@tangle-network/agent-integrations 0.25.2 → 0.25.3

package/dist/connectors/adapters/index.d.ts

@@ -0,0 +1 @@
+export { G as GoogleCalendarOptions, p as GoogleSheetsOptions, H as HubSpotOptions, M as MicrosoftCalendarOptions, N as NotionDatabaseOptions, s as RestConnectorSpec, t as RestCredentialPlacement, u as RestOperationSpec, v as RestRequestSpec, S as SlackOptions, w as airtableConnector, x as asanaConnector, z as declarativeRestConnector, B as githubConnector, F as gitlabConnector, J as googleCalendar, K as googleSheets, L as hubspot, O as microsoftCalendar, P as notionDatabase, Q as salesforceConnector, T as slack, U as slackEventsConnector, V as stripePackConnector, W as stripeWebhookReceiverConnector, X as twilioSmsConnector, Z as webhookConnector } from '../../index-BNb1A0Id.js';

package/dist/connectors/adapters/index.js

@@ -0,0 +1,39 @@
+import {
+  airtableConnector,
+  asanaConnector,
+  declarativeRestConnector,
+  githubConnector,
+  gitlabConnector,
+  googleCalendar,
+  googleSheets,
+  hubspot,
+  microsoftCalendar,
+  notionDatabase,
+  salesforceConnector,
+  slack,
+  slackEventsConnector,
+  stripePackConnector,
+  stripeWebhookReceiverConnector,
+  twilioSmsConnector,
+  webhookConnector
+} from "../../chunk-IDX3KIPA.js";
+export {
+  airtableConnector,
+  asanaConnector,
+  declarativeRestConnector,
+  githubConnector,
+  gitlabConnector,
+  googleCalendar,
+  googleSheets,
+  hubspot,
+  microsoftCalendar,
+  notionDatabase,
+  salesforceConnector,
+  slack,
+  slackEventsConnector,
+  stripePackConnector,
+  stripeWebhookReceiverConnector,
+  twilioSmsConnector,
+  webhookConnector
+};
+//# sourceMappingURL=index.js.map

package/dist/connectors/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/connectors/index.d.ts

