@xemahq/kernel-contracts 0.22.1 → 0.22.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +176 -0
- package/dist/agent-workspace/awp-spec.json +1 -1
- package/dist/connector/index.d.ts +2 -0
- package/dist/connector/index.d.ts.map +1 -1
- package/dist/connector/index.js +2 -0
- package/dist/connector/index.js.map +1 -1
- package/dist/connector/lib/connector-descriptor.d.ts +13 -0
- package/dist/connector/lib/connector-descriptor.d.ts.map +1 -0
- package/dist/connector/lib/connector-descriptor.js +3 -0
- package/dist/connector/lib/connector-descriptor.js.map +1 -0
- package/dist/connector/lib/provider-descriptor.d.ts +37 -0
- package/dist/connector/lib/provider-descriptor.d.ts.map +1 -0
- package/dist/connector/lib/provider-descriptor.js +26 -0
- package/dist/connector/lib/provider-descriptor.js.map +1 -0
- package/dist/policy/lib/policy.d.ts +2 -1
- package/dist/policy/lib/policy.d.ts.map +1 -1
- package/dist/policy/lib/policy.js +1 -0
- package/dist/policy/lib/policy.js.map +1 -1
- package/package.json +18 -18
- package/src/connector/index.ts +2 -0
- package/src/connector/lib/connector-descriptor.ts +66 -0
- package/src/connector/lib/provider-descriptor.ts +181 -0
- package/src/policy/lib/policy.ts +11 -2
package/LICENSE
ADDED
|
@@ -0,0 +1,176 @@
|
|
|
1
|
+
Apache License
|
|
2
|
+
Version 2.0, January 2004
|
|
3
|
+
http://www.apache.org/licenses/
|
|
4
|
+
|
|
5
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
6
|
+
|
|
7
|
+
1. Definitions.
|
|
8
|
+
|
|
9
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
10
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
11
|
+
|
|
12
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
13
|
+
the copyright owner that is granting the License.
|
|
14
|
+
|
|
15
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
16
|
+
other entities that control, are controlled by, or are under common
|
|
17
|
+
control with that entity. For the purposes of this definition,
|
|
18
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
19
|
+
direction or management of such entity, whether by contract or
|
|
20
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
21
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
22
|
+
|
|
23
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
24
|
+
exercising permissions granted by this License.
|
|
25
|
+
|
|
26
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
27
|
+
including but not limited to software source code, documentation
|
|
28
|
+
source, and configuration files.
|
|
29
|
+
|
|
30
|
+
"Object" form shall mean any form resulting from mechanical
|
|
31
|
+
transformation or translation of a Source form, including but
|
|
32
|
+
not limited to compiled object code, generated documentation,
|
|
33
|
+
and conversions to other media types.
|
|
34
|
+
|
|
35
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
36
|
+
Object form, made available under the License, as indicated by a
|
|
37
|
+
copyright notice that is included in or attached to the work
|
|
38
|
+
(an example is provided in the Appendix below).
|
|
39
|
+
|
|
40
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
41
|
+
form, that is based on (or derived from) the Work and for which the
|
|
42
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
43
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
44
|
+
of this License, Derivative Works shall not include works that remain
|
|
45
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
46
|
+
the Work and Derivative Works thereof.
|
|
47
|
+
|
|
48
|
+
"Contribution" shall mean any work of authorship, including
|
|
49
|
+
the original version of the Work and any modifications or additions
|
|
50
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
51
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
52
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
53
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
54
|
+
means any form of electronic, verbal, or written communication sent
|
|
55
|
+
to the Licensor or its representatives, including but not limited to
|
|
56
|
+
communication on electronic mailing lists, source code control systems,
|
|
57
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
58
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
59
|
+
excluding communication that is conspicuously marked or otherwise
|
|
60
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
61
|
+
|
|
62
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
63
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
64
|
+
subsequently incorporated within the Work.
|
|
65
|
+
|
|
66
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
67
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
68
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
69
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
70
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
71
|
+
Work and such Derivative Works in Source or Object form.
|
|
72
|
+
|
|
73
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
74
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
75
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
76
|
+
(except as stated in this section) patent license to make, have made,
|
|
77
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
78
|
+
where such license applies only to those patent claims licensable
|
|
79
|
+
by such Contributor that are necessarily infringed by their
|
|
80
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
|
81
|
+
with the Work to which such Contribution(s) was submitted. If You
|
|
82
|
+
institute patent litigation against any entity (including a
|
|
83
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
84
|
+
or a Contribution incorporated within the Work constitutes direct
|
|
85
|
+
or contributory patent infringement, then any patent licenses
|
|
86
|
+
granted to You under this License for that Work shall terminate
|
|
87
|
+
as of the date such litigation is filed.
|
|
88
|
+
|
|
89
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
90
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
91
|
+
modifications, and in Source or Object form, provided that You
|
|
92
|
+
meet the following conditions:
|
|
93
|
+
|
|
94
|
+
(a) You must give any other recipients of the Work or
|
|
95
|
+
Derivative Works a copy of this License; and
|
|
96
|
+
|
|
97
|
+
(b) You must cause any modified files to carry prominent notices
|
|
98
|
+
stating that You changed the files; and
|
|
99
|
+
|
|
100
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
101
|
+
that You distribute, all copyright, patent, trademark, and
|
|
102
|
+
attribution notices from the Source form of the Work,
|
|
103
|
+
excluding those notices that do not pertain to any part of
|
|
104
|
+
the Derivative Works; and
|
|
105
|
+
|
|
106
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
107
|
+
distribution, then any Derivative Works that You distribute must
|
|
108
|
+
include a readable copy of the attribution notices contained
|
|
109
|
+
within such NOTICE file, excluding those notices that do not
|
|
110
|
+
pertain to any part of the Derivative Works, in at least one
|
|
111
|
+
of the following places: within a NOTICE text file distributed
|
|
112
|
+
as part of the Derivative Works; within the Source form or
|
|
113
|
+
documentation, if provided along with the Derivative Works; or,
|
|
114
|
+
within a display generated by the Derivative Works, if and
|
|
115
|
+
wherever such third-party notices normally appear. The contents
|
|
116
|
+
of the NOTICE file are for informational purposes only and
|
|
117
|
+
do not modify the License. You may add Your own attribution
|
|
118
|
+
notices within Derivative Works that You distribute, alongside
|
|
119
|
+
or as an addendum to the NOTICE text from the Work, provided
|
|
120
|
+
that such additional attribution notices cannot be construed
|
|
121
|
+
as modifying the License.
|
|
122
|
+
|
|
123
|
+
You may add Your own copyright statement to Your modifications and
|
|
124
|
+
may provide additional or different license terms and conditions
|
|
125
|
+
for use, reproduction, or distribution of Your modifications, or
|
|
126
|
+
for any such Derivative Works as a whole, provided Your use,
|
|
127
|
+
reproduction, and distribution of the Work otherwise complies with
|
|
128
|
+
the conditions stated in this License.
|
|
129
|
+
|
|
130
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
131
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
132
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
133
|
+
this License, without any additional terms or conditions.
|
|
134
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
|
135
|
+
the terms of any separate license agreement you may have executed
|
|
136
|
+
with Licensor regarding such Contributions.
|
|
137
|
+
|
|
138
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
139
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
140
|
+
except as required for reasonable and customary use in describing the
|
|
141
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
142
|
+
|
|
143
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
144
|
+
agreed to in writing, Licensor provides the Work (and each
|
|
145
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
146
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
147
|
+
implied, including, without limitation, any warranties or conditions
|
|
148
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
149
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
150
|
+
appropriateness of using or redistributing the Work and assume any
|
|
151
|
+
risks associated with Your exercise of permissions under this License.
|
|
152
|
+
|
|
153
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
154
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
155
|
+
unless required by applicable law (such as deliberate and grossly
|
|
156
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
157
|
+
liable to You for damages, including any direct, indirect, special,
|
|
158
|
+
incidental, or consequential damages of any character arising as a
|
|
159
|
+
result of this License or out of the use or inability to use the
|
|
160
|
+
Work (including but not limited to damages for loss of goodwill,
|
|
161
|
+
work stoppage, computer failure or malfunction, or any and all
|
|
162
|
+
other commercial damages or losses), even if such Contributor
|
|
163
|
+
has been advised of the possibility of such damages.
|
|
164
|
+
|
|
165
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
166
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
167
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
168
|
+
or other liability obligations and/or rights consistent with this
|
|
169
|
+
License. However, in accepting such obligations, You may act only
|
|
170
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
|
171
|
+
of any other Contributor, and only if You agree to indemnify,
|
|
172
|
+
defend, and hold each Contributor harmless for any liability
|
|
173
|
+
incurred by, or claims asserted against, such Contributor by reason
|
|
174
|
+
of your accepting any such warranty or additional liability.
|
|
175
|
+
|
|
176
|
+
END OF TERMS AND CONDITIONS
|
|
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
|
|
|
2
2
|
export * from './lib/capability';
|
|
3
3
|
export * from './lib/credential-kind';
|
|
4
4
|
export * from './lib/onboarding-manifest';
|
|
5
|
+
export * from './lib/provider-descriptor';
|
|
6
|
+
export * from './lib/connector-descriptor';
|
|
5
7
|
export * from './lib/envelope-schema';
|
|
6
8
|
export * from './lib/filter-expr';
|
|
7
9
|
export * from './lib/filter-expr-schema';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
|
package/dist/connector/index.js
CHANGED
|
@@ -18,6 +18,8 @@ __exportStar(require("./lib/adapter-kind"), exports);
|
|
|
18
18
|
__exportStar(require("./lib/capability"), exports);
|
|
19
19
|
__exportStar(require("./lib/credential-kind"), exports);
|
|
20
20
|
__exportStar(require("./lib/onboarding-manifest"), exports);
|
|
21
|
+
__exportStar(require("./lib/provider-descriptor"), exports);
|
|
22
|
+
__exportStar(require("./lib/connector-descriptor"), exports);
|
|
21
23
|
__exportStar(require("./lib/envelope-schema"), exports);
|
|
22
24
|
__exportStar(require("./lib/filter-expr"), exports);
|
|
23
25
|
__exportStar(require("./lib/filter-expr-schema"), exports);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,4DAA0C;AAC1C,6DAA2C;AAC3C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { AdapterKindRef } from './adapter-kind';
|
|
2
|
+
import type { CredentialKind } from './credential-kind';
|
|
3
|
+
export interface ConnectorDescriptor {
|
|
4
|
+
readonly connectorKey: string;
|
|
5
|
+
readonly displayName: string;
|
|
6
|
+
readonly description: string;
|
|
7
|
+
readonly iconName: string;
|
|
8
|
+
readonly providerKey: string;
|
|
9
|
+
readonly scopes: readonly string[];
|
|
10
|
+
readonly connectionCredentialKind: CredentialKind;
|
|
11
|
+
readonly adapterKind: AdapterKindRef;
|
|
12
|
+
}
|
|
13
|
+
//# sourceMappingURL=connector-descriptor.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"connector-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AASxD,MAAM,WAAW,mBAAmB;IAElC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAE9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAU7B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IAOnC,QAAQ,CAAC,wBAAwB,EAAE,cAAc,CAAC;IAOlD,QAAQ,CAAC,WAAW,EAAE,cAAc,CAAC;CACtC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"connector-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import type { CredentialFieldSpec } from './onboarding-manifest';
|
|
2
|
+
export declare enum ProviderAppAuthKind {
|
|
3
|
+
OAuth2 = "oauth2",
|
|
4
|
+
AppInstall = "app_install",
|
|
5
|
+
None = "none"
|
|
6
|
+
}
|
|
7
|
+
export declare enum ProviderOrigin {
|
|
8
|
+
Kernel = "kernel",
|
|
9
|
+
Platform = "platform",
|
|
10
|
+
Biome = "biome"
|
|
11
|
+
}
|
|
12
|
+
export declare enum ProviderCredentialScope {
|
|
13
|
+
Platform = "platform",
|
|
14
|
+
Org = "org"
|
|
15
|
+
}
|
|
16
|
+
export declare const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[];
|
|
17
|
+
export interface ProviderOAuthEndpoints {
|
|
18
|
+
readonly authorizationUrl: string;
|
|
19
|
+
readonly tokenUrl: string;
|
|
20
|
+
readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
|
|
21
|
+
readonly clientIdEnvVar?: string;
|
|
22
|
+
readonly clientSecretEnvVar?: string;
|
|
23
|
+
}
|
|
24
|
+
export interface ProviderDescriptor {
|
|
25
|
+
readonly providerKey: string;
|
|
26
|
+
readonly displayName: string;
|
|
27
|
+
readonly description: string;
|
|
28
|
+
readonly iconName: string;
|
|
29
|
+
readonly category: string;
|
|
30
|
+
readonly appAuthKind: ProviderAppAuthKind;
|
|
31
|
+
readonly origin: ProviderOrigin;
|
|
32
|
+
readonly appCredentialSchema?: readonly CredentialFieldSpec[];
|
|
33
|
+
readonly oauthEndpoints?: ProviderOAuthEndpoints;
|
|
34
|
+
readonly allowOrgOverride: boolean;
|
|
35
|
+
}
|
|
36
|
+
export declare function providerRequiresAppCredential(provider: Pick<ProviderDescriptor, 'appAuthKind'>): boolean;
|
|
37
|
+
//# sourceMappingURL=provider-descriptor.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":"AA0BA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQjE,oBAAY,mBAAmB;IAO7B,MAAM,WAAW;IAMjB,UAAU,gBAAgB;IAO1B,IAAI,SAAS;CACd;AAaD,oBAAY,cAAc;IACxB,MAAM,WAAW;IACjB,QAAQ,aAAa;IACrB,KAAK,UAAU;CAChB;AAiBD,oBAAY,uBAAuB;IACjC,QAAQ,aAAa;IACrB,GAAG,QAAQ;CACZ;AAGD,eAAO,MAAM,+BAA+B,EAAE,SAAS,uBAAuB,EACb,CAAC;AAOlE,MAAM,WAAW,sBAAsB;IAErC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAElC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAQ1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAQjE,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAOD,MAAM,WAAW,kBAAkB;IAEjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;IAE1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAQhC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,SAAS,mBAAmB,EAAE,CAAC;IAM9D,QAAQ,CAAC,cAAc,CAAC,EAAE,sBAAsB,CAAC;IAOjD,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC;AAOD,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,aAAa,CAAC,GAChD,OAAO,CAET"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = exports.ProviderCredentialScope = exports.ProviderOrigin = exports.ProviderAppAuthKind = void 0;
|
|
4
|
+
exports.providerRequiresAppCredential = providerRequiresAppCredential;
|
|
5
|
+
var ProviderAppAuthKind;
|
|
6
|
+
(function (ProviderAppAuthKind) {
|
|
7
|
+
ProviderAppAuthKind["OAuth2"] = "oauth2";
|
|
8
|
+
ProviderAppAuthKind["AppInstall"] = "app_install";
|
|
9
|
+
ProviderAppAuthKind["None"] = "none";
|
|
10
|
+
})(ProviderAppAuthKind || (exports.ProviderAppAuthKind = ProviderAppAuthKind = {}));
|
|
11
|
+
var ProviderOrigin;
|
|
12
|
+
(function (ProviderOrigin) {
|
|
13
|
+
ProviderOrigin["Kernel"] = "kernel";
|
|
14
|
+
ProviderOrigin["Platform"] = "platform";
|
|
15
|
+
ProviderOrigin["Biome"] = "biome";
|
|
16
|
+
})(ProviderOrigin || (exports.ProviderOrigin = ProviderOrigin = {}));
|
|
17
|
+
var ProviderCredentialScope;
|
|
18
|
+
(function (ProviderCredentialScope) {
|
|
19
|
+
ProviderCredentialScope["Platform"] = "platform";
|
|
20
|
+
ProviderCredentialScope["Org"] = "org";
|
|
21
|
+
})(ProviderCredentialScope || (exports.ProviderCredentialScope = ProviderCredentialScope = {}));
|
|
22
|
+
exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = [ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
|
|
23
|
+
function providerRequiresAppCredential(provider) {
|
|
24
|
+
return provider.appAuthKind !== ProviderAppAuthKind.None;
|
|
25
|
+
}
|
|
26
|
+
//# sourceMappingURL=provider-descriptor.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":";;;AAgLA,sEAIC;AAlJD,IAAY,mBAqBX;AArBD,WAAY,mBAAmB;IAO7B,wCAAiB,CAAA;IAMjB,iDAA0B,CAAA;IAO1B,oCAAa,CAAA;AACf,CAAC,EArBW,mBAAmB,mCAAnB,mBAAmB,QAqB9B;AAaD,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,mCAAiB,CAAA;IACjB,uCAAqB,CAAA;IACrB,iCAAe,CAAA;AACjB,CAAC,EAJW,cAAc,8BAAd,cAAc,QAIzB;AAiBD,IAAY,uBAGX;AAHD,WAAY,uBAAuB;IACjC,gDAAqB,CAAA;IACrB,sCAAW,CAAA;AACb,CAAC,EAHW,uBAAuB,uCAAvB,uBAAuB,QAGlC;AAGY,QAAA,+BAA+B,GAC1C,CAAC,uBAAuB,CAAC,GAAG,EAAE,uBAAuB,CAAC,QAAQ,CAAC,CAAC;AAgFlE,SAAgB,6BAA6B,CAC3C,QAAiD;IAEjD,OAAO,QAAQ,CAAC,WAAW,KAAK,mBAAmB,CAAC,IAAI,CAAC;AAC3D,CAAC"}
|
|
@@ -12,7 +12,8 @@ export declare enum CredentialPrecedenceSource {
|
|
|
12
12
|
Explicit = "explicit",
|
|
13
13
|
CapabilityDefault = "capability_default",
|
|
14
14
|
ProjectDefault = "project_default",
|
|
15
|
-
OrgDefault = "org_default"
|
|
15
|
+
OrgDefault = "org_default",
|
|
16
|
+
PlatformDefault = "platform_default"
|
|
16
17
|
}
|
|
17
18
|
export declare const CredentialPrecedenceSourceSchema: z.ZodEnum<typeof CredentialPrecedenceSource>;
|
|
18
19
|
export type PolicyRequest = ExecutionContext;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;AAgBzE,oBAAY,0BAA0B;IACpC,QAAQ,aAAa;IACrB,iBAAiB,uBAAuB;IACxC,cAAc,oBAAoB;IAClC,UAAU,gBAAgB;IAO1B,eAAe,qBAAqB;CACrC;AAED,eAAO,MAAM,gCAAgC,8CAE5C,CAAC;AAWF,MAAM,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAE7C,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CACjC,CAAC;AAWzB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,CAAC;IAWvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAM7B,2BAA2B,CAAC,EAAE,0BAA0B,CAAC;CAC1D;AAED,eAAO,MAAM,oBAAoB,EAO3B,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC"}
|
|
@@ -18,6 +18,7 @@ var CredentialPrecedenceSource;
|
|
|
18
18
|
CredentialPrecedenceSource["CapabilityDefault"] = "capability_default";
|
|
19
19
|
CredentialPrecedenceSource["ProjectDefault"] = "project_default";
|
|
20
20
|
CredentialPrecedenceSource["OrgDefault"] = "org_default";
|
|
21
|
+
CredentialPrecedenceSource["PlatformDefault"] = "platform_default";
|
|
21
22
|
})(CredentialPrecedenceSource || (exports.CredentialPrecedenceSource = CredentialPrecedenceSource = {}));
|
|
22
23
|
exports.CredentialPrecedenceSourceSchema = zod_1.z.nativeEnum(CredentialPrecedenceSource);
|
|
23
24
|
exports.PolicyRequestSchema = execution_context_1.ExecutionContextSchema;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAgBzE,IAAY,0BAYX;AAZD,WAAY,0BAA0B;IACpC,mDAAqB,CAAA;IACrB,sEAAwC,CAAA;IACxC,gEAAkC,CAAA;IAClC,wDAA0B,CAAA;IAO1B,kEAAoC,CAAA;AACtC,CAAC,EAZW,0BAA0B,0CAA1B,0BAA0B,QAYrC;AAEY,QAAA,gCAAgC,GAAG,OAAC,CAAC,UAAU,CAC1D,0BAA0B,CAC3B,CAAC;AAaW,QAAA,mBAAmB,GAC9B,0CAAsB,CAAC;AAmCZ,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,gCAAwB;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,oCAAsB,CAAC,CAAC,QAAQ,EAAE;IACvD,UAAU,EAAE,6BAAe,CAAC,QAAQ,EAAE;IACtC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjD,2BAA2B,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzE,CAA8B,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@xemahq/kernel-contracts",
|
|
3
|
-
"version": "0.22.
|
|
3
|
+
"version": "0.22.3",
|
|
4
4
|
"description": "Consolidated Xema OS kernel wire contracts — pure types + zod schemas for the 32 kernel protocol surfaces. One package, one npm scope, wildcard per-surface subpath exports. No framework/runtime deps.",
|
|
5
5
|
"publishConfig": {
|
|
6
6
|
"registry": "https://registry.npmjs.org/",
|
|
@@ -10,26 +10,18 @@
|
|
|
10
10
|
"dist",
|
|
11
11
|
"src"
|
|
12
12
|
],
|
|
13
|
-
"scripts": {
|
|
14
|
-
"clean": "rm -rf dist",
|
|
15
|
-
"build": "tsc -p tsconfig.json && node scripts/emit-awp-spec.mjs",
|
|
16
|
-
"format": "prettier --write \"src/**/*.ts\"",
|
|
17
|
-
"typecheck": "tsc -p tsconfig.json --noEmit",
|
|
18
|
-
"lint": "eslint .",
|
|
19
|
-
"check:boundary": "node scripts/check-subpath-dag.mjs"
|
|
20
|
-
},
|
|
21
13
|
"devDependencies": {
|
|
22
|
-
"@eslint/js": "
|
|
23
|
-
"@types/node": "
|
|
24
|
-
"eslint": "
|
|
25
|
-
"eslint-config-prettier": "
|
|
14
|
+
"@eslint/js": "^9.39.4",
|
|
15
|
+
"@types/node": "25.2.3",
|
|
16
|
+
"eslint": "^9.39.4",
|
|
17
|
+
"eslint-config-prettier": "^10.1.8",
|
|
26
18
|
"eslint-plugin-import": "^2.31.0",
|
|
27
|
-
"prettier": "
|
|
28
|
-
"typescript": "
|
|
29
|
-
"typescript-eslint": "
|
|
19
|
+
"prettier": "3.6.2",
|
|
20
|
+
"typescript": "5.9.3",
|
|
21
|
+
"typescript-eslint": "^8.56.1"
|
|
30
22
|
},
|
|
31
23
|
"dependencies": {
|
|
32
|
-
"zod": "
|
|
24
|
+
"zod": "^4.3.6"
|
|
33
25
|
},
|
|
34
26
|
"exports": {
|
|
35
27
|
"./*": {
|
|
@@ -38,5 +30,13 @@
|
|
|
38
30
|
"default": "./dist/*/index.js"
|
|
39
31
|
},
|
|
40
32
|
"./package.json": "./package.json"
|
|
33
|
+
},
|
|
34
|
+
"scripts": {
|
|
35
|
+
"clean": "rm -rf dist",
|
|
36
|
+
"build": "tsc -p tsconfig.json && node scripts/emit-awp-spec.mjs",
|
|
37
|
+
"format": "prettier --write \"src/**/*.ts\"",
|
|
38
|
+
"typecheck": "tsc -p tsconfig.json --noEmit",
|
|
39
|
+
"lint": "eslint .",
|
|
40
|
+
"check:boundary": "node scripts/check-subpath-dag.mjs"
|
|
41
41
|
}
|
|
42
|
-
}
|
|
42
|
+
}
|
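Review bot: The devDependencies block (new lines 14–21) mixes exact pins (`@types/node`, `prettier`, `typescript`) with caret ranges (`@eslint/js`, `eslint`, `eslint-config-prettier`, `typescript-eslint`), and the runtime `zod` dependency is `^4.3.6`; whichever policy is intended, it should be one policy, because a mixed block reads as accidental rather than deliberate. The old ranges are truncated in this rendering, so I cannot tell whether this hunk tightened or loosened them. Reproducibility of the published `dist` then rests on the lockfile, which is not part of this diff, so the release process should confirm the build ran from a committed lockfile. Moving `scripts` below `exports` is a pure reorder and fine.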
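--- a/package/src/connector/index.ts
+++ b/package/src/connector/index.ts
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
 export * from './lib/capability';
 export * from './lib/credential-kind';
 export * from './lib/onboarding-manifest';
+export * from './lib/provider-descriptor';
+export * from './lib/connector-descriptor';
 export * from './lib/envelope-schema';
 export * from './lib/filter-expr';
 export * from './lib/filter-expr-schema';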
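--- a/package/src/connector/lib/connector-descriptor.ts
+++ b/package/src/connector/lib/connector-descriptor.ts
@@ -0,0 +1,66 @@
+/**
+* ─────────────────────────────────────────────────────────────────────────
+* Connector descriptor — a capability surface authenticated by ONE provider
+*
+* A **Connector** is what a user actually connects: Gmail, Google Drive,
+* generic IMAP, generic SMTP, a GitHub SCM connector. Every connector names
+* the **Provider** it authenticates against (`providerKey`) and the incremental
+* OAuth `scopes` it needs from that provider. The catalog groups connectors by
+* provider so ONE app credential (per `ProviderDescriptor`) backs many
+* connectors.
+*
+* This descriptor is the connector-registry face of an `IntegrationProvider
+* Module`: the module carries the executable webhook/action/resource handlers;
+* this descriptor carries the *catalog + connect* metadata the framework needs
+* to render the provider-grouped catalog, drive consent with the right scopes,
+* and resolve the right per-connection credential kind.
+* ─────────────────────────────────────────────────────────────────────────
+*/
+
+import type { AdapterKindRef } from './adapter-kind';
+import type { CredentialKind } from './credential-kind';
+
+/**
+* A connector in the catalog. `connectorKey` aligns with the persisted
+* `ConnectorKind` wire value (e.g. `GMAIL`, `IMAP_GENERIC`, `SMTP_GENERIC`)
+* but is typed as a string here to keep the kernel `connector` contract
+* package free of the persisted `ConnectorKind` enum (which lives in
+* platform-common's integration-webhooks); the connector-gateway maps the two.
+*/
+export interface ConnectorDescriptor {
+/** Stable connector key — aligns with the persisted `ConnectorKind`. */
+readonly connectorKey: string;
+/** Human-readable name — `Gmail`, `Generic IMAP`. */
+readonly displayName: string;
+/** One-sentence description shown on the connector row. */
+readonly description: string;
+/** Lucide-react icon name; may differ from the provider's icon. */
+readonly iconName: string;
+
+/** The provider (authenticating authority) this connector belongs to. */
+readonly providerKey: string;
+
+/**
+* Incremental OAuth scopes this connector requests from its provider. Empty
+* for connectors whose provider `appAuthKind` is `None` (IMAP/SMTP). When a
+* second connector of the same OAuth provider is connected, the consent
+* driver requests the UNION of already-granted + these scopes (incremental
+* consent) so one app credential accrues capability without re-consent for
+* scopes already held.
+*/
+readonly scopes: readonly string[];
+
+/**
+* How an individual connection to THIS connector authenticates at runtime
+* (the per-connection wallet/token). `oauth_user` for OAuth connectors,
+* `imap_auth` / `smtp_auth` for the mail wallets, `pat` / `api_key`, …
+*/
+readonly connectionCredentialKind: CredentialKind;
+
+/**
+* The adapter category this connector plugs into (`mail`, `scm`, …). Drives
+* where normalized inbound envelopes are forwarded and which project-binding
+* surface the connector appears under.
+*/
+readonly adapterKind: AdapterKindRef;
+}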
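Review bot: The `scopes` docblock (new lines 43–50) describes cumulative consent but leaves the least-privilege consequence implicit: because the consent driver unions scopes onto the one shared provider credential, any scope a connector lists here effectively broadens that credential for every connector under the provider and, as far as this file shows, is not shed when the connector is disconnected. I would add to that docblock: `* Keep this list minimal: consent is cumulative per provider, so a scope listed here broadens the shared app credential for every connector of that provider.` and state explicitly whether disconnecting a connector revokes anything, since the text only covers the grant path. Separately, the package describes itself as types plus zod schemas and `policy.ts` ships one, yet neither descriptor has a schema; if descriptors are ever loaded from outside the bundle (a registry or config file rather than compiled-in modules), a `ConnectorDescriptorSchema` (suggested name) checking that `scopes` is a string array and `connectorKey`/`providerKey` are non-empty would be the natural place to enforce the contract.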
@@ -0,0 +1,181 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ─────────────────────────────────────────────────────────────────────────
|
|
3
|
+
* Provider descriptor — the authenticating authority ("app") behind N connectors
|
|
4
|
+
*
|
|
5
|
+
* A **Provider** is the identity/authority a set of connectors authenticates
|
|
6
|
+
* against — e.g. `google`, `microsoft`, `github`, `slack`, `smtp`, `imap`.
|
|
7
|
+
* ONE provider owns ONE **app credential** (a Google Cloud OAuth client, a
|
|
8
|
+
* GitHub App private key, …) and fans out to MANY **connectors** (Gmail,
|
|
9
|
+
* Google Drive, Google Calendar …), each of which reuses that single app
|
|
10
|
+
* credential with its own incremental scopes.
|
|
11
|
+
*
|
|
12
|
+
* This is the "Google is a world" fix: the catalog lists connectors grouped
|
|
13
|
+
* under one provider card; the app credential is provided once (by a platform
|
|
14
|
+
* admin, or overridden per-org as BYO) and every connector under the provider
|
|
15
|
+
* reuses it. Adding a new Google service later is a new *connector* with new
|
|
16
|
+
* scopes — never a new credential and never a framework change.
|
|
17
|
+
*
|
|
18
|
+
* The descriptor is a **runtime contract** describing how a provider's app
|
|
19
|
+
* credential is obtained and where it lives. Actual secret VALUES are never
|
|
20
|
+
* carried here — only the SCHEMA of what an admin must supply
|
|
21
|
+
* (`appCredentialSchema`) and non-secret OAuth endpoint metadata. Secrets are
|
|
22
|
+
* held by the credential broker + custody, referenced by env-var name or
|
|
23
|
+
* custody ref, never inlined.
|
|
24
|
+
* ─────────────────────────────────────────────────────────────────────────
|
|
25
|
+
*/
|
|
26
|
+
|
|
27
|
+
import type { CredentialFieldSpec } from './onboarding-manifest';
|
|
28
|
+
|
|
29
|
+
/**
|
|
30
|
+
* How a provider's APP-level credential authenticates. This is distinct from
|
|
31
|
+
* a *connector's* per-connection `CredentialKind` (how an individual user/
|
|
32
|
+
* mailbox connection authenticates) — it describes the shared "app" that the
|
|
33
|
+
* platform/org registers once.
|
|
34
|
+
*/
|
|
35
|
+
export enum ProviderAppAuthKind {
|
|
36
|
+
/**
|
|
37
|
+
* 3-legged OAuth: the app is a registered OAuth client (clientId/secret).
|
|
38
|
+
* Connecting a connector runs an authorization-code consent redirect using
|
|
39
|
+
* the app credential + the connector's scopes. e.g. Google, Microsoft,
|
|
40
|
+
* Slack.
|
|
41
|
+
*/
|
|
42
|
+
OAuth2 = 'oauth2',
|
|
43
|
+
/**
|
|
44
|
+
* App-installation flow (GitHub App / GitLab App / Atlassian Connect): the
|
|
45
|
+
* app authenticates via an app id + private key and the user installs it
|
|
46
|
+
* onto their account/org. e.g. GitHub.
|
|
47
|
+
*/
|
|
48
|
+
AppInstall = 'app_install',
|
|
49
|
+
/**
|
|
50
|
+
* No shared app credential at all — every connection carries its own
|
|
51
|
+
* complete secret (a mailbox host+user+password, a raw API key). The
|
|
52
|
+
* connector is connectable with NO platform/org setup. e.g. generic SMTP,
|
|
53
|
+
* generic IMAP.
|
|
54
|
+
*/
|
|
55
|
+
None = 'none',
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
/**
|
|
59
|
+
* Who shipped a provider. Determines WHICH admin fulfils its app-credential
|
|
60
|
+
* requirement and at which scope the requirement is registered.
|
|
61
|
+
*
|
|
62
|
+
* - `kernel` — a first-party provider baked into the platform.
|
|
63
|
+
* - `platform` — shipped by a platform (Layer-2) service/biome installed
|
|
64
|
+
* platform-wide; platform admin fulfils it.
|
|
65
|
+
* - `biome` — introduced by a biome. When that biome is installed at ORG
|
|
66
|
+
* scope, the requirement is org-scoped (the org admin BYO-fills
|
|
67
|
+
* it) because the platform never shipped the provider.
|
|
68
|
+
*/
|
|
69
|
+
export enum ProviderOrigin {
|
|
70
|
+
Kernel = 'kernel',
|
|
71
|
+
Platform = 'platform',
|
|
72
|
+
Biome = 'biome',
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
/**
|
|
76
|
+
* The two scopes at which a provider's APP credential can be provisioned.
|
|
77
|
+
* Deliberately a SEPARATE, minimal enum from the 5-tier ownership
|
|
78
|
+
* `ScopeSource` and from the credential-broker's per-connection
|
|
79
|
+
* `CredentialScopeTier` — app-credential provisioning is a strict 2-tier
|
|
80
|
+
* concern: a platform-wide default that an org may override.
|
|
81
|
+
*
|
|
82
|
+
* Resolution precedence (narrowest wins):
|
|
83
|
+
*
|
|
84
|
+
* Org (BYO) > Platform (default) > [legacy env-var fallback] > unset
|
|
85
|
+
*
|
|
86
|
+
* An unset REQUIRED app credential is surfaced to the correct admin and the
|
|
87
|
+
* connector reports "needs setup" — it never silently falls through to an
|
|
88
|
+
* unauthenticated request.
|
|
89
|
+
*/
|
|
90
|
+
export enum ProviderCredentialScope {
|
|
91
|
+
Platform = 'platform',
|
|
92
|
+
Org = 'org',
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
/** Precedence order for app-credential resolution — index 0 wins. */
|
|
96
|
+
export const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[] =
|
|
97
|
+
[ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
|
|
98
|
+
|
|
99
|
+
/**
|
|
100
|
+
* Non-secret OAuth endpoint metadata for a `ProviderAppAuthKind.OAuth2`
|
|
101
|
+
* provider. Client id/secret are NOT here — they are the app credential,
|
|
102
|
+
* resolved from a provision (or the legacy env fallback) at consent time.
|
|
103
|
+
*/
|
|
104
|
+
export interface ProviderOAuthEndpoints {
|
|
105
|
+
/** Authorization-code consent endpoint (where the user is redirected). */
|
|
106
|
+
readonly authorizationUrl: string;
|
|
107
|
+
/** Token-exchange endpoint (code→token, refresh-token rotation). */
|
|
108
|
+
readonly tokenUrl: string;
|
|
109
|
+
/**
|
|
110
|
+
* Extra authorize-request params a provider needs to actually mint a
|
|
111
|
+
* refresh token / do incremental consent. Non-secret. e.g. Google needs
|
|
112
|
+
* `{ access_type: 'offline', include_granted_scopes: 'true', prompt:
|
|
113
|
+
* 'consent' }`. Kept explicit rather than hardcoded in the driver so a new
|
|
114
|
+
* OAuth provider is pure data.
|
|
115
|
+
*/
|
|
116
|
+
readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
|
|
117
|
+
/**
|
|
118
|
+
* Legacy env-var NAMES the OAuth driver falls back to for the app
|
|
119
|
+
* client id / secret when no provision exists yet (bootstrap before the
|
|
120
|
+
* platform-admin UI is used). Never the secret itself. Optional — a
|
|
121
|
+
* provider with no env fallback simply reports "needs setup" until an
|
|
122
|
+
* admin provisions it.
|
|
123
|
+
*/
|
|
124
|
+
readonly clientIdEnvVar?: string;
|
|
125
|
+
readonly clientSecretEnvVar?: string;
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
/**
|
|
129
|
+
* A first-class Provider (authenticating authority). Registered in the
|
|
130
|
+
* provider registry alongside — but distinct from — the connectors that
|
|
131
|
+
* reference it via `Connector.providerKey`.
|
|
132
|
+
*/
|
|
133
|
+
export interface ProviderDescriptor {
|
|
134
|
+
/** Stable lowercase slug — `google`, `microsoft`, `github`, `smtp`. */
|
|
135
|
+
readonly providerKey: string;
|
|
136
|
+
/** Human-readable name — `Google`, `Microsoft`, `Generic SMTP`. */
|
|
137
|
+
readonly displayName: string;
|
|
138
|
+
/** One-sentence description shown on the provider card. */
|
|
139
|
+
readonly description: string;
|
|
140
|
+
/** Lucide-react icon name; frontend maps to a component. */
|
|
141
|
+
readonly iconName: string;
|
|
142
|
+
/** Catalog grouping label (e.g. `Email`, `Source control`, `Chat`). */
|
|
143
|
+
readonly category: string;
|
|
144
|
+
|
|
145
|
+
/** How the shared app credential authenticates. */
|
|
146
|
+
readonly appAuthKind: ProviderAppAuthKind;
|
|
147
|
+
/** Who shipped the provider — drives requirement scope + which admin fills. */
|
|
148
|
+
readonly origin: ProviderOrigin;
|
|
149
|
+
|
|
150
|
+
/**
|
|
151
|
+
* Schema of the app-credential fields an admin must supply to register the
|
|
152
|
+
* app (Google → clientId/clientSecret[/pubsubTopic]; GitHub App → appId/
|
|
153
|
+
* privateKey/webhookSecret). Empty/omitted when `appAuthKind = None`
|
|
154
|
+
* (nothing to provision — the connector is immediately connectable).
|
|
155
|
+
*/
|
|
156
|
+
readonly appCredentialSchema?: readonly CredentialFieldSpec[];
|
|
157
|
+
|
|
158
|
+
/**
|
|
159
|
+
* OAuth endpoint metadata — REQUIRED when `appAuthKind = OAuth2`, absent
|
|
160
|
+
* otherwise.
|
|
161
|
+
*/
|
|
162
|
+
readonly oauthEndpoints?: ProviderOAuthEndpoints;
|
|
163
|
+
|
|
164
|
+
/**
|
|
165
|
+
* Whether an org may override the platform-default app credential with its
|
|
166
|
+
* own (BYO app). `false` pins the provider to the platform provision only.
|
|
167
|
+
* Ignored when `appAuthKind = None` (there is no shared app to override).
|
|
168
|
+
*/
|
|
169
|
+
readonly allowOrgOverride: boolean;
|
|
170
|
+
}
|
|
171
|
+
|
|
172
|
+
/**
|
|
173
|
+
* True when a provider needs an app credential provisioned before any of its
|
|
174
|
+
* connectors can be connected (i.e. anything other than `None`). Callers use
|
|
175
|
+
* this to decide whether to surface a "needs setup" state and to whom.
|
|
176
|
+
*/
|
|
177
|
+
export function providerRequiresAppCredential(
|
|
178
|
+
provider: Pick<ProviderDescriptor, 'appAuthKind'>,
|
|
179
|
+
): boolean {
|
|
180
|
+
return provider.appAuthKind !== ProviderAppAuthKind.None;
|
|
181
|
+
}
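Review bot: `ProviderOAuthEndpoints.tokenUrl`, `clientIdEnvVar` and `clientSecretEnvVar` are unconstrained strings, yet the file header says the consent driver resolves the app client id/secret from a provision or from these env-var names and exchanges the code at `tokenUrl`; a descriptor of `ProviderOrigin.Biome` could therefore name an arbitrary env var (not just an OAuth secret) and an attacker-controlled token endpoint, and the driver would post that value there. If biome descriptors can come from packages the platform operator does not author, the contract should state that `authorizationUrl`/`tokenUrl` must be absolute `https:` URLs validated at registry load and that the env-var fallback is honoured only for `Kernel`/`Platform` origins — e.g. on `clientSecretEnvVar`: `/** Honoured only for Kernel/Platform-origin providers; its value is posted to tokenUrl, so a biome descriptor must never choose it. */`. `extraAuthorizeParams` likewise needs a reserved-key rule (`client_id`, `redirect_uri`, `state`, `scope`, `response_type`, `code_challenge*` rejected rather than merged) so a descriptor cannot redirect the authorization code or override PKCE. Whether the driver already enforces any of this is not visible from this package.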
|
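--- a/package/src/policy/lib/policy.ts
+++ b/package/src/policy/lib/policy.ts
@@ -33,14 +33,23 @@ export const PolicyDecisionKindSchema = z.nativeEnum(PolicyDecisionKind);
 * Priority, highest wins:
 * `explicit` (a grant names the binding) > `capability_default`
 * (the descriptor's `defaultCredentialBindingRef`) > `project_default` >
-* `org_default
-*
+* `org_default` > `platform_default` (a deployment-wide default an org may
+* override — the Provider–Credential framework's platform tier). No match ⇒
+* the PDP emits NO binding and denies with `MISSING_CREDENTIAL_BINDING`
+* (never a silent fallback).
 */
 export enum CredentialPrecedenceSource {
 Explicit = 'explicit',
 CapabilityDefault = 'capability_default',
 ProjectDefault = 'project_default',
 OrgDefault = 'org_default',
+/**
+* A deployment-wide platform default provision (broadest tier, below org).
+* An org-scoped default always overrides it. Used by `authorization-api`'s
+* credential-precedence resolver once this kernel change is published +
+* consumed (see the Connections framework plan).
+*/
+PlatformDefault = 'platform_default',
 }
 
 export const CredentialPrecedenceSourceSchema = z.nativeEnum(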
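Review bot: The precedence `explicit > capability_default > project_default > org_default > platform_default` exists only in the comment and in the enum's declaration order, which is all a resolver can currently rely on; the sibling provider-descriptor file exports `PROVIDER_CREDENTIAL_SCOPE_ORDER` for its own precedence, so for consistency, and so an `authorization-api` resolver cannot quietly rank the platform tier above an org default, export the order here too: `export const CREDENTIAL_PRECEDENCE_ORDER: readonly CredentialPrecedenceSource[] = [CredentialPrecedenceSource.Explicit, CredentialPrecedenceSource.CapabilityDefault, CredentialPrecedenceSource.ProjectDefault, CredentialPrecedenceSource.OrgDefault, CredentialPrecedenceSource.PlatformDefault];`. The `PlatformDefault` doc should also say that `CredentialPrecedenceSourceSchema` is a `z.nativeEnum`, so a consumer still on 0.22.1 will reject `platform_default` at parse time and the resolver must not emit it until that consumer is upgraded. The `CredentialPrecedenceSourceSchema` statement continues past the end of the hunk.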
|