@tangle-network/agent-integrations 0.32.0 → 0.33.0

package/dist/registry.d.ts

@@ -1,17 +1,7 @@
-import { C as ConnectorAdapter, R as ResolvedDataSource, d as ConnectorCredentials } from './tangle-id-Dj0ipP4E.js';
-import './errors-Bg3_rxnQ.js';
-import './connect/index.js';
-import './middleware/index.js';
-import './connectors/index.js';
-import './connectors/adapters/index.js';
-import { Server, IncomingMessage, ServerResponse } from 'node:http';
+import { b as IntegrationConnector, h as IntegrationCatalogSource } from './core-types-D5Dc65Ud.js';
+import './types-XdpvaIzW.js';
 
 type IntegrationSupportTier = 'catalogOnly' | 'setupReady' | 'gatewayExecutable' | 'firstPartyExecutable' | 'sandboxExecutable';
-interface IntegrationCatalogSource {
-    id: string;
-    connectors: IntegrationConnector[];
-    precedence?: number;
-}
 interface IntegrationRegistrySourceRef {
     sourceId: string;
     providerId: string;
@@ -85,2415 +75,4 @@ declare function summarizeIntegrationRegistry(registry: IntegrationRegistry): In
 declare function canonicalConnectorId(id: string, aliases?: Record<string, string>): string;
 declare function inferIntegrationSupportTier(connector: IntegrationConnector): IntegrationSupportTier;
 
-/** OAuth client credentials the host resolves at start/exchange time.
- *  The lib never reads env or any vault — kept edge-runtime-safe. */
-interface OAuthClientCredentials {
-    clientId: string;
-    clientSecret: string;
-}
-interface ConnectorAdapterProviderOptions {
-    id?: string;
-    kind?: IntegrationProviderKind;
-    adapters: ConnectorAdapter[];
-    resolveDataSource: (connection: IntegrationConnection) => Promise<ResolvedDataSource> | ResolvedDataSource;
-    /** Invoked when an adapter rotates credentials during executeRead /
-     *  executeMutation (e.g. an OAuth access token refreshed on expiry). The
-     *  host re-encrypts + persists the rotated envelope so the next expiry
-     *  does not force a reconnect. Carries the connection so the host can
-     *  resolve the secretRef. */
-    onCredentialsRotated?: (event: {
-        connection: IntegrationConnection;
-        credentials: ConnectorCredentials;
-    }) => Promise<void> | void;
-    /** Resolve OAuth client_id / client_secret for an oauth2 adapter at
-     *  start- and exchange-time. Host owns env, vault, and per-tenant
-     *  overrides. Return null to refuse the flow (lib will throw
-     *  `config_missing`). The lib never logs the secret nor includes it
-     *  in thrown error messages. */
-    resolveOAuthClient?: (input: {
-        connectorId: string;
-    }) => Promise<OAuthClientCredentials | null> | OAuthClientCredentials | null;
-    /** Fetch implementation forwarded to the OAuth token exchange. Default
-     *  is `globalThis.fetch`. Tests inject a mock. */
-    fetchImpl?: typeof fetch;
-    now?: () => Date;
-}
-declare function createConnectorAdapterProvider(options: ConnectorAdapterProviderOptions): IntegrationProvider;
-declare function adapterManifestsToConnectors(adapters: ConnectorAdapter[], providerId?: string): IntegrationConnector[];
-declare function createConnectorAdapterCatalogSource(options: {
-    id?: string;
-    providerId?: string;
-    adapters: ConnectorAdapter[];
-    precedence?: number;
-}): IntegrationCatalogSource;
-declare function manifestToConnector(providerId: string, adapter: ConnectorAdapter): IntegrationConnector;
-
-interface IntegrationSecretStore {
-    get(ref: SecretRef): Promise<ConnectorCredentials | undefined> | ConnectorCredentials | undefined;
-    put(ref: SecretRef, credentials: ConnectorCredentials): Promise<void> | void;
-    delete?(ref: SecretRef): Promise<void> | void;
-}
-/** Single-use record stashed at OAuth-start and consumed once at callback to
- *  guard against CSRF / replay. The hub injects its own durable
- *  implementation (KV/Redis/D1) so the callback can land on any worker. */
-interface IntegrationOAuthState {
-    /** Opaque value round-tripped through the provider redirect. */
-    state: string;
-    /** Provider the auth flow targets. */
-    providerId: string;
-    /** Connector the user is connecting. */
-    connectorId: string;
-    /** Owner initiating the flow. */
-    owner: IntegrationActor;
-    /** Scopes requested at start; verified against the granted scopes on callback. */
-    requestedScopes: string[];
-    /** Redirect URI used at start; MUST match exactly on callback exchange. */
-    redirectUri: string;
-    /** PKCE code_verifier, when the connector uses PKCE. */
-    codeVerifier?: string;
-    /** Absolute expiry (UTC ms since epoch). consume() MUST treat an expired
-     *  record as a miss. */
-    expiresAt: number;
-    /** Arbitrary non-secret context the host pinned at start-time. */
-    metadata?: Record<string, unknown>;
-}
-/** Outcome of consuming an OAuth state record. Callers MUST inspect `ok`
- *  before using `state`; a miss (`unknown`/`expired`) is the CSRF/replay
- *  guard firing, not an exception. */
-type IntegrationOAuthStateOutcome = {
-    ok: true;
-    state: IntegrationOAuthState;
-} | {
-    ok: false;
-    reason: 'unknown' | 'expired';
-};
-/** Host-injectable store for single-use OAuth-start records. The default is
- *  in-memory for local/dev and tests; multi-tenant hubs inject a durable
- *  encrypted store so callbacks survive worker hops. consume() MUST be
- *  single-use: a second consume of the same state returns `{ ok: false }`. */
-interface IntegrationOAuthStateStore {
-    put(state: IntegrationOAuthState): Promise<void> | void;
-    consume(state: string): Promise<IntegrationOAuthStateOutcome> | IntegrationOAuthStateOutcome;
-    sweep?(now: number): Promise<void> | void;
-}
-interface ConnectionCredentialResolverOptions {
-    secrets: IntegrationSecretStore;
-    connections?: IntegrationConnectionStore;
-    adapters?: ConnectorAdapter[];
-    now?: () => Date;
-    markConnectionError?: (connection: IntegrationConnection, error: Error) => Promise<void> | void;
-}
-declare class InMemoryIntegrationSecretStore implements IntegrationSecretStore {
-    private readonly secrets;
-    get(ref: SecretRef): ConnectorCredentials | undefined;
-    put(ref: SecretRef, credentials: ConnectorCredentials): void;
-    delete(ref: SecretRef): void;
-}
-/** Test/dev double for {@link IntegrationOAuthStateStore}. Production hubs
- *  inject a durable implementation; this one keeps records in a Map and
- *  enforces the single-use + expiry contract. */
-declare class InMemoryIntegrationOAuthStateStore implements IntegrationOAuthStateStore {
-    private readonly states;
-    put(state: IntegrationOAuthState): void;
-    consume(state: string): IntegrationOAuthStateOutcome;
-    sweep(now: number): void;
-}
-declare function createConnectionCredentialResolver(options: ConnectionCredentialResolverOptions): (connection: IntegrationConnection) => Promise<ResolvedDataSource>;
-declare function resolveConnectionCredentials(input: IntegrationConnection, options: ConnectionCredentialResolverOptions): Promise<ConnectorCredentials>;
-type CredentialBackedAdapterProviderOptions = Omit<ConnectorAdapterProviderOptions, 'resolveDataSource' | 'onCredentialsRotated'> & ConnectionCredentialResolverOptions & {
-    /** Fired after the provider re-persists rotated credentials to the
-     *  secret + connection stores. Receives the hub-shaped event including
-     *  the resolved secretRef so the host can drive external re-encryption
-     *  or telemetry. */
-    onCredentialsRotated?: (event: IntegrationCredentialsRotatedEvent) => Promise<void> | void;
-};
-declare function createCredentialBackedAdapterProvider(options: CredentialBackedAdapterProviderOptions): IntegrationProvider;
-declare function revokeConnection(input: {
-    connection: IntegrationConnection;
-    connections?: IntegrationConnectionStore;
-    secrets?: IntegrationSecretStore;
-    now?: () => Date;
-}): Promise<IntegrationConnection>;
-
-type IntegrationAuditEventType = 'connection.created' | 'connection.updated' | 'connection.revoked' | 'grant.created' | 'grant.revoked' | 'capability.issued' | 'action.invoked' | 'action.failed' | 'trigger.subscribed' | 'trigger.received' | 'workflow.installed' | 'approval.requested' | 'approval.resolved' | 'healthcheck.completed';
-interface IntegrationAuditEvent {
-    id: string;
-    type: IntegrationAuditEventType;
-    occurredAt: string;
-    actor?: IntegrationActor;
-    connectionId?: string;
-    providerId?: string;
-    connectorId?: string;
-    action?: string;
-    risk?: IntegrationConnectorAction['risk'];
-    dataClass?: IntegrationDataClass;
-    ok?: boolean;
-    message?: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationAuditSink {
-    record(event: IntegrationAuditEvent): Promise<void> | void;
-}
-interface IntegrationAuditStore extends IntegrationAuditSink {
-    list(filter?: IntegrationAuditFilter): Promise<IntegrationAuditEvent[]> | IntegrationAuditEvent[];
-}
-interface IntegrationAuditFilter {
-    type?: IntegrationAuditEventType;
-    actor?: IntegrationActor;
-    connectionId?: string;
-    providerId?: string;
-    connectorId?: string;
-    action?: string;
-}
-declare class InMemoryIntegrationAuditStore implements IntegrationAuditStore {
-    private readonly events;
-    record(event: IntegrationAuditEvent): void;
-    list(filter?: IntegrationAuditFilter): IntegrationAuditEvent[];
-}
-declare function createIntegrationAuditEvent(input: Omit<IntegrationAuditEvent, 'id' | 'occurredAt'> & {
-    id?: string;
-    occurredAt?: string | Date;
-    now?: () => Date;
-}): IntegrationAuditEvent;
-declare function createAuditingActionGuard(options: {
-    sink: IntegrationAuditSink;
-    subject?: IntegrationActor;
-    now?: () => Date;
-    includeInputPreview?: boolean;
-}): IntegrationActionGuard;
-declare function sanitizeAuditConnection(connection: IntegrationConnection): Record<string, unknown>;
-
-type IntegrationApprovalStatus = 'pending' | 'approved' | 'denied' | 'expired';
-interface IntegrationApprovalRecord {
-    id: string;
-    request: IntegrationApprovalRequest;
-    status: IntegrationApprovalStatus;
-    requestedAt: string;
-    resolvedAt?: string;
-    resolvedBy?: IntegrationActor;
-    reason?: string;
-    expiresAt?: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationApprovalStore {
-    get(approvalId: string): Promise<IntegrationApprovalRecord | undefined> | IntegrationApprovalRecord | undefined;
-    put(record: IntegrationApprovalRecord): Promise<void> | void;
-    list(filter?: IntegrationApprovalFilter): Promise<IntegrationApprovalRecord[]> | IntegrationApprovalRecord[];
-}
-interface IntegrationApprovalFilter {
-    status?: IntegrationApprovalStatus;
-    connectionId?: string;
-    connectorId?: string;
-    action?: string;
-    actor?: IntegrationActor;
-}
-interface ApprovalBackedPolicyOptions {
-    base: IntegrationPolicyEngine;
-    store: IntegrationApprovalStore;
-    audit?: IntegrationAuditSink;
-    now?: () => Date;
-    approvalTtlMs?: number;
-}
-declare class InMemoryIntegrationApprovalStore implements IntegrationApprovalStore {
-    private readonly records;
-    get(approvalId: string): IntegrationApprovalRecord | undefined;
-    put(record: IntegrationApprovalRecord): void;
-    list(filter?: IntegrationApprovalFilter): IntegrationApprovalRecord[];
-}
-declare class ApprovalBackedPolicyEngine implements IntegrationPolicyEngine {
-    private readonly base;
-    private readonly store;
-    private readonly audit;
-    private readonly now;
-    private readonly approvalTtlMs;
-    constructor(options: ApprovalBackedPolicyOptions);
-    decide(ctx: IntegrationGuardContext & {
-        subject: IntegrationActor;
-    }): Promise<IntegrationPolicyDecision>;
-    private findApprovedRecord;
-}
-declare function createApprovalBackedPolicyEngine(options: ApprovalBackedPolicyOptions): ApprovalBackedPolicyEngine;
-declare function resolveIntegrationApproval(input: {
-    store: IntegrationApprovalStore;
-    approvalId: string;
-    approved: boolean;
-    resolvedBy: IntegrationActor;
-    reason?: string;
-    metadata?: Record<string, unknown>;
-    audit?: IntegrationAuditSink;
-    now?: () => Date;
-}): Promise<IntegrationApprovalRecord>;
-
-declare const CANONICAL_INTEGRATION_ACTIONS: {
-    readonly googleCalendarEventsList: "google-calendar.events.list";
-    readonly googleCalendarEventsCreate: "google-calendar.events.create";
-    readonly gmailMessagesSearch: "gmail.messages.search";
-    readonly gmailMessagesSend: "gmail.messages.send";
-    readonly googleDriveFilesSearch: "google-drive.files.search";
-    readonly googleDriveFilesRead: "google-drive.files.read";
-    readonly githubRepositoriesGet: "github.repositories.get";
-    readonly githubIssuesSearch: "github.issues.search";
-    readonly githubIssuesCreate: "github.issues.create";
-    readonly githubPullRequestsComment: "github.pull-requests.comment";
-    readonly slackChannelsList: "slack.channels.list";
-    readonly slackMessagesSearch: "slack.messages.search";
-    readonly slackMessagesPost: "slack.messages.post";
-    readonly providerHttpRequest: "provider.http.request";
-};
-type CanonicalIntegrationActionId = typeof CANONICAL_INTEGRATION_ACTIONS[keyof typeof CANONICAL_INTEGRATION_ACTIONS];
-interface CanonicalLaunchConnectorOptions {
-    providerId?: string;
-    includeProviderPassthrough?: boolean;
-}
-declare function buildCanonicalLaunchConnectors(options?: CanonicalLaunchConnectorOptions): IntegrationConnector[];
-declare function canonicalActionConnectorId(actionId: string): string | undefined;
-
-interface IntegrationToolDefinition {
-    name: string;
-    title: string;
-    description: string;
-    providerId: string;
-    connectorId: string;
-    connectorTitle: string;
-    category: IntegrationConnectorCategory;
-    action: IntegrationConnectorAction;
-    risk: IntegrationActionRisk;
-    dataClass: IntegrationDataClass;
-    requiredScopes: string[];
-    inputSchema?: unknown;
-    outputSchema?: unknown;
-    tags: string[];
-    supportTier?: IntegrationSupportTier;
-    runnable?: boolean;
-}
-interface IntegrationCatalogView {
-    connectors: IntegrationConnector[];
-    conflicts: IntegrationRegistry['entries'][number]['conflicts'];
-    summary: IntegrationRegistrySummary;
-    tools: IntegrationToolDefinition[];
-    runtimeTools: IntegrationToolDefinition[];
-    discoveryTools: IntegrationToolDefinition[];
-}
-interface IntegrationToolSearchFilters {
-    providerId?: string;
-    connectorId?: string;
-    category?: IntegrationConnectorCategory;
-    maxRisk?: IntegrationActionRisk;
-    dataClass?: IntegrationDataClass;
-    limit?: number;
-}
-interface IntegrationToolSearchResult {
-    tool: IntegrationToolDefinition;
-    score: number;
-    matched: string[];
-}
-interface McpToolDefinition {
-    name: string;
-    description: string;
-    inputSchema: unknown;
-}
-declare function integrationToolName(providerId: string, connectorId: string, actionId: string): string;
-declare function parseIntegrationToolName(name: string): {
-    providerId: string;
-    connectorId: string;
-    actionId: string;
-};
-declare function buildIntegrationToolCatalog(connectors: IntegrationConnector[]): IntegrationToolDefinition[];
-/** Flatten a single (connector, action) pair into the tool descriptor the
- *  catalog exposes. The inverse of {@link parseIntegrationToolName} +
- *  {@link integrationToolName}: every tool name round-trips back to exactly
- *  this shape via {@link describeIntegrationTool}. */
-declare function flattenIntegrationToolDefinition(connector: IntegrationConnector, action: IntegrationConnectorAction): IntegrationToolDefinition;
-/** Resolve a single tool's full descriptor from an opaque
- *  `int_<provider>_<connector>_<action>` name against a composed registry.
