corsair 0.1.14 → 0.1.16

package/dist/core/client/index.d.ts

@@ -1,5 +1,6 @@
 import type { ZodTypeAny } from 'zod';
 import type { CorsairDatabase } from '../../db/kysely/database';
+import { type CorsairInspectMethods } from '../inspect';
 import type { CorsairPluginSchema, PluginEntityClients } from '../../db/orm';
 import type { AccountKeyManagerFor, IntegrationKeyManagerFor, PluginAuthConfig } from '../auth/types';
 import type { AuthTypes } from '../constants';
@@ -86,11 +87,13 @@ type InferAllIntegrationKeys<Plugins extends readonly CorsairPlugin[]> = UnionTo
 type InferPluginNamespaces<Plugins extends readonly CorsairPlugin[]> = UnionToIntersection<InferPluginNamespace<Plugins[number]>>;
 /**
  * The main Corsair client type that provides access to all plugin APIs, entities, webhooks, and keys.
+ * Also includes get_methods() and get_schema() for agent-facing endpoint discovery.
  */
-export type CorsairClient<Plugins extends readonly CorsairPlugin[]> = InferPluginNamespaces<Plugins>;
+export type CorsairClient<Plugins extends readonly CorsairPlugin[]> = InferPluginNamespaces<Plugins> & CorsairInspectMethods;
 /**
  * Multi-tenant wrapper that provides a `withTenant` method to scope operations to a specific tenant.
  * Also includes integration-level `keys` for managing shared secrets (OAuth2 client credentials, etc.)
+ * Inspect methods (get_methods / get_schema) are available at the root — no need to call withTenant().
  */
 export type CorsairTenantWrapper<Plugins extends readonly CorsairPlugin[]> = {
     withTenant: (tenantId: string) => CorsairClient<Plugins>;
@@ -99,7 +102,7 @@ export type CorsairTenantWrapper<Plugins extends readonly CorsairPlugin[]> = {
      * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
      */
     keys: InferAllIntegrationKeys<Plugins>;
-};
+} & CorsairInspectMethods;
 /**
  * Single-tenant client that includes both plugin APIs and integration-level keys.
  */
@@ -115,6 +118,11 @@ export type BuildCorsairClientOptions = {
     tenantId: string | undefined;
     kek: string | undefined;
     rootErrorHandlers?: CorsairErrorHandler;
+    /** Approval timeout from createCorsair({ approval: ... }). Forwarded to the permission guard. */
+    approvalConfig?: {
+        timeout: string;
+        onTimeout: 'deny' | 'approve';
+    };
 };
 /**
  * Builds a Corsair client instance with all plugin APIs, entities, webhooks, and account-level keys bound.

