@tangle-network/agent-integrations 0.25.7 → 0.27.0

package/dist/{chunk-WC63AI4Q.js → chunk-JU25UDN2.js}

@@ -1,55 +1,12 @@
-// src/connectors/types.ts
-var ResourceContention = class extends Error {
-  constructor(message, alternatives = [], currentState) {
-    super(message);
-    this.alternatives = alternatives;
-    this.currentState = currentState;
-  }
-  alternatives;
-  currentState;
-  name = "ResourceContention";
-};
-var CredentialsExpired = class extends Error {
-  constructor(message, dataSourceId) {
-    super(message);
-    this.dataSourceId = dataSourceId;
-  }
-  dataSourceId;
-  name = "CredentialsExpired";
-};
-function validateConnectorManifest(manifest) {
-  const issues = [];
-  if (!manifest.kind.trim()) issues.push({ path: "kind", message: "kind is required" });
-  if (!manifest.displayName.trim()) issues.push({ path: "displayName", message: "displayName is required" });
-  const seen = /* @__PURE__ */ new Set();
-  for (const [index, capability] of manifest.capabilities.entries()) {
-    const path = `capabilities[${index}]`;
-    if (!capability.name.trim()) issues.push({ path: `${path}.name`, message: "capability name is required" });
-    if (seen.has(capability.name)) issues.push({ path: `${path}.name`, message: `duplicate capability name: ${capability.name}` });
-    seen.add(capability.name);
-    if (capability.class === "mutation") {
-      if (!capability.cas) issues.push({ path: `${path}.cas`, message: "mutation capability must declare a CAS strategy" });
-      if (manifest.defaultConsistencyModel === "authoritative" && capability.cas === "none") {
-        issues.push({ path: `${path}.cas`, message: 'authoritative mutations cannot use cas="none"' });
-      }
-    }
-  }
-  if (manifest.rateLimit) {
-    if (!Number.isFinite(manifest.rateLimit.requests) || manifest.rateLimit.requests <= 0) {
-      issues.push({ path: "rateLimit.requests", message: "rateLimit.requests must be positive" });
-    }
-    if (!Number.isFinite(manifest.rateLimit.windowMs) || manifest.rateLimit.windowMs <= 0) {
-      issues.push({ path: "rateLimit.windowMs", message: "rateLimit.windowMs must be positive" });
-    }
-  }
-  return { ok: issues.length === 0, issues };
-}
-function assertValidConnectorManifest(manifest) {
-  const result = validateConnectorManifest(manifest);
-  if (!result.ok) {
-    throw new Error(`Invalid connector manifest ${manifest.kind || "<unknown>"}: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
-  }
-}
+import {
+  firstHeader,
+  verifySlackSignature,
+  verifyStripeSignature
+} from "./chunk-2TW2QKGZ.js";
+import {
+  CredentialsExpired,
+  ResourceContention
+} from "./chunk-ATYHZXLL.js";
 
 // src/connectors/oauth.ts
 import { createHash, randomBytes } from "crypto";
@@ -462,11 +419,320 @@ function readMetaString(meta, key) {
   return v;
 }
 
+// src/connectors/adapters/google-drive.ts
+var SCOPES_READONLY = ["https://www.googleapis.com/auth/drive.readonly"];
+var SCOPE_WATCH = "https://www.googleapis.com/auth/drive";
+var AUTH_URL2 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var API = "https://www.googleapis.com/drive/v3";
+function googleDrive(opts) {
+  const { clientId, clientSecret } = opts;
+  const timeoutMs = opts.timeoutMs ?? 3e4;
+  const scopes = opts.includeWatchScope ? [...SCOPES_READONLY, SCOPE_WATCH] : SCOPES_READONLY;
+  const adapter = {
+    manifest: {
+      kind: "google-drive",
+      displayName: "Google Drive",
+      description: "Read and watch files in the user's Google Drive. List a folder, fetch a document's contents (Docs/Sheets/PDFs/.docx), and subscribe to folder changes via push notifications.",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL2,
+        tokenUrl: TOKEN_URL2,
+        scopes,
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET",
+        extraAuthParams: { access_type: "offline", prompt: "consent", include_granted_scopes: "true" }
+      },
+      category: "storage",
+      defaultConsistencyModel: "authoritative",
+      rateLimit: { requests: 1e3, windowMs: 6e4, scope: "oauth-client" },
+      capabilities: [
+        {
+          name: "list_files",
+          class: "read",
+          description: `List files visible to the connected Drive account. Optionally scope to a folder by id and/or pass a Drive query string (e.g., "mimeType='application/pdf' and modifiedTime > '2025-01-01T00:00:00Z'").`,
+          parameters: {
+            type: "object",
+            properties: {
+              folderId: { type: "string", description: "Drive folder id; when present, restricts to direct children." },
+              query: { type: "string", description: "Optional Drive query expression; appended with AND if folderId is set." },
+              pageSize: { type: "integer", minimum: 1, maximum: 1e3, default: 100 },
+              pageToken: { type: "string", description: "Continuation token returned by a previous call." }
+            }
+          }
+        },
+        {
+          name: "read_file",
+          class: "read",
+          description: "Read a file's contents. Google-native types are exported (Docs \u2192 text/plain by default, Sheets \u2192 text/csv, Slides \u2192 application/pdf); binary types are returned as base64.",
+          parameters: {
+            type: "object",
+            properties: {
+              fileId: { type: "string" },
+              exportMime: {
+                type: "string",
+                description: "Export mime override for Google-native types. Defaults: Docs=text/plain, Sheets=text/csv, Slides=application/pdf."
+              }
+            },
+            required: ["fileId"]
+          }
+        },
+        {
+          name: "watch_folder",
+          class: "mutation",
+          description: "Create a push-notification channel for a folder. Drive POSTs change notifications to `address`; the channel expires at `expiration` (max 7 days). Pass the same channelId on retry to replay the existing channel.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          requiredScopes: [SCOPE_WATCH],
+          parameters: {
+            type: "object",
+            properties: {
+              folderId: { type: "string" },
+              channelId: { type: "string", description: "Caller-controlled UUID; also used as idempotency key." },
+              address: { type: "string", description: "HTTPS URL Drive will POST change notifications to." },
+              ttlMs: { type: "integer", minimum: 6e4, description: "Channel lifetime in ms. Drive caps at 7 days." }
+            },
+            required: ["folderId", "channelId", "address"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      if (inv.capabilityName === "list_files") return listFiles(inv, accessToken, timeoutMs);
+      if (inv.capabilityName === "read_file") return readFile(inv, accessToken, timeoutMs);
+      throw new Error(`google-drive: unknown read capability ${inv.capabilityName}`);
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName !== "watch_folder") {
+        throw new Error(`google-drive: unknown mutation capability ${inv.capabilityName}`);
+      }
+      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      return watchFolder(inv, accessToken, timeoutMs);
+    },
+    async exchangeOAuth(input) {
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL2,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? scopes,
+        metadata: {}
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("google-drive.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL2,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken2(source.credentials, clientId, clientSecret);
+        const res = await fetch(`${API}/about?fields=user`, {
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403) {
+          return { ok: false, reason: `Google rejected Drive token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `Google Drive returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function listFiles(inv, accessToken, timeoutMs) {
+  const args = inv.args ?? {};
+  const q = [];
+  if (args.folderId) q.push(`'${args.folderId.replace(/'/g, "\\'")}' in parents`);
+  if (args.query) q.push(`(${args.query})`);
+  q.push("trashed = false");
+  const params = new URLSearchParams({
+    q: q.join(" and "),
+    pageSize: String(args.pageSize ?? 100),
+    fields: "nextPageToken, files(id,name,mimeType,modifiedTime,size,md5Checksum,parents)"
+  });
+  if (args.pageToken) params.set("pageToken", args.pageToken);
+  const res = await fetch(`${API}/files?${params.toString()}`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Google Drive rejected token (${res.status})`, inv.source.id);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`google-drive list_files ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return {
+    data: { files: json.files ?? [], nextPageToken: json.nextPageToken },
+    fetchedAt: Date.now()
+  };
+}
+var GOOGLE_NATIVE_DEFAULTS = {
+  "application/vnd.google-apps.document": "text/plain",
+  "application/vnd.google-apps.spreadsheet": "text/csv",
+  "application/vnd.google-apps.presentation": "application/pdf"
+};
+async function readFile(inv, accessToken, timeoutMs) {
+  const { fileId, exportMime } = inv.args ?? {};
+  const metaRes = await fetch(`${API}/files/${encodeURIComponent(fileId)}?fields=id,name,mimeType,modifiedTime`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (metaRes.status === 401 || metaRes.status === 403) {
+    throw new CredentialsExpired(`Google Drive rejected token (${metaRes.status})`, inv.source.id);
+  }
+  if (metaRes.status === 404) {
+    throw new Error(`google-drive read_file: file ${fileId} not found`);
+  }
+  if (!metaRes.ok) {
+    const text = await metaRes.text().catch(() => "");
+    throw new Error(`google-drive read_file meta ${metaRes.status}: ${text.slice(0, 200)}`);
+  }
+  const meta = await metaRes.json();
+  const isNative = meta.mimeType.startsWith("application/vnd.google-apps.");
+  const fetchedAt = Date.now();
+  if (isNative) {
+    const targetMime = exportMime ?? GOOGLE_NATIVE_DEFAULTS[meta.mimeType] ?? "text/plain";
+    const res2 = await fetch(`${API}/files/${encodeURIComponent(fileId)}/export?mimeType=${encodeURIComponent(targetMime)}`, {
+      headers: { authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+    if (!res2.ok) {
+      const text = await res2.text().catch(() => "");
+      throw new Error(`google-drive read_file export ${res2.status}: ${text.slice(0, 200)}`);
+    }
+    const isTextLike2 = /^text\/|application\/(json|xml|csv|javascript)/.test(targetMime);
+    if (isTextLike2) {
+      const content = await res2.text();
+      return {
+        data: { name: meta.name, mimeType: targetMime, content, encoding: "utf-8", modifiedTime: meta.modifiedTime },
+        fetchedAt
+      };
+    }
