credentialFields: [
-      { label: "API Key", description: "Provider API key or token.", example: "sk_...", secret: true }
-    ],
-    consoleSteps: [
-      { id: "token", title: "Create token", detail: "Create an API key/token in the provider console with the minimum required permissions." }
-    ],
-    lifecycle: { supportsRefresh: false, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  hmac: {
-    id: "hmac",
-    title: "HMAC secret",
-    authMode: "hmac",
-    credentialFields: [
-      { label: "Signing Secret", description: "Webhook signing secret.", secret: true }
-    ],
-    consoleSteps: [
-      { id: "secret", title: "Configure signing secret", detail: "Configure the shared signing secret in the sender and receiver." }
-    ],
-    lifecycle: { supportsRefresh: false, supportsRevoke: true, supportsIncrementalAuth: false, recommendedHealthcheckIntervalHours: 24 }
-  },
-  none: {
-    id: "none",
-    title: "No authentication",
-    authMode: "none",
-    credentialFields: [],
-    consoleSteps: [
-      { id: "configure", title: "Configure endpoint", detail: "No provider credentials are required." }
-    ],
-    lifecycle: { supportsRefresh: false, supportsRevoke: false, supportsIncrementalAuth: false }
-  }
-};
-function getIntegrationFamily(id) {
-  return INTEGRATION_FAMILIES[id];
-}
-
-// src/specs/overrides.ts
-var INTEGRATION_OVERRIDES = {
-  // ── Stripe pack ────────────────────────────────────────────────────
-  // Stripe issues two key types: secret keys (sk_*) and restricted keys
-  // (rk_*). For voice-agent workloads, restricted keys are the right call
-  // — least-privilege scoped to the specific resources the agent can
-  // touch. The hint nudges operators toward that path.
-  "stripe-pack": {
-    consoleUrl: "https://dashboard.stripe.com/apikeys",
-    credentialFields: [
-      {
-        label: "Stripe secret key",
-        description: "Restricted key recommended. Dashboard \u2192 Developers \u2192 API keys \u2192 Create restricted key. Grant write access on Customers, Invoices, and Checkout Sessions.",
-        example: "sk_live_\u2026 or rk_live_\u2026 (use sk_test_\u2026 / rk_test_\u2026 for staging)",
-        regex: "^(sk|rk)_(live|test)_[A-Za-z0-9]+$",
-        secret: true
-      }
-    ],
-    consoleSteps: [
-      {
-        id: "open-keys",
-        title: "Open Stripe API keys",
-        detail: "Visit https://dashboard.stripe.com/apikeys",
-        copyValue: "https://dashboard.stripe.com/apikeys"
-      },
-      {
-        id: "create-restricted",
-        title: "Create a restricted key",
-        detail: 'Click "Create restricted key". Name it something descriptive (e.g. "ph0ny voice agent \u2014 prod"). Grant WRITE on Customers, Invoices, and Checkout Sessions. Leave everything else NONE.'
-      },
-      {
-        id: "paste",
-        title: "Paste the key",
-        detail: "Copy the key Stripe shows once (rk_live_\u2026 or sk_live_\u2026). Paste it into ph0ny. The key is sealed before persistence."
-      }
-    ]
-  },
-  // ── Twilio SMS ─────────────────────────────────────────────────────
-  // Twilio's REST API uses Basic auth with two parts: Account SID
-  // (public-ish, AC…) + Auth Token (secret). The default api-key family
-  // only exposes one field, which doesn't fit. Providing both fields
-  // explicitly lets the consumer's UI render two inputs.
-  "twilio-sms": {
-    consoleUrl: "https://console.twilio.com/",
-    credentialFields: [
-      {
-        label: "Account SID",
-        description: "Your Twilio Account SID. Console \u2192 Account \u2192 API keys & tokens.",
-        example: "AC\u2026 (34 hex chars)",
-        regex: "^AC[a-f0-9]{32}$",
-        secret: false
-      },
-      {
-        label: "Auth Token",
-        description: "Your Twilio Auth Token (or Standard API Key secret). Use a non-primary auth token in production so rotating it won't break other Twilio integrations.",
-        secret: true
-      }
-    ],
-    consoleSteps: [
-      {
-        id: "open",
-        title: "Open Twilio console",
-        detail: "Visit https://console.twilio.com/",
-        copyValue: "https://console.twilio.com/"
-      },
-      {
-        id: "find",
-        title: "Find your Account SID + Auth Token",
-        detail: "Account info is on the dashboard home. For better security, create a Standard API Key (Account \u2192 API keys & tokens \u2192 Create API Key) and use the SID + Secret pair instead of the primary auth token."
-      },
-      {
-        id: "paste",
-        title: "Paste both values",
-        detail: "Account SID is non-secret; Auth Token is sealed before persistence."
-      }
-    ],
-    knownQuirks: [
-      {
-        id: "subaccount-tokens",
-        severity: "info",
-        message: "If you use Twilio subaccounts, paste the SID/Token of the subaccount that owns the phone numbers your agent calls \u2014 not the master account."
-      }
-    ]
-  }
-};
-function getIntegrationOverride(kind) {
-  return INTEGRATION_OVERRIDES[kind];
-}
-
-// src/specs/registry.ts
-var EXECUTABLE_KINDS = /* @__PURE__ */ new Set([
-  "google-calendar",
-  "google-sheets",
-  "outlook-calendar",
-  "microsoft-calendar",
-  "slack",
-  "hubspot",
-  "notion",
-  "notion-database",
-  "salesforce",
-  "github",
-  "gitlab",
-  "airtable",
-  "asana",
-  "stripe",
-  "stripe-pack",
-  "twilio",
-  "twilio-sms",
-  "webhook"
-]);
-var KIND_ALIASES = {
-  "outlook-calendar": "microsoft-calendar",
-  notion: "notion-database",
-  stripe: "stripe-pack",
-  twilio: "twilio-sms"
-};
-function listIntegrationSpecs() {
-  const connectors = new Map(buildIntegrationCoverageConnectors({ providerId: "spec" }).map((c) => [c.id, c]));
-  return listIntegrationCoverageSpecs().map((coverage) => {
-    const connector = connectors.get(coverage.id);
-    if (!connector) throw new Error(`missing coverage connector for ${coverage.id}`);
-    return specFromCoverage(coverage, connector);
-  });
-}
-function getIntegrationSpec(kind) {
-  const canonical = KIND_ALIASES[kind] ?? kind;
-  return listIntegrationSpecs().find((spec) => spec.kind === canonical || KIND_ALIASES[spec.kind] === canonical);
-}
-function listExecutableIntegrationSpecs() {
-  return listIntegrationSpecs().filter((spec) => spec.status === "executable");
-}
-function integrationSpecToConnector(spec, providerId = "spec") {
-  return {
-    id: spec.kind,
-    providerId,
-    title: spec.title,
-    category: spec.category,
-    auth: spec.auth.mode === "api_key" ? "api_key" : spec.auth.mode === "oauth2" ? "oauth2" : spec.auth.mode === "none" ? "none" : "custom",
-    scopes: spec.permissions.flatMap((permission) => permission.providerScopes),
-    actions: spec.actions,
-    triggers: spec.triggers,
-    metadata: {
-      ...spec.metadata ?? {},
-      source: "integration-spec",
-      status: spec.status,
-      family: spec.family,
-      plannerHints: spec.plannerHints
-    }
-  };
-}
-function specFromCoverage(coverage, connector) {
-  const kind = KIND_ALIASES[coverage.id] ?? coverage.id;
-  const family = familyFor(coverage);
-  const familySpec = getIntegrationFamily(family);
-  const permissions = permissionsFor(coverage, connector.actions);
-  const auth = authFor(coverage, family, permissions);
-  const status = statusFor(kind);
-  const override = getIntegrationOverride(kind) ?? getIntegrationOverride(coverage.id);
-  const knownQuirks = override?.knownQuirks ? [...familySpec.knownQuirks ?? [], ...override.knownQuirks] : familySpec.knownQuirks;
-  return {
-    kind,
-    title: connector.title,
-    category: connector.category,
-    status,
-    family,
-    auth,
-    permissions,
-    actions: connector.actions,
-    triggers: connector.triggers,
-    setup: {
-      consoleUrl: override?.consoleUrl ?? familySpec.consoleUrl,
-      consoleSteps: override?.consoleSteps ?? familySpec.consoleSteps,
-      credentialFields: override?.credentialFields ?? credentialFieldsFor(auth),
-      redirectUriTemplate: auth.mode === "oauth2" ? auth.redirectUriTemplate : familySpec.redirectUriTemplate,
-      knownQuirks,
-      postSetup: override?.postSetup,
-      healthcheck: override?.healthcheck ?? healthcheckFor(kind, status, auth)
-    },
-    lifecycle: familySpec.lifecycle,
-    plannerHints: plannerHintsFor(coverage, connector.actions),
-    metadata: { priority: coverage.priority, domains: coverage.domains }
-  };
-}
-function familyFor(spec) {
-  if (hmacKinds.has(spec.id)) return "hmac";
-  if (spec.auth === "none") return "none";
-  if (spec.id.startsWith("google-") || spec.domains.includes("google")) return "google";
-  if (spec.id.startsWith("microsoft-") || ["outlook-mail", "outlook-calendar", "onedrive", "sharepoint"].includes(spec.id)) return "microsoft-graph";
-  if (["jira", "confluence", "trello", "bitbucket"].includes(spec.id)) return "atlassian";
-  if (spec.id === "salesforce") return "salesforce";
-  if (spec.id === "hubspot") return "hubspot";
-  if (spec.id === "slack") return "slack";
-  if (spec.id === "notion") return "notion";
-  if (apiKeyKinds.has(spec.id)) return "api-key";
-  return "standard-oauth2";
-}
-var apiKeyKinds = /* @__PURE__ */ new Set(["github", "gitlab", "airtable", "asana", "stripe", "twilio", "sendgrid", "postmark"]);
-var hmacKinds = /* @__PURE__ */ new Set(["webhook"]);
-function authFor(spec, family, permissions) {
-  const f = INTEGRATION_FAMILIES[family];
-  if (family === "none") return { mode: "none" };
-  if (family === "hmac") {
-    return { mode: "hmac", credential: f.credentialFields[0], signatureHeader: `${spec.id}-signature` };
-  }
-  if (family === "api-key") {
-    return { mode: "api_key", credential: apiKeyFieldFor(spec.id), placement: apiKeyPlacementFor(spec.id) };
-  }
-  const scopes = permissions.flatMap(
-    (permission) => permission.providerScopes.map((providerScope) => ({
-      normalized: permission.normalized,
-      providerScope,
-      title: permission.title,
-      reason: permission.reason,
-      risk: permission.risk,
-      dataClass: permission.dataClass
-    }))
-  );
-  return {
-    mode: "oauth2",
-    authorizationUrl: f.authorizationUrl ?? `https://example.invalid/${spec.id}/authorize`,
-    tokenUrl: f.tokenUrl ?? `https://example.invalid/${spec.id}/token`,
-    clientIdEnv: f.credentialFields.find((field) => !field.secret)?.env,
-    clientSecretEnv: f.credentialFields.find((field) => field.secret)?.env,
-    scopes,
-    extraAuthParams: extraAuthParamsFor(family),
-    redirectUriTemplate: (f.redirectUriTemplate ?? "https://{host}/api/integrations/oauth/{kind}/callback").replace("{kind}", spec.id),
-    pkce: family === "google" || family === "microsoft-graph" ? "supported" : "unsupported"
-  };
-}
-function credentialFieldsFor(auth) {
-  if (auth.mode === "api_key" || auth.mode === "hmac") return [auth.credential];
