@tangle-network/agent-integrations 0.25.2 → 0.25.4

package/dist/chunk-IDX3KIPA.js

@@ -0,0 +1,3233 @@
+// src/connectors/types.ts
+var ResourceContention = class extends Error {
+  constructor(message, alternatives = [], currentState) {
+    super(message);
+    this.alternatives = alternatives;
+    this.currentState = currentState;
+  }
+  alternatives;
+  currentState;
+  name = "ResourceContention";
+};
+var CredentialsExpired = class extends Error {
+  constructor(message, dataSourceId) {
+    super(message);
+    this.dataSourceId = dataSourceId;
+  }
+  dataSourceId;
+  name = "CredentialsExpired";
+};
+function validateConnectorManifest(manifest) {
+  const issues = [];
+  if (!manifest.kind.trim()) issues.push({ path: "kind", message: "kind is required" });
+  if (!manifest.displayName.trim()) issues.push({ path: "displayName", message: "displayName is required" });
+  const seen = /* @__PURE__ */ new Set();
+  for (const [index, capability] of manifest.capabilities.entries()) {
+    const path = `capabilities[${index}]`;
+    if (!capability.name.trim()) issues.push({ path: `${path}.name`, message: "capability name is required" });
+    if (seen.has(capability.name)) issues.push({ path: `${path}.name`, message: `duplicate capability name: ${capability.name}` });
+    seen.add(capability.name);
+    if (capability.class === "mutation") {
+      if (!capability.cas) issues.push({ path: `${path}.cas`, message: "mutation capability must declare a CAS strategy" });
+      if (manifest.defaultConsistencyModel === "authoritative" && capability.cas === "none") {
+        issues.push({ path: `${path}.cas`, message: 'authoritative mutations cannot use cas="none"' });
+      }
+    }
+  }
+  if (manifest.rateLimit) {
+    if (!Number.isFinite(manifest.rateLimit.requests) || manifest.rateLimit.requests <= 0) {
+      issues.push({ path: "rateLimit.requests", message: "rateLimit.requests must be positive" });
+    }
+    if (!Number.isFinite(manifest.rateLimit.windowMs) || manifest.rateLimit.windowMs <= 0) {
+      issues.push({ path: "rateLimit.windowMs", message: "rateLimit.windowMs must be positive" });
+    }
+  }
+  return { ok: issues.length === 0, issues };
+}
+function assertValidConnectorManifest(manifest) {
+  const result = validateConnectorManifest(manifest);
+  if (!result.ok) {
+    throw new Error(`Invalid connector manifest ${manifest.kind || "<unknown>"}: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
+  }
+}
+
+// src/connectors/oauth.ts
+import { createHash, randomBytes } from "crypto";
+var PENDING_TTL_MS = 10 * 60 * 1e3;
+var InMemoryOAuthFlowStore = class {
+  pendingFlows = /* @__PURE__ */ new Map();
+  put(state, flow) {
+    this.pendingFlows.set(state, flow);
+  }
+  consume(state) {
+    const flow = this.pendingFlows.get(state);
+    this.pendingFlows.delete(state);
+    if (!flow || flow.expiresAt <= Date.now()) return void 0;
+    return flow;
+  }
+  sweep(now) {
+    for (const [k, v] of this.pendingFlows) {
+      if (v.expiresAt <= now) this.pendingFlows.delete(k);
+    }
+  }
+  clear() {
+    this.pendingFlows.clear();
+  }
+};
+var defaultFlowStore = new InMemoryOAuthFlowStore();
+function startOAuthFlow(input) {
+  const store = input.store ?? defaultFlowStore;
+  const now = input.now ?? Date.now();
+  store.sweep?.(now);
+  const codeVerifier = base64Url(randomBytes(48));
+  const codeChallenge = base64Url(createHash("sha256").update(codeVerifier).digest());
+  const state = base64Url(randomBytes(24));
+  store.put(state, {
+    codeVerifier,
+    state,
+    projectId: input.projectId,
+    kind: input.kind,
+    label: input.label,
+    redirectUri: input.redirectUri,
+    expiresAt: now + PENDING_TTL_MS
+  });
+  const url = new URL(input.authorizationUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", input.clientId);
+  url.searchParams.set("redirect_uri", input.redirectUri);
+  url.searchParams.set("scope", input.scopes.join(" "));
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  if (input.extraAuthParams) {
+    for (const [k, v] of Object.entries(input.extraAuthParams)) {
+      url.searchParams.set(k, v);
+    }
+  }
+  return { authorizationUrl: url.toString(), state };
+}
+async function consumePendingFlow(state, store = defaultFlowStore) {
+  await store.sweep?.(Date.now());
+  const flow = await store.consume(state);
+  if (!flow) {
+    throw new Error("Unknown or expired OAuth state: possible CSRF, replay, or stale flow");
+  }
+  return flow;
+}
+async function exchangeAuthorizationCode(input) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: input.clientId,
+    client_secret: input.clientSecret,
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    code_verifier: input.codeVerifier
+  });
+  const res = await (input.fetchImpl ?? fetch)(input.tokenUrl, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" },
+    body,
+    signal: input.signal
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`OAuth token exchange failed: ${res.status} ${res.statusText} \u2014 ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return {
+    accessToken: json.access_token,
+    refreshToken: json.refresh_token,
+    expiresIn: json.expires_in,
+    scope: json.scope,
+    tokenType: json.token_type
+  };
+}
+async function refreshAccessToken(input) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: input.clientId,
+    client_secret: input.clientSecret,
+    refresh_token: input.refreshToken
+  });
+  const res = await (input.fetchImpl ?? fetch)(input.tokenUrl, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" },
+    body,
+    signal: input.signal
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`OAuth refresh failed: ${res.status} ${res.statusText} \u2014 ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return {
+    accessToken: json.access_token,
+    // Some providers omit refresh_token on refresh — keep the previous one
+    // in that case (caller passes through if undefined).
+    refreshToken: json.refresh_token,
+    expiresIn: json.expires_in,
+    scope: json.scope,
+    tokenType: json.token_type
+  };
+}
+function base64Url(buf) {
+  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function _resetPendingFlowsForTests() {
+  defaultFlowStore.clear?.();
+}
+
+// src/connectors/adapters/google-calendar.ts
+var SCOPES = ["https://www.googleapis.com/auth/calendar"];
+var AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL = "https://oauth2.googleapis.com/token";
+function googleCalendar(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      kind: "google-calendar",
+      displayName: "Google Calendar",
+      description: "Let your agent check availability and book against a Google Calendar. Conflict-resolved: two callers can't grab the same slot \u2014 the second one is offered the next free time.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL,
+        tokenUrl: TOKEN_URL,
+        scopes: SCOPES,
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET",
+        extraAuthParams: { access_type: "offline", prompt: "consent", include_granted_scopes: "true" }
+      },
+      category: "calendar",
+      defaultConsistencyModel: "authoritative",
+      // Google Calendar's per-project quota is ~600 req/min before
+      // throttling kicks in (Calendar API "Queries per minute per user",
+      // shared per OAuth client). We meter at that rate locally so the
+      // FIRST chatty agent doesn't push the shared client into Google's
+      // throttle pool and degrade everyone else's quota.
+      rateLimit: { requests: 600, windowMs: 6e4, scope: "oauth-client" },
+      capabilities: [
+        {
+          name: "list_availability",
+          class: "read",
+          description: "Look up busy/free times on the connected calendar between timeMin and timeMax (RFC3339 timestamps).",
+          parameters: {
+            type: "object",
+            properties: {
+              timeMin: { type: "string", description: "RFC3339 lower bound (inclusive)" },
+              timeMax: { type: "string", description: "RFC3339 upper bound (exclusive)" }
+            },
+            required: ["timeMin", "timeMax"]
+          }
+        },
+        {
+          name: "book_slot",
+          class: "mutation",
+          description: "Reserve a time window on the connected calendar. Returns conflict + alternatives if the slot is no longer free.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              start: { type: "string", description: "RFC3339 start time" },
+              end: { type: "string", description: "RFC3339 end time" },
+              summary: { type: "string", description: "Event title shown on the calendar" },
+              description: { type: "string", description: "Optional event description" },
+              attendees: {
+                type: "array",
+                items: { type: "string", description: "email" }
+              }
+            },
+            required: ["start", "end", "summary"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName !== "list_availability") {
+        throw new Error(`google-calendar: unknown read capability ${inv.capabilityName}`);
+      }
+      const calendarId = readMetaString(inv.source.metadata, "calendarId");
+      const { timeMin, timeMax } = inv.args;
+      const accessToken = await ensureFreshAccessToken(inv.source.credentials, clientId, clientSecret);
+      const fb = await freebusyQuery({ accessToken, calendarId, timeMin, timeMax });
+      return {
+        data: { busy: fb.busy },
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName !== "book_slot") {
+        throw new Error(`google-calendar: unknown mutation capability ${inv.capabilityName}`);
+      }
+      const calendarId = readMetaString(inv.source.metadata, "calendarId");
+      const { start, end, summary, description, attendees } = inv.args;
+      const accessToken = await ensureFreshAccessToken(inv.source.credentials, clientId, clientSecret);
+      const fb = await freebusyQuery({ accessToken, calendarId, timeMin: start, timeMax: end });
+      if (fb.busy.length > 0) {
+        const startMs = Date.parse(start);
+        const endMs = Date.parse(end);
+        const durMs = endMs - startMs;
+        const alternatives = await findNextFreeSlots({
+          accessToken,
+          calendarId,
+          searchFromMs: endMs,
+          durationMs: durMs,
+          wanted: 3
+        });
+        throw new ResourceContention(
+          `requested slot ${start}\u2013${end} is no longer free`,
+          alternatives,
+          { busy: fb.busy }
+        );
+      }
+      const requestId = inv.idempotencyKey.replace(/[^a-zA-Z0-9_:.-]/g, "_").slice(0, 1024);
+      const event = {
+        summary,
+        description,
+        start: { dateTime: start },
+        end: { dateTime: end },
+        attendees: attendees?.map((email) => ({ email }))
+      };
+      const res = await fetch(
+        `https://www.googleapis.com/calendar/v3/calendars/${encodeURIComponent(calendarId)}/events?conferenceDataVersion=0&sendUpdates=none&requestId=${encodeURIComponent(requestId)}`,
+        {
+          method: "POST",
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+            "content-type": "application/json"
+          },
+          body: JSON.stringify(event),
+          signal: AbortSignal.timeout(15e3)
+        }
+      );
+      if (res.status === 409) {
+        const dup = await res.json().catch(() => ({}));
+        return {
+          status: "committed",
+          data: dup,
+          etagAfter: dup.etag,
+          committedAt: Date.now(),
+          idempotentReplay: true
+        };
+      }
+      if (res.status === 401 || res.status === 403) {
+        throw new CredentialsExpired(`Google Calendar rejected token (${res.status})`, inv.source.id);
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`google-calendar book_slot ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const created = await res.json();
+      return {
+        status: "committed",
+        data: { eventId: created.id, htmlLink: created.htmlLink },
+        etagAfter: created.etag,
+        committedAt: Date.now(),
+        idempotentReplay: false
+      };
+    },
+    async exchangeOAuth(input) {
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? SCOPES,
+        metadata: { calendarId: "primary" }
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("google-calendar.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken(source.credentials, clientId, clientSecret);
+        const calendarId = readMetaString(source.metadata, "calendarId");
+        const url = `https://www.googleapis.com/calendar/v3/calendars/${encodeURIComponent(calendarId)}`;
+        const res = await fetch(url, {
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403) {
+          return { ok: false, reason: `Google rejected token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `Google returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function freebusyQuery(input) {
+  const res = await fetch("https://www.googleapis.com/calendar/v3/freeBusy", {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${input.accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify({
+      timeMin: input.timeMin,
+      timeMax: input.timeMax,
+      items: [{ id: input.calendarId }]
+    }),
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`freebusy ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return { busy: json.calendars?.[input.calendarId]?.busy ?? [] };
+}
+async function findNextFreeSlots(input) {
+  const horizonMs = input.searchFromMs + 14 * 24 * 60 * 60 * 1e3;
+  const out = [];
+  let cursor = input.searchFromMs;
+  while (cursor < horizonMs && out.length < input.wanted) {
+    const windowEnd = Math.min(cursor + 24 * 60 * 60 * 1e3, horizonMs);
+    const fb = await freebusyQuery({
+      accessToken: input.accessToken,
+      calendarId: input.calendarId,
+      timeMin: new Date(cursor).toISOString(),
+      timeMax: new Date(windowEnd).toISOString()
+    });
+    const busy = fb.busy.map((b) => ({ s: Date.parse(b.start), e: Date.parse(b.end) })).filter((b) => Number.isFinite(b.s) && Number.isFinite(b.e)).sort((a, b) => a.s - b.s);
+    let pos = cursor;
+    for (const b of busy) {
+      if (out.length >= input.wanted) break;
+      if (b.s > pos && b.s - pos >= input.durationMs) {
+        out.push({ start: new Date(pos).toISOString(), end: new Date(pos + input.durationMs).toISOString() });
+      }
+      pos = Math.max(pos, b.e);
+    }
+    if (out.length < input.wanted && windowEnd - pos >= input.durationMs) {
+      out.push({ start: new Date(pos).toISOString(), end: new Date(pos + input.durationMs).toISOString() });
+    }
+    cursor = windowEnd;
+  }
+  return out.slice(0, input.wanted);
+}
+async function ensureFreshAccessToken(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("google-calendar: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("Google Calendar access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+function readMetaString(meta, key) {
+  const v = meta[key];
+  if (typeof v !== "string" || v.length === 0) {
+    throw new Error(`google-calendar DataSource.metadata.${key} is missing`);
+  }
+  return v;
+}
+
+// src/connectors/adapters/google-sheets.ts
+import { createHash as createHash2 } from "crypto";
+var SCOPES2 = ["https://www.googleapis.com/auth/spreadsheets"];
+var AUTH_URL2 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+function googleSheets(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      kind: "google-sheets",
+      displayName: "Google Sheets",
+      description: "Bind your agent's knowledge base or pricing/availability lookup to a live Google Sheet. Edit the sheet, and the agent picks up changes \u2014 no redeploys.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL2,
+        tokenUrl: TOKEN_URL2,
+        scopes: SCOPES2,
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET",
+        extraAuthParams: { access_type: "offline", prompt: "consent", include_granted_scopes: "true" }
+      },
+      category: "spreadsheet",
+      defaultConsistencyModel: "cache",
+      // Sheets API caps OAuth-client-wide reads + writes at 300 req/min
+      // each (Google's published quotas: "Read requests per minute per
+      // project" and the matching write bucket). We meter the tighter of
+      // the two so neither side exhausts before us.
