@valon-technologies/gestalt 0.0.1-alpha.18 → 0.0.1-alpha.20

package/src/protocol-internal.ts

@@ -0,0 +1,19 @@
+import type { JsonObject } from "@bufbuild/protobuf";
+
+import {
+  jsonObjectFromStruct,
+  structFromObject,
+  type JsonObjectInput,
+} from "./protocol.ts";
+
+export function optionalStruct(
+  value?: JsonObjectInput | undefined,
+): JsonObject | undefined {
+  return value === undefined ? undefined : structFromObject(value);
+}
+
+export function optionalObjectFromStruct(
+  value?: JsonObject | undefined,
+): JsonObjectInput | undefined {
+  return value === undefined ? undefined : jsonObjectFromStruct(value);
+}

package/src/protocol.ts

@@ -0,0 +1,186 @@
+import {
+  create,
+  fromJson,
+  toJson,
+  type JsonObject,
+  type JsonValue,
+} from "@bufbuild/protobuf";
+import {
+  StructSchema,
+  TimestampSchema,
+  ValueSchema,
+  type Struct,
+  type Timestamp,
+  type Value,
+} from "@bufbuild/protobuf/wkt";
+
+const MIN_TIMESTAMP_SECONDS = -62_135_596_800n;
+const MAX_TIMESTAMP_SECONDS = 253_402_300_799n;
+const MIN_TIMESTAMP_SECONDS_NUMBER = Number(MIN_TIMESTAMP_SECONDS);
+const MAX_TIMESTAMP_SECONDS_NUMBER = Number(MAX_TIMESTAMP_SECONDS);
+
+/** Primitive values accepted in protobuf JSON payloads. */
+export type JsonPrimitiveInput = null | boolean | number | string;
+/** Native value accepted by SDK-owned protocol helpers before runtime validation. */
+export type JsonInput = JsonPrimitiveInput | readonly unknown[] | object;
+/** Native object accepted by SDK-owned Struct helpers before runtime validation. */
+export type JsonObjectInput = object;
+/** Alias for google.protobuf.Struct at protocol boundaries. */
+export type { Struct };
+/** Alias for google.protobuf.Value at protocol boundaries. */
+export type { Value };
+/** Alias for google.protobuf.Timestamp at protocol boundaries. */
+export type { Timestamp };
+
+/** Schema for google.protobuf.Struct. */
+export { StructSchema };
+/** Schema for google.protobuf.Value. */
+export { ValueSchema };
+/** Schema for google.protobuf.Timestamp. */
+export { TimestampSchema };
+
+/** Returns a protobuf Struct-compatible JSON object for generated message fields. */
+export function structFromObject(value: JsonObjectInput = {}): JsonObject {
+  return normalizeJsonObject(value, "struct", new WeakSet<object>());
+}
+
+/** Returns a protobuf Struct-compatible JSON object for generated message fields. */
+export function structFromJsonObject(value: JsonObject = {}): JsonObject {
+  return structFromObject(value);
+}
+
+/** Converts a protobuf Struct-compatible field value back to a JSON object. */
+export function jsonObjectFromStruct(value?: JsonObject | undefined): JsonObject {
+  return value === undefined ? {} : { ...value };
+}
+
+/** Converts a JSON-compatible native value into a protobuf Value message. */
+export function valueFromJson(value: JsonInput): Value {
+  return fromJson(ValueSchema, jsonFromInput(value));
+}
+
+/** Converts a protobuf Value message into its JSON value. */
+export function jsonFromValue(value?: Value | undefined): JsonValue {
+  if (value === undefined) {
+    return null;
+  }
+  return toJson(ValueSchema, value);
+}
+
+/** Converts a valid JavaScript Date into a protobuf Timestamp message. */
+export function timestampFromDate(value: Date): Timestamp {
+  const millis = value.getTime();
+  if (Number.isNaN(millis)) {
+    throw new TypeError("timestampFromDate expects a valid Date");
+  }
+  const seconds = Math.floor(millis / 1000);
+  if (
+    seconds < MIN_TIMESTAMP_SECONDS_NUMBER ||
