aui-agent-builder 0.3.155 → 0.3.157

package/dist/commands/integration.js

@@ -25,21 +25,142 @@ import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
  * `--json` implies non-interactive and emits machine-readable output via
  * `outputJson` / `outputJsonError`.
  *
- * Composio (native) settings: `settings.user_id` is the agent's `network_id`
- * (per MCP_SCHEMA_CHANGES → IntegrationComposioMCPSettingsView), so each
- * agent owns its own Composio user namespace.
+ * Composio (native) settings: `settings.composio.user_id` is the agent's
+ * `network_id` (per backend `ComposioIntegrationSchema` →
+ * `IntegrationMCPSettings`), so each agent owns its own Composio user
+ * namespace. The MCP server is provisioned once on create; its caller-
+ * stable id is persisted at `settings.composio.server_id` and the
+ * provisioned HTTP URL is persisted at `settings.server_url` so the
+ * runtime can hit the MCP endpoint without round-tripping Composio.
  */
 import { readFileSync } from "fs";
 import { render, Box, Text } from "ink";
 import inquirer from "inquirer";
 import chalk from "chalk";
-import { getAuthenticatedSession, discoverMCPTools, discoverComposioTools, saveIntegration as saveIntegrationSvc, resolveScopeIds, resolveNetworkCategoryId, listComposioToolkits, connectComposioToolkit, waitForComposioConnection, resetComposioClient, fetchComposioApiKey, getComposioToolkitAuthInfo, } from "../services/integration.service.js";
+import { getAuthenticatedSession, discoverMCPTools, discoverComposioTools, saveIntegration as saveIntegrationSvc, resolveScopeIds, resolveNetworkCategoryId, listComposioToolkits, connectComposioToolkit, waitForComposioConnection, resetComposioClient, fetchComposioApiKey, getComposioToolkitAuthInfo, getComposioServerUrl, buildAuthFromFlags, parseTransportType, } from "../services/integration.service.js";
 import { MCPToolList, IntegrationCreatedView, NativeIntegrationCreatedView, } from "../ui/views/IntegrationView.js";
 import { Header, Spinner, StatusLine, ErrorDisplay, } from "../ui/components/index.js";
 import { AUIClient } from "../api-client/index.js";
 import { getConfig, loadProjectConfig, loadSession, saveSession, } from "../config/index.js";
 import { isJsonMode, outputJson, outputJsonError, stderrLog } from "../utils/json-output.js";
 import open from "open";
+// NOTE: `buildAuthFromFlags`, `parseTransportType`, and `MCPAuthFlags`
+// live in `../services/integration.service.ts` so all MCP commands
+// (`create`, `discover`, `mcp-test`) share one parser → one canonical
+// `MCPAuthentication` shape. See the JSDoc on `buildAuthFromFlags` for
+// the legacy `token` alias, the `bearer_token` header default, and the
+// `oauth_client_credentials` flag-set.
+// ─── Shared interactive DIRECT MCP auth prompt ───
+/**
+ * Inquirer-driven picker for DIRECT MCP authentication. Covers the full
+ * canonical `MCPAuthenticationType` surface — `none`, `bearer_token`,
+ * `api_key`, `oauth_client_credentials` — and returns the canonical
+ * shape so callers can pass it straight to `discoverMCPTools`,
+ * `saveIntegration`, or the Apollo MCP-test endpoint without reshaping.
+ *
+ * Exported so `integration-mcp-test.tsx` can share the same prompt UX
+ * (single source of truth for what auth modes the CLI surfaces). The
+ * legacy `--auth-type token` alias is NOT offered here on purpose —
+ * interactive users get the canonical names; only flag invocations keep
+ * the alias for backwards compat.
+ */
+export async function promptDirectMCPAuth() {
+    const { authMethod } = await inquirer.prompt([
+        {
+            type: "list",
+            name: "authMethod",
+            message: "Authentication method:",
+            choices: [
+                { name: "None", value: "none" },
+                { name: "Bearer token", value: "bearer_token" },
+                { name: "API key (custom header)", value: "api_key" },
+                { name: "OAuth client credentials", value: "oauth_client_credentials" },
+            ],
+        },
+    ]);
+    if (authMethod === "none")
+        return { type: "none" };
+    if (authMethod === "bearer_token") {
+        const { token } = await inquirer.prompt([
+            {
+                type: "password",
+                name: "token",
+                message: "Bearer token:",
+                mask: "*",
+                validate: (v) => v.trim().length > 0 || "Token is required",
+            },
+        ]);
+        return {
+            type: "bearer_token",
+            value: token.trim(),
+        };
+    }
+    if (authMethod === "api_key") {
+        const { headerName, apiKey } = await inquirer.prompt([
+            {
+                type: "input",
+                name: "headerName",
+                message: "Header name (e.g. X-API-Key):",
+                validate: (v) => v.trim().length > 0 || "Header name is required",
+            },
+            {
+                type: "password",
+                name: "apiKey",
+                message: "API key value:",
+                mask: "*",
+                validate: (v) => v.trim().length > 0 || "API key is required",
+            },
+        ]);
+        return {
+            type: "api_key",
+            value: apiKey.trim(),
+            header_name: headerName.trim(),
+        };
+    }
+    // oauth_client_credentials — collect the token-endpoint + client credentials.