+      rateLimit: { requests: 300, windowMs: 6e4, scope: "oauth-client" },
+      capabilities: [
+        {
+          name: "list_rows",
+          class: "read",
+          description: "Return rows from the connected sheet. Each row is keyed by the header cells declared at connect time.",
+          parameters: {
+            type: "object",
+            properties: {
+              limit: { type: "integer", minimum: 1, maximum: 500, default: 100 }
+            }
+          }
+        },
+        {
+          name: "query_rows",
+          class: "read",
+          description: "Return rows matching every key=value pair in `predicate` (string equality, case-insensitive).",
+          parameters: {
+            type: "object",
+            properties: {
+              predicate: {
+                type: "object",
+                additionalProperties: { type: "string" }
+              },
+              limit: { type: "integer", minimum: 1, maximum: 500, default: 100 }
+            },
+            required: ["predicate"]
+          }
+        },
+        {
+          name: "update_row",
+          class: "mutation",
+          description: "Update a row identified by `rowKey` (the value in the configured key column). Patch is a {column: newValue} map. Returns conflict if the row changed since the agent last read it.",
+          cas: "optimistic-read-verify",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              rowKey: { type: "string", description: "Value in the key column identifying the row to update." },
+              patch: {
+                type: "object",
+                additionalProperties: { type: "string" }
+              },
+              expectedFingerprint: {
+                type: "string",
+                description: "Optional. The fingerprint the agent read on its last list_rows/query_rows call. If supplied and stale, the update is rejected with conflict."
+              }
+            },
+            required: ["rowKey", "patch"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      const meta = readSheetMeta(inv.source.metadata);
+      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      const rows = await fetchAllRows(accessToken, meta);
+      const limit = clampLimit(inv.args.limit, 100);
+      let filtered = rows;
+      if (inv.capabilityName === "query_rows") {
+        const predicate = inv.args.predicate ?? {};
+        filtered = rows.filter((row) => matchesPredicate(row, predicate));
+      } else if (inv.capabilityName !== "list_rows") {
+        throw new Error(`google-sheets: unknown read ${inv.capabilityName}`);
+      }
+      const sliced = filtered.slice(0, limit);
+      return {
+        data: {
+          rows: sliced.map((r) => ({ ...r.values, _fingerprint: r.fingerprint, _rowIndex: r.rowIndex })),
+          total: filtered.length,
+          truncated: filtered.length > sliced.length
+        },
+        etag: meta.etag,
+        // currently undefined — Sheets values.get doesn't surface etag; row-level fingerprints are the conflict signal
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName !== "update_row") {
+        throw new Error(`google-sheets: unknown mutation ${inv.capabilityName}`);
+      }
+      const meta = readSheetMeta(inv.source.metadata);
+      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      const { rowKey, patch, expectedFingerprint } = inv.args;
+      const rows = await fetchAllRows(accessToken, meta);
+      const target = rows.find((r) => normalizeKey(r.values[meta.keyColumn]) === normalizeKey(rowKey));
+      if (!target) {
+        throw new ResourceContention(
+          `row with key "${rowKey}" not found`,
+          [],
+          { availableRows: rows.length }
+        );
+      }
+      if (expectedFingerprint && expectedFingerprint !== target.fingerprint) {
+        throw new ResourceContention(
+          `row "${rowKey}" was modified since the agent last read it; re-read and try again`,
+          [],
+          { current: target.values, currentFingerprint: target.fingerprint }
+        );
+      }
+      const updatedValues = meta.headers.map(
+        (h) => h in patch ? String(patch[h]) : target.values[h] ?? ""
+      );
+      const range = `${meta.sheetName}!A${target.rowIndex + 1}:${columnIndexToLetter(meta.headers.length - 1)}${target.rowIndex + 1}`;
+      const url = `https://sheets.googleapis.com/v4/spreadsheets/${encodeURIComponent(meta.spreadsheetId)}/values/${encodeURIComponent(range)}?valueInputOption=USER_ENTERED`;
+      const res = await fetch(url, {
+        method: "PUT",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify({ values: [updatedValues] }),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (res.status === 401 || res.status === 403) {
+        throw new CredentialsExpired(`Google Sheets rejected token (${res.status})`, inv.source.id);
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`google-sheets update_row ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const updatedValuesByHeader = Object.fromEntries(
+        meta.headers.map((h, i) => [h, updatedValues[i] ?? ""])
+      );
+      return {
+        status: "committed",
+        data: {
+          row: updatedValuesByHeader,
+          fingerprint: rowFingerprint(updatedValuesByHeader),
+          updatedRange: range
+        },
+        etagAfter: rowFingerprint(updatedValuesByHeader),
+        committedAt: Date.now(),
+        idempotentReplay: false
+      };
+    },
+    async exchangeOAuth(input) {
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL2,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? SCOPES2,
+        // Operator must select the spreadsheet + range post-connect; we
+        // can't infer it during the OAuth handshake.
+        metadata: { spreadsheetId: "", sheetName: "Sheet1", headerRow: 1, keyColumn: "" }
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("google-sheets.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL2,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken2(source.credentials, clientId, clientSecret);
+        const meta = readSheetMeta(source.metadata);
+        if (!meta.spreadsheetId) {
+          return { ok: false, reason: "spreadsheetId not configured \u2014 pick a sheet in the connection settings" };
+        }
+        const url = `https://sheets.googleapis.com/v4/spreadsheets/${encodeURIComponent(meta.spreadsheetId)}?fields=spreadsheetId,properties.title`;
+        const res = await fetch(url, {
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403) {
+          return { ok: false, reason: `Google rejected token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `Google returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+function readSheetMeta(meta) {
+  const spreadsheetId = String(meta.spreadsheetId ?? "");
+  const sheetName = String(meta.sheetName ?? "Sheet1");
+  const headerRow = Number(meta.headerRow ?? 1);
+  const keyColumn = String(meta.keyColumn ?? "");
+  const headers = Array.isArray(meta.headers) ? meta.headers.map(String) : [];
+  if (!spreadsheetId || !keyColumn) {
+    throw new Error("google-sheets metadata missing spreadsheetId or keyColumn");
+  }
+  return { spreadsheetId, sheetName, headerRow, keyColumn, headers };
+}
+async function fetchAllRows(accessToken, meta) {
+  const range = `${meta.sheetName}`;
+  const url = `https://sheets.googleapis.com/v4/spreadsheets/${encodeURIComponent(meta.spreadsheetId)}/values/${encodeURIComponent(range)}`;
+  const res = await fetch(url, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Google Sheets rejected token (${res.status})`, "");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`google-sheets values.get ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  const grid = json.values ?? [];
+  if (grid.length === 0) return [];
+  const headers = meta.headers.length > 0 ? meta.headers : grid[meta.headerRow - 1] ?? [];
+  if (headers.length === 0) return [];
+  const dataRows = grid.slice(meta.headerRow);
+  return dataRows.map((rowCells, i) => {
+    const values = {};
+    for (let c = 0; c < headers.length; c++) {
+      values[headers[c]] = (rowCells[c] ?? "").toString();
+    }
+    return {
+      // rowIndex is the absolute row in the sheet (1-indexed) where this
+      // row's data lives. Header is at meta.headerRow. So this row is at
+      // headerRow + i + 1 (1-indexed).
+      rowIndex: meta.headerRow + i,
+      values,
+      fingerprint: rowFingerprint(values)
+    };
+  });
+}
+function rowFingerprint(values) {
+  const keys = Object.keys(values).sort();
+  const blob = keys.map((k) => `${k}=${values[k]}`).join("
");
+  return createHash2("sha256").update(blob).digest("hex").slice(0, 16);
+}
+function matchesPredicate(row, predicate) {
+  for (const [k, v] of Object.entries(predicate)) {
+    const cell = row.values[k];
+    if (cell === void 0) return false;
+    if (cell.toLowerCase().trim() !== String(v).toLowerCase().trim()) return false;
+  }
+  return true;
+}
+function normalizeKey(s) {
+  return (s ?? "").trim().toLowerCase();
+}
+function clampLimit(v, dflt) {
+  const n = typeof v === "number" ? v : Number(v);
+  if (!Number.isFinite(n) || n <= 0) return dflt;
+  return Math.min(Math.max(1, Math.floor(n)), 500);
+}
+function columnIndexToLetter(idx) {
+  let n = idx;
+  let s = "";
+  while (n >= 0) {
+    s = String.fromCharCode(n % 26 + 65) + s;
+    n = Math.floor(n / 26) - 1;
+  }
+  return s;
+}
+async function ensureFreshAccessToken2(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("google-sheets: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("Google Sheets access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL2,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+
+// src/connectors/adapters/microsoft-calendar.ts
+var SCOPES3 = [
+  "https://graph.microsoft.com/Calendars.ReadWrite",
+  // offline_access is required to receive a refresh_token from the v2.0
+  // endpoint; without it Graph hands back access tokens only and the
+  // connection silently dies after ~1 hour.
+  "offline_access"
+];
+var AUTH_URL3 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+var TOKEN_URL3 = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+function microsoftCalendar(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      kind: "microsoft-calendar",
+      displayName: "Microsoft Calendar (Outlook 365)",
+      description: "Let your agent check availability and book against an Outlook / Microsoft 365 calendar. Conflict-resolved via Graph's getSchedule pre-flight; etag-guarded on event updates.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL3,
+        tokenUrl: TOKEN_URL3,
+        scopes: SCOPES3,
+        clientIdEnv: "MS_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MS_OAUTH_CLIENT_SECRET"
+        // Microsoft v2.0 doesn't need extra params to issue a refresh_token
+        // as long as `offline_access` is in scopes (above).