-  if (auth.mode === "oauth2") {
-    return [
-      { label: "Client ID", env: auth.clientIdEnv, description: "OAuth client ID.", secret: false },
-      { label: "Client Secret", env: auth.clientSecretEnv, description: "OAuth client secret.", secret: true }
-    ];
-  }
-  return [];
-}
-function permissionsFor(spec, actions) {
-  const dataClass = dataClassFor3(actions);
-  const readScope = providerScopeFor(spec, "read");
-  const writeScope = providerScopeFor(spec, "write");
-  const permissions = [
-    {
-      normalized: `${spec.actionPack}.read`,
-      providerScopes: readScope ? [readScope] : [],
-      title: `${spec.title} read`,
-      risk: "read",
-      dataClass,
-      reason: `Read ${spec.title} data for user-authorized agent workflows.`
-    }
-  ];
-  if (actions.some((a) => a.risk !== "read")) {
-    permissions.push({
-      normalized: `${spec.actionPack}.write`,
-      providerScopes: writeScope ? [writeScope] : [],
-      title: `${spec.title} write`,
-      risk: "write",
-      dataClass,
-      reason: `Create or update ${spec.title} resources after policy approval.`
-    });
-  }
-  return permissions;
-}
-function providerScopeFor(spec, mode) {
-  const explicit = explicitScopes[spec.id]?.[mode];
-  if (explicit) return explicit;
-  if (spec.auth === "none") return "";
-  return `${spec.id}.${mode}`;
-}
-var explicitScopes = {
-  gmail: { read: "https://www.googleapis.com/auth/gmail.readonly", write: "https://www.googleapis.com/auth/gmail.modify" },
-  "google-calendar": { read: "https://www.googleapis.com/auth/calendar.readonly", write: "https://www.googleapis.com/auth/calendar" },
-  "google-sheets": { read: "https://www.googleapis.com/auth/spreadsheets.readonly", write: "https://www.googleapis.com/auth/spreadsheets" },
-  "google-drive": { read: "https://www.googleapis.com/auth/drive.readonly", write: "https://www.googleapis.com/auth/drive.file" },
-  "google-docs": { read: "https://www.googleapis.com/auth/documents.readonly", write: "https://www.googleapis.com/auth/documents" },
-  "outlook-mail": { read: "Mail.Read", write: "Mail.Send" },
-  "outlook-calendar": { read: "Calendars.Read", write: "Calendars.ReadWrite" },
-  "microsoft-teams": { read: "ChannelMessage.Read.All", write: "ChannelMessage.Send" },
-  onedrive: { read: "Files.Read", write: "Files.ReadWrite" },
-  sharepoint: { read: "Sites.Read.All", write: "Sites.ReadWrite.All" },
-  slack: { read: "channels:read", write: "chat:write" },
-  hubspot: { read: "crm.objects.contacts.read", write: "crm.objects.contacts.write" },
-  salesforce: { read: "api", write: "api" },
-  notion: { read: "", write: "" },
-  github: { read: "repo:read", write: "repo" },
-  gitlab: { read: "read_api", write: "api" },
-  airtable: { read: "data.records:read", write: "data.records:write" },
-  asana: { read: "default", write: "default" },
-  stripe: { read: "read_only", write: "standard" },
-  twilio: { read: "api_key", write: "api_key" }
-};
-function plannerHintsFor(spec, actions) {
-  return {
-    useFor: spec.domains.map((domain) => domain.replace(/-/g, " ")),
-    dataFreshness: ["calendar", "chat", "commerce", "finance", "support"].includes(spec.actionPack) ? "near_realtime" : "eventual",
-    writeRisk: actions.some((a) => a.risk === "destructive") ? "high" : actions.some((a) => a.risk === "write") ? "medium" : "low"
-  };
-}
-function healthcheckFor(kind, status, auth) {
-  if (status !== "executable") {
-    return { id: `${kind}.static`, level: "static", description: "Catalog-only integration; no executable connector healthcheck is available yet." };
-  }
-  if (auth.mode === "oauth2") {
-    return { id: `${kind}.connection`, level: "connection", description: "Validate a user connection by calling the connector test endpoint." };
-  }
-  if (auth.mode === "api_key") {
-    return { id: `${kind}.connection`, level: "connection", description: "Validate API credentials by calling the connector test endpoint." };
-  }
-  if (auth.mode === "hmac") {
-    return { id: `${kind}.webhook`, level: "webhook", description: "Validate webhook signing configuration with a signed test payload." };
-  }
-  return { id: `${kind}.static`, level: "static", description: "No credentials are required." };
-}
-function statusFor(kind) {
-  return EXECUTABLE_KINDS.has(kind) ? "executable" : "catalog";
-}
-function dataClassFor3(actions) {
-  if (actions.some((a) => a.dataClass === "secret")) return "secret";
-  if (actions.some((a) => a.dataClass === "sensitive")) return "sensitive";
-  if (actions.some((a) => a.dataClass === "private")) return "private";
-  if (actions.some((a) => a.dataClass === "internal")) return "internal";
-  return "public";
-}
-function apiKeyFieldFor(kind) {
-  return {
-    label: `${kind} API key`,
-    description: `API key or token for ${kind}.`,
-    example: kind === "stripe" ? "sk_live_..." : void 0,
-    secret: true
-  };
-}
-function apiKeyPlacementFor(kind) {
-  if (kind === "gitlab") return "header";
-  return "bearer";
-}
-function extraAuthParamsFor(family) {
-  if (family === "google") return { access_type: "offline", prompt: "consent", include_granted_scopes: "true" };
-  if (family === "notion") return { owner: "user" };
-  return void 0;
-}
-
 // src/registry.ts
 var DEFAULT_ALIASES = {
   notion: "notion-database",
@@ -1247,8 +408,8 @@ function mergeActions(candidates) {
 function mergeTriggers(candidates) {
   const out = /* @__PURE__ */ new Map();
   for (const candidate of toolBindableCandidates(candidates)) {
-    for (const trigger of candidate.connector.triggers ?? []) {
-      if (!out.has(trigger.id)) out.set(trigger.id, trigger);
+    for (const trigger2 of candidate.connector.triggers ?? []) {
+      if (!out.has(trigger2.id)) out.set(trigger2.id, trigger2);
     }
   }
   return out.size > 0 ? [...out.values()] : void 0;
@@ -1521,6 +682,228 @@ function approvalInputHash(input) {
   return createHash("sha256").update(JSON.stringify(input ?? null)).digest("base64url");
 }
 
+// src/actions.ts
+var CANONICAL_INTEGRATION_ACTIONS = {
+  googleCalendarEventsList: "google-calendar.events.list",
+  googleCalendarEventsCreate: "google-calendar.events.create",
+  gmailMessagesSearch: "gmail.messages.search",
+  gmailMessagesSend: "gmail.messages.send",
+  googleDriveFilesSearch: "google-drive.files.search",
+  googleDriveFilesRead: "google-drive.files.read",
+  githubRepositoriesGet: "github.repositories.get",
+  githubIssuesSearch: "github.issues.search",
+  githubIssuesCreate: "github.issues.create",
+  githubPullRequestsComment: "github.pull-requests.comment",
+  slackChannelsList: "slack.channels.list",
+  slackMessagesSearch: "slack.messages.search",
+  slackMessagesPost: "slack.messages.post",
+  providerHttpRequest: "provider.http.request"
+};
+function buildCanonicalLaunchConnectors(options = {}) {
+  const providerId = options.providerId ?? "tangle-platform";
+  const connectors = [
+    googleCalendarConnector(providerId),
+    gmailConnector(providerId),
+    googleDriveConnector(providerId),
+    githubConnector(providerId),
+    slackConnector(providerId)
+  ];
+  if (!options.includeProviderPassthrough) return connectors;
+  return connectors.map((connector) => ({
+    ...connector,
+    actions: [...connector.actions, providerPassthroughAction(connector.id)]
+  }));
+}
+function canonicalActionConnectorId(actionId) {
+  if (actionId.startsWith("google-calendar.")) return "google-calendar";
+  if (actionId.startsWith("gmail.")) return "gmail";
+  if (actionId.startsWith("google-drive.")) return "google-drive";
+  if (actionId.startsWith("github.")) return "github";
+  if (actionId.startsWith("slack.")) return "slack";
+  if (actionId === CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest) return void 0;
+  return actionId.split(".")[0];
+}
+function googleCalendarConnector(providerId) {
+  return {
+    id: "google-calendar",
+    providerId,
+    title: "Google Calendar",
+    category: "calendar",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/calendar.readonly", "https://www.googleapis.com/auth/calendar.events"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList,
+        title: "List calendar events",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"],
+        dataClass: "private",
+        description: "Read events from a Google Calendar over a bounded time range.",
+        inputSchema: objectSchema({
+          calendarId: { type: "string", default: "primary" },
+          timeMin: { type: "string", description: "RFC3339 lower bound." },
+          timeMax: { type: "string", description: "RFC3339 upper bound." }
+        }, ["timeMin", "timeMax"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsCreate,
+        title: "Create calendar event",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/calendar.events"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Create an event on a Google Calendar after user approval.",
+        inputSchema: objectSchema({
+          calendarId: { type: "string", default: "primary" },
+          start: { type: "string", description: "RFC3339 start time." },
+          end: { type: "string", description: "RFC3339 end time." },
+          summary: { type: "string" },
+          description: { type: "string" },
+          attendees: { type: "array", items: { type: "string" } }
+        }, ["start", "end", "summary"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function gmailConnector(providerId) {
+  return {
+    id: "gmail",
+    providerId,
+    title: "Gmail",
+    category: "email",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.send"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSearch,
+        title: "Search Gmail messages",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+        dataClass: "private",
+        description: "Search user Gmail messages and return bounded message metadata/snippets.",
+        inputSchema: objectSchema({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.gmailMessagesSend,
+        title: "Send Gmail message",
+        risk: "write",
+        requiredScopes: ["https://www.googleapis.com/auth/gmail.send"],
+        dataClass: "private",
+        approvalRequired: true,
+        description: "Send an email from the user account after approval.",
+        inputSchema: objectSchema({
+          to: { type: "array", items: { type: "string" } },
+          subject: { type: "string" },
+          body: { type: "string" }
+        }, ["to", "subject", "body"])
+      }
+    ],
+    triggers: [{
+      id: "gmail.messages.received",
+      title: "Gmail message received",
+      requiredScopes: ["https://www.googleapis.com/auth/gmail.readonly"],
+      dataClass: "private",
+      description: "Triggered when a new matching Gmail message is received."
