@tangle-network/agent-integrations 0.25.7 → 0.26.0

package/dist/registry.d.ts

@@ -1,4 +1,4 @@
-import { C as ConnectorAdapter, R as ResolvedDataSource, a as ConnectorCredentials } from './index-BQY5ry2s.js';
+import { C as ConnectorAdapter, R as ResolvedDataSource, a as ConnectorCredentials } from './index-D4D4CEKX.js';
 import './connectors/index.js';
 import { Server, IncomingMessage, ServerResponse } from 'node:http';
 
@@ -512,6 +512,143 @@ declare function revokeConnection(input: {
     now?: () => Date;
 }): Promise<IntegrationConnection>;
 
+/**
+ * Workspace capability discovery — answers "what can this workspace do?"
+ * with a typed list of MCP-shape tool descriptors that the agent runtime
+ * can flatten into a planner's tool registry.
+ *
+ * The agent runtime's gating question is one level above the existing
+ * connector catalog ("which integrations exist?") and one level below
+ * the issued capability-token surface ("temporarily delegate scope X
+ * via this signed token"). This module bridges the two:
+ *
+ *   discoverWorkspaceCapabilities({ owner, connectors, connections, scopes })
+ *     → WorkspaceCapability[]
+ *
+ * A `WorkspaceCapability` is hand-shaped to be cheap to emit alongside a
+ * connector manifest and trivial to render into:
+ *   - an LLM tool-choice JSON array
+ *   - an MCP `tools/list` response
+ *   - a UI surface ("Connect Gmail to enable: send_reply, list_messages…")
+ *
+ * What this is NOT:
+ *   - A capability-token issuer. That stays in IntegrationHub.issueCapability.
+ *   - A connector registry. That stays in IntegrationRegistry / catalog.
+ *
+ * Scopes are the load-bearing input: a connector advertises N actions,
+ * but only the subset whose `requiredScopes` are a subset of the
+ * connection's `grantedScopes` is reachable. The discovery function
+ * filters on that automatically.
+ *
+ * Stability: `@stable` — additions to WorkspaceCapability must be
+ * additive and non-breaking.
+ */
+
+/** MCP-shape tool descriptor. Mirrors the
+ *  [Model Context Protocol tool schema](https://modelcontextprotocol.io/specification)
+ *  closely enough that consumers can pipe a WorkspaceCapability straight
+ *  into a `tools/list` response. */
+interface WorkspaceToolSchema {
+    name: string;
+    description?: string;
+    /** JSON-schema describing the action's input. */
+    inputSchema?: unknown;
+    /** Optional JSON-schema describing the action's output. */
+    outputSchema?: unknown;
+}
+/** One discoverable capability — an action a connector exposes that the
+ *  workspace has the connection + scopes to invoke. */
+interface WorkspaceCapability {
+    /** Stable, fully-qualified id. Format `<connector-id>.<action-id>`. */
+    id: string;
+    /** Human label safe for UI. */
+    title: string;
+    /** Optional one-line description. */
+    description?: string;
+    /** Connector category for grouping. */
+    category: IntegrationConnectorCategory;
+    /** Connector that hosts this capability. */
+    connectorId: string;
+    /** Provider that hosts this connector (first-party, gateway, …). */
+    providerId: string;
+    /** Underlying action id on the connector. */
+    actionId: string;
+    /** Scopes required to invoke. The discovery function only returns
+     *  capabilities whose required scopes are a subset of the connection's
+     *  grantedScopes. */
+    scopes: string[];
+    /** Risk class — useful for UI ("write" / "destructive" lights). */
+    risk: IntegrationActionRisk;
+    /** Data class of the action's output, when known. */
+    dataClass: IntegrationDataClass;
+    /** MCP-shape tool schema the agent runtime can register directly. */
+    toolSchema: WorkspaceToolSchema;
+    /** True iff the workspace has an active connection backing this
+     *  capability. False capabilities (advertised by the connector but
+     *  not yet connected) are included when `includeUnconnected: true`
+     *  is passed — useful for "connect to unlock" UI affordances. */
+    connected: boolean;
+    /** Connection id backing this capability. Undefined when
+     *  `connected: false`. */
+    connectionId?: string;
+    /** Whether the action requires explicit approval before invocation. */
+    approvalRequired?: boolean;
+}
+/** Optional inbound trigger surface. Same shape as a capability so the
+ *  consumer can render both with one component. */
+interface WorkspaceTrigger {
+    id: string;
+    title: string;
+    description?: string;
+    category: IntegrationConnectorCategory;
+    connectorId: string;
+    providerId: string;
+    triggerId: string;
+    scopes: string[];
+    dataClass: IntegrationDataClass;
+    connected: boolean;
+    connectionId?: string;
+}
+interface DiscoverWorkspaceCapabilitiesInput {
+    /** Workspace owner. Used to scope the connection lookup when `store`
+     *  is supplied (the canonical production path). */
+    owner: IntegrationActor;
+    /** Either an explicit connection list (test/fixture path) or a store
+     *  the function should query for connections by owner. Exactly one
+     *  of `connections` / `store` MUST be provided. */
+    connections?: IntegrationConnection[];
+    store?: IntegrationConnectionStore;
+    /** Either an explicit connector list (test/fixture path) or a set of
+     *  providers the function should query via `listConnectors()`. */
+    connectors?: IntegrationConnector[];
+    providers?: IntegrationProvider[];
+    /** Include capabilities whose connector is in the catalog but the
+     *  workspace has no active connection for. Useful to render
+     *  "connect to unlock" affordances. Default: false. */
+    includeUnconnected?: boolean;
+    /** When true, include capabilities even if some required scopes are
+     *  missing from the connection grant. The default `false` hides such
+     *  capabilities — the agent runtime never sees them. */
+    includeMissingScopes?: boolean;
+}
+interface WorkspaceCapabilityDiscovery {
+    capabilities: WorkspaceCapability[];
+    triggers: WorkspaceTrigger[];
+    /** Counts grouped by connector for telemetry / UI badges. */
+    countsByConnector: Record<string, number>;
+    /** Connectors the workspace is connected to but the planner cannot
+     *  reach any actions on (e.g., zero scopes granted, or all actions
+     *  require an additional scope). */
+    unreachableConnectors: Array<{
+        connectorId: string;
+        reason: string;
+    }>;
+}
+/** Resolve workspace-visible capabilities + triggers. Pure with respect
+ *  to the inputs — caller decides whether to back `connections` and
+ *  `connectors` with persistent state or static fixtures. */
+declare function discoverWorkspaceCapabilities(input: DiscoverWorkspaceCapabilitiesInput): Promise<WorkspaceCapabilityDiscovery>;
+
 type IntegrationErrorCode = 'missing_connection' | 'missing_grant' | 'approval_required' | 'approval_denied' | 'connection_revoked' | 'connection_expired' | 'scope_missing' | 'action_denied' | 'action_not_found' | 'trigger_not_found' | 'provider_rate_limited' | 'provider_auth_failed' | 'provider_unavailable' | 'provider_error' | 'capability_expired' | 'capability_invalid' | 'manifest_invalid' | 'passthrough_disabled' | 'input_invalid' | 'unknown';
 interface IntegrationUserAction {
     type: 'connect' | 'reconnect' | 'approve' | 'retry' | 'contact_support' | 'change_request';
@@ -1999,4 +2136,4 @@ declare function createHttpIntegrationProvider(options: HttpIntegrationProviderO
 declare function signCapability(capability: IntegrationCapability, secret: string): string;
 declare function verifyCapabilityToken(token: string, secret: string): IntegrationCapability;
 