package/dist/core/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AACtC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,OAAO,KAAK,EACX,mBAAmB,EAEnB,mBAAmB,EACnB,MAAM,cAAc,CAAC;AAKtB,OAAO,KAAK,EACX,oBAAoB,EACpB,wBAAwB,EACxB,gBAAgB,EAChB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAyB,aAAa,EAAE,MAAM,YAAY,CAAC;AACvE,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAOhF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAC9B,MAAM,SAAS,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,GAAG,SAAS,IACvE,MAAM,SAAS,mBAAmB,CAAC,MAAM,QAAQ,CAAC,GACnD;IAAE,EAAE,EAAE,mBAAmB,CAAC,QAAQ,CAAC,CAAA;CAAE,GACrC,EAAE,CAAC;AAMN;;GAEG;AACH,KAAK,mBAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,GAAG,KAAK,CAAC,SAAS,CAC9E,CAAC,EAAE,MAAM,CAAC,KACN,IAAI,GACN,CAAC,GACD,KAAK,CAAC;AAET;;;;;;;;;;GAUG;AACH,MAAM,MAAM,eAAe,CAC1B,OAAO,EACP,eAAe,SAAS,SAAS,GAAG,SAAS,GAAG,SAAS,IACtD,UAAU,SAAS,MAAM,OAAO,GAElC,OAAO,CAAC,UAAU,CAAC,SAAS,SAAS,GAEpC,OAAO,CAAC,UAAU,CAAC,GAEnB,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,SAAS,SAAS,GACjD,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,GAChC,KAAK,GAET,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,KAAK,CAAC;AAEV;;GAEG;AACH,KAAK,kBAAkB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,CAAC,GAAG,KAAK,CAAC;AAEzE;;;;GAIG;AACH,KAAK,oBAAoB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,iBAAiB,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACrE,WAAW,CAAC,CAAC,CAAC,SAAS,SAAS,GAC/B,WAAW,CAAC,CAAC,CAAC,GACd,SAAS,GACV,SAAS,CAAC;AAEb;;GAEG;AACH,KAAK,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACzD,CAAC,SAAS,gBAAgB,GACzB,CAAC,GACD,SAAS,GACV,SAAS,CAAC;AAEb;;;GAGG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,EACR,MAAM,MAAM,EACZ,MAAM,SAAS,EACf,MAAM,QAAQ,CACd,GACE;KACC,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,SAAS,YAAY,GACvC;QAAE,GAAG,EAAE,aAAa,CAAC,SAAS,CAAC,CAAA;KAAE,GACjC,EAAE,CAAC,GACL,mBAAmB,CAAC,MAAM,CAAC,GAC3B,CAAC,QAAQ,SAAS,WAAW,GAC1B;QACA,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACjC;;;;WAIG;QACH,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,OAAO,CAAC;KAC/D,GACA,EAAE,CAAC,GAEN,CAAC,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GAChB;QACA,IAAI,EAAE,oBAAoB,CACzB,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB,CAAC;KACF,GACA,EAAE,CAAC;CACP,GACA,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,CACR,GACE,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GACjB;KACC,CAAC,IAAI,EAAE,GAAG,wBAAwB,CAClC,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB;CACD,GACA,KAAK,GACN,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,uBAAuB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACpE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;GAEG;AACH,KAAK,qBAAqB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAClE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACjE,qBAAqB,CAAC,OAAO,CAAC,CAAC;AAEhC;;;GAGG;AACH,MAAM,MAAM,oBAAoB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAAI;IAC5E,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAAC;IACzD;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;CACvC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,yBAAyB,CACpC,OAAO,SAAS,SAAS,aAAa,EAAE,IACrC,aAAa,CAAC,OAAO,CAAC,GAAG;IAC5B;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;CACvC,CAAC;AAsGF,MAAM,MAAM,yBAAyB,GAAG;IACvC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;IACxB,iBAAiB,CAAC,EAAE,mBAAmB,CAAC;CACxC,CAAC;AAMF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CACjC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,yBAAyB,GAChC,aAAa,CAAC,OAAO,CAAC,CAiJxB;AAMD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CACnC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,eAAe,EACzB,GAAG,EAAE,MAAM,GACT,uBAAuB,CAAC,OAAO,CAAC,CAyBlC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AACtC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,OAAO,EAEN,KAAK,qBAAqB,EAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EACX,mBAAmB,EAEnB,mBAAmB,EACnB,MAAM,cAAc,CAAC;AAKtB,OAAO,KAAK,EACX,oBAAoB,EACpB,wBAAwB,EACxB,gBAAgB,EAChB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAEX,aAAa,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAOhF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAC9B,MAAM,SAAS,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,GAAG,SAAS,IACvE,MAAM,SAAS,mBAAmB,CAAC,MAAM,QAAQ,CAAC,GACnD;IAAE,EAAE,EAAE,mBAAmB,CAAC,QAAQ,CAAC,CAAA;CAAE,GACrC,EAAE,CAAC;AAMN;;GAEG;AACH,KAAK,mBAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,GAAG,KAAK,CAAC,SAAS,CAC9E,CAAC,EAAE,MAAM,CAAC,KACN,IAAI,GACN,CAAC,GACD,KAAK,CAAC;AAET;;;;;;;;;;GAUG;AACH,MAAM,MAAM,eAAe,CAC1B,OAAO,EACP,eAAe,SAAS,SAAS,GAAG,SAAS,GAAG,SAAS,IACtD,UAAU,SAAS,MAAM,OAAO,GAElC,OAAO,CAAC,UAAU,CAAC,SAAS,SAAS,GAEpC,OAAO,CAAC,UAAU,CAAC,GAEnB,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,SAAS,SAAS,GACjD,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,GAChC,KAAK,GAET,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,KAAK,CAAC;AAEV;;GAEG;AACH,KAAK,kBAAkB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,CAAC,GAAG,KAAK,CAAC;AAEzE;;;;GAIG;AACH,KAAK,oBAAoB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,iBAAiB,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACrE,WAAW,CAAC,CAAC,CAAC,SAAS,SAAS,GAC/B,WAAW,CAAC,CAAC,CAAC,GACd,SAAS,GACV,SAAS,CAAC;AAEb;;GAEG;AACH,KAAK,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACzD,CAAC,SAAS,gBAAgB,GACzB,CAAC,GACD,SAAS,GACV,SAAS,CAAC;AAEb;;;GAGG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,EACR,MAAM,MAAM,EACZ,MAAM,SAAS,EACf,MAAM,QAAQ,CACd,GACE;KACC,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,SAAS,YAAY,GACvC;QAAE,GAAG,EAAE,aAAa,CAAC,SAAS,CAAC,CAAA;KAAE,GACjC,EAAE,CAAC,GACL,mBAAmB,CAAC,MAAM,CAAC,GAC3B,CAAC,QAAQ,SAAS,WAAW,GAC1B;QACA,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACjC;;;;WAIG;QACH,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,OAAO,CAAC;KAC/D,GACA,EAAE,CAAC,GAEN,CAAC,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GAChB;QACA,IAAI,EAAE,oBAAoB,CACzB,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB,CAAC;KACF,GACA,EAAE,CAAC;CACP,GACA,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,CACR,GACE,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GACjB;KACC,CAAC,IAAI,EAAE,GAAG,wBAAwB,CAClC,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB;CACD,GACA,KAAK,GACN,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,uBAAuB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACpE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;GAEG;AACH,KAAK,qBAAqB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAClE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;;GAGG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACjE,qBAAqB,CAAC,OAAO,CAAC,GAAG,qBAAqB,CAAC;AAExD;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAAI;IAC5E,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAAC;IACzD;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;CACvC,GAAG,qBAAqB,CAAC;AAE1B;;GAEG;AACH,MAAM,MAAM,yBAAyB,CACpC,OAAO,SAAS,SAAS,aAAa,EAAE,IACrC,aAAa,CAAC,OAAO,CAAC,GAAG;IAC5B;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;CACvC,CAAC;AAsGF,MAAM,MAAM,yBAAyB,GAAG;IACvC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;IACxB,iBAAiB,CAAC,EAAE,mBAAmB,CAAC;IACxC,iGAAiG;IACjG,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;CACpE,CAAC;AAMF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CACjC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,yBAAyB,GAChC,aAAa,CAAC,OAAO,CAAC,CAyKxB;AAMD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CACnC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,eAAe,EACzB,GAAG,EAAE,MAAM,GACT,uBAAuB,CAAC,OAAO,CAAC,CAyBlC"}

