@tangle-network/agent-integrations 0.26.0 → 0.28.0

package/dist/bin/tangle-catalog-runtime.js

@@ -4,11 +4,15 @@ import {
   buildTangleCatalogRuntimePackageManifest,
   renderTangleCatalogRuntimePnpmAddCommand,
   startTangleCatalogRuntimeNodeServer
-} from "../chunk-ALCIWTIR.js";
+} from "../chunk-UWRYFPJW.js";
+import "../chunk-SVQ4PHDZ.js";
+import "../chunk-H4XYLS7T.js";
 import "../chunk-4JQ754PA.js";
 import "../chunk-376UBTNB.js";
-import "../chunk-GA4VTE3U.js";
+import "../chunk-JU25UDN2.js";
 import "../chunk-2TW2QKGZ.js";
+import "../chunk-P24T3MLM.js";
+import "../chunk-ATYHZXLL.js";
 
 // src/bin/tangle-catalog-runtime.ts
 var args = new Set(process.argv.slice(2));

package/dist/bin/tangle-catalog-runtime.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/bin/tangle-catalog-runtime.ts"],"sourcesContent":["#!/usr/bin/env node\nimport {\n  buildTangleCatalogRuntimePackageManifest,\n  renderTangleCatalogRuntimePnpmAddCommand,\n} from '../tangle-catalog.js'\nimport { auditTangleCatalogRuntimePackages } from '../tangle-catalog-runtime.js'\nimport { startTangleCatalogRuntimeNodeServer } from '../tangle-catalog-runtime-server.js'\n\nconst args = new Set(process.argv.slice(2))\nif (args.has('--print-package-json')) {\n  console.log(JSON.stringify(buildTangleCatalogRuntimePackageManifest({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }), null, 2))\n  process.exit(0)\n}\n\nif (args.has('--print-pnpm-add')) {\n  console.log(renderTangleCatalogRuntimePnpmAddCommand({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }))\n  process.exit(0)\n}\n\nif (args.has('--audit-packages')) {\n  const connectorIds = process.env.TANGLE_CATALOG_AUDIT_CONNECTORS\n    ?.split(',')\n    .map((id) => id.trim())\n    .filter(Boolean)\n  console.log(JSON.stringify(await auditTangleCatalogRuntimePackages({ connectorIds }), null, 2))\n  process.exit(0)\n}\n\nconst secret = process.env.TANGLE_CATALOG_RUNTIME_SECRET\nif (!secret || secret.length < 32) {\n  console.error('TANGLE_CATALOG_RUNTIME_SECRET must be set to at least 32 characters.')\n  process.exit(1)\n}\n\nconst authResolverUrl = process.env.TANGLE_CATALOG_AUTH_RESOLVER_URL\nconst authResolverSecret = process.env.TANGLE_CATALOG_AUTH_RESOLVER_SECRET\nif (Boolean(authResolverUrl) !== Boolean(authResolverSecret)) {\n  console.error('TANGLE_CATALOG_AUTH_RESOLVER_URL and TANGLE_CATALOG_AUTH_RESOLVER_SECRET must be set together.')\n  process.exit(1)\n}\n\nconst port = Number(process.env.PORT ?? process.env.TANGLE_CATALOG_RUNTIME_PORT ?? 4109)\nif (!Number.isInteger(port) || port < 1 || port > 65_535) {\n  console.error('PORT must be an integer between 1 and 65535.')\n  process.exit(1)\n}\n\nconst server = await startTangleCatalogRuntimeNodeServer({\n  secret,\n  host: process.env.HOST ?? process.env.TANGLE_CATALOG_RUNTIME_HOST ?? '0.0.0.0',\n  port,\n  authResolver: authResolverUrl && authResolverSecret\n    ? {\n        endpoint: authResolverUrl,\n        secret: authResolverSecret,\n      }\n    : false,\n  onLog: (event) => {\n    const line = JSON.stringify({\n      level: event.level,\n      message: event.message,\n      ...event.metadata,\n    })\n    if (event.level === 'error') console.error(line)\n    else console.log(line)\n  },\n})\n\nconsole.log(JSON.stringify({\n  level: 'info',\n  message: 'Tangle catalog runtime listening.',\n  url: server.url,\n}))\n\nfor (const signal of ['SIGINT', 'SIGTERM'] as const) {\n  process.once(signal, async () => {\n    await server.close()\n    process.exit(0)\n  })\n}\n"],"mappings":";;;;;;;;;;;;;AAQA,IAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC;AAC1C,IAAI,KAAK,IAAI,sBAAsB,GAAG;AACpC,UAAQ,IAAI,KAAK,UAAU,yCAAyC;AAAA,IAClE,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,GAAG,MAAM,CAAC,CAAC;AACZ,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,UAAQ,IAAI,yCAAyC;AAAA,IACnD,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,CAAC;AACF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,QAAM,eAAe,QAAQ,IAAI,iCAC7B,MAAM,GAAG,EACV,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EACrB,OAAO,OAAO;AACjB,UAAQ,IAAI,KAAK,UAAU,MAAM,kCAAkC,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;AAC9F,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,QAAQ,IAAI;AAC3B,IAAI,CAAC,UAAU,OAAO,SAAS,IAAI;AACjC,UAAQ,MAAM,sEAAsE;AACpF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,kBAAkB,QAAQ,IAAI;AACpC,IAAM,qBAAqB,QAAQ,IAAI;AACvC,IAAI,QAAQ,eAAe,MAAM,QAAQ,kBAAkB,GAAG;AAC5D,UAAQ,MAAM,gGAAgG;AAC9G,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,OAAO,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B,IAAI;AACvF,IAAI,CAAC,OAAO,UAAU,IAAI,KAAK,OAAO,KAAK,OAAO,OAAQ;AACxD,UAAQ,MAAM,8CAA8C;AAC5D,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,MAAM,oCAAoC;AAAA,EACvD;AAAA,EACA,MAAM,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B;AAAA,EACrE;AAAA,EACA,cAAc,mBAAmB,qBAC7B;AAAA,IACE,UAAU;AAAA,IACV,QAAQ;AAAA,EACV,IACA;AAAA,EACJ,OAAO,CAAC,UAAU;AAChB,UAAM,OAAO,KAAK,UAAU;AAAA,MAC1B,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,GAAG,MAAM;AAAA,IACX,CAAC;AACD,QAAI,MAAM,UAAU,QAAS,SAAQ,MAAM,IAAI;AAAA,QAC1C,SAAQ,IAAI,IAAI;AAAA,EACvB;AACF,CAAC;AAED,QAAQ,IAAI,KAAK,UAAU;AAAA,EACzB,OAAO;AAAA,EACP,SAAS;AAAA,EACT,KAAK,OAAO;AACd,CAAC,CAAC;AAEF,WAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACnD,UAAQ,KAAK,QAAQ,YAAY;AAC/B,UAAM,OAAO,MAAM;AACnB,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../src/bin/tangle-catalog-runtime.ts"],"sourcesContent":["#!/usr/bin/env node\nimport {\n  buildTangleCatalogRuntimePackageManifest,\n  renderTangleCatalogRuntimePnpmAddCommand,\n} from '../tangle-catalog.js'\nimport { auditTangleCatalogRuntimePackages } from '../tangle-catalog-runtime.js'\nimport { startTangleCatalogRuntimeNodeServer } from '../tangle-catalog-runtime-server.js'\n\nconst args = new Set(process.argv.slice(2))\nif (args.has('--print-package-json')) {\n  console.log(JSON.stringify(buildTangleCatalogRuntimePackageManifest({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }), null, 2))\n  process.exit(0)\n}\n\nif (args.has('--print-pnpm-add')) {\n  console.log(renderTangleCatalogRuntimePnpmAddCommand({\n    agentIntegrationsVersion: process.env.TANGLE_AGENT_INTEGRATIONS_VERSION,\n  }))\n  process.exit(0)\n}\n\nif (args.has('--audit-packages')) {\n  const connectorIds = process.env.TANGLE_CATALOG_AUDIT_CONNECTORS\n    ?.split(',')\n    .map((id) => id.trim())\n    .filter(Boolean)\n  console.log(JSON.stringify(await auditTangleCatalogRuntimePackages({ connectorIds }), null, 2))\n  process.exit(0)\n}\n\nconst secret = process.env.TANGLE_CATALOG_RUNTIME_SECRET\nif (!secret || secret.length < 32) {\n  console.error('TANGLE_CATALOG_RUNTIME_SECRET must be set to at least 32 characters.')\n  process.exit(1)\n}\n\nconst authResolverUrl = process.env.TANGLE_CATALOG_AUTH_RESOLVER_URL\nconst authResolverSecret = process.env.TANGLE_CATALOG_AUTH_RESOLVER_SECRET\nif (Boolean(authResolverUrl) !== Boolean(authResolverSecret)) {\n  console.error('TANGLE_CATALOG_AUTH_RESOLVER_URL and TANGLE_CATALOG_AUTH_RESOLVER_SECRET must be set together.')\n  process.exit(1)\n}\n\nconst port = Number(process.env.PORT ?? process.env.TANGLE_CATALOG_RUNTIME_PORT ?? 