+    seconds > MAX_TIMESTAMP_SECONDS_NUMBER
+  ) {
+    throw new RangeError("Date is outside the protobuf Timestamp range");
+  }
+  const nanos = Math.trunc((millis - (seconds * 1000)) * 1_000_000);
+  return create(TimestampSchema, {
+    seconds: BigInt(seconds),
+    nanos,
+  });
+}
+
+/** Converts a protobuf Timestamp message into a JavaScript Date. */
+export function dateFromTimestamp(value: Timestamp): Date {
+  if (value.nanos < 0 || value.nanos >= 1_000_000_000) {
+    throw new RangeError("protobuf Timestamp nanos out of range");
+  }
+  if (
+    value.seconds < MIN_TIMESTAMP_SECONDS ||
+    value.seconds > MAX_TIMESTAMP_SECONDS
+  ) {
+    throw new RangeError("protobuf Timestamp seconds out of range");
+  }
+  const millis =
+    (Number(value.seconds) * 1000) + Math.trunc(value.nanos / 1_000_000);
+  const date = new Date(millis);
+  if (Number.isNaN(date.getTime())) {
+    throw new RangeError("protobuf Timestamp seconds out of range");
+  }
+  return date;
+}
+
+/** Returns a protobuf-compatible JSON value from native SDK input. */
+export function jsonFromInput(value: JsonInput): JsonValue {
+  return normalizeJsonValue(value, "value", new WeakSet<object>());
+}
+
+function normalizeJsonObject(
+  value: unknown,
+  path: string,
+  seen: WeakSet<object>,
+): JsonObject {
+  if (!isPlainObject(value)) {
+    throw new TypeError(`${path} must be a plain JSON object`);
+  }
+  if (seen.has(value)) {
+    throw new TypeError(`${path} contains a cycle`);
+  }
+  seen.add(value);
+  try {
+    const output: JsonObject = {};
+    for (const key of Reflect.ownKeys(value)) {
+      if (typeof key !== "string") {
+        throw new TypeError(`${path} keys must be strings`);
+      }
+    }
+    for (const [key, entry] of Object.entries(value)) {
+      output[key] = normalizeJsonValue(entry, `${path}.${key}`, seen);
+    }
+    return output;
+  } finally {
+    seen.delete(value);
+  }
+}
+
+function normalizeJsonValue(
+  value: unknown,
+  path: string,
+  seen: WeakSet<object>,
+): JsonValue {
+  if (value === null) {
+    return null;
+  }
+  if (typeof value === "string" || typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new TypeError(`${path} must be a finite number`);
+    }
+    return value;
+  }
+  if (typeof value === "undefined") {
+    throw new TypeError(`${path} must not be undefined`);
+  }
+  if (typeof value === "bigint" || typeof value === "symbol" || typeof value === "function") {
+    throw new TypeError(`${path} must be JSON-compatible`);
+  }
+  if (Array.isArray(value)) {
+    if (seen.has(value)) {
+      throw new TypeError(`${path} contains a cycle`);
+    }
+    seen.add(value);
+    try {
+      return value.map((entry, index) => normalizeJsonValue(entry, `${path}[${index}]`, seen));
+    } finally {
+      seen.delete(value);
+    }
+  }
+  return normalizeJsonObject(value, path, seen);
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  if (value === null || typeof value !== "object") {
+    return false;
+  }
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}

package/src/provider-kind.ts

@@ -20,6 +20,12 @@ const PROVIDER_KIND_DEFINITIONS = {
     defaultExportNames: ["authentication", "provider"],
     label: "authentication provider",
   },
+  authorization: {
+    tokens: ["authorization", "authz"],
+    formatToken: "authorization",
+    defaultExportNames: ["authorization", "provider"],
+    label: "authorization provider",
+  },
   cache: {
     tokens: ["cache"],
     formatToken: "cache",
@@ -72,9 +78,7 @@ const EXTERNAL_PROVIDER_KIND_TOKEN_SET = new Set<string>(
 