- *  Returns undefined when the name is malformed, the connector is unknown,
- *  or the action is not defined by that connector. Powers `/tools/describe`
- *  without callers re-implementing parse → byId → action → flatten. */
-declare function describeIntegrationTool(registry: IntegrationRegistry, toolName: string): IntegrationToolDefinition | undefined;
-declare function buildIntegrationCatalogView(input: {
-    discoveryRegistry: IntegrationRegistry;
-    executableRegistry?: IntegrationRegistry;
-}): IntegrationCatalogView;
-declare function searchIntegrationTools(catalog: IntegrationToolDefinition[], query: string, filters?: IntegrationToolSearchFilters): IntegrationToolSearchResult[];
-declare function toMcpTools(tools: IntegrationToolDefinition[]): McpToolDefinition[];
-
-type IntegrationRequirementMode = 'read' | 'write' | 'trigger';
-type IntegrationRequirementStatus = 'ready' | 'missing_connection' | 'not_executable' | 'unknown_connector';
-interface IntegrationRequirement {
-    id: string;
-    connectorId: string;
-    reason: string;
-    mode: IntegrationRequirementMode;
-    requiredActions?: string[];
-    requiredTriggers?: string[];
-    requiredScopes?: string[];
-    optional?: boolean;
-}
-interface IntegrationManifest {
-    id: string;
-    title?: string;
-    owner?: IntegrationActor;
-    requirements: IntegrationRequirement[];
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationRequirementResolution {
-    requirement: IntegrationRequirement;
-    status: IntegrationRequirementStatus;
-    connector?: IntegrationConnector;
-    registryEntry?: IntegrationRegistryEntry;
-    connection?: IntegrationConnection;
-    missingScopes: string[];
-    missingActions: string[];
-    missingTriggers: string[];
-    message: string;
-}
-interface IntegrationManifestResolution {
-    manifest: IntegrationManifest;
-    owner: IntegrationActor;
-    ready: IntegrationRequirementResolution[];
-    missing: IntegrationRequirementResolution[];
-    optionalMissing: IntegrationRequirementResolution[];
-}
-interface IntegrationGrant {
-    id: string;
-    manifestId: string;
-    requirementId: string;
-    owner: IntegrationActor;
-    grantee: IntegrationActor;
-    connectionId: string;
-    connectorId: string;
-    scopes: string[];
-    allowedActions: string[];
-    allowedTriggers: string[];
-    status: 'active' | 'revoked';
-    createdAt: string;
-    updatedAt: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationGrantStore {
-    get(grantId: string): Promise<IntegrationGrant | undefined> | IntegrationGrant | undefined;
-    put(grant: IntegrationGrant): Promise<void> | void;
-    listByManifest(manifestId: string, grantee?: IntegrationActor): Promise<IntegrationGrant[]> | IntegrationGrant[];
-    listByGrantee(grantee: IntegrationActor): Promise<IntegrationGrant[]> | IntegrationGrant[];
-    listByIds?(grantIds: string[]): Promise<IntegrationGrant[]> | IntegrationGrant[];
-    delete?(grantId: string): Promise<void> | void;
-}
-interface IntegrationCapabilityBinding {
-    requirementId: string;
-    connectorId: string;
-    connectionId: string;
-    grantId: string;
-    scopes: string[];
-    allowedActions: string[];
-    allowedTriggers: string[];
-    capability: IssuedIntegrationCapability;
-}
-interface IntegrationSandboxBundle {
-    manifestId: string;
-    subject: IntegrationActor;
-    capabilities: IntegrationCapabilityBinding[];
-    connectors: IntegrationConnector[];
-    tools: IntegrationToolDefinition[];
-    expiresAt: string;
-}
-interface IntegrationRuntimeHub {
-    listRegistry(): Promise<IntegrationRegistry> | IntegrationRegistry;
-    listConnections(owner: IntegrationActor): Promise<IntegrationConnection[]> | IntegrationConnection[];
-    getConnection(connectionId: string): Promise<IntegrationConnection | undefined> | IntegrationConnection | undefined;
-    issueCapability(input: {
-        subject: IntegrationActor;
-        connectionId: string;
-        scopes: string[];
-        allowedActions: string[];
-        ttlMs: number;
-        metadata?: Record<string, unknown>;
-    }): Promise<IssuedIntegrationCapability> | IssuedIntegrationCapability;
-}
-interface IntegrationRuntimeOptions {
-    hub: IntegrationRuntimeHub;
-    grants?: IntegrationGrantStore;
-    now?: () => Date;
-}
-declare class InMemoryIntegrationGrantStore implements IntegrationGrantStore {
-    private readonly grants;
-    get(grantId: string): IntegrationGrant | undefined;
-    put(grant: IntegrationGrant): void;
-    listByManifest(manifestId: string, grantee?: IntegrationActor): IntegrationGrant[];
-    listByGrantee(grantee: IntegrationActor): IntegrationGrant[];
-    listByIds(grantIds: string[]): IntegrationGrant[];
-    delete(grantId: string): void;
-}
-declare class IntegrationRuntime {
-    private readonly hub;
-    private readonly grants;
-    private readonly now;
-    constructor(options: IntegrationRuntimeOptions);
-    registry(): Promise<IntegrationRegistry>;
-    resolveManifest(manifest: IntegrationManifest, owner: IntegrationActor): Promise<IntegrationManifestResolution>;
-    createGrants(input: {
-        manifest: IntegrationManifest;
-        owner: IntegrationActor;
-        grantee: IntegrationActor;
-        metadata?: Record<string, unknown>;
-    }): Promise<IntegrationGrant[]>;
-    buildSandboxBundle(input: {
-        manifestId?: string;
-        grantIds?: string[];
-        owner: IntegrationActor;
-        subject: IntegrationActor;
-        ttlMs: number;
-        grantee?: IntegrationActor;
-    }): Promise<IntegrationSandboxBundle>;
-    private resolveBundleGrants;
-}
-declare function createIntegrationRuntime(options: IntegrationRuntimeOptions): IntegrationRuntime;
-
-declare const DEFAULT_INTEGRATION_BRIDGE_ENV = "TANGLE_INTEGRATION_BUNDLE";
-interface IntegrationBridgePayload {
-    version: 1;
-    manifestId: string;
-    subject: IntegrationSandboxBundle['subject'];
-    expiresAt: string;
-    tools: IntegrationBridgeToolBinding[];
-}
-interface IntegrationBridgeToolBinding {
-    name: string;
-    title: string;
-    connectorId: string;
-    connectionId: string;
-    action: string;
-    risk: string;
-    dataClass: string;
-    requiredScopes: string[];
-    capabilityToken: string;
-}
-declare function buildIntegrationBridgePayload(bundle: IntegrationSandboxBundle): IntegrationBridgePayload;
-declare function encodeIntegrationBridgePayload(payload: IntegrationBridgePayload): string;
-declare function decodeIntegrationBridgePayload(encoded: string): IntegrationBridgePayload;
-declare function buildIntegrationBridgeEnvironment(bundle: IntegrationSandboxBundle, options?: {
-    envVar?: string;
-}): Record<string, string>;
-declare function parseIntegrationBridgeEnvironment(env: Record<string, string | undefined>, options?: {
-    envVar?: string;
-}): IntegrationBridgePayload;
-declare function redactIntegrationBridgePayload(payload: IntegrationBridgePayload): IntegrationBridgePayload;
-
-interface TangleIntegrationsClientOptions {
-    endpoint: string;
-    bridge?: IntegrationBridgePayload;
-    env?: Record<string, string | undefined>;
-    envVar?: string;
-    fetchImpl?: typeof fetch;
-    getCapabilityToken?: (tool: IntegrationBridgeToolBinding) => string | Promise<string>;
-}
-interface TangleIntegrationInvokeInput<TInput = unknown> {
-    tool: string;
-    input?: TInput;
-    idempotencyKey?: string;
-    dryRun?: boolean;
-    metadata?: Record<string, unknown>;
-}
-interface TangleIntegrationInvokeResult<TOutput = unknown> {
-    status: 'ok' | 'approval_required' | 'failed';
-    action: string;
-    output?: TOutput;
-    approval?: unknown;
-    error?: string;
-    metadata?: Record<string, unknown>;
-}
-declare class TangleIntegrationsClient {
-    private readonly endpoint;
-    private readonly bridge;
-    private readonly fetchImpl;
-    private readonly getCapabilityToken;
-    constructor(options: TangleIntegrationsClientOptions);
-    tools(): IntegrationBridgeToolBinding[];
-    findTool(toolOrAction: string): IntegrationBridgeToolBinding;
-    invoke<TOutput = unknown, TInput = unknown>(input: TangleIntegrationInvokeInput<TInput>): Promise<TangleIntegrationInvokeResult<TOutput>>;
-}
-declare function createTangleIntegrationsClient(options: TangleIntegrationsClientOptions): TangleIntegrationsClient;
-
-type IntegrationHealthcheckStatus = 'healthy' | 'degraded' | 'unhealthy' | 'unknown';
-interface IntegrationHealthcheckCheck {
-    id: string;
-    status: IntegrationHealthcheckStatus;
-    message: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationHealthcheckResult {
-    connectionId: string;
-    providerId: string;
-    connectorId: string;
-    status: IntegrationHealthcheckStatus;
-    checkedAt: string;
-    checks: IntegrationHealthcheckCheck[];
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationHealthcheckStore {
-    put(result: IntegrationHealthcheckResult): Promise<void> | void;
-    get(connectionId: string): Promise<IntegrationHealthcheckResult | undefined> | IntegrationHealthcheckResult | undefined;
-    list(): Promise<IntegrationHealthcheckResult[]> | IntegrationHealthcheckResult[];
-}
-declare class InMemoryIntegrationHealthcheckStore implements IntegrationHealthcheckStore {
-    private readonly results;
-    put(result: IntegrationHealthcheckResult): void;
-    get(connectionId: string): IntegrationHealthcheckResult | undefined;
-    list(): IntegrationHealthcheckResult[];
-}
-declare function runIntegrationHealthcheck(input: {
-    connection: IntegrationConnection;
-    connector?: IntegrationConnector;
-    registry?: IntegrationRegistry;
-    test?: (connection: IntegrationConnection, connector: IntegrationConnector) => Promise<IntegrationActionResult | boolean> | IntegrationActionResult | boolean;
-    audit?: IntegrationAuditSink;
-    now?: () => Date;
-}): Promise<IntegrationHealthcheckResult>;
-declare function runIntegrationHealthchecks(input: {
-    connections: IntegrationConnection[];
-    registry?: IntegrationRegistry;
-    store?: IntegrationHealthcheckStore;
-    audit?: IntegrationAuditSink;
-    now?: () => Date;
-    test?: (connection: IntegrationConnection, connector: IntegrationConnector) => Promise<IntegrationActionResult | boolean> | IntegrationActionResult | boolean;
-}): Promise<IntegrationHealthcheckResult[]>;
-declare function healthcheckRequest(action?: string): IntegrationActionRequest;
-
-/**
- * @stable Integration Hub consumer client.
- *
- * The third client-shaped surface a product needs, alongside the two that
- * already ship:
- *
- *   - `createTangleIntegrationsClient` (`client.ts`) — the *invoke* client.
- *     Capability-token auth, runs INSIDE a sandbox / generated app, single
- *     endpoint `/v1/integrations/invoke`.
- *   - `startConnectFlow` / `finishConnectFlow` (`connect/index.ts`) — the
- *     *user-consent* flow, mirrors `/cross-site/*`.
- *   - **this** — the S2S *management* client. A product BACKEND (blueprint-
- *     agent, sandbox, gtm-agent, tax-agent, legal-agent, evals, …) drives the
- *     `/v1/integrations/{resolve-manifest,grants,capabilities/bundle,
- *     healthchecks/run}` management surface on `id.tangle.tools` on behalf of
- *     an identified user.
- *
- * Every consumer needs the identical client — the wire protocol, the
- * `{ success, data }` envelope, the auth header shape are all platform-owned.
- * Re-implementing a bespoke fetch loop per product forks the protocol and the
- * copies drift. This module is that shared implementation. It mirrors the
- * `connect/index.ts` design rule one-for-one: DO NOT invent the wire protocol
- * — speak exactly what `products/platform/api/src/routes/integrations.ts`
- * serves.
- *
- * Two auth modes — the route layer (`authMiddleware`) accepts either:
- *
- *   - `service`  — a `svc_*` service token + `X-Service-Name`. The acting
- *     user travels in `X-Platform-User-Id`. The platform honors that header
- *     only for service tokens whose `SERVICE_SCOPES` set contains
- *     `impersonate:user`; a token without it is rejected (403). Reaches the
- *     four management paths the platform allowlists for service tokens.
- *   - `user-key` — a per-user `sk-tan-*` API key (minted via the connect
- *     flow). The key identifies the user; no impersonation header. Reaches
- *     every route the user themselves can.
- *
- * The capability-token `invoke` endpoint is intentionally NOT exposed here —
- * that is `createTangleIntegrationsClient`'s job and uses a different auth.
- */
-
-type IntegrationHubAuth = {
-    mode: 'service';
-    /** The `svc_*` token issued to this product. */
-    serviceToken: string;
-    /** Registered service name — sent as `X-Service-Name`. Required
-     *  because one token may be shared across services, in which case the
-     *  platform demands the header to disambiguate. */
-    serviceName: string;
-} | {
-    mode: 'user-key';
-    /** A per-user `sk-tan-*` key bound to the acting user. */
-    apiKey: string;
-};
-interface IntegrationHubClientOptions {
-    /** The product / consumer identifier (e.g. `blueprint-agent`). Sent as the
-     *  `product` field of resolve-manifest calls; recorded platform-side. */
-    product: string;
-    /** Service-token or per-user-key auth. */
-    auth: IntegrationHubAuth;
-    /** Platform base URL. Defaults to `https://id.tangle.tools`. */
-    endpoint?: string;
-    /** Injected for tests. Defaults to the global `fetch`. */
-    fetchImpl?: typeof fetch;
-    /** Per-request timeout in ms. Default 10_000. */
-    timeoutMs?: number;
-    /** Max attempts on transient (network / 502 / 503 / 504) failures.
