@tangle-network/agent-integrations 0.29.0 → 0.30.0

package/dist/{chunk-TUX6MJJ4.js → chunk-M2RFFAMB.js}

@@ -5,7 +5,7 @@ import {
 import {
   integrationSpecToConnector,
   listIntegrationSpecs
-} from "./chunk-4JQ754PA.js";
+} from "./chunk-VVC7U7W7.js";
 
 // src/activepieces-catalog.ts
 import { readFileSync } from "fs";
@@ -135,8 +135,9 @@ function buildActivepiecesConnectors(options = {}) {
     const override = getActivepiecesOverride(entry.id);
     const category = override?.category ?? entry.category;
     const scopes = [`${entry.id}.read`, `${entry.id}.write`];
-    const catalogActions = entry.actions.length > 0 ? entry.actions.map((action) => toAction(applyActionOverride(action, override), scopes, dataClassFor(category))) : defaultActions(entry.id, scopes, dataClassFor(category));
+    const catalogActions = entry.actions.map((action) => toAction(applyActionOverride(action, override), scopes, dataClassFor(category)));
     const catalogTriggers = entry.triggers.map((trigger2) => toTrigger(trigger2, scopes, dataClassFor(category)));
+    const entryExecutable = executable && catalogActions.length > 0;
     return {
       id: entry.id,
       providerId,
@@ -148,10 +149,10 @@ function buildActivepiecesConnectors(options = {}) {
       triggers: options.includeCatalogActions ? catalogTriggers : void 0,
       metadata: {
         source: "activepieces-community",
-        executable,
+        executable: entryExecutable,
         runtime: "activepieces-piece",
-        catalogOnly: !executable,
-        supportTier: executable ? "gatewayExecutable" : "catalogOnly",
+        catalogOnly: !entryExecutable,
+        supportTier: entryExecutable ? "gatewayExecutable" : "catalogOnly",
         catalogActionCount: catalogActions.length,
         catalogTriggerCount: catalogTriggers.length,
         npmPackage: entry.npmPackage,
@@ -190,28 +191,6 @@ function toTrigger(trigger2, scopes, dataClass) {
     payloadSchema: { type: "object", additionalProperties: true, properties: {} }
   };
 }
-function defaultActions(id, scopes, dataClass) {
-  return [
-    {
-      id: "records.search",
-      title: "Search records",
-      risk: "read",
-      requiredScopes: [scopes[0]],
-      dataClass,
-      inputSchema: { type: "object", additionalProperties: true, properties: {} }
-    },
-    {
-      id: "records.upsert",
-      title: "Upsert record",
-      risk: "write",
-      requiredScopes: [scopes[1]],
-      dataClass,
-      approvalRequired: true,
-      inputSchema: { type: "object", additionalProperties: true, properties: {} },
-      description: `Create or update a ${id} record through a catalog-backed connector.`
-    }
-  ];
-}
 function dataClassFor(category) {
   if (category === "database" || category === "storage" || category === "email") return "private";
   if (category === "crm" || category === "chat" || category === "docs") return "private";
@@ -222,6 +201,300 @@ function dataClassFor(category) {
 // src/index.ts
 import { createHmac as createHmac2, randomUUID as randomUUID5, timingSafeEqual as timingSafeEqual2 } from "crypto";
 
+// src/adapter-provider.ts
+function createConnectorAdapterProvider(options) {
+  const providerId = options.id ?? "first-party";
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const adapters = /* @__PURE__ */ new Map();
+  for (const adapter of options.adapters) {
+    adapters.set(adapter.manifest.kind, adapter);
+  }
+  return {
+    id: providerId,
+    kind: options.kind ?? "first_party",
+    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
+    async invokeAction(connection, request) {
+      const adapter = adapters.get(connection.connectorId);
+      if (!adapter) {
+        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
+      }
+      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
+      if (!capability) {
+        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
+      }
+      const source = await options.resolveDataSource(connection);
+      let rotated;
+      const invocation = {
+        source,
+        capabilityName: request.action,
+        args: toRecord(request.input),
+        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
+        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
+        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0,
+        onCredentialsRotated: options.onCredentialsRotated ? (credentials) => {
+          rotated = credentials;
+        } : void 0
+      };
+      const persistRotation = async () => {
+        if (rotated && options.onCredentialsRotated) {
+          await options.onCredentialsRotated({ connection, credentials: rotated });
+        }
+      };
+      if (capability.class === "read") {
+        if (!adapter.executeRead) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
+        }
+        const result = await adapter.executeRead(invocation);
+        await persistRotation();
+        return readResultToAction(request, result);
+      }
+      if (capability.class === "mutation") {
+        if (!adapter.executeMutation) {
+          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
+        }
+        const result = await adapter.executeMutation(invocation);
+        await persistRotation();
+        return mutationResultToAction(request, result);
+      }
+      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
+    }
+  };
+}
+function adapterManifestsToConnectors(adapters, providerId = "first-party") {
+  return adapters.map((adapter) => manifestToConnector(providerId, adapter));
+}
+function createConnectorAdapterCatalogSource(options) {
+  const sourceId = options.id ?? "first-party";
+  return {
+    id: sourceId,
+    precedence: options.precedence,
+    connectors: adapterManifestsToConnectors(options.adapters, options.providerId ?? sourceId)
+  };
+}
