@tangle-network/agent-integrations 0.31.0 → 0.33.0

package/dist/{chunk-M2RFFAMB.js → chunk-XO2RSS6Y.js}

@@ -5,7 +5,7 @@ import {
 import {
   integrationSpecToConnector,
   listIntegrationSpecs
-} from "./chunk-VVC7U7W7.js";
+} from "./chunk-7T5YTVER.js";
 
 // src/activepieces-catalog.ts
 import { readFileSync } from "fs";
@@ -201,10 +201,21 @@ function dataClassFor(category) {
 // src/index.ts
 import { createHmac as createHmac2, randomUUID as randomUUID5, timingSafeEqual as timingSafeEqual2 } from "crypto";
 
+// src/core-error.ts
+var IntegrationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "IntegrationError";
+  }
+  code;
+};
+
 // src/adapter-provider.ts
 function createConnectorAdapterProvider(options) {
   const providerId = options.id ?? "first-party";
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const fetchImpl = options.fetchImpl ?? globalThis.fetch?.bind(globalThis);
   const adapters = /* @__PURE__ */ new Map();
   for (const adapter of options.adapters) {
     adapters.set(adapter.manifest.kind, adapter);
@@ -213,6 +224,159 @@ function createConnectorAdapterProvider(options) {
     id: providerId,
     kind: options.kind ?? "first_party",
     listConnectors: () => [...adapters.values()].map((adapter) => manifestToConnector(providerId, adapter)),
+    async startAuth(request) {
+      const adapter = adapters.get(request.connectorId);
+      if (!adapter) {
+        throw new IntegrationError(
+          `Connector adapter ${request.connectorId} not found.`,
+          "connector_not_found"
+        );
+      }
+      const auth = adapter.manifest.auth;
+      if (auth.kind !== "oauth2") {
+        throw new IntegrationError(
+          `Connector ${request.connectorId} does not support OAuth2 authorization (auth kind: ${auth.kind}).`,
+          "auth_not_supported"
+        );
+      }
+      if (!options.resolveOAuthClient) {
+        throw new IntegrationError(
+          `OAuth client resolver missing on adapter provider; cannot start auth for ${request.connectorId}.`,
+          "config_missing"
+        );
+      }
+      const client = await options.resolveOAuthClient({ connectorId: request.connectorId });
+      if (!client || !client.clientId || !client.clientSecret) {
+        throw new IntegrationError(
+          `OAuth client credentials unavailable for ${request.connectorId}.`,
+          "config_missing"
+        );
+      }
+      const scopes = request.requestedScopes && request.requestedScopes.length > 0 ? request.requestedScopes : auth.scopes;
+      const url = new URL(auth.authorizationUrl);
+      url.searchParams.set("response_type", "code");
+      url.searchParams.set("client_id", client.clientId);
+      url.searchParams.set("redirect_uri", request.redirectUri);
+      if (scopes.length > 0) {
+        url.searchParams.set("scope", scopes.join(" "));
+      }
+      const state = request.state ?? randomState();
+      url.searchParams.set("state", state);
+      if (auth.extraAuthParams) {
+        for (const [key, value] of Object.entries(auth.extraAuthParams)) {
+          url.searchParams.set(key, value);
+        }
+      }
+      return {
+        providerId,
+        connectorId: request.connectorId,
+        authUrl: url.toString(),
+        state,
+        metadata: request.metadata
+      };
+    },
+    async completeAuth(request) {
+      const adapter = adapters.get(request.connectorId);
+      if (!adapter) {
+        throw new IntegrationError(
+          `Connector adapter ${request.connectorId} not found.`,
+          "connector_not_found"
+        );
+      }
+      const auth = adapter.manifest.auth;
+      if (auth.kind !== "oauth2") {
+        throw new IntegrationError(
+          `Connector ${request.connectorId} does not support OAuth2 authorization (auth kind: ${auth.kind}).`,
+          "auth_not_supported"
+        );
+      }
+      if (!request.code) {
+        throw new IntegrationError(
