@xemahq/kernel-contracts 0.22.1 → 0.22.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,176 @@
1
+ Apache License
2
+ Version 2.0, January 2004
3
+ http://www.apache.org/licenses/
4
+
5
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6
+
7
+ 1. Definitions.
8
+
9
+ "License" shall mean the terms and conditions for use, reproduction,
10
+ and distribution as defined by Sections 1 through 9 of this document.
11
+
12
+ "Licensor" shall mean the copyright owner or entity authorized by
13
+ the copyright owner that is granting the License.
14
+
15
+ "Legal Entity" shall mean the union of the acting entity and all
16
+ other entities that control, are controlled by, or are under common
17
+ control with that entity. For the purposes of this definition,
18
+ "control" means (i) the power, direct or indirect, to cause the
19
+ direction or management of such entity, whether by contract or
20
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
21
+ outstanding shares, or (iii) beneficial ownership of such entity.
22
+
23
+ "You" (or "Your") shall mean an individual or Legal Entity
24
+ exercising permissions granted by this License.
25
+
26
+ "Source" form shall mean the preferred form for making modifications,
27
+ including but not limited to software source code, documentation
28
+ source, and configuration files.
29
+
30
+ "Object" form shall mean any form resulting from mechanical
31
+ transformation or translation of a Source form, including but
32
+ not limited to compiled object code, generated documentation,
33
+ and conversions to other media types.
34
+
35
+ "Work" shall mean the work of authorship, whether in Source or
36
+ Object form, made available under the License, as indicated by a
37
+ copyright notice that is included in or attached to the work
38
+ (an example is provided in the Appendix below).
39
+
40
+ "Derivative Works" shall mean any work, whether in Source or Object
41
+ form, that is based on (or derived from) the Work and for which the
42
+ editorial revisions, annotations, elaborations, or other modifications
43
+ represent, as a whole, an original work of authorship. For the purposes
44
+ of this License, Derivative Works shall not include works that remain
45
+ separable from, or merely link (or bind by name) to the interfaces of,
46
+ the Work and Derivative Works thereof.
47
+
48
+ "Contribution" shall mean any work of authorship, including
49
+ the original version of the Work and any modifications or additions
50
+ to that Work or Derivative Works thereof, that is intentionally
51
+ submitted to Licensor for inclusion in the Work by the copyright owner
52
+ or by an individual or Legal Entity authorized to submit on behalf of
53
+ the copyright owner. For the purposes of this definition, "submitted"
54
+ means any form of electronic, verbal, or written communication sent
55
+ to the Licensor or its representatives, including but not limited to
56
+ communication on electronic mailing lists, source code control systems,
57
+ and issue tracking systems that are managed by, or on behalf of, the
58
+ Licensor for the purpose of discussing and improving the Work, but
59
+ excluding communication that is conspicuously marked or otherwise
60
+ designated in writing by the copyright owner as "Not a Contribution."
61
+
62
+ "Contributor" shall mean Licensor and any individual or Legal Entity
63
+ on behalf of whom a Contribution has been received by Licensor and
64
+ subsequently incorporated within the Work.
65
+
66
+ 2. Grant of Copyright License. Subject to the terms and conditions of
67
+ this License, each Contributor hereby grants to You a perpetual,
68
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69
+ copyright license to reproduce, prepare Derivative Works of,
70
+ publicly display, publicly perform, sublicense, and distribute the
71
+ Work and such Derivative Works in Source or Object form.
72
+
73
+ 3. Grant of Patent License. Subject to the terms and conditions of
74
+ this License, each Contributor hereby grants to You a perpetual,
75
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76
+ (except as stated in this section) patent license to make, have made,
77
+ use, offer to sell, sell, import, and otherwise transfer the Work,
78
+ where such license applies only to those patent claims licensable
79
+ by such Contributor that are necessarily infringed by their
80
+ Contribution(s) alone or by combination of their Contribution(s)
81
+ with the Work to which such Contribution(s) was submitted. If You
82
+ institute patent litigation against any entity (including a
83
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
84
+ or a Contribution incorporated within the Work constitutes direct
85
+ or contributory patent infringement, then any patent licenses
86
+ granted to You under this License for that Work shall terminate
87
+ as of the date such litigation is filed.
