aui-agent-builder 0.4.6 → 0.4.7

package/dist/services/integration.service.js

@@ -1,10 +1,13 @@
 import fetch from "node-fetch";
+import { existsSync, readFileSync } from "fs";
+import * as path from "path";
 import { randomUUID } from "crypto";
-import { AuthConfigTypes } from "@composio/core";
-import { getConfig, loadProjectConfig, getBaseUrl, getAgentSettingsWriteUrl, } from "../config/index.js";
-import { AUIClient } from "../api-client/index.js";
+import { getConfig, loadProjectConfig, getBaseUrl, getAgentSettingsWriteUrl, findProjectRoot, } from "../config/index.js";
+import { AUIAPIError, AUIClient } from "../api-client/index.js";
+import { detectAgentBundleMode, isModeMismatchError, } from "../commands/util/agent-mode.js";
+import { parseAuiFile, writeJsonFile } from "../utils/index.js";
 import { ApolloClient, } from "../api-client/apollo-client.js";
-import { AuthenticationError, ValidationError } from "../errors/index.js";
+import { AuthenticationError, CLIError, ValidationError, toCLIError, } from "../errors/index.js";
 import { getValidSession } from "./auth.service.js";
 import { captureRequest } from "../utils/request-capture.js";
 // ─────────────────────────────────────────────────────────────────────────────
@@ -109,6 +112,31 @@ export function buildAuthFromFlags(opts) {
         ...(opts.authHeaderName ? { header_name: opts.authHeaderName } : {}),
     };
 }
+/** Load BYO Composio OAuth credentials from a JSON file (`client_id`, etc.). */
+export function loadComposioCredentialsFile(filePath) {
+    let raw;
+    try {
+        raw = JSON.parse(readFileSync(filePath, "utf-8"));
+    }
+    catch (err) {
+        throw new Error(`Cannot read credentials file '${filePath}': ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        throw new Error(`Credentials file '${filePath}' must be a JSON object.`);
+    }
+    const obj = raw;
+    const creds = {};
+    if (obj.client_id)
+        creds.clientId = String(obj.client_id);
+    if (obj.client_secret)
+        creds.clientSecret = String(obj.client_secret);
+    if (obj.bearer_token)
+        creds.bearerToken = String(obj.bearer_token);
+    if (!creds.clientId && !creds.clientSecret && !creds.bearerToken) {
+        throw new Error(`Credentials file '${filePath}' must contain at least one of: client_id, client_secret, bearer_token.`);
+    }
+    return creds;
+}
 // ─── Session ───
 export async function getAuthenticatedSession() {
     const config = getConfig();
@@ -123,6 +151,79 @@ export async function getAuthenticatedSession() {
     }
     return session;
 }
+const COMPOSIO_AUTH_BODY_PATTERNS = [
+    /unauthorized/i,
+    /unauthenticated/i,
+    /not authenticated/i,
+    /authentication required/i,
+    /invalid.*token/i,
+    /session.*expired/i,
+    /auth.*required/i,
+];
+function composioAuthDetail(body) {
+    if (body == null)
+        return undefined;
+    if (typeof body === "string")
+        return body.trim() || undefined;
+    if (typeof body === "object" && "detail" in body) {
+        const detail = body.detail;
+        if (typeof detail === "string")
+            return detail.trim() || undefined;
+        if (Array.isArray(detail)) {
+            return detail
+                .map((item) => typeof item === "object" && item !== null && "msg" in item
+                ? String(item.msg)
+                : String(item))
+                .join("; ");
+        }
+    }
+    const text = JSON.stringify(body);
+    return COMPOSIO_AUTH_BODY_PATTERNS.some((re) => re.test(text))
+        ? text
+        : undefined;
+}
+function bodyLooksLikeAuthFailure(body) {
+    const detail = composioAuthDetail(body);
+    return detail != null && COMPOSIO_AUTH_BODY_PATTERNS.some((re) => re.test(detail));
+}
+/**
+ * Turn a Composio/Apollo MCP API failure into an actionable CLI error.
+ * Auth failures surface as AuthenticationError with login guidance instead
+ * of a generic "failed to fetch" message.
+ */
+export function composioApiError(error) {
+    if (error instanceof AUIAPIError && bodyLooksLikeAuthFailure(error.body)) {
+        return new AuthenticationError(composioAuthDetail(error.body) ?? `Authentication failed (${error.status}).`, { cause: error });
+    }
+    const classified = toCLIError(error);
+    if (classified instanceof AuthenticationError) {
+        return classified;
+    }
+    if (classified.code !== "UNKNOWN_ERROR") {
+        return classified;
+    }
+    return new CLIError(classified.message, {
+        code: classified.code,
+        suggestion: classified.suggestion ??