-     *  Default 2 — i.e. one retry. */
-    maxAttempts?: number;
-}
-/** Thrown for every non-2xx response and every transport failure. Carries the
- *  HTTP status and the platform error code so callers can branch precisely
- *  (`403` + `impersonate` → the service token lacks the scope; `409` /
- *  `missing_connection` → prompt the user to connect). */
-declare class IntegrationHubRequestError extends Error {
-    readonly name = "IntegrationHubRequestError";
-    /** HTTP status, or 0 for a network-level failure. */
-    readonly status: number;
-    /** Platform error code (`VALIDATION_ERROR`, `scope_missing`, …) or
-     *  `network_error` / `http_error` when no structured code was returned. */
-    readonly code: string;
-    /** `METHOD /path` the request targeted. */
-    readonly endpoint: string;
-    /** True when the failure class is transient and a retry could succeed. */
-    readonly retryable: boolean;
-    constructor(input: {
-        status: number;
-        code: string;
-        message: string;
-        endpoint: string;
-        retryable: boolean;
-    });
-}
-interface ResolveManifestInput {
-    /** The acting user — the connection owner. */
-    userId: string;
-    manifest: IntegrationManifest;
-    /** Overrides the client-level `product` for this call. */
-    product?: string;
-}
-interface CreateGrantsInput {
-    /** The acting user — the connection owner. */
-    userId: string;
-    /** Who the grant is FOR (the sandbox / agent / app that will invoke). */
-    grantee: IntegrationActor;
-    manifest: IntegrationManifest;
-    metadata?: Record<string, unknown>;
-}
-interface ListGrantsInput {
-    /** The acting user — the connection owner. */
-    userId: string;
-    /** Optional grantee filter; both fields travel together as query params. */
-    grantee?: IntegrationActor;
-}
-interface MintCapabilityBundleInput {
-    /** The acting user — must own every connection behind the grants. */
-    userId: string;
-    /** Who the capability bundle is issued TO (the sandbox / agent process). */
-    subject: IntegrationActor;
-    /** Mint from every grant of a manifest … */
-    manifestId?: string;
-    /** … or from an explicit grant id list. Exactly one of the two is required. */
-    grantIds?: string[];
-    grantee?: IntegrationActor;
-    /** Bundle TTL in ms. Platform clamps to [1s, 60m]; default 15m. */
-    ttlMs?: number;
-}
-interface CapabilityBundleResult {
-    bundle: IntegrationSandboxBundle;
-    /** Bridge environment variables to inject into the sandbox process —
-     *  `buildIntegrationBridgeEnvironment(bundle)`, computed platform-side. */
-    env: Record<string, string>;
-}
-interface CheckConnectorInput {
-    /** The acting user. */
-    userId: string;
-    /** Connector to probe — `github`, `google-calendar`, `tangle-id`, … */
-    connectorId: string;
-    /** Defaults to `read`. */
-    mode?: IntegrationRequirementMode;
-    requiredScopes?: string[];
-    requiredActions?: string[];
-}
-interface CheckConnectorResult {
-    /** True when the user has an active connection satisfying the requirement. */
-    connected: boolean;
-    /** The satisfying connection, present iff `connected`. */
-    connection?: IntegrationConnection;
-    /** The full requirement resolution — status, missing scopes/actions, message. */
-    resolution: IntegrationRequirementResolution;
-}
-/**
- * S2S management client for the `id.tangle.tools` integration hub. One per
- * product; methods are stateless and safe to call concurrently.
- */
-declare class IntegrationHubClient {
-    private readonly endpoint;
-    private readonly product;
-    private readonly auth;
-    private readonly fetchImpl;
-    private readonly timeoutMs;
-    private readonly maxAttempts;
-    constructor(options: IntegrationHubClientOptions);
-    /**
-     * Resolve a manifest against a user's connections. The returned
-     * `ready` / `missing` split is the canonical way to ask "does this user
-     * have the connections this work needs" — the raw connection list is not
-     * reachable by a service token by design.
-     */
-    resolveManifest(input: ResolveManifestInput): Promise<IntegrationManifestResolution>;
-    /**
-     * Convenience over {@link resolveManifest} — probe a single connector and
-     * get back a boolean plus the satisfying connection. The Surface-A quest
-     * primitive ("is the user's GitHub linked?").
-     */
-    checkConnector(input: CheckConnectorInput): Promise<CheckConnectorResult>;
-    /** Create grants for every satisfiable requirement of a manifest. The
-     *  platform rejects the call if any non-optional requirement is missing a
-     *  connection. */
-    createGrants(input: CreateGrantsInput): Promise<IntegrationGrant[]>;
-    /** List the acting user's grants, optionally filtered to one grantee. */
-    listGrants(input: ListGrantsInput): Promise<IntegrationGrant[]>;
-    /** Mint a short-lived capability bundle for a sandbox / agent process.
-     *  Provider credentials never leave the platform — the bundle carries only
-     *  scoped, expiring capability tokens. */
-    mintCapabilityBundle(input: MintCapabilityBundleInput): Promise<CapabilityBundleResult>;
-    /** Run live healthchecks across all of the acting user's connections. */
-    runHealthchecks(input: {
-        userId: string;
-    }): Promise<IntegrationHealthcheckResult[]>;
-    private buildHeaders;
-    private request;
-}
-declare function createIntegrationHubClient(options: IntegrationHubClientOptions): IntegrationHubClient;
-
-interface ConsentSummary {
-    title: string;
-    body: string;
-    bullets: string[];
-    primaryAction: string;
-    risk: 'read' | 'write' | 'destructive';
-    connectorIds: string[];
-}
-interface RenderConsentOptions {
-    appName?: string;
-    connectors?: IntegrationConnector[];
-}
-declare function renderConsentSummary(manifestOrResolution: IntegrationManifest | IntegrationManifestResolution, options?: RenderConsentOptions): ConsentSummary;
-declare function renderApprovalCopy(input: {
-    appName: string;
-    connectorTitle: string;
-    action: IntegrationConnectorAction;
-    approvalId?: string;
-}): ConsentSummary;
-
-/**
- * Workspace capability discovery — answers "what can this workspace do?"
- * with a typed list of MCP-shape tool descriptors that the agent runtime
- * can flatten into a planner's tool registry.
- *
- * The agent runtime's gating question is one level above the existing
- * connector catalog ("which integrations exist?") and one level below
- * the issued capability-token surface ("temporarily delegate scope X
- * via this signed token"). This module bridges the two:
- *
- *   discoverWorkspaceCapabilities({ owner, connectors, connections, scopes })
- *     → WorkspaceCapability[]
- *
- * A `WorkspaceCapability` is hand-shaped to be cheap to emit alongside a
- * connector manifest and trivial to render into:
- *   - an LLM tool-choice JSON array
- *   - an MCP `tools/list` response
- *   - a UI surface ("Connect Gmail to enable: send_reply, list_messages…")
- *
- * What this is NOT:
- *   - A capability-token issuer. That stays in IntegrationHub.issueCapability.
- *   - A connector registry. That stays in IntegrationRegistry / catalog.
- *
- * Scopes are the load-bearing input: a connector advertises N actions,
- * but only the subset whose `requiredScopes` are a subset of the
- * connection's `grantedScopes` is reachable. The discovery function
- * filters on that automatically.
- *
- * Stability: `@stable` — additions to WorkspaceCapability must be
- * additive and non-breaking.
- */
-
-/** MCP-shape tool descriptor. Mirrors the
- *  [Model Context Protocol tool schema](https://modelcontextprotocol.io/specification)
- *  closely enough that consumers can pipe a WorkspaceCapability straight
- *  into a `tools/list` response. */
-interface WorkspaceToolSchema {
-    name: string;
-    description?: string;
-    /** JSON-schema describing the action's input. */
-    inputSchema?: unknown;
-    /** Optional JSON-schema describing the action's output. */
-    outputSchema?: unknown;
-}
-/** One discoverable capability — an action a connector exposes that the
- *  workspace has the connection + scopes to invoke. */
-interface WorkspaceCapability {
-    /** Stable, fully-qualified id. Format `<connector-id>.<action-id>`. */
-    id: string;
-    /** Human label safe for UI. */
-    title: string;
-    /** Optional one-line description. */
-    description?: string;
-    /** Connector category for grouping. */
-    category: IntegrationConnectorCategory;
-    /** Connector that hosts this capability. */
-    connectorId: string;
-    /** Provider that hosts this connector (first-party, gateway, …). */
-    providerId: string;
-    /** Underlying action id on the connector. */
-    actionId: string;
-    /** Scopes required to invoke. The discovery function only returns
-     *  capabilities whose required scopes are a subset of the connection's
-     *  grantedScopes. */
-    scopes: string[];
-    /** Risk class — useful for UI ("write" / "destructive" lights). */
-    risk: IntegrationActionRisk;
-    /** Data class of the action's output, when known. */
-    dataClass: IntegrationDataClass;
-    /** MCP-shape tool schema the agent runtime can register directly. */
-    toolSchema: WorkspaceToolSchema;
-    /** True iff the workspace has an active connection backing this
-     *  capability. False capabilities (advertised by the connector but
-     *  not yet connected) are included when `includeUnconnected: true`
-     *  is passed — useful for "connect to unlock" UI affordances. */
-    connected: boolean;
-    /** Connection id backing this capability. Undefined when
-     *  `connected: false`. */
-    connectionId?: string;
-    /** Whether the action requires explicit approval before invocation. */
-    approvalRequired?: boolean;
-}
-/** Optional inbound trigger surface. Same shape as a capability so the
- *  consumer can render both with one component. */
-interface WorkspaceTrigger {
-    id: string;
-    title: string;
-    description?: string;
-    category: IntegrationConnectorCategory;
-    connectorId: string;
-    providerId: string;
-    triggerId: string;
-    scopes: string[];
-    dataClass: IntegrationDataClass;
-    connected: boolean;
-    connectionId?: string;
-}
-interface DiscoverWorkspaceCapabilitiesInput {
-    /** Workspace owner. Used to scope the connection lookup when `store`
-     *  is supplied (the canonical production path). */
-    owner: IntegrationActor;
-    /** Either an explicit connection list (test/fixture path) or a store
-     *  the function should query for connections by owner. Exactly one
-     *  of `connections` / `store` MUST be provided. */
-    connections?: IntegrationConnection[];
-    store?: IntegrationConnectionStore;
-    /** Either an explicit connector list (test/fixture path) or a set of
-     *  providers the function should query via `listConnectors()`. */
-    connectors?: IntegrationConnector[];
-    providers?: IntegrationProvider[];
-    /** Include capabilities whose connector is in the catalog but the
-     *  workspace has no active connection for. Useful to render
-     *  "connect to unlock" affordances. Default: false. */
-    includeUnconnected?: boolean;
-    /** When true, include capabilities even if some required scopes are
-     *  missing from the connection grant. The default `false` hides such
-     *  capabilities — the agent runtime never sees them. */
-    includeMissingScopes?: boolean;
-}
-interface WorkspaceCapabilityDiscovery {
-    capabilities: WorkspaceCapability[];
-    triggers: WorkspaceTrigger[];
-    /** Counts grouped by connector for telemetry / UI badges. */
-    countsByConnector: Record<string, number>;
-    /** Connectors the workspace is connected to but the planner cannot
-     *  reach any actions on (e.g., zero scopes granted, or all actions
-     *  require an additional scope). */
-    unreachableConnectors: Array<{
-        connectorId: string;
-        reason: string;
-    }>;
-}
-/** Resolve workspace-visible capabilities + triggers. Pure with respect
- *  to the inputs — caller decides whether to back `connections` and
- *  `connectors` with persistent state or static fixtures. */
-declare function discoverWorkspaceCapabilities(input: DiscoverWorkspaceCapabilitiesInput): Promise<WorkspaceCapabilityDiscovery>;
-/**
- * Filter a {@link WorkspaceCapabilityDiscovery} result by the calling
- * user's effective id.tangle.tools workspace scopes. Pair with the
- * `tangleIdentity()` adapter's `list_workspaces` / `switch_workspace`
- * output to keep what the agent runtime sees aligned with what the
- * workspace's plan actually permits.
- *
- * Semantics:
- *   - Every workspace scope is matched against every capability's
- *     `scopes` list. Wildcard scopes (`tangle:*`, `<connectorId>:*`) are
- *     respected — a workspace with `tangle:*` sees everything; a
- *     workspace with `gmail:*` sees every gmail capability regardless of
- *     the upstream OAuth scope.
- *   - When `workspaceScopes` is empty, returns the discovery as-is (no
- *     workspace gate). Pass an explicit `denyByDefault: true` to flip
- *     that to "empty workspace sees nothing" — matches the platform's
- *     fail-closed posture for production tenants.
- *
- * Pure with respect to the inputs — no side effects.
