@tangle-network/agent-integrations 0.25.6 → 0.26.0

package/README.md

@@ -172,6 +172,8 @@ OAuth credentials.
 | `buildCanonicalLaunchConnectors` | Product-ready launch action schemas for Calendar, Gmail, Drive, GitHub, and Slack. |
 | `validateProviderPassthroughRequest` | Policy-gated provider-native HTTP escape hatch validation. |
 | `buildIntegrationToolCatalog` | Converts connector actions into agent/tool definitions. |
+| `discoverWorkspaceCapabilities` | Per-workspace capability discovery: scope-gated, MCP-shape tool descriptors for agent runtime binding. |
+| `WebhookRouter` (+ `stripeWebhookProvider`, `docusealWebhookProvider`, `slackWebhookProvider`, `gmailWebhookProvider`, `gdriveWebhookProvider`, `genericHmacWebhookProvider`) | Inbound webhook router: verify signature, parse, idempotency dedup, async deliver. |
 | `searchIntegrationTools` | Intent search over normalized integration tools. |
 | `buildDefaultIntegrationRegistry` | Composes setup specs and vendored catalog metadata into one deduplicated connector registry. |
 | `composeIntegrationRegistry` | Merges arbitrary catalog sources with explicit aliases, precedence, support tiers, and conflict diagnostics. |
@@ -317,13 +319,16 @@ package-runtime execution.
 Current first-party adapters:
 
 - Google Calendar
-- Microsoft Calendar
+- Google Drive
 - Google Sheets
+- Gmail
+- Microsoft Calendar
 - Slack
 - Slack Events
 - HubSpot
 - Notion database
-- Stripe payments pack
+- DocuSeal
+- Stripe payments pack (customers, invoices, checkout, subscriptions, billing portal)
 - Stripe webhook receiver
 - Twilio SMS
 - Generic webhook
@@ -349,6 +354,10 @@ Runnable examples live in [`examples/`](./examples):
   REST connector spec.
 - [`examples/calendar-exercise-app.ts`](./examples/calendar-exercise-app.ts) -
   generated-app golden path: manifest, consent copy, bridge env, and invoke.
+- [`examples/discover-capabilities.ts`](./examples/discover-capabilities.ts) -
+  per-workspace capability discovery for agent tool-registry binding.
+- [`examples/webhook-router.ts`](./examples/webhook-router.ts) - inbound
+  webhook router with Stripe, DocuSeal, and Slack providers wired in.
 
 The README stays short; examples are separate so they can be copied and expanded
 without obscuring the package contract.

package/dist/bin/tangle-catalog-runtime.js

@@ -4,10 +4,11 @@ import {
   buildTangleCatalogRuntimePackageManifest,
   renderTangleCatalogRuntimePnpmAddCommand,
   startTangleCatalogRuntimeNodeServer
-} from "../chunk-S54DPRDU.js";
+} from "../chunk-ALCIWTIR.js";
 import "../chunk-4JQ754PA.js";
 import "../chunk-376UBTNB.js";
-import "../chunk-WC63AI4Q.js";
+import "../chunk-GA4VTE3U.js";
+import "../chunk-2TW2QKGZ.js";
 
 // src/bin/tangle-catalog-runtime.ts
 var args = new Set(process.argv.slice(2));