+    }],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function googleDriveConnector(providerId) {
+  return {
+    id: "google-drive",
+    providerId,
+    title: "Google Drive",
+    category: "storage",
+    auth: "oauth2",
+    scopes: ["https://www.googleapis.com/auth/drive.readonly", "https://www.googleapis.com/auth/drive.file"],
+    actions: [
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesSearch,
+        title: "Search Drive files",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Search user-visible Google Drive files.",
+        inputSchema: objectSchema({ query: { type: "string" }, maxResults: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])
+      },
+      {
+        id: CANONICAL_INTEGRATION_ACTIONS.googleDriveFilesRead,
+        title: "Read Drive file",
+        risk: "read",
+        requiredScopes: ["https://www.googleapis.com/auth/drive.readonly"],
+        dataClass: "private",
+        description: "Read metadata and content for an authorized Drive file.",
+        inputSchema: objectSchema({ fileId: { type: "string" } }, ["fileId"])
+      }
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function githubConnector(providerId) {
+  return {
+    id: "github",
+    providerId,
+    title: "GitHub",
+    category: "workflow",
+    auth: "oauth2",
+    scopes: ["repo", "read:user"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubRepositoriesGet, "Read repository metadata", ["repo"], objectSchema({ owner: { type: "string" }, repo: { type: "string" } }, ["owner", "repo"])),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesSearch, "Search issues and pull requests", ["repo"], objectSchema({ query: { type: "string" }, limit: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubIssuesCreate, "Create issue", ["repo"], objectSchema({ owner: { type: "string" }, repo: { type: "string" }, title: { type: "string" }, body: { type: "string" } }, ["owner", "repo", "title"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.githubPullRequestsComment, "Comment on pull request", ["repo"], objectSchema({ owner: { type: "string" }, repo: { type: "string" }, pullNumber: { type: "integer" }, body: { type: "string" } }, ["owner", "repo", "pullNumber", "body"]))
+    ],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function slackConnector(providerId) {
+  return {
+    id: "slack",
+    providerId,
+    title: "Slack",
+    category: "chat",
+    auth: "oauth2",
+    scopes: ["channels:read", "search:read", "chat:write"],
+    actions: [
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackChannelsList, "List Slack channels", ["channels:read"], objectSchema({ limit: { type: "integer", minimum: 1, maximum: 200 } })),
+      readAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesSearch, "Search Slack messages", ["search:read"], objectSchema({ query: { type: "string" }, count: { type: "integer", minimum: 1, maximum: 50 } }, ["query"])),
+      writeAction(CANONICAL_INTEGRATION_ACTIONS.slackMessagesPost, "Post Slack message", ["chat:write"], objectSchema({ channel: { type: "string" }, text: { type: "string" }, blocks: { type: "array" } }, ["channel", "text"]))
+    ],
+    triggers: [trigger("slack.message.posted", "Slack message posted", ["channels:read"])],
+    metadata: { source: "canonical-launch", supportTier: "setupReady" }
+  };
+}
+function readAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "read", requiredScopes: scopes, dataClass: "private", inputSchema };
+}
+function writeAction(id, title, scopes, inputSchema) {
+  return { id, title, risk: "write", requiredScopes: scopes, dataClass: "private", approvalRequired: true, inputSchema };
+}
+function trigger(id, title, scopes) {
+  return { id, title, requiredScopes: scopes, dataClass: "private" };
+}
+function providerPassthroughAction(connectorId) {
+  return {
+    id: CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest,
+    title: "Provider HTTP request",
+    risk: "write",
+    requiredScopes: [],
+    dataClass: "sensitive",
+    approvalRequired: true,
+    description: `Controlled provider-native passthrough for ${connectorId}. Disabled by default by platform policy.`,
+    inputSchema: objectSchema({
+      method: { type: "string", enum: ["GET", "POST", "PUT", "PATCH", "DELETE"] },
+      path: { type: "string" },
+      query: { type: "object" },
+      body: { type: "object" }
+    }, ["method", "path"])
+  };
+}
+function objectSchema(properties, required = []) {
+  return { type: "object", additionalProperties: false, properties, required };
+}
+
 // src/bridge.ts
 var DEFAULT_INTEGRATION_BRIDGE_ENV = "TANGLE_INTEGRATION_BUNDLE";
 function buildIntegrationBridgePayload(bundle) {
@@ -1586,6 +969,219 @@ function assertBridgePayload(value) {
   if (!Array.isArray(payload.tools)) throw new Error("Invalid integration bridge tools.");
 }
 
+// src/errors.ts
+var IntegrationRuntimeError = class extends Error {
+  code;
+  status;
+  userAction;
+  metadata;
+  constructor(input) {
+    super(input.message);
+    this.name = "IntegrationRuntimeError";
+    this.code = input.code;
+    this.status = input.status ?? statusForCode(input.code);
+    this.userAction = input.userAction;
+    this.metadata = input.metadata;
+  }
+};
+function normalizeIntegrationError(error) {
+  if (error instanceof IntegrationRuntimeError) {
+    return {
+      ok: false,
+      code: error.code,
+      message: error.message,
+      status: error.status,
+      userAction: error.userAction,
+      metadata: redactUnknown2(error.metadata)
+    };
+  }
+  const message = error instanceof Error ? error.message : String(error ?? "Unknown integration error.");
+  return {
+    ok: false,
+    code: inferCode(message),
+    message,
+    status: 500
+  };
+}
+function statusForCode(code) {
+  if (code === "missing_connection" || code === "missing_grant") return 409;
+  if (code === "approval_required") return 202;
+  if (code === "approval_denied") return 403;
+  if (code === "connection_revoked" || code === "connection_expired" || code === "provider_auth_failed") return 401;
+  if (code === "scope_missing" || code === "action_denied" || code === "passthrough_disabled") return 403;
+  if (code === "action_not_found" || code === "manifest_invalid" || code === "input_invalid") return 400;
+  if (code === "provider_rate_limited") return 429;
+  if (code === "provider_unavailable") return 503;
+  if (code === "capability_expired" || code === "capability_invalid") return 401;
+  return 500;
+}
+function inferCode(message) {
+  if (/approval/i.test(message)) return "approval_required";
+  if (/scope/i.test(message)) return "scope_missing";
+  if (/expired/i.test(message)) return "connection_expired";
+  if (/revoked/i.test(message)) return "connection_revoked";
+  if (/rate.?limit|429/i.test(message)) return "provider_rate_limited";
+  if (/unauth|forbidden|401|403/i.test(message)) return "provider_auth_failed";
+  return "unknown";
+}
+function redactUnknown2(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown2);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential|refresh/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown2(child);
+    }
+  }
+  return out;
+}
+
+// src/client.ts
+var TangleIntegrationsClient = class {
+  endpoint;
+  bridge;
+  fetchImpl;
+  getCapabilityToken;
+  constructor(options) {
+    this.endpoint = options.endpoint.replace(/\/$/, "");
+    this.bridge = options.bridge ?? parseIntegrationBridgeEnvironment(
+      options.env ?? readProcessEnv(),
+      { envVar: options.envVar ?? DEFAULT_INTEGRATION_BRIDGE_ENV }
+    );
+    this.fetchImpl = options.fetchImpl ?? fetch;
+    this.getCapabilityToken = options.getCapabilityToken ?? ((tool) => tool.capabilityToken);
+  }
+  tools() {
+    return [...this.bridge.tools];
+  }
+  findTool(toolOrAction) {
+    const found = this.bridge.tools.find(
+      (tool) => tool.name === toolOrAction || tool.action === toolOrAction || `${tool.connectorId}.${tool.action}` === toolOrAction
+    );
+    if (!found) {
+      throw new IntegrationRuntimeError({
+        code: "action_not_found",
+        message: `Integration tool ${toolOrAction} is not available in this runtime.`,
+        metadata: { available: this.bridge.tools.map((tool) => ({ name: tool.name, action: tool.action, connectorId: tool.connectorId })) }
+      });
+    }
+    return found;
+  }
+  async invoke(input) {
+    try {
+      const tool = this.findTool(input.tool);
+      const token = await this.getCapabilityToken(tool);
+      const response = await this.fetchImpl(`${this.endpoint}/v1/integrations/invoke`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${token}`