88
+
89
+ 4. Redistribution. You may reproduce and distribute copies of the
90
+ Work or Derivative Works thereof in any medium, with or without
91
+ modifications, and in Source or Object form, provided that You
92
+ meet the following conditions:
93
+
94
+ (a) You must give any other recipients of the Work or
95
+ Derivative Works a copy of this License; and
96
+
97
+ (b) You must cause any modified files to carry prominent notices
98
+ stating that You changed the files; and
99
+
100
+ (c) You must retain, in the Source form of any Derivative Works
101
+ that You distribute, all copyright, patent, trademark, and
102
+ attribution notices from the Source form of the Work,
103
+ excluding those notices that do not pertain to any part of
104
+ the Derivative Works; and
105
+
106
+ (d) If the Work includes a "NOTICE" text file as part of its
107
+ distribution, then any Derivative Works that You distribute must
108
+ include a readable copy of the attribution notices contained
109
+ within such NOTICE file, excluding those notices that do not
110
+ pertain to any part of the Derivative Works, in at least one
111
+ of the following places: within a NOTICE text file distributed
112
+ as part of the Derivative Works; within the Source form or
113
+ documentation, if provided along with the Derivative Works; or,
114
+ within a display generated by the Derivative Works, if and
115
+ wherever such third-party notices normally appear. The contents
116
+ of the NOTICE file are for informational purposes only and
117
+ do not modify the License. You may add Your own attribution
118
+ notices within Derivative Works that You distribute, alongside
119
+ or as an addendum to the NOTICE text from the Work, provided
120
+ that such additional attribution notices cannot be construed
121
+ as modifying the License.
122
+
123
+ You may add Your own copyright statement to Your modifications and
124
+ may provide additional or different license terms and conditions
125
+ for use, reproduction, or distribution of Your modifications, or
126
+ for any such Derivative Works as a whole, provided Your use,
127
+ reproduction, and distribution of the Work otherwise complies with
128
+ the conditions stated in this License.
129
+
130
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
131
+ any Contribution intentionally submitted for inclusion in the Work
132
+ by You to the Licensor shall be under the terms and conditions of
133
+ this License, without any additional terms or conditions.
134
+ Notwithstanding the above, nothing herein shall supersede or modify
135
+ the terms of any separate license agreement you may have executed
136
+ with Licensor regarding such Contributions.
137
+
138
+ 6. Trademarks. This License does not grant permission to use the trade
139
+ names, trademarks, service marks, or product names of the Licensor,
140
+ except as required for reasonable and customary use in describing the
141
+ origin of the Work and reproducing the content of the NOTICE file.
142
+
143
+ 7. Disclaimer of Warranty. Unless required by applicable law or
144
+ agreed to in writing, Licensor provides the Work (and each
145
+ Contributor provides its Contributions) on an "AS IS" BASIS,
146
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147
+ implied, including, without limitation, any warranties or conditions
148
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149
+ PARTICULAR PURPOSE. You are solely responsible for determining the
150
+ appropriateness of using or redistributing the Work and assume any
151
+ risks associated with Your exercise of permissions under this License.
152
+
153
+ 8. Limitation of Liability. In no event and under no legal theory,
154
+ whether in tort (including negligence), contract, or otherwise,
155
+ unless required by applicable law (such as deliberate and grossly
156
+ negligent acts) or agreed to in writing, shall any Contributor be
157
+ liable to You for damages, including any direct, indirect, special,
158
+ incidental, or consequential damages of any character arising as a
159
+ result of this License or out of the use or inability to use the
160
+ Work (including but not limited to damages for loss of goodwill,
161
+ work stoppage, computer failure or malfunction, or any and all
162
+ other commercial damages or losses), even if such Contributor
163
+ has been advised of the possibility of such damages.
164
+
165
+ 9. Accepting Warranty or Additional Liability. While redistributing
166
+ the Work or Derivative Works thereof, You may choose to offer,
167
+ and charge a fee for, acceptance of support, warranty, indemnity,
168
+ or other liability obligations and/or rights consistent with this
169
+ License. However, in accepting such obligations, You may act only
170
+ on Your own behalf and on Your sole responsibility, not on behalf
171
+ of any other Contributor, and only if You agree to indemnify,
172
+ defend, and hold each Contributor harmless for any liability
173
+ incurred by, or claims asserted against, such Contributor by reason
174
+ of your accepting any such warranty or additional liability.
