@tangle-network/agent-integrations 0.31.0 → 0.33.0

package/dist/tangle-catalog-runtime.d.ts

@@ -1,8 +1,3 @@
-export { T as TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER, N as TangleCatalogAuthResolverOptions, O as TangleCatalogHttpAuthResolverOptions, P as TangleCatalogHttpAuthResolverRequest, Q as TangleCatalogInstalledPackageExecutorOptions, S as TangleCatalogRuntimeHandlerOptions, U as TangleCatalogRuntimeHttpRequest, V as TangleCatalogRuntimeHttpResponse, W as TangleCatalogRuntimeInvocation, X as TangleCatalogRuntimeModuleAction, Y as TangleCatalogRuntimePackageCoverageOptions, Z as TangleCatalogRuntimePackageCoverageRow, _ as auditTangleCatalogRuntimePackages, $ as createTangleCatalogCredentialAuthResolver, a0 as createTangleCatalogHttpAuthResolver, a1 as createTangleCatalogInstalledPackageExecutor, a2 as createTangleCatalogRuntimeHandler, a3 as signTangleCatalogRuntimeRequest, a4 as tangleCatalogAuthValue, a5 as verifyTangleCatalogRuntimeSignature } from './registry.js';
-import './tangle-id-Dj0ipP4E.js';
-import './errors-Bg3_rxnQ.js';
-import './connect/index.js';
-import './middleware/index.js';
-import './connectors/index.js';
-import './connectors/adapters/index.js';
-import 'node:http';
+export { h as TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER, i as TangleCatalogAuthResolverOptions, T as TangleCatalogHttpAuthResolverOptions, j as TangleCatalogHttpAuthResolverRequest, a as TangleCatalogInstalledPackageExecutorOptions, n as TangleCatalogRuntimeHandlerOptions, o as TangleCatalogRuntimeHttpRequest, p as TangleCatalogRuntimeHttpResponse, q as TangleCatalogRuntimeInvocation, r as TangleCatalogRuntimeModuleAction, s as TangleCatalogRuntimePackageCoverageOptions, t as TangleCatalogRuntimePackageCoverageRow, w as auditTangleCatalogRuntimePackages, D as createTangleCatalogCredentialAuthResolver, E as createTangleCatalogHttpAuthResolver, G as createTangleCatalogInstalledPackageExecutor, H as createTangleCatalogRuntimeHandler, K as signTangleCatalogRuntimeRequest, L as tangleCatalogAuthValue, N as verifyTangleCatalogRuntimeSignature } from './tangle-catalog-runtime-2HddXxoM.js';
+import './core-types-D5Dc65Ud.js';
+import './types-XdpvaIzW.js';

package/dist/tangle-catalog-runtime.js

@@ -8,16 +8,16 @@ import {
   signTangleCatalogRuntimeRequest,
   tangleCatalogAuthValue,
   verifyTangleCatalogRuntimeSignature
-} from "./chunk-M2RFFAMB.js";
-import "./chunk-JCHD6L3B.js";
-import "./chunk-CDY2ETYT.js";
+} from "./chunk-XO2RSS6Y.js";
+import "./chunk-43VQSANC.js";
+import "./chunk-YPZORI3G.js";
 import "./chunk-H4XYLS7T.js";
-import "./chunk-S2MVWQYL.js";
-import "./chunk-VVC7U7W7.js";
+import "./chunk-RF3RH374.js";
+import "./chunk-7T5YTVER.js";
 import "./chunk-376UBTNB.js";
-import "./chunk-F4YILONK.js";
+import "./chunk-6N23S4JY.js";
 import "./chunk-2TW2QKGZ.js";
-import "./chunk-Q5X3QNHR.js";
+import "./chunk-NQ7OPDUM.js";
 export {
   TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER,
   auditTangleCatalogRuntimePackages,

