@valon-technologies/gestalt 0.0.1-alpha.10 → 0.0.1-alpha.12

package/src/plugin.ts

@@ -7,6 +7,15 @@ import {
   schemaToParameters,
   writeCatalogYaml,
 } from "./catalog.ts";
+import {
+  type HTTPAck,
+  type HTTPBinding,
+  type HTTPRequestBody,
+  type HTTPSecurityScheme,
+  type PluginManifestMetadata,
+  hasPluginManifestMetadata,
+  writeManifestMetadataYaml,
+} from "./manifest-metadata.ts";
 import {
   errorMessage,
   type MaybePromise,
@@ -14,7 +23,15 @@ import {
   type Request,
   responseBrand,
   type Response,
+  type Subject,
 } from "./api.ts";
+import {
+  cloneHTTPSubjectRequest,
+  cloneHTTPSubjectResolutionContext,
+  type HTTPSubjectRequest,
+  type HTTPSubjectResolutionContext,
+  type HTTPSubjectResolver,
+} from "./http-subject.ts";
 import { RuntimeProvider, type RuntimeProviderOptions } from "./provider.ts";
 import type { Schema } from "./schema.ts";
 
@@ -82,6 +99,9 @@ export interface PluginDefinitionOptions extends RuntimeProviderOptions {
   connectionMode?: ConnectionMode;
   authTypes?: string[];
   connectionParams?: Record<string, ConnectionParamDefinition>;
+  securitySchemes?: Record<string, HTTPSecurityScheme>;
+  http?: Record<string, HTTPBinding>;
+  resolveHTTPSubject?: HTTPSubjectResolver;
   iconSvg?: string;
   operations: Array<OperationDefinition<any, any>>;
   sessionCatalog?: SessionCatalogHandler;
@@ -134,8 +154,11 @@ export class PluginProvider extends RuntimeProvider {
   readonly connectionMode: ConnectionMode;
   readonly authTypes: string[];
   readonly connectionParams: Record<string, ConnectionParamDefinition>;
+  readonly securitySchemes: Record<string, HTTPSecurityScheme>;
+  readonly http: Record<string, HTTPBinding>;
 
   private readonly sessionCatalogHandler: SessionCatalogHandler | undefined;
+  private readonly httpSubjectResolver: HTTPSubjectResolver | undefined;
   private readonly operations = new Map<string, OperationDefinition<any, any>>();
 
   constructor(options: PluginDefinitionOptions) {
@@ -144,6 +167,9 @@ export class PluginProvider extends RuntimeProvider {
     this.connectionMode = options.connectionMode ?? "unspecified";
     this.authTypes = [...(options.authTypes ?? [])];
     this.connectionParams = normalizeConnectionParams(options.connectionParams);
+    this.securitySchemes = normalizeHTTPSecuritySchemes(options.securitySchemes);
+    this.http = normalizeHTTPBindings(options.http);
+    this.httpSubjectResolver = options.resolveHTTPSubject;
     this.sessionCatalogHandler = options.sessionCatalog;
 
     for (const rawEntry of options.operations) {
@@ -174,6 +200,20 @@ export class PluginProvider extends RuntimeProvider {
     return await this.sessionCatalogHandler?.(request);
   }
 
+  /**
+   * Resolves the concrete Gestalt subject for a verified hosted HTTP request,
+   * if the plugin opts into subject resolution.
+   */
+  async resolveHTTPSubject(
+    request: HTTPSubjectRequest,
+    context: HTTPSubjectResolutionContext,
+  ): Promise<Subject | null | undefined> {
+    return await this.httpSubjectResolver?.(
+      cloneHTTPSubjectRequest(request),
+      cloneHTTPSubjectResolutionContext(context),
+    );
+  }
+
   /**
    * Returns the static catalog emitted during provider startup.
    */
@@ -255,6 +295,38 @@ export class PluginProvider extends RuntimeProvider {
     return catalogToJson(this.staticCatalog());
   }
 