+function manifestToConnector(providerId, adapter) {
+  const manifest = adapter.manifest;
+  return {
+    id: manifest.kind,
+    providerId,
+    title: manifest.displayName,
+    category: mapCategory(manifest.category),
+    auth: mapAuth(manifest.auth.kind),
+    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
+    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
+      id: capability.name,
+      title: titleFromName(capability.name),
+      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
+      requiredScopes: capability.requiredScopes ?? [],
+      dataClass: inferDataClass(manifest.category),
+      description: capability.description,
+      approvalRequired: capability.class === "mutation",
+      inputSchema: capability.parameters
+    })),
+    metadata: {
+      source: "first-party-adapter",
+      supportTier: "firstPartyExecutable",
+      executable: true
+    }
+  };
+}
+function readResultToAction(request, result) {
+  return {
+    ok: true,
+    action: request.action,
+    output: result.data,
+    metadata: {
+      etag: result.etag,
+      fetchedAt: result.fetchedAt
+    }
+  };
+}
+function mutationResultToAction(request, result) {
+  if (result.status === "committed") {
+    return {
+      ok: true,
+      action: request.action,
+      output: result.data,
+      metadata: {
+        etagAfter: result.etagAfter,
+        committedAt: result.committedAt,
+        idempotentReplay: result.idempotentReplay
+      }
+    };
+  }
+  if (result.status === "conflict") {
+    return {
+      ok: false,
+      action: request.action,
+      output: {
+        conflict: true,
+        message: result.message,
+        alternatives: result.alternatives,
+        currentState: result.currentState
+      }
+    };
+  }
+  return {
+    ok: false,
+    action: request.action,
+    output: {
+      rateLimited: true,
+      retryAfterMs: result.retryAfterMs,
+      message: result.message
+    }
+  };
+}
+function mapAuth(kind) {
+  if (kind === "oauth2") return "oauth2";
+  if (kind === "api-key") return "api_key";
+  if (kind === "none") return "none";
+  return "custom";
+}
+function mapCategory(category) {
+  if (category === "comms") return "chat";
+  if (category === "spreadsheet") return "database";
+  if (category === "doc") return "docs";
+  if (category === "commerce") return "workflow";
+  return category === "other" ? "other" : category;
+}
+function inferDataClass(category) {
+  if (category === "commerce") return "sensitive";
+  if (category === "webhook") return "internal";
+  return "private";
+}
+function titleFromName(name) {
+  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
+}
+function toRecord(input) {
+  if (input && typeof input === "object" && !Array.isArray(input)) return input;
+  return {};
+}
+
+// src/credentials.ts
+var InMemoryIntegrationSecretStore = class {
+  secrets = /* @__PURE__ */ new Map();
+  get(ref) {
+    return this.secrets.get(secretKey(ref));
+  }
+  put(ref, credentials) {
+    this.secrets.set(secretKey(ref), credentials);
+  }
+  delete(ref) {
+    this.secrets.delete(secretKey(ref));
+  }
+};
+var InMemoryIntegrationOAuthStateStore = class {
+  states = /* @__PURE__ */ new Map();
+  put(state) {
+    this.states.set(state.state, state);
+  }
+  consume(state) {
+    const record = this.states.get(state);
+    this.states.delete(state);
+    if (!record) return { ok: false, reason: "unknown" };
+    if (record.expiresAt <= Date.now()) return { ok: false, reason: "expired" };
+    return { ok: true, state: record };
+  }
+  sweep(now) {
+    for (const [key, record] of this.states) {
+      if (record.expiresAt <= now) this.states.delete(key);
+    }
+  }
+};
+function createConnectionCredentialResolver(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return async function resolveDataSource(connection) {
+    const credentials = await resolveConnectionCredentials(connection, {
+      secrets: options.secrets,
+      connections: options.connections,
+      adapters: options.adapters,
+      now,
+      markConnectionError: options.markConnectionError
+    });
+    return {
+      id: connection.id,
+      projectId: String(connection.metadata?.projectId ?? connection.owner.id),
+      publishedAgentId: typeof connection.metadata?.publishedAgentId === "string" ? connection.metadata.publishedAgentId : null,
+      kind: connection.connectorId,
+      label: connection.account?.displayName ?? connection.account?.email ?? connection.connectorId,
+      consistencyModel: typeof connection.metadata?.consistencyModel === "string" ? connection.metadata.consistencyModel : "authoritative",
+      scopes: connection.grantedScopes,
+      metadata: connection.metadata ?? {},
+      credentials,
+      status: connection.status === "active" ? "active" : connection.status === "revoked" ? "revoked" : "error"
+    };
+  };
+}
+async function resolveConnectionCredentials(input, options) {
+  if (input.status !== "active") throw new Error(`Connection ${input.id} is ${input.status}.`);
+  if (!input.secretRef) return { kind: "none" };
+  const current = await options.secrets.get(input.secretRef);
+  if (!current) throw new Error(`Secret ${input.secretRef.provider}/${input.secretRef.id} not found.`);
+  if (!isExpiredOauth(current, options.now ?? (() => /* @__PURE__ */ new Date()))) return current;
+  const adapter = options.adapters?.find((candidate) => candidate.manifest.kind === input.connectorId);
+  if (!adapter?.refreshToken) return current;
+  try {
+    const refreshed = await adapter.refreshToken(current);
+    await options.secrets.put(input.secretRef, refreshed);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "active",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString(),