175
+
176
+ END OF TERMS AND CONDITIONS
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "$schema": "https://xema.dev/schemas/awp-spec.v1.json",
3
- "emittedAt": "2026-07-01T10:43:39.744Z",
3
+ "emittedAt": "2026-07-02T07:22:41.877Z",
4
4
  "spec": {
5
5
  "id": "awp/v1",
6
6
  "version": "1.2.0",
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
2
2
  export * from './lib/capability';
3
3
  export * from './lib/credential-kind';
4
4
  export * from './lib/onboarding-manifest';
5
+ export * from './lib/provider-descriptor';
6
+ export * from './lib/connector-descriptor';
5
7
  export * from './lib/envelope-schema';
6
8
  export * from './lib/filter-expr';
7
9
  export * from './lib/filter-expr-schema';
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
@@ -18,6 +18,8 @@ __exportStar(require("./lib/adapter-kind"), exports);
18
18
  __exportStar(require("./lib/capability"), exports);
19
19
  __exportStar(require("./lib/credential-kind"), exports);
20
20
  __exportStar(require("./lib/onboarding-manifest"), exports);
21
+ __exportStar(require("./lib/provider-descriptor"), exports);
22
+ __exportStar(require("./lib/connector-descriptor"), exports);
21
23
  __exportStar(require("./lib/envelope-schema"), exports);
22
24
  __exportStar(require("./lib/filter-expr"), exports);
23
25
  __exportStar(require("./lib/filter-expr-schema"), exports);
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,4DAA0C;AAC1C,6DAA2C;AAC3C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
@@ -0,0 +1,13 @@
1
+ import type { AdapterKindRef } from './adapter-kind';
2
+ import type { CredentialKind } from './credential-kind';
3
+ export interface ConnectorDescriptor {
4
+ readonly connectorKey: string;
5
+ readonly displayName: string;
6
+ readonly description: string;
7
+ readonly iconName: string;
8
+ readonly providerKey: string;
9
+ readonly scopes: readonly string[];
10
+ readonly connectionCredentialKind: CredentialKind;
11
+ readonly adapterKind: AdapterKindRef;
12
+ }
13
+ //# sourceMappingURL=connector-descriptor.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"connector-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AASxD,MAAM,WAAW,mBAAmB;IAElC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAE9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAU7B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IAOnC,QAAQ,CAAC,wBAAwB,EAAE,cAAc,CAAC;IAOlD,QAAQ,CAAC,WAAW,EAAE,cAAc,CAAC;CACtC"}
@@ -0,0 +1,3 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ //# sourceMappingURL=connector-descriptor.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"connector-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":""}
@@ -0,0 +1,37 @@
1
+ import type { CredentialFieldSpec } from './onboarding-manifest';
2
+ export declare enum ProviderAppAuthKind {
3
+ OAuth2 = "oauth2",
4
+ AppInstall = "app_install",
5
+ None = "none"
6
+ }
7
+ export declare enum ProviderOrigin {
8
+ Kernel = "kernel",
9
+ Platform = "platform",
10
+ Biome = "biome"
11
+ }
12
+ export declare enum ProviderCredentialScope {
13
+ Platform = "platform",
14
+ Org = "org"
15
+ }
16
+ export declare const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[];
17
+ export interface ProviderOAuthEndpoints {
18
+ readonly authorizationUrl: string;
19
+ readonly tokenUrl: string;
20
+ readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
21
+ readonly clientIdEnvVar?: string;
22
+ readonly clientSecretEnvVar?: string;
23
+ }
24
+ export interface ProviderDescriptor {
25
+ readonly providerKey: string;
26
+ readonly displayName: string;
27
+ readonly description: string;
28
+ readonly iconName: string;
29
+ readonly category: string;
30
+ readonly appAuthKind: ProviderAppAuthKind;
31
+ readonly origin: ProviderOrigin;
32
+ readonly appCredentialSchema?: readonly CredentialFieldSpec[];
33
+ readonly oauthEndpoints?: ProviderOAuthEndpoints;
34
+ readonly allowOrgOverride: boolean;
35
+ }
36
+ export declare function providerRequiresAppCredential(provider: Pick<ProviderDescriptor, 'appAuthKind'>): boolean;
37
