npm - corsair - Versions diffs - 0.1.22 → 0.1.24 - Mend

corsair 0.1.22 → 0.1.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/core/client/index.d.ts +11 -0
package/dist/core/client/index.d.ts.map +1 -1
package/dist/core/index.d.ts +1 -1
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +4 -0
package/dist/core/inspect/index.d.ts.map +1 -1
package/dist/core/permissions/index.d.ts +37 -0
package/dist/core/permissions/index.d.ts.map +1 -1
package/dist/core/permissions/index.js +50 -1
package/dist/db/index.d.ts +18 -13
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +24 -14
package/dist/db/kysely/database.d.ts.map +1 -1
package/dist/db/kysely/database.js +2 -0
package/dist/db/kysely/sqlite-date-plugin.d.ts +6 -0
package/dist/db/kysely/sqlite-date-plugin.d.ts.map +1 -0
package/dist/db/kysely/sqlite-date-plugin.js +42 -0
package/dist/db.d.ts +1 -0
package/dist/db.d.ts.map +1 -1
package/dist/db.js +1 -0
package/dist/permissions/index.d.ts +19 -22
package/dist/permissions/index.d.ts.map +1 -1
package/dist/permissions/index.js +87 -47
package/dist/plugins/resend/webhooks/types.d.ts +2 -2
package/dist/plugins/slack/webhooks/messages.d.ts.map +1 -1
package/dist/plugins/slack/webhooks/messages.js +2 -1
package/dist/tsup.config.d.ts.map +1 -1
package/dist/tsup.config.js +1 -0
package/package.json +1 -1

package/dist/core/client/index.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import type { AuthTypes } from '../constants';
 import type { BindEndpoints, EndpointTree } from '../endpoints';
 import type { CorsairErrorHandler } from '../errors';
 import type { CorsairInspectMethods } from '../inspect';
+import type { CorsairPermissionsNamespace } from '../permissions';
 import type { CorsairPlugin } from '../plugins';
 import type { BindWebhooks, RawWebhookRequest, WebhookTree } from '../webhooks';
 /**
@@ -102,6 +103,11 @@ export type CorsairTenantWrapper<Plugins extends readonly CorsairPlugin[]> = {
      * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
      */
     keys: InferAllIntegrationKeys<Plugins>;
+    /**
+     * Permission management namespace. Use this to query and transition permission records.
+     * Available at the root regardless of multi-tenancy setting.
+     */
+    permissions: CorsairPermissionsNamespace;
 } & CorsairInspectMethods;
 /**
  * Single-tenant client that includes both plugin APIs and integration-level keys.
@@ -112,6 +118,11 @@ export type CorsairSingleTenantClient<Plugins extends readonly CorsairPlugin[]>
      * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
      */
     keys: InferAllIntegrationKeys<Plugins>;
+    /**
+     * Permission management namespace. Use this to query and transition permission records.
+     * Available at the root regardless of multi-tenancy setting.
+     */
+    permissions: CorsairPermissionsNamespace;
 };
 export type BuildCorsairClientOptions = {
     database: CorsairDatabase | undefined;

package/dist/core/client/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AACtC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,OAAO,KAAK,EACX,mBAAmB,EAEnB,mBAAmB,EACnB,MAAM,cAAc,CAAC;AAKtB,OAAO,KAAK,EACX,oBAAoB,EACpB,wBAAwB,EACxB,gBAAgB,EAChB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAExD,OAAO,KAAK,EAEX,aAAa,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAOhF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAC9B,MAAM,SAAS,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,GAAG,SAAS,IACvE,MAAM,SAAS,mBAAmB,CAAC,MAAM,QAAQ,CAAC,GACnD;IAAE,EAAE,EAAE,mBAAmB,CAAC,QAAQ,CAAC,CAAA;CAAE,GACrC,EAAE,CAAC;AAMN;;GAEG;AACH,KAAK,mBAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,GAAG,KAAK,CAAC,SAAS,CAC9E,CAAC,EAAE,MAAM,CAAC,KACN,IAAI,GACN,CAAC,GACD,KAAK,CAAC;AAET;;;;;;;;;;GAUG;AACH,MAAM,MAAM,eAAe,CAC1B,OAAO,EACP,eAAe,SAAS,SAAS,GAAG,SAAS,GAAG,SAAS,IACtD,UAAU,SAAS,MAAM,OAAO,GAElC,OAAO,CAAC,UAAU,CAAC,SAAS,SAAS,GAEpC,OAAO,CAAC,UAAU,CAAC,GAEnB,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,SAAS,SAAS,GACjD,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,GAChC,KAAK,GAET,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,KAAK,CAAC;AAEV;;GAEG;AACH,KAAK,kBAAkB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,CAAC,GAAG,KAAK,CAAC;AAEzE;;;;GAIG;AACH,KAAK,oBAAoB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,iBAAiB,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACrE,WAAW,CAAC,CAAC,CAAC,SAAS,SAAS,GAC/B,WAAW,CAAC,CAAC,CAAC,GACd,SAAS,GACV,SAAS,CAAC;AAEb;;GAEG;AACH,KAAK,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACzD,CAAC,SAAS,gBAAgB,GACzB,CAAC,GACD,SAAS,GACV,SAAS,CAAC;AAEb;;;GAGG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,EACR,MAAM,MAAM,EACZ,MAAM,SAAS,EACf,MAAM,QAAQ,CACd,GACE;KACC,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,SAAS,YAAY,GACvC;QAAE,GAAG,EAAE,aAAa,CAAC,SAAS,CAAC,CAAA;KAAE,GACjC,EAAE,CAAC,GACL,mBAAmB,CAAC,MAAM,CAAC,GAC3B,CAAC,QAAQ,SAAS,WAAW,GAC1B;QACA,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACjC;;;;WAIG;QACH,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,OAAO,CAAC;KAC/D,GACA,EAAE,CAAC,GAEN,CAAC,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GAChB;QACA,IAAI,EAAE,oBAAoB,CACzB,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB,CAAC;KACF,GACA,EAAE,CAAC;CACP,GACA,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,CACR,GACE,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GACjB;KACC,CAAC,IAAI,EAAE,GAAG,wBAAwB,CAClC,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB;CACD,GACA,KAAK,GACN,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,uBAAuB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACpE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;GAEG;AACH,KAAK,qBAAqB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAClE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;;GAGG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACjE,qBAAqB,CAAC,OAAO,CAAC,GAAG,qBAAqB,CAAC;AAExD;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAAI;IAC5E,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAAC;IACzD;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;~~CACvC~~,GAAG,qBAAqB,CAAC;AAE1B;;GAEG;AACH,MAAM,MAAM,yBAAyB,CACpC,OAAO,SAAS,SAAS,aAAa,EAAE,IACrC,aAAa,CAAC,OAAO,CAAC,GAAG;IAC5B;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;~~CACvC~~,CAAC;AAsGF,MAAM,MAAM,yBAAyB,GAAG;IACvC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;IACxB,iBAAiB,CAAC,EAAE,mBAAmB,CAAC;IACxC,iGAAiG;IACjG,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;CACpE,CAAC;AAMF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CACjC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,yBAAyB,GAChC,aAAa,CAAC,OAAO,CAAC,CAqKxB;AAMD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CACnC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,eAAe,EACzB,GAAG,EAAE,MAAM,GACT,uBAAuB,CAAC,OAAO,CAAC,CAyBlC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AACtC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,OAAO,KAAK,EACX,mBAAmB,EAEnB,mBAAmB,EACnB,MAAM,cAAc,CAAC;AAKtB,OAAO,KAAK,EACX,oBAAoB,EACpB,wBAAwB,EACxB,gBAAgB,EAChB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAExD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,KAAK,EAEX,aAAa,EAIb,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAOhF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,CAC9B,MAAM,SAAS,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,GAAG,SAAS,IACvE,MAAM,SAAS,mBAAmB,CAAC,MAAM,QAAQ,CAAC,GACnD;IAAE,EAAE,EAAE,mBAAmB,CAAC,QAAQ,CAAC,CAAA;CAAE,GACrC,EAAE,CAAC;AAMN;;GAEG;AACH,KAAK,mBAAmB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,GAAG,KAAK,CAAC,SAAS,CAC9E,CAAC,EAAE,MAAM,CAAC,KACN,IAAI,GACN,CAAC,GACD,KAAK,CAAC;AAET;;;;;;;;;;GAUG;AACH,MAAM,MAAM,eAAe,CAC1B,OAAO,EACP,eAAe,SAAS,SAAS,GAAG,SAAS,GAAG,SAAS,IACtD,UAAU,SAAS,MAAM,OAAO,GAElC,OAAO,CAAC,UAAU,CAAC,SAAS,SAAS,GAEpC,OAAO,CAAC,UAAU,CAAC,GAEnB,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,SAAS,SAAS,GACjD,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,GAChC,KAAK,GAET,eAAe,SAAS,SAAS,GAC/B,eAAe,GACf,KAAK,CAAC;AAEV;;GAEG;AACH,KAAK,kBAAkB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GAAG,CAAC,GAAG,KAAK,CAAC;AAEzE;;;;GAIG;AACH,KAAK,oBAAoB,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,iBAAiB,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACrE,WAAW,CAAC,CAAC,CAAC,SAAS,SAAS,GAC/B,WAAW,CAAC,CAAC,CAAC,GACd,SAAS,GACV,SAAS,CAAC;AAEb;;GAEG;AACH,KAAK,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAA;CAAE,GACzD,CAAC,SAAS,gBAAgB,GACzB,CAAC,GACD,SAAS,GACV,SAAS,CAAC;AAEb;;;GAGG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,EACR,MAAM,MAAM,EACZ,MAAM,SAAS,EACf,MAAM,QAAQ,CACd,GACE;KACC,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,SAAS,YAAY,GACvC;QAAE,GAAG,EAAE,aAAa,CAAC,SAAS,CAAC,CAAA;KAAE,GACjC,EAAE,CAAC,GACL,mBAAmB,CAAC,MAAM,CAAC,GAC3B,CAAC,QAAQ,SAAS,WAAW,GAC1B;QACA,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACjC;;;;WAIG;QACH,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,OAAO,CAAC;KAC/D,GACA,EAAE,CAAC,GAEN,CAAC,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GAChB;QACA,IAAI,EAAE,oBAAoB,CACzB,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB,CAAC;KACF,GACA,EAAE,CAAC;CACP,GACA,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,aAAa,IAAI,CAAC,SAAS,aAAa,CAC3E,MAAM,EAAE,CACR,GACE,eAAe,CACf,kBAAkB,CAAC,CAAC,CAAC,EACrB,oBAAoB,CAAC,CAAC,CAAC,CACvB,SAAS,SAAS,GACjB;KACC,CAAC,IAAI,EAAE,GAAG,wBAAwB,CAClC,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,EAC/D,eAAe,CAAC,CAAC,CAAC,CAClB;CACD,GACA,KAAK,GACN,KAAK,CAAC;AAET;;GAEG;AACH,KAAK,uBAAuB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACpE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;GAEG;AACH,KAAK,qBAAqB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAClE,mBAAmB,CAAC,oBAAoB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAE5D;;;GAGG;AACH,MAAM,MAAM,aAAa,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IACjE,qBAAqB,CAAC,OAAO,CAAC,GAAG,qBAAqB,CAAC;AAExD;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,IAAI;IAC5E,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,aAAa,CAAC,OAAO,CAAC,CAAC;IACzD;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACvC;;;OAGG;IACH,WAAW,EAAE,2BAA2B,CAAC;CACzC,GAAG,qBAAqB,CAAC;AAE1B;;GAEG;AACH,MAAM,MAAM,yBAAyB,CACpC,OAAO,SAAS,SAAS,aAAa,EAAE,IACrC,aAAa,CAAC,OAAO,CAAC,GAAG;IAC5B;;;OAGG;IACH,IAAI,EAAE,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACvC;;;OAGG;IACH,WAAW,EAAE,2BAA2B,CAAC;CACzC,CAAC;AAsGF,MAAM,MAAM,yBAAyB,GAAG;IACvC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;IACxB,iBAAiB,CAAC,EAAE,mBAAmB,CAAC;IACxC,iGAAiG;IACjG,cAAc,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;CACpE,CAAC;AAMF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CACjC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,yBAAyB,GAChC,aAAa,CAAC,OAAO,CAAC,CAqKxB;AAMD;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CACnC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAE9C,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,eAAe,EACzB,GAAG,EAAE,MAAM,GACT,uBAAuB,CAAC,OAAO,CAAC,CAyBlC"}