+        expiresAt: refreshed.kind === "oauth2" && refreshed.expiresAt ? new Date(refreshed.expiresAt).toISOString() : input.expiresAt
+      });
+    }
+    return refreshed;
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error("Credential refresh failed.");
+    await options.markConnectionError?.(input, err);
+    if (options.connections) {
+      await options.connections.put({
+        ...input,
+        status: "expired",
+        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    throw err;
+  }
+}
+function createCredentialBackedAdapterProvider(options) {
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  return createConnectorAdapterProvider({
+    ...options,
+    resolveDataSource: createConnectionCredentialResolver(options),
+    onCredentialsRotated: async ({ connection, credentials }) => {
+      if (connection.secretRef) {
+        await options.secrets.put(connection.secretRef, credentials);
+      }
+      if (options.connections) {
+        await options.connections.put({
+          ...connection,
+          status: "active",
+          updatedAt: now().toISOString(),
+          expiresAt: credentials.kind === "oauth2" && credentials.expiresAt ? new Date(credentials.expiresAt).toISOString() : connection.expiresAt
+        });
+      }
+      await options.onCredentialsRotated?.({ connection, secretRef: connection.secretRef, credentials });
+    }
+  });
+}
+async function revokeConnection(input) {
+  if (input.connection.secretRef) await input.secrets?.delete?.(input.connection.secretRef);
+  const revoked = {
+    ...input.connection,
+    status: "revoked",
+    updatedAt: (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+  await input.connections?.put(revoked);
+  return revoked;
+}
+function isExpiredOauth(credentials, now) {
+  return credentials.kind === "oauth2" && typeof credentials.expiresAt === "number" && credentials.expiresAt <= now().getTime() && Boolean(credentials.refreshToken);
+}
+function secretKey(ref) {
+  return `${ref.provider}:${ref.id}`;
+}
+
 // src/audit.ts
 import { randomUUID } from "crypto";
 var InMemoryIntegrationAuditStore = class {
@@ -798,340 +1071,90 @@ var TangleIntegrationsClient = class {
       const normalized = normalizeIntegrationError(error);
       return { status: "failed", action: input.tool, error: normalized.message, metadata: { code: normalized.code, userAction: normalized.userAction } };
     }
-  }
-};
-function createTangleIntegrationsClient(options) {
-  return new TangleIntegrationsClient(options);
-}
-function defaultIdempotencyKey(action) {
-  return `${action}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
-}
-function readProcessEnv() {
-  if (typeof process !== "undefined" && process.env) return process.env;
-  return {};
-}
-
-// src/consent.ts
-function renderConsentSummary(manifestOrResolution, options = {}) {
-  const manifest = "manifest" in manifestOrResolution ? manifestOrResolution.manifest : manifestOrResolution;
-  const appName = options.appName ?? manifest.title ?? manifest.id;
-  const requirements = manifest.requirements;
-  const risk = aggregateRisk(requirements, options.connectors);
-  const connectorIds = unique(requirements.map((requirement) => requirement.connectorId));
-  const first = requirements[0];
-  const body = first ? sentenceForRequirement(appName, first) : `${appName} does not request integrations.`;
-  return {
-    title: `${appName} wants to use ${humanList(connectorIds.map(titleize))}`,
-    body,
-    bullets: requirements.map((requirement) => bulletForRequirement(requirement, options.connectors)),
-    primaryAction: risk === "read" ? "Allow access" : risk === "write" ? "Review and allow" : "Review destructive access",
-    risk,
-    connectorIds
-  };
-}
-function renderApprovalCopy(input) {
-  return {
-    title: `${input.appName} wants to ${input.action.title.toLowerCase()}`,
-    body: `${input.appName} is requesting permission to run "${input.action.title}" on ${input.connectorTitle}.`,
-    bullets: [
-      `Risk: ${input.action.risk}`,
-      `Data: ${input.action.dataClass}`,
-      ...input.approvalId ? [`Approval id: ${input.approvalId}`] : []
-    ],
-    primaryAction: input.action.risk === "read" ? "Allow" : "Approve action",
-    risk: input.action.risk,
-    connectorIds: []
-  };
-}
-function sentenceForRequirement(appName, requirement) {
-  if (requirement.connectorId === "google-calendar" && requirement.mode === "read") {
-    return `${appName} wants to read your Google Calendar to find schedule-aware recommendations.`;
-  }
-  if (requirement.connectorId === "google-calendar" && requirement.mode === "write") {
-    return `${appName} wants to create or update Google Calendar events after your approval.`;
-  }
-  if (requirement.mode === "read") return `${appName} wants to read ${titleize(requirement.connectorId)} data.`;
-  if (requirement.mode === "write") return `${appName} wants to write ${titleize(requirement.connectorId)} data after approval.`;
-  return `${appName} wants to subscribe to ${titleize(requirement.connectorId)} events.`;
-}
-function bulletForRequirement(requirement, connectors = []) {
-  const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
-  const actions = requirement.requiredActions?.length ? requirement.requiredActions.map((id) => connector?.actions.find((action) => action.id === id)?.title ?? id) : requirement.requiredTriggers ?? [];
-  return `${titleize(requirement.connectorId)}: ${requirement.reason}${actions.length ? ` (${actions.join(", ")})` : ""}`;
-}
-function aggregateRisk(requirements, connectors = []) {
-  let rank = 0;
-  for (const requirement of requirements) {
-    if (requirement.mode === "write") rank = Math.max(rank, 1);
-    const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
-    for (const actionId of requirement.requiredActions ?? []) {