- */
-declare function filterDiscoveryByWorkspaceScopes(discovery: WorkspaceCapabilityDiscovery, workspaceScopes: string[], opts?: {
-    denyByDefault?: boolean;
-}): WorkspaceCapabilityDiscovery;
-
-interface IntegrationWorkflowDefinition {
-    id: string;
-    title?: string;
-    manifest: IntegrationManifest;
-    trigger: {
-        requirementId: string;
-        triggerId: string;
-        targetUrl?: string;
-    };
-    metadata?: Record<string, unknown>;
-}
-interface InstalledIntegrationWorkflow {
-    id: string;
-    workflowId: string;
-    manifestId: string;
-    owner: IntegrationActor;
-    grantee: IntegrationActor;
-    triggerGrantId: string;
-    subscription: IntegrationTriggerSubscription;
-    status: 'active' | 'paused' | 'error';
-    createdAt: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationWorkflowStore {
-    put(workflow: InstalledIntegrationWorkflow): Promise<void> | void;
-    get(id: string): Promise<InstalledIntegrationWorkflow | undefined> | InstalledIntegrationWorkflow | undefined;
-    list(): Promise<InstalledIntegrationWorkflow[]> | InstalledIntegrationWorkflow[];
-    listByWorkflow(workflowId: string): Promise<InstalledIntegrationWorkflow[]> | InstalledIntegrationWorkflow[];
-    listByOwner(owner: IntegrationActor): Promise<InstalledIntegrationWorkflow[]> | InstalledIntegrationWorkflow[];
-}
-interface IntegrationWorkflowRuntimeHub {
-    subscribeTrigger(connectionId: string, trigger: string, targetUrl?: string): Promise<IntegrationTriggerSubscription> | IntegrationTriggerSubscription;
-}
-interface IntegrationWorkflowRuntimeOptions {
-    runtime: IntegrationRuntime;
-    hub: IntegrationWorkflowRuntimeHub;
-    grants: IntegrationGrantStore;
-    store?: IntegrationWorkflowStore;
-    now?: () => Date;
-}
-declare class InMemoryIntegrationWorkflowStore implements IntegrationWorkflowStore {
-    private readonly workflows;
-    put(workflow: InstalledIntegrationWorkflow): void;
-    get(id: string): InstalledIntegrationWorkflow | undefined;
-    list(): InstalledIntegrationWorkflow[];
-    listByWorkflow(workflowId: string): InstalledIntegrationWorkflow[];
-    listByOwner(owner: IntegrationActor): InstalledIntegrationWorkflow[];
-}
-declare class IntegrationWorkflowRuntime {
-    private readonly runtime;
-    private readonly hub;
-    private readonly grants;
-    private readonly store;
-    private readonly now;
-    constructor(options: IntegrationWorkflowRuntimeOptions);
-    install(input: {
-        workflow: IntegrationWorkflowDefinition;
-        owner: IntegrationActor;
-        grantee: IntegrationActor;
-    }): Promise<InstalledIntegrationWorkflow>;
-    dispatchEvent<T = unknown>(event: IntegrationTriggerEvent<T>, handler: (input: {
-        event: IntegrationTriggerEvent<T>;
-        workflows: InstalledIntegrationWorkflow[];
-    }) => Promise<void> | void): Promise<{
-        matched: InstalledIntegrationWorkflow[];
-    }>;
-}
-declare function createIntegrationWorkflowRuntime(options: IntegrationWorkflowRuntimeOptions): IntegrationWorkflowRuntime;
-
-interface StoredIntegrationEvent {
-    id: string;
-    sourceId: string;
-    connectorId: string;
-    eventType: string;
-    providerEventId?: string;
-    receivedAt: string;
-    payload: Record<string, unknown>;
-    dispatchedAt?: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationEventStore {
-    put(event: StoredIntegrationEvent): Promise<void> | void;
-    hasProviderEvent(sourceId: string, providerEventId: string): Promise<boolean> | boolean;
-    list(): Promise<StoredIntegrationEvent[]> | StoredIntegrationEvent[];
-}
-interface IntegrationWebhookReceiverResult {
-    status: number;
-    body: unknown;
-    headers?: Record<string, string>;
-    received: StoredIntegrationEvent[];
-    duplicates: StoredIntegrationEvent[];
-}
-declare class InMemoryIntegrationEventStore implements IntegrationEventStore {
-    private readonly events;
-    private readonly providerIds;
-    put(event: StoredIntegrationEvent): void;
-    hasProviderEvent(sourceId: string, providerEventId: string): boolean;
-    list(): StoredIntegrationEvent[];
-}
-declare function receiveIntegrationWebhook(input: {
-    adapter: ConnectorAdapter;
-    source: ResolvedDataSource;
-    rawBody: string;
-    headers: Record<string, string | string[] | undefined>;
-    store: IntegrationEventStore;
-    workflowRuntime?: IntegrationWorkflowRuntime;
-    allowUnsignedWebhook?: boolean;
-    now?: () => Date;
-}): Promise<IntegrationWebhookReceiverResult>;
-declare function storedEventToTriggerEvent(event: StoredIntegrationEvent, source: ResolvedDataSource): IntegrationTriggerEvent;
-
-interface IntegrationIdempotencyRecord {
-    key: string;
-    requestHash: string;
-    result: IntegrationActionResult;
-    createdAt: string;
-}
-interface IntegrationIdempotencyStore {
-    get(key: string): Promise<IntegrationIdempotencyRecord | undefined> | IntegrationIdempotencyRecord | undefined;
-    put(record: IntegrationIdempotencyRecord): Promise<void> | void;
-}
-interface IntegrationRateLimitDecision {
-    allowed: boolean;
-    retryAfterMs?: number;
-    reason?: string;
-}
-interface IntegrationRateLimiter {
-    check(ctx: IntegrationGuardContext): Promise<IntegrationRateLimitDecision> | IntegrationRateLimitDecision;
-}
-declare class InMemoryIntegrationIdempotencyStore implements IntegrationIdempotencyStore {
-    private readonly records;
-    get(key: string): IntegrationIdempotencyRecord | undefined;
-    put(record: IntegrationIdempotencyRecord): void;
-}
-declare class DefaultIntegrationActionGuard implements IntegrationActionGuard {
-    private readonly idempotency;
-    private readonly audit;
-    private readonly rateLimiter;
-    private readonly requireIdempotencyForMutations;
-    private readonly now;
-    constructor(options?: {
-        idempotency?: IntegrationIdempotencyStore;
-        audit?: IntegrationAuditSink;
-        rateLimiter?: IntegrationRateLimiter;
-        requireIdempotencyForMutations?: boolean;
-        now?: () => Date;
-    });
-    invokeAction(ctx: IntegrationGuardContext, proceed: () => Promise<IntegrationActionResult>): Promise<IntegrationActionResult>;
-    private writeIdempotency;
-}
-declare function createDefaultIntegrationActionGuard(options?: ConstructorParameters<typeof DefaultIntegrationActionGuard>[0]): DefaultIntegrationActionGuard;
-
-interface ManifestValidationIssue {
-    path: string;
-    message: string;
-}
-interface ManifestValidationResult {
-    ok: boolean;
-    issues: ManifestValidationIssue[];
-}
-interface InferIntegrationRequirementsOptions {
-    manifestId: string;
-    title?: string;
-    tools: Array<string | {
-        action: string;
-        reason?: string;
-        mode?: IntegrationRequirementMode;
-        connectorId?: string;
-        scopes?: string[];
-    }>;
-    metadata?: Record<string, unknown>;
-}
-interface MissingRequirementExplanation {
-    requirementId: string;
-    connectorId: string;
-    status: string;
-    message: string;
-    userAction: 'connect' | 'enable' | 'ignore_optional';
-}
-declare function validateIntegrationManifest(manifest: IntegrationManifest): ManifestValidationResult;
-declare function assertValidIntegrationManifest(manifest: IntegrationManifest): void;
-declare function inferIntegrationManifestFromTools(options: InferIntegrationRequirementsOptions): IntegrationManifest;
-declare function explainMissingRequirements(resolution: IntegrationManifestResolution): MissingRequirementExplanation[];
-declare function calendarExercisePlannerManifest(id?: string): IntegrationManifest;
-
-interface ProviderHttpRequestInput {
-    method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
-    path: string;
-    query?: Record<string, string | number | boolean | undefined>;
-    headers?: Record<string, string>;
-    body?: unknown;
-}
-interface ProviderPassthroughPolicy {
-    enabled: boolean;
-    allowedMethods?: ProviderHttpRequestInput['method'][];
-    allowedPathPrefixes?: string[];
-    maxBodyBytes?: number;
-}
-declare const PROVIDER_PASSTHROUGH_ACTION: "provider.http.request";
-declare function validateProviderPassthroughRequest(input: ProviderHttpRequestInput, policy: ProviderPassthroughPolicy): void;
-
-type IntegrationPolicyEffect = 'allow' | 'require_approval' | 'deny';
-interface IntegrationPolicyRule {
-    id: string;
-    effect: IntegrationPolicyEffect;
-    reason: string;
-    providerId?: string;
-    connectorId?: string;
-    action?: string;
-    maxRisk?: IntegrationActionRisk;
-    risk?: IntegrationActionRisk;
-    dataClass?: IntegrationDataClass;
-}
-interface StaticIntegrationPolicyOptions {
-    rules?: IntegrationPolicyRule[];
-    defaultReadEffect?: IntegrationPolicyEffect;
-    defaultWriteEffect?: IntegrationPolicyEffect;
-    defaultDestructiveEffect?: IntegrationPolicyEffect;
-    now?: () => Date;
-}
-interface IntegrationApprovalResolution {
-    approvalId: string;
-    approved: boolean;
-    resolvedBy: string;
-    resolvedAt: string;
-    reason?: string;
-    metadata?: Record<string, unknown>;
-}
-declare class StaticIntegrationPolicyEngine implements IntegrationPolicyEngine {
-    private readonly rules;
-    private readonly defaultReadEffect;
-    private readonly defaultWriteEffect;
-    private readonly defaultDestructiveEffect;
-    private readonly now;
-    constructor(options?: StaticIntegrationPolicyOptions);
-    decide(ctx: IntegrationGuardContext & {
-        subject: {
-            type: string;
-            id: string;
-        };
-    }): IntegrationPolicyDecision;
-    private defaultEffect;
-}
-declare function createDefaultIntegrationPolicyEngine(options?: Omit<StaticIntegrationPolicyOptions, 'rules'>): StaticIntegrationPolicyEngine;
-declare function buildApprovalRequest(ctx: IntegrationGuardContext & {
-    subject: {
-        type: string;
-        id: string;
-    };
-}, reason: string, requestedAt: Date): IntegrationApprovalRequest;
-declare function redactApprovalRequest(request: IntegrationApprovalRequest): IntegrationApprovalRequest;
-
-interface PlatformIntegrationPolicyPresetOptions extends Omit<StaticIntegrationPolicyOptions, 'defaultReadEffect' | 'defaultWriteEffect' | 'defaultDestructiveEffect'> {
-    allowWritesWithoutApproval?: boolean;
-    allowDestructiveActions?: boolean;
-    allowProviderPassthrough?: boolean;
-}
-declare function createPlatformIntegrationPolicyPreset(options?: PlatformIntegrationPolicyPresetOptions): StaticIntegrationPolicyEngine;
-
-interface CatalogExecutorInvocation {
-    connection: IntegrationConnection;
-    request: IntegrationActionRequest;
-    connector: IntegrationConnector;
-    action: IntegrationConnector['actions'][number];
-}
-interface CatalogExecutorProviderOptions {
-    id: string;
-    kind: IntegrationProviderKind;
-    connectors: IntegrationConnector[];
-    startAuth?: (request: StartAuthRequest) => Promise<StartAuthResult> | StartAuthResult;
-    completeAuth?: (request: CompleteAuthRequest) => Promise<IntegrationConnection> | IntegrationConnection;
-    executeAction: (invocation: CatalogExecutorInvocation) => Promise<IntegrationActionResult> | IntegrationActionResult;
-    subscribeTrigger?: (connection: IntegrationConnection, trigger: NonNullable<IntegrationConnector['triggers']>[number], targetUrl?: string) => Promise<IntegrationTriggerSubscription> | IntegrationTriggerSubscription;
-    unsubscribeTrigger?: (subscriptionId: string) => Promise<void> | void;
-    normalizeTriggerEvent?: (raw: unknown) => Promise<IntegrationTriggerEvent> | IntegrationTriggerEvent;
-}
-declare function createCatalogExecutorProvider(options: CatalogExecutorProviderOptions): IntegrationProvider;
-
-interface IntegrationInvocationEnvelope {
-    kind: 'integration.invocation';
-    capabilityToken: string;
-    toolName: string;
-    action: string;
-    input?: unknown;
-    idempotencyKey: string;
-    dryRun?: boolean;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationInvocationEnvelopeValidationOptions {
-    connectors?: IntegrationConnector[];
-    maxInputBytes?: number;
-    requireKnownTool?: boolean;
-}
-type NormalizedIntegrationResult = {
-    status: 'ok';
-    action: string;
-    output?: unknown;
-    metadata?: Record<string, unknown>;
-} | {
-    status: 'approval_required';
-    action: string;
-    approval: IntegrationApprovalRequest;
-    metadata?: Record<string, unknown>;
-} | {
-    status: 'failed';
-    action: string;
-    error: string;
-    metadata?: Record<string, unknown>;
-};
-interface IntegrationSandboxHostHub {
-    invokeWithCapability(token: string, request: InvokeWithCapabilityRequest): Promise<IntegrationActionResult> | IntegrationActionResult;
-}
-interface IntegrationSandboxHostOptions extends IntegrationInvocationEnvelopeValidationOptions {
-    hub: IntegrationSandboxHostHub;
-}
-declare function buildIntegrationInvocationEnvelope(input: {
-    capabilityToken: string;
-    toolName: string;
-    args?: unknown;
-    idempotencyKey: string;
-    dryRun?: boolean;
-    metadata?: Record<string, unknown>;
-}): IntegrationInvocationEnvelope;
-declare function invocationRequestFromEnvelope(envelope: IntegrationInvocationEnvelope): InvokeWithCapabilityRequest;
-declare function validateIntegrationInvocationEnvelope(envelope: IntegrationInvocationEnvelope, options?: IntegrationInvocationEnvelopeValidationOptions): void;
-declare function redactInvocationEnvelope(envelope: IntegrationInvocationEnvelope): Omit<IntegrationInvocationEnvelope, 'capabilityToken'> & {
-    capabilityToken: '[REDACTED]';
-};
-declare function redactCapability(capability: IntegrationCapability): IntegrationCapability;
-declare function normalizeIntegrationResult(result: IntegrationActionResult): NormalizedIntegrationResult;
-declare function dispatchIntegrationInvocation(envelope: IntegrationInvocationEnvelope, options: IntegrationSandboxHostOptions): Promise<NormalizedIntegrationResult>;
-declare class IntegrationSandboxHost {
-    private readonly options;
-    constructor(options: IntegrationSandboxHostOptions);
-    dispatch(envelope: IntegrationInvocationEnvelope): Promise<NormalizedIntegrationResult>;
-}
-
-interface ImportCatalogOptions {
-    providerId: string;
-    connectorId: string;
-    connectorTitle: string;
-    category?: IntegrationConnectorCategory;
-    auth?: IntegrationConnector['auth'];
-    scopes?: string[];
-    dataClass?: IntegrationDataClass;
-    defaultRisk?: IntegrationActionRisk;
-}