4109)\nif (!Number.isInteger(port) || port < 1 || port > 65_535) {\n  console.error('PORT must be an integer between 1 and 65535.')\n  process.exit(1)\n}\n\nconst server = await startTangleCatalogRuntimeNodeServer({\n  secret,\n  host: process.env.HOST ?? process.env.TANGLE_CATALOG_RUNTIME_HOST ?? '0.0.0.0',\n  port,\n  authResolver: authResolverUrl && authResolverSecret\n    ? {\n        endpoint: authResolverUrl,\n        secret: authResolverSecret,\n      }\n    : false,\n  onLog: (event) => {\n    const line = JSON.stringify({\n      level: event.level,\n      message: event.message,\n      ...event.metadata,\n    })\n    if (event.level === 'error') console.error(line)\n    else console.log(line)\n  },\n})\n\nconsole.log(JSON.stringify({\n  level: 'info',\n  message: 'Tangle catalog runtime listening.',\n  url: server.url,\n}))\n\nfor (const signal of ['SIGINT', 'SIGTERM'] as const) {\n  process.once(signal, async () => {\n    await server.close()\n    process.exit(0)\n  })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAQA,IAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC;AAC1C,IAAI,KAAK,IAAI,sBAAsB,GAAG;AACpC,UAAQ,IAAI,KAAK,UAAU,yCAAyC;AAAA,IAClE,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,GAAG,MAAM,CAAC,CAAC;AACZ,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,UAAQ,IAAI,yCAAyC;AAAA,IACnD,0BAA0B,QAAQ,IAAI;AAAA,EACxC,CAAC,CAAC;AACF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAI,KAAK,IAAI,kBAAkB,GAAG;AAChC,QAAM,eAAe,QAAQ,IAAI,iCAC7B,MAAM,GAAG,EACV,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EACrB,OAAO,OAAO;AACjB,UAAQ,IAAI,KAAK,UAAU,MAAM,kCAAkC,EAAE,aAAa,CAAC,GAAG,MAAM,CAAC,CAAC;AAC9F,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,QAAQ,IAAI;AAC3B,IAAI,CAAC,UAAU,OAAO,SAAS,IAAI;AACjC,UAAQ,MAAM,sEAAsE;AACpF,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,kBAAkB,QAAQ,IAAI;AACpC,IAAM,qBAAqB,QAAQ,IAAI;AACvC,IAAI,QAAQ,eAAe,MAAM,QAAQ,kBAAkB,GAAG;AAC5D,UAAQ,MAAM,gGAAgG;AAC9G,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,OAAO,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B,IAAI;AACvF,IAAI,CAAC,OAAO,UAAU,IAAI,KAAK,OAAO,KAAK,OAAO,OAAQ;AACxD,UAAQ,MAAM,8CAA8C;AAC5D,UAAQ,KAAK,CAAC;AAChB;AAEA,IAAM,SAAS,MAAM,oCAAoC;AAAA,EACvD;AAAA,EACA,MAAM,QAAQ,IAAI,QAAQ,QAAQ,IAAI,+BAA+B;AAAA,EACrE;AAAA,EACA,cAAc,mBAAmB,qBAC7B;AAAA,IACE,UAAU;AAAA,IACV,QAAQ;AAAA,EACV,IACA;AAAA,EACJ,OAAO,CAAC,UAAU;AAChB,UAAM,OAAO,KAAK,UAAU;AAAA,MAC1B,OAAO,MAAM;AAAA,MACb,SAAS,MAAM;AAAA,MACf,GAAG,MAAM;AAAA,IACX,CAAC;AACD,QAAI,MAAM,UAAU,QAAS,SAAQ,MAAM,IAAI;AAAA,QAC1C,SAAQ,IAAI,IAAI;AAAA,EACvB;AACF,CAAC;AAED,QAAQ,IAAI,KAAK,UAAU;AAAA,EACzB,OAAO;AAAA,EACP,SAAS;AAAA,EACT,KAAK,OAAO;AACd,CAAC,CAAC;AAEF,WAAW,UAAU,CAAC,UAAU,SAAS,GAAY;AACnD,UAAQ,KAAK,QAAQ,YAAY;AAC/B,UAAM,OAAO,MAAM;AACnB,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":[]}

package/dist/catalog.d.ts

@@ -1,4 +1,8 @@
 export { I as IntegrationCatalogView, a as IntegrationToolDefinition, b as IntegrationToolSearchFilters, c as IntegrationToolSearchResult, M as McpToolDefinition, d as buildIntegrationCatalogView, e as buildIntegrationToolCatalog, i as integrationToolName, p as parseIntegrationToolName, s as searchIntegrationTools, t as toMcpTools } from './registry.js';
-import './index-D4D4CEKX.js';
+import './tangle-id-CTU4kGId.js';
+import './errors-Bg3_rxnQ.js';
+import './connect/index.js';
+import './middleware/index.js';
 import './connectors/index.js';
+import './connectors/adapters/index.js';
 import 'node:http';

package/dist/catalog.js

@@ -5,11 +5,15 @@ import {
   parseIntegrationToolName,