package/dist/core/index.d.ts CHANGED Viewed

@@ -38,7 +38,7 @@ export type { AllProviders, AuthTypes, BaseProviders } from './constants';
 export type { BindEndpoints, BoundEndpointFn, BoundEndpointTree, CorsairContext, CorsairEndpoint, EndpointPathsOf, EndpointTree, } from './endpoints';
 export type { CorsairErrorHandler, ErrorContext, ErrorHandler, ErrorHandlerAndMatchFunction, ErrorMatcher, RetryStrategies, RetryStrategy, } from './errors';
 export type { CorsairInspectMethods, EndpointSchemaResult } from './inspect';
-export type { EnforcePermissionOptions, EnforcePermissionResult, } from './permissions';
+export type { CorsairPermissionsNamespace, EnforcePermissionOptions, EnforcePermissionResult, } from './permissions';
 export type { BeforeHookResult, CorsairIntegration, CorsairKeyBuilder, CorsairKeyBuilderBase, CorsairPlugin, CorsairPluginContext, EndpointHooks, EndpointMetaEntry, EndpointRiskLevel, KeyBuilderContext, PermissionMode, PermissionPolicy, PluginEndpointMeta, PluginPermissionsConfig, RequiredPluginEndpointMeta, RequiredPluginEndpointSchemas, RequiredPluginWebhookSchemas, WebhookHooks, } from './plugins';
 export type { Bivariant, UnionToIntersection } from './utils';
 export type { BindWebhooks, BoundWebhook, BoundWebhookTree, CorsairWebhook, CorsairWebhookHandler, CorsairWebhookMatcher, RawWebhookRequest, WebhookPathsOf, WebhookRequest, WebhookResponse, WebhookTree, } from './webhooks';

package/dist/core/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../core/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;~~AAGhF~~,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAMnE,eAAO,MAAM,gBAAgB,eAAiC,CAAC;AAE/D,MAAM,MAAM,qBAAqB,GAAG;IACnC,OAAO,EAAE,SAAS,aAAa,EAAE,CAAC;IAClC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;KAC9B,CAAC;CACF,CAAC;AAMF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,EAAE,IAAI,CAAA;CAAE,GAC1D,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;CAAE,GACxE,yBAAyB,CAAC,OAAO,CAAC,CAAC;~~AA6EtC~~,YAAY,EACX,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GAChB,MAAM,QAAQ,CAAC;AAEhB,OAAO,EACN,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,GACf,MAAM,QAAQ,CAAC;AAEhB,YAAY,EACX,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACpB,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE1E,YAAY,EACX,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,eAAe,EACf,YAAY,GACZ,MAAM,aAAa,CAAC;AAErB,YAAY,EACX,mBAAmB,EACnB,YAAY,EACZ,YAAY,EACZ,4BAA4B,EAC5B,YAAY,EACZ,eAAe,EACf,aAAa,GACb,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAC7E,YAAY,EACX,wBAAwB,EACxB,uBAAuB,GACvB,MAAM,eAAe,CAAC;AAGvB,YAAY,EACX,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,YAAY,GACZ,MAAM,WAAW,CAAC;AAGnB,YAAY,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,YAAY,EACX,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,eAAe,EACf,WAAW,GACX,MAAM,YAAY,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../core/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAG7D,OAAO,KAAK,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAIhF,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAMnE,eAAO,MAAM,gBAAgB,eAAiC,CAAC;AAE/D,MAAM,MAAM,qBAAqB,GAAG;IACnC,OAAO,EAAE,SAAS,aAAa,EAAE,CAAC;IAClC,QAAQ,EAAE,eAAe,GAAG,SAAS,CAAC;IACtC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;KAC9B,CAAC;CACF,CAAC;AAMF;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,EAAE,IAAI,CAAA;CAAE,GAC1D,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAEjC;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,CAAC,OAAO,SAAS,SAAS,aAAa,EAAE,EAC3E,MAAM,EAAE,kBAAkB,CAAC,OAAO,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,KAAK,GAAG,SAAS,CAAA;CAAE,GACxE,yBAAyB,CAAC,OAAO,CAAC,CAAC;AAiFtC,YAAY,EACX,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GAChB,MAAM,QAAQ,CAAC;AAEhB,OAAO,EACN,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,WAAW,EACX,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,GACf,MAAM,QAAQ,CAAC;AAEhB,YAAY,EACX,aAAa,EACb,yBAAyB,EACzB,oBAAoB,GACpB,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE1E,YAAY,EACX,aAAa,EACb,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,eAAe,EACf,eAAe,EACf,YAAY,GACZ,MAAM,aAAa,CAAC;AAErB,YAAY,EACX,mBAAmB,EACnB,YAAY,EACZ,YAAY,EACZ,4BAA4B,EAC5B,YAAY,EACZ,eAAe,EACf,aAAa,GACb,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAC7E,YAAY,EACX,2BAA2B,EAC3B,wBAAwB,EACxB,uBAAuB,GACvB,MAAM,eAAe,CAAC;AAGvB,YAAY,EACX,gBAAgB,EAChB,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,EAC1B,6BAA6B,EAC7B,4BAA4B,EAC5B,YAAY,GACZ,MAAM,WAAW,CAAC;AAGnB,YAAY,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9D,YAAY,EACX,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,eAAe,EACf,WAAW,GACX,MAAM,YAAY,CAAC"}