+            "Verify your `aui login` session is still valid and that Composio is configured on the backend.",
+        cause: error,
+    });
+}
+/** Short spinner label for a Composio API failure. */
+export function composioFailureLabel(error, defaultLabel) {
+    return composioApiError(error) instanceof AuthenticationError
+        ? "Not authenticated"
+        : defaultLabel;
+}
+/** JSON envelope fields for a Composio API failure. */
+export function composioFailureJson(error) {
+    const cliErr = composioApiError(error);
+    return {
+        code: cliErr.code,
+        message: cliErr.message,
+        ...(cliErr.suggestion ? { suggestion: cliErr.suggestion } : {}),
+    };
+}
 // ─── Scope Resolution ───
 export function resolveScopeIds(session, overrides) {
     const projectConfig = loadProjectConfig();
@@ -167,13 +268,7 @@ export function assertComposioUserIdMatchesNetworkId(composioUserId, networkId)
 export async function resolveNetworkCategoryId(session, networkId, scope) {
     if (scope.networkCategoryId)
         return scope.networkCategoryId;
-    const client = new AUIClient({
-        baseUrl: session.api_url || getBaseUrl(session.environment),
-        authToken: session.auth_token,
-        accountId: scope.accountId,
-        organizationId: scope.organizationId,
-        environment: session.environment,
-    });
+    const client = buildAUIClient(session, scope);
     try {
         const resp = await client.networks.get(networkId);
         const network = resp.data;
@@ -320,6 +415,101 @@ function extractTools(parsed) {
     return [];
 }
 // ─── Save ───
+const BUNDLE_MODE_LOCAL_SUGGESTION = "Integration saved to integrations.aui.json. Run `aui push` to upload it to the server.";
+const NO_PROJECT_ERROR = "Run this command inside an imported agent project (with .auirc).";
+const NO_PROJECT_SUGGESTION = "Run `aui import` or `cd` into your agent directory, then re-run `aui integration create`.";
+function integrationCodeFromName(name) {
+    return name
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+function buildLocalMCPIntegrationRecord(request, code) {
+    return {
+        type: "MCP",
+        code,
+        name: request.display_name,
+        description: request.description,
+        settings: buildMCPSettings(request),
+    };
+}
+function mergeIntegrationIntoLocalFile(projectRoot, integration) {
+    const filePath = path.join(projectRoot, "integrations.aui.json");
+    let integrations = [];
+    if (existsSync(filePath)) {
+        const parsed = parseAuiFile(filePath);
+        const existing = parsed?.integrations;
+        if (Array.isArray(existing)) {
+            integrations = existing.filter((item) => !!item && typeof item === "object" && !Array.isArray(item));
+        }
+    }
+    const code = String(integration.code);
+    const idx = integrations.findIndex((item) => String(item.code) === code);
+    if (idx >= 0) {
+        integrations[idx] = integration;
+    }
+    else {
+        integrations.push(integration);
+    }
+    writeJsonFile(filePath, { integrations });
+    return filePath;
+}
+/** Agent-settings / agent-management client — same session+scope wiring as {@link buildApolloClient}. */
+export function buildAUIClient(session, scope) {
+    return new AUIClient({
+        baseUrl: session.api_url || getBaseUrl(session.environment),
+        authToken: session.auth_token,
+        accountId: scope.accountId,
+        organizationId: scope.organizationId,
+        environment: session.environment,
+    });
+}
+async function resolveAgentManagementIdForScope(session, scope) {
+    if (scope.agentId)
+        return scope.agentId;
+    if (!scope.networkId || !scope.organizationId)
+        return undefined;
+    const client = buildAUIClient(session, scope);
+    try {
+        const resp = await client.agentManagement.listAgents(scope.organizationId, 1, 50, { network_id: scope.networkId });
+        const match = resp.items.find((agent) => agent.scope.network_id === scope.networkId || agent.id === scope.networkId);
+        return match?.id;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function resolveIntegrationAgentMode(session, scope) {
+    const override = process.env.AUI_FORCE_AGENT_MODE;
+    if (override === "bundle" || override === "records") {
+        return override;
+    }
+    const agentMgmtId = await resolveAgentManagementIdForScope(session, scope);
+    if (!agentMgmtId) {
+        return "records";
+    }
+    const resolution = await detectAgentBundleMode(buildAUIClient(session, scope), agentMgmtId);
+    return resolution.mode;
+}
+function persistIntegrationLocally(request) {
+    const projectRoot = findProjectRoot();
+    if (!projectRoot) {
+        return {
+            success: false,
+            error: NO_PROJECT_ERROR,
+            suggestion: NO_PROJECT_SUGGESTION,
+        };
+    }
+    const code = integrationCodeFromName(request.name);
+    const integration = buildLocalMCPIntegrationRecord(request, code);
+    const filePath = mergeIntegrationIntoLocalFile(projectRoot, integration);
+    return {
+        ok: true,
+        code,
+        file: path.relative(projectRoot, filePath),
+        integration,
+    };
+}
 /**
  * Build the `IntegrationMCPSettings` payload posted to
  * `/v1/integrations/view`. Switches on the discriminated union's `type`
@@ -368,13 +558,29 @@ function buildMCPSettings(request) {
     }
 }
 export async function saveIntegration(session, request, scope) {
+    const agentMode = await resolveIntegrationAgentMode(session, scope);
+    const localPersist = persistIntegrationLocally(request);
+    if (!("ok" in localPersist)) {
+        return { ...localPersist, agentMode };
+    }
+    const localData = {
+        code: localPersist.code,
+        file: localPersist.file,
+        integration: localPersist.integration,
+    };
+    if (agentMode === "bundle") {
+        return {
+            success: true,
+            persistedVia: "local",
+            agentMode: "bundle",
+            suggestion: BUNDLE_MODE_LOCAL_SUGGESTION,
+            data: localData,
+        };
+    }
     const agentSettingsBase = getAgentSettingsWriteUrl(session.environment);
     const url = `${agentSettingsBase}/v1/integrations/view`;
     const categoryId = await resolveNetworkCategoryId(session, scope.networkId, scope);
-    const code = request.name
-        .toLowerCase()
-        .replace(/[^a-z0-9]+/g, "-")
-        .replace(/^-|-$/g, "");
+    const code = localPersist.code;
     // MCP integration settings — mirrors the backend variants
     // (`agent_settings_transcoder/schemas/backend/integration.py`).