   searchIntegrationTools,
   toMcpTools
-} from "./chunk-ALCIWTIR.js";
+} from "./chunk-UWRYFPJW.js";
+import "./chunk-SVQ4PHDZ.js";
+import "./chunk-H4XYLS7T.js";
 import "./chunk-4JQ754PA.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-GA4VTE3U.js";
+import "./chunk-JU25UDN2.js";
 import "./chunk-2TW2QKGZ.js";
+import "./chunk-P24T3MLM.js";
+import "./chunk-ATYHZXLL.js";
 export {
   buildIntegrationCatalogView,
   buildIntegrationToolCatalog,

package/dist/chunk-ATYHZXLL.js

@@ -0,0 +1,457 @@
+// src/connectors/types.ts
+var ResourceContention = class extends Error {
+  constructor(message, alternatives = [], currentState) {
+    super(message);
+    this.alternatives = alternatives;
+    this.currentState = currentState;
+  }
+  alternatives;
+  currentState;
+  name = "ResourceContention";
+};
+var CredentialsExpired = class extends Error {
+  constructor(message, dataSourceId) {
+    super(message);
+    this.dataSourceId = dataSourceId;
+  }
+  dataSourceId;
+  name = "CredentialsExpired";
+};
+function validateConnectorManifest(manifest) {
+  const issues = [];
+  if (!manifest.kind.trim()) issues.push({ path: "kind", message: "kind is required" });
+  if (!manifest.displayName.trim()) issues.push({ path: "displayName", message: "displayName is required" });
+  const seen = /* @__PURE__ */ new Set();
+  for (const [index, capability] of manifest.capabilities.entries()) {
+    const path = `capabilities[${index}]`;
+    if (!capability.name.trim()) issues.push({ path: `${path}.name`, message: "capability name is required" });
+    if (seen.has(capability.name)) issues.push({ path: `${path}.name`, message: `duplicate capability name: ${capability.name}` });
+    seen.add(capability.name);
+    if (capability.class === "mutation") {
+      if (!capability.cas) issues.push({ path: `${path}.cas`, message: "mutation capability must declare a CAS strategy" });
+      if (manifest.defaultConsistencyModel === "authoritative" && capability.cas === "none") {
+        issues.push({ path: `${path}.cas`, message: 'authoritative mutations cannot use cas="none"' });
+      }
+    }
+  }
+  if (manifest.rateLimit) {
+    if (!Number.isFinite(manifest.rateLimit.requests) || manifest.rateLimit.requests <= 0) {
+      issues.push({ path: "rateLimit.requests", message: "rateLimit.requests must be positive" });
+    }
+    if (!Number.isFinite(manifest.rateLimit.windowMs) || manifest.rateLimit.windowMs <= 0) {
+      issues.push({ path: "rateLimit.windowMs", message: "rateLimit.windowMs must be positive" });
+    }
+  }
+  return { ok: issues.length === 0, issues };
+}
+function assertValidConnectorManifest(manifest) {
+  const result = validateConnectorManifest(manifest);
+  if (!result.ok) {
+    throw new Error(`Invalid connector manifest ${manifest.kind || "<unknown>"}: ${result.issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ")}`);
+  }
+}
+
+// src/connectors/adapters/tangle-id.ts
+var DEFAULT_TANGLE_PLATFORM_URL = "https://id.tangle.tools";
+var PLATFORM_FETCH_TIMEOUT_MS = 5e3;
+var TANGLE_API_KEY_PREFIX = "sk-tan-";
+var TANGLE_SERVICE_TOKEN_PREFIX = "svc_";
+var TangleIdentityUnreachableError = class extends Error {
+  name = "TangleIdentityUnreachableError";
+  status;
+  constructor(message, opts) {
+    super(message, opts);
+    this.status = opts?.status;
+  }
+};
+function tangleIdentity(opts = {}) {
+  const client = createTangleIdentityClient(opts);
+  const adapter = {
+    manifest: {
+      kind: "tangle-id",
+      displayName: "Tangle Identity",