@@ -0,0 +1,180 @@
+export { A as AuthSpec, b as CASStrategy, c as Capability, d as CapabilityClass, e as CapabilityMutation, f as CapabilityMutationResult, g as CapabilityParameterSchema, h as CapabilityRead, i as CapabilityReadResult, C as ConnectorAdapter, a as ConnectorCredentials, j as ConnectorInvocation, k as ConnectorManifest, l as ConnectorManifestValidationIssue, m as ConnectorManifestValidationResult, n as ConsistencyModel, o as CredentialsExpired, D as DataSourceMetadata, E as EventHandlerResult, G as GoogleCalendarOptions, p as GoogleSheetsOptions, H as HubSpotOptions, I as InboundEvent, M as MicrosoftCalendarOptions, N as NotionDatabaseOptions, q as RateLimitSpec, R as ResolvedDataSource, r as ResourceContention, s as RestConnectorSpec, t as RestCredentialPlacement, u as RestOperationSpec, v as RestRequestSpec, S as SlackOptions, w as airtableConnector, x as asanaConnector, y as assertValidConnectorManifest, z as declarativeRestConnector, B as githubConnector, F as gitlabConnector, J as googleCalendar, K as googleSheets, L as hubspot, O as microsoftCalendar, P as notionDatabase, Q as salesforceConnector, T as slack, U as slackEventsConnector, V as stripePackConnector, W as stripeWebhookReceiverConnector, X as twilioSmsConnector, Y as validateConnectorManifest, Z as webhookConnector } from '../index-BNb1A0Id.js';
+
+/**
+ * Generic OAuth2 helper used by every oauth-shaped connector (Google
+ * Calendar, Sheets, Drive, HubSpot, Salesforce, Zoom, ...).
+ *
+ * Everything PKCE-aware. Opaque-state CSRF guard. Refresh-token aware.
+ * No connector-specific logic lives here — adapters hand a `clientId`,
+ * `clientSecret`, `tokenUrl`, optional `extraAuthParams` and the rest is
+ * mechanical.
+ *
+ * State and code_verifier are kept in a short-TTL flow store keyed by the
+ * opaque `state` we round-trip through the provider. The default store is
+ * in-memory for local/dev and tests. Production deployments should inject a
+ * durable store backed by KV/Redis/D1/etc. so callbacks can land on any worker.
+ */
+interface PendingOAuthFlow {
+    /** code_verifier for PKCE. */
+    codeVerifier: string;
+    /** Opaque-state value also returned in the OAuth redirect. */
+    state: string;
+    /** Project the user is connecting under. */
+    projectId: string;
+    /** Connector kind (e.g. 'google-calendar'). */
+    kind: string;
+    /** Operator-supplied label that becomes DataSource.label. */
+    label: string;
+    /** When we drop the entry. */
+    expiresAt: number;
+    /** The redirectUri we used in the start step — must match exactly on
+     *  the callback exchange. */
+    redirectUri: string;
+}
+interface OAuthFlowStore {
+    put(state: string, flow: PendingOAuthFlow): Promise<void> | void;
+    consume(state: string): Promise<PendingOAuthFlow | undefined> | PendingOAuthFlow | undefined;
+    sweep?(now: number): Promise<void> | void;
+    clear?(): Promise<void> | void;
+}
+declare class InMemoryOAuthFlowStore implements OAuthFlowStore {
+    private readonly pendingFlows;
+    put(state: string, flow: PendingOAuthFlow): void;
+    consume(state: string): PendingOAuthFlow | undefined;
+    sweep(now: number): void;
+    clear(): void;
+}
+interface StartOAuthInput {
+    projectId: string;
+    kind: string;
+    label: string;
+    authorizationUrl: string;
+    scopes: string[];
+    clientId: string;
+    redirectUri: string;
+    /** Optional extra query params; Google needs `access_type=offline` and
+     *  `prompt=consent` to issue refresh tokens reliably. */
+    extraAuthParams?: Record<string, string>;
+    /** Optional flow store. Use a durable store in distributed production
+     *  runtimes; omitted means local in-memory storage. */
+    store?: OAuthFlowStore;
+    /** Override clock for tests. */
+    now?: number;
+}
+interface StartOAuthOutput {
+    /** URL the SPA should redirect the user to. */
+    authorizationUrl: string;
+    /** State token — caller stashes this in localStorage to verify on
+     *  callback. */
+    state: string;
+}
+/** Build the authorization URL + state. SPA navigates the user there;
+ *  user consents; provider redirects back to redirectUri with `code` +
+ *  `state`. The caller's callback then invokes `consumePendingFlow`. */
+declare function startOAuthFlow(input: StartOAuthInput): StartOAuthOutput;
+/** Look up + remove the pending flow record. Throws if state is unknown
+ *  or expired (CSRF guard / replay protection). */
+declare function consumePendingFlow(state: string, store?: OAuthFlowStore): Promise<PendingOAuthFlow>;
+interface ExchangeCodeInput {
+    tokenUrl: string;
+    clientId: string;
+    clientSecret: string;
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+    fetchImpl?: typeof fetch;
+    signal?: AbortSignal;
+}
+interface OAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    scope?: string;
+    tokenType?: string;
+}
+/** POST authorization code → token endpoint. Provider-agnostic; if a
+ *  provider returns a non-standard JSON shape, the adapter wraps this
+ *  call rather than reaching into the helper. */
+declare function exchangeAuthorizationCode(input: ExchangeCodeInput): Promise<OAuthTokens>;
+interface RefreshInput {
+    tokenUrl: string;
+    clientId: string;
+    clientSecret: string;
+    refreshToken: string;
+    fetchImpl?: typeof fetch;
+    signal?: AbortSignal;
+}
+/** Refresh an access token. Returns the new tokens — the connector layer
+ *  is responsible for re-encrypting + persisting the envelope. */
+declare function refreshAccessToken(input: RefreshInput): Promise<OAuthTokens>;
+/** Test-only — drop pending flows between unit-test runs. */
+declare function _resetPendingFlowsForTests(): void;
+
+/**
+ * Inbound webhook signature verifiers — provider-specific HMAC schemes.
+ *
+ * Each signature scheme is a pure function:
+ *   (rawBody: string, headers, secret, now?) → boolean
+ *
+ * Constant-time comparison via `crypto.timingSafeEqual`. Timestamps are
+ * checked against a configurable tolerance to bound replay risk; the default
+ * mirrors the upstream provider's documented window (Stripe: 5 min, Slack: 5 min).
+ *
+ * These verifiers are the building blocks for any inbound-webhook receiver
+ * (a route + a `verify` call + a per-event handler). They live in this
+ * package so every consumer of the integration substrate gets correct
+ * verification — not just one product reimplementing it.
+ */
+/** Default replay-protection window. Providers commonly use 5 minutes. */
+declare const DEFAULT_SIGNATURE_TOLERANCE_SECONDS: number;
+interface ParsedStripeSignatureHeader {
+    t: number;
+    sigs: string[];
+}
+declare function parseStripeSignatureHeader(header: string): ParsedStripeSignatureHeader | null;
+interface StripeVerifyOptions {
+    /** Replay-protection window in seconds. Default 300. */
+    toleranceSeconds?: number;
+    /** Override `now()` for tests. UTC seconds. */
+    now?: number;
+}
+/** Verify a Stripe webhook signature against the raw request body. */
+declare function verifyStripeSignature(rawBody: string, signatureHeader: string, secret: string, options?: StripeVerifyOptions): boolean;
+interface SlackVerifyOptions {
+    toleranceSeconds?: number;
+    now?: number;
+}
+declare function verifySlackSignature(rawBody: string, signatureHeader: string, timestampHeader: string, secret: string, options?: SlackVerifyOptions): boolean;
+interface GenericHmacVerifyOptions {
+    /** sha256 (default) | sha1 | sha512 — matches the algorithm the receiver
+     *  computed at sign time. */
+    algorithm?: 'sha256' | 'sha1' | 'sha512';
+    /** Optional prefix the receiver prepends to the signature in the header
+     *  (e.g., `'sha256='`). Stripped before constant-time comparison. */
+    signaturePrefix?: string;
+    /** Lowercase comparison (most providers emit hex-lowercase). Default true. */
+    lowercaseHex?: boolean;
+}
+declare function verifyHmacSignature(rawBody: string, signatureHeader: string, secret: string, options?: GenericHmacVerifyOptions): boolean;
+interface TwilioVerifyOptions {
+    /** Skip verification when the auth token isn't configured. Useful in
+     *  dev where the receiver wants to accept any payload. Default `false`
+     *  — production should always require a configured token. */
+    skipWhenAuthTokenMissing?: boolean;
+    /** When true, sign the raw body instead of the URL-encoded sorted-params
+     *  reduction. Twilio uses raw-body signing for `application/json`
+     *  webhook bodies. Default `false`. */
+    bodyAsRaw?: boolean;
+    /** When `bodyAsRaw` is true, the raw body to sign. Ignored otherwise. */
+    rawBody?: string;
+}
+/** Verify a Twilio webhook signature. */
+declare function verifyTwilioSignature(input: {
+    authToken: string | null | undefined;
+    signatureHeader: string | string[] | undefined;
+    fullUrl: string | null | undefined;
+    params: Record<string, string> | undefined;
+}, options?: TwilioVerifyOptions): boolean;
+declare function firstHeader(headers: Record<string, string | string[] | undefined>, name: string): string | undefined;
+
+export { DEFAULT_SIGNATURE_TOLERANCE_SECONDS, type ExchangeCodeInput, type GenericHmacVerifyOptions, InMemoryOAuthFlowStore, type OAuthFlowStore, type OAuthTokens, type ParsedStripeSignatureHeader, type PendingOAuthFlow, type RefreshInput, type SlackVerifyOptions, type StartOAuthInput, type StartOAuthOutput, type StripeVerifyOptions, type TwilioVerifyOptions, _resetPendingFlowsForTests, consumePendingFlow, exchangeAuthorizationCode, firstHeader, parseStripeSignatureHeader, refreshAccessToken, startOAuthFlow, verifyHmacSignature, verifySlackSignature, verifyStripeSignature, verifyTwilioSignature };