-export { type HealthcheckSpec as $, type TangleCatalogHttpAuthResolverRequest as A, type TangleCatalogInstalledPackageExecutorOptions as B, type TangleCatalogRuntimeHandlerOptions as C, type ComposeIntegrationRegistryOptions, type TangleCatalogRuntimeHttpRequest as D, type TangleCatalogRuntimeHttpResponse as E, type TangleCatalogRuntimeInvocation as F, type TangleCatalogRuntimeModuleAction as G, type TangleCatalogRuntimePackageCoverageOptions as H, type IntegrationCatalogView as I, type IntegrationCatalogSource, type IntegrationRegistry, type IntegrationRegistryConflict, type IntegrationRegistryEntry, type IntegrationRegistrySourceRef, type IntegrationRegistrySummary, type IntegrationSupportTier, type TangleCatalogRuntimePackageCoverageRow as J, auditTangleCatalogRuntimePackages as K, createTangleCatalogCredentialAuthResolver as L, type McpToolDefinition as M, createTangleCatalogHttpAuthResolver as N, createTangleCatalogInstalledPackageExecutor as O, createTangleCatalogRuntimeHandler as P, signTangleCatalogRuntimeRequest as Q, tangleCatalogAuthValue as R, verifyTangleCatalogRuntimeSignature as S, TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER as T, type ApiKeyAuthSpec as U, type ConsoleStep as V, type CredentialFieldSpec as W, type CredentialValidationInput as X, type CredentialValidationResult as Y, type CustomAuthSpec as Z, type HealthcheckPlan as _, type IntegrationToolDefinition as a, type GatewayCatalogTrigger as a$, type HmacAuthSpec as a0, INTEGRATION_FAMILIES as a1, type IntegrationAuthMode as a2, type IntegrationAuthSpec as a3, type IntegrationFamilyId as a4, type IntegrationFamilySpec as a5, type IntegrationLifecycleSpec as a6, type IntegrationPlannerHints as a7, type IntegrationSetupSpec as a8, type IntegrationSpec as a9, validateIntegrationSpec as aA, ACTIVEPIECES_OVERRIDES as aB, ACTIVEPIECES_PUBLIC_CATALOG_URL as aC, ACTIVEPIECES_RUNTIME_SIGNATURE_HEADER as aD, type ActivepiecesCatalogAuthField as aE, type ActivepiecesCatalogEntry as aF, type ActivepiecesExecutorInvocation as aG, type ActivepiecesExecutorProviderOptions as aH, type ActivepiecesHttpExecutorOptions as aI, type ActivepiecesPieceOverride as aJ, type ActivepiecesRuntimeRequest as aK, ApprovalBackedPolicyEngine as aL, type ApprovalBackedPolicyOptions as aM, CANONICAL_INTEGRATION_ACTIONS as aN, type CanonicalIntegrationActionId as aO, type CanonicalLaunchConnectorOptions as aP, type CatalogExecutorInvocation as aQ, type CatalogExecutorProviderOptions as aR, type CompleteAuthRequest as aS, type ConnectionCredentialResolverOptions as aT, type ConnectorAdapterProviderOptions as aU, type ConsentSummary as aV, DEFAULT_INTEGRATION_BRIDGE_ENV as aW, DefaultIntegrationActionGuard as aX, type GatewayCatalogAction as aY, type GatewayCatalogEntry as aZ, type GatewayCatalogProviderOptions as a_, type IntegrationSpecStatus as aa, type IntegrationSpecValidationIssue as ab, type IntegrationSpecValidationResult as ac, type NoneAuthSpec as ad, type NormalizedPermission as ae, type OAuth2AuthSpec as af, type PermissionDescriptor as ag, type PostSetupCheck as ah, type Quirk as ai, type RenderSpecOptions as aj, type RenderedConsoleStep as ak, type ScopeDescriptor as al, assertValidIntegrationSpec as am, buildHealthcheckPlan as an, consoleStepsToText as ao, getIntegrationFamily as ap, getIntegrationSpec as aq, integrationSpecToConnector as ar, listExecutableIntegrationSpecs as as, listIntegrationSpecs as at, renderAgentToolDescription as au, renderConsoleSteps as av, renderRunbookMarkdown as aw, specAuthToConnectorAuth as ax, validateCredentialFormat as ay, validateCredentialSet as az, type IntegrationToolSearchFilters as b, type IntegrationProviderKind as b$, type GraphqlOperationSpec as b0, type HttpIntegrationProviderOptions as b1, type ImportCatalogOptions as b2, InMemoryConnectionStore as b3, InMemoryIntegrationApprovalStore as b4, InMemoryIntegrationAuditStore as b5, InMemoryIntegrationEventStore as b6, InMemoryIntegrationHealthcheckStore as b7, InMemoryIntegrationIdempotencyStore as b8, InMemoryIntegrationSecretStore as b9, type IntegrationConnectionStore as bA, type IntegrationConnector as bB, type IntegrationConnectorAction as bC, type IntegrationConnectorCategory as bD, type IntegrationConnectorTrigger as bE, type IntegrationCoveragePriority as bF, type IntegrationCoverageSpec as bG, type IntegrationDataClass as bH, IntegrationError as bI, type IntegrationErrorCode as bJ, type IntegrationEventStore as bK, type IntegrationGuardContext as bL, type IntegrationHealthcheckCheck as bM, type IntegrationHealthcheckResult as bN, type IntegrationHealthcheckStatus as bO, type IntegrationHealthcheckStore as bP, IntegrationHub as bQ, type IntegrationHubOptions as bR, type IntegrationIdempotencyRecord as bS, type IntegrationIdempotencyStore as bT, type IntegrationInvocationEnvelope as bU, type IntegrationInvocationEnvelopeValidationOptions as bV, type IntegrationPolicyDecision as bW, type IntegrationPolicyEffect as bX, type IntegrationPolicyEngine as bY, type IntegrationPolicyRule as bZ, type IntegrationProvider as b_, InMemoryIntegrationWorkflowStore as ba, type InferIntegrationRequirementsOptions as bb, type InstalledIntegrationWorkflow as bc, type IntegrationActionGuard as bd, type IntegrationActionPack as be, type IntegrationActionRequest as bf, type IntegrationActionResult as bg, type IntegrationActionRisk as bh, type IntegrationActor as bi, type IntegrationApprovalFilter as bj, type IntegrationApprovalRecord as bk, type IntegrationApprovalRequest as bl, type IntegrationApprovalResolution as bm, type IntegrationApprovalStatus as bn, type IntegrationApprovalStore as bo, type IntegrationAuditEvent as bp, type IntegrationAuditEventType as bq, type IntegrationAuditFilter as br, type IntegrationAuditSink as bs, type IntegrationAuditStore as bt, type IntegrationBridgePayload as bu, buildDefaultIntegrationRegistry, type IntegrationBridgeToolBinding as bv, type IntegrationCapability as bw, type IntegrationCatalogFreshnessOptions as bx, type IntegrationCatalogFreshnessResult as by, type IntegrationConnection as bz, type IntegrationToolSearchResult as c, adapterManifestsToConnectors as c$, type IntegrationRateLimitDecision as c0, type IntegrationRateLimiter as c1, IntegrationRuntimeError as c2, IntegrationSandboxHost as c3, type IntegrationSandboxHostHub as c4, type IntegrationSandboxHostOptions as c5, type IntegrationSecretStore as c6, type