package/dist/tangle-id-DA_qj-O_.d.ts

@@ -0,0 +1,192 @@
+import { C as ConnectorAdapter } from './types-XdpvaIzW.js';
+
+/**
+ * @stable Tangle Identity — `id.tangle.tools` connector + verifier.
+ *
+ * This is the *identity* substrate every Tangle product (legal, tax, gtm,
+ * creative, agent-builder, sandbox, evals, …) sits on. The shape mirrors
+ * what `tcloud` and the sandbox `PlatformClient` already implement against
+ * the platform repo at `agent-dev-container-collab-m1/products/platform`,
+ * so consumers can switch from a hand-rolled fetch loop to this adapter
+ * without changing the wire protocol.
+ *
+ * What it covers, end-to-end:
+ *
+ *   verify_token({ token })
+ *     → { kind: 'api_key' | 'session', valid, userId?, workspaceId?, scopes, expiresAt? }
+ *     Verifies a single credential. Two token shapes are recognized:
+ *       - `sk-tan-*` API keys — POST /v1/keys/verify with the service token.
+ *         Returns `userId`, `keyId`, `product`, granted scopes (`allowedModels`
+ *         + product flag), and budget metadata.
+ *       - Better Auth session cookies / Bearer session tokens — GET
+ *         /api/auth/get-session with the credential forwarded as-is.
+ *         Returns the user row.
+ *     Wrong-issuer / tampered / expired all surface as `{ valid: false }`
+ *     with a stable `reason`. Never throws on bad-token; only throws when
+ *     id.tangle.tools itself is unreachable or returns a 5xx (lets callers
+ *     fail closed without confusing token failures with platform failures).
+ *
+ *   get_user({ userId })
+ *     → { id, email, name?, image? }
+ *     Read-only profile lookup. Service-token authenticated. Used by
+ *     `requireTangleAuth` middleware to hydrate the request context when
+ *     a downstream wants the user's email without re-verifying.
+ *
+ *   list_workspaces({ userId })
+ *     → { workspaces: [{ id, name, role, isPersonal }] }
+ *     A workspace = a Tangle team. Personal workspace is rendered with
+ *     `isPersonal: true` (own id === userId on the platform schema).
+ *     Mirrors `GET /v1/teams` on the platform side.
+ *
+ *   switch_workspace({ workspaceId })
+ *     → { ok: true, workspaceId, scopes }
+ *     Stateless on this adapter — the caller persists the workspaceId in
+ *     its own session. The connector returns the workspace's effective
+ *     scope set so the caller can immediately filter capability discovery
+ *     against the new workspace's grant matrix.
+ *
+ *   revoke_session({ token })
+ *     → { ok: true }
+ *     For session tokens: POST /api/auth/sign-out. For API keys: DELETE
+ *     /v1/keys/{id}. The adapter detects the kind from the prefix.
+ *
+ * Auth:
+ *   - **Service token** (`Bearer svc_*`) is required for `verify_token` of
+ *     `sk-tan-*` keys, `get_user`, `list_workspaces`, and `revoke_session`
+ *     of API keys.
+ *   - **Session cookie / Bearer session** is forwarded as-is for session
+ *     verification and session revocation.
+ *
+ * The adapter is stateless. Caller resolves `serviceToken` + `baseUrl` from
+ * env (`TANGLE_PLATFORM_URL`, `TANGLE_SERVICE_TOKEN`) and passes them at
+ * construction. The adapter never reads from `process.env` itself — this
+ * keeps it CF Worker compatible (no Node-only env semantics) and lets
+ * tests inject a fake fetch + service token in one place.
+ */
+
+/** Default platform URL (matches `DEFAULT_PLATFORM_URL` in tcloud). */
+declare const DEFAULT_TANGLE_PLATFORM_URL = "https://id.tangle.tools";
+/** API-key prefix the platform issues. Used to disambiguate token kind
+ *  without a round-trip. */
+declare const TANGLE_API_KEY_PREFIX = "sk-tan-";
+/** Service-token prefix. Mirrored from the platform's middleware so we
+ *  can refuse to forward service tokens through the user-session path. */
+declare const TANGLE_SERVICE_TOKEN_PREFIX = "svc_";
+interface TangleIdentityOptions {
+    /** Base URL of the id.tangle.tools deployment (no trailing slash). */
+    baseUrl?: string;
+    /**
+     * Service token (`svc_*`) used for S2S calls (verify, provision, etc.).
+     * Required for API-key verification and the user/workspace read paths.
+     * Omit only for session-only flows on a deployment that exposes those
+     * routes unauthenticated (rare; never in production).
+     */
+    serviceToken?: string;
+    /** Service identity claimed in the `X-Service-Name` header. */
+    serviceName?: string;
+    /** Injected fetch — defaults to global. Tests pass a vi mock. */
+    fetchImpl?: typeof fetch;
+    /** Per-call timeout override (default {@link PLATFORM_FETCH_TIMEOUT_MS}). */
+    timeoutMs?: number;
+}
+/** Stable result of a token verification. `valid: false` is returned for
+ *  every recognizable bad-token shape (expired, tampered, wrong issuer,
+ *  unknown kind); only true platform unreachability throws. */