+ //# sourceMappingURL=provider-descriptor.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"provider-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":"AA0BA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQjE,oBAAY,mBAAmB;IAO7B,MAAM,WAAW;IAMjB,UAAU,gBAAgB;IAO1B,IAAI,SAAS;CACd;AAaD,oBAAY,cAAc;IACxB,MAAM,WAAW;IACjB,QAAQ,aAAa;IACrB,KAAK,UAAU;CAChB;AAiBD,oBAAY,uBAAuB;IACjC,QAAQ,aAAa;IACrB,GAAG,QAAQ;CACZ;AAGD,eAAO,MAAM,+BAA+B,EAAE,SAAS,uBAAuB,EACb,CAAC;AAOlE,MAAM,WAAW,sBAAsB;IAErC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAElC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAQ1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAQjE,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAOD,MAAM,WAAW,kBAAkB;IAEjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;IAE1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAQhC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,SAAS,mBAAmB,EAAE,CAAC;IAM9D,QAAQ,CAAC,cAAc,CAAC,EAAE,sBAAsB,CAAC;IAOjD,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC;AAOD,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,aAAa,CAAC,GAChD,OAAO,CAET"}
@@ -0,0 +1,26 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = exports.ProviderCredentialScope = exports.ProviderOrigin = exports.ProviderAppAuthKind = void 0;
4
+ exports.providerRequiresAppCredential = providerRequiresAppCredential;
5
+ var ProviderAppAuthKind;
6
+ (function (ProviderAppAuthKind) {
7
+ ProviderAppAuthKind["OAuth2"] = "oauth2";
8
+ ProviderAppAuthKind["AppInstall"] = "app_install";
9
+ ProviderAppAuthKind["None"] = "none";
10
+ })(ProviderAppAuthKind || (exports.ProviderAppAuthKind = ProviderAppAuthKind = {}));
11
+ var ProviderOrigin;
12
+ (function (ProviderOrigin) {
13
+ ProviderOrigin["Kernel"] = "kernel";
14
+ ProviderOrigin["Platform"] = "platform";
15
+ ProviderOrigin["Biome"] = "biome";
16
+ })(ProviderOrigin || (exports.ProviderOrigin = ProviderOrigin = {}));
17
+ var ProviderCredentialScope;
18
+ (function (ProviderCredentialScope) {
19
+ ProviderCredentialScope["Platform"] = "platform";
20
+ ProviderCredentialScope["Org"] = "org";
21
+ })(ProviderCredentialScope || (exports.ProviderCredentialScope = ProviderCredentialScope = {}));
22
+ exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = [ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
23
+ function providerRequiresAppCredential(provider) {
24
+ return provider.appAuthKind !== ProviderAppAuthKind.None;
25
+ }
26
+ //# sourceMappingURL=provider-descriptor.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"provider-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":";;;AAgLA,sEAIC;AAlJD,IAAY,mBAqBX;AArBD,WAAY,mBAAmB;IAO7B,wCAAiB,CAAA;IAMjB,iDAA0B,CAAA;IAO1B,oCAAa,CAAA;AACf,CAAC,EArBW,mBAAmB,mCAAnB,mBAAmB,QAqB9B;AAaD,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,mCAAiB,CAAA;IACjB,uCAAqB,CAAA;IACrB,iCAAe,CAAA;AACjB,CAAC,EAJW,cAAc,8BAAd,cAAc,QAIzB;AAiBD,IAAY,uBAGX;AAHD,WAAY,uBAAuB;IACjC,gDAAqB,CAAA;IACrB,sCAAW,CAAA;AACb,CAAC,EAHW,uBAAuB,uCAAvB,uBAAuB,QAGlC;AAGY,QAAA,+BAA+B,GAC1C,CAAC,uBAAuB,CAAC,GAAG,EAAE,uBAAuB,CAAC,QAAQ,CAAC,CAAC;AAgFlE,SAAgB,6BAA6B,CAC3C,QAAiD;IAEjD,OAAO,QAAQ,CAAC,WAAW,KAAK,mBAAmB,CAAC,IAAI,CAAC;AAC3D,CAAC"}
@@ -12,7 +12,8 @@ export declare enum CredentialPrecedenceSource {
12
12
  Explicit = "explicit",
13
13
  CapabilityDefault = "capability_default",
14
14
  ProjectDefault = "project_default",
15
- OrgDefault = "org_default"
15
+ OrgDefault = "org_default",
16
+ PlatformDefault = "platform_default"
16
17
  }
17
18
  export declare const CredentialPrecedenceSourceSchema: z.ZodEnum<typeof CredentialPrecedenceSource>;
18
19
  export type PolicyRequest = ExecutionContext;
@@ -1 +1 @@
1
- {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;AAczE,oBAAY,0BAA0B;IACpC,QAAQ,aAAa;IACrB,iBAAiB,uBAAuB;IACxC,cAAc,oBAAoB;IAClC,UAAU,gBAAgB;CAC3B;AAED,eAAO,MAAM,gCAAgC,8CAE5C,CAAC;AAWF,MAAM,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAE7C,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CACjC,CAAC;AAWzB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,CAAC;IAWvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAM7B,2BAA2B,CAAC,EAAE,0BAA0B,CAAC;CAC1D;AAED,eAAO,MAAM,oBAAoB,EAO3B,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC"}
1
+ {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;AAgBzE,oBAAY,0BAA0B;IACpC,QAAQ,aAAa;IACrB,iBAAiB,uBAAuB;IACxC,cAAc,oBAAoB;IAClC,UAAU,gBAAgB;IAO1B,eAAe,qBAAqB;CACrC;AAED,eAAO,MAAM,gCAAgC,8CAE5C,CAAC;AAWF,MAAM,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAE7C,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CACjC,CAAC;AAWzB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,CAAC;IAWvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAM7B,2BAA2B,CAAC,EAAE,0BAA0B,CAAC;CAC1D;AAED,eAAO,MAAM,oBAAoB,EAO3B,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC"}
@@ -18,6 +18,7 @@ var CredentialPrecedenceSource;
18
18
  CredentialPrecedenceSource["CapabilityDefault"] = "capability_default";
19
19
  CredentialPrecedenceSource["ProjectDefault"] = "project_default";
20
20
  CredentialPrecedenceSource["OrgDefault"] = "org_default";