-      const risk = connector?.actions.find((action) => action.id === actionId)?.risk;
-      if (risk === "write") rank = Math.max(rank, 1);
-      if (risk === "destructive") rank = Math.max(rank, 2);
-    }
-  }
-  return rank === 2 ? "destructive" : rank === 1 ? "write" : "read";
-}
-function humanList(values) {
-  if (values.length <= 1) return values[0] ?? "integrations";
-  if (values.length === 2) return `${values[0]} and ${values[1]}`;
-  return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
-}
-function titleize(value) {
-  return value.split(/[-_.]/g).filter(Boolean).map((part) => part[0].toUpperCase() + part.slice(1)).join(" ");
-}
-function unique(values) {
-  return [...new Set(values)];
-}
-
-// src/adapter-provider.ts
-function createConnectorAdapterProvider(options) {
-  const providerId = options.id ?? "first-party";
-  const now = options.now ?? (() => /* @__PURE__ */ new Date());
-  const adapters = /* @__PURE__ */ new Map();
-  for (const adapter of options.adapters) {
-    adapters.set(adapter.manifest.kind, adapter);
-  }
-  return {
-    id: providerId,
-    kind: options.kind ?? "first_party",
-    listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
-    async invokeAction(connection, request) {
-      const adapter = adapters.get(connection.connectorId);
-      if (!adapter) {
-        throw new IntegrationError(`Connector adapter ${connection.connectorId} not found.`, "connector_not_found");
-      }
-      const capability = adapter.manifest.capabilities.find((candidate) => candidate.name === request.action);
-      if (!capability) {
-        throw new IntegrationError(`Capability ${request.action} is not defined by ${connection.connectorId}.`, "action_not_found");
-      }
-      const source = await options.resolveDataSource(connection);
-      const invocation = {
-        source,
-        capabilityName: request.action,
-        args: toRecord(request.input),
-        idempotencyKey: request.idempotencyKey ?? `idem_${connection.id}_${request.action}_${now().getTime()}`,
-        expectedEtag: typeof request.metadata?.expectedEtag === "string" ? request.metadata.expectedEtag : void 0,
-        callSessionId: typeof request.metadata?.callSessionId === "string" ? request.metadata.callSessionId : void 0
-      };
-      if (capability.class === "read") {
-        if (!adapter.executeRead) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement reads.`, "action_not_found");
-        }
-        const result = await adapter.executeRead(invocation);
-        return readResultToAction(request, result);
-      }
-      if (capability.class === "mutation") {
-        if (!adapter.executeMutation) {
-          throw new IntegrationError(`Connector ${connection.connectorId} does not implement mutations.`, "action_not_found");
-        }
-        const result = await adapter.executeMutation(invocation);
-        return mutationResultToAction(request, result);
-      }
-      throw new IntegrationError(`Capability ${request.action} is not invokable as an action.`, "action_not_found");
-    }
-  };
-}
-function adapterManifestsToConnectors(adapters, providerId = "first-party") {
-  return adapters.map((adapter) => manifestToConnector(providerId, adapter));
-}
-function createConnectorAdapterCatalogSource(options) {
-  const sourceId = options.id ?? "first-party";
-  return {
-    id: sourceId,
-    precedence: options.precedence,
-    connectors: adapterManifestsToConnectors(options.adapters, options.providerId ?? sourceId)
-  };
-}
-function manifestToConnector(providerId, adapter) {
-  const manifest = adapter.manifest;
-  return {
-    id: manifest.kind,
-    providerId,
-    title: manifest.displayName,
-    category: mapCategory(manifest.category),
-    auth: mapAuth(manifest.auth.kind),
-    scopes: manifest.auth.kind === "oauth2" ? manifest.auth.scopes : [],
-    actions: manifest.capabilities.filter((capability) => capability.class === "read" || capability.class === "mutation").map((capability) => ({
-      id: capability.name,
-      title: titleFromName(capability.name),
-      risk: capability.class === "read" ? "read" : capability.externalEffect ? "destructive" : "write",
-      requiredScopes: capability.requiredScopes ?? [],
-      dataClass: inferDataClass(manifest.category),
-      description: capability.description,
-      approvalRequired: capability.class === "mutation",
-      inputSchema: capability.parameters
-    })),
-    metadata: {
-      source: "first-party-adapter",
-      supportTier: "firstPartyExecutable",
-      executable: true
-    }
-  };
-}
-function readResultToAction(request, result) {
-  return {
-    ok: true,
-    action: request.action,
-    output: result.data,
-    metadata: {
-      etag: result.etag,
-      fetchedAt: result.fetchedAt
-    }
-  };
-}
-function mutationResultToAction(request, result) {
-  if (result.status === "committed") {
-    return {
-      ok: true,
-      action: request.action,
-      output: result.data,
-      metadata: {
-        etagAfter: result.etagAfter,
-        committedAt: result.committedAt,
-        idempotentReplay: result.idempotentReplay
-      }
-    };
-  }
-  if (result.status === "conflict") {
-    return {
-      ok: false,
-      action: request.action,
-      output: {
-        conflict: true,
-        message: result.message,
-        alternatives: result.alternatives,
-        currentState: result.currentState
-      }
-    };
-  }
-  return {
-    ok: false,
-    action: request.action,
-    output: {
-      rateLimited: true,
-      retryAfterMs: result.retryAfterMs,
-      message: result.message
-    }
-  };
-}
-function mapAuth(kind) {
-  if (kind === "oauth2") return "oauth2";
-  if (kind === "api-key") return "api_key";
-  if (kind === "none") return "none";
-  return "custom";
-}
-function mapCategory(category) {