+        },
+        body: JSON.stringify({
+          action: tool.action,
+          input: input.input,
+          idempotencyKey: input.idempotencyKey ?? defaultIdempotencyKey(tool.action),
+          dryRun: input.dryRun,
+          metadata: input.metadata
+        })
+      });
+      const json = await response.json().catch(() => void 0);
+      if (!response.ok && !json) {
+        return { status: "failed", action: tool.action, error: `Integration invoke failed with HTTP ${response.status}` };
+      }
+      return json ?? { status: "failed", action: tool.action, error: "Integration invoke returned an empty response." };
+    } catch (error) {
+      const normalized = normalizeIntegrationError(error);
+      return { status: "failed", action: input.tool, error: normalized.message, metadata: { code: normalized.code, userAction: normalized.userAction } };
+    }
+  }
+};
+function createTangleIntegrationsClient(options) {
+  return new TangleIntegrationsClient(options);
+}
+function defaultIdempotencyKey(action) {
+  return `${action}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+}
+function readProcessEnv() {
+  if (typeof process !== "undefined" && process.env) return process.env;
+  return {};
+}
+
+// src/consent.ts
+function renderConsentSummary(manifestOrResolution, options = {}) {
+  const manifest = "manifest" in manifestOrResolution ? manifestOrResolution.manifest : manifestOrResolution;
+  const appName = options.appName ?? manifest.title ?? manifest.id;
+  const requirements = manifest.requirements;
+  const risk = aggregateRisk(requirements, options.connectors);
+  const connectorIds = unique2(requirements.map((requirement) => requirement.connectorId));
+  const first = requirements[0];
+  const body = first ? sentenceForRequirement(appName, first) : `${appName} does not request integrations.`;
+  return {
+    title: `${appName} wants to use ${humanList(connectorIds.map(titleize))}`,
+    body,
+    bullets: requirements.map((requirement) => bulletForRequirement(requirement, options.connectors)),
+    primaryAction: risk === "read" ? "Allow access" : risk === "write" ? "Review and allow" : "Review destructive access",
+    risk,
+    connectorIds
+  };
+}
+function renderApprovalCopy(input) {
+  return {
+    title: `${input.appName} wants to ${input.action.title.toLowerCase()}`,
+    body: `${input.appName} is requesting permission to run "${input.action.title}" on ${input.connectorTitle}.`,
+    bullets: [
+      `Risk: ${input.action.risk}`,
+      `Data: ${input.action.dataClass}`,
+      ...input.approvalId ? [`Approval id: ${input.approvalId}`] : []
+    ],
+    primaryAction: input.action.risk === "read" ? "Allow" : "Approve action",
+    risk: input.action.risk,
+    connectorIds: []
+  };
+}
+function sentenceForRequirement(appName, requirement) {
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "read") {
+    return `${appName} wants to read your Google Calendar to find schedule-aware recommendations.`;
+  }
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "write") {
+    return `${appName} wants to create or update Google Calendar events after your approval.`;
+  }
+  if (requirement.mode === "read") return `${appName} wants to read ${titleize(requirement.connectorId)} data.`;
+  if (requirement.mode === "write") return `${appName} wants to write ${titleize(requirement.connectorId)} data after approval.`;
+  return `${appName} wants to subscribe to ${titleize(requirement.connectorId)} events.`;
+}
+function bulletForRequirement(requirement, connectors = []) {
+  const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+  const actions = requirement.requiredActions?.length ? requirement.requiredActions.map((id) => connector?.actions.find((action) => action.id === id)?.title ?? id) : requirement.requiredTriggers ?? [];
+  return `${titleize(requirement.connectorId)}: ${requirement.reason}${actions.length ? ` (${actions.join(", ")})` : ""}`;
+}
+function aggregateRisk(requirements, connectors = []) {
+  let rank = 0;
+  for (const requirement of requirements) {
+    if (requirement.mode === "write") rank = Math.max(rank, 1);
+    const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+    for (const actionId of requirement.requiredActions ?? []) {
+      const risk = connector?.actions.find((action) => action.id === actionId)?.risk;
+      if (risk === "write") rank = Math.max(rank, 1);
+      if (risk === "destructive") rank = Math.max(rank, 2);
+    }
+  }
+  return rank === 2 ? "destructive" : rank === 1 ? "write" : "read";
+}
+function humanList(values) {
+  if (values.length <= 1) return values[0] ?? "integrations";
+  if (values.length === 2) return `${values[0]} and ${values[1]}`;
+  return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
+}
+function titleize(value) {
+  return value.split(/[-_.]/g).filter(Boolean).map((part) => part[0].toUpperCase() + part.slice(1)).join(" ");
+}
+function unique2(values) {
+  return [...new Set(values)];
+}
+
 // src/adapter-provider.ts
 function createConnectorAdapterProvider(options) {
   const providerId = options.id ?? "first-party";
@@ -2077,80 +1673,330 @@ async function runIntegrationHealthcheck(input) {
   }));
   return result;
 }
-async function runIntegrationHealthchecks(input) {
-  const results = [];
-  for (const connection of input.connections) {
-    const result = await runIntegrationHealthcheck({
-      connection,
-      registry: input.registry,
-      test: input.test,
-      audit: input.audit,
-      now: input.now
-    });
-    await input.store?.put(result);
-    results.push(result);
+async function runIntegrationHealthchecks(input) {
+  const results = [];
+  for (const connection of input.connections) {
+    const result = await runIntegrationHealthcheck({
+      connection,
+      registry: input.registry,
+      test: input.test,
+      audit: input.audit,
+      now: input.now
+    });
+    await input.store?.put(result);
+    results.push(result);
+  }
+  return results;
+}
+function healthcheckRequest(action = "healthcheck") {
+  return {
+    connectionId: "__healthcheck__",
+    action,
+    input: {},
+    dryRun: true,
+    metadata: { healthcheck: true }
+  };
+}
+function connectionStatusCheck(connection, now) {
+  if (connection.status !== "active") {
+    return { id: "connection-active", status: "unhealthy", message: `Connection is ${connection.status}.` };
+  }
+  if (connection.expiresAt && Date.parse(connection.expiresAt) <= now().getTime()) {
+    return { id: "connection-active", status: "unhealthy", message: "Connection credentials are expired." };
+  }
+  return { id: "connection-active", status: "healthy", message: "Connection is active." };
+}
+function connectorExecutableCheck(connector) {
+  const executable = connector.actions.length > 0 || (connector.triggers?.length ?? 0) > 0;
+  if (!executable) {
+    return { id: "connector-executable", status: "degraded", message: `${connector.title} is catalog-only.` };
+  }
+  return { id: "connector-executable", status: "healthy", message: `${connector.title} has executable actions or triggers.` };
+}
+function scopeShapeCheck(connection, connector) {
+  const declaredScopes = new Set(connector.scopes);
+  const undeclared = connection.grantedScopes.filter((scope) => !declaredScopes.has(scope));
+  if (connector.scopes.length === 0 && connection.grantedScopes.length > 0) {
+    return { id: "scope-shape", status: "unknown", message: "Connector does not declare a scope catalog.", metadata: { grantedScopes: connection.grantedScopes } };
+  }
+  if (undeclared.length > 0) {
+    return { id: "scope-shape", status: "degraded", message: "Connection has scopes not declared by the connector.", metadata: { undeclared } };
+  }
+  return { id: "scope-shape", status: "healthy", message: "Granted scopes match the connector shape." };
+}
+async function liveHealthcheck(connection, connector, test) {
+  try {
+    const result = await test(connection, connector);
+    const ok = typeof result === "boolean" ? result : result.ok;
+    return {
+      id: "provider-live-test",
+      status: ok ? "healthy" : "unhealthy",
+      message: ok ? "Provider live test passed." : "Provider live test failed.",
+      metadata: typeof result === "boolean" ? void 0 : { action: result.action, warnings: result.warnings }
+    };
+  } catch (error) {
+    return {
+      id: "provider-live-test",
+      status: "unhealthy",
+      message: error instanceof Error ? error.message : "Provider live test failed."
