@vertesia/common 1.1.0-dev.20260327.125707Z → 1.1.0

package/src/oauth-server.ts

@@ -0,0 +1,258 @@
+import type { AuthTokenPayload } from './apikey.js';
+import type { ProjectRef } from './project.js';
+
+export type OAuthClientType = 'public' | 'confidential';
+export type OAuthClientStatus = 'active' | 'disabled';
+export type OAuthRegistrationSource = 'admin' | 'dynamic';
+export type OAuthProjectBindingMode = 'user_select' | 'fixed';
+export type OAuthTokenEndpointAuthMethod = 'none' | 'client_secret_post' | 'client_secret_basic';
+export type OAuthGrantType = 'authorization_code' | 'refresh_token';
+export type OAuthResponseType = 'code';
+export type OAuthAuthorizationRequestStatus = 'pending' | 'denied' | 'consumed';
+export type OAuthClientRegistrationMode = 'registered' | 'client_id_metadata_document';
+export type OAuthGrantStatus = 'active' | 'revoked' | 'expired';
+export type OAuthGrantSortField = 'granted_at' | 'client_name' | 'user_name' | 'resource' | 'last_used_at' | 'expires_at' | 'status';
+export type OAuthGrantSortOrder = 'asc' | 'desc';
+
+export interface OAuthClientData {
+    client_name: string;
+    client_type: OAuthClientType;
+    redirect_uris: string[];
+    grant_types: OAuthGrantType[];
+    response_types: OAuthResponseType[];
+    token_endpoint_auth_method: OAuthTokenEndpointAuthMethod;
+    allowed_scopes: string[];
+    registration_source: OAuthRegistrationSource;
+    status: OAuthClientStatus;
+    project_binding_mode: OAuthProjectBindingMode;
+    fixed_project_id?: string;
+    metadata?: Record<string, unknown>;
+    created_by?: string;
+    client_secret_configured?: boolean;
+    created_at: string;
+    updated_at: string;
+}
+
+export interface OAuthClient extends OAuthClientData {
+    client_id: string;
+}
+
+export interface OAuthClientCreateResponse extends OAuthClient {
+    client_secret?: string;
+}
+
+export interface OAuthGrant {
+    grant_id: string;
+    client_id: string;
+    client_name: string;
+    user_id: string;
+    user_name?: string;
+    user_email?: string;
+    account_id: string;
+    project_id: string;
+    resource: string;
+    scope: string[];
+    status: OAuthGrantStatus;
+    token_count: number;
+    granted_at: string;
+    created_at: string;
+    last_used_at?: string;
+    expires_at?: string;
+}
+
+export interface ListOAuthGrantsQuery {
+    account_id?: string;
+    project_id?: string;
+    user_id?: string;
+    client_id?: string;
+    resource?: string;
+    status?: OAuthGrantStatus | 'all';
+    limit?: number;
+    offset?: number;
+    sort_by?: OAuthGrantSortField;
+    sort_order?: OAuthGrantSortOrder;
+}
+
+export interface OAuthGrantListResponse {
+    grants: OAuthGrant[];
+    total_count: number;
+    limit: number;
+    offset: number;
+}
+
+export interface BulkRevokeOAuthGrantsPayload extends ListOAuthGrantsQuery {
+    grant_ids?: string[];
+    include_consent?: boolean;
+}
+
+export interface OAuthGrantRevokeResponse {
+    revoked_tokens: number;
+    revoked_consents: number;
+}
+
+export interface CreateOAuthClientPayload {
+    client_name: string;
+    client_type?: OAuthClientType;
+    redirect_uris: string[];
+    grant_types?: OAuthGrantType[];
+    response_types?: OAuthResponseType[];
+    token_endpoint_auth_method?: OAuthTokenEndpointAuthMethod;
+    allowed_scopes?: string[];
+    project_binding_mode?: OAuthProjectBindingMode;
+    fixed_project_id?: string;
+    client_secret?: string;
+    metadata?: Record<string, unknown>;
+}
+
+export interface UpdateOAuthClientPayload {
+    client_name?: string;
+    redirect_uris?: string[];
+    grant_types?: OAuthGrantType[];
+    response_types?: OAuthResponseType[];
+    token_endpoint_auth_method?: OAuthTokenEndpointAuthMethod;
+    allowed_scopes?: string[];