+    const { url, clientId, clientSecret } = await inquirer.prompt([
+        {
+            type: "input",
+            name: "url",
+            message: "OAuth token endpoint URL:",
+            validate: (v) => {
+                const t = v.trim();
+                if (!t)
+                    return "URL is required";
+                try {
+                    new URL(t);
+                    return true;
+                }
+                catch {
+                    return "Must be a valid URL";
+                }
+            },
+        },
+        {
+            type: "input",
+            name: "clientId",
+            message: "OAuth client ID:",
+            validate: (v) => v.trim().length > 0 || "Client ID is required",
+        },
+        {
+            type: "password",
+            name: "clientSecret",
+            message: "OAuth client secret:",
+            mask: "*",
+            validate: (v) => v.trim().length > 0 || "Client secret is required",
+        },
+    ]);
+    return {
+        type: "oauth_client_credentials",
+        oauth_client_credentials: {
+            url: url.trim(),
+            method: "POST",
+            client_id: clientId.trim(),
+            client_secret: clientSecret.trim(),
+            grant_type: "client_credentials",
+        },
+    };
+}
 // ─── BYO Credentials File Loader ───
 function loadCredentialsFile(filePath) {
     let raw;
@@ -391,10 +512,17 @@ export async function integration(_options = {}) {
 export async function integrationDiscover(options = {}) {
     const session = await getAuthenticatedSession();
     let serverUrl = options.url || "";
-    let auth = { type: "none" };
-    if (options.authType === "token" && options.authToken) {
-        auth = { type: "token", token: options.authToken };
-    }
+    // Canonical MCPAuthentication shape — built once in the command layer
+    // via the shared service-layer helper and passed straight through to
+    // discoverMCPTools (no per-callee reshaping). Handles the canonical
+    // surface declared by the backend `MCPAuthentication` schema:
+    // none | bearer_token | api_key | oauth_client_credentials
+    // (plus the CLI-only `--auth-type token` alias, collapsed to
+    // bearer_token inside buildAuthFromFlags before any wire emission).
+    let auth = buildAuthFromFlags(options);
+    // Validate --transport-type up-front (throws on a bad value). undefined
+    // means "let the service apply the schema default of STREAMABLE_HTTP".
+    const transportType = parseTransportType(options.transportType);
     // Resolve scope
     const scope = resolveScopeIds(session, {
         organizationId: options.organizationId,
@@ -427,28 +555,13 @@ export async function integrationDiscover(options = {}) {
             },
         ]);
         serverUrl = answers.url.trim();
-        const { authMethod } = await inquirer.prompt([
-            {
-                type: "list",
-                name: "authMethod",
-                message: "Authentication method:",
-                choices: [
-                    { name: "None", value: "none" },
-                    { name: "Token", value: "token" },
-                ],
-            },
-        ]);
-        if (authMethod === "token") {
-            const { token } = await inquirer.prompt([
-                {
-                    type: "password",
-                    name: "token",
-                    message: "Authentication token:",
-                    mask: "*",
-                    validate: (input) => input.trim().length > 0 || "Token is required",
-                },
-            ]);
-            auth = { type: "token", token: token.trim() };
+        // Interactive auth picker covers the full canonical surface so users
+        // can discover against any MCP server they would also `create` /
+        // `mcp-test` against. The prompt only runs when the user didn't pass
+        // --auth-type (so flag-driven invocations short-circuit and use the
+        // value we already parsed via buildAuthFromFlags).