+      },
+      category: "calendar",
+      defaultConsistencyModel: "authoritative",
+      capabilities: [
+        {
+          name: "list_availability",
+          class: "read",
+          description: "Look up busy windows on the connected Outlook calendar between timeMin and timeMax (RFC3339 timestamps).",
+          parameters: {
+            type: "object",
+            properties: {
+              timeMin: { type: "string", description: "ISO8601 lower bound (inclusive)" },
+              timeMax: { type: "string", description: "ISO8601 upper bound (exclusive)" }
+            },
+            required: ["timeMin", "timeMax"]
+          }
+        },
+        {
+          name: "book_slot",
+          class: "mutation",
+          description: "Reserve a time window on the connected Outlook calendar. Returns conflict + alternatives if the slot is no longer free.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              start: { type: "string", description: "ISO8601 start time" },
+              end: { type: "string", description: "ISO8601 end time" },
+              summary: { type: "string", description: "Event title (subject)" },
+              description: { type: "string", description: "Optional event body" },
+              attendees: {
+                type: "array",
+                items: { type: "string", description: "attendee email" }
+              }
+            },
+            required: ["start", "end", "summary"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName !== "list_availability") {
+        throw new Error(`microsoft-calendar: unknown read capability ${inv.capabilityName}`);
+      }
+      const userPrincipal = readMetaString2(inv.source.metadata, "userPrincipal");
+      const { timeMin, timeMax } = inv.args;
+      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
+      const busy = await getScheduleBusy({ accessToken, userPrincipal, timeMin, timeMax });
+      return {
+        data: { busy },
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName !== "book_slot") {
+        throw new Error(`microsoft-calendar: unknown mutation capability ${inv.capabilityName}`);
+      }
+      const userPrincipal = readMetaString2(inv.source.metadata, "userPrincipal");
+      const { start, end, summary, description, attendees } = inv.args;
+      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
+      const busy = await getScheduleBusy({ accessToken, userPrincipal, timeMin: start, timeMax: end });
+      if (busy.length > 0) {
+        const startMs = Date.parse(start);
+        const endMs = Date.parse(end);
+        const durMs = endMs - startMs;
+        const alternatives = await findNextFreeSlots2({
+          accessToken,
+          userPrincipal,
+          searchFromMs: endMs,
+          durationMs: durMs,
+          wanted: 3
+        });
+        throw new ResourceContention(
+          `requested slot ${start}\u2013${end} is no longer free`,
+          alternatives,
+          { busy }
+        );
+      }
+      const event = {
+        subject: summary,
+        body: description ? { contentType: "text", content: description } : void 0,
+        start: { dateTime: start, timeZone: "UTC" },
+        end: { dateTime: end, timeZone: "UTC" },
+        attendees: attendees?.map((email) => ({
+          emailAddress: { address: email },
+          type: "required"
+        }))
+      };
+      const res = await fetch("https://graph.microsoft.com/v1.0/me/events", {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify(event),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (res.status === 401 || res.status === 403) {
+        throw new CredentialsExpired(`Microsoft Graph rejected token (${res.status})`, inv.source.id);
+      }
+      if (res.status === 412 || res.status === 409) {
+        throw new ResourceContention(
+          `Microsoft Graph reported conflict on book_slot (${res.status})`,
+          []
+        );
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`microsoft-calendar book_slot ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const created = await res.json();
+      return {
+        status: "committed",
+        data: { eventId: created.id, webLink: created.webLink },
+        etagAfter: created["@odata.etag"],
+        committedAt: Date.now(),
+        idempotentReplay: false
+      };
+    },
+    async exchangeOAuth(input) {
+      if (!clientId || !clientSecret) {
+        throw new Error("Microsoft OAuth client not configured (MS_OAUTH_CLIENT_ID / _SECRET)");
+      }
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL3,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? SCOPES3,
+        // Operator picks the shared mailbox / room calendar post-connect.
+        // Default to the authenticated user's own primary calendar via 'me'.
+        metadata: { userPrincipal: "me" }
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("microsoft-calendar.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL3,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken3(source.credentials, clientId, clientSecret);
+        const res = await fetch("https://graph.microsoft.com/v1.0/me?$select=id", {
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403) {
+          return { ok: false, reason: `Microsoft rejected token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `Microsoft Graph returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function getScheduleBusy(input) {
+  const target = input.userPrincipal === "me" ? "me" : input.userPrincipal;
+  const url = "https://graph.microsoft.com/v1.0/me/calendar/getSchedule";
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${input.accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify({
+      schedules: [target],
+      startTime: { dateTime: input.timeMin, timeZone: "UTC" },
+      endTime: { dateTime: input.timeMax, timeZone: "UTC" },
+      availabilityViewInterval: 30
+    }),
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Microsoft Graph rejected token (${res.status})`, "");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`microsoft-calendar getSchedule ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  const items = json.value?.[0]?.scheduleItems ?? [];
+  return items.filter((it) => it.status && it.status !== "free" && it.start && it.end).map((it) => ({ start: it.start.dateTime, end: it.end.dateTime }));
+}
+async function findNextFreeSlots2(input) {
+  const horizonMs = input.searchFromMs + 14 * 24 * 60 * 60 * 1e3;
+  const out = [];
+  let cursor = input.searchFromMs;
+  while (cursor < horizonMs && out.length < input.wanted) {
+    const windowEnd = Math.min(cursor + 24 * 60 * 60 * 1e3, horizonMs);
+    const busy = await getScheduleBusy({
+      accessToken: input.accessToken,
+      userPrincipal: input.userPrincipal,
+      timeMin: new Date(cursor).toISOString(),
+      timeMax: new Date(windowEnd).toISOString()
+    });
+    const norm = busy.map((b) => ({ s: Date.parse(b.start), e: Date.parse(b.end) })).filter((b) => Number.isFinite(b.s) && Number.isFinite(b.e)).sort((a, b) => a.s - b.s);
+    let pos = cursor;
+    for (const b of norm) {
+      if (out.length >= input.wanted) break;
+      if (b.s > pos && b.s - pos >= input.durationMs) {
+        out.push({ start: new Date(pos).toISOString(), end: new Date(pos + input.durationMs).toISOString() });
+      }
+      pos = Math.max(pos, b.e);
+    }
+    if (out.length < input.wanted && windowEnd - pos >= input.durationMs) {
+      out.push({ start: new Date(pos).toISOString(), end: new Date(pos + input.durationMs).toISOString() });
+    }
+    cursor = windowEnd;
+  }
+  return out.slice(0, input.wanted);
+}
+async function ensureFreshAccessToken3(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("microsoft-calendar: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("Microsoft Calendar access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL3,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+function readMetaString2(meta, key) {
+  const v = meta[key];
+  if (typeof v !== "string" || v.length === 0) {
+    throw new Error(`microsoft-calendar DataSource.metadata.${key} is missing`);
+  }
+  return v;
+}
+
+// src/connectors/adapters/hubspot.ts
+var SCOPES4 = [
+  "crm.objects.contacts.read",
+  "crm.objects.contacts.write"
+];
+var AUTH_URL4 = "https://app.hubspot.com/oauth/authorize";
+var TOKEN_URL4 = "https://api.hubapi.com/oauth/v1/token";
+var API = "https://api.hubapi.com";
+function hubspot(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      kind: "hubspot",
+      displayName: "HubSpot CRM",
+      description: "Look up callers in HubSpot, upsert contacts without duplicates, and log call notes as CRM activities. Three capabilities \u2014 the voice-agent's CRM hot path.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL4,
+        tokenUrl: TOKEN_URL4,
+        scopes: SCOPES4,
+        clientIdEnv: "HUBSPOT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "HUBSPOT_OAUTH_CLIENT_SECRET"
+      },
+      category: "crm",
+      defaultConsistencyModel: "authoritative",
+      capabilities: [
+        {
+          name: "find_contact",
+          class: "read",
+          description: "Search HubSpot contacts by email. Returns the first match or {found:false}.",
+          parameters: {
+            type: "object",
+            properties: { email: { type: "string", description: "Email to search for (case-insensitive)." } },
+            required: ["email"]
+          }
+        },
+        {
+          name: "upsert_contact",
+          class: "mutation",
+          description: "Create-or-update a contact identified by email. Returns the contact id and a `created` flag indicating whether the row was new.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              email: { type: "string" },
+              properties: {
+                type: "object",
+                additionalProperties: { type: "string" },
+                description: "Property map (firstname, lastname, phone, company, \u2026)."
+              }
+            },
+            required: ["email"]
+          }
+        },
+        {
+          name: "create_note",
+          class: "mutation",
+          description: "Log a note engagement against a contact. Append-only \u2014 note bodies do not conflict.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              contactId: { type: "string" },
+              body: { type: "string", description: "Note body (HTML or plain text)." }
+            },
+            required: ["contactId", "body"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName !== "find_contact") {
+        throw new Error(`hubspot: unknown read capability ${inv.capabilityName}`);
+      }
+      const { email } = inv.args;
+      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
+      const res = await fetch(`${API}/crm/v3/objects/contacts/search`, {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify({
+          filterGroups: [
+            {
+              filters: [{ propertyName: "email", operator: "EQ", value: email.toLowerCase() }]
+            }
+          ],
+          properties: ["email", "firstname", "lastname", "phone", "company"],
+          limit: 1
+        }),
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.status === 401) {
+        throw new CredentialsExpired(`HubSpot rejected token (401)`, inv.source.id);
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`hubspot find_contact ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      const first = json.results?.[0];
+      return {
+        data: first ? { found: true, contact: { id: first.id, properties: first.properties } } : { found: false },
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
+      if (inv.capabilityName === "upsert_contact") {
+        return upsertContact(inv, accessToken);
+      }
+      if (inv.capabilityName === "create_note") {
+        return createNote(inv, accessToken);
+      }
+      throw new Error(`hubspot: unknown mutation capability ${inv.capabilityName}`);
+    },
+    async exchangeOAuth(input) {
+      if (!clientId || !clientSecret) {
+        throw new Error("HubSpot OAuth client not configured (HUBSPOT_OAUTH_CLIENT_ID / _SECRET)");
+      }
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL4,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? SCOPES4,
+        metadata: {}
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("hubspot.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL4,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken4(source.credentials, clientId, clientSecret);
+        const res = await fetch(`${API}/oauth/v1/access-tokens/${encodeURIComponent(accessToken)}`, {
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403 || res.status === 404) {
+          return { ok: false, reason: `HubSpot rejected token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `HubSpot returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function upsertContact(inv, accessToken) {
+  const { email, properties } = inv.args;
+  const idemKey = sanitizeIdempotencyKey(inv.idempotencyKey);
+  const url = `${API}/crm/v3/objects/contacts/batch/upsert?idempotencyKey=${encodeURIComponent(idemKey)}`;
+  const body = {
+    inputs: [
+      {
+        idProperty: "email",
+        id: email.toLowerCase(),
+        properties: { email: email.toLowerCase(), ...properties ?? {} }
+      }
+    ]
+  };
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired(`HubSpot rejected token (401)`, inv.source.id);
+  }
+  if (res.status === 409) {
+    const text = await res.text().catch(() => "");
+    throw new ResourceContention(`hubspot upsert_contact conflict: ${text.slice(0, 200)}`);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`hubspot upsert_contact ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  const first = json.results?.[0];
+  if (!first) {
+    throw new Error("hubspot upsert_contact: empty results array");
+  }
+  const created = first.createdAt && first.updatedAt && first.createdAt === first.updatedAt;
+  return {
+    status: "committed",
+    data: { contactId: first.id, created: Boolean(created) },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function createNote(inv, accessToken) {
+  const { contactId, body } = inv.args;
+  const idemKey = sanitizeIdempotencyKey(inv.idempotencyKey);
+  const url = `${API}/crm/v3/objects/notes/batch/create?idempotencyKey=${encodeURIComponent(idemKey)}`;
+  const payload = {
+    inputs: [
+      {
+        properties: {
+          hs_note_body: body,
+          hs_timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        },
+        associations: [
+          {
+            to: { id: contactId },
+            // 202 = note→contact association type id (standard HubSpot mapping)
+            types: [{ associationCategory: "HUBSPOT_DEFINED", associationTypeId: 202 }]
+          }
+        ]
+      }
+    ]
+  };
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired(`HubSpot rejected token (401)`, inv.source.id);
+  }
+  if (res.status === 409) {
+    const text = await res.text().catch(() => "");
+    throw new ResourceContention(`hubspot create_note conflict: ${text.slice(0, 200)}`);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`hubspot create_note ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  const first = json.results?.[0];
+  if (!first) {
+    throw new Error("hubspot create_note: empty results array");
+  }
+  return {
+    status: "committed",
+    data: { noteId: first.id },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+function sanitizeIdempotencyKey(k) {
+  return k.replace(/[^A-Za-z0-9_-]/g, "_").slice(0, 64);
+}
+async function ensureFreshAccessToken4(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("hubspot: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("HubSpot access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL4,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+
+// src/connectors/adapters/slack.ts
+var SCOPES5 = ["chat:write", "users:read", "users:read.email", "channels:read"];
+var AUTH_URL5 = "https://slack.com/oauth/v2/authorize";
+var TOKEN_URL5 = "https://slack.com/api/oauth.v2.access";
+var API2 = "https://slack.com/api";
+function slack(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      // The inbound Events API receiver registers kind `slack-inbound`
+      // (hmac signing-secret auth). This connector — kind `slack` —
+      // carries the OAuth bot-token outbound surface. Two kinds, one
+      // logical product, deliberately split because the credential shapes
+      // are different (HMAC secret vs bot OAuth) and operators commonly
+      // wire one without the other.
