@vellumai/assistant 0.4.48 → 0.4.50

package/src/oauth/byo-connection.test.ts

@@ -63,14 +63,54 @@ mock.module("../security/oauth2.js", () => {
   };
 });
 
+// ---------------------------------------------------------------------------
+// Mock oauth-store — token-manager reads refresh config from SQLite
+// ---------------------------------------------------------------------------
+
+/** Mutable per-test map of provider connections for getConnectionByProvider */
+const mockConnections = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    oauthAppId: string;
+    expiresAt: number | null;
+    grantedScopes?: string;
+    accountInfo?: string | null;
+  }
+>();
+const mockApps = new Map<
+  string,
+  {
+    id: string;
+    providerKey: string;
+    clientId: string;
+    clientSecretCredentialPath: string;
+  }
+>();
+const mockProviders = new Map<
+  string,
+  {
+    key: string;
+    tokenUrl: string;
+    tokenEndpointAuthMethod?: string;
+    baseUrl?: string;
+  }
+>();
+
+mock.module("./oauth-store.js", () => ({
+  getConnectionByProvider: (service: string) => mockConnections.get(service),
+  getApp: (id: string) => mockApps.get(id),
+  getProvider: (key: string) => mockProviders.get(key),
+  updateConnection: () => {},
+  getMostRecentAppByProvider: () => undefined,
+  listConnections: () => [],
+}));
+
 // ---------------------------------------------------------------------------
 // Imports (after mocks)
 // ---------------------------------------------------------------------------
 
-import {
-  _resetMigrationFlag,
-  credentialKey,
-} from "../security/credential-key.js";
 import { setSecureKey } from "../security/secure-keys.js";
 import {
   _resetInflightRefreshes,
@@ -88,7 +128,6 @@ import { resolveOAuthConnection } from "./connection-resolver.js";
 // ---------------------------------------------------------------------------
 
 const originalFetch = globalThis.fetch;
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
 let mockFetch: ReturnType<typeof mock<any>>;
 
 // ---------------------------------------------------------------------------
@@ -110,7 +149,10 @@ beforeEach(() => {
   _resetBackend();
   _resetRefreshBreakers();
   _resetInflightRefreshes();
-  _resetMigrationFlag();
+  // Clear mock oauth-store maps
+  mockConnections.clear();
+  mockApps.clear();
+  mockProviders.clear();
 
   // Default mock fetch returning 200 JSON
   mockFetch = mock(() =>
@@ -139,16 +181,41 @@ function setupCredential(
   service: string,
   opts?: { expiresAt?: number; grantedScopes?: string[] },
 ) {
-  setSecureKey(credentialKey(service, "access_token"), "test-access-token");
-  setSecureKey(credentialKey(service, "refresh_token"), "test-refresh-token");
-  setSecureKey(credentialKey(service, "client_secret"), "test-client-secret");
-  upsertCredentialMetadata(service, "access_token", {
+  // Seed mock oauth-store maps so token-manager can resolve refresh config
+  const appId = `app-${service}`;
+  const connId = `conn-${service}`;
+  mockProviders.set(service, {
+    key: service,
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    // Only well-known providers (gmail) have a baseUrl; custom services don't
+    baseUrl:
+      service === "integration:gmail"
+        ? "https://gmail.googleapis.com/gmail/v1/users/me"
+        : undefined,
+  });
+  mockApps.set(appId, {
+    id: appId,
+    providerKey: service,
+    clientId: "test-client-id",
+    clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
+  });
+  mockConnections.set(service, {
+    id: connId,
+    providerKey: service,
+    oauthAppId: appId,
     expiresAt: opts?.expiresAt ?? Date.now() + 3600 * 1000,
-    grantedScopes: opts?.grantedScopes ?? ["read", "write"],
-    oauth2TokenUrl: "https://oauth2.googleapis.com/token",
-    oauth2ClientId: "test-client-id",
-    hasRefreshToken: true,
+    grantedScopes: JSON.stringify(opts?.grantedScopes ?? ["read", "write"]),
+    accountInfo: null,
   });
+  // Store access token in oauth-store key format
+  setSecureKey(`oauth_connection/${connId}/access_token`, "test-access-token");
+  // Store refresh token and client_secret in secure keys (token-manager reads them)
+  setSecureKey(
+    `oauth_connection/${connId}/refresh_token`,
+    "test-refresh-token",
+  );
+  setSecureKey(`oauth_app/${appId}/client_secret`, "test-client-secret");
+  upsertCredentialMetadata(service, "access_token", {});
 }
 
