npm - @tangle-network/agent-integrations - Versions diffs - 0.6.0 → 0.7.1 - Mend

@tangle-network/agent-integrations 0.6.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +146 -144
package/dist/index.d.ts +56 -1
package/dist/index.js +547 -0
package/dist/index.js.map +1 -1
package/docs/integration-coverage-checklist.md +9 -6
package/examples/basic-hub.ts +47 -0
package/examples/declarative-rest.ts +27 -0
package/examples/first-party-adapter.ts +32 -0
package/package.json +2 -1

package/README.md CHANGED Viewed

@@ -1,156 +1,158 @@
-# Agent Integrations
-`@tangle-network/agent-integrations` is a vendor-neutral integration layer for
-apps, sandboxes, and agents that need user-authorized connections such as email,
-calendar, Slack, CRM, storage, webhooks, and workflow triggers.
-The package does not pick a single integration vendor. Nango, Pipedream,
-Zapier-style platforms, Activepieces, executor services, and first-party
-connectors should all sit behind the same provider interface.
-## Mental Model
+# @tangle-network/agent-integrations
+Vendor-neutral integration contracts for agent apps, sandboxes, and generated
+software that need user-authorized access to external systems.
+The package standardizes connector catalogs, user connections, scoped sandbox
+capabilities, action invocation, trigger events, provider adapters, and
+first-party connector adapters. Product code can route through Nango, Pipedream,
+Activepieces, a custom gateway, or first-party adapters without changing the
+agent-facing tool contract.
+## Contents
+- [What It Provides](#what-it-provides)
+- [Architecture](#architecture)
+- [Install](#install)
+- [Core Primitives](#core-primitives)
+- [Provider Strategy](#provider-strategy)
+- [Executable Coverage](#executable-coverage)
+- [Examples](#examples)
+- [Security Model](#security-model)
+- [Development](#development)
+## What It Provides
+- A normalized connector/action/trigger catalog.
+- User-owned connection records that reference secrets without storing raw
+  credentials in public shapes.
+- Short-lived capability tokens for sandbox-safe access to a subset of a user's
+  connection.
+- Policy checks for read/write/destructive actions.
+- Invocation-envelope validation before sandbox tool calls reach the hub.
+- A generic HTTP provider boundary for hosted integration gateways.
+- A first-party `ConnectorAdapter` boundary for direct provider execution.
+- A declarative REST adapter factory for promoting REST APIs from reviewed specs.
+- A broad coverage catalog for planning hundreds of integrations without
+  pretending every catalog item is executable.
+## Architecture
 ```txt
-Connector catalog -> User connection -> Scoped capability -> Action or trigger
+connector catalog
+  -> user connection
+  -> scoped capability
+  -> policy decision
+  -> provider/action invocation
+  -> audit-safe result or normalized trigger event
 ```
-- **Connectors** describe what can be connected: Gmail, Google Calendar, Slack,
-  HubSpot, webhooks, internal tools.
-- **Connections** are user/team-owned grants. They carry secret references, not
-  raw credentials.
-- **Capabilities** are short-lived, sandbox-safe tokens that authorize a subset
-  of actions on a connection.
-- **Actions** are read/write/destructive operations.
-- **Triggers** normalize inbound events from providers into one event shape.
+Main boundaries:
-## Why This Exists
+- `IntegrationHub`: product-facing facade for catalogs, connections,
+  capabilities, and action invocation.
+- `IntegrationProvider`: vendor or gateway implementation boundary.
+- `ConnectorAdapter`: first-party connector boundary for direct API execution.
+- `IntegrationActionGuard`: optional cross-cutting hook for idempotency,
+  approval, audit logging, rate limits, and conflict handling.
-Agent Builder and sandbox apps need to support prompts like:
+## Install
-```txt
-At Gmail, build me an app that summarizes unread support emails and drafts replies.