     // `settings.type` discriminates between the two FLAT variants below;
@@ -439,9 +645,19 @@ export async function saveIntegration(session, request, scope) {
         success: resp.ok,
     });
     if (!resp.ok) {
+        if (resp.status === 422 && isModeMismatchError(responseText)) {
+            return {
+                success: true,
+                persistedVia: "local",
+                agentMode: "bundle",
+                suggestion: BUNDLE_MODE_LOCAL_SUGGESTION,
+                data: localData,
+            };
+        }
         return {
             success: false,
             error: `Failed to create integration (${resp.status}): ${responseText}`,
+            agentMode: "records",
         };
     }
     let parsed;
@@ -451,171 +667,95 @@ export async function saveIntegration(session, request, scope) {
     catch {
         parsed = responseText;
     }
-    return { success: true, data: parsed };
+    return {
+        success: true,
+        data: { ...localData, server: parsed },
+        persistedVia: "local_and_server",
+        agentMode: "records",
+    };
 }
-// ─── Composio Native Integration ───
-let composioInstance = null;
-let composioInstanceKey = "";
-async function getComposioClient(apiKey) {
-    if (!composioInstance || composioInstanceKey !== apiKey) {
-        const { Composio } = await import("@composio/core");
-        composioInstance = new Composio({ apiKey });
-        composioInstanceKey = apiKey;
-    }
-    return composioInstance;
+// ─── Composio Native Integration (via Apollo MCP API) ───
+//
+// Everything below is a thin orchestration layer on top of
+// `/v1/integrations/mcp/composio/*` (see mcp-api.md). The CLI never
+// holds a Composio API key — gateway auth (`Authorization: Bearer
+// <session>`) is sufficient because Apollo owns the upstream Composio
+// credential.
+/** Build an Apollo client from a session + scope (used by Composio helpers and mcp-test). */
+export function buildApolloClient(session, scope) {
+    return new ApolloClient({
+        authToken: session.auth_token,
+        organizationId: scope.organizationId,
+        accountId: scope.accountId,
+        userId: scope.userId,
+        environment: session.environment,
+    });
 }
-export function resetComposioClient() {
-    composioInstance = null;
-    composioInstanceKey = "";
+// ─── Toolkit listing ───
+export async function listComposioToolkits(session, scope, options = {}) {
+    const client = buildApolloClient(session, scope);
+    const page = await client.listComposioToolkits({
+        query: options.search,
+        limit: options.limit ?? 50,
+        cursor: options.cursor,
+    });
+    return {
+        items: page.items.map(toToolkitInfo),
+        nextCursor: page.next_cursor ?? undefined,
+    };
 }
 /**
- * Fetch the Composio API key from the AUI backend.
- * The key is returned Base64-encoded and decoded here in the CLI.
+ * Fetch Composio tool catalog metadata by slug via Apollo
+ * (`GET /v1/integrations/mcp/composio/tools/by-slug`). No toolkit
+ * connection or `composio_user_id` required.
  */
-export async function fetchComposioApiKey(session) {
-    const baseUrl = session.api_url || getBaseUrl(session.environment);
-    const configUrl = `${baseUrl}/third-party-auth/integrations/composio-config`;
-    try {
-        if (process.env.AUI_DEBUG) {
-            console.error(`[debug] Fetching integration config from: ${configUrl}`);
-        }
-        const resp = await fetch(configUrl, {
-            method: "GET",
-            headers: {
-                "Content-Type": "application/json",
-                "auth-token": session.auth_token,
-            },
-        });
-        if (process.env.AUI_DEBUG) {
-            console.error(`[debug] Integration config response: ${resp.status}`);
-        }
-        if (!resp.ok)
-            return null;
-        const body = await resp.json();
-        const encodedKey = body?.data?.apiKey;
-        if (process.env.AUI_DEBUG) {
-            console.error(`[debug] Integration config: key present=${!!encodedKey}, label=${body?.data?.label || "none"}`);
-        }
-        if (typeof encodedKey === "string" && encodedKey.length > 0) {
-            try {
-                return Buffer.from(encodedKey, "base64").toString("utf-8");
-            }
-            catch {
-                return encodedKey;
-            }
-        }
-        return null;
-    }
-    catch {
-        return null;
-    }
-}
-export async function listComposioToolkits(apiKey, options) {
-    const limit = options?.limit || 50;
-    const result = await fetchToolkitsViaREST(apiKey, limit, options?.search, options?.cursor);
-    const items = result.items.map((tk) => ({
-        slug: tk.slug || "",
-        name: tk.name || tk.slug || "",
-        logo: tk.meta?.logo || tk.logo || "",
-        description: tk.meta?.description || tk.description || "",
-        toolsCount: tk.meta?.toolsCount ?? tk.meta?.tools_count ?? tk.toolsCount ?? tk.tools_count ?? 0,
-        authSchemes: tk.authSchemes || tk.auth_schemes || [],
-        isNoAuth: tk.noAuth ?? tk.no_auth ?? false,
+export async function fetchComposioToolsBySlugs(session, scope, slugs) {
+    const client = buildApolloClient(session, scope);
+    const tools = await client.listComposioToolsBySlug({ slugs });
+    return tools.map((t, i) => ({
+        slug: String(t.slug ?? slugs[i] ?? ""),
+        name: String(t.name ?? ""),
+        description: t.description ? String(t.description) : undefined,
+        input_schema: (t.input_schema ?? t.inputSchema),
     }));
+}
+/** Project a raw Composio toolkit record onto the CLI's narrow view. */
+function toToolkitInfo(tk) {
+    const meta = tk.meta ?? {};
+    const authConfigDetails = tk.auth_config_details ?? [];
     return {
-        items,
-        nextCursor: result.nextCursor,
-        totalPages: result.totalPages ?? 1,
+        slug: String(tk.slug ?? ""),
+        name: String(tk.name ?? tk.slug ?? ""),
+        logo: meta.logo ?? tk.logo,
+        description: meta.description ??
+            tk.description,
+        toolsCount: meta.tools_count ??
+            tk.tools_count,
+        authSchemes: authConfigDetails
+            .map((d) => d.mode)
+            .filter((m) => Boolean(m)),
+        isNoAuth: tk.no_auth ??