IntegrationTriggerEvent as c7, type IntegrationTriggerSubscription as c8, type IntegrationUserAction as c9, type StartedTangleCatalogRuntimeNodeServer as cA, StaticIntegrationPolicyEngine as cB, type StaticIntegrationPolicyOptions as cC, type StoredIntegrationEvent as cD, TANGLE_INTEGRATIONS_CATALOG_PROVIDER_ID as cE, TANGLE_INTEGRATIONS_CATALOG_SOURCE as cF, type TangleCatalogExecutorInvocation as cG, type TangleCatalogExecutorProviderOptions as cH, type TangleCatalogHttpExecutorInvocation as cI, type TangleCatalogHttpExecutorOptions as cJ, type TangleCatalogRuntimeActionRequest as cK, type TangleCatalogRuntimeNodeServerOptions as cL, type TangleCatalogRuntimePackageManifest as cM, type TangleCatalogRuntimePackageManifestOptions as cN, type TangleCatalogRuntimePiece as cO, type TangleCatalogRuntimeRequest as cP, type TangleCatalogTriggerInvocation as cQ, type TangleIntegrationCatalogEntry as cR, type TangleIntegrationCatalogFreshnessOptions as cS, type TangleIntegrationCatalogFreshnessResult as cT, type TangleIntegrationContract as cU, type TangleIntegrationContractStatus as cV, type TangleIntegrationImplementationKind as cW, type TangleIntegrationInvokeInput as cX, type TangleIntegrationInvokeResult as cY, TangleIntegrationsClient as cZ, type TangleIntegrationsClientOptions as c_, type IntegrationWebhookReceiverResult as ca, canonicalConnectorId, type IntegrationWorkflowDefinition as cb, IntegrationWorkflowRuntime as cc, type IntegrationWorkflowRuntimeHub as cd, type IntegrationWorkflowRuntimeOptions as ce, type IntegrationWorkflowStore as cf, type InvokeWithCapabilityRequest as cg, type IssueCapabilityRequest as ch, type IssuedIntegrationCapability as ci, type ManifestValidationIssue as cj, type ManifestValidationResult as ck, type McpCatalog as cl, type McpCatalogTool as cm, type MissingRequirementExplanation as cn, type NormalizedIntegrationError as co, composeIntegrationRegistry, type NormalizedIntegrationResult as cp, type OpenApiDocument as cq, type OpenApiOperation as cr, PROVIDER_PASSTHROUGH_ACTION as cs, type PlatformIntegrationPolicyPresetOptions as ct, type ProviderHttpRequestInput as cu, type ProviderPassthroughPolicy as cv, type RenderConsentOptions as cw, type SecretRef as cx, type StartAuthRequest as cy, type StartAuthResult as cz, buildIntegrationCatalogView as d, redactApprovalRequest as d$, assertValidIntegrationManifest as d0, auditIntegrationCatalogFreshness as d1, auditTangleIntegrationCatalogFreshness as d2, buildActivepiecesConnectors as d3, buildActivepiecesRuntimeRequest as d4, buildApprovalRequest as d5, buildCanonicalLaunchConnectors as d6, buildIntegrationBridgeEnvironment as d7, buildIntegrationBridgePayload as d8, buildIntegrationCoverageConnectors as d9, createTangleCatalogRuntimeNodeRequestListener as dA, createTangleIntegrationsClient as dB, decodeIntegrationBridgePayload as dC, dispatchIntegrationInvocation as dD, encodeIntegrationBridgePayload as dE, explainMissingRequirements as dF, extractActivepiecesPublicPieceCount as dG, extractExternalCatalogPublicCount as dH, getActivepiecesOverride as dI, healthcheckRequest as dJ, importGraphqlConnector as dK, importMcpConnector as dL, importOpenApiConnector as dM, inferIntegrationManifestFromTools as dN, integrationCoverageChecklistMarkdown as dO, invocationRequestFromEnvelope as dP, listActivepiecesCatalogEntries as dQ, listIntegrationCoverageSpecs as dR, listTangleIntegrationCatalogEntries as dS, listTangleIntegrationCatalogRuntimePackages as dT, listTangleIntegrationContracts as dU, manifestToConnector as dV, normalizeGatewayCatalog as dW, normalizeIntegrationError as dX, normalizeIntegrationResult as dY, parseIntegrationBridgeEnvironment as dZ, receiveIntegrationWebhook as d_, buildIntegrationInvocationEnvelope as da, buildTangleCatalogRuntimePackageManifest as db, buildTangleCatalogRuntimeRequest as dc, buildTangleIntegrationCatalogConnectors as dd, calendarExercisePlannerManifest as de, canonicalActionConnectorId as df, createActivepiecesExecutorProvider as dg, createActivepiecesHttpExecutor as dh, createApprovalBackedPolicyEngine as di, createAuditingActionGuard as dj, createCatalogExecutorProvider as dk, createConnectionCredentialResolver as dl, createConnectorAdapterCatalogSource as dm, createConnectorAdapterProvider as dn, createCredentialBackedAdapterProvider as dp, createDefaultIntegrationActionGuard as dq, createDefaultIntegrationPolicyEngine as dr, createGatewayCatalogProvider as ds, createHttpIntegrationProvider as dt, createIntegrationAuditEvent as du, createIntegrationWorkflowRuntime as dv, createMockIntegrationProvider as dw, createPlatformIntegrationPolicyPreset as dx, createTangleCatalogExecutorProvider as dy, createTangleCatalogHttpExecutor as dz, buildIntegrationToolCatalog as e, redactCapability as e0, redactIntegrationBridgePayload as e1, redactInvocationEnvelope as e2, renderApprovalCopy as e3, renderConsentSummary as e4, renderTangleCatalogRuntimePnpmAddCommand as e5, resolveConnectionCredentials as e6, resolveIntegrationApproval as e7, revokeConnection as e8, runIntegrationHealthcheck as e9, runIntegrationHealthchecks as ea, sanitizeAuditConnection as eb, sanitizeConnection as ec, signActivepiecesRuntimeRequest as ed, signCapability as ee, startTangleCatalogRuntimeNodeServer as ef, statusForCode as eg, storedEventToTriggerEvent as eh, validateIntegrationInvocationEnvelope as ei, validateIntegrationManifest as ej, validateProviderPassthroughRequest as ek, verifyActivepiecesRuntimeSignature as el, verifyCapabilityToken as em, InMemoryIntegrationGrantStore as f, type IntegrationCapabilityBinding as g, type IntegrationGrant as h, integrationToolName as i, inferIntegrationSupportTier, type IntegrationGrantStore as j, type IntegrationManifest as k, type IntegrationManifestResolution as l, type IntegrationRequirement as m, type IntegrationRequirementMode as n, type IntegrationRequirementResolution as o, parseIntegrationToolName as p, type IntegrationRequirementStatus as q, IntegrationRuntime as r, searchIntegrationTools as s, summarizeIntegrationRegistry, toMcpTools as t, type IntegrationRuntimeHub as u, type IntegrationRuntimeOptions as v, type IntegrationSandboxBundle as w, createIntegrationRuntime as x, type TangleCatalogAuthResolverOptions as y, type TangleCatalogHttpAuthResolverOptions as z };