package/dist/bin/tangle-catalog-runtime.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/bin/tangle-catalog-runtime.ts"],"sourcesContent":["#!/usr/bin/env node\nimport {\n  buildTangleCatalogRuntimePackageManifest,\n  renderTangleCatalogRuntimePnpmAddCommand,\n} from '../tangle-catalog.js'\nimport { auditTangleCatalogRuntimePackages } from '../tangle-catalog-runtime.js'\nimport { startTangleCatalogRuntimeNodeServer } from '../tangle-catalog-runtime-server.js'\n\nconst args = new Set(process.argv.slice(2))\nif (args.has('--print-package-json')) {\n  console.log(JSON.stringify(buildTangleCatalogRuntimePackageManifest({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }), null, 2))\n  process.exit(0)\n}\n\nif (args.has('--print-pnpm-add')) {\n  console.log(renderTangleCatalogRuntimePnpmAddCommand({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }))\n  process.exit(0)\n}\n\nif (args.has('--audit-packages')) {\n  const connectorIds = process.env.TANGLE_CATALOG_AUDIT_CONNECTORS\n    ?.split(',')\n    .map((id) => id.trim())\n    .filter(Boolean)\n  console.log(JSON.stringify(await auditTangleCatalogRuntimePackages({ connectorIds }), null, 2))\n  process.exit(0)\n}\n\nconst secret = process.env.TANGLE_CATALOG_RUNTIME_SECRET\nif (!secret || secret.length < 32) {\n  console.error('TANGLE_CATALOG_RUNTIME_SECRET must be set to at least 32 characters.')\n  process.exit(1)\n}\n\nconst authResolverUrl = process.env.TANGLE_CATALOG_AUTH_RESOLVER_URL\nconst authResolverSecret = process.env.TANGLE_CATALOG_AUTH_RESOLVER_SECRET\nif (Boolean(authResolverUrl) !== Boolean(authResolverSecret)) {\n  console.error('TANGLE_CATALOG_AUTH_RESOLVER_URL and TANGLE_CATALOG_AUTH_RESOLVER_SECRET must be set together.')\n  process.exit(1)\n}\n\nconst port = Number(process.env.PORT ?? process.env.TANGLE_CATALOG_RUNTIME_PORT ?? 4109)\nif (!Number.isInteger(port) || port < 1 || port > 65_535) {\n  console.error('PORT must be an integer between 1 and 65535.')\n  process.exit(1)\n}\n\nconst server = await startTangleCatalogRuntimeNodeServer({\n  secret,\n  host: process.env.HOST ?? process.env.TANGLE_CATALOG_RUNTIME_HOST ?? '0.0.0.0',\n  port,\n  authResolver: authResolverUrl && authResolverSecret\n    ? {\n        endpoint: authResolverUrl,\n        secret: authResolverSecret,\n      }\n    : false,\n  onLog: (event) => {\n    const line = JSON.stringify({\n      level: event.level,\n      message: event.message,\n      ...event.metadata,\n    })\n    if (event.level === 'error') console.error(line)\n    else console.log(line)\n  },\n})\n\nconsole.log(JSON.stringify({\n  level: 'info',\n  message: 'Tangle catalog runtime listening.',\n  url: server.url,\n}))\n\nfor (const signal of ['SIGINT', 'SIGTERM'] as const) {\n  process.once(signal, async () => {\n    await server.close()\n    process.exit(0)\n  })\n}\n"],"mappings":";;;;;;;;;;;;AAQA,IAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC;AAC1C,IAAI,KAAK,IAAI,sBAAsB,GAAG;AACpC,UAAQ,IAAI,KAAK,UAAU,yCAAyC;AAAA,IAClE,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,GAAG,MAAM,CAAC,CAAC;AACZ,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,UAAQ,IAAI,yCAAyC;AAAA,IACnD,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,CAAC;AACF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,QAAM,eAAe,QAAQ,IAAI,iCAC7B,MAAM,GAAG,EACV,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EACrB,OAAO,OAAO;AACjB,UAAQ,IAAI,KAAK,UAAU,MAAM,kCAAkC,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;AAC9F,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,QAAQ,IAAI;AAC3B,IAAI,CAAC,UAAU,OAAO,SAAS,IAAI;AACjC,UAAQ,MAAM,sEAAsE;AACpF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,kBAAkB,QAAQ,IAAI;AACpC,IAAM,qBAAqB,QAAQ,IAAI;AACvC,IAAI,QAAQ,eAAe,MAAM,QAAQ,kBAAkB,GAAG;AAC5D,UAAQ,MAAM,gGAAgG;AAC9G,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,OAAO,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B,IAAI;AACvF,IAAI,CAAC,OAAO,UAAU,IAAI,KAAK,OAAO,KAAK,OAAO,OAAQ;AACxD,UAAQ,MAAM,8CAA8C;AAC5D,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,MAAM,oCAAoC;AAAA,EACvD;AAAA,EACA,MAAM,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B;AAAA,EACrE;AAAA,EACA,cAAc,mBAAmB,qBAC7B;AAAA,IACE,UAAU;AAAA,IACV,QAAQ;AAAA,EACV,IACA;AAAA,EACJ,OAAO,CAAC,UAAU;AAChB,UAAM,OAAO,KAAK,UAAU;AAAA,MAC1B,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,GAAG,MAAM;AAAA,IACX,CAAC;AACD,QAAI,MAAM,UAAU,QAAS,SAAQ,MAAM,IAAI;AAAA,QAC1C,SAAQ,IAAI,IAAI;AAAA,EACvB;AACF,CAAC;AAED,QAAQ,IAAI,KAAK,UAAU;AAAA,EACzB,OAAO;AAAA,EACP,SAAS;AAAA,EACT,KAAK,OAAO;AACd,CAAC,CAAC;AAEF,WAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACnD,UAAQ,KAAK,QAAQ,YAAY;AAC/B,UAAM,OAAO,MAAM;AACnB,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../src/bin/tangle-catalog-runtime.ts"],"sourcesContent":["#!