+    status?: OAuthClientStatus;
+    project_binding_mode?: OAuthProjectBindingMode;
+    fixed_project_id?: string;
+    client_secret?: string;
+    metadata?: Record<string, unknown>;
+}
+
+export interface OAuthAuthorizationServerMetadata {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    jwks_uri: string;
+    registration_endpoint?: string;
+    revocation_endpoint?: string;
+    response_types_supported: string[];
+    grant_types_supported: string[];
+    code_challenge_methods_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    scopes_supported: string[];
+    client_id_metadata_document_supported?: boolean;
+}
+
+export interface OAuthClientMetadataDocument {
+    client_id: string;
+    client_name: string;
+    redirect_uris: string[];
+    grant_types?: OAuthGrantType[];
+    response_types?: OAuthResponseType[];
+    token_endpoint_auth_method?: OAuthTokenEndpointAuthMethod;
+    scope?: string;
+    client_uri?: string;
+    logo_uri?: string;
+    tos_uri?: string;
+    policy_uri?: string;
+}
+
+export interface OAuthClientDisplayMetadata {
+    client_uri?: string;
+    logo_uri?: string;
+    tos_uri?: string;
+    policy_uri?: string;
+}
+
+export interface OAuthAuthorizeQuery {
+    response_type: 'code';
+    client_id: string;
+    redirect_uri: string;
+    resource?: string;
+    scope?: string;
+    state?: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    project_id?: string;
+}
+
+export interface CreateOAuthAuthorizationRequestPayload extends OAuthAuthorizeQuery {}
+
+export interface OAuthAuthorizationRequest {
+    request_id: string;
+    client_id: string;
+    client_name: string;
+    client_metadata?: OAuthClientDisplayMetadata;
+    client_registration_mode?: OAuthClientRegistrationMode;
+    redirect_uri: string;
+    redirect_origin: string;
+    resource?: string;
+    requested_scopes: string[];
+    requested_project_id?: string;
+    project_binding_mode: OAuthProjectBindingMode;
+    fixed_project_id?: string;
+    status: OAuthAuthorizationRequestStatus;
+    created_at: string;
+    expires_at: string;
+}
+
+export interface ApproveOAuthAuthorizationRequestPayload {
+    project_id?: string;
+}
+
+export interface OAuthAuthorizationDecisionResponse {
+    redirect_url: string;
+}
+
+export interface OAuthTokenRequestAuthorizationCode {
+    grant_type: 'authorization_code';
+    code: string;
+    redirect_uri: string;
+    client_id: string;
+    resource?: string;
+    code_verifier: string;
+    client_secret?: string;
+}
+
+export interface OAuthTokenRequestRefreshToken {
+    grant_type: 'refresh_token';
+    refresh_token: string;
+    client_id: string;
+    resource?: string;
+    client_secret?: string;
+}
+
+export type OAuthTokenRequest = OAuthTokenRequestAuthorizationCode | OAuthTokenRequestRefreshToken;
+
+export interface OAuthTokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    scope: string;
+    refresh_token?: string;
+    id_token?: string;
+}
+
+export interface OAuthAuthorizationCodeRecord {
+    code: string;
+    client_id: string;
+    user_id: string;
+    account_id: string;
+    project_id: string;
+    resource: string;
+    scope: string[];
+    redirect_uri: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    expires_at: string;
+}
+
+export interface OAuthConsentRecord {
+    user_id: string;
+    client_id: string;
+    account_id: string;
+    project_id: string;
+    scope: string[];
+    granted_at: string;
+    revoked_at?: string;
+}
+
+export interface OAuthAccessTokenPayload extends Omit<AuthTokenPayload, 'type' | 'project'> {
+    type: 'oauth_access';
+    client_id: string;
+    scope: string;
+    user_id: string;
+    project: ProjectRef;
+    allowed_collections?: string[];
+    resource?: string;
+}