+export { type HealthcheckSpec as $, type TangleCatalogHttpAuthResolverRequest as A, type TangleCatalogInstalledPackageExecutorOptions as B, type TangleCatalogRuntimeHandlerOptions as C, type ComposeIntegrationRegistryOptions, type TangleCatalogRuntimeHttpRequest as D, type TangleCatalogRuntimeHttpResponse as E, type TangleCatalogRuntimeInvocation as F, type TangleCatalogRuntimeModuleAction as G, type TangleCatalogRuntimePackageCoverageOptions as H, type IntegrationCatalogView as I, type IntegrationCatalogSource, type IntegrationRegistry, type IntegrationRegistryConflict, type IntegrationRegistryEntry, type IntegrationRegistrySourceRef, type IntegrationRegistrySummary, type IntegrationSupportTier, type TangleCatalogRuntimePackageCoverageRow as J, auditTangleCatalogRuntimePackages as K, createTangleCatalogCredentialAuthResolver as L, type McpToolDefinition as M, createTangleCatalogHttpAuthResolver as N, createTangleCatalogInstalledPackageExecutor as O, createTangleCatalogRuntimeHandler as P, signTangleCatalogRuntimeRequest as Q, tangleCatalogAuthValue as R, verifyTangleCatalogRuntimeSignature as S, TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER as T, type ApiKeyAuthSpec as U, type ConsoleStep as V, type CredentialFieldSpec as W, type CredentialValidationInput as X, type CredentialValidationResult as Y, type CustomAuthSpec as Z, type HealthcheckPlan as _, type IntegrationToolDefinition as a, type GatewayCatalogProviderOptions as a$, type HmacAuthSpec as a0, INTEGRATION_FAMILIES as a1, type IntegrationAuthMode as a2, type IntegrationAuthSpec as a3, type IntegrationFamilyId as a4, type IntegrationFamilySpec as a5, type IntegrationLifecycleSpec as a6, type IntegrationPlannerHints as a7, type IntegrationSetupSpec as a8, type IntegrationSpec as a9, validateIntegrationSpec as aA, ACTIVEPIECES_OVERRIDES as aB, ACTIVEPIECES_PUBLIC_CATALOG_URL as aC, ACTIVEPIECES_RUNTIME_SIGNATURE_HEADER as aD, type ActivepiecesCatalogAuthField as aE, type ActivepiecesCatalogEntry as aF, type ActivepiecesExecutorInvocation as aG, type ActivepiecesExecutorProviderOptions as aH, type ActivepiecesHttpExecutorOptions as aI, type ActivepiecesPieceOverride as aJ, type ActivepiecesRuntimeRequest as aK, ApprovalBackedPolicyEngine as aL, type ApprovalBackedPolicyOptions as aM, CANONICAL_INTEGRATION_ACTIONS as aN, type CanonicalIntegrationActionId as aO, type CanonicalLaunchConnectorOptions as aP, type CatalogExecutorInvocation as aQ, type CatalogExecutorProviderOptions as aR, type CompleteAuthRequest as aS, type ConnectionCredentialResolverOptions as aT, type ConnectorAdapterProviderOptions as aU, type ConsentSummary as aV, DEFAULT_INTEGRATION_BRIDGE_ENV as aW, DefaultIntegrationActionGuard as aX, type DiscoverWorkspaceCapabilitiesInput as aY, type GatewayCatalogAction as aZ, type GatewayCatalogEntry as a_, type IntegrationSpecStatus as aa, type IntegrationSpecValidationIssue as ab, type IntegrationSpecValidationResult as ac, type NoneAuthSpec as ad, type NormalizedPermission as ae, type OAuth2AuthSpec as af, type PermissionDescriptor as ag, type PostSetupCheck as ah, type Quirk as ai, type RenderSpecOptions as aj, type RenderedConsoleStep as ak, type ScopeDescriptor as al, assertValidIntegrationSpec as am, buildHealthcheckPlan as an, consoleStepsToText as ao, getIntegrationFamily as ap, getIntegrationSpec as aq, integrationSpecToConnector as ar, listExecutableIntegrationSpecs as as, listIntegrationSpecs as at, renderAgentToolDescription as au, renderConsoleSteps as av, renderRunbookMarkdown as aw, specAuthToConnectorAuth as ax, validateCredentialFormat as ay, validateCredentialSet as az, type IntegrationToolSearchFilters as b, type IntegrationProvider as b$, type GatewayCatalogTrigger as b0, type GraphqlOperationSpec as b1, type HttpIntegrationProviderOptions as b2, type ImportCatalogOptions as b3, InMemoryConnectionStore as b4, InMemoryIntegrationApprovalStore as b5, InMemoryIntegrationAuditStore as b6, InMemoryIntegrationEventStore as b7, InMemoryIntegrationHealthcheckStore as b8, InMemoryIntegrationIdempotencyStore as b9, type IntegrationConnection as bA, type IntegrationConnectionStore as bB, type IntegrationConnector as bC, type IntegrationConnectorAction as bD, type IntegrationConnectorCategory as bE, type IntegrationConnectorTrigger as bF, type IntegrationCoveragePriority as bG, type IntegrationCoverageSpec as bH, type IntegrationDataClass as bI, IntegrationError as bJ, type IntegrationErrorCode as bK, type IntegrationEventStore as bL, type IntegrationGuardContext as bM, type IntegrationHealthcheckCheck as bN, type IntegrationHealthcheckResult as bO, type IntegrationHealthcheckStatus as bP, type IntegrationHealthcheckStore as bQ, IntegrationHub as bR, type IntegrationHubOptions as bS, type IntegrationIdempotencyRecord as bT, type IntegrationIdempotencyStore as bU, type IntegrationInvocationEnvelope as bV, type IntegrationInvocationEnvelopeValidationOptions as bW, type IntegrationPolicyDecision as bX, type IntegrationPolicyEffect as bY, type IntegrationPolicyEngine as bZ, type IntegrationPolicyRule as b_, InMemoryIntegrationSecretStore as ba, InMemoryIntegrationWorkflowStore as bb, type InferIntegrationRequirementsOptions as bc, type InstalledIntegrationWorkflow as bd, type IntegrationActionGuard as be, type IntegrationActionPack as bf, type IntegrationActionRequest as bg, type IntegrationActionResult as bh, type IntegrationActionRisk as bi, type IntegrationActor as bj, type IntegrationApprovalFilter as bk, type IntegrationApprovalRecord as bl, type IntegrationApprovalRequest as bm, type IntegrationApprovalResolution as bn, type IntegrationApprovalStatus as bo, type IntegrationApprovalStore as bp, type IntegrationAuditEvent as bq, type IntegrationAuditEventType as br, type IntegrationAuditFilter as bs, type IntegrationAuditSink as bt, type IntegrationAuditStore as bu, buildDefaultIntegrationRegistry, type IntegrationBridgePayload as bv, type IntegrationBridgeToolBinding as bw, type IntegrationCapability as bx, type IntegrationCatalogFreshnessOptions as by, type IntegrationCatalogFreshnessResult as bz, type IntegrationToolSearchResult as c, type TangleIntegrationsClientOptions as c$, type IntegrationProviderKind as c0, type IntegrationRateLimitDecision as c1, type IntegrationRateLimiter as c2, IntegrationRuntimeError as c3, IntegrationSandboxHost as c4, type IntegrationSandboxHostHub as c5, type IntegrationSandboxHostOptions as c6, type IntegrationSecretStore as c7, type IntegrationTriggerEvent as c8, type IntegrationTriggerSubscription