/usr/bin/env node\nimport {\n  buildTangleCatalogRuntimePackageManifest,\n  renderTangleCatalogRuntimePnpmAddCommand,\n} from '../tangle-catalog.js'\nimport { auditTangleCatalogRuntimePackages } from '../tangle-catalog-runtime.js'\nimport { startTangleCatalogRuntimeNodeServer } from '../tangle-catalog-runtime-server.js'\n\nconst args = new Set(process.argv.slice(2))\nif (args.has('--print-package-json')) {\n  console.log(JSON.stringify(buildTangleCatalogRuntimePackageManifest({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }), null, 2))\n  process.exit(0)\n}\n\nif (args.has('--print-pnpm-add')) {\n  console.log(renderTangleCatalogRuntimePnpmAddCommand({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }))\n  process.exit(0)\n}\n\nif (args.has('--audit-packages')) {\n  const connectorIds = process.env.TANGLE_CATALOG_AUDIT_CONNECTORS\n    ?.split(',')\n    .map((id) => id.trim())\n    .filter(Boolean)\n  console.log(JSON.stringify(await auditTangleCatalogRuntimePackages({ connectorIds }), null, 2))\n  process.exit(0)\n}\n\nconst secret = process.env.TANGLE_CATALOG_RUNTIME_SECRET\nif (!secret || secret.length < 32) {\n  console.error('TANGLE_CATALOG_RUNTIME_SECRET must be set to at least 32 characters.')\n  process.exit(1)\n}\n\nconst authResolverUrl = process.env.TANGLE_CATALOG_AUTH_RESOLVER_URL\nconst authResolverSecret = process.env.TANGLE_CATALOG_AUTH_RESOLVER_SECRET\nif (Boolean(authResolverUrl) !== Boolean(authResolverSecret)) {\n  console.error('TANGLE_CATALOG_AUTH_RESOLVER_URL and TANGLE_CATALOG_AUTH_RESOLVER_SECRET must be set together.')\n  process.exit(1)\n}\n\nconst port = Number(process.env.PORT ?? process.env.TANGLE_CATALOG_RUNTIME_PORT ?? 4109)\nif (!Number.isInteger(port) || port < 1 || port > 65_535) {\n  console.error('PORT must be an integer between 1 and 65535.')\n  process.exit(1)\n}\n\nconst server = await startTangleCatalogRuntimeNodeServer({\n  secret,\n  host: process.env.HOST ?? process.env.TANGLE_CATALOG_RUNTIME_HOST ?? '0.0.0.0',\n  port,\n  authResolver: authResolverUrl && authResolverSecret\n    ? {\n        endpoint: authResolverUrl,\n        secret: authResolverSecret,\n      }\n    : false,\n  onLog: (event) => {\n    const line = JSON.stringify({\n      level: event.level,\n      message: event.message,\n      ...event.metadata,\n    })\n    if (event.level === 'error') console.error(line)\n    else console.log(line)\n  },\n})\n\nconsole.log(JSON.stringify({\n  level: 'info',\n  message: 'Tangle catalog runtime listening.',\n  url: server.url,\n}))\n\nfor (const signal of ['SIGINT', 'SIGTERM'] as const) {\n  process.once(signal, async () => {\n    await server.close()\n    process.exit(0)\n  })\n}\n"],"mappings":";;;;;;;;;;;;;AAQA,IAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC;AAC1C,IAAI,KAAK,IAAI,sBAAsB,GAAG;AACpC,UAAQ,IAAI,KAAK,UAAU,yCAAyC;AAAA,IAClE,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,GAAG,MAAM,CAAC,CAAC;AACZ,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,UAAQ,IAAI,yCAAyC;AAAA,IACnD,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,CAAC;AACF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,QAAM,eAAe,QAAQ,IAAI,iCAC7B,MAAM,GAAG,EACV,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EACrB,OAAO,OAAO;AACjB,UAAQ,IAAI,KAAK,UAAU,MAAM,kCAAkC,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;AAC9F,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,QAAQ,IAAI;AAC3B,IAAI,CAAC,UAAU,OAAO,SAAS,IAAI;AACjC,UAAQ,MAAM,sEAAsE;AACpF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,kBAAkB,QAAQ,IAAI;AACpC,IAAM,qBAAqB,QAAQ,IAAI;AACvC,IAAI,QAAQ,eAAe,MAAM,QAAQ,kBAAkB,GAAG;AAC5D,UAAQ,MAAM,gGAAgG;AAC9G,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,OAAO,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B,IAAI;AACvF,IAAI,CAAC,OAAO,UAAU,IAAI,KAAK,OAAO,KAAK,OAAO,OAAQ;AACxD,UAAQ,MAAM,8CAA8C;AAC5D,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,MAAM,oCAAoC;AAAA,EACvD;AAAA,EACA,MAAM,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B;AAAA,EACrE;AAAA,EACA,cAAc,mBAAmB,qBAC7B;AAAA,IACE,UAAU;AAAA,IACV,QAAQ;AAAA,EACV,IACA;AAAA,EACJ,OAAO,CAAC,UAAU;AAChB,UAAM,OAAO,KAAK,UAAU;AAAA,MAC1B,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,GAAG,MAAM;AAAA,IACX,CAAC;AACD,QAAI,MAAM,UAAU,QAAS,SAAQ,MAAM,IAAI;AAAA,QAC1C,SAAQ,IAAI,IAAI;AAAA,EACvB;AACF,CAAC;AAED,QAAQ,IAAI,KAAK,UAAU;AAAA,EACzB,OAAO;AAAA,EACP,SAAS;AAAA,EACT,KAAK,OAAO;AACd,CAAC,CAAC;AAEF,WAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACnD,UAAQ,KAAK,QAAQ,YAAY;AAC/B,UAAM,OAAO,MAAM;AACnB,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":[]}