+    const buf2 = Buffer.from(await res2.arrayBuffer());
+    return {
+      data: { name: meta.name, mimeType: targetMime, content: buf2.toString("base64"), encoding: "base64", modifiedTime: meta.modifiedTime },
+      fetchedAt
+    };
+  }
+  const res = await fetch(`${API}/files/${encodeURIComponent(fileId)}?alt=media`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`google-drive read_file media ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const isTextLike = /^text\/|application\/(json|xml|csv|javascript)/.test(meta.mimeType);
+  if (isTextLike) {
+    const content = await res.text();
+    return {
+      data: { name: meta.name, mimeType: meta.mimeType, content, encoding: "utf-8", modifiedTime: meta.modifiedTime },
+      fetchedAt
+    };
+  }
+  const buf = Buffer.from(await res.arrayBuffer());
+  return {
+    data: { name: meta.name, mimeType: meta.mimeType, content: buf.toString("base64"), encoding: "base64", modifiedTime: meta.modifiedTime },
+    fetchedAt
+  };
+}
+async function watchFolder(inv, accessToken, timeoutMs) {
+  const { folderId, channelId, address, ttlMs } = inv.args;
+  const body = {
+    id: channelId,
+    type: "web_hook",
+    address
+  };
+  if (ttlMs && ttlMs > 0) body.expiration = String(Date.now() + ttlMs);
+  const res = await fetch(`${API}/files/${encodeURIComponent(folderId)}/watch`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Google Drive rejected token (${res.status})`, inv.source.id);
+  }
+  if (res.status === 409) {
+    const cached = inv.source.metadata.watchedChannels?.[channelId];
+    return {
+      status: "committed",
+      data: { channelId, resourceId: cached?.resourceId, expiration: cached?.expiration },
+      committedAt: Date.now(),
+      idempotentReplay: true
+    };
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`google-drive watch_folder ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return {
+    status: "committed",
+    data: { channelId: json.id, resourceId: json.resourceId, expiration: json.expiration },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function ensureFreshAccessToken2(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("google-drive: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("Google Drive access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL2,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+
 // src/connectors/adapters/google-sheets.ts
 import { createHash as createHash2 } from "crypto";
 var SCOPES2 = ["https://www.googleapis.com/auth/spreadsheets"];
-var AUTH_URL2 = "https://accounts.google.com/o/oauth2/v2/auth";
-var TOKEN_URL2 = "https://oauth2.googleapis.com/token";
+var AUTH_URL3 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL3 = "https://oauth2.googleapis.com/token";
 function googleSheets(opts) {
   const { clientId, clientSecret } = opts;
   const adapter = {
@@ -476,8 +742,8 @@ function googleSheets(opts) {
       description: "Bind your agent's knowledge base or pricing/availability lookup to a live Google Sheet. Edit the sheet, and the agent picks up changes \u2014 no redeploys.",
       auth: {
         kind: "oauth2",
-        authorizationUrl: AUTH_URL2,
-        tokenUrl: TOKEN_URL2,
+        authorizationUrl: AUTH_URL3,
+        tokenUrl: TOKEN_URL3,
         scopes: SCOPES2,
         clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
         clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET",
@@ -544,7 +810,7 @@ function googleSheets(opts) {
     },
     async executeRead(inv) {
       const meta = readSheetMeta(inv.source.metadata);
-      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
       const rows = await fetchAllRows(accessToken, meta);
       const limit = clampLimit(inv.args.limit, 100);
       let filtered = rows;
@@ -571,7 +837,7 @@ function googleSheets(opts) {
         throw new Error(`google-sheets: unknown mutation ${inv.capabilityName}`);
       }
       const meta = readSheetMeta(inv.source.metadata);
-      const accessToken = await ensureFreshAccessToken2(inv.source.credentials, clientId, clientSecret);
+      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
       const { rowKey, patch, expectedFingerprint } = inv.args;
       const rows = await fetchAllRows(accessToken, meta);
       const target = rows.find((r) => normalizeKey(r.values[meta.keyColumn]) === normalizeKey(rowKey));
@@ -627,7 +893,7 @@ function googleSheets(opts) {
     },
     async exchangeOAuth(input) {
       const tokens = await exchangeAuthorizationCode({
-        tokenUrl: TOKEN_URL2,
+        tokenUrl: TOKEN_URL3,
         clientId,
         clientSecret,
         code: input.code,
@@ -652,7 +918,7 @@ function googleSheets(opts) {
         throw new Error("google-sheets.refreshToken: missing refresh token");
       }
       const refreshed = await refreshAccessToken({
-        tokenUrl: TOKEN_URL2,
+        tokenUrl: TOKEN_URL3,
         clientId,
         clientSecret,
         refreshToken: creds.refreshToken
@@ -666,7 +932,7 @@ function googleSheets(opts) {
     },
     async test(source) {
       try {
-        const accessToken = await ensureFreshAccessToken2(source.credentials, clientId, clientSecret);
+        const accessToken = await ensureFreshAccessToken3(source.credentials, clientId, clientSecret);
         const meta = readSheetMeta(source.metadata);
         if (!meta.spreadsheetId) {
           return { ok: false, reason: "spreadsheetId not configured \u2014 pick a sheet in the connection settings" };
@@ -764,7 +1030,7 @@ function columnIndexToLetter(idx) {
   }
   return s;
 }
-async function ensureFreshAccessToken2(creds, clientId, clientSecret) {
+async function ensureFreshAccessToken3(creds, clientId, clientSecret) {
   if (creds.kind !== "oauth2") {
     throw new Error("google-sheets: expected oauth2 credentials");
   }
@@ -775,7 +1041,403 @@ async function ensureFreshAccessToken2(creds, clientId, clientSecret) {
     throw new CredentialsExpired("Google Sheets access token expired and no refresh token", "");
   }
   const refreshed = await refreshAccessToken({
-    tokenUrl: TOKEN_URL2,
+    tokenUrl: TOKEN_URL3,
+    clientId,
+    clientSecret,
+    refreshToken: creds.refreshToken
+  });
+  creds.accessToken = refreshed.accessToken;
+  creds.expiresAt = refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0;
+  if (refreshed.refreshToken) creds.refreshToken = refreshed.refreshToken;
+  return creds.accessToken;
+}
+
+// src/connectors/adapters/gmail.ts
+var SCOPE_READ = "https://www.googleapis.com/auth/gmail.readonly";
+var SCOPE_SEND = "https://www.googleapis.com/auth/gmail.send";
+var SCOPE_MODIFY = "https://www.googleapis.com/auth/gmail.modify";
+var AUTH_URL4 = "https://accounts.google.com/o/oauth2/v2/auth";
+var TOKEN_URL4 = "https://oauth2.googleapis.com/token";
+var API2 = "https://gmail.googleapis.com/gmail/v1/users/me";
+function gmail(opts) {
+  const { clientId, clientSecret } = opts;
+  const timeoutMs = opts.timeoutMs ?? 3e4;
+  const scopes = opts.scopes ?? [SCOPE_READ, SCOPE_SEND, SCOPE_MODIFY];
+  const adapter = {
+    manifest: {
+      kind: "gmail",
+      displayName: "Gmail",
+      description: "Read inbox messages by label or query, fetch a single message including MIME bodies and attachment manifests, reply on a thread, and watch a label for new mail (Cloud Pub/Sub push).",
+      auth: {
+        kind: "oauth2",
+        authorizationUrl: AUTH_URL4,
+        tokenUrl: TOKEN_URL4,
+        scopes,
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET",
+        extraAuthParams: { access_type: "offline", prompt: "consent", include_granted_scopes: "true" }
+      },
+      category: "comms",
+      defaultConsistencyModel: "authoritative",
+      rateLimit: { requests: 250, windowMs: 1e3, scope: "oauth-client" },
+      capabilities: [
+        {
+          name: "list_messages",
+          class: "read",
+          description: "List inbox messages. Filter by labelIds (default INBOX) and/or a Gmail query (e.g., 'from:billing@stripe.com newer_than:7d'). Returns headers (from/to/subject/date) not bodies.",
+          requiredScopes: [SCOPE_READ],
+          parameters: {
+            type: "object",
+            properties: {
+              labelIds: { type: "array", items: { type: "string" }, description: 'Default: ["INBOX"]' },
+              query: { type: "string", description: "Gmail query syntax." },
+              maxResults: { type: "integer", minimum: 1, maximum: 500, default: 25 },
+              pageToken: { type: "string" }
+            }
+          }
+        },
+        {
+          name: "read_message",
+          class: "read",
+          description: "Read a single Gmail message including parsed text and html bodies and a flat manifest of attachments. Bodies are inlined; attachment bytes are not.",
+          requiredScopes: [SCOPE_READ],
+          parameters: {
+            type: "object",
+            properties: {
+              id: { type: "string" }
+            },
+            required: ["id"]
+          }
+        },
+        {
+          name: "send_reply",
+          class: "mutation",
+          description: "Send a reply on a thread. Pulls In-Reply-To/References from the latest message in the thread. Body is text/plain.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          requiredScopes: [SCOPE_SEND, SCOPE_READ],
+          parameters: {
+            type: "object",
+            properties: {
+              threadId: { type: "string" },
+              body: { type: "string", description: "text/plain body" },
+              replyAll: { type: "boolean", default: false },
+              cc: { type: "array", items: { type: "string" } }
+            },
+            required: ["threadId", "body"]
+          }
+        },
+        {
+          name: "watch_label",
+          class: "mutation",
+          description: "Register a Cloud Pub/Sub topic to receive push notifications when a label changes. Returns the upstream historyId + expiration. Re-issue every 7 days.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          requiredScopes: [SCOPE_MODIFY],
+          parameters: {
+            type: "object",
+            properties: {
+              labelIds: { type: "array", items: { type: "string" }, description: 'Default: ["INBOX"]' },
+              topicName: { type: "string", description: "projects/<id>/topics/<name>" },
+              labelFilterAction: { type: "string", enum: ["include", "exclude"], default: "include" }
+            },
+            required: ["topicName"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
+      if (inv.capabilityName === "list_messages") return listMessages(inv, accessToken, timeoutMs);
+      if (inv.capabilityName === "read_message") return readMessage(inv, accessToken, timeoutMs);
+      throw new Error(`gmail: unknown read capability ${inv.capabilityName}`);