as c9, type StartAuthResult as cA, type StartedTangleCatalogRuntimeNodeServer as cB, StaticIntegrationPolicyEngine as cC, type StaticIntegrationPolicyOptions as cD, type StoredIntegrationEvent as cE, TANGLE_INTEGRATIONS_CATALOG_PROVIDER_ID as cF, TANGLE_INTEGRATIONS_CATALOG_SOURCE as cG, type TangleCatalogExecutorInvocation as cH, type TangleCatalogExecutorProviderOptions as cI, type TangleCatalogHttpExecutorInvocation as cJ, type TangleCatalogHttpExecutorOptions as cK, type TangleCatalogRuntimeActionRequest as cL, type TangleCatalogRuntimeNodeServerOptions as cM, type TangleCatalogRuntimePackageManifest as cN, type TangleCatalogRuntimePackageManifestOptions as cO, type TangleCatalogRuntimePiece as cP, type TangleCatalogRuntimeRequest as cQ, type TangleCatalogTriggerInvocation as cR, type TangleIntegrationCatalogEntry as cS, type TangleIntegrationCatalogFreshnessOptions as cT, type TangleIntegrationCatalogFreshnessResult as cU, type TangleIntegrationContract as cV, type TangleIntegrationContractStatus as cW, type TangleIntegrationImplementationKind as cX, type TangleIntegrationInvokeInput as cY, type TangleIntegrationInvokeResult as cZ, TangleIntegrationsClient as c_, type IntegrationUserAction as ca, canonicalConnectorId, type IntegrationWebhookReceiverResult as cb, type IntegrationWorkflowDefinition as cc, IntegrationWorkflowRuntime as cd, type IntegrationWorkflowRuntimeHub as ce, type IntegrationWorkflowRuntimeOptions as cf, type IntegrationWorkflowStore as cg, type InvokeWithCapabilityRequest as ch, type IssueCapabilityRequest as ci, type IssuedIntegrationCapability as cj, type ManifestValidationIssue as ck, type ManifestValidationResult as cl, type McpCatalog as cm, type McpCatalogTool as cn, type MissingRequirementExplanation as co, composeIntegrationRegistry, type NormalizedIntegrationError as cp, type NormalizedIntegrationResult as cq, type OpenApiDocument as cr, type OpenApiOperation as cs, PROVIDER_PASSTHROUGH_ACTION as ct, type PlatformIntegrationPolicyPresetOptions as cu, type ProviderHttpRequestInput as cv, type ProviderPassthroughPolicy as cw, type RenderConsentOptions as cx, type SecretRef as cy, type StartAuthRequest as cz, buildIntegrationCatalogView as d, manifestToConnector as d$, type WorkspaceCapability as d0, type WorkspaceCapabilityDiscovery as d1, type WorkspaceToolSchema as d2, type WorkspaceTrigger as d3, adapterManifestsToConnectors as d4, assertValidIntegrationManifest as d5, auditIntegrationCatalogFreshness as d6, auditTangleIntegrationCatalogFreshness as d7, buildActivepiecesConnectors as d8, buildActivepiecesRuntimeRequest as d9, createIntegrationWorkflowRuntime as dA, createMockIntegrationProvider as dB, createPlatformIntegrationPolicyPreset as dC, createTangleCatalogExecutorProvider as dD, createTangleCatalogHttpExecutor as dE, createTangleCatalogRuntimeNodeRequestListener as dF, createTangleIntegrationsClient as dG, decodeIntegrationBridgePayload as dH, discoverWorkspaceCapabilities as dI, dispatchIntegrationInvocation as dJ, encodeIntegrationBridgePayload as dK, explainMissingRequirements as dL, extractActivepiecesPublicPieceCount as dM, extractExternalCatalogPublicCount as dN, getActivepiecesOverride as dO, healthcheckRequest as dP, importGraphqlConnector as dQ, importMcpConnector as dR, importOpenApiConnector as dS, inferIntegrationManifestFromTools as dT, integrationCoverageChecklistMarkdown as dU, invocationRequestFromEnvelope as dV, listActivepiecesCatalogEntries as dW, listIntegrationCoverageSpecs as dX, listTangleIntegrationCatalogEntries as dY, listTangleIntegrationCatalogRuntimePackages as dZ, listTangleIntegrationContracts as d_, buildApprovalRequest as da, buildCanonicalLaunchConnectors as db, buildIntegrationBridgeEnvironment as dc, buildIntegrationBridgePayload as dd, buildIntegrationCoverageConnectors as de, buildIntegrationInvocationEnvelope as df, buildTangleCatalogRuntimePackageManifest as dg, buildTangleCatalogRuntimeRequest as dh, buildTangleIntegrationCatalogConnectors as di, calendarExercisePlannerManifest as dj, canonicalActionConnectorId as dk, createActivepiecesExecutorProvider as dl, createActivepiecesHttpExecutor as dm, createApprovalBackedPolicyEngine as dn, createAuditingActionGuard as dp, createCatalogExecutorProvider as dq, createConnectionCredentialResolver as dr, createConnectorAdapterCatalogSource as ds, createConnectorAdapterProvider as dt, createCredentialBackedAdapterProvider as du, createDefaultIntegrationActionGuard as dv, createDefaultIntegrationPolicyEngine as dw, createGatewayCatalogProvider as dx, createHttpIntegrationProvider as dy, createIntegrationAuditEvent as dz, buildIntegrationToolCatalog as e, normalizeGatewayCatalog as e0, normalizeIntegrationError as e1, normalizeIntegrationResult as e2, parseIntegrationBridgeEnvironment as e3, receiveIntegrationWebhook as e4, redactApprovalRequest as e5, redactCapability as e6, redactIntegrationBridgePayload as e7, redactInvocationEnvelope as e8, renderApprovalCopy as e9, renderConsentSummary as ea, renderTangleCatalogRuntimePnpmAddCommand as eb, resolveConnectionCredentials as ec, resolveIntegrationApproval as ed, revokeConnection as ee, runIntegrationHealthcheck as ef, runIntegrationHealthchecks as eg, sanitizeAuditConnection as eh, sanitizeConnection as ei, signActivepiecesRuntimeRequest as ej, signCapability as ek, startTangleCatalogRuntimeNodeServer as el, statusForCode as em, storedEventToTriggerEvent as en, validateIntegrationInvocationEnvelope as eo, validateIntegrationManifest as ep, validateProviderPassthroughRequest as eq, verifyActivepiecesRuntimeSignature as er, verifyCapabilityToken as es, InMemoryIntegrationGrantStore as f, type IntegrationCapabilityBinding as g, type IntegrationGrant as h, integrationToolName as i, inferIntegrationSupportTier, type IntegrationGrantStore as j, type IntegrationManifest as k, type IntegrationManifestResolution as l, type IntegrationRequirement as m, type IntegrationRequirementMode as n, type IntegrationRequirementResolution as o, parseIntegrationToolName as p, type IntegrationRequirementStatus as q, IntegrationRuntime as r, searchIntegrationTools as s, summarizeIntegrationRegistry, toMcpTools as t, type IntegrationRuntimeHub as u, type IntegrationRuntimeOptions as v, type IntegrationSandboxBundle as w, createIntegrationRuntime as x, type TangleCatalogAuthResolverOptions as y, type TangleCatalogHttpAuthResolverOptions as z };