 const EXTERNAL_PROVIDER_KIND_MAP = new Map<string, ProviderKind>(
   Object.entries(PROVIDER_KIND_DEFINITIONS).flatMap(([kind, definition]) =>
-    definition.tokens.map(
-      (token) => [token, kind as ProviderKind] as const,
-    ),
+    definition.tokens.map((token) => [token, kind as ProviderKind] as const),
   ),
 );
 

package/src/provider.ts

@@ -6,6 +6,7 @@ import type { MaybePromise } from "./api.ts";
 export type ProviderKind =
   | "integration"
   | "authentication"
+  | "authorization"
   | "cache"
   | "secrets"
   | "s3"
@@ -55,9 +56,9 @@ export type StartHandler = () => MaybePromise<void>;
 export type CloseHandler = () => MaybePromise<void>;
 
 /**
- * Shared runtime metadata and lifecycle hooks for authored providers.
+ * Shared provider metadata and lifecycle hooks for authored providers.
  */
-export interface RuntimeProviderOptions {
+export interface ProviderBaseOptions {
   name?: string;
   displayName?: string;
   description?: string;
@@ -72,7 +73,7 @@ export interface RuntimeProviderOptions {
 /**
  * Base class shared by all TypeScript SDK provider implementations.
  */
-export abstract class RuntimeProvider {
+export abstract class ProviderBase {
   abstract readonly kind: ProviderKind;
 
   name: string;
@@ -86,7 +87,7 @@ export abstract class RuntimeProvider {
   private readonly startHandler: StartHandler | undefined;
   private readonly closeHandler: CloseHandler | undefined;
 
-  protected constructor(options: RuntimeProviderOptions) {
+  protected constructor(options: ProviderBaseOptions) {
     this.name = slugName(options.name ?? "");
     this.displayName = options.displayName?.trim() ?? "";
     this.description = options.description?.trim() ?? "";
@@ -106,7 +107,7 @@ export abstract class RuntimeProvider {
     }
   }
 
-  runtimeMetadata(): ProviderMetadata {
+  providerMetadata(): ProviderMetadata {
     const metadata: ProviderMetadata = {
       kind: this.kind,
     };
@@ -125,7 +126,10 @@ export abstract class RuntimeProvider {
     return metadata;
   }
 
-  async configureProvider(name: string, config: Record<string, unknown>): Promise<void> {
+  async configureProvider(
+    name: string,
+    config: Record<string, unknown>,
+  ): Promise<void> {
     await this.configureHandler?.(name, config);
   }
 
@@ -157,28 +161,32 @@ export abstract class RuntimeProvider {
 }
 
 /**
- * Runtime type guard for values that implement the provider base contract.
+ * Type guard for values that implement the provider base contract.
  */
-export function isRuntimeProvider(value: unknown): value is RuntimeProvider {
+export function isProviderBase(value: unknown): value is ProviderBase {
   return (
-    value instanceof RuntimeProvider ||
+    value instanceof ProviderBase ||
     (typeof value === "object" &&
       value !== null &&
       "kind" in value &&
       "resolveName" in value &&
       typeof (value as { resolveName?: unknown }).resolveName === "function" &&
       "configureProvider" in value &&
-      typeof (value as { configureProvider?: unknown }).configureProvider === "function" &&
+      typeof (value as { configureProvider?: unknown }).configureProvider ===
+        "function" &&
       "supportsHealthCheck" in value &&
-      typeof (value as { supportsHealthCheck?: unknown }).supportsHealthCheck === "function" &&
+      typeof (value as { supportsHealthCheck?: unknown })
+        .supportsHealthCheck === "function" &&
       "healthCheck" in value &&
       typeof (value as { healthCheck?: unknown }).healthCheck === "function" &&
       "startProvider" in value &&
-      typeof (value as { startProvider?: unknown }).startProvider === "function" &&
+      typeof (value as { startProvider?: unknown }).startProvider ===
+        "function" &&
       "warnings" in value &&
       typeof (value as { warnings?: unknown }).warnings === "function" &&
       "closeProvider" in value &&
-      typeof (value as { closeProvider?: unknown }).closeProvider === "function")
+      typeof (value as { closeProvider?: unknown }).closeProvider ===
+        "function")
   );
 }
 