package/dist/catalog.d.ts

@@ -1,4 +1,4 @@
 export { I as IntegrationCatalogView, a as IntegrationToolDefinition, b as IntegrationToolSearchFilters, c as IntegrationToolSearchResult, M as McpToolDefinition, d as buildIntegrationCatalogView, e as buildIntegrationToolCatalog, i as integrationToolName, p as parseIntegrationToolName, s as searchIntegrationTools, t as toMcpTools } from './registry.js';
-import './index-BQY5ry2s.js';
+import './index-D4D4CEKX.js';
 import './connectors/index.js';
 import 'node:http';

package/dist/catalog.js

@@ -5,10 +5,11 @@ import {
   parseIntegrationToolName,
   searchIntegrationTools,
   toMcpTools
-} from "./chunk-S54DPRDU.js";
+} from "./chunk-ALCIWTIR.js";
 import "./chunk-4JQ754PA.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-WC63AI4Q.js";
+import "./chunk-GA4VTE3U.js";
+import "./chunk-2TW2QKGZ.js";
 export {
   buildIntegrationCatalogView,
   buildIntegrationToolCatalog,

package/dist/chunk-2TW2QKGZ.js

@@ -0,0 +1,94 @@
+// src/connectors/webhooks.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var DEFAULT_SIGNATURE_TOLERANCE_SECONDS = 5 * 60;
+function parseStripeSignatureHeader(header) {
+  const acc = { sigs: [] };
+  for (const part of header.split(",")) {
+    const idx = part.indexOf("=");
+    if (idx < 0) continue;
+    const key = part.slice(0, idx).trim();
+    const val = part.slice(idx + 1).trim();
+    if (key === "t") {
+      const n = Number(val);
+      if (Number.isFinite(n)) acc.ts = n;
+    } else if (key === "v1") {
+      acc.sigs.push(val);
+    }
+  }
+  if (acc.ts === void 0 || acc.sigs.length === 0) return null;
+  return { t: acc.ts, sigs: acc.sigs };
+}
+function verifyStripeSignature(rawBody, signatureHeader, secret, options = {}) {
+  const parsed = parseStripeSignatureHeader(signatureHeader);
+  if (!parsed) return false;
+  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - parsed.t) > tolerance) return false;
+  const expected = createHmac("sha256", secret).update(`${parsed.t}.${rawBody}`).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  for (const sig of parsed.sigs) {
+    const sigBuf = Buffer.from(sig, "utf8");
+    if (sigBuf.length !== expectedBuf.length) continue;
+    if (timingSafeEqual(sigBuf, expectedBuf)) return true;
+  }
+  return false;
+}
+function verifySlackSignature(rawBody, signatureHeader, timestampHeader, secret, options = {}) {
+  if (!signatureHeader.startsWith("v0=")) return false;
+  const ts = Number(timestampHeader);
+  if (!Number.isFinite(ts)) return false;
+  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - ts) > tolerance) return false;
+  const expected = "v0=" + createHmac("sha256", secret).update(`v0:${ts}:${rawBody}`).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const sigBuf = Buffer.from(signatureHeader, "utf8");
+  if (sigBuf.length !== expectedBuf.length) return false;
+  return timingSafeEqual(sigBuf, expectedBuf);
+}
+function verifyHmacSignature(rawBody, signatureHeader, secret, options = {}) {
+  const algorithm = options.algorithm ?? "sha256";
+  const prefix = options.signaturePrefix ?? "";
+  const lower = options.lowercaseHex ?? true;
+  let candidate = signatureHeader;
+  if (prefix) {
+    if (!candidate.startsWith(prefix)) return false;
+    candidate = candidate.slice(prefix.length);
+  }
+  if (lower) candidate = candidate.toLowerCase();
+  const expected = createHmac(algorithm, secret).update(rawBody).digest("hex");
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const sigBuf = Buffer.from(candidate, "utf8");
+  if (sigBuf.length !== expectedBuf.length) return false;
+  return timingSafeEqual(sigBuf, expectedBuf);
+}
+function verifyTwilioSignature(input, options = {}) {
+  if (!input.authToken) {
+    return options.skipWhenAuthTokenMissing === true;
+  }
+  const signature = input.signatureHeader;
+  if (!signature || Array.isArray(signature)) return false;
+  if (!input.fullUrl) return false;
+  const data = options.bodyAsRaw === true ? input.fullUrl + (options.rawBody ?? "") : Object.keys(input.params ?? {}).sort().reduce((acc, key) => acc + key + (input.params[key] ?? ""), input.fullUrl);
+  const expected = createHmac("sha1", input.authToken).update(data).digest("base64");
+  const expectedBuf = Buffer.from(expected);
+  const sigBuf = Buffer.from(signature);
+  if (expectedBuf.length !== sigBuf.length) return false;
+  return timingSafeEqual(expectedBuf, sigBuf);
+}
+function firstHeader(headers, name) {
+  const v = headers[name] ?? headers[name.toLowerCase()] ?? Object.entries(headers).find(([key]) => key.toLowerCase() === name.toLowerCase())?.[1];
+  if (Array.isArray(v)) return v[0];
+  return typeof v === "string" ? v : void 0;
+}
+
+export {
+  DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
+  parseStripeSignatureHeader,
+  verifyStripeSignature,
+  verifySlackSignature,
+  verifyHmacSignature,
+  verifyTwilioSignature,
+  firstHeader
+};
+//# sourceMappingURL=chunk-2TW2QKGZ.js.map