package/dist/core/client/index.js

@@ -1,4 +1,5 @@
 import { createKyselyEntityClient } from '../../db/kysely/orm';
+import { buildInspectMethods, } from '../inspect';
 import { createAccountKeyManager, createIntegrationKeyManager, } from '../auth/key-manager';
 import { bindEndpointsRecursively } from '../endpoints/bind';
 import { bindWebhooksRecursively } from '../webhooks/bind';
@@ -78,7 +79,7 @@ function createEntityClient(database, getAccountId, entityTypeName, version, dat
  * @returns A fully configured Corsair client with account-level keys
  */
 export function buildCorsairClient(plugins, options) {
-    const { database, tenantId, kek, rootErrorHandlers } = options;
+    const { database, tenantId, kek, rootErrorHandlers, approvalConfig, } = options;
     const apiUnsafe = {};
     const pluginEntitiesUnsafe = {};
     for (const plugin of plugins) {
@@ -141,6 +142,10 @@ export function buildCorsairClient(plugins, options) {
         };
         // Create bound endpoints under `api` (supports nested structures)
         const boundTree = {};
+        // Extract permission config from plugin options.
+        // options is Record<string, unknown> — permissions is not in the base CorsairPlugin type
+        // because it's plugin-specific (typed via PluginPermissionsConfig<T> in each plugin).
+        const pluginPermsConfig = plugin.options?.permissions;
         bindEndpointsRecursively({
             endpoints,
             hooks,
@@ -150,6 +155,11 @@ export function buildCorsairClient(plugins, options) {
             errorHandlers: allErrorHandlers,
             currentPath: [],
             keyBuilder: plugin.keyBuilder,
+            permissionsConfig: pluginPermsConfig,
+            // endpointMeta is typed with plugin-specific literal keys — cast to runtime Record
+            endpointMeta: plugin.endpointMeta,
+            database,
+            approvalConfig,
         });
         if (Object.keys(boundTree).length > 0) {
             apiUnsafe[plugin.id].api = boundTree;
@@ -177,8 +187,10 @@ export function buildCorsairClient(plugins, options) {
         }
     }
     const api = apiUnsafe;
+    const inspect = buildInspectMethods(plugins);
     return {
         ...api,
+        ...inspect,
     };
 }
 // ─────────────────────────────────────────────────────────────────────────────

package/dist/core/constants.d.ts

@@ -1,6 +1,6 @@
 export type AllErrors = 'RATE_LIMIT_ERROR' | 'AUTH_ERROR' | 'PERMISSION_ERROR' | 'NETWORK_ERROR' | 'TIMEOUT_ERROR' | 'SERVER_ERROR' | 'VALIDATION_ERROR' | 'NOT_FOUND_ERROR' | 'BAD_REQUEST_ERROR' | 'PARSING_ERROR' | 'DEFAULT' | (string & {});
-export declare const BaseProviders: readonly ["discord", "github", "gmail", "googlecalendar", "googledrive", "googlesheets", "hubspot", "linear", "posthog", "resend", "slack", "tavily"];
-export type AllProviders = 'discord' | 'github' | 'gmail' | 'googlecalendar' | 'googledrive' | 'googlesheets' | 'hubspot' | 'linear' | 'posthog' | 'resend' | 'slack' | 'tavily' | (string & {});
+export declare const BaseProviders: readonly ["discord", "github", "gmail", "googlecalendar", "googledrive", "googlesheets", "hubspot", "linear", "posthog", "resend", "slack", "spotify", "tavily"];
+export type AllProviders = 'discord' | 'github' | 'gmail' | 'googlecalendar' | 'googledrive' | 'googlesheets' | 'hubspot' | 'linear' | 'posthog' | 'resend' | 'slack' | 'spotify' | 'tavily' | (string & {});
 export type AuthTypes = 'oauth_2' | 'api_key' | 'bot_token';
 export type PickAuth<T extends AuthTypes> = T;
 //# sourceMappingURL=constants.d.ts.map

package/dist/core/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../core/constants.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAClB,kBAAkB,GAClB,YAAY,GACZ,kBAAkB,GAClB,eAAe,GACf,eAAe,GACf,cAAc,GACd,kBAAkB,GAClB,iBAAiB,GACjB,mBAAmB,GACnB,eAAe,GACf,SAAS,GACT,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEjB,eAAO,MAAM,aAAa,uJAahB,CAAC;AAEX,MAAM,MAAM,YAAY,GACrB,SAAS,GACT,QAAQ,GACR,OAAO,GACP,gBAAgB,GAChB,aAAa,GACb,cAAc,GACd,SAAS,GACT,QAAQ,GACR,SAAS,GACT,QAAQ,GACR,OAAO,GACP,QAAQ,GACR,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEjB,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;AAE5D,MAAM,MAAM,QAAQ,CAAC,CAAC,SAAS,SAAS,IAAI,CAAC,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../core/constants.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GAClB,kBAAkB,GAClB,YAAY,GACZ,kBAAkB,GAClB,eAAe,GACf,eAAe,GACf,cAAc,GACd,kBAAkB,GAClB,iBAAiB,GACjB,mBAAmB,GACnB,eAAe,GACf,SAAS,GACT,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEjB,eAAO,MAAM,aAAa,kKAchB,CAAC;AAEX,MAAM,MAAM,YAAY,GACrB,SAAS,GACT,QAAQ,GACR,OAAO,GACP,gBAAgB,GAChB,aAAa,GACb,cAAc,GACd,SAAS,GACT,QAAQ,GACR,SAAS,GACT,QAAQ,GACR,OAAO,GACP,SAAS,GACT,QAAQ,GACR,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEjB,MAAM,MAAM,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;AAE5D,MAAM,MAAM,QAAQ,CAAC,CAAC,SAAS,SAAS,IAAI,CAAC,CAAC"}

package/dist/core/constants.js

@@ -10,5 +10,6 @@ export const BaseProviders = [
     'posthog',
     'resend',
     'slack',
+    'spotify',
     'tavily',
 ];