package/src/runtime-log-host.ts

@@ -1,7 +1,6 @@
 import { connect } from "node:net";
 import { Writable } from "node:stream";
 
-import type { MessageInitShape } from "@bufbuild/protobuf";
 import {
   createClient,
   type Client,
@@ -10,11 +9,10 @@ import {
 import { createGrpcTransport } from "@connectrpc/connect-node";
 
 import {
-  AppendPluginRuntimeLogsRequestSchema,
-  type AppendPluginRuntimeLogsResponse,
   PluginRuntimeLogHost as PluginRuntimeLogHostService,
-  PluginRuntimeLogStream,
+  PluginRuntimeLogStream as ProtoPluginRuntimeLogStream,
 } from "./internal/gen/v1/pluginruntime_pb.ts";
+import { timestampFromDate } from "./protocol.ts";
 
 /** Environment variable containing the runtime-log host-service target. */
 export const ENV_RUNTIME_LOG_HOST_SOCKET = "GESTALT_RUNTIME_LOG_SOCKET";
@@ -28,16 +26,8 @@ const RUNTIME_LOG_RELAY_TOKEN_HEADER = "x-gestalt-host-service-relay-token";
 
 /** Named runtime log streams accepted by the authored SDK. */
 export type RuntimeLogStreamName = "stdout" | "stderr" | "runtime";
-/** Runtime log stream input, either a named stream or generated enum value. */
-export type RuntimeLogStreamInput =
-  | RuntimeLogStreamName
-  | PluginRuntimeLogStream;
-/** Shape accepted by `RuntimeLogHost.appendLogs`. */
-export type RuntimeLogAppendLogsInput = MessageInitShape<
-  typeof AppendPluginRuntimeLogsRequestSchema
->;
-/** Response message returned after appending runtime logs. */
-export type RuntimeLogAppendResponseMessage = AppendPluginRuntimeLogsResponse;
+/** Runtime log stream input accepted by authored APIs. */
+export type RuntimeLogStreamInput = RuntimeLogStreamName;
 
 /** One runtime log entry to append through `RuntimeLogHost.append`. */
 export interface RuntimeLogAppendInput {
@@ -53,6 +43,20 @@ export interface RuntimeLogAppendInput {
   sourceSeq?: number | bigint;
 }
 
+/** Batch of runtime log entries to append through `RuntimeLogHost.appendLogs`. */
+export interface RuntimeLogAppendLogsInput {
+  /** Runtime session id. Defaults to `GESTALT_RUNTIME_SESSION_ID`. */
+  sessionId?: string | undefined;
+  /** Log entries to append. */
+  logs: readonly RuntimeLogAppendInput[];
+}
+
+/** Response returned after appending runtime logs. */
+export interface RuntimeLogAppendResponse {
+  /** Last source sequence accepted by the host. */
+  lastSeq: bigint;
+}
+
 /** Options for the `Writable` returned by `RuntimeLogHost.writer`. */
 export interface RuntimeLogWriterOptions {
   /** Runtime session id. Defaults to `GESTALT_RUNTIME_SESSION_ID`. */
@@ -66,8 +70,8 @@ export interface RuntimeLogWriterOptions {
 /**
  * Client for appending plugin-runtime logs to the host.
  *
- * Use `append` for a single entry, `appendLogs` for a protocol-shaped batch, or
- * `writer` to bridge Node streams into the runtime log host.
+ * Use `append` for a single entry, `appendLogs` for a native batch, or `writer`
+ * to bridge Node streams into the runtime log host.
  */
 export class RuntimeLogHost {
   private readonly client: Client<typeof PluginRuntimeLogHostService>;
@@ -102,31 +106,23 @@ export class RuntimeLogHost {
 