package/dist/registry.js

@@ -4,10 +4,11 @@ import {
   composeIntegrationRegistry,
   inferIntegrationSupportTier,
   summarizeIntegrationRegistry
-} from "./chunk-A5I3EYU5.js";
+} from "./chunk-ALCIWTIR.js";
 import "./chunk-4JQ754PA.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-WC63AI4Q.js";
+import "./chunk-GA4VTE3U.js";
+import "./chunk-2TW2QKGZ.js";
 export {
   buildDefaultIntegrationRegistry,
   canonicalConnectorId,

package/dist/runtime.d.ts

@@ -1,4 +1,4 @@
 export { f as InMemoryIntegrationGrantStore, g as IntegrationCapabilityBinding, h as IntegrationGrant, j as IntegrationGrantStore, k as IntegrationManifest, l as IntegrationManifestResolution, m as IntegrationRequirement, n as IntegrationRequirementMode, o as IntegrationRequirementResolution, q as IntegrationRequirementStatus, r as IntegrationRuntime, u as IntegrationRuntimeHub, v as IntegrationRuntimeOptions, w as IntegrationSandboxBundle, x as createIntegrationRuntime } from './registry.js';
-import './index-BQY5ry2s.js';
+import './index-D4D4CEKX.js';
 import './connectors/index.js';
 import 'node:http';

package/dist/runtime.js

@@ -2,10 +2,11 @@ import {
   InMemoryIntegrationGrantStore,
   IntegrationRuntime,
   createIntegrationRuntime
-} from "./chunk-A5I3EYU5.js";
+} from "./chunk-ALCIWTIR.js";
 import "./chunk-4JQ754PA.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-WC63AI4Q.js";
+import "./chunk-GA4VTE3U.js";
+import "./chunk-2TW2QKGZ.js";
 export {
   InMemoryIntegrationGrantStore,
   IntegrationRuntime,