+            authConfigDetails.every((d) => d.mode === "NO_AUTH"),
     };
 }
-async function fetchToolkitsViaREST(apiKey, limit = 50, search, cursor) {
-    let url = `https://backend.composio.dev/api/v3.1/toolkits?sort_by=usage&limit=${limit}`;
-    if (search)
-        url += `&search=${encodeURIComponent(search)}`;
-    if (cursor)
-        url += `&cursor=${encodeURIComponent(cursor)}`;
-    for (const headerName of ["x-api-key", "x-user-api-key"]) {
-        try {
-            const resp = await fetch(url, {
-                method: "GET",
-                headers: {
-                    [headerName]: apiKey,
-                    "Accept": "application/json",
-                },
-            });
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] REST toolkits fetch with ${headerName}: status ${resp.status}`);
-            }
-            if (!resp.ok) {
-                if (process.env.AUI_DEBUG) {
-                    const text = await resp.text();
-                    console.error(`[debug] REST toolkits fetch failed (${resp.status}): ${text.slice(0, 200)}`);
-                }
-                continue;
-            }
-            const data = await resp.json();
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] REST toolkits response keys: ${Object.keys(data).join(", ")}`);
-                console.error(`[debug] REST toolkits next_cursor: ${data.next_cursor ?? "none"}, total_items: ${data.total_items ?? "unknown"}, total_pages: ${data.total_pages ?? "unknown"}`);
-            }
-            const items = extractToolkitItems(data);
-            return {
-                items,
-                nextCursor: data.next_cursor || data.nextCursor || undefined,
-                totalPages: data.total_pages ?? data.totalPages ?? undefined,
-                totalItems: data.total_items ?? data.totalItems ?? undefined,
-            };
-        }
-        catch (e) {
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] REST toolkits fetch error (${headerName}): ${e instanceof Error ? e.message : String(e)}`);
-            }
-        }
-    }
-    throw new Error("Failed to fetch toolkits. Check your Composio API key.");
-}
-function extractToolkitItems(resp) {
-    if (!resp)
-        return [];
-    if (Array.isArray(resp))
-        return resp;
-    if (Array.isArray(resp.items))
-        return resp.items;
-    if (Array.isArray(resp.data))
-        return resp.data;
-    if (resp.items && typeof resp.items === "object" && !Array.isArray(resp.items)) {
-        const vals = Object.values(resp.items);
-        if (vals.length > 0 && Array.isArray(vals[0]))
-            return vals[0];
-    }
-    for (const key of Object.keys(resp)) {
-        const val = resp[key];
-        if (Array.isArray(val) && val.length > 0 && val[0]?.slug) {
-            return val;
-        }
-    }
-    return [];
-}
-// ─── Composio: Toolkit Auth Metadata ───
+// ─── Toolkit auth metadata ───
 const _OAUTH_SCHEMES = new Set(["OAUTH2", "OAUTH1", "DCR_OAUTH", "S2S_OAUTH2"]);
 const _CREDENTIAL_SCHEMES = new Set(["API_KEY", "BEARER_TOKEN"]);
 /**
- * Fetches Composio toolkit metadata and returns a summary of the auth requirements
- * so the caller can decide whether to prompt the user for BYO credentials.
+ * Look up a single toolkit by slug (`/composio/toolkits?query=<slug>`)
+ * and surface the auth-scheme picker fields the CLI needs.
  */
-export async function getComposioToolkitAuthInfo(apiKey, toolkitSlug) {
-    const composio = await getComposioClient(apiKey);
-    const toolkit = await composio.toolkits.get(toolkitSlug);
-    const configDetails = toolkit.authConfigDetails ?? [];
-    const managedSchemes = toolkit.composioManagedAuthSchemes ?? [];
-    if (process.env.AUI_DEBUG) {
-        console.error(`[debug] toolkit raw keys: ${Object.keys(toolkit ?? {}).join(", ")}`);
-        console.error(`[debug] authConfigDetails: ${JSON.stringify(configDetails)}`);
-        console.error(`[debug] composioManagedAuthSchemes: ${JSON.stringify(managedSchemes)}`);
+export async function getComposioToolkitAuthInfo(session, scope, toolkitSlug) {
+    const client = buildApolloClient(session, scope);
+    const page = await client.listComposioToolkits({ query: toolkitSlug, limit: 1 });
+    const toolkit = page.items[0];
+    if (!toolkit) {
+        throw new Error(`Toolkit '${toolkitSlug}' not found.`);
     }
-    // No-auth toolkits expose either no schemes at all, or only the NO_AUTH mode.
-    const isNoAuth = configDetails.length === 0
-        || configDetails.every((d) => d.mode === "NO_AUTH");
+    const configDetails = toolkit.auth_config_details ?? [];
+    const managedSchemes = toolkit.composio_managed_auth_schemes ?? [];
+    const isNoAuth = configDetails.length === 0 ||
+        configDetails.every((d) => d.mode === "NO_AUTH");
     const schemes = configDetails
         .map((d) => d.mode)
         .filter((mode) => Boolean(mode) && mode !== "NO_AUTH")
@@ -625,48 +765,29 @@ export async function getComposioToolkitAuthInfo(apiKey, toolkitSlug) {
         isOAuth: _OAUTH_SCHEMES.has(scheme),
         isCredential: _CREDENTIAL_SCHEMES.has(scheme),
     }));
-    const defaultScheme = schemes[0]?.scheme ?? "";
-    if (process.env.AUI_DEBUG) {
-        console.error(`[debug] authInfo: defaultScheme=${defaultScheme}, isNoAuth=${isNoAuth}`);
-        console.error(`[debug] schemes: ${JSON.stringify(schemes)}`);
-    }
-    return { schemes, defaultScheme, isNoAuth };
-}
-// ─── Composio: Account & Auth-Config Helpers ───
-export async function getComposioConnectedAccounts(apiKey, userId, toolkitSlug) {
-    const composio = await getComposioClient(apiKey);
-    return composio.connectedAccounts.list({ userIds: [userId], toolkitSlugs: [toolkitSlug] });
+    return { schemes, defaultScheme: schemes[0]?.scheme ?? "", isNoAuth };
 }
 /**
- * Pre-flight check for "is this toolkit usable by this user?". Returns a
- * status struct so callers can decide how to react (throw, redirect to
- * `aui integration create`, or proceed). Does NOT mutate any state.