 function createConnection(service = "integration:gmail"): BYOOAuthConnection {
@@ -185,10 +252,10 @@ describe("BYOOAuthConnection", () => {
       expect(url).toBe(
         "https://gmail.googleapis.com/gmail/v1/users/me/messages",
       );
-      expect((init as RequestInit).headers).toMatchObject({
-        Authorization: "Bearer test-access-token",
-        "Content-Type": "application/json",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Authorization")).toBe("Bearer test-access-token");
+      // GET requests have no body, so Content-Type should not be set
+      expect(headers.has("Content-Type")).toBe(false);
       expect((init as RequestInit).method).toBe("GET");
     });
 
@@ -237,6 +304,9 @@ describe("BYOOAuthConnection", () => {
         JSON.stringify({ raw: "base64-encoded-email" }),
       );
       expect((init as RequestInit).method).toBe("POST");
+      // POST requests with a body should include Content-Type
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Content-Type")).toBe("application/json");
     });
 
     test("retries once on 401 response", async () => {
@@ -336,10 +406,9 @@ describe("BYOOAuthConnection", () => {
       });
 
       const [, init] = mockFetch.mock.calls[0];
-      expect((init as RequestInit).headers).toMatchObject({
-        "X-Custom-Header": "custom-value",
-        Authorization: "Bearer test-access-token",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("X-Custom-Header")).toBe("custom-value");
+      expect(headers.get("Authorization")).toBe("Bearer test-access-token");
     });
   });
 
@@ -361,9 +430,10 @@ describe("BYOOAuthConnection", () => {
 
       // The request should use the refreshed token
       const [, init] = mockFetch.mock.calls[0];
-      expect((init as RequestInit).headers).toMatchObject({
-        Authorization: "Bearer refreshed-access-token",
-      });
+      const headers = (init as RequestInit).headers as Headers;
+      expect(headers.get("Authorization")).toBe(
+        "Bearer refreshed-access-token",
+      );
     });
   });
 
@@ -433,4 +503,42 @@ describe("resolveOAuthConnection", () => {
       /No base URL configured for "integration:custom-service"/,
     );
   });
+
+  test("resolves base URL via app's canonical providerKey for custom credential_service", () => {
+    // Set up a well-known provider with a baseUrl
+    mockProviders.set("github", {
+      key: "github",
+      tokenUrl: "https://github.com/login/oauth/access_token",
+      baseUrl: "https://api.github.com",
+    });
+    // The custom credential service has no provider entry of its own
+    // (getProvider("integration:github-work") returns undefined)
+
+    // App points to the canonical "github" provider
+    const appId = "app-github-work";
+    mockApps.set(appId, {
+      id: appId,
+      providerKey: "github",
+      clientId: "test-client-id",
+      clientSecretCredentialPath: `oauth_app/${appId}/client_secret`,
+    });
+
+    // Connection uses the custom credential service as its providerKey
+    const connId = "conn-github-work";
+    mockConnections.set("integration:github-work", {
+      id: connId,
+      providerKey: "integration:github-work",
+      oauthAppId: appId,
+      expiresAt: Date.now() + 3600 * 1000,
+      grantedScopes: JSON.stringify(["repo"]),
+      accountInfo: null,
+    });
+    setSecureKey(`oauth_connection/${connId}/access_token`, "ghp-test-token");
+
+    const conn = resolveOAuthConnection("integration:github-work");
+
+    expect(conn).toBeInstanceOf(BYOOAuthConnection);
+    expect(conn.providerKey).toBe("integration:github-work");
+    expect(conn.grantedScopes).toEqual(["repo"]);
+  });
 });

package/src/oauth/byo-connection.ts

@@ -53,7 +53,14 @@ export class BYOOAuthConnection implements OAuthConnection {
       let fullUrl = `${effectiveBaseUrl}${req.path}`;
 
       if (req.query && Object.keys(req.query).length > 0) {
-        const params = new URLSearchParams(req.query);
+        const params = new URLSearchParams();
+        for (const [key, value] of Object.entries(req.query)) {
+          if (Array.isArray(value)) {
+            for (const v of value) params.append(key, v);
+          } else {
+            params.append(key, value);
+          }
+        }
         fullUrl += `?${params.toString()}`;
       }
 