-  if (category === "comms") return "chat";
-  if (category === "spreadsheet") return "database";
-  if (category === "doc") return "docs";
-  if (category === "commerce") return "workflow";
-  return category === "other" ? "other" : category;
-}
-function inferDataClass(category) {
-  if (category === "commerce") return "sensitive";
-  if (category === "webhook") return "internal";
-  return "private";
+  }
+};
+function createTangleIntegrationsClient(options) {
+  return new TangleIntegrationsClient(options);
 }
-function titleFromName(name) {
-  return name.split(/[._-]/g).filter(Boolean).map((part) => part.slice(0, 1).toUpperCase() + part.slice(1)).join(" ");
+function defaultIdempotencyKey(action) {
+  return `${action}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
 }
-function toRecord(input) {
-  if (input && typeof input === "object" && !Array.isArray(input)) return input;
+function readProcessEnv() {
+  if (typeof process !== "undefined" && process.env) return process.env;
   return {};
 }
 
-// src/credentials.ts
-var InMemoryIntegrationSecretStore = class {
-  secrets = /* @__PURE__ */ new Map();
-  get(ref) {
-    return this.secrets.get(secretKey(ref));
-  }
-  put(ref, credentials) {
-    this.secrets.set(secretKey(ref), credentials);
+// src/consent.ts
+function renderConsentSummary(manifestOrResolution, options = {}) {
+  const manifest = "manifest" in manifestOrResolution ? manifestOrResolution.manifest : manifestOrResolution;
+  const appName = options.appName ?? manifest.title ?? manifest.id;
+  const requirements = manifest.requirements;
+  const risk = aggregateRisk(requirements, options.connectors);
+  const connectorIds = unique(requirements.map((requirement) => requirement.connectorId));
+  const first = requirements[0];
+  const body = first ? sentenceForRequirement(appName, first) : `${appName} does not request integrations.`;
+  return {
+    title: `${appName} wants to use ${humanList(connectorIds.map(titleize))}`,
+    body,
+    bullets: requirements.map((requirement) => bulletForRequirement(requirement, options.connectors)),
+    primaryAction: risk === "read" ? "Allow access" : risk === "write" ? "Review and allow" : "Review destructive access",
+    risk,
+    connectorIds
+  };
+}
+function renderApprovalCopy(input) {
+  return {
+    title: `${input.appName} wants to ${input.action.title.toLowerCase()}`,
+    body: `${input.appName} is requesting permission to run "${input.action.title}" on ${input.connectorTitle}.`,
+    bullets: [
+      `Risk: ${input.action.risk}`,
+      `Data: ${input.action.dataClass}`,
+      ...input.approvalId ? [`Approval id: ${input.approvalId}`] : []
+    ],
+    primaryAction: input.action.risk === "read" ? "Allow" : "Approve action",
+    risk: input.action.risk,
+    connectorIds: []
+  };
+}
+function sentenceForRequirement(appName, requirement) {
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "read") {
+    return `${appName} wants to read your Google Calendar to find schedule-aware recommendations.`;
   }
-  delete(ref) {
-    this.secrets.delete(secretKey(ref));
+  if (requirement.connectorId === "google-calendar" && requirement.mode === "write") {
+    return `${appName} wants to create or update Google Calendar events after your approval.`;
   }
-};
-function createConnectionCredentialResolver(options) {
-  const now = options.now ?? (() => /* @__PURE__ */ new Date());
-  return async function resolveDataSource(connection) {
-    const credentials = await resolveConnectionCredentials(connection, {
-      secrets: options.secrets,
-      connections: options.connections,
-      adapters: options.adapters,
-      now,
-      markConnectionError: options.markConnectionError
-    });
-    return {
-      id: connection.id,
-      projectId: String(connection.metadata?.projectId ?? connection.owner.id),
-      publishedAgentId: typeof connection.metadata?.publishedAgentId === "string" ? connection.metadata.publishedAgentId : null,
-      kind: connection.connectorId,
-      label: connection.account?.displayName ?? connection.account?.email ?? connection.connectorId,
-      consistencyModel: typeof connection.metadata?.consistencyModel === "string" ? connection.metadata.consistencyModel : "authoritative",
-      scopes: connection.grantedScopes,
-      metadata: connection.metadata ?? {},
-      credentials,
-      status: connection.status === "active" ? "active" : connection.status === "revoked" ? "revoked" : "error"
-    };
-  };
+  if (requirement.mode === "read") return `${appName} wants to read ${titleize(requirement.connectorId)} data.`;
+  if (requirement.mode === "write") return `${appName} wants to write ${titleize(requirement.connectorId)} data after approval.`;
+  return `${appName} wants to subscribe to ${titleize(requirement.connectorId)} events.`;
 }
-async function resolveConnectionCredentials(input, options) {
-  if (input.status !== "active") throw new Error(`Connection ${input.id} is ${input.status}.`);
-  if (!input.secretRef) return { kind: "none" };
-  const current = await options.secrets.get(input.secretRef);
-  if (!current) throw new Error(`Secret ${input.secretRef.provider}/${input.secretRef.id} not found.`);
-  if (!isExpiredOauth(current, options.now ?? (() => /* @__PURE__ */ new Date()))) return current;
-  const adapter = options.adapters?.find((candidate) => candidate.manifest.kind === input.connectorId);
-  if (!adapter?.refreshToken) return current;
-  try {
-    const refreshed = await adapter.refreshToken(current);
-    await options.secrets.put(input.secretRef, refreshed);
-    if (options.connections) {
-      await options.connections.put({
-        ...input,
-        status: "active",
-        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString(),
-        expiresAt: refreshed.kind === "oauth2" && refreshed.expiresAt ? new Date(refreshed.expiresAt).toISOString() : input.expiresAt