+      kind: "slack",
+      displayName: "Slack",
+      description: "Post messages from the agent into Slack, look up users by email, and list channels. Advisory surface \u2014 Slack posts are informational, not transactional.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL5,
+        tokenUrl: TOKEN_URL5,
+        scopes: SCOPES5,
+        clientIdEnv: "SLACK_OAUTH_CLIENT_ID",
+        clientSecretEnv: "SLACK_OAUTH_CLIENT_SECRET"
+      },
+      category: "comms",
+      defaultConsistencyModel: "advisory",
+      capabilities: [
+        {
+          name: "post_message",
+          class: "mutation",
+          description: "Post a message from the bot to a channel or user DM. Append-only \u2014 no CAS.",
+          cas: "none",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              channel: { type: "string", description: "Channel id (C\u2026) or user id (U\u2026) for DM." },
+              text: { type: "string" },
+              blocks: { type: "array", description: "Optional Slack Block Kit blocks." }
+            },
+            required: ["channel"]
+          }
+        },
+        {
+          name: "lookup_user",
+          class: "read",
+          description: "Look up a Slack workspace user by email.",
+          parameters: {
+            type: "object",
+            properties: { email: { type: "string" } },
+            required: ["email"]
+          }
+        },
+        {
+          name: "list_channels",
+          class: "read",
+          description: "List channels visible to the bot. `types` defaults to public_channel,private_channel.",
+          parameters: {
+            type: "object",
+            properties: {
+              types: { type: "string", description: "Comma-separated channel types." },
+              limit: { type: "integer", minimum: 1, maximum: 1e3, default: 200 }
+            }
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      const accessToken = readBotToken(inv.source.credentials);
+      if (inv.capabilityName === "lookup_user") {
+        const { email } = inv.args;
+        const url = `${API2}/users.lookupByEmail?email=${encodeURIComponent(email)}`;
+        const json = await slackGet(url, accessToken, inv.source.id);
+        if (!json.ok) {
+          if (json.error === "users_not_found") {
+            return { data: { found: false }, fetchedAt: Date.now() };
+          }
+          throw new Error(`slack lookup_user: ${json.error ?? "unknown"}`);
+        }
+        const u = json.user;
+        return {
+          data: { found: true, user: u ? { id: u.id, name: u.name, realName: u.real_name } : null },
+          fetchedAt: Date.now()
+        };
+      }
+      if (inv.capabilityName === "list_channels") {
+        const { types, limit } = inv.args;
+        const params = new URLSearchParams({
+          limit: String(Math.min(Math.max(1, limit ?? 200), 1e3)),
+          types: types ?? "public_channel,private_channel"
+        });
+        const json = await slackGet(`${API2}/conversations.list?${params.toString()}`, accessToken, inv.source.id);
+        if (!json.ok) {
+          throw new Error(`slack list_channels: ${json.error ?? "unknown"}`);
+        }
+        const channels = json.channels ?? [];
+        return {
+          data: { channels: channels.map((c) => ({ id: c.id, name: c.name, isPrivate: c.is_private ?? false })) },
+          fetchedAt: Date.now()
+        };
+      }
+      throw new Error(`slack: unknown read capability ${inv.capabilityName}`);
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName !== "post_message") {
+        throw new Error(`slack: unknown mutation capability ${inv.capabilityName}`);
+      }
+      const accessToken = readBotToken(inv.source.credentials);
+      const { channel, text, blocks } = inv.args;
+      const res = await fetch(`${API2}/chat.postMessage`, {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          "content-type": "application/json; charset=utf-8"
+        },
+        body: JSON.stringify({ channel, text, blocks }),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (res.status === 401) {
+        throw new CredentialsExpired("Slack rejected token (401)", inv.source.id);
+      }
+      if (!res.ok) {
+        const t = await res.text().catch(() => "");
+        throw new Error(`slack post_message HTTP ${res.status}: ${t.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      if (!json.ok) {
+        if (json.error === "invalid_auth" || json.error === "token_expired" || json.error === "not_authed" || json.error === "token_revoked") {
+          throw new CredentialsExpired(`Slack rejected token: ${json.error}`, inv.source.id);
+        }
+        throw new Error(`slack post_message: ${json.error ?? "unknown"}`);
+      }
+      return {
+        status: "committed",
+        data: { ts: json.ts, channel: json.channel },
+        committedAt: Date.now(),
+        idempotentReplay: false
+      };
+    },
+    async exchangeOAuth(input) {
+      if (!clientId || !clientSecret) {
+        throw new Error("Slack OAuth client not configured (SLACK_OAUTH_CLIENT_ID / _SECRET)");
+      }
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL5,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/[,\s]+/) ?? SCOPES5,
+        metadata: {}
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        return creds;
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL5,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = readBotToken(source.credentials);
+        const res = await fetch(`${API2}/auth.test`, {
+          method: "POST",
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (!res.ok) return { ok: false, reason: `Slack returned ${res.status}` };
+        const json = await res.json();
+        if (!json.ok) {
+          return { ok: false, reason: `Slack auth.test: ${json.error ?? "unknown"} \u2014 reconnect required` };
+        }
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+function readBotToken(creds) {
+  if (creds.kind !== "oauth2" || typeof creds.accessToken !== "string") {
+    throw new Error("slack: expected oauth2 credentials");
+  }
+  return creds.accessToken;
+}
+async function slackGet(url, accessToken, dataSourceId) {
+  const res = await fetch(url, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired("Slack rejected token (401)", dataSourceId);
+  }
+  if (!res.ok) {
+    const t = await res.text().catch(() => "");
+    throw new Error(`slack HTTP ${res.status}: ${t.slice(0, 200)}`);
+  }
+  return await res.json();
+}
+
+// src/connectors/adapters/notion-database.ts
+var AUTH_URL6 = "https://api.notion.com/v1/oauth/authorize";
+var TOKEN_URL6 = "https://api.notion.com/v1/oauth/token";
+var API3 = "https://api.notion.com/v1";
+var NOTION_VERSION = "2022-06-28";
+function notionDatabase(opts) {
+  const { clientId, clientSecret } = opts;
+  const adapter = {
+    manifest: {
+      kind: "notion-database",
+      displayName: "Notion (database)",
+      description: "Query a Notion database, create new pages, and update existing ones with optimistic concurrency via last_edited_time.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL6,
+        tokenUrl: TOKEN_URL6,
+        // Notion does not use OAuth scopes — the workspace owner picks
+        // which pages/databases the integration sees during install. We
+        // declare an empty scope list so the consent screen renders cleanly.
+        scopes: [],
+        clientIdEnv: "NOTION_OAUTH_CLIENT_ID",
+        clientSecretEnv: "NOTION_OAUTH_CLIENT_SECRET",
+        extraAuthParams: { owner: "user" }
+      },
+      category: "doc",
+      defaultConsistencyModel: "authoritative",
+      capabilities: [
+        {
+          name: "query_database",
+          class: "read",
+          description: "Query the connected Notion database with an optional filter object (Notion query DSL).",
+          parameters: {
+            type: "object",
+            properties: {
+              filter: { type: "object", description: "Notion API filter object \u2014 passed through verbatim." },
+              pageSize: { type: "integer", minimum: 1, maximum: 100, default: 50 },
+              startCursor: { type: "string" }
+            }
+          }
+        },
+        {
+          name: "create_page",
+          class: "mutation",
+          description: "Create a new page inside the connected database.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              properties: {
+                type: "object",
+                description: "Notion property map keyed by property name."
+              }
+            },
+            required: ["properties"]
+          }
+        },
+        {
+          name: "update_page",
+          class: "mutation",
+          description: "Update properties on an existing page. If `expectedLastEditedTime` is supplied and stale, the update is rejected with conflict.",
+          cas: "etag-if-match",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              pageId: { type: "string" },
+              properties: { type: "object" },
+              expectedLastEditedTime: {
+                type: "string",
+                description: "RFC3339 timestamp the agent observed on its last read. Drift triggers ResourceContention."
+              }
+            },
+            required: ["pageId", "properties"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName !== "query_database") {
+        throw new Error(`notion-database: unknown read capability ${inv.capabilityName}`);
+      }
+      const accessToken = readToken(inv.source.credentials);
+      const databaseId = readMetaString3(inv.source.metadata, "databaseId");
+      const { filter, pageSize, startCursor } = inv.args;
+      const body = {
+        page_size: Math.min(Math.max(1, pageSize ?? 50), 100)
+      };
+      if (filter) body.filter = filter;
+      if (startCursor) body.start_cursor = startCursor;
+      const res = await fetch(`${API3}/databases/${encodeURIComponent(databaseId)}/query`, {
+        method: "POST",
+        headers: notionHeaders(accessToken),
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.status === 401) {
+        throw new CredentialsExpired("Notion rejected token (401)", inv.source.id);
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`notion-database query_database ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      return {
+        data: {
+          results: json.results ?? [],
+          hasMore: json.has_more ?? false,
+          nextCursor: json.next_cursor ?? null
+        },
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      const accessToken = readToken(inv.source.credentials);
+      if (inv.capabilityName === "create_page") return createPage(inv, accessToken);
+      if (inv.capabilityName === "update_page") return updatePage(inv, accessToken);
+      throw new Error(`notion-database: unknown mutation capability ${inv.capabilityName}`);
+    },
+    async exchangeOAuth(input) {
+      if (!clientId || !clientSecret) {
+        throw new Error("Notion OAuth client not configured (NOTION_OAUTH_CLIENT_ID / _SECRET)");
+      }
+      const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code: input.code,
+        redirect_uri: input.redirectUri,
+        code_verifier: input.codeVerifier
+      });
+      const res = await fetch(TOKEN_URL6, {
+        method: "POST",
+        headers: {
+          authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`,
+          "content-type": "application/x-www-form-urlencoded",
+          accept: "application/json",
+          "Notion-Version": NOTION_VERSION
+        },
+        body
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`Notion OAuth token exchange failed: ${res.status} \u2014 ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: json.access_token,
+          refreshToken: json.refresh_token
+        },
+        scopes: [],
+        metadata: {
+          botId: json.bot_id,
+          workspaceId: json.workspace_id,
+          workspaceName: json.workspace_name,
+          // Operator picks the database in a follow-up step; default empty.