@@ -62,13 +69,22 @@ export class BYOOAuthConnection implements OAuthConnection {
         "Making authenticated request",
       );
 
+      // Use the Headers API for case-insensitive merging. Set defaults
+      // first so caller-supplied headers (in any casing) override them.
+      const headers = new Headers();
+      if (req.body) {
+        headers.set("Content-Type", "application/json");
+      }
+      if (req.headers) {
+        for (const [key, value] of Object.entries(req.headers)) {
+          headers.set(key, value);
+        }
+      }
+      headers.set("Authorization", `Bearer ${token}`);
+
       const resp = await fetch(fullUrl, {
         method: req.method,
-        headers: {
-          ...(req.body ? { "Content-Type": "application/json" } : {}),
-          ...req.headers,
-          Authorization: `Bearer ${token}`,
-        },
+        headers,
         body: req.body ? JSON.stringify(req.body) : undefined,
         signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
       });

package/src/oauth/connect-orchestrator.ts

@@ -12,7 +12,7 @@
  * - Ensuring metadata is writable (assertMetadataWritable)
  *
  * The orchestrator handles:
- * - Provider profile resolution
+ * - Provider config resolution (from DB)
  * - Scope policy enforcement
  * - Building the OAuth2Config
  * - Running the interactive or deferred flow
@@ -23,13 +23,54 @@
 import type { TokenEndpointAuthMethod } from "../security/oauth2.js";
 import { prepareOAuth2Flow, startOAuth2Flow } from "../security/oauth2.js";
 import { getLogger } from "../util/logger.js";
-import type { OAuthConnectResult } from "./connect-types.js";
-import { getProviderProfile, resolveService } from "./provider-profiles.js";
+import type {
+  OAuthConnectResult,
+  OAuthProviderBehavior,
+  OAuthScopePolicy,
+} from "./connect-types.js";
+import { getProvider } from "./oauth-store.js";
+import { getProviderBehavior, resolveService } from "./provider-behaviors.js";
 import { resolveScopes } from "./scope-policy.js";
 import { storeOAuth2Tokens } from "./token-persistence.js";
 
 const log = getLogger("oauth-connect-orchestrator");
 
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Look up the code-side behavioral fields for a provider.
+ * Returns an empty object when no behavior is registered.
+ */
+function resolveBehavior(providerKey: string): {
+  identityVerifier?: OAuthProviderBehavior["identityVerifier"];
+  setup?: OAuthProviderBehavior["setup"];
+  setupSkillId?: string;
+  postConnectHookId?: string;
+  injectionTemplates?: OAuthProviderBehavior["injectionTemplates"];
+} {
+  const behavior = getProviderBehavior(providerKey);
+  if (!behavior) return {};
+  return {
+    identityVerifier: behavior.identityVerifier,
+    setup: behavior.setup,
+    setupSkillId: behavior.setupSkillId,
+    postConnectHookId: behavior.postConnectHookId,
+    injectionTemplates: behavior.injectionTemplates,
+  };
+}
+
+/** Safely parse a JSON string, returning a fallback on failure or null/undefined input. */
+function safeJsonParse<T>(value: string | null | undefined, fallback: T): T {
+  if (value == null) return fallback;
+  try {
+    return JSON.parse(value) as T;
+  } catch {
+    return fallback;
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Options
 // ---------------------------------------------------------------------------
@@ -63,15 +104,6 @@ export interface OAuthConnectOptions {
     accountInfo?: string;
     error?: string;
   }) => void;
-
-  // Optional overrides — when provided, these take precedence over the
-  // provider profile. This lets callers connect custom / unknown providers.
-  authUrl?: string;
-  tokenUrl?: string;
-  scopes?: string[];
-  extraParams?: Record<string, string>;
-  userinfoUrl?: string;
-  tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
 }
 