21
+ CredentialPrecedenceSource["PlatformDefault"] = "platform_default";
21
22
  })(CredentialPrecedenceSource || (exports.CredentialPrecedenceSource = CredentialPrecedenceSource = {}));
22
23
  exports.CredentialPrecedenceSourceSchema = zod_1.z.nativeEnum(CredentialPrecedenceSource);
23
24
  exports.PolicyRequestSchema = execution_context_1.ExecutionContextSchema;
@@ -1 +1 @@
1
- {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAczE,IAAY,0BAKX;AALD,WAAY,0BAA0B;IACpC,mDAAqB,CAAA;IACrB,sEAAwC,CAAA;IACxC,gEAAkC,CAAA;IAClC,wDAA0B,CAAA;AAC5B,CAAC,EALW,0BAA0B,0CAA1B,0BAA0B,QAKrC;AAEY,QAAA,gCAAgC,GAAG,OAAC,CAAC,UAAU,CAC1D,0BAA0B,CAC3B,CAAC;AAaW,QAAA,mBAAmB,GAC9B,0CAAsB,CAAC;AAmCZ,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,gCAAwB;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,oCAAsB,CAAC,CAAC,QAAQ,EAAE;IACvD,UAAU,EAAE,6BAAe,CAAC,QAAQ,EAAE;IACtC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjD,2BAA2B,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzE,CAA8B,CAAC"}
1
+ {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAgBzE,IAAY,0BAYX;AAZD,WAAY,0BAA0B;IACpC,mDAAqB,CAAA;IACrB,sEAAwC,CAAA;IACxC,gEAAkC,CAAA;IAClC,wDAA0B,CAAA;IAO1B,kEAAoC,CAAA;AACtC,CAAC,EAZW,0BAA0B,0CAA1B,0BAA0B,QAYrC;AAEY,QAAA,gCAAgC,GAAG,OAAC,CAAC,UAAU,CAC1D,0BAA0B,CAC3B,CAAC;AAaW,QAAA,mBAAmB,GAC9B,0CAAsB,CAAC;AAmCZ,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,gCAAwB;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,oCAAsB,CAAC,CAAC,QAAQ,EAAE;IACvD,UAAU,EAAE,6BAAe,CAAC,QAAQ,EAAE;IACtC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjD,2BAA2B,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzE,CAA8B,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@xemahq/kernel-contracts",
3
- "version": "0.22.1",
3
+ "version": "0.22.3",
4
4
  "description": "Consolidated Xema OS kernel wire contracts — pure types + zod schemas for the 32 kernel protocol surfaces. One package, one npm scope, wildcard per-surface subpath exports. No framework/runtime deps.",
5
5
  "publishConfig": {
6
6
  "registry": "https://registry.npmjs.org/",
@@ -10,26 +10,18 @@
10
10
  "dist",
11
11
  "src"
12
12
  ],
13
- "scripts": {
14
- "clean": "rm -rf dist",
15
- "build": "tsc -p tsconfig.json && node scripts/emit-awp-spec.mjs",
16
- "format": "prettier --write \"src/**/*.ts\"",
17
- "typecheck": "tsc -p tsconfig.json --noEmit",
18
- "lint": "eslint .",
19
- "check:boundary": "node scripts/check-subpath-dag.mjs"
20
- },
21
13
  "devDependencies": {
22
- "@eslint/js": "catalog:",
23
- "@types/node": "catalog:",
24
- "eslint": "catalog:",
25
- "eslint-config-prettier": "catalog:",
14
+ "@eslint/js": "^9.39.4",
15
+ "@types/node": "25.2.3",
16
+ "eslint": "^9.39.4",
17
+ "eslint-config-prettier": "^10.1.8",
26
18
  "eslint-plugin-import": "^2.31.0",
27
- "prettier": "catalog:",
28
- "typescript": "catalog:",
29
- "typescript-eslint": "catalog:"
19
+ "prettier": "3.6.2",
20
+ "typescript": "5.9.3",
21
+ "typescript-eslint": "^8.56.1"
30
22
  },
31
23
  "dependencies": {
32
- "zod": "catalog:"
24
+ "zod": "^4.3.6"
33
25
  },
34
26
  "exports": {
35
27
  "./*": {
@@ -38,5 +30,13 @@
38
30
  "default": "./dist/*/index.js"
39
31
  },
40
32
  "./package.json": "./package.json"
33
+ },
34
+ "scripts": {
35
+ "clean": "rm -rf dist",
36
+ "build": "tsc -p tsconfig.json && node scripts/emit-awp-spec.mjs",
37
+ "format": "prettier --write \"src/**/*.ts\"",
38
+ "typecheck": "tsc -p tsconfig.json --noEmit",
39
+ "lint": "eslint .",
40
+ "check:boundary": "node scripts/check-subpath-dag.mjs"
41
41
  }
42
- }
42
+ }
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
2
2
  export * from './lib/capability';
3
3
  export * from './lib/credential-kind';
4
4
  export * from './lib/onboarding-manifest';
5
+ export * from './lib/provider-descriptor';
6
+ export * from './lib/connector-descriptor';
5
7
  export * from './lib/envelope-schema';
6
8
  export * from './lib/filter-expr';
7
9
  export * from './lib/filter-expr-schema';
@@ -0,0 +1,66 @@
1
+ /**
2
+ * ─────────────────────────────────────────────────────────────────────────
3
+ * Connector descriptor — a capability surface authenticated by ONE provider
4
+ *
5
+ * A **Connector** is what a user actually connects: Gmail, Google Drive,
6
+ * generic IMAP, generic SMTP, a GitHub SCM connector. Every connector names
7
+ * the **Provider** it authenticates against (`providerKey`) and the incremental
8
+ * OAuth `scopes` it needs from that provider. The catalog groups connectors by
9
+ * provider so ONE app credential (per `ProviderDescriptor`) backs many
10
+ * connectors.