   async appendLogs(
     request: RuntimeLogAppendLogsInput,
-  ): Promise<RuntimeLogAppendResponseMessage> {
-    return await this.client.appendLogs(request);
+  ): Promise<RuntimeLogAppendResponse> {
+    const sessionId = runtimeLogBatchSessionId(request);
+    return runtimeLogAppendResponseFromProto(
+      await this.client.appendLogs({
+        sessionId,
+        logs: request.logs.map((log) => this.runtimeLogEntryToProto(log)),
+      }),
+    );
   }
 
   /** Appends one runtime log entry. */
   async append(
     input: RuntimeLogAppendInput,
-  ): Promise<RuntimeLogAppendResponseMessage> {
-    const sourceSeq =
-      input.sourceSeq === undefined
-        ? (this.sourceSeq += 1n)
-        : BigInt(input.sourceSeq);
-    if (sourceSeq > this.sourceSeq) {
-      this.sourceSeq = sourceSeq;
-    }
+  ): Promise<RuntimeLogAppendResponse> {
     return await this.appendLogs({
-      sessionId: runtimeSessionId(input.sessionId),
-      logs: [
-        {
-          stream: runtimeLogStream(input.stream ?? "runtime"),
-          message: runtimeLogMessage(input.message),
-          observedAt: toProtoTimestamp(input.observedAt ?? new Date()),
-          sourceSeq,
-        },
-      ],
+      sessionId: input.sessionId,
+      logs: [input],
     });
   }
 
@@ -171,6 +167,22 @@ export class RuntimeLogHost {
       },
     });
   }
+
+  private runtimeLogEntryToProto(input: RuntimeLogAppendInput) {
+    const sourceSeq =
+      input.sourceSeq === undefined
+        ? (this.sourceSeq += 1n)
+        : BigInt(input.sourceSeq);
+    if (sourceSeq > this.sourceSeq) {
+      this.sourceSeq = sourceSeq;
+    }
+    return {
+      stream: runtimeLogStream(input.stream ?? "runtime"),
+      message: runtimeLogMessage(input.message),
+      observedAt: timestampFromDate(input.observedAt ?? new Date()),
+      sourceSeq,
+    };
+  }
 }
 
 function runtimeSessionId(sessionId?: string): string {
@@ -181,6 +193,27 @@ function runtimeSessionId(sessionId?: string): string {
   return value;
 }
 
+function runtimeLogBatchSessionId(request: RuntimeLogAppendLogsInput): string {
+  const explicitSessionIds = new Set<string>();
+  addRuntimeLogSessionId(explicitSessionIds, request.sessionId);
+  for (const log of request.logs) {
+    addRuntimeLogSessionId(explicitSessionIds, log.sessionId);
+  }
+  if (explicitSessionIds.size > 1) {
+    throw new Error("runtime log host: appendLogs entries must use one session id");
+  }
+  return runtimeSessionId(
+    request.sessionId ?? request.logs.find((log) => log.sessionId)?.sessionId,
+  );
+}
+
+function addRuntimeLogSessionId(values: Set<string>, sessionId?: string): void {
+  const value = sessionId?.trim();
+  if (value) {
+    values.add(value);
+  }
+}
+
 function runtimeLogTransportOptions(rawTarget: string): {
   baseUrl: string;
   nodeOptions?: { path: string };
@@ -232,17 +265,22 @@ function runtimeLogRelayTokenInterceptor(token: string): Interceptor {
   };
 }
 