package/dist/chunk-2TW2QKGZ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/connectors/webhooks.ts"],"sourcesContent":["/**\n * Inbound webhook signature verifiers — provider-specific HMAC schemes.\n *\n * Each signature scheme is a pure function:\n *   (rawBody: string, headers, secret, now?) → boolean\n *\n * Constant-time comparison via `crypto.timingSafeEqual`. Timestamps are\n * checked against a configurable tolerance to bound replay risk; the default\n * mirrors the upstream provider's documented window (Stripe: 5 min, Slack: 5 min).\n *\n * These verifiers are the building blocks for any inbound-webhook receiver\n * (a route + a `verify` call + a per-event handler). They live in this\n * package so every consumer of the integration substrate gets correct\n * verification — not just one product reimplementing it.\n */\n\nimport { createHmac, timingSafeEqual } from 'node:crypto'\n\n/** Default replay-protection window. Providers commonly use 5 minutes. */\nexport const DEFAULT_SIGNATURE_TOLERANCE_SECONDS = 5 * 60\n\n// ─── Stripe ─────────────────────────────────────────────────────────────\n//\n// Stripe signs webhooks with a single header `Stripe-Signature` of the form\n//\n//   t=<timestamp>,v1=<sig1>,v1=<sig2>,...\n//\n// where `t` is the Unix timestamp the event was generated, and each `v1`\n// is `HMAC-SHA256(secret, \"<t>.<rawBody>\")`. Multiple `v1` entries appear\n// during secret rotation — any one matching is sufficient.\n//\n// https://stripe.com/docs/webhooks/signatures\n\nexport interface ParsedStripeSignatureHeader {\n  t: number\n  sigs: string[]\n}\n\nexport function parseStripeSignatureHeader(header: string): ParsedStripeSignatureHeader | null {\n  const acc: { ts?: number; sigs: string[] } = { sigs: [] }\n  for (const part of header.split(',')) {\n    const idx = part.indexOf('=')\n    if (idx < 0) continue\n    const key = part.slice(0, idx).trim()\n    const val = part.slice(idx + 1).trim()\n    if (key === 't') {\n      const n = Number(val)\n      if (Number.isFinite(n)) acc.ts = n\n    } else if (key === 'v1') {\n      acc.sigs.push(val)\n    }\n  }\n  if (acc.ts === undefined || acc.sigs.length === 0) return null\n  return { t: acc.ts, sigs: acc.sigs }\n}\n\nexport interface StripeVerifyOptions {\n  /** Replay-protection window in seconds. Default 300. */\n  toleranceSeconds?: number\n  /** Override `now()` for tests. UTC seconds. */\n  now?: number\n}\n\n/** Verify a Stripe webhook signature against the raw request body. */\nexport function verifyStripeSignature(\n  rawBody: string,\n  signatureHeader: string,\n  secret: string,\n  options: StripeVerifyOptions = {},\n): boolean {\n  const parsed = parseStripeSignatureHeader(signatureHeader)\n  if (!parsed) return false\n  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS\n  const now = options.now ?? Math.floor(Date.now() / 1000)\n  if (Math.abs(now - parsed.t) > tolerance) return false\n  const expected = createHmac('sha256', secret).update(`${parsed.t}.${rawBody}`).digest('hex')\n  const expectedBuf = Buffer.from(expected, 'utf8')\n  for (const sig of parsed.sigs) {\n    const sigBuf = Buffer.from(sig, 'utf8')\n    if (sigBuf.length !== expectedBuf.length) continue\n    if (timingSafeEqual(sigBuf, expectedBuf)) return true\n  }\n  return false\n}\n\n// ─── Slack ──────────────────────────────────────────────────────────────\n//\n// Slack signs request bodies with two headers:\n//\n//   X-Slack-Signature:         v0=<HMAC-SHA256(secret, \"v0:<ts>:<body>\")>\n//   X-Slack-Request-Timestamp: <ts>\n//\n// https://api.slack.com/authentication/verifying-requests-from-slack\n\nexport interface SlackVerifyOptions {\n  toleranceSeconds?: number\n  now?: number\n}\n\nexport function verifySlackSignature(\n  rawBody: string,\n  signatureHeader: string,\n  timestampHeader: string,\n  secret: string,\n  options: SlackVerifyOptions = {},\n): boolean {\n  if (!signatureHeader.startsWith('v0=')) return false\n  const ts = Number(timestampHeader)\n  if (!Number.isFinite(ts)) return false\n  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS\n  const now = options.now ?? Math.floor(Date.now() / 1000)\n  if (Math.abs(now - ts) > tolerance) return false\n  const expected = 'v0=' + createHmac('sha256', secret).update(`v0:${ts}:${rawBody}`).digest('hex')\n  const expectedBuf = Buffer.from(expected, 'utf8')\n  const sigBuf = Buffer.from(signatureHeader, 'utf8')\n  if (sigBuf.length !