corsair 0.1.23 → 0.1.25

package/dist/core.js

@@ -1,17 +1,1807 @@
-/**
- * Corsair Core - Core types and utilities for building Corsair integrations
- *
- * This module exports all core infrastructure types including:
- * - Main factory function (createCorsair)
- * - Client types (CorsairClient, CorsairTenantWrapper, etc.)
- * - Plugin system types
- * - Endpoint and webhook infrastructure
- * - Auth types and utilities
- * - Error handling
- *
- * @example
- * ```ts
- * import { createCorsair, type CorsairPlugin } from 'corsair/core';
- * ```
- */
-export * from './core/index';
+// db/kysely/database.ts
+import { Kysely, PostgresDialect, SqliteDialect } from "kysely";
+
+// db/kysely/sqlite-date-plugin.ts
+import {
+  OperationNodeTransformer
+} from "kysely";
+function serializeValue(v) {
+  if (v instanceof Date) return v.toISOString();
+  if (v !== null && typeof v === "object" && !Buffer.isBuffer(v))
+    return JSON.stringify(v);
+  return v;
+}
+var SqliteSerializingTransformer = class extends OperationNodeTransformer {
+  transformValue(node) {
+    const serialized = serializeValue(node.value);
+    return serialized === node.value ? node : { ...node, value: serialized };
+  }
+  transformPrimitiveValueList(node) {
+    const serialized = node.values.map(serializeValue);
+    const changed = serialized.some((v, i) => v !== node.values[i]);
+    return changed ? { ...node, values: serialized } : node;
+  }
+};
+var transformer = new SqliteSerializingTransformer();
+var SqliteDatePlugin = class {
+  transformQuery(args) {
+    return transformer.transformNode(args.node);
+  }
+  async transformResult(args) {
+    return args.result;
+  }
+};
+
+// db/kysely/database.ts
+function isPgPool(input) {
+  return typeof input.query === "function" && typeof input.connect === "function";
+}
+function isBetterSqlite3(input) {
+  const db = input;
+  return typeof db.prepare === "function" && typeof db.exec === "function" && typeof db.close === "function" && !("query" in input);
+}
+function isKysely(input) {
+  return typeof input.selectFrom === "function";
+}
+function createCorsairDatabase(input) {
+  if (isKysely(input)) {
+    return { db: input };
+  }
+  if (isBetterSqlite3(input)) {
+    const db = new Kysely({
+      dialect: new SqliteDialect({ database: input }),
+      plugins: [new SqliteDatePlugin()]
+    });
+    return { db };
+  }
+  if (isPgPool(input)) {
+    const db = new Kysely({
+      dialect: new PostgresDialect({ pool: input })
+    });
+    return { db };
+  }
+  throw new Error(
+    "Unsupported database input. Expected a pg Pool, better-sqlite3 Database, or a Kysely instance."
+  );
+}
+
+// core/auth/encryption.ts
+import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "crypto";
+import { promisify } from "util";
+var scryptAsync = promisify(scrypt);
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var SALT_LENGTH = 16;
+var KEY_LENGTH = 32;
+function generateDEK() {
+  return randomBytes(KEY_LENGTH).toString("base64");
+}
+async function encryptDEK(dek, kek) {
+  const salt = randomBytes(SALT_LENGTH);
+  const derivedKey = await scryptAsync(kek, salt, KEY_LENGTH);
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, derivedKey, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  const encrypted = Buffer.concat([cipher.update(dek, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return [
+    salt.toString("base64"),
+    iv.toString("base64"),
+    authTag.toString("base64"),
+    encrypted.toString("base64")
+  ].join(":");
+}
+async function decryptDEK(encryptedDek, kek) {
+  const [saltB64, ivB64, authTagB64, encryptedB64] = encryptedDek.split(":");
+  if (!saltB64 || !ivB64 || !authTagB64 || !encryptedB64) {
+    throw new Error("Invalid encrypted DEK format");
+  }
+  const salt = Buffer.from(saltB64, "base64");
+  const iv = Buffer.from(ivB64, "base64");
+  const authTag = Buffer.from(authTagB64, "base64");
+  const encrypted = Buffer.from(encryptedB64, "base64");
+  const derivedKey = await scryptAsync(kek, salt, KEY_LENGTH);
+  const decipher = createDecipheriv(ALGORITHM, derivedKey, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return decrypted.toString("utf8");
+}
+function encryptWithDEK(data, dek) {
+  const key = Buffer.from(dek, "base64");
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  const encrypted = Buffer.concat([
+    cipher.update(data, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return [
+    iv.toString("base64"),
+    authTag.toString("base64"),
+    encrypted.toString("base64")
+  ].join(":");
+}
+function decryptWithDEK(encryptedData, dek) {
+  const [ivB64, authTagB64, encryptedB64] = encryptedData.split(":");
+  if (!ivB64 || !authTagB64 || !encryptedB64) {
+    throw new Error("Invalid encrypted data format");
+  }
+  const key = Buffer.from(dek, "base64");
+  const iv = Buffer.from(ivB64, "base64");
+  const authTag = Buffer.from(authTagB64, "base64");
+  const encrypted = Buffer.from(encryptedB64, "base64");
+  const decipher = createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return decrypted.toString("utf8");
+}
+function encryptConfig(config, dek) {
+  const encrypted = {};
+  for (const [key, value] of Object.entries(config)) {
+    encrypted[key] = encryptWithDEK(value, dek);
+  }
+  return encrypted;
+}
+function decryptConfig(encryptedConfig, dek) {
+  const decrypted = {};
+  for (const [key, value] of Object.entries(encryptedConfig)) {
+    decrypted[key] = decryptWithDEK(value, dek);
+  }
+  return decrypted;
+}
+function reEncryptConfig(encryptedConfig, oldDek, newDek) {
+  const decrypted = decryptConfig(encryptedConfig, oldDek);
+  return encryptConfig(decrypted, newDek);
+}
+
+// core/auth/errors/missing-config.ts
+function createMissingConfigProxy(hasDatabase, hasKek) {
+  const missingConfig = [];
+  if (!hasDatabase) missingConfig.push("database");
+  if (!hasKek) missingConfig.push("kek");
+  const proxyTarget = {};
+  return new Proxy(proxyTarget, {
+    get(_target, prop) {
+      const isPlural = missingConfig.length > 1;
+      throw new Error(
+        `corsair.keys.${String(prop)}: Cannot access keys because ${missingConfig.join(" and ")} ${isPlural ? "are" : "is"} not configured. Provide both 'database' and 'kek' in createCorsair() to enable key management.