- *
- *  - NO_AUTH toolkits → `{ isNoAuth: true, isConnected: true }` (nothing to do).
- *  - Auth-required toolkits → `isConnected` reflects whether the user already
- *    has an ACTIVE, non-disabled connected account for the toolkit (same
- *    predicate `resolveComposioToolkitAuth` uses to short-circuit).
- *
- * This catches the gap that `resolveComposioAuthConfigId` misses: a toolkit
- * can have an auth-config provisioned globally (so MCP-server creation
- * succeeds) while THIS user has not yet linked their account — in which
- * case MCP tool calls would fail at runtime.
+ * Pre-flight: is this toolkit usable by this user? Combines toolkit
+ * metadata + connected-accounts listing so callers can decide whether
+ * to throw, redirect to `aui integration create`, or proceed.
  */
-export async function getComposioToolkitConnectionStatus(apiKey, userId, toolkitSlug) {
-    const composio = await getComposioClient(apiKey);
-    const toolkit = await composio.toolkits.get(toolkitSlug);
+export async function getComposioToolkitConnectionStatus(session, scope, composioUserId, toolkitSlug) {
+    const client = buildApolloClient(session, scope);
+    const page = await client.listComposioToolkits({ query: toolkitSlug, limit: 1 });
+    const toolkit = page.items[0];
     if (!toolkit) {
         throw new Error(`Toolkit '${toolkitSlug}' not found.`);
     }
-    const authMode = toolkit.authConfigDetails?.[0]?.mode;
+    const authMode = toolkit.auth_config_details?.[0]?.mode;
     if (!authMode || authMode === "NO_AUTH") {
         return { isNoAuth: true, isConnected: true };
     }
-    const accounts = await composio.connectedAccounts.list({
-        userIds: [userId],
-        toolkitSlugs: [toolkitSlug],
+    const accounts = await client.listComposioConnectedAccounts({
+        composioUserId,
+        toolkit: toolkitSlug,
     });
-    const active = accounts.items.find((a) => a.status === "ACTIVE" && !a.isDisabled);
+    const active = accounts.items.find((a) => a.status === "ACTIVE" && !a.is_disabled);
     return {
         isNoAuth: false,
         authMode,
@@ -674,385 +795,105 @@ export async function getComposioToolkitConnectionStatus(apiKey, userId, toolkit
         connectedAccountId: active?.id,
     };
 }
+// ─── Authorize + wait ───
 /**
- * Resolves auth for a toolkit:
- *
- *  - Short-circuits when the user already has an ACTIVE connection.
- *  - **BYOD path** (`authCredentials` or `authConfigId` supplied): creates a
- *    CUSTOM auth config with the provided credentials, then links the account
- *    directly via `connectedAccounts.link()`.
- *  - **Standard OAuth path** (no custom credentials): finds or creates a
- *    COMPOSIO_MANAGED auth config, then links directly via `connectedAccounts.link()`.
- *    Session creation is skipped — the MCP URL is generated server-side.
+ * Start (or reuse) a toolkit connection. `redirectUrl` is empty when the
+ * connection is already ACTIVE — callers should skip the browser flow.
  */
-export async function resolveComposioToolkitAuth(apiKey, userId, toolkitSlug, options = {}) {
-    const composio = await getComposioClient(apiKey);
-    const { callbackUrl, authScheme, authCredentials, authConfigId } = options;
-    const accounts = await composio.connectedAccounts.list({
-        userIds: [userId],
-        toolkitSlugs: [toolkitSlug],
-    });
-    const active = accounts.items.find((a) => a.status === "ACTIVE" && !a.isDisabled);
-    if (active) {
-        return {
-            id: active.id,
-            status: active.status,
-            redirectUrl: null,
-            waitForConnection: async (_timeout) => active,
-        };
-    }
-    // ── BYOD path: caller supplies their own credentials or an existing config ──
-    if (authCredentials || authConfigId) {
-        let resolvedConfigId;
-        if (authConfigId) {
-            resolvedConfigId = authConfigId;
-        }
-        else {
-            if (!authScheme) {
-                throw new Error(`authScheme is required when providing custom credentials for toolkit '${toolkitSlug}'.`);
+export async function connectComposioToolkit(session, scope, composioUserId, toolkitSlug, options = {}) {
+    const client = buildApolloClient(session, scope);
+    const result = await client.authorizeComposioToolkit({
+        composio_user_id: composioUserId,
+        toolkit: toolkitSlug,
+        ...(options.authScheme ? { auth_scheme: options.authScheme } : {}),
+        ...(options.authCredentials
+            ? {
+                auth_credentials: {
+                    ...(options.authCredentials.clientId != null && {
+                        client_id: options.authCredentials.clientId,
+                    }),
+                    ...(options.authCredentials.clientSecret != null && {
+                        client_secret: options.authCredentials.clientSecret,
+                    }),
+                    ...(options.authCredentials.bearerToken != null && {
+                        bearer_token: options.authCredentials.bearerToken,
+                    }),
+                },
             }
-            const credentials = {
-                ...(authCredentials.clientId != null && { client_id: authCredentials.clientId }),
-                ...(authCredentials.clientSecret != null && { client_secret: authCredentials.clientSecret }),
-                ...(authCredentials.bearerToken != null && { generic_id: authCredentials.bearerToken }),
-            };
-            const created = await composio.authConfigs.create(toolkitSlug, {
-                type: AuthConfigTypes.CUSTOM,
-                authScheme,
-                credentials,
-            });
-            resolvedConfigId = created.id;
-        }
-        return composio.connectedAccounts.link(userId, resolvedConfigId, callbackUrl != null ? { callbackUrl } : undefined);
-    }
-    // ── Standard path: find or create an auth config ──
-    // Session creation is unnecessary here — the integration stores composio.user_id
-    // and toolkit slugs; the MCP URL is generated server-side. Using authConfigs +
-    // connectedAccounts.link() directly avoids any session-creation API limitations.