11
+ *
12
+ * This descriptor is the connector-registry face of an `IntegrationProvider
13
+ * Module`: the module carries the executable webhook/action/resource handlers;
14
+ * this descriptor carries the *catalog + connect* metadata the framework needs
15
+ * to render the provider-grouped catalog, drive consent with the right scopes,
16
+ * and resolve the right per-connection credential kind.
17
+ * ─────────────────────────────────────────────────────────────────────────
18
+ */
19
+
20
+ import type { AdapterKindRef } from './adapter-kind';
21
+ import type { CredentialKind } from './credential-kind';
22
+
23
+ /**
24
+ * A connector in the catalog. `connectorKey` aligns with the persisted
25
+ * `ConnectorKind` wire value (e.g. `GMAIL`, `IMAP_GENERIC`, `SMTP_GENERIC`)
26
+ * but is typed as a string here to keep the kernel `connector` contract
27
+ * package free of the persisted `ConnectorKind` enum (which lives in
28
+ * platform-common's integration-webhooks); the connector-gateway maps the two.
29
+ */
30
+ export interface ConnectorDescriptor {
31
+ /** Stable connector key — aligns with the persisted `ConnectorKind`. */
32
+ readonly connectorKey: string;
33
+ /** Human-readable name — `Gmail`, `Generic IMAP`. */
34
+ readonly displayName: string;
35
+ /** One-sentence description shown on the connector row. */
36
+ readonly description: string;
37
+ /** Lucide-react icon name; may differ from the provider's icon. */
38
+ readonly iconName: string;
39
+
40
+ /** The provider (authenticating authority) this connector belongs to. */
41
+ readonly providerKey: string;
42
+
43
+ /**
44
+ * Incremental OAuth scopes this connector requests from its provider. Empty
45
+ * for connectors whose provider `appAuthKind` is `None` (IMAP/SMTP). When a
46
+ * second connector of the same OAuth provider is connected, the consent
47
+ * driver requests the UNION of already-granted + these scopes (incremental
48
+ * consent) so one app credential accrues capability without re-consent for
49
+ * scopes already held.
50
+ */
51
+ readonly scopes: readonly string[];
52
+
53
+ /**
54
+ * How an individual connection to THIS connector authenticates at runtime
55
+ * (the per-connection wallet/token). `oauth_user` for OAuth connectors,
56
+ * `imap_auth` / `smtp_auth` for the mail wallets, `pat` / `api_key`, …
57
+ */
58
+ readonly connectionCredentialKind: CredentialKind;
59
+
60
+ /**
61
+ * The adapter category this connector plugs into (`mail`, `scm`, …). Drives
62
+ * where normalized inbound envelopes are forwarded and which project-binding
63
+ * surface the connector appears under.
64
+ */
65
+ readonly adapterKind: AdapterKindRef;
66
+ }
@@ -0,0 +1,181 @@
1
+ /**
2
+ * ─────────────────────────────────────────────────────────────────────────
3
+ * Provider descriptor — the authenticating authority ("app") behind N connectors
4
+ *
5
+ * A **Provider** is the identity/authority a set of connectors authenticates
6
+ * against — e.g. `google`, `microsoft`, `github`, `slack`, `smtp`, `imap`.
7
+ * ONE provider owns ONE **app credential** (a Google Cloud OAuth client, a
8
+ * GitHub App private key, …) and fans out to MANY **connectors** (Gmail,
9
+ * Google Drive, Google Calendar …), each of which reuses that single app
10
+ * credential with its own incremental scopes.