+    },
+    async executeMutation(inv) {
+      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
+      if (inv.capabilityName === "send_reply") return sendReply(inv, accessToken, timeoutMs);
+      if (inv.capabilityName === "watch_label") return watchLabel(inv, accessToken, timeoutMs);
+      throw new Error(`gmail: unknown mutation capability ${inv.capabilityName}`);
+    },
+    async exchangeOAuth(input) {
+      const tokens = await exchangeAuthorizationCode({
+        tokenUrl: TOKEN_URL4,
+        clientId,
+        clientSecret,
+        code: input.code,
+        codeVerifier: input.codeVerifier,
+        redirectUri: input.redirectUri
+      });
+      return {
+        credentials: {
+          kind: "oauth2",
+          accessToken: tokens.accessToken,
+          refreshToken: tokens.refreshToken,
+          expiresAt: tokens.expiresIn ? Date.now() + tokens.expiresIn * 1e3 : void 0
+        },
+        scopes: tokens.scope?.split(/\s+/) ?? scopes,
+        metadata: {}
+      };
+    },
+    async refreshToken(creds) {
+      if (creds.kind !== "oauth2" || !creds.refreshToken) {
+        throw new Error("gmail.refreshToken: missing refresh token");
+      }
+      const refreshed = await refreshAccessToken({
+        tokenUrl: TOKEN_URL4,
+        clientId,
+        clientSecret,
+        refreshToken: creds.refreshToken
+      });
+      return {
+        kind: "oauth2",
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken ?? creds.refreshToken,
+        expiresAt: refreshed.expiresIn ? Date.now() + refreshed.expiresIn * 1e3 : void 0
+      };
+    },
+    async test(source) {
+      try {
+        const accessToken = await ensureFreshAccessToken4(source.credentials, clientId, clientSecret);
+        const res = await fetch(`${API2}/profile`, {
+          headers: { authorization: `Bearer ${accessToken}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401 || res.status === 403) {
+          return { ok: false, reason: `Google rejected Gmail token (${res.status}) \u2014 reconnect required` };
+        }
+        if (!res.ok) return { ok: false, reason: `Gmail returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+async function listMessages(inv, accessToken, timeoutMs) {
+  const args = inv.args ?? {};
+  const params = new URLSearchParams({
+    maxResults: String(args.maxResults ?? 25)
+  });
+  for (const id of args.labelIds ?? ["INBOX"]) params.append("labelIds", id);
+  if (args.query) params.set("q", args.query);
+  if (args.pageToken) params.set("pageToken", args.pageToken);
+  const listRes = await fetch(`${API2}/messages?${params.toString()}`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (listRes.status === 401 || listRes.status === 403) {
+    throw new CredentialsExpired(`Gmail rejected token (${listRes.status})`, inv.source.id);
+  }
+  if (!listRes.ok) {
+    const text = await listRes.text().catch(() => "");
+    throw new Error(`gmail list_messages ${listRes.status}: ${text.slice(0, 200)}`);
+  }
+  const listJson = await listRes.json();
+  const ids = listJson.messages ?? [];
+  const metas = await Promise.all(
+    ids.map(async ({ id }) => {
+      const res = await fetch(`${API2}/messages/${encodeURIComponent(id)}?format=metadata&metadataHeaders=From&metadataHeaders=To&metadataHeaders=Subject&metadataHeaders=Date`, {
+        headers: { authorization: `Bearer ${accessToken}` },
+        signal: AbortSignal.timeout(timeoutMs)
+      });
+      if (!res.ok) return null;
+      return await res.json();
+    })
+  );
+  const messages = metas.filter((m) => Boolean(m)).map(toMessageSummary);
+  return {
+    data: { messages, nextPageToken: listJson.nextPageToken },
+    fetchedAt: Date.now()
+  };
+}
+function toMessageSummary(meta) {
+  const headers = new Map((meta.payload?.headers ?? []).map((h) => [h.name.toLowerCase(), h.value]));
+  return {
+    id: meta.id,
+    threadId: meta.threadId,
+    snippet: meta.snippet,
+    internalDate: meta.internalDate,
+    labelIds: meta.labelIds ?? [],
+    from: headers.get("from"),
+    to: headers.get("to"),
+    subject: headers.get("subject"),
+    date: headers.get("date")
+  };
+}
+async function readMessage(inv, accessToken, timeoutMs) {
+  const { id } = inv.args;
+  const res = await fetch(`${API2}/messages/${encodeURIComponent(id)}?format=full`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Gmail rejected token (${res.status})`, inv.source.id);
+  }
+  if (res.status === 404) {
+    throw new Error(`gmail read_message: message ${id} not found`);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`gmail read_message ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const full = await res.json();
+  const headers = new Map((full.payload?.headers ?? []).map((h) => [h.name.toLowerCase(), h.value]));
+  const body = {};
+  const attachments = [];
+  walkParts(full.payload, body, attachments);
+  return {
+    data: {
+      id: full.id,
+      threadId: full.threadId,
+      internalDate: full.internalDate,
+      labelIds: full.labelIds ?? [],
+      from: headers.get("from"),
+      to: headers.get("to"),
+      cc: headers.get("cc"),
+      subject: headers.get("subject"),
+      date: headers.get("date"),
+      body,
+      attachments
+    },
+    fetchedAt: Date.now()
+  };
+}
+function walkParts(part, body, attachments) {
+  if (!part) return;
+  if (part.body?.data && part.mimeType === "text/plain" && !body.text) {
+    body.text = decodeBase64Url(part.body.data);
+  } else if (part.body?.data && part.mimeType === "text/html" && !body.html) {
+    body.html = decodeBase64Url(part.body.data);
+  }
+  if (part.filename && part.body?.attachmentId) {
+    attachments.push({
+      filename: part.filename,
+      mimeType: part.mimeType ?? "application/octet-stream",
+      attachmentId: part.body.attachmentId,
+      size: part.body.size ?? 0
+    });
+  }
+  for (const child of part.parts ?? []) walkParts(child, body, attachments);
+}
+function decodeBase64Url(s) {
+  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf-8");
+}
+function encodeBase64Url(s) {
+  return Buffer.from(s, "utf-8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function sendReply(inv, accessToken, timeoutMs) {
+  const { threadId, body, replyAll, cc } = inv.args;
+  const threadRes = await fetch(`${API2}/threads/${encodeURIComponent(threadId)}?format=metadata&metadataHeaders=From&metadataHeaders=To&metadataHeaders=Cc&metadataHeaders=Subject&metadataHeaders=Message-ID&metadataHeaders=References`, {
+    headers: { authorization: `Bearer ${accessToken}` },
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (threadRes.status === 401 || threadRes.status === 403) {
+    throw new CredentialsExpired(`Gmail rejected token (${threadRes.status})`, inv.source.id);
+  }
+  if (!threadRes.ok) {
+    const text = await threadRes.text().catch(() => "");
+    throw new Error(`gmail send_reply thread fetch ${threadRes.status}: ${text.slice(0, 200)}`);
+  }
+  const thread = await threadRes.json();
+  const last = thread.messages?.[thread.messages.length - 1];
+  if (!last) throw new Error(`gmail send_reply: thread ${threadId} has no messages`);
+  const lastHeaders = new Map((last.payload?.headers ?? []).map((h) => [h.name.toLowerCase(), h.value]));
+  const inReplyTo = lastHeaders.get("message-id");
+  const refsHeader = lastHeaders.get("references");
+  const refs = refsHeader ? `${refsHeader} ${inReplyTo ?? ""}`.trim() : inReplyTo;
+  const fromHeader = lastHeaders.get("from");
+  const toHeader = lastHeaders.get("to");
+  const ccHeader = lastHeaders.get("cc");
+  const subject = lastHeaders.get("subject") ?? "";
+  const rfcHeaders = [];
+  if (fromHeader) rfcHeaders.push(`To: ${fromHeader}`);
+  if (replyAll) {
+    const extra = [toHeader, ccHeader].filter(Boolean).join(", ");
+    if (extra) rfcHeaders.push(`Cc: ${extra}`);
+  }
+  if (cc?.length) {
+    const existing = rfcHeaders.findIndex((h) => h.startsWith("Cc: "));
+    if (existing >= 0) rfcHeaders[existing] = `${rfcHeaders[existing]}, ${cc.join(", ")}`;
+    else rfcHeaders.push(`Cc: ${cc.join(", ")}`);
+  }
+  rfcHeaders.push(`Subject: ${subject.toLowerCase().startsWith("re:") ? subject : "Re: " + subject}`);
+  if (inReplyTo) rfcHeaders.push(`In-Reply-To: ${inReplyTo}`);
+  if (refs) rfcHeaders.push(`References: ${refs}`);
+  rfcHeaders.push(`X-Tangle-Idempotency-Key: ${inv.idempotencyKey}`);
+  rfcHeaders.push('Content-Type: text/plain; charset="UTF-8"');
+  rfcHeaders.push("MIME-Version: 1.0");
+  const raw = `${rfcHeaders.join("\r\n")}\r
+\r
+${body}`;
+  const sendBody = { threadId, raw: encodeBase64Url(raw) };
+  const sendRes = await fetch(`${API2}/messages/send`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(sendBody),
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (sendRes.status === 401 || sendRes.status === 403) {
+    throw new CredentialsExpired(`Gmail rejected token (${sendRes.status})`, inv.source.id);
+  }
+  if (!sendRes.ok) {
+    const text = await sendRes.text().catch(() => "");
+    throw new Error(`gmail send_reply ${sendRes.status}: ${text.slice(0, 200)}`);
+  }
+  const sent = await sendRes.json();
+  return {
+    status: "committed",
+    data: { id: sent.id, threadId: sent.threadId, labelIds: sent.labelIds ?? [] },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function watchLabel(inv, accessToken, timeoutMs) {
+  const { labelIds, topicName, labelFilterAction } = inv.args;
+  const body = {
+    topicName,
+    labelIds: labelIds ?? ["INBOX"],
+    labelFilterAction: labelFilterAction ?? "include"
+  };
+  const res = await fetch(`${API2}/watch`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${accessToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401 || res.status === 403) {
+    throw new CredentialsExpired(`Gmail rejected token (${res.status})`, inv.source.id);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`gmail watch_label ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  return {
+    status: "committed",
+    data: { historyId: json.historyId, expiration: json.expiration, topicName, labelIds: body.labelIds },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function ensureFreshAccessToken4(creds, clientId, clientSecret) {
+  if (creds.kind !== "oauth2") {
+    throw new Error("gmail: expected oauth2 credentials");
+  }
+  if (creds.accessToken && (!creds.expiresAt || creds.expiresAt > Date.now() + 6e4)) {
+    return creds.accessToken;
+  }
+  if (!creds.refreshToken) {
+    throw new CredentialsExpired("Gmail access token expired and no refresh token", "");
+  }
+  const refreshed = await refreshAccessToken({
+    tokenUrl: TOKEN_URL4,
     clientId,
     clientSecret,
     refreshToken: creds.refreshToken
@@ -794,8 +1456,8 @@ var SCOPES3 = [
   // connection silently dies after ~1 hour.