-interface OpenApiDocument {
-    openapi?: string;
-    swagger?: string;
-    info?: {
-        title?: string;
-    };
-    paths?: Record<string, Record<string, OpenApiOperation | unknown>>;
-}
-interface OpenApiOperation {
-    operationId?: string;
-    summary?: string;
-    description?: string;
-    parameters?: unknown[];
-    requestBody?: unknown;
-    responses?: unknown;
-    security?: Array<Record<string, string[]>>;
-    tags?: string[];
-}
-interface GraphqlOperationSpec {
-    name: string;
-    kind: 'query' | 'mutation';
-    description?: string;
-    inputSchema?: unknown;
-    outputSchema?: unknown;
-    requiredScopes?: string[];
-}
-interface McpCatalogTool {
-    name: string;
-    description?: string;
-    inputSchema?: unknown;
-    annotations?: {
-        readOnlyHint?: boolean;
-        destructiveHint?: boolean;
-        openWorldHint?: boolean;
-        title?: string;
-    };
-}
-interface McpCatalog {
-    tools: McpCatalogTool[];
-}
-declare function importOpenApiConnector(document: OpenApiDocument, options: ImportCatalogOptions): IntegrationConnector;
-declare function importGraphqlConnector(operations: GraphqlOperationSpec[], options: ImportCatalogOptions): IntegrationConnector;
-declare function importMcpConnector(catalog: McpCatalog, options: ImportCatalogOptions): IntegrationConnector;
-
-interface GatewayCatalogProviderOptions {
-    id: string;
-    kind: Extract<IntegrationProviderKind, 'nango' | 'pipedream' | 'activepieces' | 'tangle_catalog' | 'zapier' | 'executor' | 'custom'>;
-    fetchCatalog: () => Promise<GatewayCatalogEntry[]> | GatewayCatalogEntry[];
-    startAuth?: (request: StartAuthRequest) => Promise<StartAuthResult> | StartAuthResult;
-    completeAuth?: (request: CompleteAuthRequest) => Promise<IntegrationConnection> | IntegrationConnection;
-    invokeAction?: (connection: IntegrationConnection, request: IntegrationActionRequest) => Promise<IntegrationActionResult> | IntegrationActionResult;
-    cacheTtlMs?: number;
-    now?: () => Date;
-}
-interface GatewayCatalogEntry {
-    id?: string;
-    key?: string;
-    name?: string;
-    title?: string;
-    category?: string;
-    auth?: 'oauth2' | 'api_key' | 'none' | 'custom' | string;
-    scopes?: string[];
-    actions?: GatewayCatalogAction[];
-    triggers?: GatewayCatalogTrigger[];
-    metadata?: Record<string, unknown>;
-}
-interface GatewayCatalogAction {
-    id?: string;
-    key?: string;
-    name?: string;
-    title?: string;
-    description?: string;
-    risk?: 'read' | 'write' | 'destructive' | string;
-    scopes?: string[];
-    requiredScopes?: string[];
-    dataClass?: IntegrationDataClass | string;
-    approvalRequired?: boolean;
-    inputSchema?: unknown;
-    outputSchema?: unknown;
-}
-interface GatewayCatalogTrigger {
-    id?: string;
-    key?: string;
-    name?: string;
-    title?: string;
-    description?: string;
-    scopes?: string[];
-    requiredScopes?: string[];
-    dataClass?: IntegrationDataClass | string;
-    payloadSchema?: unknown;
-}
-declare function createGatewayCatalogProvider(options: GatewayCatalogProviderOptions): IntegrationProvider;
-declare function normalizeGatewayCatalog(entries: GatewayCatalogEntry[], options: {
-    providerId: string;
-    providerKind: IntegrationProviderKind;
-}): IntegrationConnector[];
-
-interface ActivepiecesCatalogEntry {
-    id: string;
-    title: string;
-    description: string;
-    npmPackage?: string;
-    version?: string;
-    category: IntegrationConnectorCategory;
-    auth: IntegrationConnector['auth'];
-    authFields?: ActivepiecesCatalogAuthField[];
-    domains: string[];
-    actions: Array<{
-        id: string;
-        title: string;
-        risk: IntegrationActionRisk;
-        upstreamName?: string;
-    }>;
-    triggers: Array<{
-        id: string;
-        title: string;
-        upstreamName?: string;
-    }>;
-    source: {
-        repository: string;
-        path: string;
-        license: 'MIT';
-    };
-}
-interface ActivepiecesCatalogAuthField {
-    key: string;
-    label: string;
-    required: boolean;
-    secret: boolean;
-    kind: 'text' | 'number' | 'boolean' | 'select' | 'object' | 'unknown';
-    description?: string;
-}
-declare function listActivepiecesCatalogEntries(): ActivepiecesCatalogEntry[];
-declare function buildActivepiecesConnectors(options?: {
-    providerId?: string;
-    includeCatalogActions?: boolean;
-    executable?: boolean;
-}): IntegrationConnector[];
-
-interface ActivepiecesPieceOverride {
-    category?: IntegrationConnectorCategory;
-    actionRisks?: Record<string, IntegrationActionRisk>;
-    approvalRequired?: Record<string, boolean>;
-}
-declare const ACTIVEPIECES_OVERRIDES: Record<string, ActivepiecesPieceOverride>;
-declare function getActivepiecesOverride(id: string): ActivepiecesPieceOverride | undefined;
-
-interface ActivepiecesExecutorInvocation {
-    connection: IntegrationConnection;
-    request: IntegrationActionRequest;
-    connector: IntegrationConnector;
-    catalogEntry: ActivepiecesCatalogEntry;
-    piece: {
-        id: string;
-        npmPackage?: string;
-        version?: string;
-        actionId: string;
-        upstreamActionName?: string;
-    };
-}
-interface ActivepiecesExecutorProviderOptions {
-    id?: string;
-    connectors?: IntegrationConnector[];
-    startAuth?: (request: StartAuthRequest) => Promise<StartAuthResult> | StartAuthResult;
-    completeAuth?: (request: CompleteAuthRequest) => Promise<IntegrationConnection> | IntegrationConnection;
-    executeAction: (invocation: ActivepiecesExecutorInvocation) => Promise<IntegrationActionResult> | IntegrationActionResult;
-}
-declare function createActivepiecesExecutorProvider(options: ActivepiecesExecutorProviderOptions): IntegrationProvider;
-
-declare const ACTIVEPIECES_RUNTIME_SIGNATURE_HEADER = "x-tangle-activepieces-signature";
-declare const TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER = "x-tangle-catalog-signature";
-interface TangleCatalogRuntimeActionRequest {
-    id: string;
-    input: unknown;
-    idempotencyKey?: string;
-    dryRun?: boolean;
-    metadata?: Record<string, unknown>;
-}
-interface TangleCatalogRuntimePiece {
-    id: string;
-    packageName?: string;
-    version?: string;
-    actionId: string;
-    upstreamActionName?: string;
-}
-interface TangleCatalogHttpExecutorOptions {
-    endpoint: string;
-    path?: string;
-    signatureHeader?: string;
-    secret?: string;
-    fetchImpl?: typeof fetch;
-    headers?: Record<string, string>;
-    timeoutMs?: number;
-    requestId?: () => string;
-}
-interface TangleCatalogHttpExecutorInvocation extends Omit<ActivepiecesExecutorInvocation, 'catalogEntry' | 'piece'> {
-    catalogEntry: unknown;
-    piece: TangleCatalogRuntimePiece;
-}
-/**
- * @deprecated Use the Tangle catalog runtime types. This name is kept only for
- * compatibility with the upstream catalog ingestion backend.
- */
-interface ActivepiecesRuntimeRequest {
-    version: 1;
-    requestId: string;
-    providerId: string;
-    connection: IntegrationConnection;
-    connector: Pick<IntegrationConnector, 'id' | 'title' | 'auth' | 'scopes' | 'metadata'>;
-    piece: ActivepiecesExecutorInvocation['piece'];
-    action: TangleCatalogRuntimeActionRequest;
-}
-/**
- * @deprecated Use `TangleCatalogHttpExecutorOptions`.
- */
-type ActivepiecesHttpExecutorOptions = TangleCatalogHttpExecutorOptions;
-/**
- * @deprecated Use `createTangleCatalogHttpExecutor`.
- */
-declare function createActivepiecesHttpExecutor(options: ActivepiecesHttpExecutorOptions): ActivepiecesExecutorProviderOptions['executeAction'];
-/**
- * @deprecated Use `buildTangleCatalogRuntimeRequest`.
- */
-declare function buildActivepiecesRuntimeRequest(invocation: ActivepiecesExecutorInvocation, requestId?: string): ActivepiecesRuntimeRequest;
-/**
- * @deprecated Use `signTangleCatalogRuntimeRequest`.
- */
-declare function signActivepiecesRuntimeRequest(serializedBody: string, secret: string): string;
-/**
- * @deprecated Use `verifyTangleCatalogRuntimeSignature`.
- */
-declare function verifyActivepiecesRuntimeSignature(serializedBody: string, signature: string | null | undefined, secret: string): boolean;
-interface TangleCatalogRuntimeRequest {
-    version: 1;
-    requestId: string;
-    providerId: string;
-    connection: IntegrationConnection;
-    connector: Pick<IntegrationConnector, 'id' | 'title' | 'auth' | 'scopes' | 'metadata'>;
-    piece: TangleCatalogRuntimePiece;
-    action: TangleCatalogRuntimeActionRequest;
-}
-declare function createTangleCatalogHttpExecutor(options: TangleCatalogHttpExecutorOptions): (invocation: TangleCatalogHttpExecutorInvocation) => Promise<IntegrationActionResult>;
-declare function buildTangleCatalogRuntimeRequest(invocation: TangleCatalogHttpExecutorInvocation, requestId?: string): TangleCatalogRuntimeRequest;
-declare const signTangleCatalogRuntimeRequest: typeof signActivepiecesRuntimeRequest;
-declare const verifyTangleCatalogRuntimeSignature: typeof verifyActivepiecesRuntimeSignature;
-
-interface IntegrationCatalogFreshnessOptions {
-    liveActivepieces?: boolean;
-    minActivepiecesConnectors?: number;
-    staleConnectorDelta?: number;
-    fetchImpl?: typeof fetch;
-}
-interface IntegrationCatalogFreshnessResult {
-    ok: boolean;
-    generatedAt: string;
-    local: {
-        activepiecesEntries: number;
-        activepiecesConnectors: number;
-        activepiecesActions: number;
-        activepiecesTriggers: number;
-        executableActivepiecesConnectors: number;
-        executableActivepiecesActions: number;
-        executableActivepiecesTriggers: number;
-        executableToolDefinitions: number;
-        unsupportedExecutableConnectorIds: string[];
-        registryEntries: number;
-        registrySummary: IntegrationRegistrySummary;
-        conflictSamples: IntegrationRegistryConflict[];
-    };
-    upstream?: {
-        activepiecesPieces?: number;
-        activepiecesDelta?: number;
-        checkedUrl: string;
-        warning?: string;
-    };
-    warnings: string[];
-}
-declare const ACTIVEPIECES_PUBLIC_CATALOG_URL = "https://www.activepieces.com/pieces";
-declare function extractActivepiecesPublicPieceCount(html: string): number | undefined;
-declare function auditIntegrationCatalogFreshness(options?: IntegrationCatalogFreshnessOptions): Promise<IntegrationCatalogFreshnessResult>;
-
-declare const TANGLE_INTEGRATIONS_CATALOG_PROVIDER_ID = "tangle-catalog";
-declare const TANGLE_INTEGRATIONS_CATALOG_SOURCE = "tangle-integrations-catalog";
-type TangleIntegrationImplementationKind = 'native_adapter' | 'package_runtime';
-type TangleIntegrationContractStatus = 'contract_ready' | 'runtime_backed' | 'native_backed';
-interface TangleIntegrationCatalogEntry {
-    id: string;
-    title: string;
-    description: string;
-    category: IntegrationConnector['category'];
-    auth: IntegrationConnector['auth'];
-    authFields?: ActivepiecesCatalogEntry['authFields'];
-    domains: string[];
-    actions: Array<{
-        id: string;
-        title: string;
-        risk: IntegrationConnector['actions'][number]['risk'];
-        upstreamName?: string;
-    }>;
-    triggers: Array<{
-        id: string;
-        title: string;
-        upstreamName?: string;
-    }>;
-}
-interface TangleIntegrationContract {
-    id: string;
-    title: string;
-    description: string;
-    category: IntegrationConnector['category'];
-    auth: IntegrationConnector['auth'];
-    authFields: NonNullable<ActivepiecesCatalogEntry['authFields']>;
-    actions: Array<{
-        id: string;
-        title: string;
-        risk: IntegrationConnector['actions'][number]['risk'];
-        upstreamName: string;
-    }>;
-    triggers: Array<{
-        id: string;
-        title: string;
-        upstreamName: string;
-    }>;
-    implementation: {
-        kind: TangleIntegrationImplementationKind;
-        runtimePackage?: string;
-        version?: string;
-    };
-    status: TangleIntegrationContractStatus;
-    quality: {
-        tangleContract: true;
-        authFieldsMapped: boolean;
-        actionNamesMapped: boolean;
-        triggerNamesMapped: boolean;
-        runtimePackageMapped: boolean;
-        nativeAdapter: boolean;
-    };
-}
-interface TangleCatalogRuntimePackageManifestOptions {
-    name?: string;
-    includeAgentIntegrationsPackage?: boolean;
-    agentIntegrationsVersion?: string;
-    additionalDependencies?: Record<string, string>;
-}
-interface TangleCatalogRuntimePackageManifest {
-    name: string;
-    private: true;
-    type: 'module';
-    dependencies: Record<string, string>;
-    tangle: {
-        integrationContracts: number;
-        packageRuntimeBackends: number;
-        generatedFrom: typeof TANGLE_INTEGRATIONS_CATALOG_SOURCE;
-    };
-}
-interface TangleCatalogExecutorInvocation {
-    connection: IntegrationConnection;
-    request: IntegrationActionRequest;
-    connector: IntegrationConnector;
-    catalogEntry: TangleIntegrationCatalogEntry;
-    piece: {
-        id: string;
-        packageName?: string;
-        version?: string;
-        actionId: string;
-        upstreamActionName?: string;
-    };
-}
-interface TangleCatalogTriggerInvocation {
-    connection: IntegrationConnection;
-    connector: IntegrationConnector;
-    catalogEntry: TangleIntegrationCatalogEntry;
-    trigger: NonNullable<IntegrationConnector['triggers']>[number];
-    targetUrl?: string;
-    piece: {
-        id: string;
-        packageName?: string;
-        version?: string;
-        triggerId: string;
-        upstreamTriggerName?: string;
-    };
-}
-interface TangleCatalogExecutorProviderOptions {
-    id?: string;
-    connectors?: IntegrationConnector[];
-    startAuth?: (request: StartAuthRequest) => Promise<StartAuthResult> | StartAuthResult;
-    completeAuth?: (request: CompleteAuthRequest) => Promise<IntegrationConnection> | IntegrationConnection;
-    executeAction: (invocation: TangleCatalogExecutorInvocation) => Promise<IntegrationActionResult> | IntegrationActionResult;
-    subscribeTrigger?: (invocation: TangleCatalogTriggerInvocation) => Promise<IntegrationTriggerSubscription> | IntegrationTriggerSubscription;
-    unsubscribeTrigger?: (subscriptionId: string) => Promise<void> | void;
-    normalizeTriggerEvent?: (raw: unknown) => Promise<IntegrationTriggerEvent> | IntegrationTriggerEvent;
-}
-type TangleIntegrationCatalogFreshnessOptions = IntegrationCatalogFreshnessOptions;