-      });
-    }
-    return refreshed;
-  } catch (error) {
-    const err = error instanceof Error ? error : new Error("Credential refresh failed.");
-    await options.markConnectionError?.(input, err);
-    if (options.connections) {
-      await options.connections.put({
-        ...input,
-        status: "expired",
-        updatedAt: (options.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
-      });
+function bulletForRequirement(requirement, connectors = []) {
+  const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+  const actions = requirement.requiredActions?.length ? requirement.requiredActions.map((id) => connector?.actions.find((action) => action.id === id)?.title ?? id) : requirement.requiredTriggers ?? [];
+  return `${titleize(requirement.connectorId)}: ${requirement.reason}${actions.length ? ` (${actions.join(", ")})` : ""}`;
+}
+function aggregateRisk(requirements, connectors = []) {
+  let rank = 0;
+  for (const requirement of requirements) {
+    if (requirement.mode === "write") rank = Math.max(rank, 1);
+    const connector = connectors.find((candidate) => candidate.id === requirement.connectorId);
+    for (const actionId of requirement.requiredActions ?? []) {
+      const risk = connector?.actions.find((action) => action.id === actionId)?.risk;
+      if (risk === "write") rank = Math.max(rank, 1);
+      if (risk === "destructive") rank = Math.max(rank, 2);
     }
-    throw err;
   }
+  return rank === 2 ? "destructive" : rank === 1 ? "write" : "read";
 }
-function createCredentialBackedAdapterProvider(options) {
-  return createConnectorAdapterProvider({
-    ...options,
-    resolveDataSource: createConnectionCredentialResolver(options)
-  });
-}
-async function revokeConnection(input) {
-  if (input.connection.secretRef) await input.secrets?.delete?.(input.connection.secretRef);
-  const revoked = {
-    ...input.connection,
-    status: "revoked",
-    updatedAt: (input.now?.() ?? /* @__PURE__ */ new Date()).toISOString()
-  };
-  await input.connections?.put(revoked);
-  return revoked;
+function humanList(values) {
+  if (values.length <= 1) return values[0] ?? "integrations";
+  if (values.length === 2) return `${values[0]} and ${values[1]}`;
+  return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
 }
-function isExpiredOauth(credentials, now) {
-  return credentials.kind === "oauth2" && typeof credentials.expiresAt === "number" && credentials.expiresAt <= now().getTime() && Boolean(credentials.refreshToken);
+function titleize(value) {
+  return value.split(/[-_.]/g).filter(Boolean).map((part) => part[0].toUpperCase() + part.slice(1)).join(" ");
 }
-function secretKey(ref) {
-  return `${ref.provider}:${ref.id}`;
+function unique(values) {
+  return [...new Set(values)];
 }
 
 // src/discovery.ts
@@ -2604,12 +2627,12 @@ async function auditTangleCatalogRuntimePackages(options = {}) {
         action.id,
         action.title,
         action.upstreamName
-      ])).length,
+      ], entry.id)).length,
       triggerMappingsFound: entry.triggers.filter((trigger2) => hasRuntimeName(triggers, [
         trigger2.id,
         trigger2.title,
         trigger2.upstreamName
-      ])).length,
+      ], entry.id)).length,
       triggerHostingSupported: entry.triggers.length === 0 || triggers.length > 0
     });
   }
@@ -2699,28 +2722,93 @@ function findPieceExport(moduleValue, connectorId) {
     mod[connectorId],
     ...Object.values(mod)
   ];
-  return values.find((value) => Boolean(value) && typeof value === "object" && Array.isArray(value.actions));
+  for (const value of values) {
+    const resolved = resolvePiece(value);
+    if (resolved) return resolved;
+  }
+  return void 0;
+}
+function resolvePiece(value) {
+  if (!value || typeof value !== "object" && typeof value !== "function") return void 0;
+  const candidate = value;
+  const ctorName = candidate.constructor?.name;
+  const looksLikePiece = ctorName === "Piece" || "_actions" in candidate || "_triggers" in candidate || "actions" in candidate || "triggers" in candidate;
+  if (!looksLikePiece) return void 0;
+  const actions = readPieceMembers(candidate, "_actions", "actions");
+  const triggers = readPieceMembers(candidate, "_triggers", "triggers");
+  if (!actions && !triggers) return void 0;
+  return { actions: actions ?? [], triggers: triggers ?? [] };
+}
+function readPieceMembers(piece, privateKey, publicKey) {
+  const raw = coerceMemberCollection(piece[privateKey]) ?? coerceMemberCollection(readPublicMember(piece, publicKey));
+  if (!raw) return void 0;
+  return raw.filter((member) => Boolean(member) && typeof member === "object");
+}
+function readPublicMember(piece, key) {
+  const value = piece[key];
+  if (typeof value !== "function") return value;
+  try {
+    return value.call(piece);
+  } catch {
+    return void 0;
+  }
+}
+function coerceMemberCollection(value) {
+  if (Array.isArray(value)) return value;
+  if (value && typeof value === "object") return Object.values(value);
+  return void 0;
 }
-function hasRuntimeName(values, candidates) {
-  const expected = new Set(candidates.filter((value) => Boolean(value)));
-  return values.filter((value) => Boolean(value) && typeof value === "object").some((value) => [value.name, value.displayName].some((name) => typeof name === "string" && expected.has(name)));
+function hasRuntimeName(members, candidates, connectorId) {
+  const expected = normalizeNameSet(candidates, connectorId);
+  return members.some((member) => {
+    const names = normalizeNameSet([member.name, member.displayName], connectorId);
+    for (const name of names) if (expected.has(name)) return true;
+    return false;
+  });
 }
 function findRuntimeAction(piece, invocation, aliases = {}, allowFuzzyActionMatch = false) {