-    const existingConfigs = await composio.authConfigs.list({ toolkit: toolkitSlug });
-    const match = existingConfigs.items.find((c) => c.status === "ENABLED" && (!c.authScheme || !authScheme || c.authScheme === authScheme));
-    if (process.env.AUI_DEBUG) {
-        console.error(`[debug] resolveComposioToolkitAuth match: ${JSON.stringify(match)}`);
-    }
-    let resolvedConfigId;
-    if (match) {
-        resolvedConfigId = match.id;
-    }
-    else {
-        // Determine auth config type from the toolkit's schema:
-        // use COMPOSIO_MANAGED only when the scheme is Composio-managed,
-        // otherwise fall back to CUSTOM (e.g. API_KEY or non-managed OAuth schemes).
-        // Prefer the caller-supplied `isManaged` flag (avoids an extra API call) and
-        // only fetch the toolkit when the caller didn't provide it.
-        let isManaged;
-        if (options.isManaged !== undefined) {
-            isManaged = options.isManaged;
-        }
-        else {
-            const toolkit = await composio.toolkits.get(toolkitSlug);
-            const managedSchemes = toolkit.composioManagedAuthSchemes ?? [];
-            const effectiveScheme = authScheme ?? toolkit.authConfigDetails?.[0]?.mode;
-            isManaged = effectiveScheme ? managedSchemes.includes(effectiveScheme) : managedSchemes.length > 0;
-        }
-        if (process.env.AUI_DEBUG) {
-            console.error(`[debug] resolveComposioToolkitAuth isManaged=${isManaged}, authScheme=${authScheme}`);
-        }
-        let created;
-        if (isManaged) {
-            // COMPOSIO_MANAGED: type literal only — authScheme is not part of this schema variant.
-            created = await composio.authConfigs.create(toolkitSlug, {
-                type: AuthConfigTypes.COMPOSIO_MANAGED,
-            });
-        }
-        else {
-            // Non-managed (e.g. API_KEY): create a CUSTOM config with the resolved scheme.
-            // Credentials were not supplied by the caller — pass an empty object and let
-            // the Composio API return its own validation error if they are required.
-            created = await composio.authConfigs.create(toolkitSlug, {
-                type: AuthConfigTypes.CUSTOM,
-                authScheme: authScheme,
-                credentials: {},
-            });
-        }
-        resolvedConfigId = created.id;
-    }
-    return composio.connectedAccounts.link(userId, resolvedConfigId, callbackUrl != null ? { callbackUrl } : undefined);
-}
-/**
- * High-level connection helper:
- *  - For BYOD (custom `authCredentials`): fetches the toolkit's first supported
- *    auth scheme, then delegates to the BYOD path of `resolveComposioToolkitAuth`.
- *  - For standard OAuth: delegates directly to `resolveComposioToolkitAuth`
- *    which uses a COMPOSIO_MANAGED auth config + `connectedAccounts.link()`.
- *
- * Returns the `ConnectionRequest` alongside the standard `AuthorizationResult`
- * fields so callers can invoke `waitForComposioConnection`.
- */
-export async function connectComposioToolkit(apiKey, userId, toolkitSlug, options = {}) {
-    let authScheme = options.authScheme;
-    if (!authScheme && options.authCredentials) {
-        // Only fetch toolkit metadata when BYO credentials are given without an explicit scheme.
-        const composio = await getComposioClient(apiKey);
-        const toolkit = await composio.toolkits.get(toolkitSlug);
-        const supportedModes = (toolkit.authConfigDetails ?? []).map((d) => d.mode);
-        if (supportedModes.length === 0) {
-            throw new Error(`Toolkit '${toolkitSlug}' has no supported auth schemes.`);
-        }
-        authScheme = supportedModes[0];
-    }
-    const req = await resolveComposioToolkitAuth(apiKey, userId, toolkitSlug, {
-        callbackUrl: options.callbackUrl,
-        authCredentials: options.authCredentials,
-        authScheme,
-        isManaged: options.isManaged,
+            : {}),
     });
     return {
-        id: req.id,
-        status: req.status ?? "",
-        redirectUrl: req.redirectUrl ?? "",
-        connectionRequest: req,
-    };
-}
-export async function waitForComposioConnection(authResult, timeout = 120000) {
-    const connectedAccount = await authResult.connectionRequest.waitForConnection(timeout);
-    return {
-        id: connectedAccount.id || "",
-        status: connectedAccount.status || "active",
+        id: result.id,
+        status: result.status,
+        redirectUrl: result.redirect_url ?? "",
     };
 }
 /**
- * Resolve the Composio auth-config id required to attach a toolkit to an
- * MCP server. Returns `undefined` for NO_AUTH toolkits. Throws when the
- * toolkit requires auth but no auth-configs have been provisioned yet —
- * callers should run `connectComposioToolkit` first.
+ * Poll `/composio/connected-accounts` until an ACTIVE entry appears for
+ * the `(user, toolkit)` pair, or `timeoutMs` elapses.