+      description: "Verify Tangle session cookies and API keys issued by id.tangle.tools, resolve user + workspace identity, and gate capability discovery against the calling workspace scopes.",
+      auth: { kind: "api-key", hint: "Tangle platform service token (svc_*)." },
+      category: "other",
+      defaultConsistencyModel: "authoritative",
+      // 50 req/s per service token matches the platform's documented
+      // S2S budget. We meter on our side so a chatty product doesn't
+      // burn the shared service-token quota and block the rest.
+      rateLimit: { requests: 50, windowMs: 1e3, scope: "oauth-client" },
+      capabilities: [
+        {
+          name: "verify_token",
+          class: "read",
+          description: "Verify a session cookie or sk-tan-* API key. Returns { valid, userId, workspaceId, scopes, expiresAt } or { valid: false, reason }.",
+          parameters: {
+            type: "object",
+            properties: {
+              token: { type: "string", minLength: 1 }
+            },
+            required: ["token"]
+          }
+        },
+        {
+          name: "get_user",
+          class: "read",
+          description: "Read the user profile (id, email, name, image) for a verified userId.",
+          parameters: {
+            type: "object",
+            properties: { userId: { type: "string", minLength: 1 } },
+            required: ["userId"]
+          }
+        },
+        {
+          name: "list_workspaces",
+          class: "read",
+          description: "List workspaces (teams + the personal workspace) the user belongs to, with role + effective scopes.",
+          parameters: {
+            type: "object",
+            properties: { userId: { type: "string", minLength: 1 } },
+            required: ["userId"]
+          }
+        },
+        {
+          name: "switch_workspace",
+          class: "mutation",
+          description: "Resolve a workspace by id and return its effective scope set. Stateless on this adapter \u2014 caller persists the workspaceId in its own session store.",
+          parameters: {
+            type: "object",
+            properties: {
+              userId: { type: "string", minLength: 1 },
+              workspaceId: { type: "string", minLength: 1 }
+            },
+            required: ["userId", "workspaceId"]
+          },
+          cas: "native-idempotency",
+          externalEffect: false
+        },
+        {
+          name: "revoke_session",
+          class: "mutation",
+          description: "Revoke a session token or API key. Idempotent.",
+          parameters: {
+            type: "object",
+            properties: { token: { type: "string", minLength: 1 } },
+            required: ["token"]
+          },
+          cas: "native-idempotency",
+          externalEffect: true
+        }
+      ]
+    },
+    async executeRead(inv) {
+      if (inv.capabilityName === "verify_token") {
+        const token = readStringArg(inv.args, "token");
+        const result = await client.verifyToken(token);
+        return { data: result, fetchedAt: Date.now() };
+      }
+      if (inv.capabilityName === "get_user") {
+        const userId = readStringArg(inv.args, "userId");
+        const user = await client.getUser(userId);
+        return { data: user, fetchedAt: Date.now() };
+      }
+      if (inv.capabilityName === "list_workspaces") {
+        const userId = readStringArg(inv.args, "userId");
+        const workspaces = await client.listWorkspaces(userId);
+        return { data: { workspaces }, fetchedAt: Date.now() };
+      }