+type TangleTokenVerifyResult = {
+    valid: true;
+    kind: 'api_key' | 'session';
+    userId: string;
+    /** Active workspace at the moment of issue, if the credential is
+     *  workspace-scoped (team-owned API key). Personal credentials
+     *  return the user's personal workspace (== `userId`). */
+    workspaceId: string;
+    scopes: string[];
+    /** Wall-clock ms epoch when the credential expires. Undefined for
+     *  non-expiring credentials (most session cookies are sliding). */
+    expiresAt?: number;
+    /** Stable id of the credential row, when known (key.id for API
+     *  keys, session.id for sessions). Useful for revoke + audit. */
+    credentialId?: string;
+    /** Product the credential is scoped to, when known. */
+    product?: string;
+    /** Owner shape — `user` for personal credentials, `team` for
+     *  team-owned API keys. Always matches the workspace's owner type. */
+    ownerType: 'user' | 'team';
+} | {
+    valid: false;
+    /** Stable reason code: `tampered`, `expired`, `revoked`,
+     *  `wrong_issuer`, `unknown_kind`, `service_token_refused`. */
+    reason: TangleTokenVerifyFailure;
+};
+type TangleTokenVerifyFailure = 'tampered' | 'expired' | 'revoked' | 'wrong_issuer' | 'unknown_kind' | 'service_token_refused' | 'malformed';
+interface TangleUserSummary {
+    id: string;
+    email?: string;
+    name?: string | null;
+    image?: string | null;
+}
+interface TangleWorkspaceSummary {
+    id: string;
+    name: string;
+    role: 'owner' | 'admin' | 'member';
+    isPersonal: boolean;
+    /** Effective scope set for the calling user inside this workspace.
+     *  Sourced from the team's plan + per-product policy on the platform. */
+    scopes: string[];
+}
+/** Thrown when id.tangle.tools is unreachable or returns 5xx. NOT thrown
+ *  for bad-token responses — those round-trip as `{ valid: false }`. */
+declare class TangleIdentityUnreachableError extends Error {
+    readonly name = "TangleIdentityUnreachableError";
+    readonly status?: number;
+    constructor(message: string, opts?: {
+        status?: number;
+        cause?: unknown;
+    });
+}
+/** Build a `ConnectorAdapter` exposing id.tangle.tools as a first-party
+ *  integration. The adapter participates in the standard discovery /
+ *  capability gating loop, so a product can list identity ops alongside
+ *  Gmail / Stripe / etc. in the same tool registry. */
+declare function tangleIdentity(opts?: TangleIdentityOptions): ConnectorAdapter;
+/** Low-level HTTP client used by the adapter. Exported so consumers
+ *  (middleware, connect routes, custom apps) can hit id.tangle.tools
+ *  without going through the connector pipeline. */
+interface TangleIdentityClient {
+    verifyToken(token: string): Promise<TangleTokenVerifyResult>;
+    getUser(userId: string): Promise<TangleUserSummary>;
+    listWorkspaces(userId: string): Promise<TangleWorkspaceSummary[]>;
+    switchWorkspace(userId: string, workspaceId: string): Promise<{
+        ok: true;
+        workspaceId: string;
+        scopes: string[];
+    }>;
+    revokeSession(token: string): Promise<void>;
+    /** Create a new workspace owned by `userId`. The platform's
+     *  `POST /v1/teams` returns the persisted row. Idempotent on
+     *  `(ownerId, name)` upstream; conflicts are unwrapped to the
+     *  existing row, not surfaced as errors. */
+    createWorkspace(userId: string, spec: {
+        name: string;
+        slug?: string;
+    }): Promise<TangleWorkspaceSummary>;
+    /** Delete a workspace. Refuses to delete the user's personal
+     *  workspace (the platform-side `/v1/teams/{id}` returns 409). */
+    deleteWorkspace(workspaceId: string): Promise<void>;
+    /** Invite a member to a workspace by email. Idempotent: re-issuing
+     *  the same invite returns the existing pending invitation row. */
+    inviteMember(workspaceId: string, email: string, role?: TangleWorkspaceSummary['role']): Promise<TangleInvitationSummary>;
+    /** Remove a member from a workspace by `userId`. 404 is a no-op. */
+    removeMember(workspaceId: string, userId: string): Promise<void>;
+    ping(): Promise<boolean>;
+}
+interface TangleInvitationSummary {
+    id: string;
+    workspaceId: string;
+    email: string;
+    role: TangleWorkspaceSummary['role'];
+    status: 'pending' | 'accepted' | 'revoked';
+}
+declare function createTangleIdentityClient(opts?: TangleIdentityOptions): TangleIdentityClient;
+
+export { DEFAULT_TANGLE_PLATFORM_URL as D, type TangleIdentityOptions as T, type TangleUserSummary as a, type TangleIdentityClient as b, type TangleTokenVerifyFailure as c, TANGLE_API_KEY_PREFIX as d, TANGLE_SERVICE_TOKEN_PREFIX as e, TangleIdentityUnreachableError as f, type TangleTokenVerifyResult as g, type TangleWorkspaceSummary as h, createTangleIdentityClient as i, tangleIdentity as t };