== expectedBuf.length) return false\n  return timingSafeEqual(sigBuf, expectedBuf)\n}\n\n// ─── Generic HMAC ───────────────────────────────────────────────────────\n//\n// For \"we shipped a webhook URL with a shared HMAC secret\" patterns —\n// covers any custom integration where the operator picks the message\n// format. The signed message is the literal `rawBody` (no timestamp\n// prefix); replay protection is the caller's responsibility (use a\n// nonce header + a small dedup cache).\n\nexport interface GenericHmacVerifyOptions {\n  /** sha256 (default) | sha1 | sha512 — matches the algorithm the receiver\n   *  computed at sign time. */\n  algorithm?: 'sha256' | 'sha1' | 'sha512'\n  /** Optional prefix the receiver prepends to the signature in the header\n   *  (e.g., `'sha256='`). Stripped before constant-time comparison. */\n  signaturePrefix?: string\n  /** Lowercase comparison (most providers emit hex-lowercase). Default true. */\n  lowercaseHex?: boolean\n}\n\nexport function verifyHmacSignature(\n  rawBody: string,\n  signatureHeader: string,\n  secret: string,\n  options: GenericHmacVerifyOptions = {},\n): boolean {\n  const algorithm = options.algorithm ?? 'sha256'\n  const prefix = options.signaturePrefix ?? ''\n  const lower = options.lowercaseHex ?? true\n  let candidate = signatureHeader\n  if (prefix) {\n    if (!candidate.startsWith(prefix)) return false\n    candidate = candidate.slice(prefix.length)\n  }\n  if (lower) candidate = candidate.toLowerCase()\n  const expected = createHmac(algorithm, secret).update(rawBody).digest('hex')\n  const expectedBuf = Buffer.from(expected, 'utf8')\n  const sigBuf = Buffer.from(candidate, 'utf8')\n  if (sigBuf.length !== expectedBuf.length) return false\n  return timingSafeEqual(sigBuf, expectedBuf)\n}\n\n// ─── Twilio ─────────────────────────────────────────────────────────────\n//\n// Twilio's webhook signature scheme is unlike Stripe/Slack — it doesn't\n// sign the raw body. It signs the concatenation of:\n//\n//     fullUrl + sortedConcatenatedParams\n//\n// where `fullUrl` is the public URL Twilio called (scheme + host + path\n// + query, exactly as Twilio constructed it from your console config),\n// and `sortedConcatenatedParams` is `key1+value1+key2+value2+...` over\n// the alphabetically-sorted keys of the POST body params (form-encoded).\n//\n// For JSON-bodied Twilio webhooks (Conversations API), the body is signed\n// as raw bytes — pass `{ bodyAsRaw: true, rawBody }` for that path.\n//\n// HMAC-SHA1, base64-encoded. Header: `X-Twilio-Signature`.\n//\n// https://www.twilio.com/docs/usage/webhooks/webhooks-security\n\nexport interface TwilioVerifyOptions {\n  /** Skip verification when the auth token isn't configured. Useful in\n   *  dev where the receiver wants to accept any payload. Default `false`\n   *  — production should always require a configured token. */\n  skipWhenAuthTokenMissing?: boolean\n  /** When true, sign the raw body instead of the URL-encoded sorted-params\n   *  reduction. Twilio uses raw-body signing for `application/json`\n   *  webhook bodies. Default `false`. */\n  bodyAsRaw?: boolean\n  /** When `bodyAsRaw` is true, the raw body to sign. Ignored otherwise. */\n  rawBody?: string\n}\n\n/** Verify a Twilio webhook signature. */\nexport function verifyTwilioSignature(\n  input: {\n    authToken: string | null | undefined\n    signatureHeader: string | string[] | undefined\n    fullUrl: string | null | undefined\n    params: Record<string, string> | undefined\n  },\n  options: TwilioVerifyOptions = {},\n): boolean {\n  if (!input.authToken) {\n    return options.skipWhenAuthTokenMissing === true\n  }\n  const signature = input.signatureHeader\n  if (!signature || Array.isArray(signature)) return false\n  if (!input.fullUrl) return false\n\n  const data = options.bodyAsRaw === true\n    ? input.fullUrl + (options.rawBody ?? '')\n    : Object.keys(input.params ?? {})\n        .sort()\n        .reduce((acc, key) => acc + key + (input.params![key] ?? ''), input.fullUrl)\n\n  const expected = createHmac('sha1', input.authToken).update(data).digest('base64')\n  const expectedBuf = Buffer.from(expected)\n  const sigBuf = Buffer.from(signature)\n  if (expectedBuf.length !