package/dist/core/index.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { createCorsairDatabase } from '../db/kysely/database';
 import { createMissingConfigProxy } from './auth/errors';
 import { buildCorsairClient, buildIntegrationKeys } from './client';
 import { buildInspectMethods } from './inspect';
+import { buildPermissionsNamespace } from './permissions';
 // ─────────────────────────────────────────────────────────────────────────────
 // Internal access for CLI tooling
 // ─────────────────────────────────────────────────────────────────────────────
@@ -26,6 +27,7 @@ export function createCorsair(config) {
         multiTenancy: !!config.multiTenancy,
         approval: config.approval,
     };
+    const permissions = buildPermissionsNamespace(resolvedDatabase);
     if (config.multiTenancy) {
         return Object.assign({
             withTenant: (tenantId) => {
@@ -41,6 +43,7 @@ export function createCorsair(config) {
                 });
             },
             keys: integrationKeys,
+            permissions,
             ...buildInspectMethods(config.plugins),
         }, { [CORSAIR_INTERNAL]: internalConfig });
     }
@@ -53,6 +56,7 @@ export function createCorsair(config) {
     });
     return Object.assign({}, client, {
         keys: integrationKeys,
+        permissions,
         [CORSAIR_INTERNAL]: internalConfig,
     });
 }

package/dist/core/inspect/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/inspect/index.ts"],"names":[],"mappings":"~~AAEA~~,OAAO,KAAK,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;~~AA2FnE~~,KAAK,WAAW,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;AAyF5D,MAAM,MAAM,oBAAoB,GAAG;IAClC,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,aAAa,CAAC;IAC7C,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gEAAgE;IAChE,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC5C,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8FAA8F;IAC9F,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,iGAAiG;IACjG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IAClC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,OAAO,EAAE;QACR,6EAA6E;QAC7E,SAAS,EAAE;YAAE,IAAI,EAAE,QAAQ,CAAC;YAAC,SAAS,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;QACnD;;;WAGG;QACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE;YAAE,IAAI,EAAE,WAAW,CAAC;YAAC,SAAS,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC,CAAC;KACjE,CAAC;CACF,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IACnC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,eAAe,CACd,OAAO,CAAC,EAAE,qBAAqB,GAC7B,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,GAAG,MAAM,CAAC;IAChD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,UAAU,CACT,IAAI,EAAE,MAAM,GACV,oBAAoB,GAAG,mBAAmB,GAAG,oBAAoB,CAAC;CACrE,CAAC;~~AAmYF~~;;;GAGG;AACH,wBAAgB,mBAAmB,CAClC,OAAO,EAAE,SAAS,aAAa,EAAE,GAC/B,qBAAqB,~~CASvB~~"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/inspect/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;AA0FnE,KAAK,WAAW,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,CAAC;AAyF5D,MAAM,MAAM,oBAAoB,GAAG;IAClC,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,aAAa,CAAC;IAC7C,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gEAAgE;IAChE,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC5C,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8FAA8F;IAC9F,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,iGAAiG;IACjG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IAClC;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,OAAO,EAAE;QACR,6EAA6E;QAC7E,SAAS,EAAE;YAAE,IAAI,EAAE,QAAQ,CAAC;YAAC,SAAS,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;QACnD;;;WAGG;QACH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE;YAAE,IAAI,EAAE,WAAW,CAAC;YAAC,SAAS,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC,CAAC;KACjE,CAAC;CACF,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IACnC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,eAAe,CACd,OAAO,CAAC,EAAE,qBAAqB,GAC7B,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,GAAG,MAAM,CAAC;IAChD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,UAAU,CACT,IAAI,EAAE,MAAM,GACV,oBAAoB,GAAG,mBAAmB,GAAG,oBAAoB,CAAC;CACrE,CAAC;AAqYF;;;GAGG;AACH,wBAAgB,mBAAmB,CAClC,OAAO,EAAE,SAAS,aAAa,EAAE,GAC/B,qBAAqB,CAWvB"}

package/dist/core/permissions/index.d.ts CHANGED Viewed

@@ -1,9 +1,46 @@
+import type { CorsairPermission } from '../../db';
 import type { CorsairDatabase } from '../../db/kysely/database';
 import type { EndpointMetaEntry, EndpointRiskLevel, PermissionMode, PermissionPolicy } from '../plugins';
 /** Resolves the effective permission policy for an endpoint. The override (from permissions.overrides) takes precedence. */
 export declare function evaluatePermission(riskLevel: EndpointRiskLevel, mode: PermissionMode, override?: PermissionPolicy): PermissionPolicy;
 /** Parses a duration string ('30s', '10m', '1h', '2h30m', '1d') into milliseconds. */
 export declare function parseDurationMs(duration: string): number;
+/**
+ * The `corsair.permissions` namespace available at the root of every corsair instance.
+ * Provides methods for querying and transitioning permission records.
+ *
+ * Status transitions exposed here are intentionally limited to safe, non-escalating states.
+ * Setting a record to 'approved' (which grants execution) is deliberately excluded —
+ * that must happen through the out-of-band review flow.
+ */
+export type CorsairPermissionsNamespace = {
+    /**
+     * Fetches a single permission record by its ID.
+     * Returns undefined if no record exists or if no database is configured.
+     */
+    find_by_permission_id(id: string): Promise<CorsairPermission | undefined>;
+    /**
+     * Fetches a single permission record by its token.
+     * The token is the public-facing handle embedded in review URLs.
+     * Returns undefined if no record exists or if no database is configured.
+     */
+    find_by_token(token: string): Promise<CorsairPermission | undefined>;
+    /**
+     * Marks the permission as 'executing'. Call this when executePermission picks up
+     * an approved record and is about to run the endpoint.
+     */
+    set_executing(id: string): Promise<void>;
+    /**
+     * Marks the permission as 'completed'. Call this after the endpoint has finished
+     * executing successfully.
+     */
+    set_completed(id: string): Promise<void>;
+};
+/**
+ * Builds the `corsair.permissions` namespace for a given database instance.
+ * Returns no-op stubs when no database is configured.
+ */
+export declare function buildPermissionsNamespace(db: CorsairDatabase | undefined): CorsairPermissionsNamespace;
 export type EnforcePermissionOptions = {
     pluginId: string;
     endpointPath: string;