+  /**
+   * Returns generated manifest-backed HTTP/security metadata for the provider.
+   */
+  staticManifestMetadata(): PluginManifestMetadata {
+    const metadata: PluginManifestMetadata = {};
+    if (Object.keys(this.securitySchemes).length > 0) {
+      metadata.securitySchemes = cloneHTTPSecuritySchemes(this.securitySchemes);
+    }
+    if (Object.keys(this.http).length > 0) {
+      metadata.http = cloneHTTPBindings(this.http);
+    }
+    return metadata;
+  }
+
+  /**
+   * Reports whether the provider emits manifest metadata in addition to catalog metadata.
+   */
+  supportsManifestMetadata(): boolean {
+    return hasPluginManifestMetadata(this.staticManifestMetadata());
+  }
+
+  /**
+   * Writes generated manifest metadata to disk as YAML.
+   */
+  writeManifestMetadata(path: string): void {
+    const metadata = this.staticManifestMetadata();
+    if (!hasPluginManifestMetadata(metadata)) {
+      return;
+    }
+    writeManifestMetadataYaml(path, metadata);
+  }
+
   /**
    * Executes an operation against validated input and request metadata.
    */
@@ -349,6 +421,136 @@ function normalizeConnectionParams(
   return output;
 }
 
+function normalizeHTTPSecuritySchemes(
+  input: Record<string, HTTPSecurityScheme> | undefined,
+): Record<string, HTTPSecurityScheme> {
+  const output: Record<string, HTTPSecurityScheme> = {};
+  for (const [key, value] of Object.entries(input ?? {})) {
+    output[key] = cloneHTTPSecurityScheme(value);
+  }
+  return output;
+}
+
+function cloneHTTPSecuritySchemes(
+  input: Record<string, HTTPSecurityScheme>,
+): Record<string, HTTPSecurityScheme> {
+  const output: Record<string, HTTPSecurityScheme> = {};
+  for (const [key, value] of Object.entries(input)) {
+    output[key] = cloneHTTPSecurityScheme(value);
+  }
+  return output;
+}
+
+function cloneHTTPSecurityScheme(value: HTTPSecurityScheme): HTTPSecurityScheme {
+  const output: HTTPSecurityScheme = {};
+  if (value.type !== undefined) {
+    output.type = value.type;
+  }
+  if (value.description !== undefined) {
+    output.description = value.description;
+  }
+  if (value.signatureHeader !== undefined) {
+    output.signatureHeader = value.signatureHeader;
+  }
+  if (value.signaturePrefix !== undefined) {
+    output.signaturePrefix = value.signaturePrefix;
+  }
+  if (value.payloadTemplate !== undefined) {
+    output.payloadTemplate = value.payloadTemplate;
+  }
+  if (value.timestampHeader !== undefined) {
+    output.timestampHeader = value.timestampHeader;
+  }
+  if (value.maxAgeSeconds !== undefined) {
+    output.maxAgeSeconds = value.maxAgeSeconds;
+  }
+  if (value.name !== undefined) {
+    output.name = value.name;
+  }
+  if (value.in !== undefined) {
+    output.in = value.in;
+  }
+  if (value.scheme !== undefined) {
+    output.scheme = value.scheme;
+  }
+  if (value.secret) {
+    output.secret = {
+      ...value.secret,
+    };
+  }
+  return output;
+}
+
+function normalizeHTTPBindings(
+  input: Record<string, HTTPBinding> | undefined,
+): Record<string, HTTPBinding> {
+  const output: Record<string, HTTPBinding> = {};
+  for (const [key, value] of Object.entries(input ?? {})) {
+    output[key] = cloneHTTPBinding(value);
+  }
+  return output;
+}
+
+function cloneHTTPBindings(
+  input: Record<string, HTTPBinding>,
+): Record<string, HTTPBinding> {
+  const output: Record<string, HTTPBinding> = {};
+  for (const [key, value] of Object.entries(input)) {
+    output[key] = cloneHTTPBinding(value);
+  }
+  return output;
+}
+
+function cloneHTTPBinding(value: HTTPBinding): HTTPBinding {
+  const output: HTTPBinding = {
+    path: value.path,
+    method: value.method,
+    security: value.security,
+    target: value.target,
+  };
+  if (value.requestBody) {
+    output.requestBody = cloneHTTPRequestBody(value.requestBody);
+  }
+  if (value.ack) {
+    output.ack = cloneHTTPAck(value.ack);
+  }
+  return output;
+}
+
+function cloneHTTPRequestBody(value: HTTPRequestBody): HTTPRequestBody {
+  const output: HTTPRequestBody = {};
+  if (value.required !== undefined) {
+    output.required = value.required;
+  }
+  if (value.content) {
+    output.content = {};
+    for (const key of Object.keys(value.content)) {
+      output.content[key] = {};
+    }
+  }
+  return output;
+}
+
+function cloneHTTPAck(value: HTTPAck): HTTPAck {
+  const output: HTTPAck = {};
+  if (value.status !== undefined) {
+    output.status = value.status;
+  }
+  if (value.headers) {
+    output.headers = {
+      ...value.headers,
+    };
+  }
+  if (value.body !== undefined) {
+    output.body = cloneHTTPBodyValue(value.body);
+  }
+  return output;
+}
+
+function cloneHTTPBodyValue<T>(value: T): T {
+  return structuredClone(value);
+}
+
 function isResponse(value: unknown): value is Response<unknown> {
   if (typeof value !== "object" || value === null) {
     return false;