package/dist/core/endpoints/bind.d.ts

@@ -1,5 +1,6 @@
+import type { CorsairDatabase } from '../../db/kysely/database';
 import type { CorsairErrorHandler } from '../errors';
-import type { CorsairKeyBuilderBase } from '../plugins';
+import type { CorsairKeyBuilderBase, EndpointMetaEntry, PermissionMode, PermissionPolicy } from '../plugins';
 /**
  * Checks if a value is an endpoint/function (has function signature).
  * @param value - The value to check
@@ -18,7 +19,7 @@ export declare function isEndpoint(value: unknown): value is Function;
  * @param currentPath - The current path for tracking nested endpoint operations
  * @param keyBuilder - Optional async callback to generate a key from the plugin context
  */
-export declare function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId, errorHandlers, currentPath, keyBuilder, }: {
+export declare function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId, errorHandlers, currentPath, keyBuilder, permissionsConfig, endpointMeta, database, approvalConfig, }: {
     endpoints: Record<string, unknown>;
     hooks: Record<string, unknown> | undefined;
     ctx: Record<string, unknown>;
@@ -27,5 +28,19 @@ export declare function bindEndpointsRecursively({ endpoints, hooks, ctx, tree,
     errorHandlers: CorsairErrorHandler;
     currentPath: string[];
     keyBuilder?: CorsairKeyBuilderBase;
+    /** Permission mode + per-endpoint overrides from plugin options. When set, every call is gated. */
+    permissionsConfig?: {
+        mode: PermissionMode;
+        overrides?: Record<string, PermissionPolicy>;
+    };
+    /** Risk level metadata per dot-notation endpoint path. Defaults riskLevel to 'write' when missing. */
+    endpointMeta?: Record<string, EndpointMetaEntry>;
+    /** Required for 'require_approval' to persist the approval record to the DB. */
+    database?: CorsairDatabase;
+    /** Approval timeout config from createCorsair({ approval: ... }). */
+    approvalConfig?: {
+        timeout: string;
+        onTimeout: 'deny' | 'approve';
+    };
 }): void;
 //# sourceMappingURL=bind.d.ts.map

package/dist/core/endpoints/bind.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bind.d.ts","sourceRoot":"","sources":["../../../core/endpoints/bind.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAErD,OAAO,KAAK,EAAE,qBAAqB,EAAiB,MAAM,YAAY,CAAC;AAMvE;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAE5D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB,CAAC,EACxC,SAAS,EACT,KAAK,EACL,GAAG,EACH,IAAI,EACJ,QAAQ,EACR,aAAa,EACb,WAAgB,EAChB,UAAU,GACV,EAAE;IACF,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAC3C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,mBAAmB,CAAC;IACnC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACnC,GAAG,IAAI,CAuHP"}
+{"version":3,"file":"bind.d.ts","sourceRoot":"","sources":["../../../core/endpoints/bind.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAGrD,OAAO,KAAK,EACX,qBAAqB,EAErB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,MAAM,YAAY,CAAC;AAMpB;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAE5D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB,CAAC,EACxC,SAAS,EACT,KAAK,EACL,GAAG,EACH,IAAI,EACJ,QAAQ,EACR,aAAa,EACb,WAAgB,EAChB,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,QAAQ,EACR,cAAc,GACd,EAAE;IACF,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;IAC3C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,mBAAmB,CAAC;IACnC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,CAAC,EAAE,qBAAqB,CAAC;IACnC,mGAAmG;IACnG,iBAAiB,CAAC,EAAE;QACnB,IAAI,EAAE,cAAc,CAAC;QACrB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;KAC7C,CAAC;IACF,sGAAsG;IACtG,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACjD,gFAAgF;IAChF,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,qEAAqE;IACrE,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;CACpE,GAAG,IAAI,CAwJP"}

package/dist/core/endpoints/bind.js

@@ -1,4 +1,5 @@
 import { handleCorsairError } from '../errors/handler';
+import { enforcePermission, parseDurationMs } from '../permissions';
 // ─────────────────────────────────────────────────────────────────────────────
 // Endpoint Utilities
 // ─────────────────────────────────────────────────────────────────────────────
@@ -22,7 +23,7 @@ export function isEndpoint(value) {
  * @param currentPath - The current path for tracking nested endpoint operations
  * @param keyBuilder - Optional async callback to generate a key from the plugin context
  */
-export function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId, errorHandlers, currentPath = [], keyBuilder, }) {
+export function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId, errorHandlers, currentPath = [], keyBuilder, permissionsConfig, endpointMeta, database, approvalConfig, }) {
     for (const [key, value] of Object.entries(endpoints)) {
         // we have to retype this now because it's nested webhooks
         const nodeHooks = hooks?.[key];
@@ -31,6 +32,26 @@ export function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId
             const endpointHooks = nodeHooks;
             const operationPath = [...currentPath, key].join('.');
             const boundFn = async (args) => {
+                // ── Permission guard ────────────────────────────────────────────────────────────────
+                if (permissionsConfig) {
+                    const meta = endpointMeta?.[operationPath];
+                    const permResult = await enforcePermission({
+                        pluginId,
+                        endpointPath: operationPath,
+                        args,
+                        mode: permissionsConfig.mode,
+                        override: permissionsConfig.overrides?.[operationPath],
+                        // Default to 'write' when no meta declared — conservative fallback
+                        riskLevel: meta?.riskLevel ?? 'write',
+                        meta,
+                        db: database,
+                        timeoutMs: approvalConfig
+                            ? parseDurationMs(approvalConfig.timeout)
+                            : undefined,
+                    });
+                    if (permResult === 'blocked')
+                        return null;
+                }
                 const call = async (attemptNumber, callCtx, callArgs) => {
                     try {
                         return await value(callCtx, callArgs);
@@ -90,7 +111,12 @@ export function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId
                     const ctxWithKey = { ...ctx, key };
                     const beforeResult = endpointHooks.before
                         ? await endpointHooks.before(ctxWithKey, args)
-                        : { ctx: ctxWithKey, args, continue: true, passToAfter: undefined };
+                        : {
+                            ctx: ctxWithKey,
+                            args,
+                            continue: true,
+                            passToAfter: undefined,
+                        };
                     if (beforeResult.continue === false)
                         return;
                     const res = await call(0, beforeResult.ctx, beforeResult.args);
@@ -112,6 +138,10 @@ export function bindEndpointsRecursively({ endpoints, hooks, ctx, tree, pluginId
                 errorHandlers,
                 currentPath: [...currentPath, key],
                 keyBuilder,
+                permissionsConfig,
+                endpointMeta,
+                database,
+                approvalConfig,
             });
             tree[key] = nestedTree;
         }