== sigBuf.length) return false\n  return timingSafeEqual(expectedBuf, sigBuf)\n}\n\n// ─── Header helper ──────────────────────────────────────────────────────\n//\n// Most fastify/express adapters expose request headers as\n// `Record<string, string | string[] | undefined>`. This helper picks the\n// first canonical value for a given name (case-insensitive).\n\nexport function firstHeader(\n  headers: Record<string, string | string[] | undefined>,\n  name: string,\n): string | undefined {\n  const v = headers[name]\n    ?? headers[name.toLowerCase()]\n    ?? Object.entries(headers).find(([key]) => key.toLowerCase() === name.toLowerCase())?.[1]\n  if (Array.isArray(v)) return v[0]\n  return typeof v === 'string' ? v : undefined\n}\n"],"mappings":";AAgBA,SAAS,YAAY,uBAAuB;AAGrC,IAAM,sCAAsC,IAAI;AAmBhD,SAAS,2BAA2B,QAAoD;AAC7F,QAAM,MAAuC,EAAE,MAAM,CAAC,EAAE;AACxD,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,MAAM,KAAK,QAAQ,GAAG;AAC5B,QAAI,MAAM,EAAG;AACb,UAAM,MAAM,KAAK,MAAM,GAAG,GAAG,EAAE,KAAK;AACpC,UAAM,MAAM,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK;AACrC,QAAI,QAAQ,KAAK;AACf,YAAM,IAAI,OAAO,GAAG;AACpB,UAAI,OAAO,SAAS,CAAC,EAAG,KAAI,KAAK;AAAA,IACnC,WAAW,QAAQ,MAAM;AACvB,UAAI,KAAK,KAAK,GAAG;AAAA,IACnB;AAAA,EACF;AACA,MAAI,IAAI,OAAO,UAAa,IAAI,KAAK,WAAW,EAAG,QAAO;AAC1D,SAAO,EAAE,GAAG,IAAI,IAAI,MAAM,IAAI,KAAK;AACrC;AAUO,SAAS,sBACd,SACA,iBACA,QACA,UAA+B,CAAC,GACvB;AACT,QAAM,SAAS,2BAA2B,eAAe;AACzD,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACvD,MAAI,KAAK,IAAI,MAAM,OAAO,CAAC,IAAI,UAAW,QAAO;AACjD,QAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,OAAO,EAAE,EAAE,OAAO,KAAK;AAC3F,QAAM,cAAc,OAAO,KAAK,UAAU,MAAM;AAChD,aAAW,OAAO,OAAO,MAAM;AAC7B,UAAM,SAAS,OAAO,KAAK,KAAK,MAAM;AACtC,QAAI,OAAO,WAAW,YAAY,OAAQ;AAC1C,QAAI,gBAAgB,QAAQ,WAAW,EAAG,QAAO;AAAA,EACnD;AACA,SAAO;AACT;AAgBO,SAAS,qBACd,SACA,iBACA,iBACA,QACA,UAA8B,CAAC,GACtB;AACT,MAAI,CAAC,gBAAgB,WAAW,KAAK,EAAG,QAAO;AAC/C,QAAM,KAAK,OAAO,eAAe;AACjC,MAAI,CAAC,OAAO,SAAS,EAAE,EAAG,QAAO;AACjC,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACvD,MAAI,KAAK,IAAI,MAAM,EAAE,IAAI,UAAW,QAAO;AAC3C,QAAM,WAAW,QAAQ,WAAW,UAAU,MAAM,EAAE,OAAO,MAAM,EAAE,IAAI,OAAO,EAAE,EAAE,OAAO,KAAK;AAChG,QAAM,cAAc,OAAO,KAAK,UAAU,MAAM;AAChD,QAAM,SAAS,OAAO,KAAK,iBAAiB,MAAM;AAClD,MAAI,OAAO,WAAW,YAAY,OAAQ,QAAO;AACjD,SAAO,gBAAgB,QAAQ,WAAW;AAC5C;AAqBO,SAAS,oBACd,SACA,iBACA,QACA,UAAoC,CAAC,GAC5B;AACT,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,SAAS,QAAQ,mBAAmB;AAC1C,QAAM,QAAQ,QAAQ,gBAAgB;AACtC,MAAI,YAAY;AAChB,MAAI,QAAQ;AACV,QAAI,CAAC,UAAU,WAAW,MAAM,EAAG,QAAO;AAC1C,gBAAY,UAAU,MAAM,OAAO,MAAM;AAAA,EAC3C;AACA,MAAI,MAAO,aAAY,UAAU,YAAY;AAC7C,QAAM,WAAW,WAAW,WAAW,MAAM,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC3E,QAAM,cAAc,OAAO,KAAK,UAAU,MAAM;AAChD,QAAM,SAAS,OAAO,KAAK,WAAW,MAAM;AAC5C,MAAI,OAAO,WAAW,YAAY,OAAQ,QAAO;AACjD,SAAO,gBAAgB,QAAQ,WAAW;AAC5C;AAmCO,SAAS,sBACd,OAMA,UAA+B,CAAC,GACvB;AACT,MAAI,CAAC,MAAM,WAAW;AACpB,WAAO,QAAQ,6BAA6B;AAAA,EAC9C;AACA,QAAM,YAAY,MAAM;AACxB,MAAI,CAAC,aAAa,MAAM,QAAQ,SAAS,EAAG,QAAO;AACnD,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,OAAO,QAAQ,cAAc,OAC/B,MAAM,WAAW,QAAQ,WAAW,MACpC,OAAO,KAAK,MAAM,UAAU,CAAC,CAAC,EAC3B,KAAK,EACL,OAAO,CAAC,KAAK,QAAQ,MAAM,OAAO,MAAM,OAAQ,GAAG,KAAK,KAAK,MAAM,OAAO;AAEjF,QAAM,WAAW,WAAW,QAAQ,MAAM,SAAS,EAAE,OAAO,IAAI,EAAE,OAAO,QAAQ;AACjF,QAAM,cAAc,OAAO,KAAK,QAAQ;AACxC,QAAM,SAAS,OAAO,KAAK,SAAS;AACpC,MAAI,YAAY,WAAW,OAAO,OAAQ,QAAO;AACjD,SAAO,gBAAgB,aAAa,MAAM;AAC5C;AAQO,SAAS,YACd,SACA,MACoB;AACpB,QAAM,IAAI,QAAQ,IAAI,KACjB,QAAQ,KAAK,YAAY,CAAC,KAC1B,OAAO,QAAQ,OAAO,EAAE,KAAK,CAAC,CAAC,GAAG,MAAM,IAAI,YAAY,MAAM,KAAK,YAAY,CAAC,IAAI,CAAC;AAC1F,MAAI,MAAM,QAAQ,CAAC,EAAG,QAAO,EAAE,CAAC;AAChC,SAAO,OAAO,MAAM,WAAW,IAAI;AACrC;","names":[]}