+```sh
+pnpm add @tangle-network/agent-integrations
 ```
-The generated app should be able to request Gmail access, instantiate inside the
-user's sandbox, and let the agent read/write through a scoped integration
-capability. The sandbox should never receive reusable provider secrets.
-## Core Usage
-### Product Flow
-For Agent Builder and sandbox apps, the intended flow is:
-```txt
-generated app declares required tools
-  -> app searches the integration catalog by intent
-  -> user connects the missing accounts
-  -> runtime issues a short-lived capability to the sandbox
-  -> reads run immediately
-  -> writes pause for policy approval
-  -> every call returns an audit-safe result
+## Core Primitives
+| Primitive | Purpose |
+|---|---|
+| `IntegrationConnector` | Normalized catalog entry for a provider connection. |
+| `IntegrationConnection` | User/team/agent-owned grant with scopes and secret references. |
+| `IntegrationHub` | Facade for provider catalogs, connection storage, capabilities, and invocation. |
+| `IntegrationCapability` | Short-lived authorization for a specific subject, connection, scope set, and action set. |
+| `buildIntegrationToolCatalog` | Converts connector actions into agent/tool definitions. |
+| `searchIntegrationTools` | Intent search over normalized integration tools. |
+| `buildIntegrationCoverageConnectors` | Planning catalog for 100+ high-value integrations. |
+| `buildIntegrationInvocationEnvelope` | Sandbox-safe action envelope. |
+| `validateIntegrationInvocationEnvelope` | Runtime validation for tool/action consistency and input limits. |
+| `createHttpIntegrationProvider` | Adapter for hosted integration gateways. |
+| `createConnectorAdapterProvider` | Runs first-party `ConnectorAdapter`s through the same provider contract. |
+| `declarativeRestConnector` | Builds REST-backed first-party adapters from compact specs. |
+## Provider Strategy
+The package deliberately avoids vendor lock-in.
+- Use a hosted gateway when it compresses long-tail OAuth/API coverage.
+- Promote high-volume, sensitive, or strategically important integrations to
+  first-party adapters.
+- Keep product and sandbox code on `IntegrationHub` contracts so provider changes
+  do not alter generated apps or agent tool calls.
+- Treat catalog coverage and executable coverage as different states.
+See [Provider Decision Matrix](./docs/provider-decision-matrix.md).
+## Executable Coverage
+Current first-party adapters:
+- Google Calendar
+- Microsoft Calendar
+- Google Sheets
+- Slack
+- Slack Events
+- HubSpot
+- Notion database
+- Stripe payments pack
+- Stripe webhook receiver
+- Twilio SMS
+- Generic webhook
+- GitHub
+- GitLab
+- Airtable
+- Asana
+- Salesforce
+Broad planning coverage is generated from
+`buildIntegrationCoverageConnectors()` and tracked in
+[Integration Coverage Checklist](./docs/integration-coverage-checklist.md).
+## Examples
+Runnable examples live in [`examples/`](./examples):
+- [`examples/basic-hub.ts`](./examples/basic-hub.ts) - catalog search,
+  connection storage, capability issue, and action invocation.
+- [`examples/first-party-adapter.ts`](./examples/first-party-adapter.ts) -
+  first-party adapter provider wiring.
+- [`examples/declarative-rest.ts`](./examples/declarative-rest.ts) - compact
+  REST connector spec.
+The README stays short; examples are separate so they can be copied and expanded
+without obscuring the package contract.
+## Security Model
+- Capability tokens expire.
+- Capability tokens do not contain provider credentials.
+- Connection records carry secret references, not raw secrets.
+- Write and destructive actions can require approval.
+- Invocation envelopes validate action/tool consistency, idempotency keys,
+  metadata shape, known tools, and input size.
+- Action invocation checks ownership, connection status, scopes, allowed actions,
+  and expiration.
+- `IntegrationActionGuard` can enforce idempotency, approval, audit logging,
+  conflict handling, and rate limits across all providers.