+    };
+  }
+}
+function rollupHealthStatus(checks) {
+  if (checks.some((check) => check.status === "unhealthy")) return "unhealthy";
+  if (checks.some((check) => check.status === "degraded")) return "degraded";
+  if (checks.some((check) => check.status === "unknown")) return "unknown";
+  return "healthy";
+}
+
+// src/manifest.ts
+function validateIntegrationManifest(manifest) {
+  const issues = [];
+  if (!manifest.id?.trim()) issues.push({ path: "id", message: "Manifest id is required." });
+  if (!Array.isArray(manifest.requirements)) issues.push({ path: "requirements", message: "Requirements must be an array." });
+  const ids = /* @__PURE__ */ new Set();
+  for (const [index, requirement] of (manifest.requirements ?? []).entries()) {
+    const path = `requirements[${index}]`;
+    if (!requirement.id?.trim()) issues.push({ path: `${path}.id`, message: "Requirement id is required." });
+    if (ids.has(requirement.id)) issues.push({ path: `${path}.id`, message: `Duplicate requirement id ${requirement.id}.` });
+    ids.add(requirement.id);
+    if (!requirement.connectorId?.trim()) issues.push({ path: `${path}.connectorId`, message: "Connector id is required." });
+    if (!["read", "write", "trigger"].includes(requirement.mode)) issues.push({ path: `${path}.mode`, message: "Mode must be read, write, or trigger." });
+    if (!requirement.reason?.trim()) issues.push({ path: `${path}.reason`, message: "Human-readable reason is required." });
+    if (requirement.mode !== "trigger" && !requirement.requiredActions?.length) {
+      issues.push({ path: `${path}.requiredActions`, message: "Non-trigger requirements should list required actions." });
+    }
+    if (requirement.mode === "trigger" && !requirement.requiredTriggers?.length) {
+      issues.push({ path: `${path}.requiredTriggers`, message: "Trigger requirements should list required triggers." });
+    }
+  }
+  return { ok: issues.length === 0, issues };
+}
+function assertValidIntegrationManifest(manifest) {
+  const result = validateIntegrationManifest(manifest);
+  if (!result.ok) {
+    throw new Error(`Invalid integration manifest: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
+  }
+}
+function inferIntegrationManifestFromTools(options) {
+  const byConnector = /* @__PURE__ */ new Map();
+  for (const item of options.tools) {
+    const action = typeof item === "string" ? item : item.action;
+    const connectorId = typeof item === "string" ? canonicalActionConnectorId(action) : item.connectorId ?? canonicalActionConnectorId(action);
+    if (!connectorId) continue;
+    const mode = typeof item === "string" ? inferMode(action) : item.mode ?? inferMode(action);
+    const id = `${connectorId}-${mode}`;
+    const existing = byConnector.get(id);
+    const reason = typeof item === "string" ? defaultReason(connectorId, mode) : item.reason ?? defaultReason(connectorId, mode);
+    if (existing) {
+      byConnector.set(id, {
+        ...existing,
+        requiredActions: unique3([...existing.requiredActions ?? [], action]),
+        requiredScopes: unique3([...existing.requiredScopes ?? [], ...typeof item === "string" ? [] : item.scopes ?? []])
+      });
+    } else {
+      byConnector.set(id, {
+        id,
+        connectorId,
+        mode,
+        reason,
+        requiredActions: mode === "trigger" ? void 0 : [action],
+        requiredScopes: typeof item === "string" ? void 0 : item.scopes
+      });
+    }
+  }
+  const manifest = {
+    id: options.manifestId,
+    title: options.title,
+    requirements: [...byConnector.values()],
+    metadata: options.metadata
+  };
+  assertValidIntegrationManifest(manifest);
+  return manifest;
+}
+function explainMissingRequirements(resolution) {
+  return [...resolution.missing, ...resolution.optionalMissing].map((item) => ({
+    requirementId: item.requirement.id,
+    connectorId: item.requirement.connectorId,
+    status: item.status,
+    message: item.message,
+    userAction: item.requirement.optional ? "ignore_optional" : item.status === "not_executable" ? "enable" : "connect"
+  }));
+}
+function calendarExercisePlannerManifest(id = "exercise-calendar-planner") {
+  return {
+    id,
+    title: "Exercise Calendar Planner",
+    requirements: [{
+      id: "calendar-read",
+      connectorId: "google-calendar",
+      mode: "read",
+      reason: "Read busy and free calendar windows to recommend exercise sessions.",
+      requiredActions: [CANONICAL_INTEGRATION_ACTIONS.googleCalendarEventsList],
+      requiredScopes: ["https://www.googleapis.com/auth/calendar.readonly"]
+    }]
+  };
+}
+function inferMode(action) {
+  if (/(create|send|post|update|delete|write|comment|request)$/i.test(action)) return "write";
+  return "read";
+}
+function defaultReason(connectorId, mode) {
+  if (connectorId === "google-calendar" && mode === "read") return "Read calendar availability for the generated app.";
+  if (connectorId === "google-calendar" && mode === "write") return "Create or update calendar events after user approval.";
+  return `${mode === "read" ? "Read from" : mode === "write" ? "Write to" : "Subscribe to"} ${connectorId} for this app.`;
+}
+function unique3(values) {
+  return [...new Set(values)];
+}
+
+// src/passthrough.ts
+var PROVIDER_PASSTHROUGH_ACTION = CANONICAL_INTEGRATION_ACTIONS.providerHttpRequest;
+function validateProviderPassthroughRequest(input, policy) {
+  if (!policy.enabled) {
+    throw new IntegrationRuntimeError({
+      code: "passthrough_disabled",
+      message: "Provider-native passthrough is disabled for this connector."
+    });
+  }
+  if (!input.path.startsWith("/")) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: "Provider passthrough path must start with /." });
+  }
+  if (policy.allowedMethods?.length && !policy.allowedMethods.includes(input.method)) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough method ${input.method} is not allowed.` });
+  }
+  if (policy.allowedPathPrefixes?.length && !policy.allowedPathPrefixes.some((prefix) => input.path.startsWith(prefix))) {
+    throw new IntegrationRuntimeError({ code: "action_denied", message: `Provider passthrough path ${input.path} is not allowed.` });
+  }
+  const maxBodyBytes = policy.maxBodyBytes ?? 64 * 1024;
+  const bodyBytes = Buffer.byteLength(JSON.stringify(input.body ?? null), "utf8");
+  if (bodyBytes > maxBodyBytes) {
+    throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough body exceeds ${maxBodyBytes} bytes.` });
+  }
+  for (const key of Object.keys(input.headers ?? {})) {
+    if (/authorization|cookie|token|secret|api[_-]?key/i.test(key)) {
+      throw new IntegrationRuntimeError({ code: "input_invalid", message: `Provider passthrough header ${key} is not caller-settable.` });
+    }
+  }
+}
+
+// src/policy.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var StaticIntegrationPolicyEngine = class {
+  rules;
+  defaultReadEffect;
+  defaultWriteEffect;
+  defaultDestructiveEffect;
+  now;
+  constructor(options = {}) {
+    this.rules = options.rules ?? [];
+    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
+    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
+    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  decide(ctx) {
+    const action = ctx.action;
+    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
+    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
+    const effect = matched?.effect ?? this.defaultEffect(action.risk);
+    const reason = matched?.reason ?? defaultReason2(effect, action.risk);
+    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
+    return {
+      decision: "require_approval",
+      reason,
+      approval: buildApprovalRequest(ctx, reason, this.now()),
+      metadata: matched ? { ruleId: matched.id } : void 0
+    };
+  }
+  defaultEffect(risk) {
+    if (risk === "read") return this.defaultReadEffect;
+    if (risk === "write") return this.defaultWriteEffect;
+    return this.defaultDestructiveEffect;
+  }
+};
+function createDefaultIntegrationPolicyEngine(options = {}) {
+  return new StaticIntegrationPolicyEngine(options);
+}
+function buildApprovalRequest(ctx, reason, requestedAt) {
+  if (!ctx.action) {
+    throw new Error("Cannot build approval request without an action descriptor.");
   }
-  return results;
+  return {
+    id: `approval_${randomUUID2()}`,
+    connectionId: ctx.connection.id,
+    providerId: ctx.connection.providerId,
+    connectorId: ctx.connection.connectorId,
+    action: ctx.request.action,
+    actor: { type: ctx.subject.type, id: ctx.subject.id },
+    risk: ctx.action.risk,
+    dataClass: ctx.action.dataClass,
+    reason,
+    requestedAt: requestedAt.toISOString(),
+    inputPreview: previewInput(ctx.request.input)
+  };
 }
-function healthcheckRequest(action = "healthcheck") {
+function redactApprovalRequest(request) {
   return {
-    connectionId: "__healthcheck__",
-    action,
-    input: {},
-    dryRun: true,
-    metadata: { healthcheck: true }
+    ...request,
+    inputPreview: redactUnknown3(request.inputPreview)
   };
 }
-function connectionStatusCheck(connection, now) {
-  if (connection.status !== "active") {
-    return { id: "connection-active", status: "unhealthy", message: `Connection is ${connection.status}.` };
-  }
-  if (connection.expiresAt && Date.parse(connection.expiresAt) <= now().getTime()) {
-    return { id: "connection-active", status: "unhealthy", message: "Connection credentials are expired." };
-  }
-  return { id: "connection-active", status: "healthy", message: "Connection is active." };
+function ruleMatches(rule, ctx) {
+  if (!ctx.action) return false;
+  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
+  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
+  if (rule.action && rule.action !== ctx.request.action) return false;
+  if (rule.risk && rule.risk !== ctx.action.risk) return false;
+  if (rule.maxRisk && riskRank(ctx.action.risk) > riskRank(rule.maxRisk)) return false;
+  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
+  return true;
 }
-function connectorExecutableCheck(connector) {
-  const executable = connector.actions.length > 0 || (connector.triggers?.length ?? 0) > 0;
-  if (!executable) {
-    return { id: "connector-executable", status: "degraded", message: `${connector.title} is catalog-only.` };
-  }
-  return { id: "connector-executable", status: "healthy", message: `${connector.title} has executable actions or triggers.` };
+function riskRank(risk) {
+  if (risk === "read") return 0;
+  if (risk === "write") return 1;
+  return 2;
 }
-function scopeShapeCheck(connection, connector) {
-  const declaredScopes = new Set(connector.scopes);
-  const undeclared = connection.grantedScopes.filter((scope) => !declaredScopes.has(scope));
-  if (connector.scopes.length === 0 && connection.grantedScopes.length > 0) {
-    return { id: "scope-shape", status: "unknown", message: "Connector does not declare a scope catalog.", metadata: { grantedScopes: connection.grantedScopes } };
-  }
-  if (undeclared.length > 0) {
-    return { id: "scope-shape", status: "degraded", message: "Connection has scopes not declared by the connector.", metadata: { undeclared } };
-  }
-  return { id: "scope-shape", status: "healthy", message: "Granted scopes match the connector shape." };
+function defaultReason2(effect, risk) {
+  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
+  if (effect === "deny") return `${risk} integration action denied by default policy.`;
+  return `${risk} integration action requires approval by default policy.`;
 }
-async function liveHealthcheck(connection, connector, test) {
-  try {
-    const result = await test(connection, connector);
-    const ok = typeof result === "boolean" ? result : result.ok;
-    return {
-      id: "provider-live-test",
-      status: ok ? "healthy" : "unhealthy",
-      message: ok ? "Provider live test passed." : "Provider live test failed.",
-      metadata: typeof result === "boolean" ? void 0 : { action: result.action, warnings: result.warnings }
-    };
-  } catch (error) {
-    return {
-      id: "provider-live-test",
-      status: "unhealthy",
-      message: error instanceof Error ? error.message : "Provider live test failed."