package/dist/{chunk-S54DPRDU.js → chunk-ALCIWTIR.js}

@@ -1199,6 +1199,100 @@ function secretKey(ref) {
   return `${ref.provider}:${ref.id}`;
 }
 
+// src/discovery.ts
+async function discoverWorkspaceCapabilities(input) {
+  const connections = await resolveConnections(input);
+  const connectors = await resolveConnectors(input);
+  const activeConnectionsByConnector = /* @__PURE__ */ new Map();
+  for (const conn of connections) {
+    if (conn.status !== "active") continue;
+    if (!activeConnectionsByConnector.has(conn.connectorId)) {
+      activeConnectionsByConnector.set(conn.connectorId, conn);
+    }
+  }
+  const capabilities = [];
+  const triggers = [];
+  const countsByConnector = {};
+  const unreachableConnectors = [];
+  for (const connector of connectors) {
+    const connection = activeConnectionsByConnector.get(connector.id);
+    const connected = Boolean(connection);
+    if (!connected && !input.includeUnconnected) continue;
+    const grantedScopes = new Set(connection?.grantedScopes ?? []);
+    let actionsAdded = 0;
+    for (const action of connector.actions) {
+      const missing2 = action.requiredScopes.filter((scope) => !grantedScopes.has(scope));
+      if (connected && missing2.length > 0 && !input.includeMissingScopes) continue;
+      capabilities.push(toCapability(connector, action, connection));
+      actionsAdded += 1;
+    }
+    for (const trigger2 of connector.triggers ?? []) {
+      const missing2 = trigger2.requiredScopes.filter((scope) => !grantedScopes.has(scope));
+      if (connected && missing2.length > 0 && !input.includeMissingScopes) continue;
+      triggers.push(toTrigger2(connector, trigger2, connection));
+    }
+    countsByConnector[connector.id] = actionsAdded;
+    if (connected && actionsAdded === 0 && connector.actions.length > 0) {
+      unreachableConnectors.push({
+        connectorId: connector.id,
+        reason: "all_actions_missing_scope"
+      });
+    }
+  }
+  return { capabilities, triggers, countsByConnector, unreachableConnectors };
+}
+async function resolveConnections(input) {
+  if (input.connections) return input.connections;
+  if (input.store) return await input.store.listByOwner(input.owner);
+  throw new Error("discoverWorkspaceCapabilities: provide either connections or store");
+}
+async function resolveConnectors(input) {
+  if (input.connectors) return input.connectors;
+  if (input.providers) {
+    const lists = await Promise.all(input.providers.map((p) => Promise.resolve(p.listConnectors())));
+    return lists.flat();
+  }
+  throw new Error("discoverWorkspaceCapabilities: provide either connectors or providers");
+}
+function toCapability(connector, action, connection) {
+  return {
+    id: `${connector.id}.${action.id}`,
+    title: action.title,
+    description: action.description,
+    category: connector.category,
+    connectorId: connector.id,
+    providerId: connector.providerId,
+    actionId: action.id,
+    scopes: action.requiredScopes,
+    risk: action.risk,
+    dataClass: action.dataClass,
+    toolSchema: {
+      name: `${connector.id}.${action.id}`,
+      description: action.description,
+      inputSchema: action.inputSchema,
+      outputSchema: action.outputSchema
+    },
+    connected: Boolean(connection),
+    connectionId: connection?.id,
+    approvalRequired: action.approvalRequired
+  };
+}
+function toTrigger2(connector, trigger2, connection) {
+  return {
+    id: `${connector.id}.${trigger2.id}`,
+    title: trigger2.title,
+    description: trigger2.description,
+    category: connector.category,
+    connectorId: connector.id,
+    providerId: connector.providerId,
+    triggerId: trigger2.id,
+    scopes: trigger2.requiredScopes,
+    dataClass: trigger2.dataClass,
+    connected: Boolean(connection),
+    connectionId: connection?.id
+  };
+}
+
 // src/events.ts
 var InMemoryIntegrationEventStore = class {
   events = /* @__PURE__ */ new Map();
@@ -1362,7 +1456,9 @@ var DefaultIntegrationActionGuard = class {
     }
     try {
       const result = await proceed();
-      await this.writeIdempotency(idempotencyKey, requestHash, result);
+      if (result.ok) {
+        await this.writeIdempotency(idempotencyKey, requestHash, result);
+      }
       await this.audit?.record(createIntegrationAuditEvent({
         type: result.ok ? "action.invoked" : "action.failed",
         actor: ctx.connection.owner,
@@ -3400,7 +3496,8 @@ var IntegrationHub = class {
     assertScopes(connection, action.requiredScopes);
     assertScopes({ ...connection, grantedScopes: capability.scopes }, action.requiredScopes);
     const fullRequest = { ...request, connectionId: connection.id };
-    if (this.policy) {
+    const proceed = async () => {
+      if (!this.policy) return provider.invokeAction(connection, fullRequest);
       const decision = await this.policy.decide({
         connection,
         request: fullRequest,
@@ -3418,8 +3515,8 @@ var IntegrationHub = class {
           metadata: { policyDecision: decision.decision, reason: decision.reason, ...decision.metadata }
         };
       }
-    }
-    const proceed = () => Promise.resolve(provider.invokeAction(connection, fullRequest));
+      return provider.invokeAction(connection, fullRequest);
+    };
     if (this.guard) {
       return this.guard.invokeAction({ connection, request: fullRequest, action }, proceed);
     }
@@ -4370,6 +4467,7 @@ export {
   resolveConnectionCredentials,
   createCredentialBackedAdapterProvider,
   revokeConnection,
+  discoverWorkspaceCapabilities,
   InMemoryIntegrationEventStore,
   receiveIntegrationWebhook,
   storedEventToTriggerEvent,
@@ -4428,4 +4526,4 @@ export {
   signCapability,
   verifyCapabilityToken
 };
-//# sourceMappingURL=chunk-S54DPRDU.js.map
+//# sourceMappingURL=chunk-ALCIWTIR.js.map