+## Development
+```sh
+pnpm install
+pnpm typecheck
+pnpm test
+pnpm build
 ```
-The SDK surface for that flow is:
-- `buildIntegrationToolCatalog` and `searchIntegrationTools` for discoverable
-  tool catalogs.
-- `buildIntegrationCoverageConnectors` for broad planning coverage across
-  100+ high-value integrations before each one has a first-party executor.
-- `toMcpTools` for MCP-compatible tool export.
-- `IntegrationHub.issueCapability` for scoped sandbox handoff.
-- `createDefaultIntegrationPolicyEngine` for allow / approval / deny decisions.
-- `buildIntegrationInvocationEnvelope` and
-  `validateIntegrationInvocationEnvelope` for sandbox-safe tool calls with
-  action/tool consistency, idempotency-key, metadata-shape, known-tool, and
-  input-size checks.
-- `createConnectorAdapterProvider` to run first-party adapters through the hub.
-```ts
-import {
-  InMemoryConnectionStore,
-  IntegrationHub,
-  buildIntegrationToolCatalog,
-  createMockIntegrationProvider,
-  searchIntegrationTools,
-} from '@tangle-network/agent-integrations'
-const provider = createMockIntegrationProvider()
-const hub = new IntegrationHub({
-  providers: [provider],
-  store: new InMemoryConnectionStore(),
-  capabilitySecret: 'dev-secret',
-})
-const catalog = buildIntegrationToolCatalog(await hub.listConnectors())
-const tools = searchIntegrationTools(catalog, 'search unread gmail', { maxRisk: 'read' })
-const connection = await hub.upsertConnection({
-  id: 'conn_1',
-  owner: { type: 'user', id: 'user_1' },
-  providerId: 'mock',
-  connectorId: 'gmail',
-  status: 'active',
-  grantedScopes: ['email.read'],
-  createdAt: new Date().toISOString(),
-  updatedAt: new Date().toISOString(),
-})
-const capability = await hub.issueCapability({
-  subject: { type: 'sandbox', id: 'sandbox_1' },
-  connectionId: connection.id,
-  scopes: ['email.read'],
-  allowedActions: ['messages.search'],
-  ttlMs: 60_000,
-})
-const result = await hub.invokeWithCapability(capability.token, {
-  action: 'messages.search',
-  input: { q: 'is:unread' },
-})
-```
-## Provider Boundary
-Providers implement OAuth, action execution, and optional triggers. Product code
-should depend on `IntegrationHub`, not on a vendor SDK.
-Provider adapters are expected to store raw credentials in their own secure
-vault or return secret references. Connection records should remain safe to log
-after sanitization.
-For a hosted integration gateway, use the generic HTTP adapter:
-```ts
-import { createHttpIntegrationProvider } from '@tangle-network/agent-integrations'
-const provider = createHttpIntegrationProvider({
-  id: 'gateway',
-  kind: 'pipedream',
-  baseUrl: 'https://integrations.example',
-  bearer: process.env.INTEGRATION_GATEWAY_TOKEN,
-  connectors: [/* normalized connector catalog */],
-})
-```
+## License
-The HTTP adapter keeps product code stable while the backing provider can be
-Nango, Pipedream, Activepieces, a Zapier-style service, or an internal gateway.
-See [Provider Decision Matrix](./docs/provider-decision-matrix.md) for the
-build-vs-buy policy. The short version: use a vendor gateway only to compress
-time-to-coverage, but keep all product and sandbox code on this package's
-contracts so high-volume or strategic connectors can be moved first-party
-without changing agent code.
-## Security Defaults
-- Capabilities expire.
-- Capability tokens contain no provider credential.
-- Secret refs are redacted from public telemetry.
-- Write/destructive actions can be policy-gated.
-- Sandbox invocation envelopes are validated before conversion to hub requests.
-- Action invocation checks connection ownership, status, scopes, allowed
-  actions, and expiration.