package/dist/{tangle-id-Dj0ipP4E.d.ts → types-XdpvaIzW.d.ts}

@@ -391,170 +391,4 @@ interface ConnectorManifestValidationResult {
 declare function validateConnectorManifest(manifest: ConnectorManifest): ConnectorManifestValidationResult;
 declare function assertValidConnectorManifest(manifest: ConnectorManifest): void;
 
-/**
- * @stable Tangle Identity — `id.tangle.tools` connector + verifier.
- *
- * This is the *identity* substrate every Tangle product (legal, tax, gtm,
- * creative, agent-builder, sandbox, evals, …) sits on. The shape mirrors
- * what `tcloud` and the sandbox `PlatformClient` already implement against
- * the platform repo at `agent-dev-container-collab-m1/products/platform`,
- * so consumers can switch from a hand-rolled fetch loop to this adapter
- * without changing the wire protocol.
- *
- * What it covers, end-to-end:
- *
- *   verify_token({ token })
- *     → { kind: 'api_key' | 'session', valid, userId?, workspaceId?, scopes, expiresAt? }
- *     Verifies a single credential. Two token shapes are recognized:
- *       - `sk-tan-*` API keys — POST /v1/keys/verify with the service token.
- *         Returns `userId`, `keyId`, `product`, granted scopes (`allowedModels`
- *         + product flag), and budget metadata.
- *       - Better Auth session cookies / Bearer session tokens — GET
- *         /api/auth/get-session with the credential forwarded as-is.
- *         Returns the user row.
- *     Wrong-issuer / tampered / expired all surface as `{ valid: false }`
- *     with a stable `reason`. Never throws on bad-token; only throws when
- *     id.tangle.tools itself is unreachable or returns a 5xx (lets callers
- *     fail closed without confusing token failures with platform failures).
- *
- *   get_user({ userId })
- *     → { id, email, name?, image? }
- *     Read-only profile lookup. Service-token authenticated. Used by
- *     `requireTangleAuth` middleware to hydrate the request context when
- *     a downstream wants the user's email without re-verifying.
- *
- *   list_workspaces({ userId })
- *     → { workspaces: [{ id, name, role, isPersonal }] }
- *     A workspace = a Tangle team. Personal workspace is rendered with
- *     `isPersonal: true` (own id === userId on the platform schema).
- *     Mirrors `GET /v1/teams` on the platform side.
- *
- *   switch_workspace({ workspaceId })
- *     → { ok: true, workspaceId, scopes }
- *     Stateless on this adapter — the caller persists the workspaceId in
- *     its own session. The connector returns the workspace's effective
- *     scope set so the caller can immediately filter capability discovery
- *     against the new workspace's grant matrix.
- *
- *   revoke_session({ token })
- *     → { ok: true }
- *     For session tokens: POST /api/auth/sign-out. For API keys: DELETE
- *     /v1/keys/{id}. The adapter detects the kind from the prefix.
- *
- * Auth:
- *   - **Service token** (`Bearer svc_*`) is required for `verify_token` of
- *     `sk-tan-*` keys, `get_user`, `list_workspaces`, and `revoke_session`
- *     of API keys.
- *   - **Session cookie / Bearer session** is forwarded as-is for session
- *     verification and session revocation.
- *
- * The adapter is stateless. Caller resolves `serviceToken` + `baseUrl` from
- * env (`TANGLE_PLATFORM_URL`, `TANGLE_SERVICE_TOKEN`) and passes them at
- * construction. The adapter never reads from `process.env` itself — this