 // ---------------------------------------------------------------------------
@@ -90,42 +122,69 @@ export async function orchestrateOAuthConnect(
   options: OAuthConnectOptions,
 ): Promise<OAuthConnectResult> {
   const resolvedService = resolveService(options.service);
-  const profile = getProviderProfile(resolvedService);
 
-  // Merge explicit overrides with profile defaults
-  const authUrl = options.authUrl ?? profile?.authUrl;
-  const tokenUrl = options.tokenUrl ?? profile?.tokenUrl;
-  const extraParams = options.extraParams ?? profile?.extraParams;
-  const userinfoUrl = options.userinfoUrl ?? profile?.userinfoUrl;
-  const tokenEndpointAuthMethod =
-    options.tokenEndpointAuthMethod ?? profile?.tokenEndpointAuthMethod;
+  // Read provider config from the DB
+  const providerRow = getProvider(resolvedService);
+  if (!providerRow) {
+    return {
+      success: false,
+      error: `No OAuth provider registered for "${resolvedService}". Ensure the provider is seeded in the database.`,
+      safeError: true,
+    };
+  }
+
+  // Behavioral/code-side fields come from the behavior registry
+  const behavior = resolveBehavior(resolvedService);
 
-  // Scopes: use explicit override, then try scope policy resolution, then profile defaults
-  let finalScopes: string[];
-  if (options.scopes) {
-    // Explicit scopes override — bypass policy (caller takes responsibility)
-    finalScopes = options.scopes;
-  } else if (profile) {
-    const scopeResult = resolveScopes(profile, options.requestedScopes);
-    if (!scopeResult.ok) {
-      const guidance = scopeResult.allowedScopes
-        ? ` Allowed scopes: ${scopeResult.allowedScopes.join(", ")}`
-        : "";
-      return {
-        success: false,
-        error: `${scopeResult.error}${guidance}`,
-        safeError: true,
-      };
-    }
-    finalScopes = scopeResult.scopes;
-  } else {
-    // No profile and no explicit scopes — cannot proceed
+  // Deserialize JSON fields from the DB row
+  const dbDefaultScopes = safeJsonParse<string[]>(
+    providerRow.defaultScopes,
+    [],
+  );
+  const dbScopePolicy = safeJsonParse<OAuthScopePolicy>(
+    providerRow.scopePolicy,
+    {
+      allowAdditionalScopes: false,
+      allowedOptionalScopes: [],
+      forbiddenScopes: [],
+    },
+  );
+  const dbExtraParams = safeJsonParse<Record<string, string> | undefined>(
+    providerRow.extraParams,
+    undefined,
+  );
+
+  // Resolve all protocol-level config from the DB
+  const authUrl = providerRow.authUrl;
+  const tokenUrl = providerRow.tokenUrl;
+  const extraParams = dbExtraParams;
+  const userinfoUrl = providerRow.userinfoUrl ?? undefined;
+  const tokenEndpointAuthMethod = providerRow.tokenEndpointAuthMethod as
+    | TokenEndpointAuthMethod
+    | undefined;
+  const callbackTransport =
+    (providerRow.callbackTransport as "loopback" | "gateway" | null) ??
+    "gateway";
+  const loopbackPort = providerRow.loopbackPort;
+
+  // Resolve scopes via the scope policy engine
+  const scopeProfile = {
+    service: resolvedService,
+    defaultScopes: dbDefaultScopes,
+    scopePolicy: dbScopePolicy,
+  };
+  const scopeResult = resolveScopes(scopeProfile, options.requestedScopes);
+  if (!scopeResult.ok) {
+    const guidance = scopeResult.allowedScopes
+      ? ` Allowed scopes: ${scopeResult.allowedScopes.join(", ")}`
+      : "";
     return {
       success: false,
-      error: `No well-known OAuth config found for "${options.service}" and no scopes were provided`,
+      error: `${scopeResult.error}${guidance}`,
       safeError: true,
     };
   }
+  const finalScopes = scopeResult.scopes;
 
   if (!authUrl) {
     return {
@@ -161,7 +220,7 @@ export async function orchestrateOAuthConnect(
     tokenEndpointAuthMethod,
     userinfoUrl,
     allowedTools: options.allowedTools,
-    wellKnownInjectionTemplates: profile?.injectionTemplates,
+    wellKnownInjectionTemplates: behavior.injectionTemplates,
   };
 