package/dist/core/permissions/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/permissions/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EACX,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,MAAM,YAAY,CAAC;AAgBpB,4HAA4H;AAC5H,wBAAgB,kBAAkB,CACjC,SAAS,EAAE,iBAAiB,EAC5B,IAAI,EAAE,cAAc,EACpB,QAAQ,CAAC,EAAE,gBAAgB,GACzB,gBAAgB,CAGlB;AAMD,sFAAsF;AACtF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAsBxD;AAMD,MAAM,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,qFAAqF;IACrF,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,kGAAkG;IAClG,EAAE,CAAC,EAAE,eAAe,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kIAAkI;IAClI,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACrC,MAAM,EAAE,OAAO,GAAG,SAAS,CAAC;IAC5B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,wBAAsB,iBAAiB,CACtC,IAAI,EAAE,wBAAwB,GAC5B,OAAO,CAAC,uBAAuB,CAAC,~~CA+FlC~~"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../core/permissions/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EACX,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,MAAM,YAAY,CAAC;AAgBpB,4HAA4H;AAC5H,wBAAgB,kBAAkB,CACjC,SAAS,EAAE,iBAAiB,EAC5B,IAAI,EAAE,cAAc,EACpB,QAAQ,CAAC,EAAE,gBAAgB,GACzB,gBAAgB,CAGlB;AAMD,sFAAsF;AACtF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAsBxD;AAMD;;;;;;;GAOG;AACH,MAAM,MAAM,2BAA2B,GAAG;IACzC;;;OAGG;IACH,qBAAqB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,SAAS,CAAC,CAAC;IAC1E;;;;OAIG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,SAAS,CAAC,CAAC;IACrE;;;OAGG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzC;;;OAGG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,yBAAyB,CACxC,EAAE,EAAE,eAAe,GAAG,SAAS,GAC7B,2BAA2B,CAmC7B;AAMD,MAAM,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,qFAAqF;IACrF,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,IAAI,CAAC,EAAE,iBAAiB,CAAC;IACzB,kGAAkG;IAClG,EAAE,CAAC,EAAE,eAAe,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kIAAkI;IAClI,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACrC,MAAM,EAAE,OAAO,GAAG,SAAS,CAAC;IAC5B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,wBAAsB,iBAAiB,CACtC,IAAI,EAAE,wBAAwB,GAC5B,OAAO,CAAC,uBAAuB,CAAC,CAqGlC"}

package/dist/core/permissions/index.js CHANGED Viewed

@@ -42,6 +42,50 @@ export function parseDurationMs(duration) {
     }
     return total > 0 ? total : 10 * 60 * 1_000;
 }
+/**
+ * Builds the `corsair.permissions` namespace for a given database instance.
+ * Returns no-op stubs when no database is configured.
+ */
+export function buildPermissionsNamespace(db) {
+    return {
+        async find_by_permission_id(id) {
+            if (!db)
+                return undefined;
+            return db.db
+                .selectFrom('corsair_permissions')
+                .selectAll()
+                .where('id', '=', id)
+                .executeTakeFirst();
+        },
+        async find_by_token(token) {
+            if (!db)
+                return undefined;
+            return db.db
+                .selectFrom('corsair_permissions')
+                .selectAll()
+                .where('token', '=', token)
+                .executeTakeFirst();
+        },
+        async set_executing(id) {
+            if (!db)
+                return;
+            await db.db
+                .updateTable('corsair_permissions')
+                .set({ status: 'executing', updated_at: new Date() })
+                .where('id', '=', id)
+                .execute();
+        },
+        async set_completed(id) {
+            if (!db)
+                return;
+            await db.db
+                .updateTable('corsair_permissions')
+                .set({ status: 'completed', updated_at: new Date() })
+                .where('id', '=', id)
+                .execute();
+        },
+    };
+}
 /**
  * Evaluates the permission policy and returns whether the action is allowed.
  *
@@ -80,7 +124,7 @@ export async function enforcePermission(opts) {
         .where('args', '=', argsJson)
         .where('tenant_id', '=', tenantId)
         .where('expires_at', '>', now)
-        .where('status', 'in', ['pending', 'approved'])
+        .where('status', 'in', ['pending', 'approved', 'executing'])
         .orderBy('created_at', 'desc')
         .limit(1)
         .executeTakeFirst();
@@ -100,6 +144,11 @@ export async function enforcePermission(opts) {
                 },
             };
         }
+        if (existing.status === 'executing') {
+            // executePermission is actively running this — let the endpoint body proceed.
+            // Completion is handled by executePermission itself, not via onComplete here.
+            return { result: 'allow' };
+        }
         // status === 'pending': already waiting for approval, don't create a duplicate
         console.log(`[corsair/${opts.pluginId}] '${opts.endpointPath}' blocked — approval already pending.`, `\n  Action: ${description}`, `\n  Permission ID: ${existing.id}`, `\n  Use the token to approve or deny this request.`);
         return { result: 'blocked' };

package/dist/db/index.d.ts CHANGED Viewed

@@ -5,21 +5,21 @@ export declare const CorsairIntegrationsSchema: z.ZodObject<{
     updated_at: z.ZodDate;
     name: z.ZodString;
     config: z.ZodEffects<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>, Record<string, unknown>, Record<string, unknown> | null>;
-    dek: z.ZodOptional<z.ZodString>;
+    dek: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, "strip", z.ZodTypeAny, {
     id: string;
     created_at: Date;
     updated_at: Date;
     name: string;
     config: Record<string, unknown>;
-    dek?: string | undefined;
+    dek?: string | null | undefined;
 }, {
     id: string;
     created_at: Date;
     updated_at: Date;
     name: string;
     config: Record<string, unknown> | null;
-    dek?: string | undefined;
+    dek?: string | null | undefined;
 }>;
 export type CorsairIntegration = z.infer<typeof CorsairIntegrationsSchema>;
 export declare const CorsairAccountsSchema: z.ZodObject<{
@@ -29,7 +29,7 @@ export declare const CorsairAccountsSchema: z.ZodObject<{
     tenant_id: z.ZodString;
     integration_id: z.ZodString;
     config: z.ZodEffects<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>, Record<string, unknown>, Record<string, unknown> | null>;
-    dek: z.ZodOptional<z.ZodString>;
+    dek: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, "strip", z.ZodTypeAny, {
     id: string;
     created_at: Date;
@@ -37,7 +37,7 @@ export declare const CorsairAccountsSchema: z.ZodObject<{
     config: Record<string, unknown>;
     tenant_id: string;
     integration_id: string;
-    dek?: string | undefined;
+    dek?: string | null | undefined;
 }, {
     id: string;
     created_at: Date;
@@ -45,7 +45,7 @@ export declare const CorsairAccountsSchema: z.ZodObject<{
     config: Record<string, unknown> | null;
     tenant_id: string;
     integration_id: string;
-    dek?: string | undefined;
+    dek?: string | null | undefined;
 }>;
 export type CorsairAccount = z.infer<typeof CorsairAccountsSchema>;
 export declare const CorsairEntitiesSchema: z.ZodObject<{
@@ -120,33 +120,37 @@ export declare const CorsairPermissionsSchema: z.ZodObject<{
      * can scope the corsair instance correctly when executing the approved action.
      * Defaults to 'default' for single-tenant instances.
      */
-    tenant_id: z.ZodOptional<z.ZodString>;
+    tenant_id: z.ZodString;
     /** Current state of the approval request */
-    status: z.ZodDefault<z.ZodEnum<["pending", "approved", "completed", "denied", "expired"]>>;
+    status: z.ZodDefault<z.ZodEnum<["pending", "approved", "executing", "completed", "denied", "expired", "failed"]>>;
     /** ISO8601 timestamp — when this request becomes invalid */
     expires_at: z.ZodString;
+    /** Stringified error captured when status transitions to 'failed'. Null otherwise. */
+    error: z.ZodOptional<z.ZodNullable<z.ZodString>>;
 }, "strip", z.ZodTypeAny, {
     id: string;
     created_at: Date;
     updated_at: Date;
-    status: "pending" | "completed" | "approved" | "denied" | "expired";
+    status: "pending" | "completed" | "failed" | "approved" | "executing" | "denied" | "expired";
+    tenant_id: string;
     token: string;
     plugin: string;
     endpoint: string;
     args: string;
     expires_at: string;
-    tenant_id?: string | undefined;
+    error?: string | null | undefined;
 }, {
     id: string;
     created_at: Date;
     updated_at: Date;
+    tenant_id: string;
     token: string;
     plugin: string;
     endpoint: string;
     args: string;
     expires_at: string;
-    status?: "pending" | "completed" | "approved" | "denied" | "expired" | undefined;
-    tenant_id?: string | undefined;
+    status?: "pending" | "completed" | "failed" | "approved" | "executing" | "denied" | "expired" | undefined;
+    error?: string | null | undefined;
 }>;
 export type CorsairPermission = z.infer<typeof CorsairPermissionsSchema>;
 export type CorsairPermissionInsert = {
@@ -158,8 +162,9 @@ export type CorsairPermissionInsert = {
     endpoint: string;
     args: string;
     tenant_id?: string;
-    status?: 'pending' | 'approved' | 'completed' | 'denied' | 'expired';
+    status?: 'pending' | 'approved' | 'executing' | 'completed' | 'denied' | 'expired' | 'failed';
     expires_at: string;
+    error?: string | null;
 };
 export type CorsairTableName = 'corsair_integrations' | 'corsair_accounts' | 'corsair_entities' | 'corsair_events' | 'corsair_permissions' | (string & {});
 export type CorsairTableRow = {