   "offline_access"
 ];
-var AUTH_URL3 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
-var TOKEN_URL3 = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+var AUTH_URL5 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+var TOKEN_URL5 = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
 function microsoftCalendar(opts) {
   const { clientId, clientSecret } = opts;
   const adapter = {
@@ -805,8 +1467,8 @@ function microsoftCalendar(opts) {
       description: "Let your agent check availability and book against an Outlook / Microsoft 365 calendar. Conflict-resolved via Graph's getSchedule pre-flight; etag-guarded on event updates.",
       auth: {
         kind: "oauth2",
-        authorizationUrl: AUTH_URL3,
-        tokenUrl: TOKEN_URL3,
+        authorizationUrl: AUTH_URL5,
+        tokenUrl: TOKEN_URL5,
         scopes: SCOPES3,
         clientIdEnv: "MS_OAUTH_CLIENT_ID",
         clientSecretEnv: "MS_OAUTH_CLIENT_SECRET"
@@ -858,7 +1520,7 @@ function microsoftCalendar(opts) {
       }
       const userPrincipal = readMetaString2(inv.source.metadata, "userPrincipal");
       const { timeMin, timeMax } = inv.args;
-      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
+      const accessToken = await ensureFreshAccessToken5(inv.source.credentials, clientId, clientSecret);
       const busy = await getScheduleBusy({ accessToken, userPrincipal, timeMin, timeMax });
       return {
         data: { busy },
@@ -871,7 +1533,7 @@ function microsoftCalendar(opts) {
       }
       const userPrincipal = readMetaString2(inv.source.metadata, "userPrincipal");
       const { start, end, summary, description, attendees } = inv.args;
-      const accessToken = await ensureFreshAccessToken3(inv.source.credentials, clientId, clientSecret);
+      const accessToken = await ensureFreshAccessToken5(inv.source.credentials, clientId, clientSecret);
       const busy = await getScheduleBusy({ accessToken, userPrincipal, timeMin: start, timeMax: end });
       if (busy.length > 0) {
         const startMs = Date.parse(start);
@@ -936,7 +1598,7 @@ function microsoftCalendar(opts) {
         throw new Error("Microsoft OAuth client not configured (MS_OAUTH_CLIENT_ID / _SECRET)");
       }
       const tokens = await exchangeAuthorizationCode({
-        tokenUrl: TOKEN_URL3,
+        tokenUrl: TOKEN_URL5,
         clientId,
         clientSecret,
         code: input.code,
@@ -961,7 +1623,7 @@ function microsoftCalendar(opts) {
         throw new Error("microsoft-calendar.refreshToken: missing refresh token");
       }
       const refreshed = await refreshAccessToken({
-        tokenUrl: TOKEN_URL3,
+        tokenUrl: TOKEN_URL5,
         clientId,
         clientSecret,
         refreshToken: creds.refreshToken
@@ -975,7 +1637,7 @@ function microsoftCalendar(opts) {
     },
     async test(source) {
       try {
-        const accessToken = await ensureFreshAccessToken3(source.credentials, clientId, clientSecret);
+        const accessToken = await ensureFreshAccessToken5(source.credentials, clientId, clientSecret);
         const res = await fetch("https://graph.microsoft.com/v1.0/me?$select=id", {
           headers: { authorization: `Bearer ${accessToken}` },
           signal: AbortSignal.timeout(8e3)
@@ -1048,7 +1710,7 @@ async function findNextFreeSlots2(input) {
   }
   return out.slice(0, input.wanted);
 }
-async function ensureFreshAccessToken3(creds, clientId, clientSecret) {
+async function ensureFreshAccessToken5(creds, clientId, clientSecret) {
   if (creds.kind !== "oauth2") {
     throw new Error("microsoft-calendar: expected oauth2 credentials");
   }
@@ -1059,7 +1721,7 @@ async function ensureFreshAccessToken3(creds, clientId, clientSecret) {
     throw new CredentialsExpired("Microsoft Calendar access token expired and no refresh token", "");
   }
   const refreshed = await refreshAccessToken({
-    tokenUrl: TOKEN_URL3,
+    tokenUrl: TOKEN_URL5,
     clientId,
     clientSecret,
     refreshToken: creds.refreshToken
@@ -1082,9 +1744,9 @@ var SCOPES4 = [
   "crm.objects.contacts.read",
   "crm.objects.contacts.write"
 ];
-var AUTH_URL4 = "https://app.hubspot.com/oauth/authorize";
-var TOKEN_URL4 = "https://api.hubapi.com/oauth/v1/token";
-var API = "https://api.hubapi.com";
+var AUTH_URL6 = "https://app.hubspot.com/oauth/authorize";
+var TOKEN_URL6 = "https://api.hubapi.com/oauth/v1/token";
+var API3 = "https://api.hubapi.com";
 function hubspot(opts) {
   const { clientId, clientSecret } = opts;
   const adapter = {
@@ -1094,8 +1756,8 @@ function hubspot(opts) {
       description: "Look up callers in HubSpot, upsert contacts without duplicates, and log call notes as CRM activities. Three capabilities \u2014 the voice-agent's CRM hot path.",
       auth: {
         kind: "oauth2",
-        authorizationUrl: AUTH_URL4,
-        tokenUrl: TOKEN_URL4,
+        authorizationUrl: AUTH_URL6,
+        tokenUrl: TOKEN_URL6,
         scopes: SCOPES4,
         clientIdEnv: "HUBSPOT_OAUTH_CLIENT_ID",
         clientSecretEnv: "HUBSPOT_OAUTH_CLIENT_SECRET"
@@ -1154,8 +1816,8 @@ function hubspot(opts) {
         throw new Error(`hubspot: unknown read capability ${inv.capabilityName}`);
       }
       const { email } = inv.args;
-      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
-      const res = await fetch(`${API}/crm/v3/objects/contacts/search`, {
+      const accessToken = await ensureFreshAccessToken6(inv.source.credentials, clientId, clientSecret);
+      const res = await fetch(`${API3}/crm/v3/objects/contacts/search`, {
         method: "POST",
         headers: {
           authorization: `Bearer ${accessToken}`,
@@ -1187,7 +1849,7 @@ function hubspot(opts) {
       };
     },
     async executeMutation(inv) {
-      const accessToken = await ensureFreshAccessToken4(inv.source.credentials, clientId, clientSecret);
+      const accessToken = await ensureFreshAccessToken6(inv.source.credentials, clientId, clientSecret);
       if (inv.capabilityName === "upsert_contact") {
         return upsertContact(inv, accessToken);
       }
@@ -1201,7 +1863,7 @@ function hubspot(opts) {
         throw new Error("HubSpot OAuth client not configured (HUBSPOT_OAUTH_CLIENT_ID / _SECRET)");
       }
       const tokens = await exchangeAuthorizationCode({
-        tokenUrl: TOKEN_URL4,
+        tokenUrl: TOKEN_URL6,
         clientId,
         clientSecret,
         code: input.code,
@@ -1224,7 +1886,7 @@ function hubspot(opts) {
         throw new Error("hubspot.refreshToken: missing refresh token");
       }
       const refreshed = await refreshAccessToken({
-        tokenUrl: TOKEN_URL4,
+        tokenUrl: TOKEN_URL6,
         clientId,
         clientSecret,
         refreshToken: creds.refreshToken
@@ -1238,8 +1900,8 @@ function hubspot(opts) {
     },
     async test(source) {
       try {
-        const accessToken = await ensureFreshAccessToken4(source.credentials, clientId, clientSecret);
-        const res = await fetch(`${API}/oauth/v1/access-tokens/${encodeURIComponent(accessToken)}`, {
+        const accessToken = await ensureFreshAccessToken6(source.credentials, clientId, clientSecret);
+        const res = await fetch(`${API3}/oauth/v1/access-tokens/${encodeURIComponent(accessToken)}`, {
           signal: AbortSignal.timeout(8e3)
         });
         if (res.status === 401 || res.status === 403 || res.status === 404) {
@@ -1257,7 +1919,7 @@ function hubspot(opts) {
 async function upsertContact(inv, accessToken) {
   const { email, properties } = inv.args;
   const idemKey = sanitizeIdempotencyKey(inv.idempotencyKey);
-  const url = `${API}/crm/v3/objects/contacts/batch/upsert?idempotencyKey=${encodeURIComponent(idemKey)}`;
+  const url = `${API3}/crm/v3/objects/contacts/batch/upsert?idempotencyKey=${encodeURIComponent(idemKey)}`;
   const body = {
     inputs: [
       {
@@ -1303,7 +1965,7 @@ async function upsertContact(inv, accessToken) {
 async function createNote(inv, accessToken) {
   const { contactId, body } = inv.args;
   const idemKey = sanitizeIdempotencyKey(inv.idempotencyKey);
-  const url = `${API}/crm/v3/objects/notes/batch/create?idempotencyKey=${encodeURIComponent(idemKey)}`;
+  const url = `${API3}/crm/v3/objects/notes/batch/create?idempotencyKey=${encodeURIComponent(idemKey)}`;
   const payload = {
     inputs: [
       {
@@ -1356,7 +2018,7 @@ async function createNote(inv, accessToken) {
 function sanitizeIdempotencyKey(k) {
   return k.replace(/[^A-Za-z0-9_-]/g, "_").slice(0, 64);
 }
-async function ensureFreshAccessToken4(creds, clientId, clientSecret) {
+async function ensureFreshAccessToken6(creds, clientId, clientSecret) {
   if (creds.kind !== "oauth2") {
     throw new Error("hubspot: expected oauth2 credentials");
   }
@@ -1367,7 +2029,7 @@ async function ensureFreshAccessToken4(creds, clientId, clientSecret) {
     throw new CredentialsExpired("HubSpot access token expired and no refresh token", "");
   }
   const refreshed = await refreshAccessToken({