package/dist/core/endpoints/index.d.ts

@@ -72,5 +72,33 @@ export type EndpointTree = {
 export type BindEndpoints<T extends EndpointTree> = {
     [K in keyof T]: T[K] extends CorsairEndpoint<any, infer A, infer R> ? (args: A) => Promise<R> : T[K] extends EndpointTree ? BindEndpoints<T[K]> : never;
 };
+/**
+ * Derives all dot-notation endpoint paths from an EndpointTree as a string literal union.
+ * Used to provide compile-time validation for permission overrides and endpoint metadata keys.
+ * Passing an invalid path to any config that accepts EndpointPathsOf<T> is a type error.
+ *
+ * Design note: The constraint on `T` is intentionally loosened to `object` (not `EndpointTree`)
+ * on the recursive call because `as const` endpoint trees have specific readonly literal keys —
+ * `{ readonly issues: { readonly list: fn } }` — which do NOT satisfy `EndpointTree`'s string
+ * index signature (`{ [key: string]: ... }`), even though the values are valid endpoints.
+ * If we recurse with `T extends EndpointTree`, TypeScript widens the subtypes and loses the
+ * literal keys we need. The outer-facing `PluginEndpointMeta<T extends EndpointTree>` and
+ * `PluginPermissionsConfig<T extends EndpointTree>` still enforce the EndpointTree constraint
+ * at the call site.
+ *
+ * Similarly, `T[K] extends Record<string, unknown>` fails for named-property objects without an
+ * index signature (a plain `{ list: fn }` does not satisfy `{ [key: string]: unknown }`), so we
+ * use `extends object` instead, which all non-primitive values satisfy.
+ *
+ * @example
+ * Given: `{ issues: { list: Endpoint, create: Endpoint }, repos: { list: Endpoint } }`
+ * Result: `'issues.list' | 'issues.create' | 'repos.list'`
+ *
+ * @template T - The endpoint tree to extract paths from (unconstrained to allow recursion through as-const types)
+ * @template Prefix - Internal accumulator for the current path prefix (do not supply manually)
+ */
+export type EndpointPathsOf<T, Prefix extends string = ''> = {
+    [K in keyof T & string]: T[K] extends (...args: any[]) => any ? Prefix extends '' ? K : `${Prefix}.${K}` : T[K] extends object ? EndpointPathsOf<T[K], Prefix extends '' ? K : `${Prefix}.${K}`> : never;
+}[keyof T & string];
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/core/endpoints/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/endpoints/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAMhE;;;;GAIG;AACH,KAAK,SAAS,CAAC,IAAI,SAAS,OAAO,EAAE,EAAE,CAAC,IAAI;IAC3C,cAAc,CAAC,GAAG,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC;CACjC,CAAC,gBAAgB,CAAC,CAAC;AAMpB;;;;GAIG;AACH,MAAM,MAAM,eAAe,CAAC,IAAI,GAAG,OAAO,EAAE,GAAG,GAAG,OAAO,IAAI,CAC5D,IAAI,EAAE,IAAI,KACN,OAAO,CAAC,GAAG,CAAC,CAAC;AAElB;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC/B,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,GAAG,iBAAiB,CAAC;CACnD,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,cAAc,CACzB,SAAS,SAAS,iBAAiB,GAAG,iBAAiB,IACpD;IACH,yEAAyE;IACzE,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,iFAAiF;IACjF,SAAS,EAAE,SAAS,CAAC;CACrB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,eAAe,CAC1B,GAAG,SAAS,cAAc,GAAG,cAAc,EAC3C,IAAI,GAAG,OAAO,EACd,GAAG,GAAG,OAAO,IACV,SAAS,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;AAMpD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,YAAY,GAAG;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,YAAY,CAAC;CAC7D,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,YAAY,IAAI;KAClD,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,GAChE,CAAC,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,CAAC,CAAC,CAAC,SAAS,YAAY,GACxB,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GACnB,KAAK;CACT,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/endpoints/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAMhE;;;;GAIG;AACH,KAAK,SAAS,CAAC,IAAI,SAAS,OAAO,EAAE,EAAE,CAAC,IAAI;IAC3C,cAAc,CAAC,GAAG,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC;CACjC,CAAC,gBAAgB,CAAC,CAAC;AAMpB;;;;GAIG;AACH,MAAM,MAAM,eAAe,CAAC,IAAI,GAAG,OAAO,EAAE,GAAG,GAAG,OAAO,IAAI,CAC5D,IAAI,EAAE,IAAI,KACN,OAAO,CAAC,GAAG,CAAC,CAAC;AAElB;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC/B,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,GAAG,iBAAiB,CAAC;CACnD,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,cAAc,CACzB,SAAS,SAAS,iBAAiB,GAAG,iBAAiB,IACpD;IACH,yEAAyE;IACzE,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,iFAAiF;IACjF,SAAS,EAAE,SAAS,CAAC;CACrB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,eAAe,CAC1B,GAAG,SAAS,cAAc,GAAG,cAAc,EAC3C,IAAI,GAAG,OAAO,EACd,GAAG,GAAG,OAAO,IACV,SAAS,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;AAMpD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,YAAY,GAAG;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,YAAY,CAAC;CAC7D,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,YAAY,IAAI;KAClD,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,GAChE,CAAC,IAAI,EAAE,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,CAAC,CAAC,CAAC,SAAS,YAAY,GACxB,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GACnB,KAAK;CACT,CAAC;AAMF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,MAAM,eAAe,CAAC,CAAC,EAAE,MAAM,SAAS,MAAM,GAAG,EAAE,IAAI;KAC3D,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,GAE3D,MAAM,SAAS,EAAE,GACf,CAAC,GACD,GAAG,MAAM,IAAI,CAAC,EAAE,GACjB,CAAC,CAAC,CAAC,CAAC,SAAS,MAAM,GAEnB,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,SAAS,EAAE,GAAG,CAAC,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,GAC9D,KAAK;CACT,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC"}