package/dist/specs.d.ts

@@ -1,4 +1,4 @@
 export { U as ApiKeyAuthSpec, V as ConsoleStep, W as CredentialFieldSpec, X as CredentialValidationInput, Y as CredentialValidationResult, Z as CustomAuthSpec, _ as HealthcheckPlan, $ as HealthcheckSpec, a0 as HmacAuthSpec, a1 as INTEGRATION_FAMILIES, a2 as IntegrationAuthMode, a3 as IntegrationAuthSpec, a4 as IntegrationFamilyId, a5 as IntegrationFamilySpec, a6 as IntegrationLifecycleSpec, a7 as IntegrationPlannerHints, a8 as IntegrationSetupSpec, a9 as IntegrationSpec, aa as IntegrationSpecStatus, ab as IntegrationSpecValidationIssue, ac as IntegrationSpecValidationResult, ad as NoneAuthSpec, ae as NormalizedPermission, af as OAuth2AuthSpec, ag as PermissionDescriptor, ah as PostSetupCheck, ai as Quirk, aj as RenderSpecOptions, ak as RenderedConsoleStep, al as ScopeDescriptor, am as assertValidIntegrationSpec, an as buildHealthcheckPlan, ao as consoleStepsToText, ap as getIntegrationFamily, aq as getIntegrationSpec, ar as integrationSpecToConnector, as as listExecutableIntegrationSpecs, at as listIntegrationSpecs, au as renderAgentToolDescription, av as renderConsoleSteps, aw as renderRunbookMarkdown, ax as specAuthToConnectorAuth, ay as validateCredentialFormat, az as validateCredentialSet, aA as validateIntegrationSpec } from './registry.js';
-import './index-BQY5ry2s.js';
+import './index-D4D4CEKX.js';
 import './connectors/index.js';
 import 'node:http';

package/dist/tangle-catalog-runtime.d.ts

@@ -1,4 +1,4 @@
 export { T as TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER, y as TangleCatalogAuthResolverOptions, z as TangleCatalogHttpAuthResolverOptions, A as TangleCatalogHttpAuthResolverRequest, B as TangleCatalogInstalledPackageExecutorOptions, C as TangleCatalogRuntimeHandlerOptions, D as TangleCatalogRuntimeHttpRequest, E as TangleCatalogRuntimeHttpResponse, F as TangleCatalogRuntimeInvocation, G as TangleCatalogRuntimeModuleAction, H as TangleCatalogRuntimePackageCoverageOptions, J as TangleCatalogRuntimePackageCoverageRow, K as auditTangleCatalogRuntimePackages, L as createTangleCatalogCredentialAuthResolver, N as createTangleCatalogHttpAuthResolver, O as createTangleCatalogInstalledPackageExecutor, P as createTangleCatalogRuntimeHandler, Q as signTangleCatalogRuntimeRequest, R as tangleCatalogAuthValue, S as verifyTangleCatalogRuntimeSignature } from './registry.js';
-import './index-BQY5ry2s.js';
+import './index-D4D4CEKX.js';
 import './connectors/index.js';
 import 'node:http';

package/dist/tangle-catalog-runtime.js

@@ -8,10 +8,11 @@ import {
   signTangleCatalogRuntimeRequest,
   tangleCatalogAuthValue,
   verifyTangleCatalogRuntimeSignature
-} from "./chunk-A5I3EYU5.js";
+} from "./chunk-ALCIWTIR.js";
 import "./chunk-4JQ754PA.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-WC63AI4Q.js";
+import "./chunk-GA4VTE3U.js";
+import "./chunk-2TW2QKGZ.js";
 export {
   TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER,
   auditTangleCatalogRuntimePackages,