package/dist/db/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../db/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAM3E,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;EAehC,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMnE,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkBhC,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMlE,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;EAgB9B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAM/D,eAAO,MAAM,wBAAwB;;;;IAKpC,uFAAuF;;IAEvF,uCAAuC;;IAEvC,6DAA6D;;IAE7D,6EAA6E;;IAE7E;;;;OAIG;;IAEH,4CAA4C;;~~IAI5C~~,4DAA4D~~;;;;;;;;;;;;;;;;;;;;;;;;EAE3D~~,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEzE,MAAM,MAAM,uBAAuB,GAAG;IACrC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,~~EAAE~~,SAAS,~~GAAG~~,UAAU,~~GAAG~~,WAAW,~~GAAG~~,QAAQ,~~GAAG~~,SAAS,CAAC;~~IACrE~~,UAAU,EAAE,MAAM,CAAC;~~CACnB~~,CAAC;AAMF,MAAM,MAAM,gBAAgB,GACzB,sBAAsB,GACtB,kBAAkB,GAClB,kBAAkB,GAClB,gBAAgB,GAChB,qBAAqB,GACrB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAMjB,MAAM,MAAM,eAAe,GAAG;IAC7B,oBAAoB,EAAE,kBAAkB,CAAC;IACzC,gBAAgB,EAAE,cAAc,CAAC;IACjC,gBAAgB,EAAE,aAAa,CAAC;IAChC,cAAc,EAAE,YAAY,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,CAAC,CAAC,SAAS,gBAAgB,IAClD,CAAC,SAAS,MAAM,eAAe,GAC5B,eAAe,CAAC,CAAC,CAAC,GAClB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAM5B,MAAM,MAAM,wBAAwB,GAAG;IACtC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IAClC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,QAAQ,CAAC;CAC3D,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,oBAAoB,EAAE,wBAAwB,CAAC;IAC/C,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,cAAc,EAAE,kBAAkB,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,eAAe,CAAC,CAAC,SAAS,gBAAgB,IACrD,CAAC,SAAS,MAAM,kBAAkB,GAC/B,kBAAkB,CAAC,CAAC,CAAC,GACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAM5B,MAAM,MAAM,wBAAwB,GAAG,OAAO,CAC7C,IAAI,CAAC,kBAAkB,EAAE,IAAI,GAAG,YAAY,CAAC,CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,OAAO,CACzC,IAAI,CAAC,cAAc,EAAE,IAAI,GAAG,YAAY,CAAC,CACzC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG,OAAO,CACxC,IAAI,CAAC,aAAa,EAAE,IAAI,GAAG,YAAY,CAAC,CACxC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,OAAO,CACvC,IAAI,CAAC,YAAY,EAAE,IAAI,GAAG,YAAY,CAAC,CACvC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,oBAAoB,EAAE,wBAAwB,CAAC;IAC/C,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,cAAc,EAAE,kBAAkB,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,eAAe,CAAC,CAAC,SAAS,gBAAgB,IACrD,CAAC,SAAS,MAAM,kBAAkB,GAC/B,kBAAkB,CAAC,CAAC,CAAC,GACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../db/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAM3E,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;EAehC,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMnE,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkBhC,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMlE,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;EAgB9B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAM/D,eAAO,MAAM,wBAAwB;;;;IAKpC,uFAAuF;;IAEvF,uCAAuC;;IAEvC,6DAA6D;;IAE7D,6EAA6E;;IAE7E;;;;OAIG;;IAEH,4CAA4C;;IAY5C,4DAA4D;;IAE5D,sFAAsF;;;;;;;;;;;;;;;;;;;;;;;;;;EAErF,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEzE,MAAM,MAAM,uBAAuB,GAAG;IACrC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EACJ,SAAS,GACT,UAAU,GACV,WAAW,GACX,WAAW,GACX,QAAQ,GACR,SAAS,GACT,QAAQ,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,CAAC;AAMF,MAAM,MAAM,gBAAgB,GACzB,sBAAsB,GACtB,kBAAkB,GAClB,kBAAkB,GAClB,gBAAgB,GAChB,qBAAqB,GACrB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAMjB,MAAM,MAAM,eAAe,GAAG;IAC7B,oBAAoB,EAAE,kBAAkB,CAAC;IACzC,gBAAgB,EAAE,cAAc,CAAC;IACjC,gBAAgB,EAAE,aAAa,CAAC;IAChC,cAAc,EAAE,YAAY,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,CAAC,CAAC,SAAS,gBAAgB,IAClD,CAAC,SAAS,MAAM,eAAe,GAC5B,eAAe,CAAC,CAAC,CAAC,GAClB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAM5B,MAAM,MAAM,wBAAwB,GAAG;IACtC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IAClC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,QAAQ,CAAC;CAC3D,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,oBAAoB,EAAE,wBAAwB,CAAC;IAC/C,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,cAAc,EAAE,kBAAkB,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,eAAe,CAAC,CAAC,SAAS,gBAAgB,IACrD,CAAC,SAAS,MAAM,kBAAkB,GAC/B,kBAAkB,CAAC,CAAC,CAAC,GACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAM5B,MAAM,MAAM,wBAAwB,GAAG,OAAO,CAC7C,IAAI,CAAC,kBAAkB,EAAE,IAAI,GAAG,YAAY,CAAC,CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,OAAO,CACzC,IAAI,CAAC,cAAc,EAAE,IAAI,GAAG,YAAY,CAAC,CACzC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG,OAAO,CACxC,IAAI,CAAC,aAAa,EAAE,IAAI,GAAG,YAAY,CAAC,CACxC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,OAAO,CACvC,IAAI,CAAC,YAAY,EAAE,IAAI,GAAG,YAAY,CAAC,CACvC,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAChC,oBAAoB,EAAE,wBAAwB,CAAC;IAC/C,gBAAgB,EAAE,oBAAoB,CAAC;IACvC,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,cAAc,EAAE,kBAAkB,CAAC;CACnC,CAAC;AAEF,MAAM,MAAM,eAAe,CAAC,CAAC,SAAS,gBAAgB,IACrD,CAAC,SAAS,MAAM,kBAAkB,GAC/B,kBAAkB,CAAC,CAAC,CAAC,GACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC"}