+          databaseId: ""
+        }
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        if (creds.kind === "oauth2" && creds.accessToken && !creds.expiresAt) {
+          return creds;
+        }
+        throw new Error("notion-database.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL6,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = readToken(source.credentials);
+        const res = await fetch(`${API3}/users/me`, {
+          headers: notionHeaders(accessToken),
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401) return { ok: false, reason: "Notion rejected token (401) \u2014 reconnect required" };
+        if (!res.ok) return { ok: false, reason: `Notion returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function createPage(inv, accessToken) {
+  const databaseId = readMetaString3(inv.source.metadata, "databaseId");
+  const { properties } = inv.args;
+  const res = await fetch(`${API3}/pages`, {
+    method: "POST",
+    headers: {
+      ...notionHeaders(accessToken),
+      "Idempotency-Key": inv.idempotencyKey
+    },
+    body: JSON.stringify({
+      parent: { database_id: databaseId },
+      properties
+    }),
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired("Notion rejected token (401)", inv.source.id);
+  }
+  if (res.status === 409) {
+    throw new ResourceContention("Notion idempotency-key conflict \u2014 different args under same key");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`notion-database create_page ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const created = await res.json();
+  return {
+    status: "committed",
+    data: { pageId: created.id, url: created.url, lastEditedTime: created.last_edited_time },
+    etagAfter: created.last_edited_time,
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function updatePage(inv, accessToken) {
+  const { pageId, properties, expectedLastEditedTime } = inv.args;
+  if (expectedLastEditedTime) {
+    const headRes = await fetch(`${API3}/pages/${encodeURIComponent(pageId)}`, {
+      headers: notionHeaders(accessToken),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (headRes.status === 401) {
+      throw new CredentialsExpired("Notion rejected token (401)", inv.source.id);
+    }
+    if (!headRes.ok) {
+      const text = await headRes.text().catch(() => "");
+      throw new Error(`notion-database update_page (preflight) ${headRes.status}: ${text.slice(0, 200)}`);
+    }
+    const page = await headRes.json();
+    if (page.last_edited_time && page.last_edited_time !== expectedLastEditedTime) {
+      throw new ResourceContention(
+        `Notion page ${pageId} was modified since the agent last read it`,
+        [],
+        { last_edited_time: page.last_edited_time, properties: page.properties }
+      );
+    }
+  }
+  const res = await fetch(`${API3}/pages/${encodeURIComponent(pageId)}`, {
+    method: "PATCH",
+    headers: notionHeaders(accessToken),
+    body: JSON.stringify({ properties }),
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired("Notion rejected token (401)", inv.source.id);
+  }
+  if (res.status === 409 || res.status === 412) {
+    throw new ResourceContention(`Notion update_page conflict (${res.status})`);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`notion-database update_page ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const updated = await res.json();
+  return {
+    status: "committed",
+    data: { pageId: updated.id, url: updated.url, lastEditedTime: updated.last_edited_time },
+    etagAfter: updated.last_edited_time,
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+function notionHeaders(accessToken) {
+  return {
+    authorization: `Bearer ${accessToken}`,
+    "Notion-Version": NOTION_VERSION,
+    "content-type": "application/json"
+  };
+}
+function readToken(creds) {
+  if (creds.kind !== "oauth2" || typeof creds.accessToken !== "string") {
+    throw new Error("notion-database: expected oauth2 credentials");
+  }
+  return creds.accessToken;
+}
+function readMetaString3(meta, key) {
+  const v = meta[key];
+  if (typeof v !== "string" || v.length === 0) {
+    throw new Error(`notion-database DataSource.metadata.${key} is missing`);
+  }
+  return v;
+}
+
+// src/connectors/adapters/declarative-rest.ts
+function declarativeRestConnector(spec) {
+  const capabilities = spec.capabilities.map(operationToCapability);
+  const adapter = {
+    manifest: {
+      kind: spec.kind,
+      displayName: spec.displayName,
+      description: spec.description,
+      auth: spec.auth,
+      category: spec.category,
+      defaultConsistencyModel: spec.defaultConsistencyModel,
+      capabilities
+    },
+    async executeRead(inv) {
+      const op = readOperation(spec, inv.capabilityName, "read");
+      const response = await executeRestRequest(spec, op.request, inv);
+      return {
+        data: response.data,
+        etag: response.etag,
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      const op = readOperation(spec, inv.capabilityName, "mutation");
+      const response = await executeRestRequest(spec, op.request, inv);
+      return {
+        status: "committed",
+        data: response.data,
+        etagAfter: response.etag,
+        committedAt: Date.now(),
+        idempotentReplay: false
+      };
+    },
+    async test(source) {
+      if (!spec.test) return { ok: true };
+      try {
+        await executeRestRequest(spec, spec.test, {
+          source,
+          capabilityName: "__test__",
+          args: {},
+          idempotencyKey: "test"
+        });
+        return { ok: true };
+      } catch (error) {
+        return { ok: false, reason: error instanceof Error ? error.message : "unknown error" };
+      }
+    }
+  };
+  return adapter;
+}
+function operationToCapability(op) {
+  const base = {
+    name: op.name,
+    description: op.description,
+    parameters: op.parameters,
+    requiredScopes: op.requiredScopes
+  };
+  if (op.class === "read") {
+    return { ...base, class: "read" };
+  }
+  return {
+    ...base,
+    class: "mutation",
+    cas: op.cas ?? "native-idempotency",
+    externalEffect: op.externalEffect ?? true
+  };
+}
+function readOperation(spec, name, expected) {
+  const op = spec.capabilities.find((candidate) => candidate.name === name);
+  if (!op || op.class !== expected) {
+    throw new Error(`${spec.kind}: unknown ${expected} capability ${name}`);
+  }
+  return op;
+}
+async function executeRestRequest(spec, request, inv) {
+  const baseUrl = resolveBaseUrl(spec.baseUrl, inv.source.metadata);
+  const url = new URL(interpolate(request.path, inv.args), baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`);
+  for (const [key, value] of Object.entries(request.query ?? {})) {
+    const rendered = renderQueryValue(value, inv.args);
+    if (rendered !== void 0 && rendered !== "") url.searchParams.set(key, String(rendered));
+  }
+  const headers = {
+    accept: "application/json",
+    ...spec.defaultHeaders,
+    ...renderHeaders(request.headers ?? {}, inv.args)
+  };
+  applyCredentials(headers, url, spec.credentialPlacement ?? { kind: "bearer" }, inv.source.credentials);
+  if (inv.expectedEtag) headers["if-match"] = inv.expectedEtag;
+  if (request.method !== "GET" && request.method !== "DELETE") {
+    headers["content-type"] = headers["content-type"] ?? "application/json";
+  }
+  const res = await fetch(url, {
+    method: request.method,
+    headers,
+    body: request.method === "GET" || request.method === "DELETE" ? void 0 : JSON.stringify(resolveBody(request.body, inv.args)),
+    signal: AbortSignal.timeout(2e4)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`${spec.displayName} rejected credentials (${res.status})`, inv.source.id);
+  }
+  if (res.status === 409 || res.status === 412) {
+    return {
+      data: {
+        status: "conflict",
+        message: await safeErrorText(res)
+      },
+      etag: res.headers.get("etag") ?? void 0
+    };
+  }
+  if (res.status === 429) {
+    return {
+      data: {
+        status: "rate-limited",
+        retryAfter: res.headers.get("retry-after") ?? void 0,
+        message: await safeErrorText(res)
+      }
+    };
+  }
+  if (!res.ok) {
+    throw new Error(`${spec.kind} ${request.method} ${url.pathname} HTTP ${res.status}: ${(await safeErrorText(res)).slice(0, 300)}`);
+  }
+  const text = await res.text();
+  const data = text ? JSON.parse(text) : null;
+  return { data, etag: res.headers.get("etag") ?? void 0 };
+}
+function resolveBaseUrl(baseUrl, metadata) {
+  if (typeof baseUrl === "string") return baseUrl;
+  const value = metadata[baseUrl.metadataKey];
+  if (typeof value === "string" && value.trim()) return value;
+  if (baseUrl.fallback) return baseUrl.fallback;
+  throw new Error(`missing metadata.${baseUrl.metadataKey} base URL`);
+}
+function applyCredentials(headers, url, placement, credentials) {
+  const token = credentialToken(credentials);
+  if (placement.kind === "bearer") headers.authorization = `Bearer ${token}`;
+  if (placement.kind === "header") headers[placement.header] = `${placement.prefix ?? ""}${token}`;
+  if (placement.kind === "query") url.searchParams.set(placement.parameter, token);
+}
+function credentialToken(credentials) {
+  if (credentials.kind === "oauth2") return credentials.accessToken;
+  if (credentials.kind === "api-key") return credentials.apiKey;
+  throw new Error(`declarative REST connectors require oauth2 or api-key credentials, got ${credentials.kind}`);
+}
+function resolveBody(body, args) {
+  if (!body || body === "args") return args;
+  if (typeof body === "string") return renderValue(body, args);
+  return renderObject(body, args);
+}
+function renderHeaders(headers, args) {
+  return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key, interpolate(value, args)]));
+}
+function renderObject(input, args) {
+  return Object.fromEntries(Object.entries(input).map(([key, value]) => [key, renderValue(value, args)]));
+}
+function renderValue(value, args) {
+  if (typeof value === "string") {
+    const exact = value.match(/^\{([a-zA-Z0-9_.-]+)\}$/);
+    if (exact) return readRequiredPath(args, exact[1]);
+    return interpolate(value, args);
+  }
+  return value;
+}
+function renderQueryValue(value, args) {
+  if (typeof value !== "string") return value;
+  const exact = value.match(/^\{([a-zA-Z0-9_.-]+)\}$/);
+  if (exact) return readPath(args, exact[1]);
+  try {
+    return interpolate(value, args);
+  } catch {
+    return void 0;
+  }
+}
+function interpolate(template, args) {
+  return template.replace(/\{([a-zA-Z0-9_.-]+)\}/g, (_match, key) => {
+    const value = readPath(args, key);
+    if (value === void 0 || value === null) {
+      throw new Error(`missing required argument: ${key}`);
+    }
+    return encodeURIComponent(String(value));
+  });
+}
+function readRequiredPath(input, path) {
+  const value = readPath(input, path);
+  if (value === void 0 || value === null) throw new Error(`missing required argument: ${path}`);
+  return value;
+}
+function readPath(input, path) {
+  return path.split(".").reduce((value, part) => {
+    if (value && typeof value === "object" && part in value) {
+      return value[part];
+    }
+    return void 0;
+  }, input);
+}
+async function safeErrorText(res) {
+  return await res.text().catch(() => res.statusText) || res.statusText;
+}
+
+// src/connectors/adapters/twilio-sms.ts
+var API4 = "https://api.twilio.com/2010-04-01";
+var LOOKUP_API = "https://lookups.twilio.com/v1";
+var twilioSmsConnector = {
+  manifest: {
+    kind: "twilio-sms",
+    displayName: "Twilio SMS",
+    description: "Send outbound SMS, look up phone numbers, and audit recent messages. Twilio's native Idempotency-Key prevents duplicate sends on retry.",
+    auth: {
+      kind: "api-key",
+      hint: 'Paste your Twilio credentials as "AccountSid:AuthToken" (e.g. "AC123\u2026:abc\u2026"). API-key style "AccountSid:KeySid:Secret" is also accepted.'