package/dist/webhooks/index.d.ts

@@ -0,0 +1,193 @@
+/**
+ * @stable Provider-agnostic inbound webhook router.
+ *
+ * Consumer hooks a single HTTP handler at `/webhook/:provider/:event`
+ * (or whatever pathing they prefer) and forwards the request through
+ * `WebhookRouter.handle()`. The router:
+ *
+ *   1. Resolves the registered provider entry.
+ *   2. Calls the provider's `verifySignature(rawBody, headers, secrets)`.
+ *      Failure → 401 fast, no downstream work.
+ *   3. Calls the provider's `parse(rawBody, headers)` to extract zero or
+ *      more normalized events.
+ *   4. Enqueues each event for async processing via the consumer-supplied
+ *      `deliver(event)` callback (best-effort fire-and-forget — the
+ *      router does NOT block the HTTP response on the consumer's work).
+ *   5. Returns 200 fast with `{received: events.length}`.
+ *
+ * Replay protection: providers that sign timestamps (Stripe, Slack)
+ * already reject stale signatures inside `verifySignature`. For providers
+ * that don't (DocuSeal, GDrive push), the router exposes a pluggable
+ * `idempotency` hook: if `idempotency.seen(providerEventId)` returns
+ * true, the router 200s without invoking `deliver()`. Consumers wire
+ * this to a durable kv (D1 / Redis / Postgres unique-index).
+ *
+ * Why a router and not a per-provider express app: the runtime contract
+ * a product cares about is "an inbound event came in, here's the
+ * normalized envelope". Verification, parsing, and idempotency-dedup
+ * are mechanical and provider-specific — the router owns them. The
+ * consumer's `deliver()` is the only place product logic runs.
+ *
+ * Stability: `@stable` — additions to `WebhookEnvelope` must be
+ * additive; the router's HTTP contract (paths, status codes) is frozen
+ * at 200 (ok), 400 (bad request), 401 (bad signature), 404 (unknown
+ * provider), 405 (provider has no inbound surface).
+ */
+interface WebhookHeaders {
+    [name: string]: string | string[] | undefined;
+}
+/** Normalized inbound event the router emits after parsing. */
+interface WebhookEnvelope<TPayload = unknown> {
+    /** Provider id (matches the `:provider` path segment). */
+    provider: string;
+    /** Optional event class — e.g., 'customer.subscription.deleted'. The
+     *  provider's parser decides. Used for routing inside `deliver()`. */
+    eventType: string;
+    /** Provider-emitted event id, when present. Used for the idempotency
+     *  short-circuit. */
+    providerEventId?: string;
+    /** Wall-clock receive time. */
+    receivedAt: number;
+    /** Provider payload, normalized to the provider's documented event
+     *  shape. The router does NOT reshape this — `parse()` is the contract. */
+    payload: TPayload;
+    /** Headers passed through for downstream handlers that want them
+     *  (e.g., to extract custom routing metadata). Always lowercased keys. */
+    headers: Record<string, string>;
+}
+type SignatureVerification = {
+    valid: true;
+} | {
+    valid: false;
+    reason: string;
+};
+/** Per-provider plug-in. Stateless — the router calls `verifySignature`
+ *  then `parse` on every request. The provider's HTTP-shape concerns
+ *  (e.g., raw body required) are documented per provider. */
+interface WebhookProvider {
+    /** Stable provider id (`stripe`, `docuseal`, `gdrive`, ...). */
+    id: string;
+    /** Verify the inbound signature. Receives the EXACT raw body string —
+     *  consumers MUST preserve raw bytes through their HTTP server (do not
+     *  parse JSON before forwarding here). */
+    verifySignature(input: {
+        rawBody: string;
+        headers: WebhookHeaders;
+        secret: string;
+    }): SignatureVerification;
+    /** Parse the validated raw body into zero or more normalized events.
+     *  A single push payload may carry multiple events (e.g., Slack bulk
+     *  delivery). Return [] to ack the push as a no-op. */
+    parse(input: {
+        rawBody: string;
+        headers: WebhookHeaders;
+        now?: number;
+    }): WebhookEnvelope[] | Promise<WebhookEnvelope[]>;
+}
+interface WebhookIdempotencyStore {
+    /** Returns true if this providerEventId has been processed already.
+     *  Implementations should be O(1) (Redis SETNX, D1 UNIQUE constraint). */
+    seen(providerEventId: string): Promise<boolean> | boolean;
+    /** Marks a providerEventId as processed. Called AFTER `deliver()` has
+     *  been invoked. */
+    remember(providerEventId: string, ttlMs: number): Promise<void> | void;
+}
+interface WebhookRouterOptions {
+    /** Provider registry. Pass any number of providers; routing is by id. */
+    providers: WebhookProvider[];
+    /** Async callback invoked with every accepted event. Fire-and-forget
+     *  from the router's perspective — the HTTP response is sent before
+     *  this resolves. Throws are caught and reported via `onError`. */
+    deliver(event: WebhookEnvelope): Promise<void> | void;
+    /** Resolve the signing secret for a provider id at request time. The
+     *  router never holds secrets — the consumer's vault resolves them. */
+    resolveSecret(providerId: string, headers: WebhookHeaders): Promise<string | null> | string | null;
+    /** Optional idempotency-dedup hook. Required for providers that don't
+     *  sign timestamps in their signature scheme (DocuSeal, Drive push). */
+    idempotency?: WebhookIdempotencyStore;
+    /** TTL on idempotency entries. Default 7 days — long enough that a
+     *  provider's normal retry-window can't re-deliver. */
+    idempotencyTtlMs?: number;
+    /** Surface delivery errors. Default: console.error. */
+    onError?(err: unknown, context: {
+        provider: string;
+        eventType?: string;
+        providerEventId?: string;
+    }): void;
+    /** Override `now()` for tests. */
+    now?(): number;
+}
+interface WebhookRouterRequest {
+    providerId: string;
+    rawBody: string;
+    headers: WebhookHeaders;
+}
+interface WebhookRouterResponse {
+    status: number;
+    body: unknown;
+    headers?: Record<string, string>;
+}
+/**
+ * Router instance. Stateless aside from the provider registry — safe to
+ * share across requests; build once per process.
+ */
+declare class WebhookRouter {
+    private readonly providers;
+    private readonly deliver;
+    private readonly resolveSecret;
+    private readonly idempotency?;
+    private readonly idempotencyTtlMs;
+    private readonly onError;
+    private readonly nowFn;
+    constructor(opts: WebhookRouterOptions);
+    /** Process one inbound webhook request. Pure with respect to side-
+     *  effects on the router instance — safe to call concurrently. */
+    handle(request: WebhookRouterRequest): Promise<WebhookRouterResponse>;
+    private deliverEach;
+}
+
+/**
+ * Pre-built `WebhookProvider` implementations for the inbound surfaces
+ * the substrate ships first-party verifiers for.
+ *
+ * Each provider implementation is intentionally thin: it delegates
+ * signature verification to the corresponding pure function in
+ * `connectors/webhooks.ts` and parses the body into one or more
+ * normalized `WebhookEnvelope` rows. Anything provider-specific that
+ * doesn't fit cleanly (Slack URL-verification handshake, etc.) is
+ * surfaced via the envelope `eventType` so the consumer's `deliver()`
+ * can branch.
+ */
+
+/** Stripe webhook provider. Signature header `Stripe-Signature`. */
+declare const stripeWebhookProvider: WebhookProvider;
+/** Slack Events API provider. Handles the `url_verification` handshake
+ *  by emitting a synthetic event the consumer's `deliver()` can echo. */
+declare const slackWebhookProvider: WebhookProvider;
+/** DocuSeal webhook provider. Signature header `X-Docuseal-Signature`. */
+declare const docusealWebhookProvider: WebhookProvider;
+/** Gmail push provider. Cloud Pub/Sub posts a JWT-signed envelope; the
+ *  *payload* is base64 JSON describing the changed history range. The
+ *  signature scheme here is the Pub/Sub JWT auth header — when supplied,
+ *  consumers SHOULD verify the JWT against Google's well-known
+ *  certificates. We accept the simpler "Bearer <pubsub-shared-secret>"
+ *  variant by default (matching `verifyHmacSignature`). */
+declare const gmailWebhookProvider: WebhookProvider;
+/** Google Drive push provider. Drive does NOT sign the body — it uses
+ *  the per-channel token (`X-Goog-Channel-Token`) as the shared secret.
+ *  The router compares it constant-time against the resolved secret. */
+declare const gdriveWebhookProvider: WebhookProvider;
+/** Generic HMAC provider — for the long-tail webhook source where the
+ *  caller has standardised on a single sha256-of-body scheme. Header
+ *  `X-Signature` by default; override at provider-build time if needed. */
+declare function genericHmacWebhookProvider(options: {
+    id: string;
+    signatureHeader?: string;
+    algorithm?: 'sha256' | 'sha1' | 'sha512';
+    signaturePrefix?: string;
+    /** Parser to convert the raw body into envelopes. Defaults to
+     *  "one event with eventType=<provider>.event and payload=JSON". */
+    parse?: WebhookProvider['parse'];
+}): WebhookProvider;
+
+export { type SignatureVerification, type WebhookEnvelope, type WebhookHeaders, type WebhookIdempotencyStore, type WebhookProvider, WebhookRouter, type WebhookRouterOptions, type WebhookRouterRequest, type WebhookRouterResponse, docusealWebhookProvider, gdriveWebhookProvider, genericHmacWebhookProvider, gmailWebhookProvider, slackWebhookProvider, stripeWebhookProvider };