package/src/runtime.ts

@@ -40,9 +40,12 @@ import {
   CatalogSchema as ProtoCatalogSchema,
   ConnectionMode as ProviderConnectionMode,
   GetSessionCatalogResponseSchema,
+  ResolveHTTPSubjectResponseSchema,
   OperationResultSchema,
   ProviderMetadataSchema,
+  type HTTPSubjectRequest as ProtoHTTPSubjectRequest,
   type RequestContext as ProtoRequestContext,
+  type ResolveHTTPSubjectRequest as ProtoResolveHTTPSubjectRequest,
   IntegrationProvider as IntegrationProviderService,
   StartProviderResponseSchema,
   type ExecuteRequest,
@@ -68,6 +71,11 @@ import {
 import { CacheProvider, isCacheProvider } from "./cache.ts";
 import { SecretsProvider, isSecretsProvider } from "./secrets.ts";
 import { catalogToYaml, type Catalog } from "./catalog.ts";
+import {
+  HTTPSubjectResolutionError,
+  type HTTPSubjectRequest,
+  type HTTPSubjectResolutionContext,
+} from "./http-subject.ts";
 import {
   PluginProvider,
   connectionModeToProtoValue,
@@ -106,6 +114,11 @@ export const ENV_PROVIDER_PARENT_PID = "GESTALT_PLUGIN_PARENT_PID";
  * Environment variable used to request static catalog generation.
  */
 export const ENV_WRITE_CATALOG = "GESTALT_PLUGIN_WRITE_CATALOG";
+/**
+ * Environment variable used to request generated manifest metadata export.
+ */
+export const ENV_WRITE_MANIFEST_METADATA =
+  "GESTALT_PLUGIN_WRITE_MANIFEST_METADATA";
 /**
  * Protocol version currently implemented by the TypeScript runtime.
  */
@@ -288,13 +301,19 @@ export async function runLoadedProvider(
   }
 
   const catalogPath = process.env[ENV_WRITE_CATALOG];
-  if (catalogPath) {
+  const manifestMetadataPath = process.env[ENV_WRITE_MANIFEST_METADATA];
+  if (catalogPath || manifestMetadataPath) {
     if (!isPluginProvider(provider)) {
       throw new Error(
-        "static catalog generation is only supported for plugin providers",
+        "static catalog and manifest metadata generation are only supported for plugin providers",
       );
     }
-    writeFileSync(catalogPath, catalogToYaml(provider.staticCatalog()), "utf8");
+    if (catalogPath) {
+      writeFileSync(catalogPath, catalogToYaml(provider.staticCatalog()), "utf8");
+    }
+    if (manifestMetadataPath && provider.supportsManifestMetadata()) {
+      provider.writeManifestMetadata(manifestMetadataPath);
+    }
     return;
   }
 
@@ -508,6 +527,36 @@ export function createProviderService(
         ),
       );
     },
+    async resolveHTTPSubject(request: ProtoResolveHTTPSubjectRequest) {
+      let subject;
+      try {
+        subject = await provider.resolveHTTPSubject(
+          providerHTTPSubjectRequest(request.request),
+          providerHTTPSubjectResolutionContext(request.context),
+        );
+      } catch (error) {
+        if (error instanceof HTTPSubjectResolutionError) {
+          return create(ResolveHTTPSubjectResponseSchema, {
+            rejectStatus: error.status,
+            rejectMessage: error.message,
+          });
+        }
+        throw new ConnectError(
+          `resolve http subject: ${errorMessage(error)}`,
+          Code.Unknown,
+        );
+      }
+      return create(ResolveHTTPSubjectResponseSchema, subject
+        ? {
+            subject: {
+              id: subject.id,
+              kind: subject.kind,
+              displayName: subject.displayName,
+              authSource: subject.authSource,
+            },
+          }
+        : {});
+    },
     async getSessionCatalog(request: GetSessionCatalogRequest) {
       let catalog: Catalog | Record<string, unknown> | null | undefined;
       try {
@@ -741,6 +790,48 @@ function providerRequest(
   };
 }
 