+    },
+    category: "comms",
+    defaultConsistencyModel: "authoritative",
+    capabilities: [
+      {
+        name: "send_sms",
+        class: "mutation",
+        description: "Send an SMS from the configured Twilio number to the supplied destination.",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          properties: {
+            to: { type: "string", description: "E.164 destination, e.g. +14155551212" },
+            body: { type: "string", description: "Message body (\u22641600 chars after Twilio segments)." },
+            from: { type: "string", description: "Optional E.164 sender; falls back to metadata.fromNumber." }
+          },
+          required: ["to", "body"]
+        }
+      },
+      {
+        name: "lookup_number",
+        class: "read",
+        description: "Validate a phone number and (if your account has Lookup) retrieve carrier metadata.",
+        parameters: {
+          type: "object",
+          properties: {
+            phoneNumber: { type: "string", description: "E.164 number to look up." },
+            includeCarrier: { type: "boolean", default: false }
+          },
+          required: ["phoneNumber"]
+        }
+      },
+      {
+        name: "find_recent_messages",
+        class: "read",
+        description: "Return up to `limit` recent Messages on the account, optionally filtered by To or From.",
+        parameters: {
+          type: "object",
+          properties: {
+            to: { type: "string", description: "Optional E.164 filter on the To address." },
+            from: { type: "string", description: "Optional E.164 filter on the From address." },
+            limit: { type: "integer", minimum: 1, maximum: 100, default: 20 }
+          }
+        }
+      }
+    ]
+  },
+  async executeRead(inv) {
+    const auth = parseAuth(inv.source.credentials);
+    if (inv.capabilityName === "lookup_number") {
+      const { phoneNumber, includeCarrier } = inv.args;
+      const url = `${LOOKUP_API}/PhoneNumbers/${encodeURIComponent(phoneNumber)}${includeCarrier ? "?Type=carrier" : ""}`;
+      const res = await fetch(url, {
+        headers: { authorization: basicAuth(auth) },
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.status === 401) throw new CredentialsExpired("Twilio rejected credentials (401)", inv.source.id);
+      if (res.status === 404) {
+        return { data: { valid: false }, fetchedAt: Date.now() };
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`twilio-sms lookup_number ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      return {
+        data: {
+          valid: true,
+          phoneNumber: json.phone_number,
+          countryCode: json.country_code,
+          carrier: json.carrier
+        },
+        fetchedAt: Date.now()
+      };
+    }
+    if (inv.capabilityName === "find_recent_messages") {
+      const { to, from, limit } = inv.args;
+      const params = new URLSearchParams();
+      params.set("PageSize", String(Math.min(Math.max(1, limit ?? 20), 100)));
+      if (to) params.set("To", to);
+      if (from) params.set("From", from);
+      const url = `${API4}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json?${params.toString()}`;
+      const res = await fetch(url, {
+        headers: { authorization: basicAuth(auth) },
+        signal: AbortSignal.timeout(1e4)
+      });
+      if (res.status === 401) throw new CredentialsExpired("Twilio rejected credentials (401)", inv.source.id);
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`twilio-sms find_recent_messages ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      return {
+        data: { messages: json.messages ?? [] },
+        fetchedAt: Date.now()
+      };
+    }
+    throw new Error(`twilio-sms: unknown read capability ${inv.capabilityName}`);
+  },
+  async executeMutation(inv) {
+    if (inv.capabilityName !== "send_sms") {
+      throw new Error(`twilio-sms: unknown mutation capability ${inv.capabilityName}`);
+    }
+    const auth = parseAuth(inv.source.credentials);
+    const { to, body, from } = inv.args;
+    const fromNumber = from ?? readMetaString4(inv.source.metadata, "fromNumber");
+    const formBody = new URLSearchParams({ To: to, From: fromNumber, Body: body });
+    const url = `${API4}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        authorization: basicAuth(auth),
+        "content-type": "application/x-www-form-urlencoded",
+        "idempotency-key": inv.idempotencyKey
+      },
+      body: formBody,
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (res.status === 401) throw new CredentialsExpired("Twilio rejected credentials (401)", inv.source.id);
+    if (res.status === 409) {
+      throw new ResourceContention("Twilio idempotency-key conflict \u2014 different args under same key");
+    }
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`twilio-sms send_sms ${res.status}: ${text.slice(0, 200)}`);
+    }
+    const created = await res.json();
+    return {
+      status: "committed",
+      data: { messageSid: created.sid, deliveryStatus: created.status, to: created.to, from: created.from },
+      committedAt: Date.now(),
+      idempotentReplay: false
+    };
+  },
+  async test(source) {
+    try {
+      const auth = parseAuth(source.credentials);
+      const res = await fetch(`${API4}/Accounts/${encodeURIComponent(auth.accountSid)}.json`, {
+        headers: { authorization: basicAuth(auth) },
+        signal: AbortSignal.timeout(8e3)
+      });
+      if (res.status === 401) return { ok: false, reason: "Twilio rejected credentials (401) \u2014 reconnect required" };
+      if (!res.ok) return { ok: false, reason: `Twilio returned ${res.status}` };
+      return { ok: true };
+    } catch (err) {
+      return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+  }
+};
+function parseAuth(creds) {
+  if (creds.kind !== "api-key" || typeof creds.apiKey !== "string") {
+    throw new Error("twilio-sms: expected api-key credentials");
+  }
+  const parts = creds.apiKey.split(":");
+  if (parts.length === 2) {
+    const [accountSid, authToken] = parts;
+    if (!accountSid.startsWith("AC")) {
+      throw new Error('twilio-sms: AccountSid must start with "AC"');
+    }
+    return { accountSid, username: accountSid, password: authToken };
+  }
+  if (parts.length === 3) {
+    const [accountSid, keySid, secret] = parts;
+    if (!accountSid.startsWith("AC")) {
+      throw new Error('twilio-sms: AccountSid must start with "AC"');
+    }
+    return { accountSid, username: keySid, password: secret };
+  }
+  throw new Error('twilio-sms: apiKey must be "AccountSid:AuthToken" or "AccountSid:KeySid:Secret"');
+}
+function basicAuth(auth) {
+  return `Basic ${Buffer.from(`${auth.username}:${auth.password}`).toString("base64")}`;
+}
+function readMetaString4(meta, key) {
+  const v = meta[key];
+  if (typeof v !== "string" || v.length === 0) {
+    throw new Error(`twilio-sms DataSource.metadata.${key} is missing`);
+  }
+  return v;
+}
+
+// src/connectors/adapters/stripe-pack.ts
+var API5 = "https://api.stripe.com/v1";
+var stripePackConnector = {
+  manifest: {
+    kind: "stripe-pack",
+    displayName: "Stripe (customers, invoices, checkout)",
+    description: "Look up Stripe customers, draft invoices, and spin up hosted Checkout sessions from a single Stripe restricted key. Idempotency-Key forwarded on every mutation.",
+    auth: {
+      kind: "api-key",
+      hint: "Paste a Stripe restricted key (rk_live_\u2026) with read access on customers and write access on invoices + checkout sessions."
+    },
+    category: "commerce",
+    defaultConsistencyModel: "authoritative",
+    capabilities: [
+      {
+        name: "find_customer",
+        class: "read",
+        description: "Search Stripe customers by email. Returns the first match or {found:false}.",
+        parameters: {
+          type: "object",
+          properties: { email: { type: "string" } },
+          required: ["email"]
+        }
+      },
+      {
+        name: "create_invoice",
+        class: "mutation",
+        description: "Draft + finalize a Stripe invoice for a customer with line items. Idempotency-Key guarantees at-most-once.",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          properties: {
+            customerId: { type: "string" },
+            items: {
+              type: "array",
+              items: {
+                type: "object",
+                properties: {
+                  description: { type: "string" },
+                  amount: { type: "integer", description: "Amount in the smallest currency unit (cents)." },
+                  currency: { type: "string", description: "3-letter ISO currency code, lowercase." },
+                  quantity: { type: "integer", minimum: 1, default: 1 }
+                },
+                required: ["amount", "currency"]
+              }
+            },
+            autoFinalize: { type: "boolean", default: true }
+          },
+          required: ["customerId", "items"]
+        }
+      },
+      {
+        name: "create_checkout_session",
+        class: "mutation",
+        description: "Create a Stripe Checkout session and return its hosted URL. Idempotency-Key guarantees at-most-once.",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          properties: {
+            customerId: { type: "string" },
+            mode: { type: "string", enum: ["payment", "subscription"], default: "payment" },
+            successUrl: { type: "string" },
+            cancelUrl: { type: "string" },
+            lineItems: {
+              type: "array",
+              items: {
+                type: "object",
+                properties: {
+                  price: { type: "string", description: "Stripe price id (price_...)" },
+                  quantity: { type: "integer", minimum: 1, default: 1 }
+                },
+                required: ["price"]
+              }
+            }
+          },
+          required: ["successUrl", "cancelUrl", "lineItems"]
+        }
+      }
+    ]
+  },
+  async executeRead(inv) {
+    if (inv.capabilityName !== "find_customer") {
+      throw new Error(`stripe-pack: unknown read capability ${inv.capabilityName}`);
+    }
+    const apiKey = readApiKey(inv.source.credentials);
+    const { email } = inv.args;
+    const url = `${API5}/customers/search?query=${encodeURIComponent(`email:'${email.toLowerCase()}'`)}&limit=1`;
+    const res = await fetch(url, {
+      headers: { authorization: `Bearer ${apiKey}` },
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (res.status === 401) {
+      throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+    }
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`stripe-pack find_customer ${res.status}: ${text.slice(0, 200)}`);
+    }
+    const json = await res.json();
+    const first = json.data?.[0];
+    return {
+      data: first ? { found: true, customer: { id: first.id, email: first.email, name: first.name, phone: first.phone } } : { found: false },
+      fetchedAt: Date.now()
+    };
+  },
+  async executeMutation(inv) {
+    const apiKey = readApiKey(inv.source.credentials);
+    if (inv.capabilityName === "create_invoice") return createInvoice(inv, apiKey);
+    if (inv.capabilityName === "create_checkout_session") return createCheckoutSession(inv, apiKey);
+    throw new Error(`stripe-pack: unknown mutation capability ${inv.capabilityName}`);
+  },
+  async test(source) {
+    try {
+      const apiKey = readApiKey(source.credentials);
+      const res = await fetch(`${API5}/account`, {
+        headers: { authorization: `Bearer ${apiKey}` },
+        signal: AbortSignal.timeout(8e3)
+      });
+      if (res.status === 401) {
+        return { ok: false, reason: "Stripe rejected API key (401) \u2014 reconnect required" };
+      }
+      if (!res.ok) return { ok: false, reason: `Stripe returned ${res.status}` };
+      return { ok: true };
+    } catch (err) {
+      return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+  }
+};
+async function createInvoice(inv, apiKey) {
+  const { customerId, items, autoFinalize } = inv.args;
+  const idemKey = inv.idempotencyKey;
+  for (let i = 0; i < items.length; i++) {
+    const it = items[i];
+    const body = new URLSearchParams({
+      customer: customerId,
+      amount: String(it.amount),
+      currency: it.currency.toLowerCase(),
+      quantity: String(it.quantity ?? 1)
+    });
+    if (it.description) body.set("description", it.description);
+    const res = await fetch(`${API5}/invoiceitems`, {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${apiKey}`,
+        "content-type": "application/x-www-form-urlencoded",
+        "idempotency-key": `${idemKey}-item-${i}`
+      },
+      body,
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (res.status === 401) throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+    if (res.status === 409) {
+      throw new ResourceContention("Stripe invoiceitem conflict \u2014 retry rejected by idempotency check");
+    }
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`stripe-pack create_invoice (item ${i}) ${res.status}: ${text.slice(0, 200)}`);
+    }
+  }
+  const invBody = new URLSearchParams({
+    customer: customerId,
+    auto_advance: autoFinalize === false ? "false" : "true",
+    collection_method: "send_invoice",
+    days_until_due: "14"
+  });
+  const invRes = await fetch(`${API5}/invoices`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${apiKey}`,
+      "content-type": "application/x-www-form-urlencoded",
+      "idempotency-key": `${idemKey}-invoice`
+    },
+    body: invBody,
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (invRes.status === 401) throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+  if (invRes.status === 409) {
+    throw new ResourceContention("Stripe invoice conflict \u2014 retry rejected by idempotency check");
+  }
+  if (!invRes.ok) {
+    const text = await invRes.text().catch(() => "");
+    throw new Error(`stripe-pack create_invoice ${invRes.status}: ${text.slice(0, 200)}`);
+  }
+  const created = await invRes.json();
+  return {
+    status: "committed",
+    data: { invoiceId: created.id, hostedInvoiceUrl: created.hosted_invoice_url, status: created.status },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function createCheckoutSession(inv, apiKey) {
+  const { customerId, mode, successUrl, cancelUrl, lineItems } = inv.args;
+  const body = new URLSearchParams({
+    mode: mode ?? "payment",
+    success_url: successUrl,
+    cancel_url: cancelUrl
+  });
+  if (customerId) body.set("customer", customerId);
+  lineItems.forEach((it, i) => {
+    body.set(`line_items[${i}][price]`, it.price);
+    body.set(`line_items[${i}][quantity]`, String(it.quantity ?? 1));
+  });
+  const res = await fetch(`${API5}/checkout/sessions`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${apiKey}`,
+      "content-type": "application/x-www-form-urlencoded",
+      "idempotency-key": inv.idempotencyKey
+    },
+    body,
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+  if (res.status === 409) {
+    throw new ResourceContention("Stripe checkout session conflict \u2014 retry rejected by idempotency check");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`stripe-pack create_checkout_session ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const created = await res.json();
+  return {
+    status: "committed",
+    data: { sessionId: created.id, url: created.url, paymentStatus: created.payment_status },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+function readApiKey(creds) {
+  if (creds.kind !== "api-key" || typeof creds.apiKey !== "string" || creds.apiKey.length === 0) {
+    throw new Error("stripe-pack: expected api-key credentials");
+  }
+  return creds.apiKey;
+}
+
+// src/connectors/adapters/webhook.ts
+import { createHmac } from "crypto";
+var webhookConnector = {
+  manifest: {
+    kind: "webhook",
+    displayName: "Webhook (custom URL)",
+    description: "Fire signed HTTP POSTs from your agent to any URL you control. The escape hatch when there's no native connector \u2014 receive the agent's intent, run your own logic, return a result.",
+    auth: { kind: "hmac" },
+    category: "webhook",
+    defaultConsistencyModel: "advisory",
+    capabilities: [
+      {
+        name: "post_event",
+        class: "mutation",
+        description: "Send a JSON event to the configured webhook URL. The receiver SHOULD return 200 on accept and 409 on conflict (the agent will offer alternatives if you include them in the response).",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          additionalProperties: true,
+          description: "Whatever JSON the operator declared at connect time. The DataSource.metadata.requestSchema is the source of truth at runtime."