-interface TangleIntegrationCatalogFreshnessResult {
-    ok: boolean;
-    generatedAt: string;
-    local: {
-        catalogEntries: number;
-        catalogConnectors: number;
-        catalogActions: number;
-        catalogTriggers: number;
-        executableCatalogConnectors: number;
-        executableCatalogActions: number;
-        executableCatalogTriggers: number;
-        executableToolDefinitions: number;
-        unsupportedExecutableConnectorIds: string[];
-        registryEntries: number;
-        registrySummary: Awaited<ReturnType<typeof auditIntegrationCatalogFreshness>>['local']['registrySummary'];
-        conflictSamples: Awaited<ReturnType<typeof auditIntegrationCatalogFreshness>>['local']['conflictSamples'];
-    };
-    upstream?: {
-        externalEntries?: number;
-        externalDelta?: number;
-        checkedUrl: string;
-        warning?: string;
-    };
-    warnings: string[];
-}
-declare function listTangleIntegrationCatalogEntries(): TangleIntegrationCatalogEntry[];
-declare function listTangleIntegrationContracts(): TangleIntegrationContract[];
-declare function listTangleIntegrationCatalogRuntimePackages(): Array<{
-    connectorId: string;
-    packageName: string;
-    version?: string;
-}>;
-declare function buildTangleCatalogRuntimePackageManifest(options?: TangleCatalogRuntimePackageManifestOptions): TangleCatalogRuntimePackageManifest;
-declare function renderTangleCatalogRuntimePnpmAddCommand(options?: {
-    includeAgentIntegrationsPackage?: boolean;
-    agentIntegrationsVersion?: string;
-}): string;
-declare function buildTangleIntegrationCatalogConnectors(options?: {
-    providerId?: string;
-    includeCatalogActions?: boolean;
-    executable?: boolean;
-}): IntegrationConnector[];
-declare function createTangleCatalogExecutorProvider(options: TangleCatalogExecutorProviderOptions): IntegrationProvider;
-declare const extractExternalCatalogPublicCount: typeof extractActivepiecesPublicPieceCount;
-declare function auditTangleIntegrationCatalogFreshness(options?: TangleIntegrationCatalogFreshnessOptions): Promise<TangleIntegrationCatalogFreshnessResult>;
-
-interface TangleCatalogRuntimeInvocation {
-    request: TangleCatalogRuntimeRequest;
-    connection: IntegrationConnection;
-    connector: IntegrationConnector;
-    action: IntegrationConnectorAction;
-}
-interface TangleCatalogRuntimeHandlerOptions {
-    secret?: string;
-    requireSignature?: boolean;
-    signatureHeader?: string;
-    connectors?: IntegrationConnector[];
-    maxBodyBytes?: number;
-    executeAction: (invocation: TangleCatalogRuntimeInvocation) => Promise<IntegrationActionResult> | IntegrationActionResult;
-}
-interface TangleCatalogInstalledPackageExecutorOptions {
-    moduleLoader?: (packageName: string) => Promise<unknown> | unknown;
-    actionAliases?: Record<string, Record<string, string>>;
-    allowFuzzyActionMatch?: boolean;
-    resolveAuth?: (connection: IntegrationConnection) => Promise<unknown> | unknown;
-    beforeRun?: (invocation: TangleCatalogRuntimeInvocation) => Promise<void> | void;
-}
-interface TangleCatalogAuthResolverOptions {
-    secrets: IntegrationSecretStore;
-    mapCredentials?: (input: {
-        connection: IntegrationConnection;
-        credentials: ConnectorCredentials;
-        connectorId: string;
-    }) => unknown;
-}
-interface TangleCatalogHttpAuthResolverOptions {
-    endpoint: string;
-    secret: string;
-    path?: string;
-    timeoutMs?: number;
-    fetchImpl?: typeof fetch;
-    headers?: Record<string, string>;
-    requestId?: () => string;
-}
-interface TangleCatalogHttpAuthResolverRequest {
-    version: 1;
-    requestId: string;
-    providerId: string;
-    connectorId: string;
-    connectionId: string;
-    secretRef?: IntegrationConnection['secretRef'];
-}
-interface TangleCatalogRuntimeModuleAction {
-    name?: string;
-    displayName?: string;
-    run?: (context: {
-        auth: unknown;
-        propsValue: unknown;
-        input: unknown;
-        connection: IntegrationConnection;
-        request: TangleCatalogRuntimeRequest;
-    }) => Promise<unknown> | unknown;
-}
-interface TangleCatalogRuntimeHttpRequest {
-    body: string | Uint8Array | TangleCatalogRuntimeRequest;
-    headers?: Headers | Record<string, string | string[] | undefined>;
-}
-interface TangleCatalogRuntimeHttpResponse {
-    status: number;
-    headers: Record<string, string>;
-    body: IntegrationActionResult | {
-        ok: false;
-        action: string;
-        output: {
-            code: string;
-            message: string;
-        };
-    };
-}
-interface TangleCatalogRuntimePackageCoverageRow {
-    connectorId: string;
-    packageName: string;
-    packageInstalled: boolean;
-    packageLoads: boolean;
-    pieceExportFound: boolean;
-    actionMappingsVerified: number;
-    actionMappingsTotal: number;
-    triggerMappingsFound: number;
-    triggerMappingsTotal: number;
-    triggerHostingSupported: boolean;
-    error?: string;
-}
-interface TangleCatalogRuntimePackageCoverageOptions {
-    connectorIds?: string[];
-    moduleLoader?: (packageName: string) => Promise<unknown> | unknown;
-}
-declare function createTangleCatalogRuntimeHandler(options: TangleCatalogRuntimeHandlerOptions): (input: TangleCatalogRuntimeHttpRequest) => Promise<TangleCatalogRuntimeHttpResponse>;
-declare function createTangleCatalogInstalledPackageExecutor(options?: TangleCatalogInstalledPackageExecutorOptions): TangleCatalogRuntimeHandlerOptions['executeAction'];
-declare function auditTangleCatalogRuntimePackages(options?: TangleCatalogRuntimePackageCoverageOptions): Promise<TangleCatalogRuntimePackageCoverageRow[]>;
-declare function createTangleCatalogCredentialAuthResolver(options: TangleCatalogAuthResolverOptions): (connection: IntegrationConnection) => Promise<unknown>;
-declare function createTangleCatalogHttpAuthResolver(options: TangleCatalogHttpAuthResolverOptions): (connection: IntegrationConnection) => Promise<unknown>;
-declare function tangleCatalogAuthValue(credentials: ConnectorCredentials): unknown;
-
-interface TangleCatalogRuntimeNodeServerOptions {
-    secret: string;
-    host?: string;
-    port?: number;
-    path?: string;
-    maxBodyBytes?: number;
-    requireSignature?: boolean;
-    authResolver?: false | TangleCatalogHttpAuthResolverOptions;
-    executor?: Omit<TangleCatalogInstalledPackageExecutorOptions, 'resolveAuth'> & {
-        resolveAuth?: TangleCatalogInstalledPackageExecutorOptions['resolveAuth'];
-    };
-    onLog?: (event: {
-        level: 'info' | 'warn' | 'error';
-        message: string;
-        metadata?: Record<string, unknown>;
-    }) => void;
-}
-interface StartedTangleCatalogRuntimeNodeServer {
-    server: Server;
-    url: string;
-    close: () => Promise<void>;
-}
-declare function createTangleCatalogRuntimeNodeRequestListener(options: TangleCatalogRuntimeNodeServerOptions): (request: IncomingMessage, response: ServerResponse) => Promise<void>;
-declare function startTangleCatalogRuntimeNodeServer(options: TangleCatalogRuntimeNodeServerOptions): Promise<StartedTangleCatalogRuntimeNodeServer>;
-
-type IntegrationCoveragePriority = 'tier_0' | 'tier_1' | 'tier_2' | 'long_tail';
-interface IntegrationCoverageSpec {
-    id: string;
-    title: string;
-    category: IntegrationConnectorCategory;
-    auth: IntegrationConnector['auth'];
-    priority: IntegrationCoveragePriority;
-    providerKinds: IntegrationProviderKind[];
-    domains: string[];
-    actionPack: IntegrationActionPack;
-    scopes?: string[];
-}
-type IntegrationActionPack = 'email' | 'calendar' | 'chat' | 'crm' | 'storage' | 'docs' | 'database' | 'project' | 'support' | 'marketing' | 'sales' | 'commerce' | 'finance' | 'hr' | 'dev' | 'ai' | 'analytics' | 'workflow' | 'webhook';
-declare function listIntegrationCoverageSpecs(): IntegrationCoverageSpec[];
-declare function buildIntegrationCoverageConnectors(options?: {
-    providerId?: string;
-    priorities?: IntegrationCoveragePriority[];
-    categories?: IntegrationConnectorCategory[];
-    actionPacks?: IntegrationActionPack[];
-}): IntegrationConnector[];
-declare function integrationCoverageChecklistMarkdown(): string;
-
-type IntegrationAuthMode = 'oauth2' | 'api_key' | 'hmac' | 'none' | 'custom';
-type IntegrationSpecStatus = 'catalog' | 'executable' | 'deprecated';
-type IntegrationFamilyId = 'google' | 'microsoft-graph' | 'atlassian' | 'salesforce' | 'hubspot' | 'slack' | 'notion' | 'standard-oauth2' | 'api-key' | 'hmac' | 'none';
-type NormalizedPermission = `${string}.read` | `${string}.write` | `${string}.delete` | `${string}.admin`;
-interface IntegrationSpec {
-    kind: string;
-    title: string;
-    category: IntegrationConnectorCategory;
-    status: IntegrationSpecStatus;
-    family: IntegrationFamilyId;
-    auth: IntegrationAuthSpec;
-    permissions: PermissionDescriptor[];
-    actions: IntegrationConnectorAction[];
-    triggers?: IntegrationConnectorTrigger[];
-    setup: IntegrationSetupSpec;
-    lifecycle?: IntegrationLifecycleSpec;
-    plannerHints?: IntegrationPlannerHints;
-    metadata?: Record<string, unknown>;
-}
-type IntegrationAuthSpec = OAuth2AuthSpec | ApiKeyAuthSpec | HmacAuthSpec | NoneAuthSpec | CustomAuthSpec;
-interface OAuth2AuthSpec {
-    mode: 'oauth2';
-    authorizationUrl: string;
-    tokenUrl: string;
-    clientIdEnv?: string;
-    clientSecretEnv?: string;
-    scopes: ScopeDescriptor[];
-    extraAuthParams?: Record<string, string>;
-    redirectUriTemplate: string;
-    pkce?: 'required' | 'supported' | 'unsupported';
-}
-interface ApiKeyAuthSpec {
-    mode: 'api_key';
-    credential: CredentialFieldSpec;
-    placement?: 'bearer' | 'header' | 'query' | 'basic';
-}
-interface HmacAuthSpec {
-    mode: 'hmac';
-    credential: CredentialFieldSpec;
-    signatureHeader?: string;
-}
-interface NoneAuthSpec {
-    mode: 'none';
-}
-interface CustomAuthSpec {
-    mode: 'custom';
-    description: string;
-}
-interface ScopeDescriptor {
-    normalized: NormalizedPermission;
-    providerScope: string;
-    title: string;
-    reason: string;
-    risk: IntegrationActionRisk;
-    dataClass: IntegrationDataClass;
-}
-interface PermissionDescriptor {
-    normalized: NormalizedPermission;
-    providerScopes: string[];
-    title: string;
-    risk: IntegrationActionRisk;
-    dataClass: IntegrationDataClass;
-    reason: string;
-}
-interface CredentialFieldSpec {
-    label: string;
-    description: string;
-    env?: string;
-    example?: string;
-    regex?: string;
-    secret: boolean;
-}
-interface ConsoleStep {
-    id: string;
-    title: string;
-    detail: string;
-    copyValue?: string;
-}
-interface Quirk {
-    id: string;
-    severity: 'info' | 'warning' | 'critical';
-    message: string;
-}
-interface PostSetupCheck {
-    id: string;
-    title: string;
-    detail: string;
-}
-interface HealthcheckSpec {
-    id: string;
-    level: 'client_config' | 'connection' | 'webhook' | 'static';
-    method?: 'GET' | 'POST';
-    url?: string;
-    expectedStatus?: number[];
-    description: string;
-}
-interface IntegrationSetupSpec {
-    consoleUrl?: string;
-    consoleSteps: ConsoleStep[];
-    credentialFields: CredentialFieldSpec[];
-    redirectUriTemplate?: string;
-    knownQuirks?: Quirk[];
-    postSetup?: PostSetupCheck[];
-    healthcheck?: HealthcheckSpec;
-}
-interface IntegrationLifecycleSpec {
-    supportsRefresh: boolean;
-    supportsRevoke: boolean;
-    supportsIncrementalAuth: boolean;
-    recommendedHealthcheckIntervalHours?: number;
-    freshnessSloMinutes?: number;
-}
-interface IntegrationPlannerHints {
-    useFor: string[];
-    avoidFor?: string[];
-    dataFreshness: 'realtime' | 'near_realtime' | 'eventual' | 'manual';
-    writeRisk: 'low' | 'medium' | 'high';
-}
-interface IntegrationFamilySpec {
-    id: IntegrationFamilyId;
-    title: string;
-    authMode: IntegrationAuthMode;
-    consoleUrl?: string;
-    authorizationUrl?: string;
-    tokenUrl?: string;
-    redirectUriTemplate?: string;
-    credentialFields: CredentialFieldSpec[];
-    consoleSteps: ConsoleStep[];
-    knownQuirks?: Quirk[];
-    lifecycle: IntegrationLifecycleSpec;
-}
-interface IntegrationSpecValidationIssue {
-    path: string;
-    message: string;
-}
-interface IntegrationSpecValidationResult {
-    ok: boolean;
-    issues: IntegrationSpecValidationIssue[];
-}
-interface RenderSpecOptions {
-    host: string;
-    callbackPath?: string;
-}
-interface RenderedConsoleStep extends ConsoleStep {
-    detail: string;
-    copyValue?: string;
-}
-interface CredentialValidationInput {
-    field: CredentialFieldSpec;
-    value: string;
-}
-interface CredentialValidationResult {
-    ok: boolean;
-    field: string;
-    message?: string;
-}
-interface HealthcheckPlan {
-    kind: string;
-    healthcheck: HealthcheckSpec;
-    requires: Array<'client_id' | 'client_secret' | 'api_key' | 'hmac_secret' | 'connection_credentials'>;
-    message: string;
-}
-declare function specAuthToConnectorAuth(auth: IntegrationAuthSpec): IntegrationConnector['auth'];
-
-declare const INTEGRATION_FAMILIES: Record<IntegrationFamilyId, IntegrationFamilySpec>;
-declare function getIntegrationFamily(id: IntegrationFamilyId): IntegrationFamilySpec;
-
-declare function listIntegrationSpecs(): IntegrationSpec[];
-declare function getIntegrationSpec(kind: string): IntegrationSpec | undefined;
-/** Auth-driving descriptor the hub uses to start a connect flow per provider
- *  instead of hard-coding scopes/auth kind. Derived from the spec catalog
- *  ({@link getIntegrationSpec}); undefined when the kind is not in the
- *  catalog. */
-interface ConnectorAuthSpec {
-    kind: string;
-    authKind: 'oauth2' | 'api_key' | 'none' | 'custom';
-    /** Provider scopes to request in the authorization grant. Empty for
-     *  api_key / none / custom. */
-    requestedScopes: string[];
-    /** OAuth-only: authorization + token endpoints and PKCE posture. Present
-     *  only when authKind === 'oauth2'. */
-    authorizationUrl?: string;
-    tokenUrl?: string;
-    pkce?: 'required' | 'supported' | 'unsupported';
-    redirectUriTemplate?: string;
-    clientIdEnv?: string;
-    clientSecretEnv?: string;
-    extraAuthParams?: Record<string, string>;
-}
-declare function resolveConnectorAuthSpec(kind: string): ConnectorAuthSpec | undefined;
-declare function listExecutableIntegrationSpecs(): IntegrationSpec[];
-declare function integrationSpecToConnector(spec: IntegrationSpec, providerId?: string): IntegrationConnector;