-    tokenUrl: TOKEN_URL4,
+    tokenUrl: TOKEN_URL6,
     clientId,
     clientSecret,
     refreshToken: creds.refreshToken
@@ -1380,9 +2042,9 @@ async function ensureFreshAccessToken4(creds, clientId, clientSecret) {
 
 // src/connectors/adapters/slack.ts
 var SCOPES5 = ["chat:write", "users:read", "users:read.email", "channels:read"];
-var AUTH_URL5 = "https://slack.com/oauth/v2/authorize";
-var TOKEN_URL5 = "https://slack.com/api/oauth.v2.access";
-var API2 = "https://slack.com/api";
+var AUTH_URL7 = "https://slack.com/oauth/v2/authorize";
+var TOKEN_URL7 = "https://slack.com/api/oauth.v2.access";
+var API4 = "https://slack.com/api";
 function slack(opts) {
   const { clientId, clientSecret } = opts;
   const adapter = {
@@ -1398,8 +2060,8 @@ function slack(opts) {
       description: "Post messages from the agent into Slack, look up users by email, and list channels. Advisory surface \u2014 Slack posts are informational, not transactional.",
       auth: {
         kind: "oauth2",
-        authorizationUrl: AUTH_URL5,
-        tokenUrl: TOKEN_URL5,
+        authorizationUrl: AUTH_URL7,
+        tokenUrl: TOKEN_URL7,
         scopes: SCOPES5,
         clientIdEnv: "SLACK_OAUTH_CLIENT_ID",
         clientSecretEnv: "SLACK_OAUTH_CLIENT_SECRET"
@@ -1451,7 +2113,7 @@ function slack(opts) {
       const accessToken = readBotToken(inv.source.credentials);
       if (inv.capabilityName === "lookup_user") {
         const { email } = inv.args;
-        const url = `${API2}/users.lookupByEmail?email=${encodeURIComponent(email)}`;
+        const url = `${API4}/users.lookupByEmail?email=${encodeURIComponent(email)}`;
         const json = await slackGet(url, accessToken, inv.source.id);
         if (!json.ok) {
           if (json.error === "users_not_found") {
@@ -1471,7 +2133,7 @@ function slack(opts) {
           limit: String(Math.min(Math.max(1, limit ?? 200), 1e3)),
           types: types ?? "public_channel,private_channel"
         });
-        const json = await slackGet(`${API2}/conversations.list?${params.toString()}`, accessToken, inv.source.id);
+        const json = await slackGet(`${API4}/conversations.list?${params.toString()}`, accessToken, inv.source.id);
         if (!json.ok) {
           throw new Error(`slack list_channels: ${json.error ?? "unknown"}`);
         }
@@ -1489,7 +2151,7 @@ function slack(opts) {
       }
       const accessToken = readBotToken(inv.source.credentials);
       const { channel, text, blocks } = inv.args;
-      const res = await fetch(`${API2}/chat.postMessage`, {
+      const res = await fetch(`${API4}/chat.postMessage`, {
         method: "POST",
         headers: {
           authorization: `Bearer ${accessToken}`,
@@ -1524,7 +2186,7 @@ function slack(opts) {
         throw new Error("Slack OAuth client not configured (SLACK_OAUTH_CLIENT_ID / _SECRET)");
       }
       const tokens = await exchangeAuthorizationCode({
-        tokenUrl: TOKEN_URL5,
+        tokenUrl: TOKEN_URL7,
         clientId,
         clientSecret,
         code: input.code,
@@ -1547,7 +2209,7 @@ function slack(opts) {
         return creds;
       }
       const refreshed = await refreshAccessToken({
-        tokenUrl: TOKEN_URL5,
+        tokenUrl: TOKEN_URL7,
         clientId,
         clientSecret,
         refreshToken: creds.refreshToken
@@ -1562,7 +2224,7 @@ function slack(opts) {
     async test(source) {
       try {
         const accessToken = readBotToken(source.credentials);
-        const res = await fetch(`${API2}/auth.test`, {
+        const res = await fetch(`${API4}/auth.test`, {
           method: "POST",
           headers: { authorization: `Bearer ${accessToken}` },
           signal: AbortSignal.timeout(8e3)
@@ -1602,9 +2264,9 @@ async function slackGet(url, accessToken, dataSourceId) {
 }
 
 // src/connectors/adapters/notion-database.ts
-var AUTH_URL6 = "https://api.notion.com/v1/oauth/authorize";
-var TOKEN_URL6 = "https://api.notion.com/v1/oauth/token";
-var API3 = "https://api.notion.com/v1";
+var AUTH_URL8 = "https://api.notion.com/v1/oauth/authorize";
+var TOKEN_URL8 = "https://api.notion.com/v1/oauth/token";
+var API5 = "https://api.notion.com/v1";
 var NOTION_VERSION = "2022-06-28";
 function notionDatabase(opts) {
   const { clientId, clientSecret } = opts;
@@ -1615,8 +2277,8 @@ function notionDatabase(opts) {
       description: "Query a Notion database, create new pages, and update existing ones with optimistic concurrency via last_edited_time.",
       auth: {
         kind: "oauth2",
-        authorizationUrl: AUTH_URL6,
-        tokenUrl: TOKEN_URL6,
+        authorizationUrl: AUTH_URL8,
+        tokenUrl: TOKEN_URL8,
         // Notion does not use OAuth scopes — the workspace owner picks
         // which pages/databases the integration sees during install. We
         // declare an empty scope list so the consent screen renders cleanly.
@@ -1691,7 +2353,7 @@ function notionDatabase(opts) {
       };
       if (filter) body.filter = filter;
       if (startCursor) body.start_cursor = startCursor;
-      const res = await fetch(`${API3}/databases/${encodeURIComponent(databaseId)}/query`, {
+      const res = await fetch(`${API5}/databases/${encodeURIComponent(databaseId)}/query`, {
         method: "POST",
         headers: notionHeaders(accessToken),
         body: JSON.stringify(body),
@@ -1730,7 +2392,7 @@ function notionDatabase(opts) {
         redirect_uri: input.redirectUri,
         code_verifier: input.codeVerifier
       });
-      const res = await fetch(TOKEN_URL6, {
+      const res = await fetch(TOKEN_URL8, {
         method: "POST",
         headers: {
           authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`,
@@ -1769,7 +2431,7 @@ function notionDatabase(opts) {
         throw new Error("notion-database.refreshToken: missing refresh token");
       }
       const refreshed = await refreshAccessToken({
-        tokenUrl: TOKEN_URL6,
+        tokenUrl: TOKEN_URL8,
         clientId,
         clientSecret,
         refreshToken: creds.refreshToken
@@ -1784,7 +2446,7 @@ function notionDatabase(opts) {
     async test(source) {
       try {
         const accessToken = readToken(source.credentials);
-        const res = await fetch(`${API3}/users/me`, {
+        const res = await fetch(`${API5}/users/me`, {
           headers: notionHeaders(accessToken),
           signal: AbortSignal.timeout(8e3)
         });
@@ -1801,7 +2463,7 @@ function notionDatabase(opts) {
 async function createPage(inv, accessToken) {
   const databaseId = readMetaString3(inv.source.metadata, "databaseId");
   const { properties } = inv.args;
-  const res = await fetch(`${API3}/pages`, {
+  const res = await fetch(`${API5}/pages`, {
     method: "POST",
     headers: {
       ...notionHeaders(accessToken),
@@ -1835,7 +2497,7 @@ async function createPage(inv, accessToken) {
 async function updatePage(inv, accessToken) {
   const { pageId, properties, expectedLastEditedTime } = inv.args;
   if (expectedLastEditedTime) {
-    const headRes = await fetch(`${API3}/pages/${encodeURIComponent(pageId)}`, {
+    const headRes = await fetch(`${API5}/pages/${encodeURIComponent(pageId)}`, {
       headers: notionHeaders(accessToken),
       signal: AbortSignal.timeout(1e4)
     });
@@ -1855,7 +2517,7 @@ async function updatePage(inv, accessToken) {
       );
     }
   }
-  const res = await fetch(`${API3}/pages/${encodeURIComponent(pageId)}`, {
+  const res = await fetch(`${API5}/pages/${encodeURIComponent(pageId)}`, {
     method: "PATCH",
     headers: notionHeaders(accessToken),
     body: JSON.stringify({ properties }),
@@ -1901,6 +2563,304 @@ function readMetaString3(meta, key) {
   return v;
 }
 
+// src/connectors/adapters/docuseal.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var DEFAULT_BASE = "https://api.docuseal.com";
+function readDocuSealCredentials(creds) {
+  if (creds.kind === "api-key" && typeof creds.apiKey === "string" && creds.apiKey.length > 0) {
+    return { apiKey: creds.apiKey };
+  }
+  if (creds.kind === "custom" && creds.values && typeof creds.values.apiKey === "string" && creds.values.apiKey.length > 0) {
+    const webhookSecret = typeof creds.values.webhookSecret === "string" ? creds.values.webhookSecret : void 0;
+    return { apiKey: creds.values.apiKey, webhookSecret };
+  }
+  throw new Error("docuseal: expected api-key credentials (apiKey + optional webhookSecret)");
+}
+function docuseal(opts = {}) {
+  const baseUrl = (opts.baseUrl ?? DEFAULT_BASE).replace(/\/$/, "");
+  const timeoutMs = opts.timeoutMs ?? 3e4;
+  const adapter = {
+    manifest: {
+      kind: "docuseal",
+      displayName: "DocuSeal",
+      description: "Send documents for e-signature via DocuSeal, poll submission status, void in-flight submissions, and react to push events when submitters sign.",
+      auth: {
+        kind: "api-key",
+        hint: "Paste a DocuSeal personal API key (settings \u2192 API). Optional webhook secret enables push-driven workflows."