+function providerHTTPSubjectRequest(
+  request?: ProtoHTTPSubjectRequest,
+): HTTPSubjectRequest {
+  return {
+    binding: request?.binding ?? "",
+    method: request?.method ?? "",
+    path: request?.path ?? "",
+    contentType: request?.contentType ?? "",
+    headers: providerStringLists(request?.headers),
+    query: providerStringLists(request?.query),
+    params: objectFromUnknown(request?.params),
+    rawBody: new Uint8Array(request?.rawBody ?? new Uint8Array()),
+    securityScheme: request?.securityScheme ?? "",
+    verifiedSubject: request?.verifiedSubject ?? "",
+    verifiedClaims: {
+      ...(request?.verifiedClaims ?? {}),
+    },
+  };
+}
+
+function providerHTTPSubjectResolutionContext(
+  requestContext?: ProtoRequestContext,
+): HTTPSubjectResolutionContext {
+  const request = providerRequest("", {}, requestContext);
+  return {
+    subject: request.subject,
+    credential: request.credential,
+    access: request.access,
+    workflow: request.workflow,
+  };
+}
+
+function providerStringLists(
+  input: Record<string, { values?: string[] }> | undefined,
+): Record<string, string[]> {
+  const output: Record<string, string[]> = {};
+  for (const [key, value] of Object.entries(input ?? {})) {
+    output[key] = [...(value.values ?? [])];
+  }
+  return output;
+}
+
 function providerRuntimeEntry(
   kind: ProviderKind,
 ): ProviderRuntimeEntry {

package/src/s3.ts

@@ -1,5 +1,3 @@
-import { connect } from "node:net";
-
 import { create } from "@bufbuild/protobuf";
 import { EmptySchema } from "@bufbuild/protobuf/wkt";
 import {
@@ -503,9 +501,9 @@ export class S3 {
       throw new Error(`${envName} is not set`);
     }
     const transport = createGrpcTransport({
-      baseUrl: "http://localhost",
+      baseUrl: unixSocketBaseUrl(socketPath),
       nodeOptions: {
-        createConnection: () => connect(socketPath),
+        path: socketPath,
       },
     });
     this.client = createClient(S3Service, transport);
@@ -740,6 +738,15 @@ export class S3Object {
   }
 }
 
+function unixSocketBaseUrl(socketPath: string): string {
+  let hash = 0x811c9dc5;
+  for (const char of socketPath) {
+    hash ^= char.charCodeAt(0);
+    hash = Math.imul(hash, 0x01000193);
+  }
+  return `http://unix-${(hash >>> 0).toString(16)}.local`;
+}
+
 async function invokeS3Provider<T>(label: string, fn: () => Promise<T>): Promise<T> {
   try {
     return await fn();

package/src/workflow-manager.ts

@@ -6,37 +6,69 @@ import { createGrpcTransport } from "@connectrpc/connect-node";
 
 import {
   WorkflowManagerCreateScheduleRequestSchema,
+  WorkflowManagerCreateEventTriggerRequestSchema,
   WorkflowManagerDeleteScheduleRequestSchema,
+  WorkflowManagerDeleteEventTriggerRequestSchema,
   WorkflowManagerGetScheduleRequestSchema,
+  WorkflowManagerGetEventTriggerRequestSchema,
   WorkflowManagerHost as WorkflowManagerHostService,
   WorkflowManagerPauseScheduleRequestSchema,
+  WorkflowManagerPauseEventTriggerRequestSchema,
+  WorkflowManagerPublishEventRequestSchema,
   WorkflowManagerResumeScheduleRequestSchema,
+  WorkflowManagerResumeEventTriggerRequestSchema,
   WorkflowManagerUpdateScheduleRequestSchema,
+  WorkflowManagerUpdateEventTriggerRequestSchema,
   type ManagedWorkflowSchedule,
+  type ManagedWorkflowEventTrigger,
+  type WorkflowEvent,
 } from "../gen/v1/workflow_pb.ts";
 import type { Request } from "./api.ts";
 