-- Optional `IntegrationActionGuard` wraps every action invocation for
-  idempotency, audit logging, conflict detection, rate limits, and
-  approval gates.
+MIT

package/dist/index.d.ts CHANGED Viewed

@@ -789,6 +789,51 @@ interface NotionDatabaseOptions {
 }
 declare function notionDatabase(opts: NotionDatabaseOptions): ConnectorAdapter;
+type RestCredentialPlacement = {
+    kind: 'bearer';
+} | {
+    kind: 'header';
+    header: string;
+    prefix?: string;
+} | {
+    kind: 'query';
+    parameter: string;
+};
+interface RestConnectorSpec {
+    kind: string;
+    displayName: string;
+    description: string;
+    auth: ConnectorAdapter['manifest']['auth'];
+    category: ConnectorAdapter['manifest']['category'];
+    defaultConsistencyModel: ConnectorAdapter['manifest']['defaultConsistencyModel'];
+    baseUrl: string | {
+        metadataKey: string;
+        fallback?: string;
+    };
+    credentialPlacement?: RestCredentialPlacement;
+    defaultHeaders?: Record<string, string>;
+    capabilities: RestOperationSpec[];
+    test?: RestRequestSpec;
+}
+interface RestOperationSpec {
+    name: string;
+    class: 'read' | 'mutation';
+    description: string;
+    parameters: Record<string, unknown>;
+    requiredScopes?: string[];
+    request: RestRequestSpec;
+    cas?: 'etag-if-match' | 'native-idempotency' | 'optimistic-read-verify' | 'none';
+    externalEffect?: boolean;
+}
+interface RestRequestSpec {
+    method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+    path: string;
+    query?: Record<string, string | number | boolean | undefined>;
+    headers?: Record<string, string>;
+    body?: 'args' | string | Record<string, unknown>;
+}
+declare function declarativeRestConnector(spec: RestConnectorSpec): ConnectorAdapter;
 /**
  * Twilio SMS connector — outbound texts + recent-message lookup. The
  * agent's "send the caller a confirmation link" surface.
@@ -922,6 +967,16 @@ declare const stripeWebhookReceiverConnector: ConnectorAdapter;
 declare const slackEventsConnector: ConnectorAdapter;
+declare const githubConnector: ConnectorAdapter;
+declare const gitlabConnector: ConnectorAdapter;
+declare const airtableConnector: ConnectorAdapter;
+declare const asanaConnector: ConnectorAdapter;
+declare const salesforceConnector: ConnectorAdapter;
 interface IntegrationToolDefinition {
     name: string;
     title: string;
@@ -1446,4 +1501,4 @@ declare function createHttpIntegrationProvider(options: HttpIntegrationProviderO
 declare function signCapability(capability: IntegrationCapability, secret: string): string;
 declare function verifyCapabilityToken(token: string, secret: string): IntegrationCapability;
-export { type AuthSpec, type CASStrategy, type Capability, type CapabilityClass, type CapabilityMutation, type CapabilityMutationResult, type CapabilityParameterSchema, type CapabilityRead, type CapabilityReadResult, type CompleteAuthRequest, type ConnectorAdapter, type ConnectorAdapterProviderOptions, type ConnectorCredentials, type ConnectorInvocation, type ConnectorManifest, type ConnectorManifestValidationIssue, type ConnectorManifestValidationResult, type ConsistencyModel, CredentialsExpired, DEFAULT_SIGNATURE_TOLERANCE_SECONDS, type DataSourceMetadata, type EventHandlerResult, type ExchangeCodeInput, type GenericHmacVerifyOptions, type GoogleCalendarOptions, type GoogleSheetsOptions, type GraphqlOperationSpec, type HttpIntegrationProviderOptions, type HubSpotOptions, type ImportCatalogOptions, InMemoryConnectionStore, InMemoryOAuthFlowStore, type InboundEvent, type