+      },
+      category: "doc",
+      defaultConsistencyModel: "authoritative",
+      capabilities: [
+        {
+          name: "get_submission",
+          class: "read",
+          description: "Fetch the current status of a DocuSeal submission and each submitter.",
+          parameters: {
+            type: "object",
+            properties: { submissionId: { type: "string" } },
+            required: ["submissionId"]
+          }
+        },
+        {
+          name: "create_submission",
+          class: "mutation",
+          description: "Send a template for signature to one or more submitters. external_id is the idempotency key; retries return the original submission.",
+          cas: "native-idempotency",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              templateId: { type: "string" },
+              submitters: {
+                type: "array",
+                items: {
+                  type: "object",
+                  properties: {
+                    email: { type: "string" },
+                    name: { type: "string" },
+                    role: { type: "string" },
+                    values: { type: "object", additionalProperties: true }
+                  },
+                  required: ["email"]
+                }
+              },
+              sendEmail: { type: "boolean", default: true },
+              message: { type: "string" }
+            },
+            required: ["templateId", "submitters"]
+          }
+        },
+        {
+          name: "void_submission",
+          class: "mutation",
+          description: "Cancel an in-flight submission. CAS via updated_at \u2014 concurrent voids return ResourceContention.",
+          cas: "etag-if-match",
+          externalEffect: true,
+          parameters: {
+            type: "object",
+            properties: {
+              submissionId: { type: "string" },
+              reason: { type: "string" }
+            },
+            required: ["submissionId"]
+          }
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName !== "get_submission") {
+        throw new Error(`docuseal: unknown read capability ${inv.capabilityName}`);
+      }
+      const { apiKey } = readDocuSealCredentials(inv.source.credentials);
+      const { submissionId } = inv.args;
+      const res = await fetch(`${baseUrl}/submissions/${encodeURIComponent(submissionId)}`, {
+        headers: { "X-Auth-Token": apiKey, accept: "application/json" },
+        signal: AbortSignal.timeout(timeoutMs)
+      });
+      if (res.status === 401) throw new CredentialsExpired("DocuSeal rejected API key (401)", inv.source.id);
+      if (res.status === 404) {
+        throw new Error(`docuseal get_submission: submission ${submissionId} not found`);
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`docuseal get_submission ${res.status}: ${text.slice(0, 200)}`);
+      }
+      const json = await res.json();
+      return {
+        data: normalizeSubmission(json),
+        etag: json.updated_at,
+        fetchedAt: Date.now()
+      };
+    },
+    async executeMutation(inv) {
+      const { apiKey } = readDocuSealCredentials(inv.source.credentials);
+      if (inv.capabilityName === "create_submission") return createSubmission(inv, apiKey, baseUrl, timeoutMs);
+      if (inv.capabilityName === "void_submission") return voidSubmission(inv, apiKey, baseUrl, timeoutMs);
+      throw new Error(`docuseal: unknown mutation capability ${inv.capabilityName}`);
+    },
+    verifySignature({ rawBody, headers, source }) {
+      const creds = (() => {
+        try {
+          return readDocuSealCredentials(source.credentials);
+        } catch {
+          return null;
+        }
+      })();
+      if (!creds?.webhookSecret) return { valid: false, reason: "missing_webhook_secret" };
+      const sig = firstHeader(headers, "x-docuseal-signature");
+      if (!sig) return { valid: false, reason: "missing_signature_header" };
+      const expected = createHmac("sha256", creds.webhookSecret).update(rawBody).digest("hex");
+      const a = Buffer.from(sig.toLowerCase(), "utf-8");
+      const b = Buffer.from(expected, "utf-8");
+      if (a.length !== b.length) return { valid: false, reason: "invalid_signature" };
+      return timingSafeEqual(a, b) ? { valid: true } : { valid: false, reason: "invalid_signature" };
+    },
+    async handleInboundEvent({ rawBody }) {
+      let parsed;
+      try {
+        parsed = JSON.parse(rawBody);
+      } catch {
+        return { events: [], response: { status: 400, body: { error: "invalid_json" } } };
+      }
+      if (!parsed || typeof parsed !== "object") {
+        return { events: [], response: { status: 400, body: { error: "invalid_payload" } } };
+      }
+      const evt = parsed;
+      const eventType = typeof evt.event_type === "string" ? `docuseal.${evt.event_type}` : "docuseal.unknown";
+      const providerEventId = typeof evt.event_id === "string" ? evt.event_id : void 0;
+      const events = [
+        {
+          eventType,
+          providerEventId,
+          payload: evt
+        }
+      ];
+      return { events };
+    },
+    async test(source) {
+      try {
+        const { apiKey } = readDocuSealCredentials(source.credentials);
+        const res = await fetch(`${baseUrl}/templates?limit=1`, {
+          headers: { "X-Auth-Token": apiKey },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (res.status === 401) return { ok: false, reason: "DocuSeal rejected API key (401) \u2014 reconnect required" };
+        if (!res.ok) return { ok: false, reason: `DocuSeal returned ${res.status}` };
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+function normalizeSubmission(s) {
+  return {
+    submissionId: String(s.id),
+    status: s.status ?? "pending",
+    updatedAt: s.updated_at,
+    createdAt: s.created_at,
+    completedAt: s.completed_at ?? void 0,
+    auditLogUrl: s.audit_log_url,
+    combinedDocumentUrl: s.combined_document_url,
+    submitters: (s.submitters ?? []).map((sub) => ({
+      email: sub.email,
+      name: sub.name,
+      role: sub.role,
+      slug: sub.slug,
+      status: sub.status ?? "awaiting",
+      completedAt: sub.completed_at ?? void 0,
+      url: sub.embed_src
+    }))
+  };
+}
+async function createSubmission(inv, apiKey, baseUrl, timeoutMs) {
+  const { templateId, submitters, sendEmail, message } = inv.args;
+  const body = {
+    template_id: templateId,
+    external_id: inv.idempotencyKey,
+    send_email: sendEmail ?? true,
+    message,
+    submitters: submitters.map((s) => ({
+      email: s.email,
+      name: s.name,
+      role: s.role,
+      values: s.values
+    }))
+  };
+  const res = await fetch(`${baseUrl}/submissions`, {
+    method: "POST",
+    headers: {
+      "X-Auth-Token": apiKey,
+      "content-type": "application/json",
+      accept: "application/json"
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401) throw new CredentialsExpired("DocuSeal rejected API key (401)", inv.source.id);
+  if (res.status === 429) {
+    const retryAfter = Number(res.headers.get("retry-after") ?? "5");
+    return {
+      status: "rate-limited",
+      retryAfterMs: Number.isFinite(retryAfter) ? retryAfter * 1e3 : 5e3,
+      message: "DocuSeal rate-limited create_submission"
+    };
+  }
+  if (res.status === 409) {
+    const conflictJson = await res.json().catch(() => ({}));
+    const original = conflictJson.submission ?? conflictJson;
+    return {
+      status: "committed",
+      data: normalizeSubmission(original),
+      etagAfter: original.updated_at,
+      committedAt: Date.now(),
+      idempotentReplay: true
+    };
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`docuseal create_submission ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const created = await res.json();
+  const sub = Array.isArray(created) ? created[0] : created;
+  if (!sub) {
+    throw new Error("docuseal create_submission: empty response body");
+  }
+  return {
+    status: "committed",
+    data: normalizeSubmission(sub),
+    etagAfter: sub.updated_at,
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function voidSubmission(inv, apiKey, baseUrl, timeoutMs) {
+  const { submissionId, reason } = inv.args;
+  const headers = {
+    "X-Auth-Token": apiKey,
+    accept: "application/json"
+  };
+  if (inv.expectedEtag) headers["if-match"] = inv.expectedEtag;
+  if (reason) headers["x-docuseal-void-reason"] = reason;
+  const res = await fetch(`${baseUrl}/submissions/${encodeURIComponent(submissionId)}`, {
+    method: "DELETE",
+    headers,
+    signal: AbortSignal.timeout(timeoutMs)
+  });
+  if (res.status === 401) throw new CredentialsExpired("DocuSeal rejected API key (401)", inv.source.id);
+  if (res.status === 404) {
+    throw new Error(`docuseal void_submission: submission ${submissionId} not found`);
+  }
+  if (res.status === 412) {
+    throw new ResourceContention(`docuseal void_submission: submission ${submissionId} updated since last read`);
+  }
+  if (res.status === 429) {
+    const retryAfter = Number(res.headers.get("retry-after") ?? "5");
+    return {
+      status: "rate-limited",
+      retryAfterMs: Number.isFinite(retryAfter) ? retryAfter * 1e3 : 5e3,