+      throw new Error(`tangle-id: unknown read capability ${inv.capabilityName}`);
+    },
+    async executeMutation(inv) {
+      if (inv.capabilityName === "switch_workspace") {
+        const userId = readStringArg(inv.args, "userId");
+        const workspaceId = readStringArg(inv.args, "workspaceId");
+        const result = await client.switchWorkspace(userId, workspaceId);
+        return {
+          status: "committed",
+          data: result,
+          committedAt: Date.now(),
+          idempotentReplay: false
+        };
+      }
+      if (inv.capabilityName === "revoke_session") {
+        const token = readStringArg(inv.args, "token");
+        await client.revokeSession(token);
+        return {
+          status: "committed",
+          data: { ok: true },
+          committedAt: Date.now(),
+          idempotentReplay: false
+        };
+      }
+      throw new Error(`tangle-id: unknown mutation capability ${inv.capabilityName}`);
+    },
+    async test(source) {
+      try {
+        const ok = await client.ping();
+        if (!ok) return { ok: false, reason: "id.tangle.tools /health returned non-200" };
+        return { ok: true };
+      } catch (err) {
+        if (err instanceof CredentialsExpired) {
+          return { ok: false, reason: "service token rejected \u2014 rotate TANGLE_SERVICE_TOKEN" };
+        }
+        return { ok: false, reason: err instanceof Error ? err.message : String(err) };
+      }
+    }
+  };
+  return adapter;
+}
+function createTangleIdentityClient(opts = {}) {
+  const baseUrl = (opts.baseUrl ?? DEFAULT_TANGLE_PLATFORM_URL).replace(/\/+$/, "");
+  const serviceToken = opts.serviceToken;
+  const serviceName = opts.serviceName ?? "integrations";
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const timeoutMs = opts.timeoutMs ?? PLATFORM_FETCH_TIMEOUT_MS;
+  function s2sHeaders() {
+    if (!serviceToken) {
+      throw new TangleIdentityUnreachableError(
+        "tangle-id: serviceToken is required for service-to-service calls (verify, get_user, list_workspaces, revoke)"
+      );
+    }
+    return {
+      "content-type": "application/json",
+      authorization: `Bearer ${serviceToken}`,
+      "x-service-name": serviceName
+    };
+  }
+  async function jsonFetch(path, init) {
+    let res;
+    try {
+      res = await fetchImpl(`${baseUrl}${path}`, {
+        ...init,
+        signal: init.signal ?? AbortSignal.timeout(timeoutMs)
+      });
+    } catch (err) {
+      throw new TangleIdentityUnreachableError(
+        `tangle-id: request to ${path} failed`,
+        { cause: err }
+      );
+    }
+    return res;
+  }
+  async function readErrorDetail(res) {
+    try {
+      const text = await res.text();
+      return text.trim().slice(0, 200);
+    } catch {
+      return "";
+    }
+  }
+  async function verifyApiKey(token) {
+    const res = await jsonFetch("/v1/keys/verify", {
+      method: "POST",
+      headers: s2sHeaders(),
+      body: JSON.stringify({ key: token })
+    });
+    if (res.status === 401) {
+      return { valid: false, reason: "service_token_refused" };
+    }
+    if (!res.ok) {
+      throw new TangleIdentityUnreachableError(
+        `tangle-id: /v1/keys/verify returned ${res.status}: ${await readErrorDetail(res)}`,
+        { status: res.status }
+      );
+    }
+    const body = await res.json().catch(() => null);
+    if (!body || typeof body.valid !== "boolean") {
+      return { valid: false, reason: "malformed" };
+    }
+    if (!body.valid || !body.userId) {
+      return { valid: false, reason: "revoked" };
+    }