  */
-async function resolveComposioAuthConfigId(composio, toolkitSlug) {
-    const toolkit = await composio.toolkits.get(toolkitSlug);
-    if (!toolkit) {
-        throw new Error(`Toolkit '${toolkitSlug}' not found.`);
-    }
-    const firstMode = toolkit.authConfigDetails?.[0]?.mode;
-    if (!firstMode || firstMode === "NO_AUTH")
-        return undefined;
-    const { items } = await composio.authConfigs.list({ toolkit: toolkitSlug });
-    const first = items[0];
-    if (!first) {
-        throw new Error(`No auth configs provisioned for toolkit '${toolkitSlug}'.`);
-    }
-    return first.id;
-}
-/** Create a new Composio MCP server for a single toolkit and return its id. */
-async function createComposioMcpServer(composio, { toolkit, name, allowedTools, authConfigId }) {
-    const server = await composio.mcp.create(name, {
-        toolkits: [{ toolkit, ...(authConfigId && { authConfigId }) }],
-        allowedTools,
-    });
-    return server.id;
-}
-/** True when `existing` matches the desired toolkit + tool-set exactly. */
-function isComposioMcpServerInSync(existing, toolkit, allowedTools) {
-    if (existing.toolkits.length !== 1 || existing.toolkits[0] !== toolkit) {
-        return false;
+export async function waitForComposioConnection(session, scope, composioUserId, toolkitSlug, timeoutMs = 120_000) {
+    const client = buildApolloClient(session, scope);
+    const deadline = Date.now() + timeoutMs;
+    const intervalMs = 2_000;
+    while (Date.now() < deadline) {
+        const accounts = await client.listComposioConnectedAccounts({
+            composioUserId,
+            toolkit: toolkitSlug,
+        });
+        const active = accounts.items.find((a) => a.status === "ACTIVE" && !a.is_disabled);
+        if (active) {
+            return {
+                id: String(active.id ?? ""),
+                status: String(active.status ?? "ACTIVE"),
+            };
+        }
+        await new Promise((resolve) => setTimeout(resolve, intervalMs));
     }
-    const saved = new Set(existing.allowedTools);
-    return (saved.size === allowedTools.length &&
-        allowedTools.every((t) => saved.has(t)));
+    throw new Error(`Timed out waiting for Composio connection on toolkit '${toolkitSlug}'.`);
 }
+// ─── MCP server provisioning ───
 /**
- * Look up the MCP server for `(toolkit, name)` and reuse it when its
- * allowed tool-set and toolkit list still match. If either has drifted,
- * the server is deleted and recreated in place so the configuration
- * stays canonical.
+ * Provision (or reuse) a Composio MCP server scoped to `(user, toolkit,
+ * allowed_tools)` and return its HTTP URL + caller-stable `serverId`.
+ * Backend returns 400 when the toolkit requires auth and no connection
+ * exists — callers should `connectComposioToolkit` first.
  */
-export async function getOrCreateComposioMcpServerId(composio, spec) {
-    const { items } = await composio.mcp.list({
-        page: 1,
-        limit: 1,
-        toolkits: [spec.toolkit],
-        authConfigs: [],
-        name: spec.name,
+export async function getComposioServerUrl(session, scope, params) {
+    const client = buildApolloClient(session, scope);
+    const result = await client.getComposioServerUrl({
+        composio_user_id: params.composioUserId,
+        toolkit: params.toolkit,
+        allowed_tools: params.allowedTools,
+        ...(params.serverId ? { server_id: params.serverId } : {}),
     });
-    const existing = items[0];
-    if (!existing)
-        return createComposioMcpServer(composio, spec);
-    if (isComposioMcpServerInSync(existing, spec.toolkit, spec.allowedTools)) {
-        return existing.id;
-    }
-    if (process.env.AUI_DEBUG) {
-        console.error(`[debug] Composio MCP server drifted for id=${existing.id}, recreating`);
-    }
-    await composio.mcp.delete(existing.id);
-    return createComposioMcpServer(composio, spec);
+    return { url: result.url, serverId: result.server_id };
 }
 /**
- * Resolve the Composio MCP HTTP URL for a `(toolkit, user)` pair.
+ * List tools exposed by a Composio toolkit for the given user. The user
+ * must already be authorised — call `connectComposioToolkit` first.
  *
- * `serverId` is a **caller-stable identifier** used as the MCP server's
- * name in Composio — pass one in to reuse an existing server across
- * runs, or omit it to mint a fresh UUID-prefixed name. The returned
- * `serverId` is whatever was used (input or generated), NOT Composio's
- * internal config id — callers persist it so subsequent calls resolve
- * the same MCP server.
+ * Backend returns the same `MCPToolSchema` shape as `/mcp/list`, so
+ * `MCPTool.input_schema` (snake_case) is populated for both DIRECT and
+ * COMPOSIO paths consistently.
  */
-export async function getComposioServerUrl(apiKey, params) {
-    const { composioUserId, toolkit, allowedTools } = params;
-    const serverId = params.serverId ?? randomUUID().slice(0, 30);
-    const composio = await getComposioClient(apiKey);
-    const authConfigId = await resolveComposioAuthConfigId(composio, toolkit);
-    const mcpConfigId = await getOrCreateComposioMcpServerId(composio, {
-        toolkit,
-        name: serverId,
-        allowedTools,
-        authConfigId,
+export async function discoverComposioTools(session, scope, composioUserId, toolkitSlug) {
+    const client = buildApolloClient(session, scope);
+    const tools = await client.listComposioTools({
+        composioUserId,
+        toolkit: toolkitSlug,
     });
-    if (process.env.AUI_DEBUG) {
-        console.error(`[debug] Composio MCP serverId=${serverId} mcpConfigId=${mcpConfigId}`);
-    }
-    const instance = await composio.mcp.generate(composioUserId, mcpConfigId);
-    return { url: instance.url, serverId };
-}
-/**
- * Discover tools for a Composio toolkit using the REST API.
- * Supports pagination (cursor) and search (query).