11
+ *
12
+ * This is the "Google is a world" fix: the catalog lists connectors grouped
13
+ * under one provider card; the app credential is provided once (by a platform
14
+ * admin, or overridden per-org as BYO) and every connector under the provider
15
+ * reuses it. Adding a new Google service later is a new *connector* with new
16
+ * scopes — never a new credential and never a framework change.
17
+ *
18
+ * The descriptor is a **runtime contract** describing how a provider's app
19
+ * credential is obtained and where it lives. Actual secret VALUES are never
20
+ * carried here — only the SCHEMA of what an admin must supply
21
+ * (`appCredentialSchema`) and non-secret OAuth endpoint metadata. Secrets are
22
+ * held by the credential broker + custody, referenced by env-var name or
23
+ * custody ref, never inlined.
24
+ * ─────────────────────────────────────────────────────────────────────────
25
+ */
26
+
27
+ import type { CredentialFieldSpec } from './onboarding-manifest';
28
+
29
+ /**
30
+ * How a provider's APP-level credential authenticates. This is distinct from
31
+ * a *connector's* per-connection `CredentialKind` (how an individual user/
32
+ * mailbox connection authenticates) — it describes the shared "app" that the
33
+ * platform/org registers once.
34
+ */
35
+ export enum ProviderAppAuthKind {
36
+ /**
37
+ * 3-legged OAuth: the app is a registered OAuth client (clientId/secret).
38
+ * Connecting a connector runs an authorization-code consent redirect using
39
+ * the app credential + the connector's scopes. e.g. Google, Microsoft,
40
+ * Slack.
41
+ */
42
+ OAuth2 = 'oauth2',
43
+ /**
44
+ * App-installation flow (GitHub App / GitLab App / Atlassian Connect): the
45
+ * app authenticates via an app id + private key and the user installs it
46
+ * onto their account/org. e.g. GitHub.
47
+ */
48
+ AppInstall = 'app_install',
49
+ /**
50
+ * No shared app credential at all — every connection carries its own
51
+ * complete secret (a mailbox host+user+password, a raw API key). The
52
+ * connector is connectable with NO platform/org setup. e.g. generic SMTP,
53
+ * generic IMAP.
54
+ */
55
+ None = 'none',
56
+ }
57
+
58
+ /**
59
+ * Who shipped a provider. Determines WHICH admin fulfils its app-credential
60
+ * requirement and at which scope the requirement is registered.
61
+ *
62
+ * - `kernel` — a first-party provider baked into the platform.
63
+ * - `platform` — shipped by a platform (Layer-2) service/biome installed
64
+ * platform-wide; platform admin fulfils it.
65
+ * - `biome` — introduced by a biome. When that biome is installed at ORG
66
+ * scope, the requirement is org-scoped (the org admin BYO-fills
67
+ * it) because the platform never shipped the provider.
68
+ */
69
+ export enum ProviderOrigin {
70
+ Kernel = 'kernel',
71
+ Platform = 'platform',
72
+ Biome = 'biome',
73
+ }
74
+
75
+ /**
76
+ * The two scopes at which a provider's APP credential can be provisioned.
77
+ * Deliberately a SEPARATE, minimal enum from the 5-tier ownership
78
+ * `ScopeSource` and from the credential-broker's per-connection
79
+ * `CredentialScopeTier` — app-credential provisioning is a strict 2-tier
80
+ * concern: a platform-wide default that an org may override.
81
+ *
82
+ * Resolution precedence (narrowest wins):
83
+ *
84
+ * Org (BYO) > Platform (default) > [legacy env-var fallback] > unset
85
+ *
86
+ * An unset REQUIRED app credential is surfaced to the correct admin and the
87
+ * connector reports "needs setup" — it never silently falls through to an
88
+ * unauthenticated request.
89
+ */
90
+ export enum ProviderCredentialScope {
91
+ Platform = 'platform',
92
+ Org = 'org',
93
+ }
94
+
95
+ /** Precedence order for app-credential resolution — index 0 wins. */
96
+ export const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[] =
97
+ [ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
98
+
99
+ /**
100
+ * Non-secret OAuth endpoint metadata for a `ProviderAppAuthKind.OAuth2`
101
+ * provider. Client id/secret are NOT here — they are the app credential,
102
+ * resolved from a provision (or the legacy env fallback) at consent time.
103
+ */
104
+ export interface ProviderOAuthEndpoints {
105
+ /** Authorization-code consent endpoint (where the user is redirected). */
106
+ readonly authorizationUrl: string;
107
+ /** Token-exchange endpoint (code→token, refresh-token rotation). */
108
+ readonly tokenUrl: string;
109
+ /**
110
+ * Extra authorize-request params a provider needs to actually mint a
111
+ * refresh token / do incremental consent. Non-secret. e.g. Google needs
112
+ * `{ access_type: 'offline', include_granted_scopes: 'true', prompt:
113
+ * 'consent' }`. Kept explicit rather than hardcoded in the driver so a new
114
+ * OAuth provider is pure data.