+    const scopes = Array.isArray(body.allowedModels) ? body.allowedModels.filter((value) => typeof value === "string") : [];
+    if (body.product) scopes.push(`product:${body.product}`);
+    const expiresAt = typeof body.expiresAt === "string" && body.expiresAt ? Date.parse(body.expiresAt) : void 0;
+    return {
+      valid: true,
+      kind: "api_key",
+      userId: body.userId,
+      workspaceId: body.ownerType === "team" && body.ownerId ? body.ownerId : body.userId,
+      ownerType: body.ownerType ?? "user",
+      scopes,
+      ...Number.isFinite(expiresAt) ? { expiresAt } : {},
+      ...body.keyId ? { credentialId: body.keyId } : {},
+      ...body.product ? { product: body.product } : {}
+    };
+  }
+  async function verifySession(token) {
+    const res = await jsonFetch("/api/auth/get-session", {
+      method: "GET",
+      headers: {
+        accept: "application/json",
+        authorization: `Bearer ${token}`
+      }
+    });
+    if (res.status === 401 || res.status === 403) {
+      return { valid: false, reason: "expired" };
+    }
+    if (!res.ok) {
+      throw new TangleIdentityUnreachableError(
+        `tangle-id: /api/auth/get-session returned ${res.status}: ${await readErrorDetail(res)}`,
+        { status: res.status }
+      );
+    }
+    const body = await res.json().catch(() => null);
+    if (!body || !body.user || typeof body.user.id !== "string") {
+      return { valid: false, reason: "expired" };
+    }
+    const expiresAtRaw = body.session?.expiresAt;
+    const expiresAt = expiresAtRaw ? Date.parse(expiresAtRaw) : NaN;
+    return {
+      valid: true,
+      kind: "session",
+      userId: body.user.id,
+      workspaceId: body.session?.activeTeamId || body.user.id,
+      ownerType: body.session?.activeTeamId ? "team" : "user",
+      scopes: [],
+      ...Number.isFinite(expiresAt) ? { expiresAt } : {},
+      ...body.session?.id ? { credentialId: body.session.id } : {}
+    };
+  }
+  return {
+    async verifyToken(token) {
+      if (!token || typeof token !== "string") {
+        return { valid: false, reason: "malformed" };
+      }
+      if (token.startsWith(TANGLE_SERVICE_TOKEN_PREFIX)) {
+        return { valid: false, reason: "service_token_refused" };
+      }
+      if (token.startsWith(TANGLE_API_KEY_PREFIX)) {
+        return verifyApiKey(token);
+      }
+      return verifySession(token);
+    },
+    async getUser(userId) {
+      if (!userId) {
+        throw new TangleIdentityUnreachableError("tangle-id: getUser requires a non-empty userId");
+      }
+      const res = await jsonFetch(`/v1/users/${encodeURIComponent(userId)}`, {
+        method: "GET",
+        headers: s2sHeaders()
+      });
+      if (res.status === 404) {
+        throw new TangleIdentityUnreachableError(`tangle-id: user ${userId} not found`, { status: 404 });
+      }
+      if (!res.ok) {
+        throw new TangleIdentityUnreachableError(
+          `tangle-id: /v1/users/${userId} returned ${res.status}: ${await readErrorDetail(res)}`,
+          { status: res.status }
+        );
+      }
+      const body = await res.json().catch(() => null);
+      const data = body?.data;
+      if (!data || typeof data.id !== "string") {
+        throw new TangleIdentityUnreachableError("tangle-id: /v1/users response had an invalid shape");
+      }
+      return {
+        id: data.id,
+        ...typeof data.email === "string" ? { email: data.email } : {},
+        ...data.name !== void 0 ? { name: data.name } : {},
+        ...data.image !== void 0 ? { image: data.image } : {}
+      };
+    },