-  const actions = (piece.actions ?? []).filter((action) => Boolean(action) && typeof action === "object");
+  const actions = piece.actions;
   const explicit = aliases[invocation.connector.id]?.[invocation.action.id];
-  const candidates = new Set([
+  if (explicit) {
+    const exact = actions.find((action) => action.name === explicit || action.displayName === explicit);
+    if (exact) return exact;
+  }
+  const connectorId = invocation.connector.id;
+  const candidates = normalizeNameSet([
     invocation.action.id,
     invocation.action.title,
     invocation.request.piece.upstreamActionName,
     explicit
-  ].filter((value) => Boolean(value)));
+  ], connectorId);
   for (const action of actions) {
-    const names = [action.name, action.displayName].filter((value) => Boolean(value));
-    if (names.some((name) => candidates.has(name))) return action;
-    if (allowFuzzyActionMatch && names.some((name) => [...candidates].some((candidate) => comparable(name) === comparable(candidate)))) return action;
+    const names = normalizeNameSet([action.name, action.displayName], connectorId);
+    for (const name of names) if (candidates.has(name)) return action;
   }
+  void allowFuzzyActionMatch;
   return void 0;
 }
+function normalizeNameSet(values, connectorId) {
+  const out = /* @__PURE__ */ new Set();
+  const conn = comparable(connectorId);
+  for (const value of values) {
+    if (!value) continue;
+    for (const variant of nameVariants(comparable(value), conn)) {
+      if (variant) out.add(variant);
+    }
+  }
+  return out;
+}
+function nameVariants(cmp, conn) {
+  const base = [cmp, cmp.replace(/(action|trigger)$/, "")];
+  const variants = [];
+  for (const value of base) {
+    variants.push(value);
+    if (conn && value.startsWith(conn) && value.length > conn.length) {
+      variants.push(value.slice(conn.length));
+    }
+  }
+  return variants;
+}
 function runtimeFailure(action, code, message) {
   return {
     ok: false,
@@ -2912,16 +3000,6 @@ async function auditIntegrationCatalogFreshness(options = {}) {
       `Activepieces catalog has ${activepiecesConnectors.length} connectors, below floor ${minActivepiecesConnectors}.`
     );
   }
-  if (unsupportedExecutableConnectorIds.length > 0) {
-    warnings.push(
-      `Activepieces executable provider has ${unsupportedExecutableConnectorIds.length} connectors without actions.`
-    );
-  }
-  if (executableTools.length < activepiecesEntries.length) {
-    warnings.push(
-      `Activepieces executable provider produced only ${executableTools.length} tool definitions for ${activepiecesEntries.length} entries.`
-    );
-  }
   let upstream;
   if (options.liveActivepieces) {
     upstream = await checkActivepiecesPublicCatalog({
@@ -3372,6 +3450,12 @@ var IntegrationHub = class {
   capabilitySecret;
   guard;
   policy;
+  /** Host-injected (or in-memory default) secret store. The hub re-persists
+   *  rotated credentials here when a connection carries a secretRef. */
+  secretStore;
+  oauthStateStore;
+  oauthStateTtlMs;
+  credentialsRotated;
   now;
   constructor(options) {
     if (!options.capabilitySecret) {
@@ -3382,6 +3466,10 @@ var IntegrationHub = class {
     this.capabilitySecret = options.capabilitySecret;
     this.guard = options.guard;
     this.policy = options.policy;
+    this.secretStore = options.secretStore ?? new InMemoryIntegrationSecretStore();
+    this.oauthStateStore = options.oauthStateStore ?? new InMemoryIntegrationOAuthStateStore();
+    this.oauthStateTtlMs = options.oauthStateTtlMs ?? 10 * 60 * 1e3;
+    this.credentialsRotated = options.credentialsRotated;
     this.now = options.now ?? (() => /* @__PURE__ */ new Date());
   }
   async listConnectors() {
@@ -3399,11 +3487,33 @@ var IntegrationHub = class {
     const provider = this.requireProvider(providerId);
     if (!provider.startAuth) throw new IntegrationError(`Provider ${providerId} does not support auth start.`, "auth_not_supported");
     await this.requireConnector(provider, request.connectorId);
-    return provider.startAuth(request);
+    const result = await provider.startAuth(request);
+    const record = {
+      state: result.state,
+      providerId,
+      connectorId: request.connectorId,
+      owner: request.owner,
+      requestedScopes: request.requestedScopes,
+      redirectUri: request.redirectUri,
+      expiresAt: this.now().getTime() + this.oauthStateTtlMs,
+      metadata: request.metadata
+    };
+    await this.oauthStateStore.put(record);
+    return result;
   }
   async completeAuth(providerId, request) {
     const provider = this.requireProvider(providerId);
     if (!provider.completeAuth) throw new IntegrationError(`Provider ${providerId} does not support auth completion.`, "auth_not_supported");
+    const outcome = await this.oauthStateStore.consume(request.state);
+    if (!outcome.ok) {
+      throw new IntegrationError(`Integration OAuth state ${outcome.reason}: possible CSRF, replay, or stale flow.`, "capability_invalid");
+    }
+    if (outcome.state.providerId !== providerId || outcome.state.connectorId !== request.connectorId) {
+      throw new IntegrationError("Integration OAuth state does not match completion request.", "capability_invalid");
+    }
+    if (outcome.state.redirectUri !== request.redirectUri) {
+      throw new IntegrationError("Integration OAuth redirect URI does not match the start request.", "capability_invalid");
+    }
     const connection = await provider.completeAuth(request);
     await this.store.put(connection);
     return connection;
@@ -4026,6 +4136,24 @@ function buildDefaultIntegrationRegistry(options = {}) {
   }
   return composeIntegrationRegistry(sources);
 }
+function classifyIntegrationCatalogExecutability(registry = buildDefaultIntegrationRegistry()) {
+  const packageByConnector = new Map(