package/dist/db/index.js CHANGED Viewed

@@ -4,23 +4,23 @@ import { z } from 'zod';
 // ─────────────────────────────────────────────────────────────────────────────
 export const CorsairIntegrationsSchema = z.object({
     id: z.string(),
-    created_at: z.date(),
-    updated_at: z.date(),
+    created_at: z.coerce.date(),
+    updated_at: z.coerce.date(),
     name: z.string(),
     // Coerce DB null to empty object
     config: z
         .record(z.unknown())
         .nullable()
         .transform((v) => v ?? {}),
-    dek: z.string().optional(),
+    dek: z.string().nullish(),
 });
 // ─────────────────────────────────────────────────────────────────────────────
 // Corsair Accounts
 // ─────────────────────────────────────────────────────────────────────────────
 export const CorsairAccountsSchema = z.object({
     id: z.string(),
-    created_at: z.date(),
-    updated_at: z.date(),
+    created_at: z.coerce.date(),
+    updated_at: z.coerce.date(),
     tenant_id: z.string(),
     // references integrations.id
     integration_id: z.string(),
@@ -29,15 +29,15 @@ export const CorsairAccountsSchema = z.object({
         .record(z.unknown())
         .nullable()
         .transform((v) => v ?? {}),
-    dek: z.string().optional(),
+    dek: z.string().nullish(),
 });
 // ─────────────────────────────────────────────────────────────────────────────
 // Corsair Entities
 // ─────────────────────────────────────────────────────────────────────────────
 export const CorsairEntitiesSchema = z.object({
     id: z.string(),
-    created_at: z.date(),
-    updated_at: z.date(),
+    created_at: z.coerce.date(),
+    updated_at: z.coerce.date(),
     // references accounts.id (which provides tenant scoping)
     account_id: z.string(),
     entity_id: z.string(),
@@ -54,8 +54,8 @@ export const CorsairEntitiesSchema = z.object({
 // ─────────────────────────────────────────────────────────────────────────────
 export const CorsairEventsSchema = z.object({
     id: z.string(),
-    created_at: z.date(),
-    updated_at: z.date(),
+    created_at: z.coerce.date(),
+    updated_at: z.coerce.date(),
     // references accounts.id (which provides tenant scoping)
     account_id: z.string(),
     event_type: z.string(),
@@ -71,8 +71,8 @@ export const CorsairEventsSchema = z.object({
 // ─────────────────────────────────────────────────────────────────────────────
 export const CorsairPermissionsSchema = z.object({
     id: z.string(),
-    created_at: z.date(),
-    updated_at: z.date(),
+    created_at: z.coerce.date(),
+    updated_at: z.coerce.date(),
     /** 32-byte hex-encoded secure random token, single-use. Embedded in the review URL. */
     token: z.string(),
     /** Plugin identifier, e.g. 'github' */
@@ -86,11 +86,21 @@ export const CorsairPermissionsSchema = z.object({
      * can scope the corsair instance correctly when executing the approved action.
      * Defaults to 'default' for single-tenant instances.
      */
-    tenant_id: z.string().optional(),
+    tenant_id: z.string(),
     /** Current state of the approval request */
     status: z
-        .enum(['pending', 'approved', 'completed', 'denied', 'expired'])
+        .enum([
+        'pending',
+        'approved',
+        'executing',
+        'completed',
+        'denied',
+        'expired',
+        'failed',
+    ])
         .default('pending'),
     /** ISO8601 timestamp — when this request becomes invalid */
     expires_at: z.string(),
+    /** Stringified error captured when status transitions to 'failed'. Null otherwise. */
+    error: z.string().nullable().optional(),
 });

package/dist/db/kysely/database.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../db/kysely/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,MAAM,EAAkC,MAAM,QAAQ,CAAC;~~AAChE~~,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EACX,cAAc,EACd,aAAa,EACb,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,MAAM,UAAU,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG;IACnC,oBAAoB,EAAE,kBAAkB,CAAC;IACzC,gBAAgB,EAAE,cAAc,CAAC;IACjC,gBAAgB,EAAE,aAAa,CAAC;IAChC,cAAc,EAAE,YAAY,CAAC;IAC7B,mBAAmB,EAAE,iBAAiB,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC,qBAAqB,CAAC,CAAC;CAClC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,WAAW,CAC9C,mBAAmB,CAAC,UAAU,CAAC,CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAC7B,IAAI,GACJ,qBAAqB,GACrB,MAAM,CAAC,qBAAqB,CAAC,CAAC;AA6BjC,wBAAgB,qBAAqB,CACpC,KAAK,EAAE,oBAAoB,GACzB,eAAe,~~CAsBjB~~"}
1	+ {"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../db/kysely/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,MAAM,EAAkC,MAAM,QAAQ,CAAC;AAEhE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EACX,cAAc,EACd,aAAa,EACb,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,MAAM,UAAU,CAAC;AAElB,MAAM,MAAM,qBAAqB,GAAG;IACnC,oBAAoB,EAAE,kBAAkB,CAAC;IACzC,gBAAgB,EAAE,cAAc,CAAC;IACjC,gBAAgB,EAAE,aAAa,CAAC;IAChC,cAAc,EAAE,YAAY,CAAC;IAC7B,mBAAmB,EAAE,iBAAiB,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC7B,EAAE,EAAE,MAAM,CAAC,qBAAqB,CAAC,CAAC;CAClC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,WAAW,CAC9C,mBAAmB,CAAC,UAAU,CAAC,CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAC7B,IAAI,GACJ,qBAAqB,GACrB,MAAM,CAAC,qBAAqB,CAAC,CAAC;AA6BjC,wBAAgB,qBAAqB,CACpC,KAAK,EAAE,oBAAoB,GACzB,eAAe,CAuBjB"}

package/dist/db/kysely/database.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { Kysely, PostgresDialect, SqliteDialect } from 'kysely';
+import { SqliteDatePlugin } from './sqlite-date-plugin.js';
 function isPgPool(input) {
     return (typeof input.query === 'function' &&
         typeof input.connect === 'function');
@@ -20,6 +21,7 @@ export function createCorsairDatabase(input) {
     if (isBetterSqlite3(input)) {
         const db = new Kysely({
             dialect: new SqliteDialect({ database: input }),
+            plugins: [new SqliteDatePlugin()],
         });
         return { db };
     }

package/dist/db/kysely/sqlite-date-plugin.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { type KyselyPlugin, type PluginTransformQueryArgs, type PluginTransformResultArgs, type QueryResult, type RootOperationNode, type UnknownRow } from 'kysely';
+export declare class SqliteDatePlugin implements KyselyPlugin {
+    transformQuery(args: PluginTransformQueryArgs): RootOperationNode;
+    transformResult(args: PluginTransformResultArgs): Promise<QueryResult<UnknownRow>>;
+}
+//# sourceMappingURL=sqlite-date-plugin.d.ts.map

package/dist/db/kysely/sqlite-date-plugin.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sqlite-date-plugin.d.ts","sourceRoot":"","sources":["../../../db/kysely/sqlite-date-plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAEN,KAAK,YAAY,EACjB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAE9B,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACtB,KAAK,UAAU,EAEf,MAAM,QAAQ,CAAC;AAwChB,qBAAa,gBAAiB,YAAW,YAAY;IACpD,cAAc,CAAC,IAAI,EAAE,wBAAwB,GAAG,iBAAiB;IAI3D,eAAe,CACpB,IAAI,EAAE,yBAAyB,GAC7B,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;CAGnC"}

package/dist/db/kysely/sqlite-date-plugin.js ADDED Viewed

@@ -0,0 +1,42 @@
+import { OperationNodeTransformer, } from 'kysely';
+function serializeValue(v) {
+    if (v instanceof Date)
+        return v.toISOString();
+    if (v !== null && typeof v === 'object' && !Buffer.isBuffer(v))
+        return JSON.stringify(v);
+    return v;
+}
+/**
+ * Kysely plugin for SQLite (better-sqlite3) that serializes JavaScript values
+ * that the driver cannot bind natively:
+ *
+ * - Date → ISO 8601 string   (better-sqlite3 rejects Date objects)
+ * - plain object / array → JSON string  (stored as TEXT, read back via parseJsonLike)
+ *
+ * Handles both ValueNode (WHERE clauses, complex expressions) and
+ * PrimitiveValueListNode (INSERT/UPDATE with all-primitive rows — Kysely's
+ * performance fast-path that bypasses ValueNode entirely).
+ *
+ * Applied only to the SQLite Kysely instance in createCorsairDatabase, so it
+ * has no effect on Postgres connections.
+ */
+class SqliteSerializingTransformer extends OperationNodeTransformer {
+    transformValue(node) {
+        const serialized = serializeValue(node.value);
+        return serialized === node.value ? node : { ...node, value: serialized };
+    }
+    transformPrimitiveValueList(node) {
+        const serialized = node.values.map(serializeValue);
+        const changed = serialized.some((v, i) => v !== node.values[i]);
+        return changed ? { ...node, values: serialized } : node;
+    }
+}
+const transformer = new SqliteSerializingTransformer();
+export class SqliteDatePlugin {
+    transformQuery(args) {
+        return transformer.transformNode(args.node);
+    }
+    async transformResult(args) {
+        return args.result;
+    }
+}