+          `Authorization code missing on completeAuth for ${request.connectorId}.`,
+          "config_missing"
+        );
+      }
+      if (!options.resolveOAuthClient) {
+        throw new IntegrationError(
+          `OAuth client resolver missing on adapter provider; cannot complete auth for ${request.connectorId}.`,
+          "config_missing"
+        );
+      }
+      const client = await options.resolveOAuthClient({ connectorId: request.connectorId });
+      if (!client || !client.clientId || !client.clientSecret) {
+        throw new IntegrationError(
+          `OAuth client credentials unavailable for ${request.connectorId}.`,
+          "config_missing"
+        );
+      }
+      if (!fetchImpl) {
+        throw new IntegrationError(
+          "No fetch implementation available; inject fetchImpl into createConnectorAdapterProvider.",
+          "config_missing"
+        );
+      }
+      const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code: request.code,
+        client_id: client.clientId,
+        client_secret: client.clientSecret,
+        redirect_uri: request.redirectUri
+      });
+      let res;
+      try {
+        res = await fetchImpl(auth.tokenUrl, {
+          method: "POST",
+          headers: {
+            "content-type": "application/x-www-form-urlencoded",
+            accept: "application/json"
+          },
+          body
+        });
+      } catch (cause) {
+        throw new IntegrationError(
+          `OAuth token exchange transport error for ${request.connectorId}: ${cause?.message ?? "unknown"}`,
+          "provider_failure"
+        );
+      }
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new IntegrationError(
+          `OAuth token exchange failed for ${request.connectorId}: ${res.status} ${res.statusText} \u2014 ${text.slice(0, 200)}`,
+          "provider_failure"
+        );
+      }
+      let json;
+      try {
+        json = await res.json();
+      } catch {
+        throw new IntegrationError(
+          `OAuth token exchange returned non-JSON body for ${request.connectorId}.`,
+          "provider_failure"
+        );
+      }
+      if (!json.access_token) {
+        throw new IntegrationError(
+          `OAuth token exchange returned no access_token for ${request.connectorId}.`,
+          "provider_failure"
+        );
+      }
+      const grantedScopes = typeof json.scope === "string" && json.scope.length > 0 ? json.scope.split(/[\s,]+/).filter(Boolean) : [];
+      const issued = now();
+      const issuedIso = issued.toISOString();
+      const expiresAt = typeof json.expires_in === "number" && json.expires_in > 0 ? new Date(issued.getTime() + json.expires_in * 1e3).toISOString() : void 0;
+      return {
+        id: randomConnectionId(),
+        owner: request.owner,
+        providerId,
+        connectorId: request.connectorId,
+        status: "active",
+        grantedScopes,
+        createdAt: issuedIso,
+        updatedAt: issuedIso,
+        expiresAt,
+        metadata: request.metadata
+      };
+    },
     async invokeAction(connection, request) {
       const adapter = adapters.get(connection.connectorId);
       if (!adapter) {
@@ -368,6 +532,25 @@ function toRecord(input) {
   if (input && typeof input === "object" && !Array.isArray(input)) return input;
   return {};
 }
+function randomState() {
+  const bytes = new Uint8Array(24);
+  globalThis.crypto.getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+function randomConnectionId() {
+  if (typeof globalThis.crypto?.randomUUID === "function") {
+    return `conn_${globalThis.crypto.randomUUID().replace(/-/g, "")}`;
+  }
+  const bytes = new Uint8Array(16);
+  globalThis.crypto.getRandomValues(bytes);
+  return `conn_${base64UrlEncode(bytes)}`;
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (const b of bytes) bin += String.fromCharCode(b);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
 