- */
-export async function discoverComposioTools(apiKey, toolkitSlug, options) {
-    const limit = options?.limit || 200;
-    let url = `https://backend.composio.dev/api/v3.1/tools?toolkit_slug=${encodeURIComponent(toolkitSlug)}&limit=${limit}`;
-    if (options?.query)
-        url += `&query=${encodeURIComponent(options.query)}`;
-    if (options?.cursor)
-        url += `&cursor=${encodeURIComponent(options.cursor)}`;
-    for (const headerName of ["x-api-key", "x-user-api-key"]) {
-        const resp = await fetch(url, {
-            method: "GET",
-            headers: { [headerName]: apiKey, "Accept": "application/json" },
-        });
-        if (!resp.ok)
-            continue;
-        const data = await resp.json();
-        if (process.env.AUI_DEBUG) {
-            console.error(`[debug] Composio tools response keys: ${Object.keys(data).join(", ")}`);
-            console.error(`[debug] Composio tools count: ${data.items?.length ?? data.length ?? "unknown"}`);
-        }
-        return {
-            tools: extractComposioTools(data),
-            nextCursor: data?.next_cursor || data?.nextCursor || undefined,
-            totalItems: data?.total_items ?? data?.totalItems ?? undefined,
-        };
-    }
-    throw new Error(`Failed to fetch tools for ${toolkitSlug}. Check your API key.`);
-}
-function extractComposioTools(data) {
-    let rawItems = [];
-    if (Array.isArray(data))
-        rawItems = data;
-    else if (Array.isArray(data?.items))
-        rawItems = data.items;
-    else if (Array.isArray(data?.data))
-        rawItems = data.data;
-    return rawItems.map((t) => ({
-        name: t.slug || t.name || "",
-        description: t.description || t.human_description || "",
-        inputSchema: t.input_parameters || t.inputParameters || undefined,
-    }));
-}
-/**
- * Fetch full Composio tool descriptors by their slugs. Mirrors the
- * dashboard request
- *   GET https://backend.composio.dev/api/v3.1/tools
- *       ?toolkit_versions=<version>&tool_slugs=<SLUG_A,SLUG_B>
- *
- * Returns the raw items from the response, so callers (notably the
- * `aui integration tools --json` command) can surface every field
- * Composio sends — input/output schemas, toolkit metadata, tags, etc.
- *
- * Auth: the same Composio API key the CLI already uses (auto-fetched
- * via `fetchComposioApiKey`). Both `x-api-key` and `x-user-api-key`
- * header names are tried so this works against both org and user keys.
- */
-export async function fetchComposioToolsBySlugs(apiKey, toolSlugs, options) {
-    if (!apiKey) {
-        throw new Error("Composio API key is required");
-    }
-    if (!Array.isArray(toolSlugs) || toolSlugs.length === 0) {
-        throw new Error("At least one tool slug is required");
-    }
-    const params = new URLSearchParams();
-    if (options?.toolkitVersions) {
-        params.set("toolkit_versions", options.toolkitVersions);
-    }
-    params.set("tool_slugs", toolSlugs.join(","));
-    if (typeof options?.limit === "number") {
-        params.set("limit", String(options.limit));
-    }
-    if (options?.cursor) {
-        params.set("cursor", options.cursor);
-    }
-    const url = `https://backend.composio.dev/api/v3.1/tools?${params.toString()}`;
-    let lastError = null;
-    // Composio accepts the key under either of these headers depending on
-    // whether the key was minted as an org key (x-api-key) or a user key
-    // (x-user-api-key). The other helpers in this file (toolkits, tools
-    // by toolkit) probe both — keep behavior consistent here.
-    for (const headerName of ["x-api-key", "x-user-api-key"]) {
-        try {
-            const resp = await fetch(url, {
-                method: "GET",
-                headers: {
-                    [headerName]: apiKey,
-                    Accept: "application/json",
-                },
-            });
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] fetchComposioToolsBySlugs (${headerName}): status ${resp.status}`);
-            }
-            if (!resp.ok) {
-                const text = await resp.text();
-                lastError = new Error(`HTTP ${resp.status}: ${text.slice(0, 500)}`);
-                // Auth-style failures — try the alternate header name before giving up.
-                if (resp.status === 401 || resp.status === 403)
-                    continue;
-                throw lastError;
-            }
-            const data = await resp.json();
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] fetchComposioToolsBySlugs response keys: ${Object.keys(data || {}).join(", ")}`);
-            }
-            const rawItems = extractToolDetailItems(data);
-            return {
-                tools: rawItems,
-                nextCursor: data?.next_cursor || data?.nextCursor || undefined,
-                totalItems: data?.total_items ?? data?.totalItems ?? undefined,
-            };
-        }
-        catch (e) {
-            lastError = e instanceof Error ? e : new Error(String(e));
-            if (process.env.AUI_DEBUG) {
-                console.error(`[debug] fetchComposioToolsBySlugs error (${headerName}): ${lastError.message}`);
-            }
-        }
-    }
-    throw (lastError ??
-        new Error("Failed to fetch tools by slugs from Composio. Check your API key."));
-}
-function extractToolDetailItems(data) {
-    if (!data)
-        return [];
-    if (Array.isArray(data))
-        return data;
-    if (Array.isArray(data.items))
-        return data.items;
-    if (Array.isArray(data.data))
-        return data.data;
-    if (Array.isArray(data.tools))
-        return data.tools;
-    // Walk one level for any nested array whose first item looks tool-ish.
-    for (const key of Object.keys(data)) {
-        const val = data[key];
-        if (Array.isArray(val) && val.length > 0 && (val[0]?.slug || val[0]?.name)) {
-            return val;
-        }
-    }
-    return [];
+    return {
+        tools: tools.map((t) => ({
+            name: String(t.name ?? ""),
+            description: String(t.description ?? ""),
+            ...(t.input_schema
+                ? { input_schema: t.input_schema }
+                : {}),
+            ...(t.inputSchema
+                ? { inputSchema: t.inputSchema }
+                : {}),
+        })),
+    };
 }
 //# sourceMappingURL=integration.service.js.map