- * keeps it CF Worker compatible (no Node-only env semantics) and lets
- * tests inject a fake fetch + service token in one place.
- */
-
-/** Default platform URL (matches `DEFAULT_PLATFORM_URL` in tcloud). */
-declare const DEFAULT_TANGLE_PLATFORM_URL = "https://id.tangle.tools";
-/** API-key prefix the platform issues. Used to disambiguate token kind
- *  without a round-trip. */
-declare const TANGLE_API_KEY_PREFIX = "sk-tan-";
-/** Service-token prefix. Mirrored from the platform's middleware so we
- *  can refuse to forward service tokens through the user-session path. */
-declare const TANGLE_SERVICE_TOKEN_PREFIX = "svc_";
-interface TangleIdentityOptions {
-    /** Base URL of the id.tangle.tools deployment (no trailing slash). */
-    baseUrl?: string;
-    /**
-     * Service token (`svc_*`) used for S2S calls (verify, provision, etc.).
-     * Required for API-key verification and the user/workspace read paths.
-     * Omit only for session-only flows on a deployment that exposes those
-     * routes unauthenticated (rare; never in production).
-     */
-    serviceToken?: string;
-    /** Service identity claimed in the `X-Service-Name` header. */
-    serviceName?: string;
-    /** Injected fetch — defaults to global. Tests pass a vi mock. */
-    fetchImpl?: typeof fetch;
-    /** Per-call timeout override (default {@link PLATFORM_FETCH_TIMEOUT_MS}). */
-    timeoutMs?: number;
-}
-/** Stable result of a token verification. `valid: false` is returned for
- *  every recognizable bad-token shape (expired, tampered, wrong issuer,
- *  unknown kind); only true platform unreachability throws. */
-type TangleTokenVerifyResult = {
-    valid: true;
-    kind: 'api_key' | 'session';
-    userId: string;
-    /** Active workspace at the moment of issue, if the credential is
-     *  workspace-scoped (team-owned API key). Personal credentials
-     *  return the user's personal workspace (== `userId`). */
-    workspaceId: string;
-    scopes: string[];
-    /** Wall-clock ms epoch when the credential expires. Undefined for
-     *  non-expiring credentials (most session cookies are sliding). */
-    expiresAt?: number;
-    /** Stable id of the credential row, when known (key.id for API
-     *  keys, session.id for sessions). Useful for revoke + audit. */
-    credentialId?: string;
-    /** Product the credential is scoped to, when known. */
-    product?: string;
-    /** Owner shape — `user` for personal credentials, `team` for
-     *  team-owned API keys. Always matches the workspace's owner type. */
-    ownerType: 'user' | 'team';
-} | {
-    valid: false;
-    /** Stable reason code: `tampered`, `expired`, `revoked`,
-     *  `wrong_issuer`, `unknown_kind`, `service_token_refused`. */
-    reason: TangleTokenVerifyFailure;
-};
-type TangleTokenVerifyFailure = 'tampered' | 'expired' | 'revoked' | 'wrong_issuer' | 'unknown_kind' | 'service_token_refused' | 'malformed';
-interface TangleUserSummary {
-    id: string;
-    email?: string;
-    name?: string | null;
-    image?: string | null;
-}
-interface TangleWorkspaceSummary {
-    id: string;
-    name: string;
-    role: 'owner' | 'admin' | 'member';
-    isPersonal: boolean;
-    /** Effective scope set for the calling user inside this workspace.
-     *  Sourced from the team's plan + per-product policy on the platform. */
-    scopes: string[];
-}