-    };
+function previewInput(input) {
+  return redactUnknown3(input);
+}
+function redactUnknown3(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown3);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
+      out[key] = "[REDACTED]";
+    } else {
+      out[key] = redactUnknown3(child);
+    }
   }
+  return out;
 }
-function rollupHealthStatus(checks) {
-  if (checks.some((check) => check.status === "unhealthy")) return "unhealthy";
-  if (checks.some((check) => check.status === "degraded")) return "degraded";
-  if (checks.some((check) => check.status === "unknown")) return "unknown";
-  return "healthy";
+
+// src/presets.ts
+function createPlatformIntegrationPolicyPreset(options = {}) {
+  return new StaticIntegrationPolicyEngine({
+    ...options,
+    defaultReadEffect: "allow",
+    defaultWriteEffect: options.allowWritesWithoutApproval ? "allow" : "require_approval",
+    defaultDestructiveEffect: options.allowDestructiveActions ? "require_approval" : "deny",
+    rules: [
+      ...options.allowProviderPassthrough ? [] : [{
+        id: "deny-provider-native-passthrough",
+        action: "provider.http.request",
+        effect: "deny",
+        reason: "Provider-native passthrough is disabled by default. Promote the connector action or enable passthrough explicitly."
+      }],
+      ...options.rules ?? []
+    ]
+  });
 }
 
 // src/connectors/types.ts
@@ -5013,7 +4859,7 @@ var repoParams = {
   },
   required: ["owner", "repo"]
 };
-var githubConnector = declarativeRestConnector({
+var githubConnector2 = declarativeRestConnector({
   kind: "github",
   displayName: "GitHub",
   description: "Search repositories/issues and create or update GitHub issues through a user-scoped token.",
@@ -5348,7 +5194,7 @@ var salesforceConnector = declarativeRestConnector({
 });
 
 // src/catalog.ts
-var riskRank = {
+var riskRank2 = {
   read: 0,
   write: 1,
   destructive: 2
@@ -5371,7 +5217,7 @@ function buildIntegrationToolCatalog(connectors) {
   const tools = [];
   for (const connector of connectors) {
     for (const action of connector.actions) {
-      const tags = unique2([
+      const tags = unique4([
         connector.id,
         connector.providerId,
         connector.title,
@@ -5410,7 +5256,7 @@ function searchIntegrationTools(catalog, query, filters = {}) {
     if (filters.connectorId && tool.connectorId !== filters.connectorId) return false;
     if (filters.category && tool.category !== filters.category) return false;
     if (filters.dataClass && tool.dataClass !== filters.dataClass) return false;
-    if (filters.maxRisk && riskRank[tool.risk] > riskRank[filters.maxRisk]) return false;
+    if (filters.maxRisk && riskRank2[tool.risk] > riskRank2[filters.maxRisk]) return false;
     return true;
   });
   const scored = filtered.map((tool) => scoreTool(tool, terms));
@@ -5444,7 +5290,7 @@ function scoreTool(tool, terms) {
     }
   }
   if (tool.risk === "read") score += 0.25;
-  return { tool, score, matched: unique2(matched) };
+  return { tool, score, matched: unique4(matched) };
 }
 function tokenize(value) {
   return value.toLowerCase().split(/[^a-z0-9]+/g).map((part) => part.trim()).filter(Boolean);
@@ -5455,110 +5301,10 @@ function encodeToolPart(value) {
 function decodeToolPart(value) {
   return Buffer.from(value.replace(/\./g, "_"), "base64url").toString("utf8");
 }
-function unique2(values) {
+function unique4(values) {
   return [...new Set(values)];
 }
 
-// src/policy.ts
-import { randomUUID as randomUUID2 } from "crypto";
-var StaticIntegrationPolicyEngine = class {
-  rules;
-  defaultReadEffect;
-  defaultWriteEffect;
-  defaultDestructiveEffect;
-  now;
-  constructor(options = {}) {
-    this.rules = options.rules ?? [];
-    this.defaultReadEffect = options.defaultReadEffect ?? "allow";
-    this.defaultWriteEffect = options.defaultWriteEffect ?? "require_approval";
-    this.defaultDestructiveEffect = options.defaultDestructiveEffect ?? "deny";
-    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
-  }
-  decide(ctx) {
-    const action = ctx.action;
-    if (!action) return { decision: "deny", reason: "Integration action is missing from connector catalog." };
-    const matched = this.rules.find((rule) => ruleMatches(rule, ctx));
-    const effect = matched?.effect ?? this.defaultEffect(action.risk);
-    const reason = matched?.reason ?? defaultReason(effect, action.risk);
-    if (effect === "allow") return { decision: "allow", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    if (effect === "deny") return { decision: "deny", reason, metadata: matched ? { ruleId: matched.id } : void 0 };
-    return {
-      decision: "require_approval",
-      reason,
-      approval: buildApprovalRequest(ctx, reason, this.now()),
-      metadata: matched ? { ruleId: matched.id } : void 0
-    };
-  }
-  defaultEffect(risk) {
-    if (risk === "read") return this.defaultReadEffect;
-    if (risk === "write") return this.defaultWriteEffect;
-    return this.defaultDestructiveEffect;
-  }
-};
-function createDefaultIntegrationPolicyEngine(options = {}) {
-  return new StaticIntegrationPolicyEngine(options);
-}
-function buildApprovalRequest(ctx, reason, requestedAt) {
-  if (!ctx.action) {
-    throw new Error("Cannot build approval request without an action descriptor.");
-  }
-  return {
-    id: `approval_${randomUUID2()}`,
-    connectionId: ctx.connection.id,
-    providerId: ctx.connection.providerId,
-    connectorId: ctx.connection.connectorId,
-    action: ctx.request.action,
-    actor: { type: ctx.subject.type, id: ctx.subject.id },
-    risk: ctx.action.risk,
-    dataClass: ctx.action.dataClass,
-    reason,
-    requestedAt: requestedAt.toISOString(),
-    inputPreview: previewInput(ctx.request.input)
-  };
-}
-function redactApprovalRequest(request) {
-  return {
-    ...request,
-    inputPreview: redactUnknown2(request.inputPreview)
-  };
-}
-function ruleMatches(rule, ctx) {
-  if (!ctx.action) return false;
-  if (rule.providerId && rule.providerId !== ctx.connection.providerId) return false;
-  if (rule.connectorId && rule.connectorId !== ctx.connection.connectorId) return false;
-  if (rule.action && rule.action !== ctx.request.action) return false;
-  if (rule.risk && rule.risk !== ctx.action.risk) return false;
-  if (rule.maxRisk && riskRank2(ctx.action.risk) > riskRank2(rule.maxRisk)) return false;
-  if (rule.dataClass && rule.dataClass !== ctx.action.dataClass) return false;
-  return true;
-}
-function riskRank2(risk) {
-  if (risk === "read") return 0;
-  if (risk === "write") return 1;
-  return 2;
-}
-function defaultReason(effect, risk) {
-  if (effect === "allow") return `${risk} integration action allowed by default policy.`;
-  if (effect === "deny") return `${risk} integration action denied by default policy.`;
-  return `${risk} integration action requires approval by default policy.`;
-}
-function previewInput(input) {
-  return redactUnknown2(input);
-}
-function redactUnknown2(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown2);
-  if (!value || typeof value !== "object") return value;
-  const out = {};
-  for (const [key, child] of Object.entries(value)) {
-    if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
-      out[key] = "[REDACTED]";
-    } else {
-      out[key] = redactUnknown2(child);
-    }
-  }
-  return out;
-}
-
 // src/sandbox.ts
 function buildIntegrationInvocationEnvelope(input) {
   const parsed = parseIntegrationToolName(input.toolName);
@@ -5617,13 +5363,13 @@ function redactInvocationEnvelope(envelope) {
   return {
     ...envelope,
     capabilityToken: "[REDACTED]",
-    input: redactUnknown3(envelope.input)
+    input: redactUnknown4(envelope.input)
   };
 }
 function redactCapability(capability) {
   return {
     ...capability,
-    metadata: redactUnknown3(capability.metadata)
+    metadata: redactUnknown4(capability.metadata)
   };
 }
 function normalizeIntegrationResult(result) {
@@ -5676,15 +5422,15 @@ var IntegrationSandboxHost = class {
     return dispatchIntegrationInvocation(envelope, this.options);
   }
 };
-function redactUnknown3(value) {
-  if (Array.isArray(value)) return value.map(redactUnknown3);
+function redactUnknown4(value) {
+  if (Array.isArray(value)) return value.map(redactUnknown4);
   if (!value || typeof value !== "object") return value;
   const out = {};
   for (const [key, child] of Object.entries(value)) {
     if (/token|secret|password|authorization|api[_-]?key|credential/i.test(key)) {
       out[key] = "[REDACTED]";
     } else {
-      out[key] = redactUnknown3(child);
+      out[key] = redactUnknown4(child);
     }
   }
   return out;
@@ -5750,7 +5496,7 @@ function importMcpConnector(catalog, options) {
   }));
 }
 function connectorFromActions(options, actions) {
-  const scopes = unique3([
+  const scopes = unique5([
     ...options.scopes ?? [],
     ...actions.flatMap((action) => action.requiredScopes)