IntegrationActionGuard, type IntegrationActionPack, type IntegrationActionRequest, type IntegrationActionResult, type IntegrationActionRisk, type IntegrationActor, type IntegrationApprovalRequest, type IntegrationApprovalResolution, type IntegrationCapability, type IntegrationConnection, type IntegrationConnectionStore, type IntegrationConnector, type IntegrationConnectorAction, type IntegrationConnectorCategory, type IntegrationConnectorTrigger, type IntegrationCoveragePriority, type IntegrationCoverageSpec, type IntegrationDataClass, IntegrationError, type IntegrationGuardContext, IntegrationHub, type IntegrationHubOptions, type IntegrationInvocationEnvelope, type IntegrationInvocationEnvelopeValidationOptions, type IntegrationPolicyDecision, type IntegrationPolicyEffect, type IntegrationPolicyEngine, type IntegrationPolicyRule, type IntegrationProvider, type IntegrationProviderKind, type IntegrationToolDefinition, type IntegrationToolSearchFilters, type IntegrationToolSearchResult, type IntegrationTriggerEvent, type IntegrationTriggerSubscription, type InvokeWithCapabilityRequest, type IssueCapabilityRequest, type IssuedIntegrationCapability, type McpCatalog, type McpCatalogTool, type McpToolDefinition, type MicrosoftCalendarOptions, type NormalizedIntegrationResult, type NotionDatabaseOptions, type OAuthFlowStore, type OAuthTokens, type OpenApiDocument, type OpenApiOperation, type ParsedStripeSignatureHeader, type PendingOAuthFlow, type RateLimitSpec, type RefreshInput, type ResolvedDataSource, ResourceContention, type SecretRef, type SlackOptions, type SlackVerifyOptions, type StartAuthRequest, type StartAuthResult, type StartOAuthInput, type StartOAuthOutput, StaticIntegrationPolicyEngine, type StaticIntegrationPolicyOptions, type StripeVerifyOptions, type TwilioVerifyOptions, _resetPendingFlowsForTests, assertValidConnectorManifest, buildApprovalRequest, buildIntegrationCoverageConnectors, buildIntegrationInvocationEnvelope, buildIntegrationToolCatalog, consumePendingFlow, createConnectorAdapterProvider, createDefaultIntegrationPolicyEngine, createHttpIntegrationProvider, createMockIntegrationProvider, exchangeAuthorizationCode, firstHeader, googleCalendar, googleSheets, hubspot, importGraphqlConnector, importMcpConnector, importOpenApiConnector, integrationCoverageChecklistMarkdown, integrationToolName, invocationRequestFromEnvelope, listIntegrationCoverageSpecs, manifestToConnector, microsoftCalendar, normalizeIntegrationResult, notionDatabase, parseIntegrationToolName, parseStripeSignatureHeader, redactApprovalRequest, redactCapability, redactInvocationEnvelope, refreshAccessToken, sanitizeConnection, searchIntegrationTools, signCapability, slack, slackEventsConnector, startOAuthFlow, stripePackConnector, stripeWebhookReceiverConnector, toMcpTools, twilioSmsConnector, validateConnectorManifest, validateIntegrationInvocationEnvelope, verifyCapabilityToken, verifyHmacSignature, verifySlackSignature, verifyStripeSignature, verifyTwilioSignature, webhookConnector };
+export { type AuthSpec, type CASStrategy, type Capability, type CapabilityClass, type CapabilityMutation, type CapabilityMutationResult, type CapabilityParameterSchema, type CapabilityRead, type CapabilityReadResult, type CompleteAuthRequest, type ConnectorAdapter, type ConnectorAdapterProviderOptions, type ConnectorCredentials, type ConnectorInvocation, type ConnectorManifest, type ConnectorManifestValidationIssue, type ConnectorManifestValidationResult, type ConsistencyModel, CredentialsExpired, DEFAULT_SIGNATURE_TOLERANCE_SECONDS, type