@tangle-network/agent-integrations 0.25.2 → 0.25.3

package/dist/tangle-catalog-runtime.d.ts

@@ -0,0 +1,4 @@
+export { T as TangleCatalogAuthResolverOptions, w as TangleCatalogHttpAuthResolverOptions, x as TangleCatalogHttpAuthResolverRequest, y as TangleCatalogInstalledPackageExecutorOptions, z as TangleCatalogRuntimeHandlerOptions, A as TangleCatalogRuntimeHttpRequest, B as TangleCatalogRuntimeHttpResponse, C as TangleCatalogRuntimeInvocation, D as TangleCatalogRuntimeModuleAction, E as TangleCatalogRuntimePackageCoverageOptions, F as TangleCatalogRuntimePackageCoverageRow, G as auditTangleCatalogRuntimePackages, H as createTangleCatalogCredentialAuthResolver, J as createTangleCatalogHttpAuthResolver, K as createTangleCatalogInstalledPackageExecutor, L as createTangleCatalogRuntimeHandler, N as tangleCatalogAuthValue } from './registry.js';
+import './index-BNb1A0Id.js';
+import './connectors/index.js';
+import 'node:http';

package/dist/tangle-catalog-runtime.js

@@ -0,0 +1,22 @@
+import {
+  auditTangleCatalogRuntimePackages,
+  createTangleCatalogCredentialAuthResolver,
+  createTangleCatalogHttpAuthResolver,
+  createTangleCatalogInstalledPackageExecutor,
+  createTangleCatalogRuntimeHandler,
+  tangleCatalogAuthValue
+} from "./chunk-MU3UTIOX.js";
+import "./chunk-FQAT4IEE.js";
+import "./chunk-6KWCC42J.js";
+import "./chunk-4JQ754PA.js";
+import "./chunk-376UBTNB.js";
+import "./chunk-IDX3KIPA.js";
+export {
+  auditTangleCatalogRuntimePackages,
+  createTangleCatalogCredentialAuthResolver,
+  createTangleCatalogHttpAuthResolver,
+  createTangleCatalogInstalledPackageExecutor,
+  createTangleCatalogRuntimeHandler,
+  tangleCatalogAuthValue
+};
+//# sourceMappingURL=tangle-catalog-runtime.js.map

package/dist/tangle-catalog-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/docs/platform-control-plane.md

@@ -0,0 +1,54 @@
+# Platform Control Plane Adoption
+
+Use this package when one product owns user connections and many runtimes need
+safe access to those connections.
+
+```txt
+central platform
+  owns OAuth apps, connection storage, grants, approvals, audit, healthchecks
+
+sandbox / generated app / agent runtime
+  receives a short-lived capability bundle
+  calls /v1/integrations/invoke
+  never receives provider refresh tokens or API keys
+```
+
+## Required Flow
+
+1. Product code turns app requirements into an `IntegrationManifest`.
+2. Platform resolves the manifest against the user's active connections.
+3. Missing connections or scopes return a user-facing connect/consent action.
+4. Platform creates `IntegrationGrant` records for the approved grantee.
+5. Platform issues a short-lived bundle with `buildSandboxBundle()`.
+6. Runtime receives only `TANGLE_INTEGRATION_BUNDLE`.
+7. Generated app code calls `createTangleIntegrationsClient()`.
+8. Platform verifies capability, policy, approval, idempotency, and audit before
+   invoking the provider.
+
+## Durable Installs
+
+Preview runs can build bundles by `manifestId` and `grantee`. Installed apps and
+published templates often need a narrower path: bind one app instance to known
+pre-created grants. Use explicit grant ids:
+
+```ts
+const bundle = await runtime.buildSandboxBundle({
+  grantIds: ['grant_calendar_read'],
+  subject: { type: 'sandbox', id: 'sandbox_123' },
+  grantee: { type: 'app', id: 'installed_app_123' },
+  ttlMs: 15 * 60_000,
+})
+```
+
+The runtime fails closed if a grant id is unknown, belongs to another grantee, or
+belongs to a different manifest than the requested `manifestId`.
+
+## Production Gates
+
+- Catalog-only connectors are discoverable, not executable.
+- Runtime code receives capability tokens only.
+- Writes require approval unless product policy explicitly allows them.
+- Destructive actions are denied by default.
+- Every invoke has an audit event and an idempotency key.
+- Revoke deletes credentials and stops future bundles from including the grant.
+- Resume/long-running runtimes refresh bundles before expiry.

package/docs/production-completion-checklist.md

@@ -20,6 +20,8 @@ provider credentials.
 - [x] Persistent grants from user-owned connections to apps, agents, sandboxes,
       and generated software.
 - [x] Sandbox bundles with short-lived capability tokens and tool definitions.
+- [x] Explicit grant-id bundle issuance for installed apps, published templates,
+      and durable app instances.
 - [x] Bridge payload/env helpers for sandbox processes and executor-style CLIs.
 - [x] Sandbox invocation host that validates envelopes before hub invocation and
       normalizes success, failure, and approval-required results.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tangle-network/agent-integrations",
-  "version": "0.25.2",
+  "version": "0.25.3",
   "description": "Vendor-neutral integration contracts and runtime helpers for sandbox and agent apps.",
   "homepage": "https://github.com/tangle-network/agent-integrations#readme",
   "repository": {
@@ -19,10 +19,40 @@
       "import": "./dist/index.js",
       "default": "./dist/index.js"
     },
+    "./catalog": {
+      "types": "./dist/catalog.d.ts",
+      "import": "./dist/catalog.js",
+      "default": "./dist/catalog.js"
+    },
+    "./connectors": {
+      "types": "./dist/connectors/index.d.ts",
+      "import": "./dist/connectors/index.js",
+      "default": "./dist/connectors/index.js"
+    },
+    "./connectors/adapters": {
+      "types": "./dist/connectors/adapters/index.d.ts",
+      "import": "./dist/connectors/adapters/index.js",
+      "default": "./dist/connectors/adapters/index.js"
+    },
+    "./registry": {
+      "types": "./dist/registry.d.ts",
+      "import": "./dist/registry.js",
+      "default": "./dist/registry.js"
+    },
+    "./runtime": {
+      "types": "./dist/runtime.d.ts",
+      "import": "./dist/runtime.js",
+      "default": "./dist/runtime.js"
+    },
     "./specs": {
       "types": "./dist/specs.d.ts",
       "import": "./dist/specs.js",
       "default": "./dist/specs.js"
+    },
+    "./tangle-catalog-runtime": {
+      "types": "./dist/tangle-catalog-runtime.d.ts",
+      "import": "./dist/tangle-catalog-runtime.js",
+      "default": "./dist/tangle-catalog-runtime.js"
     }
   },
   "bin": {