package/dist/core/index.d.ts

@@ -7,6 +7,10 @@ export type CorsairInternalConfig = {
     database: CorsairDatabase | undefined;
     kek: string;
     multiTenancy: boolean;
+    approval?: {
+        timeout: string;
+        onTimeout: 'deny' | 'approve';
+    };
 };
 /**
  * Creates a Corsair integration with multi-tenancy enabled.
@@ -30,10 +34,12 @@ export declare function createCorsair<const Plugins extends readonly CorsairPlug
 export type { AccountFieldNames, AccountKeyManagerFor, BaseAuthFieldConfig, BaseKeyManager, IntegrationFieldNames, IntegrationKeyManagerFor, OAuth2IntegrationCredentials, PluginAuthConfig, } from './auth';
 export { BASE_AUTH_FIELDS, createAccountKeyManager, createIntegrationKeyManager, decryptConfig, decryptDEK, decryptWithDEK, encryptConfig, encryptDEK, encryptWithDEK, generateDEK, initializeAccountDEK, initializeIntegrationDEK, reEncryptConfig, } from './auth';
 export type { CorsairClient, CorsairSingleTenantClient, CorsairTenantWrapper, } from './client';
+export type { CorsairInspectMethods, EndpointSchemaResult } from './inspect';
 export type { AllProviders, AuthTypes, BaseProviders } from './constants';
-export type { BindEndpoints, BoundEndpointFn, BoundEndpointTree, CorsairContext, CorsairEndpoint, EndpointTree, } from './endpoints';
+export type { BindEndpoints, BoundEndpointFn, BoundEndpointTree, CorsairContext, CorsairEndpoint, EndpointPathsOf, EndpointTree, } from './endpoints';
 export type { CorsairErrorHandler, ErrorContext, ErrorHandler, ErrorHandlerAndMatchFunction, ErrorMatcher, RetryStrategies, RetryStrategy, } from './errors';
-export type { BeforeHookResult, CorsairIntegration, CorsairKeyBuilder, CorsairKeyBuilderBase, CorsairPlugin, CorsairPluginContext, EndpointHooks, KeyBuilderContext, WebhookHooks, } from './plugins';
+export type { EnforcePermissionOptions } from './permissions';
+export type { BeforeHookResult, CorsairIntegration, CorsairKeyBuilder, CorsairKeyBuilderBase, CorsairPlugin, CorsairPluginContext, EndpointHooks, EndpointMetaEntry, EndpointRiskLevel, KeyBuilderContext, PermissionMode, PermissionPolicy, PluginEndpointMeta, PluginPermissionsConfig, WebhookHooks, } from './plugins';
 export type { Bivariant, UnionToIntersection } from './utils';
 export type { BindWebhooks, BoundWebhook, BoundWebhookTree, CorsairWebhook, CorsairWebhookHandler, CorsairWebhookMatcher, RawWebhookRequest, WebhookRequest, WebhookResponse, WebhookTree, } from './webhooks';
 //# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../core/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAEhF,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAMnE,eAAO,MAAM,gBAAgB,eAAiC,CAAC;AAE/D,MAAM,MAAM,qBAAqB,GAAG;IACnC,OAAO,EAAE,SAAS,aAAa,EAAE,CAAC;IAClC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,OAAO,CAAC;CACtB,CAAC;AAMF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,EAAE,IAAI,CAAA;CAAE,GAC1D,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;CAAE,GACxE,yBAAyB,CAAC,OAAO,CAAC,CAAC;AAyEtC,YAAY,EACX,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GAChB,MAAM,QAAQ,CAAC;AAEhB,OAAO,EACN,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,GACf,MAAM,QAAQ,CAAC;AAEhB,YAAY,EACX,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACpB,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG1E,YAAY,EACX,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,YAAY,GACZ,MAAM,aAAa,CAAC;AAErB,YAAY,EACX,mBAAmB,EACnB,YAAY,EACZ,YAAY,EACZ,4BAA4B,EAC5B,YAAY,EACZ,eAAe,EACf,aAAa,GACb,MAAM,UAAU,CAAC;AAElB,YAAY,EACX,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,iBAAiB,EACjB,YAAY,GACZ,MAAM,WAAW,CAAC;AAGnB,YAAY,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,YAAY,EACX,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,WAAW,GACX,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../core/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAGhF,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAMnE,eAAO,MAAM,gBAAgB,eAAiC,CAAC;AAE/D,MAAM,MAAM,qBAAqB,GAAG;IACnC,OAAO,EAAE,SAAS,aAAa,EAAE,CAAC;IAClC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;KAC9B,CAAC;CACF,CAAC;AAMF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,EAAE,IAAI,CAAA;CAAE,GAC1D,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;CAAE,GACxE,yBAAyB,CAAC,OAAO,CAAC,CAAC;AA6EtC,YAAY,EACX,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GAChB,MAAM,QAAQ,CAAC;AAEhB,OAAO,EACN,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,GACf,MAAM,QAAQ,CAAC;AAEhB,YAAY,EACX,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACpB,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAE7E,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG1E,YAAY,EACX,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,eAAe,EACf,YAAY,GACZ,MAAM,aAAa,CAAC;AAErB,YAAY,EACX,mBAAmB,EACnB,YAAY,EACZ,YAAY,EACZ,4BAA4B,EAC5B,YAAY,EACZ,eAAe,EACf,aAAa,GACb,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAG9D,YAAY,EACX,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,YAAY,GACZ,MAAM,WAAW,CAAC;AAGnB,YAAY,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,YAAY,EACX,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,WAAW,GACX,MAAM,YAAY,CAAC"}