DataSourceMetadata, type EventHandlerResult, type ExchangeCodeInput, type GenericHmacVerifyOptions, type GoogleCalendarOptions, type GoogleSheetsOptions, type GraphqlOperationSpec, type HttpIntegrationProviderOptions, type HubSpotOptions, type ImportCatalogOptions, InMemoryConnectionStore, InMemoryOAuthFlowStore, type InboundEvent, type IntegrationActionGuard, type IntegrationActionPack, type IntegrationActionRequest, type IntegrationActionResult, type IntegrationActionRisk, type IntegrationActor, type IntegrationApprovalRequest, type IntegrationApprovalResolution, type IntegrationCapability, type IntegrationConnection, type IntegrationConnectionStore, type IntegrationConnector, type IntegrationConnectorAction, type IntegrationConnectorCategory, type IntegrationConnectorTrigger, type IntegrationCoveragePriority, type IntegrationCoverageSpec, type IntegrationDataClass, IntegrationError, type IntegrationGuardContext, IntegrationHub, type IntegrationHubOptions, type IntegrationInvocationEnvelope, type IntegrationInvocationEnvelopeValidationOptions, type IntegrationPolicyDecision, type IntegrationPolicyEffect, type IntegrationPolicyEngine, type IntegrationPolicyRule, type IntegrationProvider, type IntegrationProviderKind, type IntegrationToolDefinition, type IntegrationToolSearchFilters, type IntegrationToolSearchResult, type IntegrationTriggerEvent, type IntegrationTriggerSubscription, type InvokeWithCapabilityRequest, type IssueCapabilityRequest, type IssuedIntegrationCapability, type McpCatalog, type McpCatalogTool, type McpToolDefinition, type MicrosoftCalendarOptions, type NormalizedIntegrationResult, type NotionDatabaseOptions, type OAuthFlowStore, type OAuthTokens, type OpenApiDocument, type OpenApiOperation, type ParsedStripeSignatureHeader, type PendingOAuthFlow, type RateLimitSpec, type RefreshInput, type ResolvedDataSource, ResourceContention, type RestConnectorSpec, type RestCredentialPlacement, type RestOperationSpec, type RestRequestSpec, type SecretRef, type SlackOptions, type SlackVerifyOptions, type StartAuthRequest, type StartAuthResult, type StartOAuthInput, type StartOAuthOutput, StaticIntegrationPolicyEngine, type StaticIntegrationPolicyOptions, type StripeVerifyOptions, type TwilioVerifyOptions, _resetPendingFlowsForTests, airtableConnector, asanaConnector, assertValidConnectorManifest, buildApprovalRequest, buildIntegrationCoverageConnectors, buildIntegrationInvocationEnvelope, buildIntegrationToolCatalog, consumePendingFlow, createConnectorAdapterProvider, createDefaultIntegrationPolicyEngine, createHttpIntegrationProvider, createMockIntegrationProvider, declarativeRestConnector, exchangeAuthorizationCode, firstHeader, githubConnector, gitlabConnector, googleCalendar, googleSheets, hubspot, importGraphqlConnector, importMcpConnector, importOpenApiConnector, integrationCoverageChecklistMarkdown, integrationToolName, invocationRequestFromEnvelope, listIntegrationCoverageSpecs, manifestToConnector, microsoftCalendar, normalizeIntegrationResult, notionDatabase, parseIntegrationToolName, parseStripeSignatureHeader, redactApprovalRequest, redactCapability, redactInvocationEnvelope, refreshAccessToken, salesforceConnector, sanitizeConnection, searchIntegrationTools, signCapability, slack, slackEventsConnector, startOAuthFlow, stripePackConnector, stripeWebhookReceiverConnector, toMcpTools, twilioSmsConnector, validateConnectorManifest, validateIntegrationInvocationEnvelope, verifyCapabilityToken, verifyHmacSignature, verifySlackSignature, verifyStripeSignature, verifyTwilioSignature, webhookConnector };