+        if (!options.authType) {
+            auth = await promptDirectMCPAuth();
         }
     }
     if (isJsonMode()) {
@@ -458,7 +571,7 @@ export async function integrationDiscover(options = {}) {
         ? null
         : startSpinner("Discovering tools from MCP server...");
     try {
-        const result = await discoverMCPTools(session, serverUrl, scope, auth);
+        const result = await discoverMCPTools(session, serverUrl, scope, auth, transportType);
         if (isJsonMode()) {
             outputJson({
                 server_url: serverUrl,
@@ -588,10 +701,15 @@ async function manualIntegrationFlow(session, options, target) {
     let integrationName = options.name || "";
     let description = options.description || "";
     let serverUrl = options.url || "";
-    let auth = { type: "none" };
-    if (options.authType === "token" && options.authToken) {
-        auth = { type: "token", token: options.authToken };
-    }
+    // Canonical MCPAuthentication shape — see the discover call site above
+    // for the shape rationale; buildAuthFromFlags centralises the parsing.
+    let auth = buildAuthFromFlags(options);
+    // Validate --transport-type up-front so a bad value fails before the
+    // discover spinner. undefined → let the service apply the schema
+    // default (STREAMABLE_HTTP). We reuse the parsed value for BOTH the
+    // discover call below and the save request further down so the same
+    // transport is exercised end-to-end.
+    const transportType = parseTransportType(options.transportType);
     // ── Name & Description ──
     if (!integrationName) {
         if (noPrompt) {
@@ -662,30 +780,15 @@ async function manualIntegrationFlow(session, options, target) {
         serverUrl = urlAnswer.url.trim();
     }
     // ── Authentication ──
+    //
+    // Interactive picker only runs when the caller didn't pass --auth-type
+    // — flag invocations short-circuit and use the canonical shape we
+    // already built above. The picker covers the full canonical surface
+    // (bearer_token / api_key / oauth_client_credentials / none) via the
+    // shared `promptDirectMCPAuth` helper, so DIRECT integrations created
+    // interactively are no longer limited to the legacy `token` choice.
     if (!options.authType && !isNonInteractive && !noPrompt) {
-        const { authMethod } = await inquirer.prompt([
-            {
-                type: "list",
-                name: "authMethod",
-                message: "Authentication method:",
-                choices: [
-                    { name: "None", value: "none" },
-                    { name: "Token", value: "token" },
-                ],
-            },
-        ]);
-        if (authMethod === "token") {
-            const { token } = await inquirer.prompt([
-                {
-                    type: "password",
-                    name: "token",
-                    message: "Authentication token:",
-                    mask: "*",
-                    validate: (input) => input.trim().length > 0 || "Token is required",
-                },
-            ]);
-            auth = { type: "token", token: token.trim() };
-        }
+        auth = await promptDirectMCPAuth();
     }
     // ── Discover Tools ──
     if (isJsonMode()) {
@@ -696,7 +799,7 @@ async function manualIntegrationFlow(session, options, target) {
         : startSpinner("Discovering tools from MCP server...");
     let discoveredTools;
     try {
-        const result = await discoverMCPTools(session, serverUrl, scope, auth);
+        const result = await discoverMCPTools(session, serverUrl, scope, auth, transportType);
         discoveredTools = result.tools;
         if (discoveredTools.length === 0) {
             if (isJsonMode()) {
@@ -790,13 +893,17 @@ async function manualIntegrationFlow(session, options, target) {
         stderrLog("Creating integration...");
     }
     const saveSpinner = isJsonMode() ? null : startSpinner("Creating integration...");
+    // `transportType` was parsed at the top of this flow so the discovery
+    // call exercised the same transport the save body will carry.
     const request = {
+        type: "DIRECT",
         name: integrationName,
         display_name: integrationName,
         description,
         server_url: serverUrl,
         authentication: auth,
         tool_names: selectedToolNames,
+        ...(transportType ? { transport_type: transportType } : {}),
     };
     try {
         const result = await saveIntegrationSvc(session, request, scope);
@@ -1221,8 +1328,8 @@ async function nativeIntegrationFlow(session, options, target) {
     // ── Step 6: Connect Toolkit ──
     // The Composio user namespace is scoped to the agent's network_id so every
     // agent maintains its own isolated connection set. This is the same value
-    // persisted as `settings.user_id` on the resulting integration
-    // (per MCP_SCHEMA_CHANGES: IntegrationComposioMCPSettingsView.user_id).
+    // persisted as `settings.composio.user_id` on the resulting integration
+    // (per backend `ComposioIntegrationSchema.user_id`).
     const composioUserId = scope.networkId;
     if (isJsonMode()) {
         stderrLog("Connecting toolkit...");
@@ -1453,25 +1560,81 @@ async function nativeIntegrationFlow(session, options, target) {
             return;
         }
     }
-    // ── Step 11: Save Integration ──
+    // ── Step 11: Provision Composio MCP Server (URL + stable server_id) ──
+    //
+    // The integration record stores both values so downstream consumers
+    // (mcp-test, agent runtime, BFF) can hit the MCP endpoint directly
+    // and so subsequent runs reuse the same server instead of minting a
+    // fresh one. `--server-id` lets callers pin a stable name across
+    // invocations; when omitted, a 30-char UUID prefix is generated by
+    // `getComposioServerUrl` (matching the backend convention).