115
+ */
116
+ readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
117
+ /**
118
+ * Legacy env-var NAMES the OAuth driver falls back to for the app
119
+ * client id / secret when no provision exists yet (bootstrap before the
120
+ * platform-admin UI is used). Never the secret itself. Optional — a
121
+ * provider with no env fallback simply reports "needs setup" until an
122
+ * admin provisions it.
123
+ */
124
+ readonly clientIdEnvVar?: string;
125
+ readonly clientSecretEnvVar?: string;
126
+ }
127
+
128
+ /**
129
+ * A first-class Provider (authenticating authority). Registered in the
130
+ * provider registry alongside — but distinct from — the connectors that
131
+ * reference it via `Connector.providerKey`.
132
+ */
133
+ export interface ProviderDescriptor {
134
+ /** Stable lowercase slug — `google`, `microsoft`, `github`, `smtp`. */
135
+ readonly providerKey: string;
136
+ /** Human-readable name — `Google`, `Microsoft`, `Generic SMTP`. */
137
+ readonly displayName: string;
138
+ /** One-sentence description shown on the provider card. */
139
+ readonly description: string;
140
+ /** Lucide-react icon name; frontend maps to a component. */
141
+ readonly iconName: string;
142
+ /** Catalog grouping label (e.g. `Email`, `Source control`, `Chat`). */
143
+ readonly category: string;
144
+
145
+ /** How the shared app credential authenticates. */
146
+ readonly appAuthKind: ProviderAppAuthKind;
147
+ /** Who shipped the provider — drives requirement scope + which admin fills. */
148
+ readonly origin: ProviderOrigin;
149
+
150
+ /**
151
+ * Schema of the app-credential fields an admin must supply to register the
152
+ * app (Google → clientId/clientSecret[/pubsubTopic]; GitHub App → appId/
153
+ * privateKey/webhookSecret). Empty/omitted when `appAuthKind = None`
154
+ * (nothing to provision — the connector is immediately connectable).
155
+ */
156
+ readonly appCredentialSchema?: readonly CredentialFieldSpec[];
157
+
158
+ /**
159
+ * OAuth endpoint metadata — REQUIRED when `appAuthKind = OAuth2`, absent
160
+ * otherwise.
161
+ */
162
+ readonly oauthEndpoints?: ProviderOAuthEndpoints;
163
+
164
+ /**
165
+ * Whether an org may override the platform-default app credential with its
166
+ * own (BYO app). `false` pins the provider to the platform provision only.
167
+ * Ignored when `appAuthKind = None` (there is no shared app to override).
168
+ */
169
+ readonly allowOrgOverride: boolean;
170
+ }
171
+
172
+ /**
173
+ * True when a provider needs an app credential provisioned before any of its
174
+ * connectors can be connected (i.e. anything other than `None`). Callers use
175
+ * this to decide whether to surface a "needs setup" state and to whom.
176
+ */
177
+ export function providerRequiresAppCredential(
178
+ provider: Pick<ProviderDescriptor, 'appAuthKind'>,
179
+ ): boolean {
180
+ return provider.appAuthKind !== ProviderAppAuthKind.None;
181
+ }
@@ -33,14 +33,23 @@ export const PolicyDecisionKindSchema = z.nativeEnum(PolicyDecisionKind);
33
33
  * Priority, highest wins:
34
34
  * `explicit` (a grant names the binding) > `capability_default`
35
35
  * (the descriptor's `defaultCredentialBindingRef`) > `project_default` >
36
- * `org_default`. No match the PDP emits NO binding and denies with
37
- * `MISSING_CREDENTIAL_BINDING` (never a silent fallback).
36
+ * `org_default` > `platform_default` (a deployment-wide default an org may
37
+ * override the Provider–Credential framework's platform tier). No match ⇒
38
+ * the PDP emits NO binding and denies with `MISSING_CREDENTIAL_BINDING`
39
+ * (never a silent fallback).
38
40
  */
39
41
  export enum CredentialPrecedenceSource {
40
42
  Explicit = 'explicit',
41
43
  CapabilityDefault = 'capability_default',
42
44
  ProjectDefault = 'project_default',
43
45
  OrgDefault = 'org_default',
46
+ /**
47
+ * A deployment-wide platform default provision (broadest tier, below org).
48
+ * An org-scoped default always overrides it. Used by `authorization-api`'s
49
+ * credential-precedence resolver once this kernel change is published +
50
+ * consumed (see the Connections framework plan).
51
+ */
52
+ PlatformDefault = 'platform_default',
44
53
  }
45
54
 
46
55
  export const CredentialPrecedenceSourceSchema = z.nativeEnum(