-function runtimeLogStream(stream: RuntimeLogStreamInput): PluginRuntimeLogStream {
-  if (typeof stream === "number") {
-    return stream;
-  }
+function runtimeLogAppendResponseFromProto(
+  response: { lastSeq: bigint },
+): RuntimeLogAppendResponse {
+  return { lastSeq: response.lastSeq };
+}
+
+function runtimeLogStream(
+  stream: RuntimeLogStreamInput,
+): ProtoPluginRuntimeLogStream {
   switch (stream.trim().toLowerCase()) {
     case "stdout":
-      return PluginRuntimeLogStream.STDOUT;
+      return ProtoPluginRuntimeLogStream.STDOUT;
     case "stderr":
-      return PluginRuntimeLogStream.STDERR;
+      return ProtoPluginRuntimeLogStream.STDERR;
     case "runtime":
-      return PluginRuntimeLogStream.RUNTIME;
+      return ProtoPluginRuntimeLogStream.RUNTIME;
     default:
       throw new Error(`unsupported runtime log stream ${JSON.stringify(stream)}`);
   }
@@ -255,16 +293,6 @@ function runtimeLogMessage(message: string | Uint8Array): string {
   return Buffer.from(message).toString("utf8");
 }
 
-function toProtoTimestamp(value: Date): { seconds: bigint; nanos: number } {
-  const millis = value.getTime();
-  const seconds = Math.floor(millis / 1000);
-  const nanos = Math.trunc((millis - (seconds * 1000)) * 1_000_000);
-  return {
-    seconds: BigInt(seconds),
-    nanos,
-  };
-}
-
 function toError(error: unknown): Error {
   return error instanceof Error ? error : new Error(String(error));
 }

package/src/runtime.ts

@@ -25,6 +25,7 @@ import {
   type CompleteLoginRequest as AuthCompleteLoginRequest,
   type ValidateExternalTokenRequest,
 } from "./internal/gen/v1/authentication_pb.ts";
+import { AuthorizationProvider as AuthorizationProviderService } from "./internal/gen/v1/authorization_pb.ts";
 import {
   Cache as CacheService,
   CacheDeleteManyResponseSchema,
@@ -45,6 +46,7 @@ import {
   CatalogSchema as ProtoCatalogSchema,
   ConnectionMode as ProviderConnectionMode,
   GetSessionCatalogResponseSchema,
+  OperationAnnotationsSchema as ProtoOperationAnnotationsSchema,
   PostConnectResponseSchema,
   ResolveHTTPSubjectResponseSchema,
   OperationResultSchema,
@@ -84,9 +86,15 @@ import {
   isAuthenticationProvider,
   type AuthenticatedUser,
 } from "./auth.ts";
+import {
+  AuthorizationProvider,
+  createAuthorizationProviderService,
+  isAuthorizationProvider,
+} from "./authorization.ts";
 import { CacheProvider, isCacheProvider } from "./cache.ts";
 import { SecretsProvider, isSecretsProvider } from "./secrets.ts";
 import { catalogToYaml, type Catalog } from "./catalog.ts";
+import { valueFromJson, type JsonInput } from "./protocol.ts";
 import {
   HTTPSubjectResolutionError,
   type HTTPSubjectRequest,
@@ -145,6 +153,7 @@ export const CURRENT_PROTOCOL_VERSION = 3;
  */
 export const USAGE = "usage: bun run runtime.ts ROOT PROVIDER_TARGET";
 export { createAgentProviderService } from "./agent.ts";
+export { createAuthorizationProviderService } from "./authorization.ts";
 export { createPluginRuntimeProviderService } from "./pluginruntime.ts";
 export { createWorkflowProviderService } from "./workflow.ts";
 