-
-declare function renderConsoleSteps(spec: IntegrationSpec, options: RenderSpecOptions): RenderedConsoleStep[];
-declare function renderRunbookMarkdown(spec: IntegrationSpec, options: RenderSpecOptions): string;
-declare function renderAgentToolDescription(spec: IntegrationSpec): string;
-declare function buildHealthcheckPlan(spec: IntegrationSpec): HealthcheckPlan;
-declare function consoleStepsToText(steps: ConsoleStep[]): string;
-
-declare function validateIntegrationSpec(spec: IntegrationSpec): IntegrationSpecValidationResult;
-declare function assertValidIntegrationSpec(spec: IntegrationSpec): void;
-declare function validateCredentialFormat(field: CredentialFieldSpec, value: string): CredentialValidationResult;
-declare function validateCredentialSet(spec: IntegrationSpec, values: Record<string, string>): CredentialValidationResult[];
-
-type IntegrationProviderKind = 'first_party' | 'nango' | 'pipedream' | 'zapier' | 'activepieces' | 'tangle_catalog' | 'executor' | 'custom';
-type IntegrationConnectorCategory = 'email' | 'calendar' | 'chat' | 'crm' | 'storage' | 'docs' | 'database' | 'webhook' | 'workflow' | 'internal' | 'other';
-type IntegrationActionRisk = 'read' | 'write' | 'destructive';
-type IntegrationDataClass = 'public' | 'internal' | 'private' | 'sensitive' | 'secret';
-interface IntegrationActor {
-    type: 'user' | 'team' | 'app' | 'agent' | 'sandbox' | 'system';
-    id: string;
-}
-interface IntegrationConnectorAction {
-    id: string;
-    title: string;
-    risk: IntegrationActionRisk;
-    requiredScopes: string[];
-    dataClass: IntegrationDataClass;
-    description?: string;
-    approvalRequired?: boolean;
-    inputSchema?: unknown;
-    outputSchema?: unknown;
-}
-interface IntegrationConnectorTrigger {
-    id: string;
-    title: string;
-    requiredScopes: string[];
-    dataClass: IntegrationDataClass;
-    description?: string;
-    payloadSchema?: unknown;
-}
-interface IntegrationConnector {
-    id: string;
-    providerId: string;
-    title: string;
-    category: IntegrationConnectorCategory;
-    auth: 'oauth2' | 'api_key' | 'none' | 'custom';
-    scopes: string[];
-    actions: IntegrationConnectorAction[];
-    triggers?: IntegrationConnectorTrigger[];
-    metadata?: Record<string, unknown>;
-}
-interface SecretRef {
-    provider: string;
-    id: string;
-    label?: string;
-}
-interface IntegrationConnection {
-    id: string;
-    owner: IntegrationActor;
-    providerId: string;
-    connectorId: string;
-    status: 'pending' | 'active' | 'expired' | 'revoked' | 'error';
-    grantedScopes: string[];
-    account?: {
-        id?: string;
-        email?: string;
-        displayName?: string;
-    };
-    secretRef?: SecretRef;
-    createdAt: string;
-    updatedAt: string;
-    expiresAt?: string;
-    lastUsedAt?: string;
-    metadata?: Record<string, unknown>;
-}
-interface StartAuthRequest {
-    connectorId: string;
-    owner: IntegrationActor;
-    requestedScopes: string[];
-    redirectUri: string;
-    state?: string;
-    metadata?: Record<string, unknown>;
-}
-interface StartAuthResult {
-    providerId: string;
-    connectorId: string;
-    authUrl: string;
-    state: string;
-    expiresAt?: string;
-    metadata?: Record<string, unknown>;
-}
-interface CompleteAuthRequest {
-    connectorId: string;
-    owner: IntegrationActor;
-    code?: string;
-    state: string;
-    redirectUri: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationActionRequest {
-    connectionId: string;
-    action: string;
-    input?: unknown;
-    idempotencyKey?: string;
-    dryRun?: boolean;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationActionResult<T = unknown> {
-    ok: boolean;
-    action: string;
-    output?: T;
-    externalId?: string;
-    warnings?: string[];
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationTriggerSubscription {
-    id: string;
-    connectionId: string;
-    trigger: string;
-    targetUrl?: string;
-    status: 'active' | 'paused' | 'error';
-    createdAt: string;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationTriggerEvent<T = unknown> {
-    id: string;
-    providerId: string;
-    connectorId: string;
-    connectionId: string;
-    trigger: string;
-    occurredAt: string;
-    payload: T;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationProvider {
-    id: string;
-    kind: IntegrationProviderKind;
-    listConnectors(): Promise<IntegrationConnector[]> | IntegrationConnector[];
-    startAuth?(request: StartAuthRequest): Promise<StartAuthResult> | StartAuthResult;
-    completeAuth?(request: CompleteAuthRequest): Promise<IntegrationConnection> | IntegrationConnection;
-    invokeAction(connection: IntegrationConnection, request: IntegrationActionRequest): Promise<IntegrationActionResult> | IntegrationActionResult;
-    subscribeTrigger?(connection: IntegrationConnection, trigger: string, targetUrl?: string): Promise<IntegrationTriggerSubscription> | IntegrationTriggerSubscription;
-    unsubscribeTrigger?(subscriptionId: string): Promise<void> | void;
-    normalizeTriggerEvent?(raw: unknown): Promise<IntegrationTriggerEvent> | IntegrationTriggerEvent;
-}
-interface IntegrationConnectionStore {
-    get(connectionId: string): Promise<IntegrationConnection | undefined> | IntegrationConnection | undefined;
-    put(connection: IntegrationConnection): Promise<void> | void;
-    listByOwner(owner: IntegrationActor): Promise<IntegrationConnection[]> | IntegrationConnection[];
-    delete?(connectionId: string): Promise<void> | void;
-}
-interface IssueCapabilityRequest {
-    subject: IntegrationActor;
-    connectionId: string;
-    scopes: string[];
-    allowedActions: string[];
-    ttlMs: number;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationCapability {
-    id: string;
-    subject: IntegrationActor;
-    connectionId: string;
-    scopes: string[];
-    allowedActions: string[];
-    issuedAt: string;
-    expiresAt: string;
-    metadata?: Record<string, unknown>;
-}
-interface IssuedIntegrationCapability {
-    capability: IntegrationCapability;
-    token: string;
-}
-/**
- * Wraps every action invocation with cross-cutting discipline (idempotency,
- * conflict detection, rate-limiting, audit logging). Optional. When set on
- * the hub, runs BEFORE provider.invokeAction; can short-circuit (return a
- * result directly) or pass through (call `proceed()` to invoke the provider).
- *
- * Why this hook exists: production deployments need conflict-resolution
- * guarantees that span every provider, gateway, and webhook receiver. The
- * canonical implementation is a "MutationGuard" that:
- *   1. Short-circuits on a known idempotency key (returns recorded response).
- *   2. Refuses same-key-different-args (drift detection).
- *   3. Wraps `proceed()` and audit-logs the outcome.
- *   4. Translates upstream conflict signals into a structured result with
- *      alternatives the agent can act on.
- *
- * Implementations live in consumers (every product has different
- * persistence + telemetry needs); this interface is the contract.
- */
-interface IntegrationActionGuard {
-    /** Wrap an invokeAction call. Implementations MUST call `proceed()` to
-     *  invoke the underlying provider unless they're returning a cached or
-     *  short-circuited result.
-     *
-     *  @param ctx connection + request the hub is about to dispatch
-     *  @param proceed call to invoke the wrapped provider; returns the
-     *                 underlying IntegrationActionResult
-     *  @returns the result the hub should return to the caller
-     */
-    invokeAction(ctx: IntegrationGuardContext, proceed: () => Promise<IntegrationActionResult>): Promise<IntegrationActionResult>;
-}
-interface IntegrationGuardContext {
-    connection: IntegrationConnection;
-    request: IntegrationActionRequest;
-    /** The action descriptor from the connector manifest, if discovered. */
-    action?: IntegrationConnectorAction;
-}
-type IntegrationPolicyDecision = {
-    decision: 'allow';
-    reason: string;
-    metadata?: Record<string, unknown>;
-} | {
-    decision: 'require_approval';
-    reason: string;
-    approval: IntegrationApprovalRequest;
-    metadata?: Record<string, unknown>;
-} | {
-    decision: 'deny';
-    reason: string;
-    metadata?: Record<string, unknown>;
-};
-interface IntegrationApprovalRequest {
-    id: string;
-    connectionId: string;
-    providerId: string;
-    connectorId: string;
-    action: string;
-    actor: IntegrationActor;
-    risk: IntegrationActionRisk;
-    dataClass: IntegrationDataClass;
-    reason: string;
-    requestedAt: string;
-    inputPreview?: unknown;
-    metadata?: Record<string, unknown>;
-}
-interface IntegrationPolicyEngine {
-    decide(ctx: IntegrationGuardContext & {
-        subject: IntegrationActor;
-    }): Promise<IntegrationPolicyDecision> | IntegrationPolicyDecision;
-}
-interface IntegrationHubOptions {
-    providers: IntegrationProvider[];
-    store: IntegrationConnectionStore;
-    capabilitySecret: string;
-    /** Optional cross-cutting guard. If provided, every invokeAction call
-     *  passes through it before reaching the provider. See {@link IntegrationActionGuard}. */
-    guard?: IntegrationActionGuard;
-    /** Optional policy engine. Runs after capability/scope checks and before
-     *  provider invocation. Use it to pause writes, deny destructive actions,
-     *  or apply tenant-specific allow rules. */
-    policy?: IntegrationPolicyEngine;
-    /** Host-injectable secret store. Multi-tenant hubs inject a durable
-     *  encrypted store; defaults to {@link InMemoryIntegrationSecretStore} for
-     *  local/dev and tests. The interface is the contract — the lib never
-     *  ships a D1/KV/encryption impl. */
-    secretStore?: IntegrationSecretStore;
-    /** Host-injectable single-use OAuth-state store guarding the start →
-     *  callback CSRF boundary. Defaults to
-     *  {@link InMemoryIntegrationOAuthStateStore}. */
-    oauthStateStore?: IntegrationOAuthStateStore;
-    /** TTL applied to OAuth-state records the hub stashes at startAuth.
-     *  Defaults to 10 minutes. */
-    oauthStateTtlMs?: number;
-    /** Fired whenever a provider surfaces rotated credentials during an
-     *  invoke (e.g. an OAuth access token refreshed on expiry). The host
-     *  re-encrypts + persists the rotated envelope so the next expiry does
-     *  not force a reconnect. The hub also writes the rotated credentials to
-     *  {@link secretStore} when the connection carries a secretRef. */
-    credentialsRotated?: (event: IntegrationCredentialsRotatedEvent) => Promise<void> | void;
-    now?: () => Date;
-}
-/** Emitted when a provider rotates credentials mid-invoke. The host
- *  re-persists `credentials` against `secretRef` (when present) so the
- *  refreshed token survives the call. */
-interface IntegrationCredentialsRotatedEvent {
-    connection: IntegrationConnection;
-    secretRef?: SecretRef;
-    credentials: ConnectorCredentials;
-}
-interface HttpIntegrationProviderOptions {
-    id: string;
-    kind?: IntegrationProviderKind;
-    connectors: IntegrationConnector[];
-    baseUrl: string;
-    bearer?: string;
-    fetchImpl?: typeof fetch;
-}
-interface InvokeWithCapabilityRequest extends Omit<IntegrationActionRequest, 'connectionId'> {
-    connectionId?: never;
-}
-declare class IntegrationError extends Error {
-    readonly code: 'provider_not_found' | 'connector_not_found' | 'connection_not_found' | 'connection_not_active' | 'auth_not_supported' | 'capability_invalid' | 'capability_expired' | 'scope_denied' | 'action_denied' | 'action_not_found' | 'trigger_not_found' | 'approval_required' | 'policy_denied' | 'config_missing' | 'provider_failure';
-    constructor(message: string, code: 'provider_not_found' | 'connector_not_found' | 'connection_not_found' | 'connection_not_active' | 'auth_not_supported' | 'capability_invalid' | 'capability_expired' | 'scope_denied' | 'action_denied' | 'action_not_found' | 'trigger_not_found' | 'approval_required' | 'policy_denied' | 'config_missing' | 'provider_failure');
-}
-declare class InMemoryConnectionStore implements IntegrationConnectionStore {
-    private readonly connections;
-    get(connectionId: string): IntegrationConnection | undefined;
-    put(connection: IntegrationConnection): void;
-    listByOwner(owner: IntegrationActor): IntegrationConnection[];
-    delete(connectionId: string): void;
-}
-declare class IntegrationHub {
-    private readonly providers;
-    private readonly store;
-    private readonly capabilitySecret;
-    private readonly guard;
-    private readonly policy;
-    /** Host-injected (or in-memory default) secret store. The hub re-persists
-     *  rotated credentials here when a connection carries a secretRef. */
-    readonly secretStore: IntegrationSecretStore;
-    private readonly oauthStateStore;
-    private readonly oauthStateTtlMs;
-    private readonly credentialsRotated;
-    private readonly now;
-    constructor(options: IntegrationHubOptions);
-    listConnectors(): Promise<IntegrationConnector[]>;
-    listRegistry(options?: ComposeIntegrationRegistryOptions): Promise<IntegrationRegistry>;
-    startAuth(providerId: string, request: StartAuthRequest): Promise<StartAuthResult>;
-    completeAuth(providerId: string, request: CompleteAuthRequest): Promise<IntegrationConnection>;
-    upsertConnection(connection: IntegrationConnection): Promise<IntegrationConnection>;
-    listConnections(owner: IntegrationActor): Promise<IntegrationConnection[]>;
-    getConnection(connectionId: string): Promise<IntegrationConnection | undefined>;
-    issueCapability(request: IssueCapabilityRequest): Promise<IssuedIntegrationCapability>;
-    verifyCapability(token: string): IntegrationCapability;
-    invokeWithCapability(token: string, request: InvokeWithCapabilityRequest): Promise<IntegrationActionResult>;
-    subscribeTrigger(connectionId: string, trigger: string, targetUrl?: string): Promise<IntegrationTriggerSubscription>;
-    private requireProvider;
-    private requireConnector;
-    private requireConnection;
-    private assertConnectionActive;
-}
-declare function sanitizeConnection(connection: IntegrationConnection): Record<string, unknown>;
-declare function createMockIntegrationProvider(options?: {
-    id?: string;
-    connectors?: IntegrationConnector[];