package/dist/db.d.ts CHANGED Viewed

@@ -14,5 +14,6 @@
  */
 export { sql } from 'kysely';
 export * from './db/index';
+export { createCorsairDatabase } from './db/kysely/database';
 export type { CorsairDatabase, CorsairDatabaseInput, CorsairKyselyDatabase, } from './db/kysely/database';
 //# sourceMappingURL=db.d.ts.map

package/dist/db.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,QAAQ,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,YAAY,EACX,eAAe,EACf,oBAAoB,EACpB,qBAAqB,GACrB,MAAM,sBAAsB,CAAC"}
1	+ {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,QAAQ,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,YAAY,EACX,eAAe,EACf,oBAAoB,EACpB,qBAAqB,GACrB,MAAM,sBAAsB,CAAC"}

package/dist/db.js CHANGED Viewed

@@ -14,3 +14,4 @@
  */
 export { sql } from 'kysely';
 export * from './db/index';
+export { createCorsairDatabase } from './db/kysely/database';

package/dist/permissions/index.d.ts CHANGED Viewed

@@ -1,21 +1,19 @@
-import type { CorsairDatabase } from '../db/kysely/database';
+import type { CorsairPermissionsNamespace } from '../core/permissions';
 /**
- * A plugin namespace on the corsair instance that may have API endpoints.
+ * The corsair instance type for permission execution.
+ * Must expose the `permissions` namespace and optionally a `withTenant` method.
+ * The withTenant return type is intentionally broad — we only need to index into it
+ * by plugin name, and we cast the result to PluginWithApi at the call site.
  */
-type PluginWithApi = {
-    api?: Record<string, unknown>;
-};
-/**
- * The corsair instance type for permission execution — a record of plugin namespaces.
- * Mirrors the duck-typed shape used by processWebhook.
- */
-type CorsairInstance = Record<string, PluginWithApi | undefined> & {
-    withTenant?: (tenantId: string) => CorsairInstance;
+type CorsairInstance = {
+    permissions: CorsairPermissionsNamespace;
+    withTenant?: (tenantId: string) => Record<string, unknown>;
+    [key: string]: unknown;
 };
 export type PermissionExecuteResult = {
-    plugin: string;
-    endpoint: string;
-    result: unknown;
+    plugin?: string;
+    endpoint?: string;
+    result?: unknown;
     error?: string;
 };
 /**
@@ -29,19 +27,18 @@ export type PermissionExecuteResult = {
  * involvement required.
  *
  * Lifecycle:
- * 1. Fetches the permission record from corsair_permissions
- * 2. Validates the record is pending and not expired
+ * 1. Fetches the permission record via corsair.permissions.find_by_permission_id
+ * 2. Validates the record is approved (human has signed off) and not expired
  * 3. Resolves the tenant-scoped corsair instance (via withTenant if multi-tenant)
- * 4. Sets status to 'approved' so the bound endpoint's permission guard allows it through
+ * 4. Sets status to 'executing' via corsair.permissions.set_executing
  * 5. Navigates corsair[plugin].api[...endpoint path] to find the bound function
  * 6. Calls the function with the stored args (JSON-parsed)
- * 7. The bound function's internal onComplete callback marks the record 'completed'
- * 8. Returns the result, or an error object if the endpoint throws
+ * 7. Sets status to 'completed' via corsair.permissions.set_completed
+ * 8. Returns the result, or an error object if the endpoint gracefully exits
  *
  * @param corsair - The corsair instance (returned from createCorsair)
- * @param db - The corsair database instance
- * @param permissionId - The ID of the corsair_permissions record to execute
+ * @param token - The token embedded in the review URL for the corsair_permissions record
  */
-export declare function executePermission(corsair: CorsairInstance, db: CorsairDatabase, permissionId: string): Promise<PermissionExecuteResult>;
+export declare function executePermission(corsair: CorsairInstance, token: string): Promise<PermissionExecuteResult>;
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/permissions/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../permissions/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,~~eAAe~~,EAAE,MAAM,~~uBAAuB~~,CAAC;~~AAM7D;;GAEG~~;AACH,KAAK,~~aAAa~~,GAAG;~~IACpB~~,~~GAAG~~,~~CAAC,~~EAAE,~~MAAM~~,CAAC,~~MAAM~~,EAAE,~~OAAO,~~CAAC,~~CAAC;CAC9B~~,~~CAAC;AAEF;;;GAGG;AACH~~,KAAK,~~eAAe,GAAG,~~MAAM,CAAC,MAAM,EAAE,~~aAAa~~,~~GAAG~~,~~SAAS,~~CAAC~~,GAAG~~;~~IAClE~~,~~UAAU,~~CAAC,~~EAAE~~,~~CAAC,QAAQ,~~EAAE,MAAM,~~KAAK~~,~~eAAe~~,CAAC;~~CACnD~~,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACrC,MAAM,EAAE,MAAM,CAAC;~~IACf~~,QAAQ,EAAE,MAAM,CAAC;~~IACjB~~,MAAM,EAAE,OAAO,CAAC;~~IAChB~~,KAAK,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;~~AA4BF;;;;;;;;;;;;;;;;;;;;;;;GAuBG~~;AACH,wBAAsB,iBAAiB,CACtC,OAAO,EAAE,eAAe,EACxB,~~EAAE~~,EAAE,~~eAAe,EACnB,YAAY,EAAE,~~MAAM,~~GAClB~~,OAAO,CAAC,uBAAuB,CAAC,~~CAiFlC~~"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../permissions/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAcvE;;;;;GAKG;AACH,KAAK,eAAe,GAAG;IACtB,WAAW,EAAE,2BAA2B,CAAC;IACzC,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AA4CF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,iBAAiB,CACtC,OAAO,EAAE,eAAe,EACxB,KAAK,EAAE,MAAM,GACX,OAAO,CAAC,uBAAuB,CAAC,CAoHlC"}