+    if (isJsonMode()) {
+        stderrLog(`Provisioning Composio MCP server for ${toolkitSlug}...`);
+    }
+    const provisionSpinner = isJsonMode()
+        ? null
+        : startSpinner(`Provisioning MCP server for ${toolkitSlug}...`);
+    let mcpServerUrl;
+    let mcpServerId;
+    try {
+        const provisioned = await getComposioServerUrl(apiKey, {
+            composioUserId,
+            toolkit: toolkitSlug,
+            allowedTools: selectedToolNames,
+            serverId: options.serverId,
+        });
+        mcpServerUrl = provisioned.url;
+        mcpServerId = provisioned.serverId;
+        provisionSpinner?.succeed(`MCP server ready (${mcpServerId})`);
+    }
+    catch (error) {
+        provisionSpinner?.fail("Failed to provision MCP server");
+        if (isJsonMode()) {
+            outputJsonError({
+                code: "API_CLIENT_ERROR",
+                message: `Failed to provision Composio MCP server: ${error instanceof Error ? error.message : String(error)}`,
+            });
+        }
+        else {
+            log(_jsx(ErrorDisplay, { error: error, message: "Failed to provision Composio MCP server.", suggestion: "Re-run with AUI_DEBUG=1 to see the underlying Composio API call." }));
+        }
+        resetComposioClient();
+        return;
+    }
+    // ── Step 12: Save Integration ──
     if (isJsonMode()) {
         stderrLog("Creating integration...");
     }
     const saveSpinner = isJsonMode()
         ? null
         : startSpinner("Creating integration...");
+    // Build the COMPOSIO save body per `IntegrationMCPSettings`:
+    //   - the discriminated union forbids the DIRECT-only `authentication`
+    //     field here at compile time;
+    //   - `server_id` lives inside `composio` (per `ComposioIntegrationSchema`);
+    //   - `server_url` is sent in TWO places so consumers don't have to
+    //     coordinate: at the top level (`settings.server_url`, per
+    //     `IntegrationMCPSettings`) AND inside `composio` (alongside
+    //     `server_id`, so the nested payload is self-contained);
+    //   - `transport_type` is optional — when omitted the service defaults
+    //     it to STREAMABLE_HTTP, which is the only transport Composio MCP
+    //     servers currently support. `--transport-type SSE` is accepted for
+    //     parity with the canonical schema / manual flow.
+    const nativeTransportType = parseTransportType(options.transportType);
     const request = {
+        type: "COMPOSIO",
         name: integrationName,
         display_name: integrationName,
         description,
-        server_url: "",
-        authentication: { type: "none" },
-        tool_names: selectedToolNames,
+        server_url: mcpServerUrl,
         composio: {
             user_id: scope.networkId,
             toolkits: [toolkitSlug],
             tool_names: selectedToolNames,
+            server_id: mcpServerId,
+            server_url: mcpServerUrl,
         },
+        ...(nativeTransportType ? { transport_type: nativeTransportType } : {}),
     };
     try {
         const result = await saveIntegrationSvc(session, request, scope);
@@ -1493,6 +1656,8 @@ async function nativeIntegrationFlow(session, options, target) {
                     toolkit: toolkitSlug,
                     tool_names: selectedToolNames,
                     tool_count: selectedToolNames.length,
+                    server_url: mcpServerUrl,
+                    server_id: mcpServerId,
                     scope: {
                         organization_id: scope.organizationId,
                         account_id: scope.accountId,
@@ -1507,7 +1672,7 @@ async function nativeIntegrationFlow(session, options, target) {
             return;
         }
         saveSpinner?.succeed("Integration created");
-        log(_jsx(NativeIntegrationCreatedView, { name: integrationName, toolkitSlug: toolkitSlug, toolCount: selectedToolNames.length, toolNames: selectedToolNames }));
+        log(_jsx(NativeIntegrationCreatedView, { name: integrationName, toolkitSlug: toolkitSlug, toolCount: selectedToolNames.length, toolNames: selectedToolNames, serverUrl: mcpServerUrl, serverId: mcpServerId }));
     }
     catch (error) {
         if (isJsonMode()) {