-/** Thrown when id.tangle.tools is unreachable or returns 5xx. NOT thrown
- *  for bad-token responses — those round-trip as `{ valid: false }`. */
-declare class TangleIdentityUnreachableError extends Error {
-    readonly name = "TangleIdentityUnreachableError";
-    readonly status?: number;
-    constructor(message: string, opts?: {
-        status?: number;
-        cause?: unknown;
-    });
-}
-/** Build a `ConnectorAdapter` exposing id.tangle.tools as a first-party
- *  integration. The adapter participates in the standard discovery /
- *  capability gating loop, so a product can list identity ops alongside
- *  Gmail / Stripe / etc. in the same tool registry. */
-declare function tangleIdentity(opts?: TangleIdentityOptions): ConnectorAdapter;
-/** Low-level HTTP client used by the adapter. Exported so consumers
- *  (middleware, connect routes, custom apps) can hit id.tangle.tools
- *  without going through the connector pipeline. */
-interface TangleIdentityClient {
-    verifyToken(token: string): Promise<TangleTokenVerifyResult>;
-    getUser(userId: string): Promise<TangleUserSummary>;
-    listWorkspaces(userId: string): Promise<TangleWorkspaceSummary[]>;
-    switchWorkspace(userId: string, workspaceId: string): Promise<{
-        ok: true;
-        workspaceId: string;
-        scopes: string[];
-    }>;
-    revokeSession(token: string): Promise<void>;
-    ping(): Promise<boolean>;
-}
-declare function createTangleIdentityClient(opts?: TangleIdentityOptions): TangleIdentityClient;
-
-export { type AuthSpec as A, assertValidConnectorManifest as B, type ConnectorAdapter as C, DEFAULT_TANGLE_PLATFORM_URL as D, type EventHandlerResult as E, createTangleIdentityClient as F, tangleIdentity as G, validateConnectorManifest as H, type InboundEvent as I, type ResolvedDataSource as R, type TangleIdentityOptions as T, type TangleUserSummary as a, type TangleIdentityClient as b, type TangleTokenVerifyFailure as c, type ConnectorCredentials as d, type CASStrategy as e, type Capability as f, type CapabilityClass as g, type CapabilityMutation as h, type CapabilityMutationResult as i, type CapabilityParameterSchema as j, type CapabilityRead as k, type CapabilityReadResult as l, type ConnectorInvocation as m, type ConnectorManifest as n, type ConnectorManifestValidationIssue as o, type ConnectorManifestValidationResult as p, type ConsistencyModel as q, CredentialsExpired as r, type DataSourceMetadata as s, type RateLimitSpec as t, ResourceContention as u, TANGLE_API_KEY_PREFIX as v, TANGLE_SERVICE_TOKEN_PREFIX as w, TangleIdentityUnreachableError as x, type TangleTokenVerifyResult as y, type TangleWorkspaceSummary as z };
+export { type AuthSpec as A, type ConnectorAdapter as C, type DataSourceMetadata as D, type EventHandlerResult as E, type InboundEvent as I, type ResolvedDataSource as R, type ConnectorCredentials as a, type CASStrategy as b, type Capability as c, type CapabilityClass as d, type CapabilityMutation as e, type CapabilityMutationResult as f, type CapabilityParameterSchema as g, type CapabilityRead as h, type CapabilityReadResult as i, type ConnectorInvocation as j, type ConnectorManifest as k, type ConnectorManifestValidationIssue as l, type ConnectorManifestValidationResult as m, type ConsistencyModel as n, CredentialsExpired as o, type RateLimitSpec as p, ResourceContention as q, assertValidConnectorManifest as r, validateConnectorManifest as v };