package/dist/connectors/index.js

@@ -0,0 +1,74 @@
+import "../chunk-376UBTNB.js";
+import {
+  CredentialsExpired,
+  DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  InMemoryOAuthFlowStore,
+  ResourceContention,
+  _resetPendingFlowsForTests,
+  airtableConnector,
+  asanaConnector,
+  assertValidConnectorManifest,
+  consumePendingFlow,
+  declarativeRestConnector,
+  exchangeAuthorizationCode,
+  firstHeader,
+  githubConnector,
+  gitlabConnector,
+  googleCalendar,
+  googleSheets,
+  hubspot,
+  microsoftCalendar,
+  notionDatabase,
+  parseStripeSignatureHeader,
+  refreshAccessToken,
+  salesforceConnector,
+  slack,
+  slackEventsConnector,
+  startOAuthFlow,
+  stripePackConnector,
+  stripeWebhookReceiverConnector,
+  twilioSmsConnector,
+  validateConnectorManifest,
+  verifyHmacSignature,
+  verifySlackSignature,
+  verifyStripeSignature,
+  verifyTwilioSignature,
+  webhookConnector
+} from "../chunk-IDX3KIPA.js";
+export {
+  CredentialsExpired,
+  DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  InMemoryOAuthFlowStore,
+  ResourceContention,
+  _resetPendingFlowsForTests,
+  airtableConnector,
+  asanaConnector,
+  assertValidConnectorManifest,
+  consumePendingFlow,
+  declarativeRestConnector,
+  exchangeAuthorizationCode,
+  firstHeader,
+  githubConnector,
+  gitlabConnector,
+  googleCalendar,
+  googleSheets,
+  hubspot,
+  microsoftCalendar,
+  notionDatabase,
+  parseStripeSignatureHeader,
+  refreshAccessToken,
+  salesforceConnector,
+  slack,
+  slackEventsConnector,
+  startOAuthFlow,
+  stripePackConnector,
+  stripeWebhookReceiverConnector,
+  twilioSmsConnector,
+  validateConnectorManifest,
+  verifyHmacSignature,
+  verifySlackSignature,
+  verifyStripeSignature,
+  verifyTwilioSignature,
+  webhookConnector
+};
+//# sourceMappingURL=index.js.map

package/dist/connectors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}