package/dist/core/index.js

@@ -1,6 +1,7 @@
 import { createCorsairDatabase } from '../db/kysely/database';
 import { createMissingConfigProxy } from './auth/errors';
 import { buildCorsairClient, buildIntegrationKeys } from './client';
+import { buildInspectMethods } from './inspect';
 // ─────────────────────────────────────────────────────────────────────────────
 // Internal access for CLI tooling
 // ─────────────────────────────────────────────────────────────────────────────
@@ -23,6 +24,7 @@ export function createCorsair(config) {
         database: resolvedDatabase,
         kek: config.kek,
         multiTenancy: !!config.multiTenancy,
+        approval: config.approval,
     };
     if (config.multiTenancy) {
         return Object.assign({
@@ -35,9 +37,11 @@ export function createCorsair(config) {
                     tenantId,
                     kek: config.kek,
                     rootErrorHandlers: config.errorHandlers,
+                    approvalConfig: config.approval,
                 });
             },
             keys: integrationKeys,
+            ...buildInspectMethods(config.plugins),
         }, { [CORSAIR_INTERNAL]: internalConfig });
     }
     const client = buildCorsairClient(config.plugins, {
@@ -45,6 +49,7 @@ export function createCorsair(config) {
         tenantId: undefined,
         kek: config.kek,
         rootErrorHandlers: config.errorHandlers,
+        approvalConfig: config.approval,
     });
     return Object.assign({}, client, {
         keys: integrationKeys,

package/dist/core/inspect/index.d.ts

@@ -0,0 +1,57 @@
+import type { CorsairPlugin } from '../plugins';
+export type EndpointSchemaResult = {
+    /** Human-readable description of what this endpoint does. */
+    description?: string;
+    /** Risk classification: 'read' | 'write' | 'destructive' */
+    riskLevel?: 'read' | 'write' | 'destructive';
+    /** Whether this action cannot be undone. */
+    irreversible?: boolean;
+    /** JSON Schema representation of the input arguments object. */
+    input?: unknown;
+    /** JSON Schema representation of the response object. */
+    output?: unknown;
+    /**
+     * Present when the requested method was not found.
+     * Lists all available full-form paths so the caller can pick a valid one.
+     */
+    availableMethods?: Record<string, string[]>;
+};
+export type CorsairInspectMethods = {
+    /**
+     * Returns all available endpoint paths for every registered plugin.
+     * Keys are plugin IDs, values are arrays of full-form paths (plugin.group.method).
+     *
+     * @example
+     * corsair.get_methods()
+     * // { slack: ['slack.channels.list', 'slack.messages.post', ...], github: ['github.issues.list', ...] }
+     */
+    get_methods(): Record<string, string[]>;
+    /**
+     * Returns all available endpoint paths for a specific plugin.
+     * Paths are full-form (plugin.group.method) so they can be passed directly to get_schema().
+     *
+     * @example
+     * corsair.get_methods('slack')
+     * // ['slack.channels.list', 'slack.channels.get', 'slack.messages.post', ...]
+     */
+    get_methods(plugin: string): string[];
+    /**
+     * Returns schema and metadata for a specific endpoint.
+     * Pass the full dot-path including the plugin ID: 'slack.channels.list'.
+     * If the method is not found, returns an empty result with `availableMethods` listing all valid paths.
+     *
+     * @example
+     * corsair.get_schema('slack.channels.list')
+     * // { description: '...', riskLevel: 'read', input: { type: 'object', ... }, output: { ... } }
+     *
+     * corsair.get_schema('slack.invalid')
+     * // { availableMethods: { slack: ['slack.channels.list', ...], ... } }
+     */
+    get_schema(method: string): EndpointSchemaResult;
+};
+/**
+ * Creates the get_methods / get_schema functions bound to a specific plugin list.
+ * Used by both single-tenant and multi-tenant client builders.
+ */
+export declare function buildInspectMethods(plugins: readonly CorsairPlugin[]): CorsairInspectMethods;
+//# sourceMappingURL=index.d.ts.map

package/dist/core/inspect/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/inspect/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;AAqFnE,MAAM,MAAM,oBAAoB,GAAG;IAClC,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,aAAa,CAAC;IAC7C,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gEAAgE;IAChE,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC5C,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IACnC;;;;;;;OAOG;IACH,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACxC;;;;;;;OAOG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACtC;;;;;;;;;;;OAWG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,CAAC;CACjD,CAAC;AAmFF;;;GAGG;AACH,wBAAgB,mBAAmB,CAClC,OAAO,EAAE,SAAS,aAAa,EAAE,GAC/B,qBAAqB,CASvB"}