   ]);
@@ -5782,7 +5528,7 @@ function riskFromMcpTool(tool, fallback) {
 }
 function scopesFromOpenApiOperation(operation, fallback) {
   const scopes = (operation.security ?? []).flatMap((entry) => Object.values(entry).flat());
-  return unique3(scopes.length > 0 ? scopes : fallback);
+  return unique5(scopes.length > 0 ? scopes : fallback);
 }
 function openApiInputSchema(path, method, operation) {
   return {
@@ -5802,7 +5548,7 @@ function titleFromId(id) {
 function isObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function unique3(values) {
+function unique5(values) {
   return [...new Set(values)];
 }
 
@@ -5853,7 +5599,7 @@ function normalizeGatewayCatalog(entries, options) {
       title,
       category: normalizeCategory(entry.category),
       auth: normalizeAuth(entry.auth),
-      scopes: unique4([
+      scopes: unique6([
         ...entry.scopes ?? [],
         ...actions.flatMap((action) => action.requiredScopes)
       ]),
@@ -5883,7 +5629,7 @@ function normalizeActions(actions, fallbackScopes) {
       id,
       title: action.title ?? action.name ?? titleFromId2(id),
       risk: normalizeRisk(action.risk),
-      requiredScopes: unique4([
+      requiredScopes: unique6([
         ...action.requiredScopes ?? [],
         ...action.scopes ?? [],
         ...action.requiredScopes?.length || action.scopes?.length ? [] : fallbackScopes
@@ -5897,21 +5643,21 @@ function normalizeActions(actions, fallbackScopes) {
   }).filter((action) => action.id);
 }
 function normalizeTriggers(triggers, fallbackScopes) {
-  const normalized = triggers.map((trigger) => {
-    const id = slug2(trigger.id ?? trigger.key ?? trigger.name ?? trigger.title ?? "");
+  const normalized = triggers.map((trigger2) => {
+    const id = slug2(trigger2.id ?? trigger2.key ?? trigger2.name ?? trigger2.title ?? "");
     return {
       id,
-      title: trigger.title ?? trigger.name ?? titleFromId2(id),
-      requiredScopes: unique4([
-        ...trigger.requiredScopes ?? [],
-        ...trigger.scopes ?? [],
-        ...trigger.requiredScopes?.length || trigger.scopes?.length ? [] : fallbackScopes
+      title: trigger2.title ?? trigger2.name ?? titleFromId2(id),
+      requiredScopes: unique6([
+        ...trigger2.requiredScopes ?? [],
+        ...trigger2.scopes ?? [],
+        ...trigger2.requiredScopes?.length || trigger2.scopes?.length ? [] : fallbackScopes
       ]),
-      dataClass: normalizeDataClass(trigger.dataClass),
-      description: trigger.description,
-      payloadSchema: trigger.payloadSchema
+      dataClass: normalizeDataClass(trigger2.dataClass),
+      description: trigger2.description,
+      payloadSchema: trigger2.payloadSchema
     };
-  }).filter((trigger) => trigger.id);
+  }).filter((trigger2) => trigger2.id);
   return normalized.length > 0 ? normalized : void 0;
 }
 function defaultActionsFor(category, scopes) {
@@ -5991,7 +5737,7 @@ function slug2(value) {
 function titleFromId2(id) {
   return id.split("-").filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
 }
-function unique4(values) {
+function unique6(values) {
   return [...new Set(values)];
 }
 
@@ -6079,7 +5825,7 @@ var IntegrationRuntime = class {
       const connector = {
         ...entry.connector,
         actions: entry.connector.actions.filter((action) => grant.allowedActions.includes(action.id)),
-        triggers: entry.connector.triggers?.filter((trigger) => grant.allowedTriggers.includes(trigger.id)),
+        triggers: entry.connector.triggers?.filter((trigger2) => grant.allowedTriggers.includes(trigger2.id)),
         scopes: entry.connector.scopes.filter((scope) => grant.scopes.includes(scope))
       };
       const capability = await this.hub.issueCapability({
@@ -6173,32 +5919,32 @@ function missing(requirement, status, message, connector, registryEntry2) {
 }
 function requiredActions(requirement, connector) {
   if (requirement.mode === "trigger") return [];
-  if (requirement.requiredActions?.length) return unique5(requirement.requiredActions);
+  if (requirement.requiredActions?.length) return unique7(requirement.requiredActions);
   const actions = connector.actions.filter((action) => {
     if (requirement.mode === "read") return action.risk === "read";
     if (requirement.mode === "write") return action.risk !== "read";
     return false;
   });
-  return unique5(actions.map((action) => action.id));
+  return unique7(actions.map((action) => action.id));
 }
 function requiredTriggers(requirement, connector) {
-  if (requirement.requiredTriggers?.length) return unique5(requirement.requiredTriggers);
+  if (requirement.requiredTriggers?.length) return unique7(requirement.requiredTriggers);
   if (requirement.mode !== "trigger") return [];
-  return unique5((connector.triggers ?? []).map((trigger) => trigger.id));
+  return unique7((connector.triggers ?? []).map((trigger2) => trigger2.id));
 }
 function requiredScopes(requirement, connector) {
-  if (requirement.requiredScopes?.length) return unique5(requirement.requiredScopes);
+  if (requirement.requiredScopes?.length) return unique7(requirement.requiredScopes);
   const actionIds = new Set(requiredActions(requirement, connector));
   const triggerIds = new Set(requiredTriggers(requirement, connector));
-  return unique5([
+  return unique7([
     ...connector.actions.filter((action) => actionIds.has(action.id)).flatMap((action) => action.requiredScopes),
-    ...(connector.triggers ?? []).filter((trigger) => triggerIds.has(trigger.id)).flatMap((trigger) => trigger.requiredScopes)
+    ...(connector.triggers ?? []).filter((trigger2) => triggerIds.has(trigger2.id)).flatMap((trigger2) => trigger2.requiredScopes)
   ]);
 }
 function sameActor(a, b) {
   return a.type === b.type && a.id === b.id;
 }
-function unique5(values) {
+function unique7(values) {
   return [...new Set(values)];
 }
 
@@ -6284,123 +6030,6 @@ function sameActor2(a, b) {
   return a.type === b.type && a.id === b.id;
 }
 
-// src/specs/types.ts
-function specAuthToConnectorAuth(auth) {
-  if (auth.mode === "api_key") return "api_key";
-  if (auth.mode === "oauth2") return "oauth2";
-  if (auth.mode === "none") return "none";
-  return "custom";
-}
-
-// src/specs/renderers.ts
-function renderConsoleSteps(spec, options) {
-  const redirectUri = renderRedirectUri(spec, options);
-  return spec.setup.consoleSteps.map((step) => ({
-    ...step,
-    detail: renderTemplate(step.detail, spec, options, redirectUri),
-    copyValue: step.copyValue ? renderTemplate(step.copyValue, spec, options, redirectUri) : void 0
-  }));
-}
-function renderRunbookMarkdown(spec, options) {
-  const steps = renderConsoleSteps(spec, options);
-  const lines = [
-    `# ${spec.title} Integration Setup`,
-    "",
-    `- Kind: \`${spec.kind}\``,
-    `- Status: \`${spec.status}\``,
-    `- Auth: \`${spec.auth.mode}\``,
-    `- Family: \`${spec.family}\``
-  ];
-  if (spec.setup.consoleUrl) lines.push(`- Console: ${spec.setup.consoleUrl}`);
-  if (spec.setup.redirectUriTemplate) lines.push(`- Redirect URI: \`${renderRedirectUri(spec, options)}\``);
-  lines.push("", "## Credentials", "");
-  for (const field of spec.setup.credentialFields) {
-    lines.push(`- ${field.secret ? "[secret] " : ""}${field.label}${field.env ? ` (\`${field.env}\`)` : ""}: ${field.description}`);
-  }
-  lines.push("", "## Permissions", "");
-  for (const permission of spec.permissions) {
-    lines.push(`- \`${permission.normalized}\`: ${permission.providerScopes.length ? permission.providerScopes.map((scope) => `\`${scope}\``).join(", ") : "no provider scope"} - ${permission.reason}`);
-  }
-  lines.push("", "## Console Steps", "");
-  for (const [i, step] of steps.entries()) {
-    lines.push(`${i + 1}. ${step.title}: ${step.detail}`);
-  }
-  if (spec.setup.knownQuirks?.length) {
-    lines.push("", "## Known Quirks", "");
-    for (const quirk of spec.setup.knownQuirks) lines.push(`- ${quirk.severity}: ${quirk.message}`);
-  }
-  return `${lines.join("\n")}
-`;
-}
-function renderAgentToolDescription(spec) {
-  const hints = spec.plannerHints;
-  const useFor = hints?.useFor?.length ? `Use for ${hints.useFor.join(", ")}.` : `Use for ${spec.title} workflows.`;
-  const risk = hints ? `Freshness: ${hints.dataFreshness}. Write risk: ${hints.writeRisk}.` : "";
-  return `${spec.title} (${spec.kind}). ${useFor} ${risk}`.trim();
-}
-function buildHealthcheckPlan(spec) {
-  const healthcheck = spec.setup.healthcheck ?? { id: `${spec.kind}.static`, level: "static", description: "No healthcheck defined." };
-  const requires = [];
-  if (healthcheck.level === "connection") requires.push("connection_credentials");
-  if (healthcheck.level === "client_config" && spec.auth.mode === "oauth2") requires.push("client_id", "client_secret");
-  if (spec.auth.mode === "api_key") requires.push("api_key");
-  if (spec.auth.mode === "hmac") requires.push("hmac_secret");
-  return {