+      message: "DocuSeal rate-limited void_submission"
+    };
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`docuseal void_submission ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json().catch(() => ({}));
+  return {
+    status: "committed",
+    data: {
+      submissionId,
+      status: "voided",
+      voidedAt: json.updated_at ?? (/* @__PURE__ */ new Date()).toISOString()
+    },
+    etagAfter: json.updated_at,
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+
 // src/connectors/adapters/declarative-rest.ts
 function declarativeRestConnector(spec) {
   const capabilities = spec.capabilities.map(operationToCapability);
@@ -2100,7 +3060,7 @@ async function safeErrorText(res) {
 }
 
 // src/connectors/adapters/twilio-sms.ts
-var API4 = "https://api.twilio.com/2010-04-01";
+var API6 = "https://api.twilio.com/2010-04-01";
 var LOOKUP_API = "https://lookups.twilio.com/v1";
 var twilioSmsConnector = {
   manifest: {
@@ -2192,7 +3152,7 @@ var twilioSmsConnector = {
       params.set("PageSize", String(Math.min(Math.max(1, limit ?? 20), 100)));
       if (to) params.set("To", to);
       if (from) params.set("From", from);
-      const url = `${API4}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json?${params.toString()}`;
+      const url = `${API6}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json?${params.toString()}`;
       const res = await fetch(url, {
         headers: { authorization: basicAuth(auth) },
         signal: AbortSignal.timeout(1e4)
@@ -2218,7 +3178,7 @@ var twilioSmsConnector = {
     const { to, body, from } = inv.args;
     const fromNumber = from ?? readMetaString4(inv.source.metadata, "fromNumber");
     const formBody = new URLSearchParams({ To: to, From: fromNumber, Body: body });
-    const url = `${API4}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json`;
+    const url = `${API6}/Accounts/${encodeURIComponent(auth.accountSid)}/Messages.json`;
     const res = await fetch(url, {
       method: "POST",
       headers: {
@@ -2248,7 +3208,7 @@ var twilioSmsConnector = {
   async test(source) {
     try {
       const auth = parseAuth(source.credentials);
-      const res = await fetch(`${API4}/Accounts/${encodeURIComponent(auth.accountSid)}.json`, {
+      const res = await fetch(`${API6}/Accounts/${encodeURIComponent(auth.accountSid)}.json`, {
         headers: { authorization: basicAuth(auth) },
         signal: AbortSignal.timeout(8e3)
       });
@@ -2293,15 +3253,15 @@ function readMetaString4(meta, key) {
 }
 
 // src/connectors/adapters/stripe-pack.ts
-var API5 = "https://api.stripe.com/v1";
+var API7 = "https://api.stripe.com/v1";
 var stripePackConnector = {
   manifest: {
     kind: "stripe-pack",
-    displayName: "Stripe (customers, invoices, checkout)",
-    description: "Look up Stripe customers, draft invoices, and spin up hosted Checkout sessions from a single Stripe restricted key. Idempotency-Key forwarded on every mutation.",
+    displayName: "Stripe (customers, invoices, checkout, subscriptions)",
+    description: "Look up Stripe customers, draft invoices, spin up hosted Checkout sessions, manage subscriptions, and hand off to the customer billing portal \u2014 all from one Stripe restricted key. Idempotency-Key forwarded on every mutation.",
     auth: {
       kind: "api-key",
-      hint: "Paste a Stripe restricted key (rk_live_\u2026) with read access on customers and write access on invoices + checkout sessions."
+      hint: "Paste a Stripe restricted key (rk_live_\u2026) with read on customers + subscriptions and write on invoices + checkout + subscriptions + billing portal."
     },
     category: "commerce",
     defaultConsistencyModel: "authoritative",
@@ -2316,6 +3276,20 @@ var stripePackConnector = {
           required: ["email"]
         }
       },
+      {
+        name: "list_subscriptions",
+        class: "read",
+        description: "List a customer's subscriptions. Optionally filter by status ('active', 'past_due', 'canceled', 'all').",
+        parameters: {
+          type: "object",
+          properties: {
+            customerId: { type: "string" },
+            status: { type: "string", enum: ["active", "past_due", "unpaid", "canceled", "incomplete", "trialing", "all"], default: "all" },
+            limit: { type: "integer", minimum: 1, maximum: 100, default: 10 }
+          },
+          required: ["customerId"]
+        }
+      },
       {
         name: "create_invoice",
         class: "mutation",
@@ -2371,16 +3345,47 @@ var stripePackConnector = {
           },
           required: ["successUrl", "cancelUrl", "lineItems"]
         }
+      },
+      {
+        name: "cancel_subscription",
+        class: "mutation",
+        description: "Cancel a subscription. Default cancels immediately; pass atPeriodEnd=true to schedule cancellation for the end of the current billing period.",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          properties: {
+            subscriptionId: { type: "string" },
+            atPeriodEnd: { type: "boolean", default: false }
+          },
+          required: ["subscriptionId"]
+        }
+      },
+      {
+        name: "create_billing_portal_session",
+        class: "mutation",
+        description: "Create a Stripe billing portal session and return its URL. Hand-off for the customer to self-serve cancel/upgrade/update-card.",
+        cas: "native-idempotency",
+        externalEffect: true,
+        parameters: {
+          type: "object",
+          properties: {
+            customerId: { type: "string" },
+            returnUrl: { type: "string" }
+          },
+          required: ["customerId", "returnUrl"]
+        }
       }
     ]
   },
   async executeRead(inv) {
+    const apiKey = readApiKey(inv.source.credentials);
+    if (inv.capabilityName === "list_subscriptions") return listSubscriptions(inv, apiKey);
     if (inv.capabilityName !== "find_customer") {
       throw new Error(`stripe-pack: unknown read capability ${inv.capabilityName}`);
     }
-    const apiKey = readApiKey(inv.source.credentials);
     const { email } = inv.args;
-    const url = `${API5}/customers/search?query=${encodeURIComponent(`email:'${email.toLowerCase()}'`)}&limit=1`;
+    const url = `${API7}/customers/search?query=${encodeURIComponent(`email:'${email.toLowerCase()}'`)}&limit=1`;
     const res = await fetch(url, {
       headers: { authorization: `Bearer ${apiKey}` },
       signal: AbortSignal.timeout(1e4)
@@ -2403,12 +3408,14 @@ var stripePackConnector = {
     const apiKey = readApiKey(inv.source.credentials);
     if (inv.capabilityName === "create_invoice") return createInvoice(inv, apiKey);
     if (inv.capabilityName === "create_checkout_session") return createCheckoutSession(inv, apiKey);
+    if (inv.capabilityName === "cancel_subscription") return cancelSubscription(inv, apiKey);
+    if (inv.capabilityName === "create_billing_portal_session") return createBillingPortalSession(inv, apiKey);
     throw new Error(`stripe-pack: unknown mutation capability ${inv.capabilityName}`);
   },
   async test(source) {
     try {
       const apiKey = readApiKey(source.credentials);
-      const res = await fetch(`${API5}/account`, {
+      const res = await fetch(`${API7}/account`, {
         headers: { authorization: `Bearer ${apiKey}` },
         signal: AbortSignal.timeout(8e3)
       });
@@ -2434,7 +3441,7 @@ async function createInvoice(inv, apiKey) {
       quantity: String(it.quantity ?? 1)
     });
     if (it.description) body.set("description", it.description);
-    const res = await fetch(`${API5}/invoiceitems`, {
+    const res = await fetch(`${API7}/invoiceitems`, {
       method: "POST",
       headers: {
         authorization: `Bearer ${apiKey}`,
@@ -2459,7 +3466,7 @@ async function createInvoice(inv, apiKey) {
     collection_method: "send_invoice",
     days_until_due: "14"
   });
-  const invRes = await fetch(`${API5}/invoices`, {
+  const invRes = await fetch(`${API7}/invoices`, {
     method: "POST",
     headers: {
       authorization: `Bearer ${apiKey}`,
@@ -2497,7 +3504,7 @@ async function createCheckoutSession(inv, apiKey) {
     body.set(`line_items[${i}][price]`, it.price);
     body.set(`line_items[${i}][quantity]`, String(it.quantity ?? 1));
   });
-  const res = await fetch(`${API5}/checkout/sessions`, {
+  const res = await fetch(`${API7}/checkout/sessions`, {
     method: "POST",
     headers: {
       authorization: `Bearer ${apiKey}`,
@@ -2523,6 +3530,118 @@ async function createCheckoutSession(inv, apiKey) {
     idempotentReplay: false
   };
 }
+async function listSubscriptions(inv, apiKey) {
+  const { customerId, status, limit } = inv.args;
+  const params = new URLSearchParams({ customer: customerId, limit: String(limit ?? 10) });
+  if (status && status !== "all") params.set("status", status);
+  else params.set("status", "all");
+  const res = await fetch(`${API7}/subscriptions?${params.toString()}`, {
+    headers: { authorization: `Bearer ${apiKey}` },
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (res.status === 401) {
+    throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`stripe-pack list_subscriptions ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const json = await res.json();