package/dist/core/inspect/index.js

@@ -0,0 +1,150 @@
+// ─────────────────────────────────────────────────────────────────────────────
+// Zod → JSON Schema Converter
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Converts a Zod schema to a plain JSON Schema-compatible object.
+ * Used to produce human-readable type information for get_schema().
+ */
+function zodToJsonSchema(schema) {
+    // Access Zod internals via a generic cast — avoids importing internal Zod types
+    const def = schema._def;
+    const typeName = def.typeName;
+    switch (typeName) {
+        case 'ZodString':
+            return { type: 'string' };
+        case 'ZodNumber':
+            return { type: 'number' };
+        case 'ZodBoolean':
+            return { type: 'boolean' };
+        case 'ZodNull':
+            return { type: 'null' };
+        case 'ZodUnknown':
+        case 'ZodAny':
+            return {};
+        case 'ZodLiteral':
+            return { const: def.value };
+        case 'ZodEnum':
+            return { enum: def.values };
+        case 'ZodOptional':
+            // Optional is reflected in the parent object's required[] array, not here
+            return zodToJsonSchema(def.innerType);
+        case 'ZodNullable': {
+            const inner = zodToJsonSchema(def.innerType);
+            return { anyOf: [inner, { type: 'null' }] };
+        }
+        case 'ZodArray':
+            return { type: 'array', items: zodToJsonSchema(def.type) };
+        case 'ZodRecord':
+            return {
+                type: 'object',
+                additionalProperties: zodToJsonSchema(def.valueType),
+            };
+        case 'ZodObject': {
+            const shape = def.shape();
+            const properties = {};
+            const required = [];
+            for (const [key, val] of Object.entries(shape)) {
+                properties[key] = zodToJsonSchema(val);
+                const fieldTypeName = val._def.typeName;
+                if (fieldTypeName !== 'ZodOptional' && fieldTypeName !== 'ZodNullable') {
+                    required.push(key);
+                }
+            }
+            const result = { type: 'object', properties };
+            if (required.length > 0)
+                result.required = required;
+            return result;
+        }
+        case 'ZodUnion':
+            return { anyOf: def.options.map(zodToJsonSchema) };
+        case 'ZodIntersection':
+            return {
+                allOf: [
+                    zodToJsonSchema(def.left),
+                    zodToJsonSchema(def.right),
+                ],
+            };
+        case 'ZodEffects':
+            // .refine(), .transform(), etc. — unwrap to the inner schema
+            return zodToJsonSchema(def.schema);
+        default:
+            return { type: (typeName ?? 'unknown').replace('Zod', '').toLowerCase() };
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Endpoint Tree Walker
+// ─────────────────────────────────────────────────────────────────────────────
+function walkEndpointTree(tree, pathParts, result) {
+    for (const [key, value] of Object.entries(tree)) {
+        const current = [...pathParts, key];
+        if (typeof value === 'function') {
+            result.push(current.join('.'));
+        }
+        else if (value !== null && typeof value === 'object') {
+            walkEndpointTree(value, current, result);
+        }
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Core Functions
+// ─────────────────────────────────────────────────────────────────────────────
+function getMethods(plugins, plugin) {
+    if (plugin !== undefined) {
+        const found = plugins.find((p) => p.id === plugin);
+        if (!found?.endpoints)
+            return [];
+        const paths = [];
+        walkEndpointTree(found.endpoints, [], paths);
+        return paths.map((path) => `${found.id}.${path}`);
+    }
+    const result = {};
+    for (const p of plugins) {
+        if (!p.endpoints)
+            continue;
+        const paths = [];
+        walkEndpointTree(p.endpoints, [], paths);
+        result[p.id] = paths.map((path) => `${p.id}.${path}`);
+    }
+    return result;
+}
+function getSchema(plugins, method) {
+    const dotIndex = method.indexOf('.');
+    if (dotIndex !== -1) {
+        const pluginId = method.slice(0, dotIndex);
+        const endpointPath = method.slice(dotIndex + 1);
+        const plugin = plugins.find((p) => p.id === pluginId);
+        if (plugin) {
+            const meta = plugin.endpointMeta?.[endpointPath];
+            const schemas = plugin.endpointSchemas?.[endpointPath];
+            // Valid entry — meta or schemas found
+            if (meta || schemas) {
+                return {
+                    description: meta?.description,
+                    riskLevel: meta?.riskLevel,
+                    irreversible: meta?.irreversible,
+                    input: schemas?.input ? zodToJsonSchema(schemas.input) : undefined,
+                    output: schemas?.output ? zodToJsonSchema(schemas.output) : undefined,
+                };
+            }
+        }
+    }
+    // Invalid or unknown method — return all available methods so the caller can self-correct
+    return { availableMethods: getMethods(plugins) };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Factory — binds inspect methods to a fixed plugin list
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates the get_methods / get_schema functions bound to a specific plugin list.
+ * Used by both single-tenant and multi-tenant client builders.
+ */
+export function buildInspectMethods(plugins) {
+    return {
+        get_methods(plugin) {
+            return getMethods(plugins, plugin);
+        },
+        get_schema(method) {
+            return getSchema(plugins, method);
+        },
+    };
+}

package/dist/core/permissions/index.d.ts

@@ -0,0 +1,29 @@
+import type { CorsairDatabase } from '../../db/kysely/database';
+import type { EndpointMetaEntry, EndpointRiskLevel, PermissionMode, PermissionPolicy } from '../plugins';
+/** Resolves the effective permission policy for an endpoint. The override (from permissions.overrides) takes precedence. */
+export declare function evaluatePermission(riskLevel: EndpointRiskLevel, mode: PermissionMode, override?: PermissionPolicy): PermissionPolicy;
+/** Parses a duration string ('30s', '10m', '1h', '2h30m', '1d') into milliseconds. */
+export declare function parseDurationMs(duration: string): number;
+export type EnforcePermissionOptions = {
+    pluginId: string;
+    endpointPath: string;
+    /** unknown: caller-supplied args vary per endpoint — not statically knowable here */
+    args: unknown;
+    mode: PermissionMode;
+    override?: PermissionPolicy;
+    riskLevel: EndpointRiskLevel;
+    meta?: EndpointMetaEntry;
+    /** Required to create an approval record. Without a DB, 'require_approval' falls back to deny. */
+    db?: CorsairDatabase;
+    timeoutMs?: number;
+};
+/**
+ * Evaluates the permission policy and returns whether the action is allowed.
+ *
+ * - `'allow'`            → returns 'allow', caller proceeds normally
+ * - `'deny'`             → logs a blocked message, returns 'blocked'
+ * - `'require_approval'` → creates a `corsair_permissions` record, logs the token, returns 'blocked'
+ *                          (falls back to deny if no database is configured)
+ */
+export declare function enforcePermission(opts: EnforcePermissionOptions): Promise<'allow' | 'blocked'>;
+//# sourceMappingURL=index.d.ts.map

package/dist/core/permissions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/permissions/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EACX,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,MAAM,YAAY,CAAC;AAgBpB,4HAA4H;AAC5H,wBAAgB,kBAAkB,CACjC,SAAS,EAAE,iBAAiB,EAC5B,IAAI,EAAE,cAAc,EACpB,QAAQ,CAAC,EAAE,gBAAgB,GACzB,gBAAgB,CAGlB;AAMD,sFAAsF;AACtF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAsBxD;AAMD,MAAM,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,qFAAqF;IACrF,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,kGAAkG;IAClG,EAAE,CAAC,EAAE,eAAe,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACtC,IAAI,EAAE,wBAAwB,GAC5B,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAkD9B"}