   // -----------------------------------------------------------------------
@@ -169,8 +228,6 @@ export async function orchestrateOAuthConnect(
   // -----------------------------------------------------------------------
   if (!options.isInteractive) {
     try {
-      const callbackTransport = profile?.callbackTransport ?? "gateway";
-
       // Gateway transport needs a public ingress URL
       if (callbackTransport !== "loopback") {
         const { loadConfig } = await import("../config/loader.js");
@@ -191,7 +248,7 @@ export async function orchestrateOAuthConnect(
       const prepared = await prepareOAuth2Flow(
         oauthConfig,
         callbackTransport === "loopback"
-          ? { callbackTransport, loopbackPort: profile?.loopbackPort }
+          ? { callbackTransport, loopbackPort: loopbackPort ?? undefined }
           : undefined,
       );
 
@@ -201,10 +258,10 @@ export async function orchestrateOAuthConnect(
           try {
             let accountInfo: string | undefined;
 
-            // Run identity verifier if available
-            if (profile?.identityVerifier) {
+            // Run identity verifier if available (code-side behavior)
+            if (behavior.identityVerifier) {
               try {
-                accountInfo = await profile.identityVerifier(
+                accountInfo = await behavior.identityVerifier(
                   result.tokens.accessToken,
                 );
               } catch {
@@ -293,19 +350,18 @@ export async function orchestrateOAuthConnect(
           }
         },
       },
-      profile?.callbackTransport
-        ? {
-            callbackTransport: profile.callbackTransport,
-            loopbackPort: profile.loopbackPort,
-          }
-        : undefined,
+      callbackTransport === "loopback"
+        ? { callbackTransport, loopbackPort: loopbackPort ?? undefined }
+        : callbackTransport === "gateway"
+          ? { callbackTransport }
+          : undefined,
     );
 
-    // Run identity verifier if available
+    // Run identity verifier if available (code-side behavior)
     let verifiedIdentity: string | undefined;
-    if (profile?.identityVerifier) {
+    if (behavior.identityVerifier) {
       try {
-        verifiedIdentity = await profile.identityVerifier(tokens.accessToken);
+        verifiedIdentity = await behavior.identityVerifier(tokens.accessToken);
       } catch {
         // Non-fatal
       }

package/src/oauth/connect-types.ts

@@ -1,11 +1,15 @@
 /**
  * Shared types for the OAuth provider extensibility layer.
  *
- * These types are consumed by the provider profile registry, the token
+ * These types are consumed by the provider behavior registry, the token
  * persistence module, and the credential vault orchestrator.
+ *
+ * Protocol-level OAuth config (authUrl, tokenUrl, scopes, etc.) is now
+ * stored exclusively in the `oauth_providers` SQLite table. This file
+ * only defines code-side behavioral types that cannot be serialised to
+ * a DB row (functions, templates, UI metadata).
  */
 
-import type { TokenEndpointAuthMethod } from "../security/oauth2.js";
 import type { CredentialInjectionTemplate } from "../tools/credentials/policy-types.js";
 
 // ---------------------------------------------------------------------------
@@ -23,31 +27,21 @@ export interface OAuthScopePolicy {
 }
 
 // ---------------------------------------------------------------------------
-// Provider profile
+// Provider behavior
 // ---------------------------------------------------------------------------
 