package/src/oauth.ts

@@ -1,13 +1,13 @@
 /**
- * OAuth Application types for generic, project-level OAuth 2.0 integration.
+ * OAuth Provider types for generic, project-level OAuth 2.0 integration.
  * Decoupled from MCP — can be used by MCP collections, tool activities, or any OAuth-protected API.
  */
 
 /**
- * OAuth Application data stored in MongoDB.
+ * OAuth Provider data stored in MongoDB.
  * Represents the configuration for an OAuth 2.0 provider at the project level.
  */
-export interface OAuthApplicationData {
+export interface OAuthProviderData {
     /**
      * Unique name within the project (kebab-case identifier).
      */
@@ -19,12 +19,20 @@ export interface OAuthApplicationData {
     display_name: string;
 
     /**
-     * The project this OAuth application belongs to.
+     * The project this OAuth provider belongs to.
      */
     project: string;
 
+    /**
+     * The OAuth 2.0 grant type to use.
+     * - 'authorization_code': 3-legged flow requiring user authorization (default).
+     * - 'client_credentials': 2-legged server-to-server flow using client_id + client_secret.
+     */
+    grant_type?: 'authorization_code' | 'client_credentials';
+
     /**
      * The OAuth 2.0 authorization endpoint URL.
+     * Only used for authorization_code flow.
      * Optional when endpoints are discovered via .well-known (e.g. MCP servers).
      */
     authorization_endpoint?: string;
@@ -52,7 +60,7 @@ export interface OAuthApplicationData {
 
     /**
      * Whether to use PKCE (Proof Key for Code Exchange) in the authorization flow.
-     * Defaults to true.
+     * Only applies to authorization_code flow. Defaults to true.
      */
     use_pkce: boolean;
 
@@ -66,19 +74,20 @@ export interface OAuthApplicationData {
 }
 
 /**
- * OAuth Application as returned by the API (with id).
+ * OAuth Provider as returned by the API (with id).
  */
-export interface OAuthApplication extends OAuthApplicationData {
+export interface OAuthProvider extends OAuthProviderData {
     id: string;
 }
 
 /**
- * Payload for creating an OAuth Application.
+ * Payload for creating an OAuth Provider.
  * The client_secret is accepted as plaintext on create and stored encrypted.
  */
-export interface CreateOAuthApplicationPayload {
+export interface CreateOAuthProviderPayload {
     name: string;
     display_name: string;
+    grant_type?: 'authorization_code' | 'client_credentials';
     authorization_endpoint?: string;
     token_endpoint?: string;
     client_id: string;
@@ -93,18 +102,18 @@ export interface CreateOAuthApplicationPayload {
 }
 
 /**
- * Payload for updating an OAuth Application.
+ * Payload for updating an OAuth Provider.
  * All fields are optional — only provided fields are updated.
  * To clear the client_secret, set it to an empty string.
  */
-export type UpdateOAuthApplicationPayload = Partial<CreateOAuthApplicationPayload>;
+export type UpdateOAuthProviderPayload = Partial<CreateOAuthProviderPayload>;
 
 /**
- * OAuth authentication status for a user against an OAuth Application.
+ * OAuth authentication status for a user against an OAuth Provider.
  */
-export interface OAuthAppAuthStatus {
-    oauth_app_id: string;
-    oauth_app_name: string;
+export interface OAuthProviderAuthStatus {
+    oauth_provider_id: string;
+    oauth_provider_name: string;
     authenticated: boolean;
     expires_at?: string;
     scope?: string;
@@ -112,8 +121,11 @@ export interface OAuthAppAuthStatus {
 
 /**
  * Response from the OAuth authorize endpoint.
+ * For authorization_code flow: contains authorization_url and state for browser redirect.
+ * For client_credentials flow: contains connected=true (token was fetched server-side, no redirect needed).
  */
-export interface OAuthAppAuthorizeResponse {
-    authorization_url: string;
-    state: string;
+export interface OAuthProviderAuthorizeResponse {
+    authorization_url?: string;
+    state?: string;
+    connected?: boolean;
 }

package/src/project.ts

@@ -333,6 +333,16 @@ export interface IndexingStatusResponse {
         elapsed_seconds: number;
         /** Estimated seconds remaining (null if unknown) */
         estimated_seconds_remaining: number | null;
+        /** Total bytes sent to ES */
+        total_bytes?: number;
+        /** Total ES bulk flushes */
+        bulk_flushes?: number;
+        /** Average bytes per ES bulk flush */
+        avg_flush_bytes?: number;
+        /** Configured batch size */
+        batch_size?: number;
+        /** Configured parallel batch count */
+        parallel_batch_count?: number;
     };
 }
 
@@ -381,6 +391,12 @@ export interface CreateReindexTargetResult {
     index_name: string;
     alias_name: string;
     version: number;
+    dimensions?: {
+        text?: number;
+        image?: number;
+        properties?: number;
+    };
+    language?: string;
 }
 
 /**
@@ -404,17 +420,6 @@ export interface FetchBatchResult {
     done: boolean;
 }
 
-/**
- * Result from indexing a batch
- */
-export interface IndexBatchResult {
-    successful: number;
-    failed: number;
-    processed: number;
-    next_cursor: string | null;
-    done: boolean;
-}
-
 /**
  * Result from discovering the next cursor boundary for batch partitioning
  */
@@ -437,6 +442,95 @@ export interface TriggerReindexResult {
     enabled?: boolean;
 }
 