 export const ENV_WORKFLOW_MANAGER_SOCKET = "GESTALT_WORKFLOW_MANAGER_SOCKET";
 
 export type ManagedWorkflowScheduleMessage = ManagedWorkflowSchedule;
+export type ManagedWorkflowEventTriggerMessage = ManagedWorkflowEventTrigger;
+export type WorkflowEventMessage = WorkflowEvent;
 export type WorkflowManagerCreateScheduleInput = MessageInitShape<
   typeof WorkflowManagerCreateScheduleRequestSchema
 >;
+export type WorkflowManagerCreateTriggerInput = MessageInitShape<
+  typeof WorkflowManagerCreateEventTriggerRequestSchema
+>;
 export type WorkflowManagerGetScheduleInput = MessageInitShape<
   typeof WorkflowManagerGetScheduleRequestSchema
 >;
+export type WorkflowManagerGetTriggerInput = MessageInitShape<
+  typeof WorkflowManagerGetEventTriggerRequestSchema
+>;
 export type WorkflowManagerUpdateScheduleInput = MessageInitShape<
   typeof WorkflowManagerUpdateScheduleRequestSchema
 >;
+export type WorkflowManagerUpdateTriggerInput = MessageInitShape<
+  typeof WorkflowManagerUpdateEventTriggerRequestSchema
+>;
 export type WorkflowManagerDeleteScheduleInput = MessageInitShape<
   typeof WorkflowManagerDeleteScheduleRequestSchema
 >;
+export type WorkflowManagerDeleteTriggerInput = MessageInitShape<
+  typeof WorkflowManagerDeleteEventTriggerRequestSchema
+>;
 export type WorkflowManagerPauseScheduleInput = MessageInitShape<
   typeof WorkflowManagerPauseScheduleRequestSchema
 >;
+export type WorkflowManagerPauseTriggerInput = MessageInitShape<
+  typeof WorkflowManagerPauseEventTriggerRequestSchema
+>;
 export type WorkflowManagerResumeScheduleInput = MessageInitShape<
   typeof WorkflowManagerResumeScheduleRequestSchema
 >;
+export type WorkflowManagerResumeTriggerInput = MessageInitShape<
+  typeof WorkflowManagerResumeEventTriggerRequestSchema
+>;
+export type WorkflowManagerPublishEventInput = MessageInitShape<
+  typeof WorkflowManagerPublishEventRequestSchema
+>;
 
 export class WorkflowManager {
   private readonly client: Client<typeof WorkflowManagerHostService>;
@@ -116,6 +148,69 @@ export class WorkflowManager {
       invocationToken: this.invocationToken,
     });
   }
+
+  async createTrigger(
+    request: WorkflowManagerCreateTriggerInput,
+  ): Promise<ManagedWorkflowEventTriggerMessage> {
+    return await this.client.createEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async getTrigger(
+    request: WorkflowManagerGetTriggerInput,
+  ): Promise<ManagedWorkflowEventTriggerMessage> {
+    return await this.client.getEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async updateTrigger(
+    request: WorkflowManagerUpdateTriggerInput,
+  ): Promise<ManagedWorkflowEventTriggerMessage> {
+    return await this.client.updateEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async deleteTrigger(
+    request: WorkflowManagerDeleteTriggerInput,
+  ): Promise<void> {
+    await this.client.deleteEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async pauseTrigger(
+    request: WorkflowManagerPauseTriggerInput,
+  ): Promise<ManagedWorkflowEventTriggerMessage> {
+    return await this.client.pauseEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async resumeTrigger(
+    request: WorkflowManagerResumeTriggerInput,
+  ): Promise<ManagedWorkflowEventTriggerMessage> {
+    return await this.client.resumeEventTrigger({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
+
+  async publishEvent(
+    request: WorkflowManagerPublishEventInput,
+  ): Promise<WorkflowEventMessage> {
+    return await this.client.publishEvent({
+      ...request,
+      invocationToken: this.invocationToken,
+    });
+  }
 }
 
 function normalizeInvocationToken(requestOrToken: Request | string): string {