+        }
+      },
+      {
+        name: "fetch_state",
+        class: "read",
+        description: "GET the configured webhook URL with the agent-supplied query params. Returns whatever JSON the receiver responds with.",
+        parameters: {
+          type: "object",
+          additionalProperties: true
+        }
+      }
+    ]
+  },
+  async executeRead(inv) {
+    const url = readMetaString5(inv.source.metadata, "url");
+    const params = inv.args && typeof inv.args === "object" ? inv.args : {};
+    const u = new URL(url);
+    for (const [k, v] of Object.entries(params)) {
+      u.searchParams.set(k, typeof v === "string" ? v : JSON.stringify(v));
+    }
+    const res = await fetch(u.toString(), {
+      method: "GET",
+      headers: signHeaders(inv.source.credentials, "", inv.idempotencyKey),
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!res.ok) {
+      throw new Error(`webhook fetch_state ${res.status}: ${(await res.text()).slice(0, 200)}`);
+    }
+    const data = await res.json();
+    return {
+      data,
+      etag: res.headers.get("etag") ?? void 0,
+      fetchedAt: Date.now()
+    };
+  },
+  async executeMutation(inv) {
+    const url = readMetaString5(inv.source.metadata, "url");
+    const body = JSON.stringify(inv.args ?? {});
+    const res = await fetch(url, {
+      method: "POST",
+      headers: signHeaders(inv.source.credentials, body, inv.idempotencyKey),
+      body,
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (res.status === 409) {
+      const json = await res.json().catch(() => ({}));
+      return {
+        status: "conflict",
+        alternatives: json.alternatives ?? [],
+        message: json.message ?? "webhook receiver returned 409"
+      };
+    }
+    if (!res.ok) {
+      throw new Error(`webhook post_event ${res.status}: ${(await res.text()).slice(0, 200)}`);
+    }
+    const data = await res.json().catch(() => ({}));
+    return {
+      status: "committed",
+      data,
+      etagAfter: res.headers.get("etag") ?? void 0,
+      committedAt: Date.now(),
+      idempotentReplay: false
+    };
+  },
+  async test(source) {
+    try {
+      const url = readMetaString5(source.metadata, "url");
+      const res = await fetch(url, {
+        method: "HEAD",
+        headers: signHeaders(source.credentials, "", `health-${Date.now()}`),
+        signal: AbortSignal.timeout(8e3)
+      });
+      if (res.status >= 500) return { ok: false, reason: `webhook returned ${res.status}` };
+      return { ok: true };
+    } catch (err) {
+      return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+    }
+  }
+};
+function readMetaString5(meta, key) {
+  const v = meta[key];
+  if (typeof v !== "string" || v.length === 0) {
+    throw new Error(`webhook DataSource.metadata.${key} is missing`);
+  }
+  return v;
+}
+function signHeaders(creds, body, idempotencyKey) {
+  const ts = Math.floor(Date.now() / 1e3).toString();
+  const headers = {
+    "content-type": "application/json",
+    "x-phony-timestamp": ts,
+    "x-phony-idempotency-key": idempotencyKey
+  };
+  if (creds.kind === "hmac" && typeof creds.secret === "string" && creds.secret.length > 0) {
+    const sig = createHmac("sha256", creds.secret).update(`${ts}.${body}`).digest("hex");
+    headers["x-phony-signature"] = `sha256=${sig}`;
+  }
+  return headers;
+}
+
+// src/connectors/webhooks.ts
+import { createHmac as createHmac2, timingSafeEqual } from "crypto";
+var DEFAULT_SIGNATURE_TOLERANCE_SECONDS = 5 * 60;
+function parseStripeSignatureHeader(header) {
+  const acc = { sigs: [] };
+  for (const part of header.split(",")) {
+    const idx = part.indexOf("=");
+    if (idx < 0) continue;
+    const key = part.slice(0, idx).trim();
+    const val = part.slice(idx + 1).trim();
+    if (key === "t") {
+      const n = Number(val);
+      if (Number.isFinite(n)) acc.ts = n;
+    } else if (key === "v1") {
+      acc.sigs.push(val);
+    }
+  }
+  if (acc.ts === void 0 || acc.sigs.length === 0) return null;
+  return { t: acc.ts, sigs: acc.sigs };
+}
+function verifyStripeSignature(rawBody, signatureHeader, secret, options = {}) {
+  const parsed = parseStripeSignatureHeader(signatureHeader);
+  if (!parsed) return false;
+  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - parsed.t) > tolerance) return false;
+  const expected = createHmac2("sha256", secret).update(`${parsed.t}.${rawBody}`).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  for (const sig of parsed.sigs) {
+    const sigBuf = Buffer.from(sig, "utf8");
+    if (sigBuf.length !== expectedBuf.length) continue;
+    if (timingSafeEqual(sigBuf, expectedBuf)) return true;
+  }
+  return false;
+}
+function verifySlackSignature(rawBody, signatureHeader, timestampHeader, secret, options = {}) {
+  if (!signatureHeader.startsWith("v0=")) return false;
+  const ts = Number(timestampHeader);
+  if (!Number.isFinite(ts)) return false;
+  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - ts) > tolerance) return false;
+  const expected = "v0=" + createHmac2("sha256", secret).update(`v0:${ts}:${rawBody}`).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const sigBuf = Buffer.from(signatureHeader, "utf8");
+  if (sigBuf.length !== expectedBuf.length) return false;
+  return timingSafeEqual(sigBuf, expectedBuf);
+}
+function verifyHmacSignature(rawBody, signatureHeader, secret, options = {}) {
+  const algorithm = options.algorithm ?? "sha256";
+  const prefix = options.signaturePrefix ?? "";
+  const lower = options.lowercaseHex ?? true;
+  let candidate = signatureHeader;
+  if (prefix) {
+    if (!candidate.startsWith(prefix)) return false;
+    candidate = candidate.slice(prefix.length);
+  }
+  if (lower) candidate = candidate.toLowerCase();
+  const expected = createHmac2(algorithm, secret).update(rawBody).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const sigBuf = Buffer.from(candidate, "utf8");
+  if (sigBuf.length !== expectedBuf.length) return false;
+  return timingSafeEqual(sigBuf, expectedBuf);
+}
+function verifyTwilioSignature(input, options = {}) {
+  if (!input.authToken) {
+    return options.skipWhenAuthTokenMissing === true;
+  }
+  const signature = input.signatureHeader;
+  if (!signature || Array.isArray(signature)) return false;
+  if (!input.fullUrl) return false;
+  const data = options.bodyAsRaw === true ? input.fullUrl + (options.rawBody ?? "") : Object.keys(input.params ?? {}).sort().reduce((acc, key) => acc + key + (input.params[key] ?? ""), input.fullUrl);
+  const expected = createHmac2("sha1", input.authToken).update(data).digest("base64");
+  const expectedBuf = Buffer.from(expected);
+  const sigBuf = Buffer.from(signature);
+  if (expectedBuf.length !== sigBuf.length) return false;
+  return timingSafeEqual(expectedBuf, sigBuf);
+}
+function firstHeader(headers, name) {
+  const v = headers[name] ?? headers[name.toLowerCase()] ?? Object.entries(headers).find(([key]) => key.toLowerCase() === name.toLowerCase())?.[1];
+  if (Array.isArray(v)) return v[0];
+  return typeof v === "string" ? v : void 0;
+}
+
+// src/connectors/adapters/stripe-webhook-receiver.ts
+var stripeWebhookReceiverConnector = {
+  manifest: {
+    kind: "stripe",
+    displayName: "Stripe (inbound events)",
+    description: "Receive Stripe webhook events from your own Stripe account. Paste your endpoint signing secret (whsec_*) at connect time; we'll verify every push and feed events to your agent's runtime.",
+    auth: { kind: "hmac" },
+    category: "commerce",
+    // Inbound-only. Stripe events are advisory in this incarnation — the
+    // agent reacts to them but doesn't compete for writes against the same
+    // resource.
+    defaultConsistencyModel: "advisory",
+    capabilities: []
+  },
+  verifySignature({ rawBody, headers, source }) {
+    if (source.credentials.kind !== "hmac") return { valid: false, reason: "missing_hmac_secret" };
+    const sig = firstHeader(headers, "stripe-signature");
+    if (!sig) return { valid: false, reason: "missing_stripe_signature_header" };
+    const ok = verifyStripeSignature(rawBody, sig, source.credentials.secret);
+    return ok ? { valid: true } : { valid: false, reason: "invalid_signature" };
+  },
+  async handleInboundEvent({ rawBody }) {
+    let parsed;
+    try {
+      parsed = JSON.parse(rawBody);
+    } catch {
+      return { events: [], response: { status: 400, body: { error: "invalid_json" } } };
+    }
+    if (!parsed || typeof parsed !== "object") {
+      return { events: [], response: { status: 400, body: { error: "invalid_payload" } } };
+    }
+    const evt = parsed;
+    const eventType = typeof evt.type === "string" ? evt.type : "stripe.unknown";
+    const providerEventId = typeof evt.id === "string" ? evt.id : void 0;
+    const events = [
+      {
+        eventType,
+        providerEventId,
+        payload: evt
+      }
+    ];
+    return { events };
+  },
+  async test(source) {
+    if (source.credentials.kind !== "hmac" || !source.credentials.secret) {
+      return { ok: false, reason: "webhook secret not configured" };
+    }
+    return { ok: true };
+  }
+};
+
+// src/connectors/adapters/slack-events.ts
+var slackEventsConnector = {
+  manifest: {
+    // NOTE: `slack` is owned by the OAuth bot connector in slack.ts (post_message,
+    // lookup_user, list_channels). This adapter is the HMAC-only inbound-events
+    // sibling — distinct kind so a customer can stand up the Events API receiver
+    // without granting bot OAuth, and so the registry doesn't reject duplicate
+    // kinds at boot.
+    kind: "slack-inbound",
+    displayName: "Slack (Events API)",
+    description: "Receive workspace events (messages, reactions, app mentions, \u2026) from Slack's Events API. Outbound bot messaging will land in a follow-up.",
+    auth: { kind: "hmac" },
+    category: "comms",
+    // Inbound-only. Events are advisory in this incarnation — agents observe
+    // and react, no CAS.