-    onInvoke?: (connection: IntegrationConnection, request: IntegrationActionRequest) => IntegrationActionResult | Promise<IntegrationActionResult>;
-}): IntegrationProvider;
-declare function createHttpIntegrationProvider(options: HttpIntegrationProviderOptions): IntegrationProvider;
-declare function signCapability(capability: IntegrationCapability, secret: string): string;
-declare function verifyCapabilityToken(token: string, secret: string): IntegrationCapability;
-
-export { createTangleCatalogCredentialAuthResolver as $, type CheckConnectorInput as A, type CheckConnectorResult as B, type CapabilityBundleResult as C, type ComposeIntegrationRegistryOptions, type CreateGrantsInput as D, type IntegrationHubAuth as E, IntegrationHubClient as F, type IntegrationHubClientOptions as G, IntegrationHubRequestError as H, type IntegrationCatalogView as I, type IntegrationCatalogExecutability, type IntegrationCatalogSource, type IntegrationRegistry, type IntegrationRegistryConflict, type IntegrationRegistryEntry, type IntegrationRegistrySourceRef, type IntegrationRegistrySummary, type IntegrationSupportTier, type MintCapabilityBundleInput as J, createIntegrationHubClient as K, type ListGrantsInput as L, type McpToolDefinition as M, type TangleCatalogAuthResolverOptions as N, type TangleCatalogHttpAuthResolverOptions as O, type TangleCatalogHttpAuthResolverRequest as P, type TangleCatalogInstalledPackageExecutorOptions as Q, type ResolveManifestInput as R, type TangleCatalogRuntimeHandlerOptions as S, TANGLE_CATALOG_RUNTIME_SIGNATURE_HEADER as T, type TangleCatalogRuntimeHttpRequest as U, type TangleCatalogRuntimeHttpResponse as V, type TangleCatalogRuntimeInvocation as W, type TangleCatalogRuntimeModuleAction as X, type TangleCatalogRuntimePackageCoverageOptions as Y, type TangleCatalogRuntimePackageCoverageRow as Z, auditTangleCatalogRuntimePackages as _, type IntegrationToolDefinition as a, ApprovalBackedPolicyEngine as a$, createTangleCatalogHttpAuthResolver as a0, createTangleCatalogInstalledPackageExecutor as a1, createTangleCatalogRuntimeHandler as a2, signTangleCatalogRuntimeRequest as a3, tangleCatalogAuthValue as a4, verifyTangleCatalogRuntimeSignature as a5, type ApiKeyAuthSpec as a6, type ConnectorAuthSpec as a7, type ConsoleStep as a8, type CredentialFieldSpec as a9, type ScopeDescriptor as aA, assertValidIntegrationSpec as aB, buildHealthcheckPlan as aC, consoleStepsToText as aD, getIntegrationFamily as aE, getIntegrationSpec as aF, integrationSpecToConnector as aG, listExecutableIntegrationSpecs as aH, listIntegrationSpecs as aI, renderAgentToolDescription as aJ, renderConsoleSteps as aK, renderRunbookMarkdown as aL, resolveConnectorAuthSpec as aM, specAuthToConnectorAuth as aN, validateCredentialFormat as aO, validateCredentialSet as aP, validateIntegrationSpec as aQ, ACTIVEPIECES_OVERRIDES as aR, ACTIVEPIECES_PUBLIC_CATALOG_URL as aS, ACTIVEPIECES_RUNTIME_SIGNATURE_HEADER as aT, type ActivepiecesCatalogAuthField as aU, type ActivepiecesCatalogEntry as aV, type ActivepiecesExecutorInvocation as aW, type ActivepiecesExecutorProviderOptions as aX, type ActivepiecesHttpExecutorOptions as aY, type ActivepiecesPieceOverride as aZ, type ActivepiecesRuntimeRequest as a_, type CredentialValidationInput as aa, type CredentialValidationResult as ab, type CustomAuthSpec as ac, type HealthcheckPlan as ad, type HealthcheckSpec as ae, type HmacAuthSpec as af, INTEGRATION_FAMILIES as ag, type IntegrationAuthMode as ah, type IntegrationAuthSpec as ai, type IntegrationFamilyId as aj, type IntegrationFamilySpec as ak, type IntegrationLifecycleSpec as al, type IntegrationPlannerHints as am, type IntegrationSetupSpec as an, type IntegrationSpec as ao, type IntegrationSpecStatus as ap, type IntegrationSpecValidationIssue as aq, type IntegrationSpecValidationResult as ar, type NoneAuthSpec as as, type NormalizedPermission as at, type OAuth2AuthSpec as au, type PermissionDescriptor as av, type PostSetupCheck as aw, type Quirk as ax, type RenderSpecOptions as ay, type RenderedConsoleStep as az, type IntegrationToolSearchFilters as b, type IntegrationDataClass as b$, type ApprovalBackedPolicyOptions as b0, CANONICAL_INTEGRATION_ACTIONS as b1, type CanonicalIntegrationActionId as b2, type CanonicalLaunchConnectorOptions as b3, type CatalogExecutorInvocation as b4, type CatalogExecutorProviderOptions as b5, type CompleteAuthRequest as b6, type ConnectionCredentialResolverOptions as b7, type ConnectorAdapterProviderOptions as b8, type ConsentSummary as b9, type IntegrationActionRisk as bA, type IntegrationActor as bB, type IntegrationApprovalFilter as bC, type IntegrationApprovalRecord as bD, type IntegrationApprovalRequest as bE, type IntegrationApprovalResolution as bF, type IntegrationApprovalStatus as bG, type IntegrationApprovalStore as bH, type IntegrationAuditEvent as bI, type IntegrationAuditEventType as bJ, type IntegrationAuditFilter as bK, type IntegrationAuditSink as bL, type IntegrationAuditStore as bM, type IntegrationBridgePayload as bN, type IntegrationBridgeToolBinding as bO, type IntegrationCapability as bP, type IntegrationCatalogFreshnessOptions as bQ, type IntegrationCatalogFreshnessResult as bR, type IntegrationConnection as bS, type IntegrationConnectionStore as bT, type IntegrationConnector as bU, type IntegrationConnectorAction as bV, type IntegrationConnectorCategory as bW, type IntegrationConnectorTrigger as bX, type IntegrationCoveragePriority as bY, type IntegrationCoverageSpec as bZ, type IntegrationCredentialsRotatedEvent as b_, type CredentialBackedAdapterProviderOptions as ba, DEFAULT_INTEGRATION_BRIDGE_ENV as bb, DefaultIntegrationActionGuard as bc, type DiscoverWorkspaceCapabilitiesInput as bd, type GatewayCatalogAction as be, type GatewayCatalogEntry as bf, type GatewayCatalogProviderOptions as bg, type GatewayCatalogTrigger as bh, type GraphqlOperationSpec as bi, type HttpIntegrationProviderOptions as bj, type ImportCatalogOptions as bk, InMemoryConnectionStore as bl, InMemoryIntegrationApprovalStore as bm, InMemoryIntegrationAuditStore as bn, InMemoryIntegrationEventStore as bo, InMemoryIntegrationHealthcheckStore as bp, InMemoryIntegrationIdempotencyStore as bq, InMemoryIntegrationOAuthStateStore as br, InMemoryIntegrationSecretStore as bs, InMemoryIntegrationWorkflowStore as bt, type InferIntegrationRequirementsOptions as bu, buildDefaultIntegrationRegistry, type InstalledIntegrationWorkflow as bv, type IntegrationActionGuard as bw, type IntegrationActionPack as bx, type IntegrationActionRequest as by, type IntegrationActionResult as bz, type IntegrationToolSearchResult as c, type TangleCatalogExecutorProviderOptions as c$, IntegrationError as c0, type IntegrationEventStore as c1, type IntegrationGuardContext as c2, type IntegrationHealthcheckCheck as c3, type IntegrationHealthcheckResult as c4, type IntegrationHealthcheckStatus as c5, type IntegrationHealthcheckStore as c6, IntegrationHub as c7, type IntegrationHubOptions as c8, type IntegrationIdempotencyRecord as c9, type InvokeWithCapabilityRequest as cA, type IssueCapabilityRequest as cB, type IssuedIntegrationCapability as cC, type ManifestValidationIssue as cD, type ManifestValidationResult as cE, type McpCatalog as cF, type McpCatalogTool as cG, type MissingRequirementExplanation as cH, type NormalizedIntegrationResult as cI, type OAuthClientCredentials as cJ, type OpenApiDocument as cK, type OpenApiOperation as cL, PROVIDER_PASSTHROUGH_ACTION as cM, type PlatformIntegrationPolicyPresetOptions as cN, type ProviderHttpRequestInput as cO, type ProviderPassthroughPolicy as cP, type RenderConsentOptions as cQ, type SecretRef as cR, type StartAuthRequest as cS, type StartAuthResult as cT, type StartedTangleCatalogRuntimeNodeServer as cU, StaticIntegrationPolicyEngine as cV, type StaticIntegrationPolicyOptions as cW, type StoredIntegrationEvent as cX, TANGLE_INTEGRATIONS_CATALOG_PROVIDER_ID as cY, TANGLE_INTEGRATIONS_CATALOG_SOURCE as cZ, type TangleCatalogExecutorInvocation as c_, type IntegrationIdempotencyStore as ca, canonicalConnectorId, type IntegrationInvocationEnvelope as cb, type IntegrationInvocationEnvelopeValidationOptions as cc, type IntegrationOAuthState as cd, type IntegrationOAuthStateOutcome as ce, type IntegrationOAuthStateStore as cf, type IntegrationPolicyDecision as cg, type IntegrationPolicyEffect as ch, type IntegrationPolicyEngine as ci, type IntegrationPolicyRule as cj, type IntegrationProvider as ck, type IntegrationProviderKind as cl, classifyIntegrationCatalogExecutability, type IntegrationRateLimitDecision as cm, type IntegrationRateLimiter as cn, IntegrationSandboxHost as co, composeIntegrationRegistry, type IntegrationSandboxHostHub as cp, type IntegrationSandboxHostOptions as cq, type IntegrationSecretStore as cr, type IntegrationTriggerEvent as cs, type IntegrationTriggerSubscription as ct, type IntegrationWebhookReceiverResult as cu, type IntegrationWorkflowDefinition as cv, IntegrationWorkflowRuntime as cw, type IntegrationWorkflowRuntimeHub as cx, type IntegrationWorkflowRuntimeOptions as cy, type IntegrationWorkflowStore as cz, buildIntegrationCatalogView as d, discoverWorkspaceCapabilities as d$, type TangleCatalogHttpExecutorInvocation as d0, type TangleCatalogHttpExecutorOptions as d1, type TangleCatalogRuntimeActionRequest as d2, type TangleCatalogRuntimeNodeServerOptions as d3, type TangleCatalogRuntimePackageManifest as d4, type TangleCatalogRuntimePackageManifestOptions as d5, type TangleCatalogRuntimePiece as d6, type TangleCatalogRuntimeRequest as d7, type TangleCatalogTriggerInvocation as d8, type TangleIntegrationCatalogEntry as d9, buildTangleCatalogRuntimePackageManifest as dA, buildTangleCatalogRuntimeRequest as dB, buildTangleIntegrationCatalogConnectors as dC, calendarExercisePlannerManifest as dD, canonicalActionConnectorId as dE, createActivepiecesExecutorProvider as dF, createActivepiecesHttpExecutor as dG, createApprovalBackedPolicyEngine as dH, createAuditingActionGuard as dI, createCatalogExecutorProvider as dJ, createConnectionCredentialResolver as dK, createConnectorAdapterCatalogSource as dL, createConnectorAdapterProvider as dM, createCredentialBackedAdapterProvider as dN, createDefaultIntegrationActionGuard as dO, createDefaultIntegrationPolicyEngine as dP, createGatewayCatalogProvider as dQ, createHttpIntegrationProvider as dR, createIntegrationAuditEvent as dS, createIntegrationWorkflowRuntime as dT, createMockIntegrationProvider as dU, createPlatformIntegrationPolicyPreset as dV, createTangleCatalogExecutorProvider as dW, createTangleCatalogHttpExecutor as dX, createTangleCatalogRuntimeNodeRequestListener as dY, createTangleIntegrationsClient as dZ, decodeIntegrationBridgePayload as d_, type TangleIntegrationCatalogFreshnessOptions as da, type TangleIntegrationCatalogFreshnessResult as db, type TangleIntegrationContract as dc, type TangleIntegrationContractStatus as dd, type TangleIntegrationImplementationKind as de, type TangleIntegrationInvokeInput as df, type TangleIntegrationInvokeResult as dg, TangleIntegrationsClient as dh, type TangleIntegrationsClientOptions as di, type WorkspaceCapability as dj, type WorkspaceCapabilityDiscovery as dk, type WorkspaceToolSchema as dl, type WorkspaceTrigger as dm, adapterManifestsToConnectors as dn, assertValidIntegrationManifest as dp, auditIntegrationCatalogFreshness as dq, auditTangleIntegrationCatalogFreshness as dr, buildActivepiecesConnectors as ds, buildActivepiecesRuntimeRequest as dt, buildApprovalRequest as du, buildCanonicalLaunchConnectors as dv, buildIntegrationBridgeEnvironment as dw, buildIntegrationBridgePayload as dx, buildIntegrationCoverageConnectors as dy, buildIntegrationInvocationEnvelope as dz, buildIntegrationToolCatalog as e, dispatchIntegrationInvocation as e0, encodeIntegrationBridgePayload as e1, explainMissingRequirements as e2, extractActivepiecesPublicPieceCount as e3, extractExternalCatalogPublicCount as e4, filterDiscoveryByWorkspaceScopes as e5, getActivepiecesOverride as e6, healthcheckRequest as e7, importGraphqlConnector as e8, importMcpConnector as e9, sanitizeAuditConnection as eA, sanitizeConnection as eB, signActivepiecesRuntimeRequest as eC, signCapability as eD, startTangleCatalogRuntimeNodeServer as eE, storedEventToTriggerEvent as eF, validateIntegrationInvocationEnvelope as eG, validateIntegrationManifest as eH, validateProviderPassthroughRequest as eI, verifyActivepiecesRuntimeSignature as eJ, verifyCapabilityToken as eK, importOpenApiConnector as ea, inferIntegrationManifestFromTools as eb, integrationCoverageChecklistMarkdown as ec, invocationRequestFromEnvelope as ed, listActivepiecesCatalogEntries as ee, listIntegrationCoverageSpecs as ef, listTangleIntegrationCatalogEntries as eg, listTangleIntegrationCatalogRuntimePackages as eh, listTangleIntegrationContracts as ei, manifestToConnector as ej, normalizeGatewayCatalog as ek, normalizeIntegrationResult as el, parseIntegrationBridgeEnvironment as em, receiveIntegrationWebhook as en, redactApprovalRequest as eo, redactCapability as ep, redactIntegrationBridgePayload as eq, redactInvocationEnvelope as er, renderApprovalCopy as es, renderConsentSummary as et, renderTangleCatalogRuntimePnpmAddCommand as eu, resolveConnectionCredentials as ev, resolveIntegrationApproval as ew, revokeConnection as ex, runIntegrationHealthcheck as ey, runIntegrationHealthchecks as ez, describeIntegrationTool as f, flattenIntegrationToolDefinition as g, InMemoryIntegrationGrantStore as h, integrationToolName as i, inferIntegrationSupportTier, type IntegrationCapabilityBinding as j, type IntegrationGrant as k, type IntegrationGrantStore as l, type IntegrationManifest as m, type IntegrationManifestResolution as n, type IntegrationRequirement as o, parseIntegrationToolName as p, type IntegrationRequirementMode as q, type IntegrationRequirementResolution as r, searchIntegrationTools as s, summarizeIntegrationRegistry, toMcpTools as t, type IntegrationRequirementStatus as u, IntegrationRuntime as v, type IntegrationRuntimeHub as w, type IntegrationRuntimeOptions as x, type IntegrationSandboxBundle as y, createIntegrationRuntime as z };
+export { type ComposeIntegrationRegistryOptions, type IntegrationCatalogExecutability, type IntegrationRegistry, type IntegrationRegistryConflict, type IntegrationRegistryEntry, type IntegrationRegistrySourceRef, type IntegrationRegistrySummary, type IntegrationSupportTier, buildDefaultIntegrationRegistry, canonicalConnectorId, classifyIntegrationCatalogExecutability, composeIntegrationRegistry, inferIntegrationSupportTier, summarizeIntegrationRegistry };