package/docs/integration-execution-audit.md

@@ -22,8 +22,8 @@ This audit separates product contracts from implementation backends:
 | Catalog connectors with auth field metadata | 648 |
 | Custom-auth connectors with auth field metadata | 11 |
 | Runtime package dependencies declared by this package | 0 |
-| Setup specs | 142 |
-| Executable setup specs | 14 |
+| Setup specs | 143 |
+| Executable setup specs | 15 |
 | Catalog/setup-only specs | 128 |
 | Tangle first-class contracts | 669 |
 | Contracts with runtime packages | 669 |
@@ -31,7 +31,7 @@ This audit separates product contracts from implementation backends:
 | Contracts with mapped triggers | 669 |
 | Contracts with mapped auth | 669 |
 | Native adapter backends | 10 |
-| Native adapter surfaces shipped | 16 |
+| Native adapter surfaces shipped | 17 |
 | Package-runtime backends | 659 |
 | Runtime manifest dependencies | 670 |
 | Tangle catalog connectors exposable behind runtime | 669 |
@@ -74,6 +74,7 @@ These are direct in-repo implementations. They are not the only first-class cont
 - `slack`
 - `notion-database`
 - `twilio-sms`
+- `phony`
 - `stripe-pack`
 - `webhook`
 - `stripe`
@@ -95,6 +96,7 @@ Executable setup specs:
 - `hubspot`
 - `microsoft-calendar`
 - `notion-database`
+- `phony`
 - `salesforce`
 - `slack`
 - `stripe-pack`
@@ -107,7 +109,7 @@ Executable setup specs:
 | --- | --- | --- |
 | Tangle first-class contracts | Done | 669 connectors have Tangle-owned action/trigger/auth/runtime contracts. |
 | Connector discovery/catalog search | Done | 669 catalog connectors, 3790 actions, 998 triggers normalized into Tangle catalog shapes. |
-| Native adapter execution | Done for listed native backends | 16 reviewed native adapter surfaces ship from this package; 10 overlap the 669 catalog contracts. |
+| Native adapter execution | Done for listed native backends | 17 reviewed native adapter surfaces ship from this package; 10 overlap the 669 catalog contracts. |
 | OAuth/API-key setup metadata | Partial | 142 setup specs exist; 14 are executable setup specs and 128 are catalog/setup-only. |
 | Package-runtime action execution | Wiring done; runtime deployment/smoke pending | 659 contracts use package-runtime backends with package names and 3790 catalog upstream action names. |
 | Runtime dependency manifest | Done | `buildTangleCatalogRuntimePackageManifest()` emits 670 dependencies for a complete package-runtime worker install. |
@@ -186,7 +188,7 @@ Manual custom auth mapping gap: none.
    There are 998 catalog triggers and 998 upstream trigger names. The provider flow supports trigger subscribe/unsubscribe/normalize hooks. Runtime services still need live webhook/polling smoke verification.
 
 5. **Native adapter coverage is intentionally smaller than contract breadth.**
-   This repo ships 16 native adapter surfaces. 10 overlap the 669 catalog contracts; the other first-class contracts use package-runtime backends.
+   This repo ships 17 native adapter surfaces. 10 overlap the 669 catalog contracts; the other first-class contracts use package-runtime backends.
 
 ## Concrete Launch Interpretation
 

package/docs/integration-execution-matrix.json

@@ -69773,6 +69773,38 @@
       "executable_setup_spec"
     ]
   },
+  {
+    "id": "phony",
+    "title": "phony",
+    "category": "internal",
+    "catalogAuth": null,
+    "setupAuth": {
+      "mode": "api_key",
+      "credential": {
+        "label": "phony API key",
+        "description": "API key or token for phony.",
+        "secret": true
+      },
+      "placement": "bearer"
+    },
+    "runtimePackage": null,
+    "actionCount": null,
+    "triggerCount": null,
+    "setupStatus": "executable",
+    "tangleContractStatus": "native_backed",
+    "implementationKind": "native_adapter",
+    "nativeAdapter": true,
+    "catalogActionMappings": null,
+    "quality": {
+      "tangleContract": true,
+      "authFieldsMapped": true,
+      "actionNamesMapped": true,
+      "triggerNamesMapped": true,
+      "runtimePackageMapped": false,
+      "nativeAdapter": true
+    },
+    "missing": []
+  },
   {
     "id": "photoroom",
     "title": "API key",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tangle-network/agent-integrations",
-  "version": "0.31.0",
+  "version": "0.33.0",
   "description": "Vendor-neutral integration contracts and runtime helpers for sandbox and agent apps.",
   "homepage": "https://github.com/tangle-network/agent-integrations#readme",
   "repository": {
@@ -93,6 +93,15 @@
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "audit:execution": "pnpm build >/dev/null && node scripts/audit-integration-execution.mjs",
+    "prepare": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
   "devDependencies": {
     "@activepieces/piece-gmail": "0.12.3",
     "@activepieces/piece-hackernews": "0.4.3",
@@ -109,12 +118,5 @@
     "node": ">=20"
   },
   "license": "MIT",
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "audit:execution": "pnpm build >/dev/null && node scripts/audit-integration-execution.mjs",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "typecheck": "tsc --noEmit"
-  }
-}
+  "packageManager": "pnpm@10.28.0"
+}