-    kind: spec.kind,
-    healthcheck,
-    requires,
-    message: healthcheck.description
-  };
-}
-function renderTemplate(template, spec, options, redirectUri) {
-  return template.replaceAll("{host}", options.host).replaceAll("{kind}", spec.kind).replaceAll("{redirectUri}", redirectUri ?? renderRedirectUri(spec, options));
-}
-function renderRedirectUri(spec, options) {
-  return (options.callbackPath ?? spec.setup.redirectUriTemplate ?? "").replaceAll("{host}", options.host).replaceAll("{kind}", spec.kind);
-}
-function consoleStepsToText(steps) {
-  return steps.map((step, index) => `${index + 1}. ${step.title}: ${step.detail}`).join("\n");
-}
-
-// src/specs/validation.ts
-function validateIntegrationSpec(spec) {
-  const issues = [];
-  if (!spec.kind.trim()) issues.push({ path: "kind", message: "kind is required" });
-  if (!spec.title.trim()) issues.push({ path: "title", message: "title is required" });
-  if (!spec.actions.length) issues.push({ path: "actions", message: "at least one action is required" });
-  if (!spec.permissions.length) issues.push({ path: "permissions", message: "at least one permission is required" });
-  if (spec.auth.mode === "oauth2") {
-    if (!spec.auth.authorizationUrl) issues.push({ path: "auth.authorizationUrl", message: "authorizationUrl is required" });
-    if (!spec.auth.tokenUrl) issues.push({ path: "auth.tokenUrl", message: "tokenUrl is required" });
-    if (!spec.auth.redirectUriTemplate) issues.push({ path: "auth.redirectUriTemplate", message: "redirectUriTemplate is required" });
-  }
-  const actionIds = /* @__PURE__ */ new Set();
-  for (const [index, action] of spec.actions.entries()) {
-    if (actionIds.has(action.id)) issues.push({ path: `actions[${index}].id`, message: `duplicate action id ${action.id}` });
-    actionIds.add(action.id);
-  }
-  return { ok: issues.length === 0, issues };
-}
-function assertValidIntegrationSpec(spec) {
-  const result = validateIntegrationSpec(spec);
-  if (!result.ok) {
-    throw new Error(`Invalid integration spec ${spec.kind}: ${result.issues.map((i) => `${i.path}: ${i.message}`).join("; ")}`);
-  }
-}
-function validateCredentialFormat(field, value) {
-  if (!value.trim()) return { ok: false, field: field.label, message: `${field.label} is required` };
-  if (field.regex && !new RegExp(field.regex).test(value)) {
-    return { ok: false, field: field.label, message: `${field.label} does not match expected format` };
-  }
-  return { ok: true, field: field.label };
-}
-function validateCredentialSet(spec, values) {
-  return spec.setup.credentialFields.map((field) => {
-    const key = field.env ?? field.label;
-    return validateCredentialFormat(field, values[key] ?? "");
-  });
-}
-
 // src/index.ts
 var IntegrationError = class extends Error {
   constructor(message, code) {
@@ -6485,8 +6114,8 @@ var IntegrationHub = class {
       id: `cap_${randomUUID3()}`,
       subject: request.subject,
       connectionId: request.connectionId,
-      scopes: unique6(request.scopes),
-      allowedActions: unique6(request.allowedActions),
+      scopes: unique8(request.scopes),
+      allowedActions: unique8(request.allowedActions),
       issuedAt: now.toISOString(),
       expiresAt: new Date(now.getTime() + request.ttlMs).toISOString(),
       metadata: request.metadata
@@ -6539,18 +6168,18 @@ var IntegrationHub = class {
     }
     return proceed();
   }
-  async subscribeTrigger(connectionId, trigger, targetUrl) {
+  async subscribeTrigger(connectionId, trigger2, targetUrl) {
     const connection = await this.requireConnection(connectionId);
     this.assertConnectionActive(connection);
     const provider = this.requireProvider(connection.providerId);
     const connector = await this.requireConnector(provider, connection.connectorId);
-    const spec = connector.triggers?.find((candidate) => candidate.id === trigger);
-    if (!spec) throw new IntegrationError(`Trigger ${trigger} is not defined by connector ${connector.id}.`, "action_not_found");
+    const spec = connector.triggers?.find((candidate) => candidate.id === trigger2);
+    if (!spec) throw new IntegrationError(`Trigger ${trigger2} is not defined by connector ${connector.id}.`, "action_not_found");
     assertScopes(connection, spec.requiredScopes);
     if (!provider.subscribeTrigger) {
       throw new IntegrationError(`Provider ${provider.id} does not support triggers.`, "auth_not_supported");
     }
-    return provider.subscribeTrigger(connection, trigger, targetUrl);
+    return provider.subscribeTrigger(connection, trigger2, targetUrl);
   }
   requireProvider(providerId) {
     const provider = this.providers.get(providerId);
@@ -6635,10 +6264,10 @@ function createMockIntegrationProvider(options = {}) {
       action: request.action,
       output: { echo: request.input ?? null }
     },
-    subscribeTrigger: (connection, trigger, targetUrl) => ({
-      id: `sub_${connection.id}_${trigger}`,
+    subscribeTrigger: (connection, trigger2, targetUrl) => ({
+      id: `sub_${connection.id}_${trigger2}`,
       connectionId: connection.id,
-      trigger,
+      trigger: trigger2,
       targetUrl,
       status: "active",
       createdAt: (/* @__PURE__ */ new Date(0)).toISOString()
@@ -6666,10 +6295,10 @@ function createHttpIntegrationProvider(options) {
         request
       }, options.bearer);
     },
-    async subscribeTrigger(connection, trigger, targetUrl) {
+    async subscribeTrigger(connection, trigger2, targetUrl) {
       return postJson(fetcher, `${baseUrl}/triggers/subscribe`, {
         connection,
-        trigger,
+        trigger: trigger2,
         targetUrl
       }, options.bearer);
     },
@@ -6732,12 +6361,13 @@ function base64UrlEncode(value) {
 function base64UrlDecode(value) {
   return Buffer.from(value, "base64url").toString("utf8");
 }
-function unique6(values) {
+function unique8(values) {
   return [...new Set(values)];
 }
 export {
   ACTIVEPIECES_OVERRIDES,
   ApprovalBackedPolicyEngine,
+  CANONICAL_INTEGRATION_ACTIONS,
   CredentialsExpired,
   DEFAULT_INTEGRATION_BRIDGE_ENV,
   DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
@@ -6756,17 +6386,22 @@ export {
   IntegrationError,
   IntegrationHub,
   IntegrationRuntime,
+  IntegrationRuntimeError,
   IntegrationSandboxHost,
   IntegrationWorkflowRuntime,
+  PROVIDER_PASSTHROUGH_ACTION,
   ResourceContention,
   StaticIntegrationPolicyEngine,
+  TangleIntegrationsClient,
   _resetPendingFlowsForTests,
   airtableConnector,
   asanaConnector,
   assertValidConnectorManifest,
+  assertValidIntegrationManifest,
   assertValidIntegrationSpec,
   buildActivepiecesConnectors,
   buildApprovalRequest,
+  buildCanonicalLaunchConnectors,
   buildDefaultIntegrationRegistry,
   buildHealthcheckPlan,
   buildIntegrationBridgeEnvironment,
@@ -6774,6 +6409,8 @@ export {
   buildIntegrationCoverageConnectors,
   buildIntegrationInvocationEnvelope,
   buildIntegrationToolCatalog,
+  calendarExercisePlannerManifest,
+  canonicalActionConnectorId,
   canonicalConnectorId,
   composeIntegrationRegistry,
   consoleStepsToText,
@@ -6791,16 +6428,19 @@ export {
   createIntegrationRuntime,
   createIntegrationWorkflowRuntime,
   createMockIntegrationProvider,
+  createPlatformIntegrationPolicyPreset,
+  createTangleIntegrationsClient,
   declarativeRestConnector,
   decodeIntegrationBridgePayload,
   dispatchIntegrationInvocation,
   encodeIntegrationBridgePayload,
   exchangeAuthorizationCode,
+  explainMissingRequirements,
   firstHeader,
   getActivepiecesOverride,
   getIntegrationFamily,
   getIntegrationSpec,
-  githubConnector,
+  githubConnector2 as githubConnector,
   gitlabConnector,
   googleCalendar,
   googleSheets,
@@ -6809,6 +6449,7 @@ export {
   importGraphqlConnector,
   importMcpConnector,
   importOpenApiConnector,
+  inferIntegrationManifestFromTools,
   inferIntegrationSupportTier,
   integrationCoverageChecklistMarkdown,
   integrationSpecToConnector,
@@ -6821,6 +6462,7 @@ export {
   manifestToConnector,
   microsoftCalendar,
   normalizeGatewayCatalog,
+  normalizeIntegrationError,
   normalizeIntegrationResult,
   notionDatabase,
   parseIntegrationBridgeEnvironment,
@@ -6833,6 +6475,8 @@ export {
   redactInvocationEnvelope,
   refreshAccessToken,
   renderAgentToolDescription,
+  renderApprovalCopy,
+  renderConsentSummary,
   renderConsoleSteps,
   renderRunbookMarkdown,
   resolveConnectionCredentials,
@@ -6849,6 +6493,7 @@ export {
   slackEventsConnector,
   specAuthToConnectorAuth,
   startOAuthFlow,
+  statusForCode,
   storedEventToTriggerEvent,
   stripePackConnector,
   stripeWebhookReceiverConnector,
@@ -6859,7 +6504,9 @@ export {
   validateCredentialFormat,
   validateCredentialSet,
   validateIntegrationInvocationEnvelope,
+  validateIntegrationManifest,
   validateIntegrationSpec,
+  validateProviderPassthroughRequest,
   verifyCapabilityToken,
   verifyHmacSignature,
   verifySlackSignature,