+// ========================================================================
+// Zeno Bulk (Go service) types
+// ========================================================================
+
+export interface ComputeShardsRequest {
+    tenant_id: string;
+    shard_size?: number;
+}
+
+export interface ComputeShardsResult {
+    shards: Array<{ min?: string; max?: string }>;
+    count: number;
+}
+
+export interface IndexShardParams {
+    tenant_id: string;
+    target_index: string;
+    shard_min: string;
+    shard_max?: string;
+    embedding_dimensions?: {
+        text?: number;
+        image?: number;
+        properties?: number;
+    };
+    dry_run?: boolean;
+    concurrency?: number;
+    batch_size?: number;
+    bulk_size_bytes?: number;
+    bulk_concurrency?: number;
+    updated_since?: string;
+}
+
+export interface IndexShardRequest {
+    force?: boolean;
+    params: IndexShardParams;
+}
+
+export interface IndexShardResult {
+    status: string;
+    projects_done: number;
+    projects_total: number;
+    scanned: number;
+    written: number;
+    skipped: number;
+    errors: number;
+    read_docs_s: string;
+    write_docs_s: string;
+    read_mb: string;
+    write_mb: string;
+    read_mb_s: string;
+    write_mb_s: string;
+    duration_sec: number;
+    failed_projects?: Array<{ tenant: string; error: string }>;
+}
+
+export interface SwapAliasRequest {
+    tenant_id: string;
+    target_index: string;
+    /** ES alias name. If not provided, the Go service derives it from the tenant ID. */
+    alias?: string;
+}
+
+export interface SwapAliasResult {
+    status: string;
+    alias: string;
+    old_index: string;
+    new_index: string;
+}
+
+export interface ReindexViaBulkRequest {
+    tenant_id: string;
+    dry_run?: boolean;
+}
+
+export interface ReindexViaBulkResult {
+    status: string;
+    error?: string;
+    projects_done: number;
+    projects_total: number;
+    scanned: number;
+    written: number;
+    errors: number;
+    read_docs_s: string;
+    write_docs_s: string;
+    read_mb: string;
+    write_mb: string;
+    duration_sec: number;
+}
+
 /**
  * Elasticsearch index statistics
  */
@@ -600,16 +694,6 @@ export interface DriftAnalysisStatusResponse extends WorkflowRunStatus {
     error?: string;
 }
 
-/**
- * Result from swap alias operation
- */
-export interface SwapAliasResult {
-    swapped: boolean;
-    alias_name?: string;
-    new_index_name?: string;
-    reason?: string;
-}
-
 export interface ProjectIntegrationListEntry {
     id: SupportedIntegrations;
     enabled: boolean;

package/src/query.ts

@@ -72,6 +72,11 @@ export interface InteractionSearchQuery extends SimpleSearchQuery {
     version?: string;
     model?: string;
     environment?: string;
+    is_agent?: boolean;
+    is_tool?: boolean;
+    is_skill?: boolean;
+    is_basic?: boolean;
+    is_sub_agent?: boolean;
 }
 
 export interface RunSearchQuery extends SimpleSearchQuery {
@@ -90,7 +95,9 @@ export interface RunSearchQuery extends SimpleSearchQuery {
     finish_reason?: string;
     created_by?: string;
     workflow_run_ids?: string[];
+    workflow_ids?: string[];
     run_ids?: string[];
+    is_agent?: boolean;
 }
 
 export interface WorkflowExecutionSearchQuery extends SimpleSearchQuery {

package/src/refs.ts

@@ -27,4 +27,8 @@ export interface ResourceRef {
     name: string
     type: string
     description?: string
+    version?: number
+    status?: string
+    tags?: string[]
+    endpoint?: string
 }

package/src/runs.ts

@@ -17,6 +17,21 @@ export interface ExecutionRunDocRef {
 export interface RunCreatePayload extends NamedInteractionExecutionPayload {
 }
 
+/**
+ * Payload for cloning an existing ExecutionRun.
+ * Creates a new run document with the same interaction/config but fresh status.
+ * Used by fork flows to create a new ExecutionRun for the forked workflow.
+ */
+export interface RunClonePayload {
+    /** The _id of the source ExecutionRun to clone */
+    source_run_id: string;
+    /** Temporal workflow reference for the new run */
+    workflow: {
+        run_id: string;
+        workflow_id: string;
+    };
+}
+
 /**
  * To be used as a value for a numeric or date filters
  */