+    listActivepiecesCatalogEntries().filter((entry) => entry.npmPackage).map((entry) => [entry.id, entry.npmPackage])
+  );
+  return registry.entries.map((entry) => {
+    const runtimePackage = packageByConnector.get(entry.connector.id);
+    const tierExecutable = entry.supportTier === "firstPartyExecutable" || entry.supportTier === "sandboxExecutable" || entry.supportTier === "gatewayExecutable";
+    return {
+      canonicalId: entry.canonicalId,
+      executable: tierExecutable && entry.connector.actions.length > 0,
+      supportTier: entry.supportTier,
+      authKind: entry.connector.auth,
+      runtimePackage,
+      actionCount: entry.connector.actions.length,
+      triggerCount: entry.connector.triggers?.length ?? 0
+    };
+  });
+}
 function composeIntegrationRegistry(sources, options = {}) {
   const aliases = { ...DEFAULT_ALIASES, ...options.aliases ?? {} };
   const precedence = { ...DEFAULT_SOURCE_PRECEDENCE, ...options.sourcePrecedence ?? {} };
@@ -4227,40 +4355,56 @@ function buildIntegrationToolCatalog(connectors) {
   const tools = [];
   for (const connector of connectors) {
     for (const action of connector.actions) {
-      const tags = unique8([
-        connector.id,
-        connector.providerId,
-        connector.title,
-        connector.category,
-        action.id,
-        action.title,
-        action.risk,
-        action.dataClass,
-        ...connector.scopes ?? [],
-        ...action.requiredScopes ?? []
-      ].flatMap(tokenize));
-      tools.push({
-        name: integrationToolName(connector.providerId, connector.id, action.id),
-        title: `${connector.title}: ${action.title}`,
-        description: action.description ?? `${action.risk} action ${action.id} on ${connector.title}`,
-        providerId: connector.providerId,
-        connectorId: connector.id,
-        connectorTitle: connector.title,
-        category: connector.category,
-        action,
-        risk: action.risk,
-        dataClass: action.dataClass,
-        requiredScopes: action.requiredScopes,
-        inputSchema: action.inputSchema,
-        outputSchema: action.outputSchema,
-        tags,
-        supportTier: toolSupportTier(connector),
-        runnable: toolRunnable(connector)
-      });
+      tools.push(flattenIntegrationToolDefinition(connector, action));
     }
   }
   return tools;
 }
+function flattenIntegrationToolDefinition(connector, action) {
+  const tags = unique8([
+    connector.id,
+    connector.providerId,
+    connector.title,
+    connector.category,
+    action.id,
+    action.title,
+    action.risk,
+    action.dataClass,
+    ...connector.scopes ?? [],
+    ...action.requiredScopes ?? []
+  ].flatMap(tokenize));
+  return {
+    name: integrationToolName(connector.providerId, connector.id, action.id),
+    title: `${connector.title}: ${action.title}`,
+    description: action.description ?? `${action.risk} action ${action.id} on ${connector.title}`,
+    providerId: connector.providerId,
+    connectorId: connector.id,
+    connectorTitle: connector.title,
+    category: connector.category,
+    action,
+    risk: action.risk,
+    dataClass: action.dataClass,
+    requiredScopes: action.requiredScopes,
+    inputSchema: action.inputSchema,
+    outputSchema: action.outputSchema,
+    tags,
+    supportTier: toolSupportTier(connector),
+    runnable: toolRunnable(connector)
+  };
+}
+function describeIntegrationTool(registry, toolName) {
+  let parsed;
+  try {
+    parsed = parseIntegrationToolName(toolName);
+  } catch {
+    return void 0;
+  }
+  const entry = registry.byId.get(parsed.connectorId);
+  if (!entry) return void 0;
+  const action = entry.connector.actions.find((candidate) => candidate.id === parsed.actionId);
+  if (!action) return void 0;
+  return flattenIntegrationToolDefinition(entry.connector, action);
+}
 function buildIntegrationCatalogView(input) {
   const runtimeConnectors = input.executableRegistry?.connectors ?? input.discoveryRegistry.connectors.filter((connector) => toolRunnable(connector));
   const runtimeTools = buildIntegrationToolCatalog(runtimeConnectors);
@@ -4361,6 +4505,8 @@ export {
   integrationToolName,
   parseIntegrationToolName,
   buildIntegrationToolCatalog,
+  flattenIntegrationToolDefinition,
+  describeIntegrationTool,
   buildIntegrationCatalogView,
   searchIntegrationTools,
   toMcpTools,
@@ -4389,10 +4535,21 @@ export {
   extractExternalCatalogPublicCount,
   auditTangleIntegrationCatalogFreshness,
   buildDefaultIntegrationRegistry,
+  classifyIntegrationCatalogExecutability,
   composeIntegrationRegistry,
   summarizeIntegrationRegistry,
   canonicalConnectorId,
   inferIntegrationSupportTier,
+  createConnectorAdapterProvider,
+  adapterManifestsToConnectors,
+  createConnectorAdapterCatalogSource,
+  manifestToConnector,
+  InMemoryIntegrationSecretStore,
+  InMemoryIntegrationOAuthStateStore,
+  createConnectionCredentialResolver,
+  resolveConnectionCredentials,
+  createCredentialBackedAdapterProvider,
+  revokeConnection,
   InMemoryIntegrationAuditStore,
   createIntegrationAuditEvent,
   createAuditingActionGuard,
@@ -4415,15 +4572,6 @@ export {
   createTangleIntegrationsClient,
   renderConsentSummary,
   renderApprovalCopy,
-  createConnectorAdapterProvider,
-  adapterManifestsToConnectors,
-  createConnectorAdapterCatalogSource,
-  manifestToConnector,
-  InMemoryIntegrationSecretStore,
-  createConnectionCredentialResolver,
-  resolveConnectionCredentials,
-  createCredentialBackedAdapterProvider,
-  revokeConnection,
   discoverWorkspaceCapabilities,
   filterDiscoveryByWorkspaceScopes,
   InMemoryIntegrationEventStore,
@@ -4484,4 +4632,4 @@ export {
   signCapability,
   verifyCapabilityToken
 };
-//# sourceMappingURL=chunk-TUX6MJJ4.js.map
+//# sourceMappingURL=chunk-M2RFFAMB.js.map