 // src/credentials.ts
 var InMemoryIntegrationSecretStore = class {
@@ -1013,6 +1196,116 @@ function assertBridgePayload(value) {
   if (!Array.isArray(payload.tools)) throw new Error("Invalid integration bridge tools.");
 }
 
+// src/apps.ts
+var TangleAppsClient = class {
+  endpoint;
+  fetchImpl;
+  constructor(options) {
+    this.endpoint = options.endpoint.replace(/\/$/, "");
+    this.fetchImpl = options.fetchImpl ?? fetch;
+  }
+  /**
+   * Register a product as an app (ONE-TIME, with the owner's bearer — a Tangle
+   * session or `sk-tan-*` key). Returns the client_id + the once-shown
+   * client_secret; persist the secret immediately (never retrievable again).
+   */
+  async registerApp(input, ownerBearer) {
+    const data = await this.request(
+      "POST",
+      "/v1/apps",
+      input,
+      ownerBearer
+    );
+    return { ...data.app, clientSecret: data.clientSecret };
+  }
+  /** List the caller's registered apps (no secrets). */
+  async listApps(ownerBearer) {
+    const data = await this.request("GET", "/v1/apps", void 0, ownerBearer);
+    return data.apps ?? [];
+  }
+  /** Revoke an app and cascade-kill its grants + tokens. */
+  revokeApp(appId, ownerBearer) {
+    return this.request("POST", `/v1/apps/${encodeURIComponent(appId)}/revoke`, {}, ownerBearer);
+  }
+  /**
+   * Durable re-mint: mint a fresh single-use `sk-tan-broker-` token against an
+   * existing consented grant using ONLY the app credentials — no user session,
+   * no `agc_` code. The runtime path: one call per `/v1/hub/exec`.
+   */
+  async mintBrokerToken(input) {
+    const data = await this.request(
+      "POST",
+      `/v1/apps/grants/${encodeURIComponent(input.grantId)}/mint-broker-token`,
+      {
+        client_id: input.clientId,
+        client_secret: input.clientSecret,
+        grant_id: input.grantId,
+        ...input.ttlSeconds ? { ttl_seconds: input.ttlSeconds } : {}
+      }
+    );
+    return toBrokerToken(data);
+  }
+  /**
+   * Exchange an `agc_` authorization code (from the user's one-time consent)
+   * for the first broker token + the durable grant. Use on the consent
+   * callback; afterward `mintBrokerToken` is enough.
+   */
+  async exchangeAuthCode(input) {
+    const data = await this.request("POST", "/v1/apps/oauth/token", {
+      grant_type: "authorization_code",
+      client_id: input.clientId,
+      client_secret: input.clientSecret,
+      code: input.code,
+      redirect_uri: input.redirectUri,
+      ...input.connectionId ? { connection_id: input.connectionId } : {}
+    });
+    return toBrokerToken(data);
+  }
+  async request(method, path, body, bearer) {
+    try {
+      const headers = { accept: "application/json" };
+      if (bearer) headers.authorization = `Bearer ${bearer}`;
+      if (body !== void 0) headers["content-type"] = "application/json";
+      const response = await this.fetchImpl(`${this.endpoint}${path}`, {
+        method,
+        headers,
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      });
+      const json = await response.json().catch(() => void 0);
+      if (!response.ok || json && json.success === false) {
+        const platformCode = json?.error && typeof json.error === "object" ? json.error.code : void 0;
+        const message = json?.error && typeof json.error === "object" && json.error.message || (typeof json?.error === "string" ? json.error : `Tangle apps request failed (HTTP ${response.status})`);
+        throw new IntegrationRuntimeError({
+          code: platformCode === "BROKER_DISABLED" ? "passthrough_disabled" : "unknown",
+          message,
+          status: response.status,
+          metadata: { platformCode, path }
+        });
+      }
+      return (json && "data" in json ? json.data : json) ?? {};
+    } catch (error) {
+      if (error instanceof IntegrationRuntimeError) throw error;
+      const normalized = normalizeIntegrationError(error);
+      throw new IntegrationRuntimeError({
+        code: normalized.code,
+        message: normalized.message,
+        metadata: { path, userAction: normalized.userAction }
+      });
+    }
+  }
+};
+function createTangleAppsClient(options) {
+  return new TangleAppsClient(options);
+}
+function toBrokerToken(data) {
+  return {
+    accessToken: data.access_token,
+    expiresIn: data.expires_in,
+    scope: data.scope,
+    connectionId: data.connection_id
+  };
+}
+
 // src/client.ts
 var TangleIntegrationsClient = class {
   endpoint;
@@ -3419,14 +3712,6 @@ function sameActor2(a, b) {
 }
 
 // src/index.ts
-var IntegrationError = class extends Error {
-  constructor(message, code) {
-    super(message);
-    this.code = code;
-    this.name = "IntegrationError";
-  }
-  code;
-};
 var InMemoryConnectionStore = class {
   connections = /* @__PURE__ */ new Map();
   get(connectionId) {
@@ -3735,7 +4020,7 @@ function createHttpIntegrationProvider(options) {
   };
 }
 function signCapability(capability, secret) {
-  const payload = base64UrlEncode(JSON.stringify(capability));
+  const payload = base64UrlEncode2(JSON.stringify(capability));
   const signature = hmac(payload, secret);
   return `${payload}.${signature}`;
 }
@@ -3779,7 +4064,7 @@ function constantTimeEqual(a, b) {
   const right = Buffer.from(b);
   return left.length === right.length && timingSafeEqual2(left, right);
 }
-function base64UrlEncode(value) {
+function base64UrlEncode2(value) {
   return Buffer.from(value, "utf8").toString("base64url");
 }
 function base64UrlDecode(value) {
@@ -4540,6 +4825,7 @@ export {
   summarizeIntegrationRegistry,
   canonicalConnectorId,
   inferIntegrationSupportTier,
+  IntegrationError,
   createConnectorAdapterProvider,
   adapterManifestsToConnectors,
   createConnectorAdapterCatalogSource,
@@ -4568,6 +4854,8 @@ export {
   buildIntegrationBridgeEnvironment,
   parseIntegrationBridgeEnvironment,
   redactIntegrationBridgePayload,
+  TangleAppsClient,
+  createTangleAppsClient,
   TangleIntegrationsClient,
   createTangleIntegrationsClient,
   renderConsentSummary,
@@ -4623,7 +4911,6 @@ export {
   InMemoryIntegrationWorkflowStore,
   IntegrationWorkflowRuntime,
   createIntegrationWorkflowRuntime,
-  IntegrationError,
   InMemoryConnectionStore,
   IntegrationHub,
   sanitizeConnection,
@@ -4632,4 +4919,4 @@ export {
   signCapability,
   verifyCapabilityToken
 };
-//# sourceMappingURL=chunk-M2RFFAMB.js.map
+//# sourceMappingURL=chunk-XO2RSS6Y.js.map