+  const subscriptions = (json.data ?? []).map((sub) => ({
+    id: sub.id,
+    status: sub.status,
+    currentPeriodEnd: sub.current_period_end,
+    cancelAtPeriodEnd: sub.cancel_at_period_end ?? false,
+    items: (sub.items?.data ?? []).map((it) => ({
+      priceId: it.price?.id,
+      productId: it.price?.product,
+      unitAmount: it.price?.unit_amount,
+      currency: it.price?.currency,
+      interval: it.price?.recurring?.interval
+    }))
+  }));
+  return {
+    data: { subscriptions },
+    fetchedAt: Date.now()
+  };
+}
+async function cancelSubscription(inv, apiKey) {
+  const { subscriptionId, atPeriodEnd } = inv.args;
+  let res;
+  if (atPeriodEnd) {
+    const body = new URLSearchParams({ cancel_at_period_end: "true" });
+    res = await fetch(`${API7}/subscriptions/${encodeURIComponent(subscriptionId)}`, {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${apiKey}`,
+        "content-type": "application/x-www-form-urlencoded",
+        "idempotency-key": inv.idempotencyKey
+      },
+      body,
+      signal: AbortSignal.timeout(15e3)
+    });
+  } else {
+    res = await fetch(`${API7}/subscriptions/${encodeURIComponent(subscriptionId)}`, {
+      method: "DELETE",
+      headers: {
+        authorization: `Bearer ${apiKey}`,
+        "idempotency-key": inv.idempotencyKey
+      },
+      signal: AbortSignal.timeout(15e3)
+    });
+  }
+  if (res.status === 401) throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+  if (res.status === 404) throw new Error(`stripe-pack cancel_subscription: subscription ${subscriptionId} not found`);
+  if (res.status === 409) {
+    throw new ResourceContention("Stripe subscription conflict \u2014 retry rejected by idempotency check");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`stripe-pack cancel_subscription ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const updated = await res.json();
+  return {
+    status: "committed",
+    data: {
+      id: updated.id,
+      status: updated.status,
+      cancelAtPeriodEnd: updated.cancel_at_period_end ?? false,
+      canceledAt: updated.canceled_at,
+      currentPeriodEnd: updated.current_period_end
+    },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
+async function createBillingPortalSession(inv, apiKey) {
+  const { customerId, returnUrl } = inv.args;
+  const body = new URLSearchParams({ customer: customerId, return_url: returnUrl });
+  const res = await fetch(`${API7}/billing_portal/sessions`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${apiKey}`,
+      "content-type": "application/x-www-form-urlencoded",
+      "idempotency-key": inv.idempotencyKey
+    },
+    body,
+    signal: AbortSignal.timeout(15e3)
+  });
+  if (res.status === 401) throw new CredentialsExpired("Stripe rejected API key (401)", inv.source.id);
+  if (res.status === 409) {
+    throw new ResourceContention("Stripe billing portal session conflict \u2014 retry rejected by idempotency check");
+  }
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`stripe-pack create_billing_portal_session ${res.status}: ${text.slice(0, 200)}`);
+  }
+  const created = await res.json();
+  return {
+    status: "committed",
+    data: { sessionId: created.id, url: created.url, returnUrl: created.return_url },
+    committedAt: Date.now(),
+    idempotentReplay: false
+  };
+}
 function readApiKey(creds) {
   if (creds.kind !== "api-key" || typeof creds.apiKey !== "string" || creds.apiKey.length === 0) {
     throw new Error("stripe-pack: expected api-key credentials");
@@ -2531,7 +3650,7 @@ function readApiKey(creds) {
 }
 
 // src/connectors/adapters/webhook.ts
-import { createHmac } from "crypto";
+import { createHmac as createHmac2 } from "crypto";
 var webhookConnector = {
   manifest: {
     kind: "webhook",
@@ -2645,96 +3764,12 @@ function signHeaders(creds, body, idempotencyKey) {
     "x-phony-idempotency-key": idempotencyKey
   };
   if (creds.kind === "hmac" && typeof creds.secret === "string" && creds.secret.length > 0) {
-    const sig = createHmac("sha256", creds.secret).update(`${ts}.${body}`).digest("hex");
+    const sig = createHmac2("sha256", creds.secret).update(`${ts}.${body}`).digest("hex");
     headers["x-phony-signature"] = `sha256=${sig}`;
   }
   return headers;
 }
 
-// src/connectors/webhooks.ts
-import { createHmac as createHmac2, timingSafeEqual } from "crypto";
-var DEFAULT_SIGNATURE_TOLERANCE_SECONDS = 5 * 60;
-function parseStripeSignatureHeader(header) {
-  const acc = { sigs: [] };
-  for (const part of header.split(",")) {
-    const idx = part.indexOf("=");
-    if (idx < 0) continue;
-    const key = part.slice(0, idx).trim();
-    const val = part.slice(idx + 1).trim();
-    if (key === "t") {
-      const n = Number(val);
-      if (Number.isFinite(n)) acc.ts = n;
-    } else if (key === "v1") {
-      acc.sigs.push(val);
-    }
-  }
-  if (acc.ts === void 0 || acc.sigs.length === 0) return null;
-  return { t: acc.ts, sigs: acc.sigs };
-}
-function verifyStripeSignature(rawBody, signatureHeader, secret, options = {}) {
-  const parsed = parseStripeSignatureHeader(signatureHeader);
-  if (!parsed) return false;
-  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
-  const now = options.now ?? Math.floor(Date.now() / 1e3);
-  if (Math.abs(now - parsed.t) > tolerance) return false;
-  const expected = createHmac2("sha256", secret).update(`${parsed.t}.${rawBody}`).digest("hex");
-  const expectedBuf = Buffer.from(expected, "utf8");
-  for (const sig of parsed.sigs) {
-    const sigBuf = Buffer.from(sig, "utf8");
-    if (sigBuf.length !== expectedBuf.length) continue;
-    if (timingSafeEqual(sigBuf, expectedBuf)) return true;
-  }
-  return false;
-}
-function verifySlackSignature(rawBody, signatureHeader, timestampHeader, secret, options = {}) {
-  if (!signatureHeader.startsWith("v0=")) return false;
-  const ts = Number(timestampHeader);
-  if (!Number.isFinite(ts)) return false;
-  const tolerance = options.toleranceSeconds ?? DEFAULT_SIGNATURE_TOLERANCE_SECONDS;
-  const now = options.now ?? Math.floor(Date.now() / 1e3);
-  if (Math.abs(now - ts) > tolerance) return false;
-  const expected = "v0=" + createHmac2("sha256", secret).update(`v0:${ts}:${rawBody}`).digest("hex");
-  const expectedBuf = Buffer.from(expected, "utf8");
-  const sigBuf = Buffer.from(signatureHeader, "utf8");
-  if (sigBuf.length !== expectedBuf.length) return false;
-  return timingSafeEqual(sigBuf, expectedBuf);
-}
-function verifyHmacSignature(rawBody, signatureHeader, secret, options = {}) {
-  const algorithm = options.algorithm ?? "sha256";
-  const prefix = options.signaturePrefix ?? "";
-  const lower = options.lowercaseHex ?? true;
-  let candidate = signatureHeader;
-  if (prefix) {
-    if (!candidate.startsWith(prefix)) return false;
-    candidate = candidate.slice(prefix.length);
-  }
-  if (lower) candidate = candidate.toLowerCase();
-  const expected = createHmac2(algorithm, secret).update(rawBody).digest("hex");
-  const expectedBuf = Buffer.from(expected, "utf8");
-  const sigBuf = Buffer.from(candidate, "utf8");
-  if (sigBuf.length !== expectedBuf.length) return false;
-  return timingSafeEqual(sigBuf, expectedBuf);
-}
-function verifyTwilioSignature(input, options = {}) {
-  if (!input.authToken) {
-    return options.skipWhenAuthTokenMissing === true;
-  }
-  const signature = input.signatureHeader;
-  if (!signature || Array.isArray(signature)) return false;
-  if (!input.fullUrl) return false;
-  const data = options.bodyAsRaw === true ? input.fullUrl + (options.rawBody ?? "") : Object.keys(input.params ?? {}).sort().reduce((acc, key) => acc + key + (input.params[key] ?? ""), input.fullUrl);
-  const expected = createHmac2("sha1", input.authToken).update(data).digest("base64");
-  const expectedBuf = Buffer.from(expected);
-  const sigBuf = Buffer.from(signature);
-  if (expectedBuf.length !== sigBuf.length) return false;
-  return timingSafeEqual(expectedBuf, sigBuf);
-}
-function firstHeader(headers, name) {
-  const v = headers[name] ?? headers[name.toLowerCase()] ?? Object.entries(headers).find(([key]) => key.toLowerCase() === name.toLowerCase())?.[1];
-  if (Array.isArray(v)) return v[0];
-  return typeof v === "string" ? v : void 0;
-}
-
 // src/connectors/adapters/stripe-webhook-receiver.ts
 var stripeWebhookReceiverConnector = {
   manifest: {
@@ -3195,29 +4230,21 @@ var salesforceConnector = declarativeRestConnector({
 });
 
 export {
-  ResourceContention,
-  CredentialsExpired,
-  validateConnectorManifest,
-  assertValidConnectorManifest,
   InMemoryOAuthFlowStore,
   startOAuthFlow,
   consumePendingFlow,
   exchangeAuthorizationCode,
   refreshAccessToken,
   _resetPendingFlowsForTests,
-  DEFAULT_SIGNATURE_TOLERANCE_SECONDS,
-  parseStripeSignatureHeader,
-  verifyStripeSignature,
-  verifySlackSignature,
-  verifyHmacSignature,
-  verifyTwilioSignature,
-  firstHeader,
   googleCalendar,
+  googleDrive,
   googleSheets,
+  gmail,
   microsoftCalendar,
   hubspot,
   slack,
   notionDatabase,
+  docuseal,
   declarativeRestConnector,
   twilioSmsConnector,
   stripePackConnector,
@@ -3230,4 +4257,4 @@ export {
   asanaConnector,
   salesforceConnector
 };
-//# sourceMappingURL=chunk-WC63AI4Q.js.map
+//# sourceMappingURL=chunk-JU25UDN2.js.map