@@ -162,6 +171,7 @@ export type RuntimeArgs = {
 export type LoadedProvider =
   | PluginProvider
   | AuthenticationProvider
+  | AuthorizationProvider
   | CacheProvider
   | SecretsProvider
   | S3Provider
@@ -199,6 +209,18 @@ const PROVIDER_RUNTIME_ENTRIES: Partial<
       );
     },
   },
+  authorization: {
+    isProvider: isAuthorizationProvider as (
+      value: unknown,
+    ) => value is LoadedProvider,
+    protoKind: ProtoProviderKind.AUTHORIZATION,
+    registerService(router, provider) {
+      router.service(
+        AuthorizationProviderService,
+        createAuthorizationProviderService(provider as AuthorizationProvider),
+      );
+    },
+  },
   cache: {
     isProvider: isCacheProvider as (value: unknown) => value is LoadedProvider,
     protoKind: ProtoProviderKind.CACHE,
@@ -596,6 +618,7 @@ export function createProviderService(
               kind: subject.kind,
               displayName: subject.displayName,
               authSource: subject.authSource,
+              email: subject.email ?? "",
             },
           }
         : {});
@@ -822,6 +845,9 @@ function providerRequest(
   idempotencyKey = "",
 ): Request {
   const subject = requestContext?.subject;
+  const agentSubject = requestContext?.agentSubject;
+  const externalIdentity = requestContext?.externalIdentity;
+  const agentExternalIdentity = requestContext?.agentExternalIdentity;
   const credential = requestContext?.credential;
   const access = requestContext?.access;
   const host = requestContext?.host;
@@ -835,6 +861,22 @@ function providerRequest(
       kind: subject?.kind ?? "",
       displayName: subject?.displayName ?? "",
       authSource: subject?.authSource ?? "",
+      email: subject?.email ?? "",
+    },
+    agentSubject: {
+      id: agentSubject?.id ?? "",
+      kind: agentSubject?.kind ?? "",
+      displayName: agentSubject?.displayName ?? "",
+      authSource: agentSubject?.authSource ?? "",
+      email: agentSubject?.email ?? "",
+    },
+    externalIdentity: {
+      type: externalIdentity?.type ?? "",
+      id: externalIdentity?.id ?? "",
+    },
+    agentExternalIdentity: {
+      type: agentExternalIdentity?.type ?? "",
+      id: agentExternalIdentity?.id ?? "",
     },
     credential: {
       mode: credential?.mode ?? "",
@@ -982,8 +1024,20 @@ function catalogToProto(catalog: Catalog | Record<string, unknown>) {
         method: op.method,
         title: op.title ?? "",
         description: op.description ?? "",
+        inputSchema: catalogSchemaToWire(op.inputSchema),
+        outputSchema: catalogSchemaToWire(op.outputSchema),
+        annotations: op.annotations
+          ? create(ProtoOperationAnnotationsSchema, {
+              readOnlyHint: op.annotations.readOnlyHint,
+              idempotentHint: op.annotations.idempotentHint,
+              destructiveHint: op.annotations.destructiveHint,
+              openWorldHint: op.annotations.openWorldHint,
+            })
+          : undefined,
+        requiredScopes: op.requiredScopes ?? [],
         tags: op.tags ?? [],
         readOnly: op.readOnly ?? false,
+        transport: op.transport ?? "",
         allowedRoles: op.allowedRoles ?? [],
         parameters: (op.parameters ?? []).map((p) =>
           create(ProtoCatalogParameterSchema, {
@@ -991,6 +1045,9 @@ function catalogToProto(catalog: Catalog | Record<string, unknown>) {
             type: p.type,
             description: p.description ?? "",
             required: p.required ?? false,
+            default: p.default !== undefined
+              ? valueFromJson(p.default as JsonInput)
+              : undefined,
           }),
         ),
       });
@@ -1002,6 +1059,16 @@ function catalogToProto(catalog: Catalog | Record<string, unknown>) {
   });
 }
 
+function catalogSchemaToWire(schema: unknown): string {
+  if (schema === undefined || schema === null) {
+    return "";
+  }
+  if (typeof schema === "string") {
+    return schema;
+  }
+  return JSON.stringify(schema);
+}
+
 function authenticatedUserToProto(user: AuthenticatedUser) {
   return create(AuthenticatedUserSchema, {
     subject: user.subject,