+    async listWorkspaces(userId) {
+      const res = await jsonFetch("/v1/teams", {
+        method: "GET",
+        headers: { ...s2sHeaders(), "x-platform-user-id": userId }
+      });
+      if (!res.ok) {
+        throw new TangleIdentityUnreachableError(
+          `tangle-id: /v1/teams returned ${res.status}: ${await readErrorDetail(res)}`,
+          { status: res.status }
+        );
+      }
+      const body = await res.json().catch(() => null);
+      const rows = Array.isArray(body?.data) ? body.data : [];
+      const workspaces = [];
+      for (const row of rows) {
+        if (!row || typeof row.id !== "string" || typeof row.name !== "string") continue;
+        const role = row.role === "owner" || row.role === "admin" ? row.role : "member";
+        const scopes = Array.isArray(row.scopes) ? row.scopes.filter((value) => typeof value === "string") : [];
+        workspaces.push({
+          id: row.id,
+          name: row.name,
+          role,
+          isPersonal: Boolean(row.isPersonal) || row.id === userId,
+          scopes
+        });
+      }
+      return workspaces;
+    },
+    async switchWorkspace(userId, workspaceId) {
+      const workspaces = await this.listWorkspaces(userId);
+      const match = workspaces.find((w) => w.id === workspaceId);
+      if (!match) {
+        throw new TangleIdentityUnreachableError(
+          `tangle-id: workspace ${workspaceId} not found for user ${userId}`,
+          { status: 404 }
+        );
+      }
+      return { ok: true, workspaceId: match.id, scopes: match.scopes };
+    },
+    async revokeSession(token) {
+      if (!token) return;
+      if (token.startsWith(TANGLE_SERVICE_TOKEN_PREFIX)) {
+        throw new TangleIdentityUnreachableError(
+          "tangle-id: refusing to revoke a service token \u2014 rotate it instead"
+        );
+      }
+      if (token.startsWith(TANGLE_API_KEY_PREFIX)) {
+        const v = await verifyApiKey(token);
+        if (!v.valid || !v.credentialId) return;
+        const res2 = await jsonFetch(`/v1/keys/${encodeURIComponent(v.credentialId)}`, {
+          method: "DELETE",
+          headers: s2sHeaders()
+        });
+        if (res2.status === 404) return;
+        if (!res2.ok) {
+          throw new TangleIdentityUnreachableError(
+            `tangle-id: DELETE /v1/keys/${v.credentialId} returned ${res2.status}: ${await readErrorDetail(res2)}`,
+            { status: res2.status }
+          );
+        }
+        return;
+      }
+      const res = await jsonFetch("/api/auth/sign-out", {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${token}`
+        },
+        body: "{}"
+      });
+      if (res.status >= 500) {
+        throw new TangleIdentityUnreachableError(
+          `tangle-id: /api/auth/sign-out returned ${res.status}: ${await readErrorDetail(res)}`,
+          { status: res.status }
+        );
+      }
+    },
+    async ping() {
+      const res = await jsonFetch("/health", { method: "GET" });
+      return res.ok;
+    }
+  };
+}
+function readStringArg(args, key) {
+  const value = args[key];
+  if (typeof value !== "string" || !value) {
+    throw new Error(`tangle-id: missing required argument "${key}"`);
+  }
+  return value;
+}
+
+export {
+  ResourceContention,
+  CredentialsExpired,
+  validateConnectorManifest,
+  assertValidConnectorManifest,
+  DEFAULT_TANGLE_PLATFORM_URL,
+  TANGLE_API_KEY_PREFIX,
+  TANGLE_SERVICE_TOKEN_PREFIX,
+  TangleIdentityUnreachableError,
+  tangleIdentity,
+  createTangleIdentityClient
+};
+//# sourceMappingURL=chunk-ATYHZXLL.js.map