+    defaultConsistencyModel: "advisory",
+    capabilities: []
+  },
+  verifySignature({ rawBody, headers, source }) {
+    if (source.credentials.kind !== "hmac") return { valid: false, reason: "missing_hmac_secret" };
+    const sig = firstHeader(headers, "x-slack-signature");
+    const ts = firstHeader(headers, "x-slack-request-timestamp");
+    if (!sig || !ts) return { valid: false, reason: "missing_slack_headers" };
+    const ok = verifySlackSignature(rawBody, sig, ts, source.credentials.secret);
+    return ok ? { valid: true } : { valid: false, reason: "invalid_signature" };
+  },
+  async handleInboundEvent({ rawBody }) {
+    let parsed;
+    try {
+      parsed = JSON.parse(rawBody);
+    } catch {
+      return { events: [], response: { status: 400, body: { error: "invalid_json" } } };
+    }
+    if (!parsed || typeof parsed !== "object") {
+      return { events: [], response: { status: 400, body: { error: "invalid_payload" } } };
+    }
+    const obj = parsed;
+    if (obj.type === "url_verification") {
+      const challenge = typeof obj.challenge === "string" ? obj.challenge : "";
+      return {
+        events: [],
+        response: { status: 200, body: { challenge } }
+      };
+    }
+    if (obj.type === "event_callback") {
+      const inner = obj.event;
+      const innerType = inner && typeof inner === "object" && "type" in inner && typeof inner.type === "string" ? inner.type : "slack.event";
+      const providerEventId = typeof obj.event_id === "string" ? obj.event_id : void 0;
+      const event = {
+        eventType: `slack.${innerType}`,
+        providerEventId,
+        payload: obj
+      };
+      return { events: [event] };
+    }
+    return { events: [] };
+  },
+  async test(source) {
+    if (source.credentials.kind !== "hmac" || !source.credentials.secret) {
+      return { ok: false, reason: "signing secret not configured" };
+    }
+    return { ok: true };
+  }
+};
+
+// src/connectors/adapters/github.ts
+var repoParams = {
+  type: "object",
+  properties: {
+    owner: { type: "string" },
+    repo: { type: "string" }
+  },
+  required: ["owner", "repo"]
+};
+var githubConnector = declarativeRestConnector({
+  kind: "github",
+  displayName: "GitHub",
+  description: "Search repositories/issues and create or update GitHub issues through a user-scoped token.",
+  auth: { kind: "api-key", hint: "GitHub fine-grained personal access token or installation token." },
+  category: "other",
+  defaultConsistencyModel: "authoritative",
+  baseUrl: "https://api.github.com",
+  defaultHeaders: {
+    "x-github-api-version": "2022-11-28"
+  },
+  test: { method: "GET", path: "/user" },
+  capabilities: [
+    {
+      name: "repositories.get",
+      class: "read",
+      description: "Read repository metadata.",
+      parameters: repoParams,
+      request: { method: "GET", path: "/repos/{owner}/{repo}" }
+    },
+    {
+      name: "issues.search",
+      class: "read",
+      description: "Search GitHub issues and pull requests.",
+      parameters: {
+        type: "object",
+        properties: { q: { type: "string" }, per_page: { type: "integer", minimum: 1, maximum: 100 } },
+        required: ["q"]
+      },
+      request: { method: "GET", path: "/search/issues", query: { q: "{q}", per_page: "{per_page}" } }
+    },
+    {
+      name: "issues.create",
+      class: "mutation",
+      description: "Create an issue in a repository.",
+      parameters: {
+        type: "object",
+        properties: {
+          owner: { type: "string" },
+          repo: { type: "string" },
+          title: { type: "string" },
+          body: { type: "string" },
+          labels: { type: "array", items: { type: "string" } }
+        },
+        required: ["owner", "repo", "title"]
+      },
+      request: { method: "POST", path: "/repos/{owner}/{repo}/issues", body: "args" },
+      cas: "native-idempotency"
+    },
+    {
+      name: "issues.update",
+      class: "mutation",
+      description: "Update an issue by number.",
+      parameters: {
+        type: "object",
+        properties: {
+          owner: { type: "string" },
+          repo: { type: "string" },
+          issue_number: { type: "integer" },
+          title: { type: "string" },
+          body: { type: "string" },
+          state: { type: "string", enum: ["open", "closed"] }
+        },
+        required: ["owner", "repo", "issue_number"]
+      },
+      request: { method: "PATCH", path: "/repos/{owner}/{repo}/issues/{issue_number}", body: "args" },
+      cas: "etag-if-match"
+    }
+  ]
+});
+
+// src/connectors/adapters/gitlab.ts
+var gitlabConnector = declarativeRestConnector({
+  kind: "gitlab",
+  displayName: "GitLab",
+  description: "Search GitLab projects/issues and create or update issues through a personal, project, or group token.",
+  auth: { kind: "api-key", hint: "GitLab access token with api/read_api scope." },
+  category: "other",
+  defaultConsistencyModel: "authoritative",
+  baseUrl: { metadataKey: "baseUrl", fallback: "https://gitlab.com/api/v4" },
+  credentialPlacement: { kind: "header", header: "PRIVATE-TOKEN" },
+  test: { method: "GET", path: "/user" },
+  capabilities: [
+    {
+      name: "projects.search",
+      class: "read",
+      description: "Search projects visible to the token.",
+      parameters: {
+        type: "object",
+        properties: { search: { type: "string" }, per_page: { type: "integer", minimum: 1, maximum: 100 } },
+        required: ["search"]
+      },
+      request: { method: "GET", path: "/projects", query: { search: "{search}", per_page: "{per_page}" } }
+    },
+    {
+      name: "issues.search",
+      class: "read",
+      description: "Search issues in a project.",
+      parameters: {
+        type: "object",
+        properties: { projectId: { type: "string" }, search: { type: "string" }, per_page: { type: "integer" } },
+        required: ["projectId", "search"]
+      },
+      request: { method: "GET", path: "/projects/{projectId}/issues", query: { search: "{search}", per_page: "{per_page}" } }
+    },
+    {
+      name: "issues.create",
+      class: "mutation",
+      description: "Create a GitLab project issue.",
+      parameters: {
+        type: "object",
+        properties: { projectId: { type: "string" }, title: { type: "string" }, description: { type: "string" } },
+        required: ["projectId", "title"]
+      },
+      request: { method: "POST", path: "/projects/{projectId}/issues", body: "args" },
+      cas: "native-idempotency"
+    },
+    {
+      name: "issues.update",
+      class: "mutation",
+      description: "Update a GitLab issue.",
+      parameters: {
+        type: "object",
+        properties: { projectId: { type: "string" }, issueIid: { type: "integer" }, title: { type: "string" }, description: { type: "string" }, state_event: { type: "string" } },
+        required: ["projectId", "issueIid"]
+      },
+      request: { method: "PUT", path: "/projects/{projectId}/issues/{issueIid}", body: "args" },
+      cas: "etag-if-match"
+    }
+  ]
+});
+
+// src/connectors/adapters/airtable.ts
+var baseTableParams = {
+  type: "object",
+  properties: {
+    baseId: { type: "string" },
+    tableName: { type: "string" }
+  },
+  required: ["baseId", "tableName"]
+};
+var airtableConnector = declarativeRestConnector({
+  kind: "airtable",
+  displayName: "Airtable",
+  description: "Query and update Airtable records for lightweight operational databases.",
+  auth: { kind: "api-key", hint: "Airtable personal access token." },
+  category: "spreadsheet",
+  defaultConsistencyModel: "authoritative",
+  baseUrl: "https://api.airtable.com",
+  test: { method: "GET", path: "/v0/meta/whoami" },
+  capabilities: [
+    {
+      name: "records.list",
+      class: "read",
+      description: "List records in a table.",
+      parameters: {
+        ...baseTableParams,
+        properties: {
+          ...baseTableParams.properties,
+          maxRecords: { type: "integer", minimum: 1, maximum: 100 },
+          filterByFormula: { type: "string" }
+        }
+      },
+      request: { method: "GET", path: "/v0/{baseId}/{tableName}", query: { maxRecords: "{maxRecords}", filterByFormula: "{filterByFormula}" } }
+    },
+    {
+      name: "records.get",
+      class: "read",
+      description: "Read a single Airtable record.",
+      parameters: {
+        type: "object",
+        properties: { baseId: { type: "string" }, tableName: { type: "string" }, recordId: { type: "string" } },
+        required: ["baseId", "tableName", "recordId"]
+      },
+      request: { method: "GET", path: "/v0/{baseId}/{tableName}/{recordId}" }
+    },
+    {
+      name: "records.create",
+      class: "mutation",
+      description: "Create an Airtable record.",
+      parameters: {
+        type: "object",
+        properties: { baseId: { type: "string" }, tableName: { type: "string" }, fields: { type: "object" } },
+        required: ["baseId", "tableName", "fields"]
+      },
+      request: { method: "POST", path: "/v0/{baseId}/{tableName}", body: { fields: "{fields}" } },
+      cas: "native-idempotency"
+    },
+    {
+      name: "records.update",
+      class: "mutation",
+      description: "Update an Airtable record.",
+      parameters: {
+        type: "object",
+        properties: { baseId: { type: "string" }, tableName: { type: "string" }, recordId: { type: "string" }, fields: { type: "object" } },
+        required: ["baseId", "tableName", "recordId", "fields"]
+      },
+      request: { method: "PATCH", path: "/v0/{baseId}/{tableName}/{recordId}", body: { fields: "{fields}" } },
+      cas: "optimistic-read-verify"
+    }
+  ]
+});
+
+// src/connectors/adapters/asana.ts
+var asanaConnector = declarativeRestConnector({
+  kind: "asana",
+  displayName: "Asana",
+  description: "Search projects/tasks and create or update Asana tasks.",
+  auth: { kind: "api-key", hint: "Asana personal access token." },
+  category: "other",
+  defaultConsistencyModel: "authoritative",
+  baseUrl: "https://app.asana.com/api/1.0",
+  test: { method: "GET", path: "/users/me" },
+  capabilities: [
+    {
+      name: "projects.search",
+      class: "read",
+      description: "List or search projects in a workspace.",
+      parameters: {
+        type: "object",
+        properties: { workspace: { type: "string" }, archived: { type: "boolean" }, limit: { type: "integer" } },
+        required: ["workspace"]
+      },
+      request: { method: "GET", path: "/projects", query: { workspace: "{workspace}", archived: "{archived}", limit: "{limit}" } }
+    },
+    {
+      name: "tasks.search",
+      class: "read",
+      description: "Search tasks in a workspace.",
+      parameters: {
+        type: "object",
+        properties: { workspace: { type: "string" }, text: { type: "string" }, limit: { type: "integer" } },
+        required: ["workspace"]
+      },
+      request: { method: "GET", path: "/workspaces/{workspace}/tasks/search", query: { text: "{text}", limit: "{limit}" } }
+    },
+    {
+      name: "tasks.create",
+      class: "mutation",
+      description: "Create an Asana task.",
+      parameters: {
+        type: "object",
+        properties: { data: { type: "object" } },
+        required: ["data"]
+      },
+      request: { method: "POST", path: "/tasks", body: { data: "{data}" } },
+      cas: "native-idempotency"
+    },
+    {
+      name: "tasks.update",
+      class: "mutation",
+      description: "Update an Asana task.",
+      parameters: {
+        type: "object",
+        properties: { taskGid: { type: "string" }, data: { type: "object" } },
+        required: ["taskGid", "data"]
+      },
+      request: { method: "PUT", path: "/tasks/{taskGid}", body: { data: "{data}" } },
+      cas: "optimistic-read-verify"
+    }
+  ]
+});
+
+// src/connectors/adapters/salesforce.ts
+var salesforceConnector = declarativeRestConnector({
+  kind: "salesforce",
+  displayName: "Salesforce",
+  description: "Query Salesforce records with SOQL and create or update sObjects.",
+  auth: {
+    kind: "oauth2",
+    authorizationUrl: "https://login.salesforce.com/services/oauth2/authorize",
+    tokenUrl: "https://login.salesforce.com/services/oauth2/token",
+    scopes: ["api", "refresh_token"],
+    clientIdEnv: "SALESFORCE_OAUTH_CLIENT_ID",
+    clientSecretEnv: "SALESFORCE_OAUTH_CLIENT_SECRET"
+  },
+  category: "crm",
+  defaultConsistencyModel: "authoritative",
+  baseUrl: { metadataKey: "instanceUrl" },
+  test: { method: "GET", path: "/services/data/v61.0/" },
+  capabilities: [
+    {
+      name: "records.query",
+      class: "read",
+      description: "Run a SOQL query.",
+      parameters: {
+        type: "object",
+        properties: { q: { type: "string" } },
+        required: ["q"]
+      },
+      request: { method: "GET", path: "/services/data/v61.0/query", query: { q: "{q}" } },
+      requiredScopes: ["api"]
+    },
+    {
+      name: "records.get",
+      class: "read",
+      description: "Read a Salesforce sObject record.",
+      parameters: {
+        type: "object",
+        properties: { objectName: { type: "string" }, recordId: { type: "string" } },
+        required: ["objectName", "recordId"]
+      },
+      request: { method: "GET", path: "/services/data/v61.0/sobjects/{objectName}/{recordId}" },
+      requiredScopes: ["api"]
+    },
+    {
+      name: "records.create",
+      class: "mutation",
+      description: "Create a Salesforce sObject record.",
+      parameters: {
+        type: "object",
+        properties: { objectName: { type: "string" }, fields: { type: "object" } },
+        required: ["objectName", "fields"]
+      },
+      request: { method: "POST", path: "/services/data/v61.0/sobjects/{objectName}", body: "{fields}" },
+      cas: "native-idempotency",
+      requiredScopes: ["api"]
+    },
+    {
+      name: "records.update",
+      class: "mutation",
+      description: "Update a Salesforce sObject record.",
+      parameters: {
+        type: "object",
+        properties: { objectName: { type: "string" }, recordId: { type: "string" }, fields: { type: "object" } },
+        required: ["objectName", "recordId", "fields"]
+      },
+      request: { method: "PATCH", path: "/services/data/v61.0/sobjects/{objectName}/{recordId}", body: "{fields}" },
+      cas: "etag-if-match",
+      requiredScopes: ["api"]
+    }
+  ]
+});
+
+export {
+  ResourceContention,
+  CredentialsExpired,
+  validateConnectorManifest,
+  assertValidConnectorManifest,
+  InMemoryOAuthFlowStore,
+  startOAuthFlow,
+  consumePendingFlow,
+  exchangeAuthorizationCode,
+  refreshAccessToken,
+  _resetPendingFlowsForTests,
+  DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  parseStripeSignatureHeader,
+  verifyStripeSignature,
+  verifySlackSignature,
+  verifyHmacSignature,
+  verifyTwilioSignature,
+  firstHeader,
+  googleCalendar,
+  googleSheets,
+  microsoftCalendar,
+  hubspot,
+  slack,
+  notionDatabase,
+  declarativeRestConnector,
+  twilioSmsConnector,
+  stripePackConnector,
+  webhookConnector,
+  stripeWebhookReceiverConnector,
+  slackEventsConnector,
+  githubConnector,
+  gitlabConnector,
+  airtableConnector,
+  asanaConnector,
+  salesforceConnector
+};
+//# sourceMappingURL=chunk-IDX3KIPA.js.map