package/dist/permissions/index.js CHANGED Viewed

@@ -1,3 +1,6 @@
+// Internal symbol — mirrors the one exported from core/index.ts without importing it
+// (avoids potential circular dependency) since Symbol.for() uses a global registry.
+const CORSAIR_INTERNAL_SYMBOL = Symbol.for('corsair:internal');
 // ─────────────────────────────────────────────────────────────────────────────
 // Helpers
 // ─────────────────────────────────────────────────────────────────────────────
@@ -16,6 +19,15 @@ function resolveEndpointFn(api, pathParts) {
         ? current
         : null;
 }
+/**
+ * Retrieves the internal database from a corsair instance via the CORSAIR_INTERNAL symbol.
+ * Used for terminal status transitions (expired, denied) that are not part of the
+ * public `corsair.permissions` API.
+ */
+function getInternalDb(corsair) {
+    const internal = corsair[CORSAIR_INTERNAL_SYMBOL];
+    return internal?.database;
+}
 // ─────────────────────────────────────────────────────────────────────────────
 // Main Function
 // ─────────────────────────────────────────────────────────────────────────────
@@ -30,77 +42,105 @@ function resolveEndpointFn(api, pathParts) {
  * involvement required.
  *
  * Lifecycle:
- * 1. Fetches the permission record from corsair_permissions
- * 2. Validates the record is pending and not expired
+ * 1. Fetches the permission record via corsair.permissions.find_by_permission_id
+ * 2. Validates the record is approved (human has signed off) and not expired
  * 3. Resolves the tenant-scoped corsair instance (via withTenant if multi-tenant)
- * 4. Sets status to 'approved' so the bound endpoint's permission guard allows it through
+ * 4. Sets status to 'executing' via corsair.permissions.set_executing
  * 5. Navigates corsair[plugin].api[...endpoint path] to find the bound function
  * 6. Calls the function with the stored args (JSON-parsed)
- * 7. The bound function's internal onComplete callback marks the record 'completed'
- * 8. Returns the result, or an error object if the endpoint throws
+ * 7. Sets status to 'completed' via corsair.permissions.set_completed
+ * 8. Returns the result, or an error object if the endpoint gracefully exits
  *
  * @param corsair - The corsair instance (returned from createCorsair)
- * @param db - The corsair database instance
- * @param permissionId - The ID of the corsair_permissions record to execute
+ * @param token - The token embedded in the review URL for the corsair_permissions record
  */
-export async function executePermission(corsair, db, permissionId) {
+export async function executePermission(corsair, token) {
     const now = new Date().toISOString();
-    const perm = await db.db
-        .selectFrom('corsair_permissions')
-        .selectAll()
-        .where('id', '=', permissionId)
-        .executeTakeFirst();
-    if (!perm) {
-        throw new Error(`executePermission: permission '${permissionId}' not found.`);
+    const permission = await corsair.permissions.find_by_token(token);
+    if (!permission) {
+        console.error(`executePermission: no permission found for token.`);
+        return {
+            error: `executePermission: no permission found for token.`,
+        };
     }
-    if (perm.status !== 'pending') {
-        throw new Error(`executePermission: permission '${permissionId}' is '${perm.status}', expected 'pending'.`);
+    if (permission.status !== 'approved') {
+        console.error(`executePermission: permission '${permission.id}' is '${permission.status}', expected 'approved'.`);
+        return {
+            endpoint: permission.endpoint,
+            plugin: permission.plugin,
+            result: null,
+            error: `executePermission: permission '${permission.id}' is '${permission.status}', expected 'approved'.`,
+        };
     }
-    if (perm.expires_at < now) {
-        await db.db
-            .updateTable('corsair_permissions')
-            .set({ status: 'expired', updated_at: new Date() })
-            .where('id', '=', permissionId)
-            .execute();
-        throw new Error(`executePermission: permission '${permissionId}' has expired.`);
+    if (permission.expires_at < now) {
+        const db = getInternalDb(corsair);
+        if (db) {
+            await db.db
+                .updateTable('corsair_permissions')
+                .set({ status: 'expired', updated_at: new Date() })
+                .where('id', '=', permission.id)
+                .execute();
+        }
+        console.error(`executePermission: permission '${permission.id}' has expired.`);
+        return {
+            error: `executePermission: permission '${permission.id}' has expired.`,
+            endpoint: permission.endpoint,
+            plugin: permission.plugin,
+            result: null,
+        };
     }
     // Resolve the tenant-scoped instance. The stored tenant_id ensures the correct
     // plugin context is used for multi-tenant corsair instances.
-    const tenantId = perm.tenant_id ?? 'default';
+    const tenantId = permission.tenant_id ?? 'default';
     const scopedCorsair = corsair.withTenant
         ? corsair.withTenant(tenantId)
         : corsair;
-    const pluginNamespace = scopedCorsair[perm.plugin];
+    const pluginNamespace = scopedCorsair[permission.plugin];
     if (!pluginNamespace?.api) {
-        throw new Error(`executePermission: plugin '${perm.plugin}' not found or has no API on this corsair instance.`);
+        console.error(`executePermission: plugin '${permission.plugin}' not found or has no API on this corsair instance.`);
+        return {
+            error: `executePermission: plugin '${permission.plugin}' not found or has no API on this corsair instance.`,
+            plugin: permission.plugin,
+            endpoint: permission.endpoint,
+            result: null,
+        };
     }
-    const endpointFn = resolveEndpointFn(pluginNamespace.api, perm.endpoint.split('.'));
+    const endpointFn = resolveEndpointFn(pluginNamespace.api, permission.endpoint.split('.'));
     if (!endpointFn) {
-        throw new Error(`executePermission: endpoint '${perm.endpoint}' not found in plugin '${perm.plugin}'.`);
+        console.error(`executePermission: endpoint '${permission.endpoint}' not found in plugin '${permission.plugin}'.`);
+        return {
+            endpoint: permission.endpoint,
+            plugin: permission.plugin,
+            result: null,
+            error: `executePermission: endpoint '${permission.endpoint}' not found in plugin '${permission.plugin}'.`,
+        };
     }
-    // Mark as approved — the bound function's enforcePermission will find this record,
-    // allow the call through, then its onComplete callback marks it 'completed'.
-    await db.db
-        .updateTable('corsair_permissions')
-        .set({ status: 'approved', updated_at: new Date() })
-        .where('id', '=', permissionId)
-        .execute();
+    // Mark as executing — the bound endpoint's enforcePermission recognises this status
+    // and allows the call through. Completion is set explicitly below after the endpoint returns.
+    await corsair.permissions.set_executing(permission.id);
     try {
-        const result = await endpointFn(JSON.parse(perm.args));
-        return { plugin: perm.plugin, endpoint: perm.endpoint, result };
+        const parsedArgs = typeof permission.args === 'string'
+            ? JSON.parse(permission.args)
+            : permission.args;
+        const result = await endpointFn(parsedArgs);
+        await corsair.permissions.set_completed(permission.id);
+        return { plugin: permission.plugin, endpoint: permission.endpoint, result };
     }
     catch (error) {
-        // Reset to a terminal state so the approval cannot be silently retried.
-        await db.db
-            .updateTable('corsair_permissions')
-            .set({ status: 'denied', updated_at: new Date() })
-            .where('id', '=', permissionId)
-            .execute();
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        const db = getInternalDb(corsair);
+        if (db) {
+            await db.db
+                .updateTable('corsair_permissions')
+                .set({ status: 'failed', error: errorMessage, updated_at: new Date() })
+                .where('id', '=', permission.id)
+                .execute();
+        }
         return {
-            plugin: perm.plugin,
-            endpoint: perm.endpoint,
+            plugin: permission.plugin,
+            endpoint: permission.endpoint,
             result: null,
-            error: error instanceof Error ? error.message : String(error),
+            error: errorMessage,
         };
     }
 }

package/dist/plugins/resend/webhooks/types.d.ts CHANGED Viewed

@@ -47,8 +47,8 @@ export declare const ResendWebhookPayloadSchema: z.ZodObject<{
         created_at: string;
         name?: string | undefined;
         status?: string | undefined;
-        link?: string | undefined;
         error?: string | undefined;
+        link?: string | undefined;
         subject?: string | undefined;
         from?: string | undefined;
         to?: string[] | undefined;
@@ -65,8 +65,8 @@ export declare const ResendWebhookPayloadSchema: z.ZodObject<{
         created_at: string;
         name?: string | undefined;
         status?: string | undefined;
-        link?: string | undefined;
         error?: string | undefined;
+        link?: string | undefined;
         subject?: string | undefined;
         from?: string | undefined;
         to?: string[] | undefined;

package/dist/plugins/slack/webhooks/messages.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../../../plugins/slack/webhooks/messages.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAGxC,eAAO,MAAM,OAAO,EAAE,aAAa,CAAC,SAAS,~~CAyF5C~~,CAAC"}
1	+ {"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../../../plugins/slack/webhooks/messages.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAGxC,eAAO,MAAM,OAAO,EAAE,aAAa,CAAC,SAAS,CA4F5C,CAAC"}

package/dist/plugins/slack/webhooks/messages.js CHANGED Viewed

@@ -43,7 +43,8 @@ export const message = {
                     });
                     corsairEntityId = entity?.id || '';
                 }
-                else if (!('subtype' in event) || event.subtype !== 'message_deleted') {
+                else if (!('subtype' in event) ||
+                    event.subtype !== 'message_deleted') {
                     // GenericMessageEvent, BotMessageEvent, FileShareMessageEvent, etc.
                     // Skip message_deleted — the message no longer exists and we don't
                     // want to create a spurious record keyed on the deletion-event timestamp.

package/dist/tsup.config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tsup.config.d.ts","sourceRoot":"","sources":["../tsup.config.ts"],"names":[],"mappings":";AAEA,~~wBA6BG~~"}
1	+ {"version":3,"file":"tsup.config.d.ts","sourceRoot":"","sources":["../tsup.config.ts"],"names":[],"mappings":";AAEA,wBA8BG"}

package/dist/tsup.config.js CHANGED Viewed

@@ -18,6 +18,7 @@ export default defineConfig({
     entry: [
         'index.ts',
         'core.ts',
+        'db.ts',
         'mcp.ts',
         'orm.ts',
         'plugins/index.ts',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "corsair",
-  "version": "0.1.22",
+  "version": "0.1.24",
   "description": "",
   "type": "module",
   "main": "./dist/index.js",