@xemahq/kernel-contracts 0.22.2 → 0.22.3

@@ -1,6 +1,6 @@
1
1
  {
2
2
  "$schema": "https://xema.dev/schemas/awp-spec.v1.json",
3
- "emittedAt": "2026-07-01T10:48:07.595Z",
3
+ "emittedAt": "2026-07-02T07:22:41.877Z",
4
4
  "spec": {
5
5
  "id": "awp/v1",
6
6
  "version": "1.2.0",
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
2
2
  export * from './lib/capability';
3
3
  export * from './lib/credential-kind';
4
4
  export * from './lib/onboarding-manifest';
5
+ export * from './lib/provider-descriptor';
6
+ export * from './lib/connector-descriptor';
5
7
  export * from './lib/envelope-schema';
6
8
  export * from './lib/filter-expr';
7
9
  export * from './lib/filter-expr-schema';
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,2BAA2B,CAAC;AAC1C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,0BAA0B,CAAC;AACzC,cAAc,4BAA4B,CAAC"}
@@ -18,6 +18,8 @@ __exportStar(require("./lib/adapter-kind"), exports);
18
18
  __exportStar(require("./lib/capability"), exports);
19
19
  __exportStar(require("./lib/credential-kind"), exports);
20
20
  __exportStar(require("./lib/onboarding-manifest"), exports);
21
+ __exportStar(require("./lib/provider-descriptor"), exports);
22
+ __exportStar(require("./lib/connector-descriptor"), exports);
21
23
  __exportStar(require("./lib/envelope-schema"), exports);
22
24
  __exportStar(require("./lib/filter-expr"), exports);
23
25
  __exportStar(require("./lib/filter-expr-schema"), exports);
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connector/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,wDAAsC;AACtC,4DAA0C;AAC1C,4DAA0C;AAC1C,6DAA2C;AAC3C,wDAAsC;AACtC,oDAAkC;AAClC,2DAAyC;AACzC,6DAA2C"}
@@ -0,0 +1,13 @@
1
+ import type { AdapterKindRef } from './adapter-kind';
2
+ import type { CredentialKind } from './credential-kind';
3
+ export interface ConnectorDescriptor {
4
+ readonly connectorKey: string;
5
+ readonly displayName: string;
6
+ readonly description: string;
7
+ readonly iconName: string;
8
+ readonly providerKey: string;
9
+ readonly scopes: readonly string[];
10
+ readonly connectionCredentialKind: CredentialKind;
11
+ readonly adapterKind: AdapterKindRef;
12
+ }
13
+ //# sourceMappingURL=connector-descriptor.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"connector-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AASxD,MAAM,WAAW,mBAAmB;IAElC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAE9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAU7B,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IAOnC,QAAQ,CAAC,wBAAwB,EAAE,cAAc,CAAC;IAOlD,QAAQ,CAAC,WAAW,EAAE,cAAc,CAAC;CACtC"}
@@ -0,0 +1,3 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ //# sourceMappingURL=connector-descriptor.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"connector-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/connector-descriptor.ts"],"names":[],"mappings":""}
@@ -0,0 +1,37 @@
1
+ import type { CredentialFieldSpec } from './onboarding-manifest';
2
+ export declare enum ProviderAppAuthKind {
3
+ OAuth2 = "oauth2",
4
+ AppInstall = "app_install",
5
+ None = "none"
6
+ }
7
+ export declare enum ProviderOrigin {
8
+ Kernel = "kernel",
9
+ Platform = "platform",
10
+ Biome = "biome"
11
+ }
12
+ export declare enum ProviderCredentialScope {
13
+ Platform = "platform",
14
+ Org = "org"
15
+ }
16
+ export declare const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[];
17
+ export interface ProviderOAuthEndpoints {
18
+ readonly authorizationUrl: string;
19
+ readonly tokenUrl: string;
20
+ readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
21
+ readonly clientIdEnvVar?: string;
22
+ readonly clientSecretEnvVar?: string;
23
+ }
24
+ export interface ProviderDescriptor {
25
+ readonly providerKey: string;
26
+ readonly displayName: string;
27
+ readonly description: string;
28
+ readonly iconName: string;
29
+ readonly category: string;
30
+ readonly appAuthKind: ProviderAppAuthKind;
31
+ readonly origin: ProviderOrigin;
32
+ readonly appCredentialSchema?: readonly CredentialFieldSpec[];
33
+ readonly oauthEndpoints?: ProviderOAuthEndpoints;
34
+ readonly allowOrgOverride: boolean;
35
+ }
36
+ export declare function providerRequiresAppCredential(provider: Pick<ProviderDescriptor, 'appAuthKind'>): boolean;
37
+ //# sourceMappingURL=provider-descriptor.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"provider-descriptor.d.ts","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":"AA0BA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAQjE,oBAAY,mBAAmB;IAO7B,MAAM,WAAW;IAMjB,UAAU,gBAAgB;IAO1B,IAAI,SAAS;CACd;AAaD,oBAAY,cAAc;IACxB,MAAM,WAAW;IACjB,QAAQ,aAAa;IACrB,KAAK,UAAU;CAChB;AAiBD,oBAAY,uBAAuB;IACjC,QAAQ,aAAa;IACrB,GAAG,QAAQ;CACZ;AAGD,eAAO,MAAM,+BAA+B,EAAE,SAAS,uBAAuB,EACb,CAAC;AAOlE,MAAM,WAAW,sBAAsB;IAErC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAElC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAQ1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAQjE,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAOD,MAAM,WAAW,kBAAkB;IAEjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC;IAE1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAQhC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,SAAS,mBAAmB,EAAE,CAAC;IAM9D,QAAQ,CAAC,cAAc,CAAC,EAAE,sBAAsB,CAAC;IAOjD,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC;AAOD,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,IAAI,CAAC,kBAAkB,EAAE,aAAa,CAAC,GAChD,OAAO,CAET"}
@@ -0,0 +1,26 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = exports.ProviderCredentialScope = exports.ProviderOrigin = exports.ProviderAppAuthKind = void 0;
4
+ exports.providerRequiresAppCredential = providerRequiresAppCredential;
5
+ var ProviderAppAuthKind;
6
+ (function (ProviderAppAuthKind) {
7
+ ProviderAppAuthKind["OAuth2"] = "oauth2";
8
+ ProviderAppAuthKind["AppInstall"] = "app_install";
9
+ ProviderAppAuthKind["None"] = "none";
10
+ })(ProviderAppAuthKind || (exports.ProviderAppAuthKind = ProviderAppAuthKind = {}));
11
+ var ProviderOrigin;
12
+ (function (ProviderOrigin) {
13
+ ProviderOrigin["Kernel"] = "kernel";
14
+ ProviderOrigin["Platform"] = "platform";
15
+ ProviderOrigin["Biome"] = "biome";
16
+ })(ProviderOrigin || (exports.ProviderOrigin = ProviderOrigin = {}));
17
+ var ProviderCredentialScope;
18
+ (function (ProviderCredentialScope) {
19
+ ProviderCredentialScope["Platform"] = "platform";
20
+ ProviderCredentialScope["Org"] = "org";
21
+ })(ProviderCredentialScope || (exports.ProviderCredentialScope = ProviderCredentialScope = {}));
22
+ exports.PROVIDER_CREDENTIAL_SCOPE_ORDER = [ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
23
+ function providerRequiresAppCredential(provider) {
24
+ return provider.appAuthKind !== ProviderAppAuthKind.None;
25
+ }
26
+ //# sourceMappingURL=provider-descriptor.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"provider-descriptor.js","sourceRoot":"","sources":["../../../src/connector/lib/provider-descriptor.ts"],"names":[],"mappings":";;;AAgLA,sEAIC;AAlJD,IAAY,mBAqBX;AArBD,WAAY,mBAAmB;IAO7B,wCAAiB,CAAA;IAMjB,iDAA0B,CAAA;IAO1B,oCAAa,CAAA;AACf,CAAC,EArBW,mBAAmB,mCAAnB,mBAAmB,QAqB9B;AAaD,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,mCAAiB,CAAA;IACjB,uCAAqB,CAAA;IACrB,iCAAe,CAAA;AACjB,CAAC,EAJW,cAAc,8BAAd,cAAc,QAIzB;AAiBD,IAAY,uBAGX;AAHD,WAAY,uBAAuB;IACjC,gDAAqB,CAAA;IACrB,sCAAW,CAAA;AACb,CAAC,EAHW,uBAAuB,uCAAvB,uBAAuB,QAGlC;AAGY,QAAA,+BAA+B,GAC1C,CAAC,uBAAuB,CAAC,GAAG,EAAE,uBAAuB,CAAC,QAAQ,CAAC,CAAC;AAgFlE,SAAgB,6BAA6B,CAC3C,QAAiD;IAEjD,OAAO,QAAQ,CAAC,WAAW,KAAK,mBAAmB,CAAC,IAAI,CAAC;AAC3D,CAAC"}
@@ -12,7 +12,8 @@ export declare enum CredentialPrecedenceSource {
12
12
  Explicit = "explicit",
13
13
  CapabilityDefault = "capability_default",
14
14
  ProjectDefault = "project_default",
15
- OrgDefault = "org_default"
15
+ OrgDefault = "org_default",
16
+ PlatformDefault = "platform_default"
16
17
  }
17
18
  export declare const CredentialPrecedenceSourceSchema: z.ZodEnum<typeof CredentialPrecedenceSource>;
18
19
  export type PolicyRequest = ExecutionContext;
@@ -1 +1 @@
1
- {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;AAczE,oBAAY,0BAA0B;IACpC,QAAQ,aAAa;IACrB,iBAAiB,uBAAuB;IACxC,cAAc,oBAAoB;IAClC,UAAU,gBAAgB;CAC3B;AAED,eAAO,MAAM,gCAAgC,8CAE5C,CAAC;AAWF,MAAM,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAE7C,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CACjC,CAAC;AAWzB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,CAAC;IAWvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAM7B,2BAA2B,CAAC,EAAE,0BAA0B,CAAC;CAC1D;AAED,eAAO,MAAM,oBAAoB,EAO3B,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC"}
1
+ {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,eAAe,CAAC;AAShE,oBAAY,kBAAkB;IAC5B,KAAK,UAAU;IACf,IAAI,SAAS;IACb,aAAa,mBAAmB;CACjC;AAED,eAAO,MAAM,wBAAwB,sCAAmC,CAAC;AAgBzE,oBAAY,0BAA0B;IACpC,QAAQ,aAAa;IACrB,iBAAiB,uBAAuB;IACxC,cAAc,oBAAoB;IAClC,UAAU,gBAAgB;IAO1B,eAAe,qBAAqB;CACrC;AAED,eAAO,MAAM,gCAAgC,8CAE5C,CAAC;AAWF,MAAM,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAE7C,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CACjC,CAAC;AAWzB,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,kBAAkB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,CAAC;IAWvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAM7B,2BAA2B,CAAC,EAAE,0BAA0B,CAAC;CAC1D;AAED,eAAO,MAAM,oBAAoB,EAO3B,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC"}
@@ -18,6 +18,7 @@ var CredentialPrecedenceSource;
18
18
  CredentialPrecedenceSource["CapabilityDefault"] = "capability_default";
19
19
  CredentialPrecedenceSource["ProjectDefault"] = "project_default";
20
20
  CredentialPrecedenceSource["OrgDefault"] = "org_default";
21
+ CredentialPrecedenceSource["PlatformDefault"] = "platform_default";
21
22
  })(CredentialPrecedenceSource || (exports.CredentialPrecedenceSource = CredentialPrecedenceSource = {}));
22
23
  exports.CredentialPrecedenceSourceSchema = zod_1.z.nativeEnum(CredentialPrecedenceSource);
23
24
  exports.PolicyRequestSchema = execution_context_1.ExecutionContextSchema;
@@ -1 +1 @@
1
- {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAczE,IAAY,0BAKX;AALD,WAAY,0BAA0B;IACpC,mDAAqB,CAAA;IACrB,sEAAwC,CAAA;IACxC,gEAAkC,CAAA;IAClC,wDAA0B,CAAA;AAC5B,CAAC,EALW,0BAA0B,0CAA1B,0BAA0B,QAKrC;AAEY,QAAA,gCAAgC,GAAG,OAAC,CAAC,UAAU,CAC1D,0BAA0B,CAC3B,CAAC;AAaW,QAAA,mBAAmB,GAC9B,0CAAsB,CAAC;AAmCZ,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,gCAAwB;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,oCAAsB,CAAC,CAAC,QAAQ,EAAE;IACvD,UAAU,EAAE,6BAAe,CAAC,QAAQ,EAAE;IACtC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjD,2BAA2B,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzE,CAA8B,CAAC"}
1
+ {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/policy/lib/policy.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,+DAGiC;AACjC,+CAGuB;AACvB,+CAAgE;AAShE,IAAY,kBAIX;AAJD,WAAY,kBAAkB;IAC5B,qCAAe,CAAA;IACf,mCAAa,CAAA;IACb,sDAAgC,CAAA;AAClC,CAAC,EAJW,kBAAkB,kCAAlB,kBAAkB,QAI7B;AAEY,QAAA,wBAAwB,GAAG,OAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAgBzE,IAAY,0BAYX;AAZD,WAAY,0BAA0B;IACpC,mDAAqB,CAAA;IACrB,sEAAwC,CAAA;IACxC,gEAAkC,CAAA;IAClC,wDAA0B,CAAA;IAO1B,kEAAoC,CAAA;AACtC,CAAC,EAZW,0BAA0B,0CAA1B,0BAA0B,QAYrC;AAEY,QAAA,gCAAgC,GAAG,OAAC,CAAC,UAAU,CAC1D,0BAA0B,CAC3B,CAAC;AAaW,QAAA,mBAAmB,GAC9B,0CAAsB,CAAC;AAmCZ,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,IAAI,EAAE,gCAAwB;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,oCAAsB,CAAC,CAAC,QAAQ,EAAE;IACvD,UAAU,EAAE,6BAAe,CAAC,QAAQ,EAAE;IACtC,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjD,2BAA2B,EAAE,wCAAgC,CAAC,QAAQ,EAAE;CACzE,CAA8B,CAAC"}
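--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@xemahq/kernel-contracts",
- "version": "0.22.2",
+ "version": "0.22.3",
  "description": "Consolidated Xema OS kernel wire contracts — pure types + zod schemas for the 32 kernel protocol surfaces. One package, one npm scope, wildcard per-surface subpath exports. No framework/runtime deps.",
  "publishConfig": {
  "registry": "https://registry.npmjs.org/",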
@@ -2,6 +2,8 @@ export * from './lib/adapter-kind';
2
2
  export * from './lib/capability';
3
3
  export * from './lib/credential-kind';
4
4
  export * from './lib/onboarding-manifest';
5
+ export * from './lib/provider-descriptor';
6
+ export * from './lib/connector-descriptor';
5
7
  export * from './lib/envelope-schema';
6
8
  export * from './lib/filter-expr';
7
9
  export * from './lib/filter-expr-schema';
@@ -0,0 +1,66 @@
1
+ /**
2
+ * ─────────────────────────────────────────────────────────────────────────
3
+ * Connector descriptor — a capability surface authenticated by ONE provider
4
+ *
5
+ * A **Connector** is what a user actually connects: Gmail, Google Drive,
6
+ * generic IMAP, generic SMTP, a GitHub SCM connector. Every connector names
7
+ * the **Provider** it authenticates against (`providerKey`) and the incremental
8
+ * OAuth `scopes` it needs from that provider. The catalog groups connectors by
9
+ * provider so ONE app credential (per `ProviderDescriptor`) backs many
10
+ * connectors.
11
+ *
12
+ * This descriptor is the connector-registry face of an `IntegrationProvider
13
+ * Module`: the module carries the executable webhook/action/resource handlers;
14
+ * this descriptor carries the *catalog + connect* metadata the framework needs
15
+ * to render the provider-grouped catalog, drive consent with the right scopes,
16
+ * and resolve the right per-connection credential kind.
17
+ * ─────────────────────────────────────────────────────────────────────────
18
+ */
19
+
20
+ import type { AdapterKindRef } from './adapter-kind';
21
+ import type { CredentialKind } from './credential-kind';
22
+
23
+ /**
24
+ * A connector in the catalog. `connectorKey` aligns with the persisted
25
+ * `ConnectorKind` wire value (e.g. `GMAIL`, `IMAP_GENERIC`, `SMTP_GENERIC`)
26
+ * but is typed as a string here to keep the kernel `connector` contract
27
+ * package free of the persisted `ConnectorKind` enum (which lives in
28
+ * platform-common's integration-webhooks); the connector-gateway maps the two.
29
+ */
30
+ export interface ConnectorDescriptor {
31
+ /** Stable connector key — aligns with the persisted `ConnectorKind`. */
32
+ readonly connectorKey: string;
33
+ /** Human-readable name — `Gmail`, `Generic IMAP`. */
34
+ readonly displayName: string;
35
+ /** One-sentence description shown on the connector row. */
36
+ readonly description: string;
37
+ /** Lucide-react icon name; may differ from the provider's icon. */
38
+ readonly iconName: string;
39
+
40
+ /** The provider (authenticating authority) this connector belongs to. */
41
+ readonly providerKey: string;
42
+
43
+ /**
44
+ * Incremental OAuth scopes this connector requests from its provider. Empty
45
+ * for connectors whose provider `appAuthKind` is `None` (IMAP/SMTP). When a
46
+ * second connector of the same OAuth provider is connected, the consent
47
+ * driver requests the UNION of already-granted + these scopes (incremental
48
+ * consent) so one app credential accrues capability without re-consent for
49
+ * scopes already held.
50
+ */
51
+ readonly scopes: readonly string[];
52
+
53
+ /**
54
+ * How an individual connection to THIS connector authenticates at runtime
55
+ * (the per-connection wallet/token). `oauth_user` for OAuth connectors,
56
+ * `imap_auth` / `smtp_auth` for the mail wallets, `pat` / `api_key`, …
57
+ */
58
+ readonly connectionCredentialKind: CredentialKind;
59
+
60
+ /**
61
+ * The adapter category this connector plugs into (`mail`, `scm`, …). Drives
62
+ * where normalized inbound envelopes are forwarded and which project-binding
63
+ * surface the connector appears under.
64
+ */
65
+ readonly adapterKind: AdapterKindRef;
66
+ }
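Review bot: The `scopes` comment says the consent driver requests the union of already-granted and new scopes, so once a second connector of the same provider is connected, the grant behind the first connector also carries the second one's scopes; nothing in `ConnectorDescriptor` states who keeps a connector within its own `scopes` at call time. I would add to that comment: `The stored grant may be broader than this list; the component issuing provider calls must limit each connector to its own scopes rather than to whatever the token allows.` Separately, `providerKey` is a free `string` and `connectionCredentialKind` is independent of the provider's `appAuthKind`. A registry-side check that the key resolves to a registered provider, and that `scopes` is empty when that provider is `None`, would reject mismatched descriptors at registration instead of at consent time.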
@@ -0,0 +1,181 @@
1
+ /**
2
+ * ─────────────────────────────────────────────────────────────────────────
3
+ * Provider descriptor — the authenticating authority ("app") behind N connectors
4
+ *
5
+ * A **Provider** is the identity/authority a set of connectors authenticates
6
+ * against — e.g. `google`, `microsoft`, `github`, `slack`, `smtp`, `imap`.
7
+ * ONE provider owns ONE **app credential** (a Google Cloud OAuth client, a
8
+ * GitHub App private key, …) and fans out to MANY **connectors** (Gmail,
9
+ * Google Drive, Google Calendar …), each of which reuses that single app
10
+ * credential with its own incremental scopes.
11
+ *
12
+ * This is the "Google is a world" fix: the catalog lists connectors grouped
13
+ * under one provider card; the app credential is provided once (by a platform
14
+ * admin, or overridden per-org as BYO) and every connector under the provider
15
+ * reuses it. Adding a new Google service later is a new *connector* with new
16
+ * scopes — never a new credential and never a framework change.
17
+ *
18
+ * The descriptor is a **runtime contract** describing how a provider's app
19
+ * credential is obtained and where it lives. Actual secret VALUES are never
20
+ * carried here — only the SCHEMA of what an admin must supply
21
+ * (`appCredentialSchema`) and non-secret OAuth endpoint metadata. Secrets are
22
+ * held by the credential broker + custody, referenced by env-var name or
23
+ * custody ref, never inlined.
24
+ * ─────────────────────────────────────────────────────────────────────────
25
+ */
26
+
27
+ import type { CredentialFieldSpec } from './onboarding-manifest';
28
+
29
+ /**
30
+ * How a provider's APP-level credential authenticates. This is distinct from
31
+ * a *connector's* per-connection `CredentialKind` (how an individual user/
32
+ * mailbox connection authenticates) — it describes the shared "app" that the
33
+ * platform/org registers once.
34
+ */
35
+ export enum ProviderAppAuthKind {
36
+ /**
37
+ * 3-legged OAuth: the app is a registered OAuth client (clientId/secret).
38
+ * Connecting a connector runs an authorization-code consent redirect using
39
+ * the app credential + the connector's scopes. e.g. Google, Microsoft,
40
+ * Slack.
41
+ */
42
+ OAuth2 = 'oauth2',
43
+ /**
44
+ * App-installation flow (GitHub App / GitLab App / Atlassian Connect): the
45
+ * app authenticates via an app id + private key and the user installs it
46
+ * onto their account/org. e.g. GitHub.
47
+ */
48
+ AppInstall = 'app_install',
49
+ /**
50
+ * No shared app credential at all — every connection carries its own
51
+ * complete secret (a mailbox host+user+password, a raw API key). The
52
+ * connector is connectable with NO platform/org setup. e.g. generic SMTP,
53
+ * generic IMAP.
54
+ */
55
+ None = 'none',
56
+ }
57
+
58
+ /**
59
+ * Who shipped a provider. Determines WHICH admin fulfils its app-credential
60
+ * requirement and at which scope the requirement is registered.
61
+ *
62
+ * - `kernel` — a first-party provider baked into the platform.
63
+ * - `platform` — shipped by a platform (Layer-2) service/biome installed
64
+ * platform-wide; platform admin fulfils it.
65
+ * - `biome` — introduced by a biome. When that biome is installed at ORG
66
+ * scope, the requirement is org-scoped (the org admin BYO-fills
67
+ * it) because the platform never shipped the provider.
68
+ */
69
+ export enum ProviderOrigin {
70
+ Kernel = 'kernel',
71
+ Platform = 'platform',
72
+ Biome = 'biome',
73
+ }
74
+
75
+ /**
76
+ * The two scopes at which a provider's APP credential can be provisioned.
77
+ * Deliberately a SEPARATE, minimal enum from the 5-tier ownership
78
+ * `ScopeSource` and from the credential-broker's per-connection
79
+ * `CredentialScopeTier` — app-credential provisioning is a strict 2-tier
80
+ * concern: a platform-wide default that an org may override.
81
+ *
82
+ * Resolution precedence (narrowest wins):
83
+ *
84
+ * Org (BYO) > Platform (default) > [legacy env-var fallback] > unset
85
+ *
86
+ * An unset REQUIRED app credential is surfaced to the correct admin and the
87
+ * connector reports "needs setup" — it never silently falls through to an
88
+ * unauthenticated request.
89
+ */
90
+ export enum ProviderCredentialScope {
91
+ Platform = 'platform',
92
+ Org = 'org',
93
+ }
94
+
95
+ /** Precedence order for app-credential resolution — index 0 wins. */
96
+ export const PROVIDER_CREDENTIAL_SCOPE_ORDER: readonly ProviderCredentialScope[] =
97
+ [ProviderCredentialScope.Org, ProviderCredentialScope.Platform];
98
+
99
+ /**
100
+ * Non-secret OAuth endpoint metadata for a `ProviderAppAuthKind.OAuth2`
101
+ * provider. Client id/secret are NOT here — they are the app credential,
102
+ * resolved from a provision (or the legacy env fallback) at consent time.
103
+ */
104
+ export interface ProviderOAuthEndpoints {
105
+ /** Authorization-code consent endpoint (where the user is redirected). */
106
+ readonly authorizationUrl: string;
107
+ /** Token-exchange endpoint (code→token, refresh-token rotation). */
108
+ readonly tokenUrl: string;
109
+ /**
110
+ * Extra authorize-request params a provider needs to actually mint a
111
+ * refresh token / do incremental consent. Non-secret. e.g. Google needs
112
+ * `{ access_type: 'offline', include_granted_scopes: 'true', prompt:
113
+ * 'consent' }`. Kept explicit rather than hardcoded in the driver so a new
114
+ * OAuth provider is pure data.
115
+ */
116
+ readonly extraAuthorizeParams?: Readonly<Record<string, string>>;
117
+ /**
118
+ * Legacy env-var NAMES the OAuth driver falls back to for the app
119
+ * client id / secret when no provision exists yet (bootstrap before the
120
+ * platform-admin UI is used). Never the secret itself. Optional — a
121
+ * provider with no env fallback simply reports "needs setup" until an
122
+ * admin provisions it.
123
+ */
124
+ readonly clientIdEnvVar?: string;
125
+ readonly clientSecretEnvVar?: string;
126
+ }
127
+
128
+ /**
129
+ * A first-class Provider (authenticating authority). Registered in the
130
+ * provider registry alongside — but distinct from — the connectors that
131
+ * reference it via `Connector.providerKey`.
132
+ */
133
+ export interface ProviderDescriptor {
134
+ /** Stable lowercase slug — `google`, `microsoft`, `github`, `smtp`. */
135
+ readonly providerKey: string;
136
+ /** Human-readable name — `Google`, `Microsoft`, `Generic SMTP`. */
137
+ readonly displayName: string;
138
+ /** One-sentence description shown on the provider card. */
139
+ readonly description: string;
140
+ /** Lucide-react icon name; frontend maps to a component. */
141
+ readonly iconName: string;
142
+ /** Catalog grouping label (e.g. `Email`, `Source control`, `Chat`). */
143
+ readonly category: string;
144
+
145
+ /** How the shared app credential authenticates. */
146
+ readonly appAuthKind: ProviderAppAuthKind;
147
+ /** Who shipped the provider — drives requirement scope + which admin fills. */
148
+ readonly origin: ProviderOrigin;
149
+
150
+ /**
151
+ * Schema of the app-credential fields an admin must supply to register the
152
+ * app (Google → clientId/clientSecret[/pubsubTopic]; GitHub App → appId/
153
+ * privateKey/webhookSecret). Empty/omitted when `appAuthKind = None`
154
+ * (nothing to provision — the connector is immediately connectable).
155
+ */
156
+ readonly appCredentialSchema?: readonly CredentialFieldSpec[];
157
+
158
+ /**
159
+ * OAuth endpoint metadata — REQUIRED when `appAuthKind = OAuth2`, absent
160
+ * otherwise.
161
+ */
162
+ readonly oauthEndpoints?: ProviderOAuthEndpoints;
163
+
164
+ /**
165
+ * Whether an org may override the platform-default app credential with its
166
+ * own (BYO app). `false` pins the provider to the platform provision only.
167
+ * Ignored when `appAuthKind = None` (there is no shared app to override).
168
+ */
169
+ readonly allowOrgOverride: boolean;
170
+ }
171
+
172
+ /**
173
+ * True when a provider needs an app credential provisioned before any of its
174
+ * connectors can be connected (i.e. anything other than `None`). Callers use
175
+ * this to decide whether to surface a "needs setup" state and to whom.
176
+ */
177
+ export function providerRequiresAppCredential(
178
+ provider: Pick<ProviderDescriptor, 'appAuthKind'>,
179
+ ): boolean {
180
+ return provider.appAuthKind !== ProviderAppAuthKind.None;
181
+ }
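Review bot: `ProviderOAuthEndpoints` decides where the app client secret and authorization code are sent (`tokenUrl`) and which environment variables the driver reads (`clientIdEnvVar`, `clientSecretEnvVar`), yet the file ships only an interface and no runtime schema, although `ProviderOrigin.Biome` descriptors are authored outside the platform. A descriptor-supplied env-var name should be honoured only for `kernel`/`platform` origins or checked against a deployment allow-list, both URLs should be required to be `https`, and `extraAuthorizeParams` should not be able to set parameters the consent driver owns. How descriptors reach the registry is not visible in this diff, so read this as a contract gap rather than a confirmed flaw. A schema along these lines next to the interface would let the registry reject such descriptors; it needs the `z` import that `policy.ts` already uses.

```typescript
// … unchanged: ProviderOAuthEndpoints interface …

const HttpsUrlSchema = z
  .string()
  .url()
  .refine((value) => value.startsWith('https://'), 'must be an https URL');

// Authorize-request keys owned by the consent driver; a descriptor must not set them.
const RESERVED_AUTHORIZE_PARAMS: ReadonlySet<string> = new Set([
  'client_id',
  'redirect_uri',
  'response_type',
  'scope',
  'state',
  'code_challenge',
  'code_challenge_method',
]);

// Shape check only; which names are permitted is a deployment allow-list decision.
const EnvVarNameSchema = z.string().regex(/^[A-Z][A-Z0-9_]*$/);

export const ProviderOAuthEndpointsSchema = z
  .object({
    authorizationUrl: HttpsUrlSchema,
    tokenUrl: HttpsUrlSchema,
    extraAuthorizeParams: z
      .record(z.string(), z.string())
      .refine(
        (params) =>
          Object.keys(params).every((key) => !RESERVED_AUTHORIZE_PARAMS.has(key)),
        'extraAuthorizeParams must not set driver-owned parameters',
      )
      .optional(),
    clientIdEnvVar: EnvVarNameSchema.optional(),
    clientSecretEnvVar: EnvVarNameSchema.optional(),
  })
  .strict();
```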
@@ -33,14 +33,23 @@ export const PolicyDecisionKindSchema = z.nativeEnum(PolicyDecisionKind);
33
33
  * Priority, highest wins:
34
34
  * `explicit` (a grant names the binding) > `capability_default`
35
35
  * (the descriptor's `defaultCredentialBindingRef`) > `project_default` >
36
- * `org_default`. No match the PDP emits NO binding and denies with
37
- * `MISSING_CREDENTIAL_BINDING` (never a silent fallback).
36
+ * `org_default` > `platform_default` (a deployment-wide default an org may
37
+ * override the Provider–Credential framework's platform tier). No match ⇒
38
+ * the PDP emits NO binding and denies with `MISSING_CREDENTIAL_BINDING`
39
+ * (never a silent fallback).
38
40
  */
39
41
  export enum CredentialPrecedenceSource {
40
42
  Explicit = 'explicit',
41
43
  CapabilityDefault = 'capability_default',
42
44
  ProjectDefault = 'project_default',
43
45
  OrgDefault = 'org_default',
46
+ /**
47
+ * A deployment-wide platform default provision (broadest tier, below org).
48
+ * An org-scoped default always overrides it. Used by `authorization-api`'s
49
+ * credential-precedence resolver once this kernel change is published +
50
+ * consumed (see the Connections framework plan).
51
+ */
52
+ PlatformDefault = 'platform_default',
44
53
  }
45
54
 
46
55
  export const CredentialPrecedenceSourceSchema = z.nativeEnum(
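Review bot: `PlatformDefault` adds a tier in which a request that previously ended in `MISSING_CREDENTIAL_BINDING` can resolve to a deployment-wide credential shared across orgs, and the doc comment on the new member does not say what bounds that. I would extend it with `Selected only when no explicit, capability, project or org binding matches; callers should log this source so a shared platform credential can be told apart from an org-owned one in audit.` Because `CredentialPrecedenceSourceSchema` is built with `z.nativeEnum(CredentialPrecedenceSource)`, a consumer still validating with the 0.22.2 schema will reject a value of `platform_default`. Shipping the new wire value in a patch release therefore deserves an explicit line in the release notes. The `z.nativeEnum(` statement on the last line continues outside the hunk.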