-/** Full configuration profile for a well-known OAuth provider. */
-export interface OAuthProviderProfile {
+/**
+ * Code-side behavioral configuration for a well-known OAuth provider.
+ *
+ * Protocol-level fields (authUrl, tokenUrl, defaultScopes, scopePolicy,
+ * tokenEndpointAuthMethod, callbackTransport, loopbackPort, userinfoUrl,
+ * extraParams) are stored in the `oauth_providers` DB table. This
+ * interface contains only fields that require code references (functions,
+ * templates, skill IDs) and cannot be serialised to a DB row.
+ */
+export interface OAuthProviderBehavior {
   /** Canonical service key (e.g. "integration:twitter"). */
   service: string;
-  /** OAuth2 authorization endpoint. */
-  authUrl: string;
-  /** OAuth2 token endpoint. */
-  tokenUrl: string;
-  /** Default scopes requested during authorization. */
-  defaultScopes: string[];
-  /** Policy governing additional/forbidden scopes. */
-  scopePolicy: OAuthScopePolicy;
-  /** How to send client credentials at the token endpoint. */
-  tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
-  /** Force a specific callback transport. */
-  callbackTransport?: "loopback" | "gateway";
-  /** Fixed port for loopback transport (e.g. Slack). */
-  loopbackPort?: number;
-  /** Endpoint to fetch user identity info after authorization. */
-  userinfoUrl?: string;
-  /** Extra query parameters appended to the authorization URL. */
-  extraParams?: Record<string, string>;
   /**
    * Async function that verifies the user's identity after a successful
    * token exchange. Returns a human-readable account identifier (e.g.

package/src/oauth/connection-resolver.ts

@@ -1,34 +1,58 @@
-import { getCredentialMetadata } from "../tools/credentials/metadata-store.js";
+import { getSecureKey } from "../security/secure-keys.js";
 import { BYOOAuthConnection } from "./byo-connection.js";
 import type { OAuthConnection } from "./connection.js";
-import { getProviderBaseUrl } from "./provider-base-urls.js";
+import { getApp, getConnectionByProvider, getProvider } from "./oauth-store.js";
 
 /**
  * Resolve an OAuthConnection for a given credential service.
- * Currently always creates a BYO connection from existing credential store.
- * Will be extended to create Platform connections when storage model supports it.
+ *
+ * Reads exclusively from the SQLite oauth-store. Throws if no connection
+ * exists (authorization required).
  */
 export function resolveOAuthConnection(
   credentialService: string,
 ): OAuthConnection {
-  const meta = getCredentialMetadata(credentialService, "access_token");
-  if (!meta) {
+  const conn = getConnectionByProvider(credentialService);
+  if (!conn) {
     throw new Error(
       `No credential found for "${credentialService}". Authorization required.`,
     );
   }
 
-  const baseUrl = getProviderBaseUrl(credentialService);
+  const accessToken = getSecureKey(`oauth_connection/${conn.id}/access_token`);
+
+  if (!accessToken) {
+    throw new Error(
+      `No access token found for "${credentialService}". Authorization required.`,
+    );
+  }
+
+  // Look up the provider by credentialService first; fall back to the
+  // connection's app's canonical providerKey so custom credential_service
+  // overrides (e.g. "integration:github-work") still resolve to the well-known
+  // provider's base URL. We traverse conn -> oauthApp -> providerKey because
+  // conn.providerKey equals credentialService (getConnectionByProvider queries
+  // WHERE providerKey = credentialService), whereas the app's providerKey is a
+  // foreign key to the oauthProviders table.
+  const provider =
+    getProvider(credentialService) ??
+    getProvider(getApp(conn.oauthAppId)?.providerKey ?? "");
+  const baseUrl = provider?.baseUrl;
+
   if (!baseUrl) {
     throw new Error(`No base URL configured for "${credentialService}".`);
   }
 
+  const grantedScopes: string[] = conn.grantedScopes
+    ? JSON.parse(conn.grantedScopes)
+    : [];
+
   return new BYOOAuthConnection({
-    id: meta.credentialId,
-    providerKey: credentialService,
+    id: conn.id,
+    providerKey: conn.providerKey,
     baseUrl,
-    accountInfo: null,
-    grantedScopes: meta.grantedScopes ?? [],
+    accountInfo: conn.accountInfo,
+    grantedScopes,
     credentialService,
   });
 }

package/src/oauth/connection.ts

@@ -1,7 +1,7 @@
 export interface OAuthConnectionRequest {
   method: string;
   path: string; // relative, e.g. "/2/tweets"
-  query?: Record<string, string>;
+  query?: Record<string, string | string[]>;
   headers?: Record<string, string>;
   body?: unknown; // JSON-serializable
   /**