+
+To generate a KEK, run: openssl rand -base64 ${KEY_LENGTH}`
+      );
+    }
+  });
+}
+
+// db/kysely/orm.ts
+import { z } from "zod";
+
+// core/utils.ts
+import { v7 } from "uuid";
+function generateUUID() {
+  return v7();
+}
+
+// db/kysely/postgres.ts
+import { sql } from "kysely";
+function escapeJsonPath(path) {
+  return path.replace(/'/g, "''");
+}
+function jsonbTextField(key) {
+  const escapedPath = escapeJsonPath(key);
+  return sql`data->>'${sql.raw(escapedPath)}'`;
+}
+function jsonbNumberField(key) {
+  const escapedPath = escapeJsonPath(key);
+  return sql`(data->>'${sql.raw(escapedPath)}')::numeric`;
+}
+function jsonbBooleanField(key) {
+  const escapedPath = escapeJsonPath(key);
+  return sql`(data->>'${sql.raw(escapedPath)}')::boolean`;
+}
+function jsonbTimestampField(key) {
+  const escapedPath = escapeJsonPath(key);
+  return sql`(data->>'${sql.raw(escapedPath)}')::timestamptz`;
+}
+
+// db/kysely/orm.ts
+function parseJsonLike(value) {
+  if (typeof value === "string") {
+    try {
+      return JSON.parse(value);
+    } catch {
+      return value;
+    }
+  }
+  return value;
+}
+function unwrapSchema(schema) {
+  let current = schema;
+  while (current) {
+    if (current instanceof z.ZodOptional || current instanceof z.ZodNullable) {
+      current = current._def.innerType;
+      continue;
+    }
+    if (current instanceof z.ZodDefault) {
+      current = current._def.innerType;
+      continue;
+    }
+    if (current instanceof z.ZodEffects) {
+      current = current._def.schema;
+      continue;
+    }
+    break;
+  }
+  return current;
+}
+function getFieldType(schema) {
+  const unwrapped = unwrapSchema(schema);
+  if (unwrapped instanceof z.ZodString) return "string";
+  if (unwrapped instanceof z.ZodNumber) return "number";
+  if (unwrapped instanceof z.ZodBoolean) return "boolean";
+  if (unwrapped instanceof z.ZodDate) return "date";
+  return void 0;
+}
+function getDataFieldTypes(schema) {
+  const unwrapped = unwrapSchema(schema);
+  if (!(unwrapped instanceof z.ZodObject)) return {};
+  const shape = unwrapped.shape;
+  const fieldTypes = {};
+  for (const [key, fieldSchema] of Object.entries(shape)) {
+    const fieldType = getFieldType(fieldSchema);
+    if (fieldType) fieldTypes[key] = fieldType;
+  }
+  return fieldTypes;
+}
+function applyStringFilter(q, expr, filterValue) {
+  if (typeof filterValue === "string") {
+    return q.where(expr, "=", filterValue);
+  }
+  if (typeof filterValue === "object" && filterValue !== null && !Array.isArray(filterValue)) {
+    const obj = filterValue;
+    if ("equals" in obj && typeof obj.equals === "string") {
+      q = q.where(expr, "=", obj.equals);
+    }
+    if ("contains" in obj && typeof obj.contains === "string") {
+      q = q.where(expr, "like", `%${obj.contains}%`);
+    }
+    if ("startsWith" in obj && typeof obj.startsWith === "string") {
+      q = q.where(expr, "like", `${obj.startsWith}%`);
+    }
+    if ("endsWith" in obj && typeof obj.endsWith === "string") {
+      q = q.where(expr, "like", `%${obj.endsWith}`);
+    }
+    if ("in" in obj && Array.isArray(obj.in)) {
+      q = q.where(expr, "in", obj.in);
+    }
+  }
+  return q;
+}
+function applyNumberFilter(q, expr, filterValue) {
+  if (typeof filterValue === "number") {
+    return q.where(expr, "=", filterValue);
+  }
+  if (typeof filterValue === "object" && filterValue !== null && !Array.isArray(filterValue)) {
+    const obj = filterValue;
+    if (typeof obj.equals === "number") q = q.where(expr, "=", obj.equals);
+    if (typeof obj.gt === "number") q = q.where(expr, ">", obj.gt);
+    if (typeof obj.gte === "number") q = q.where(expr, ">=", obj.gte);
+    if (typeof obj.lt === "number") q = q.where(expr, "<", obj.lt);
+    if (typeof obj.lte === "number") q = q.where(expr, "<=", obj.lte);
+    if (Array.isArray(obj.in)) q = q.where(expr, "in", obj.in);
+  }
+  return q;
+}
+function applyBooleanFilter(q, expr, filterValue) {
+  if (typeof filterValue === "boolean") {
+    return q.where(expr, "=", filterValue);
+  }
+  if (typeof filterValue === "object" && filterValue !== null && !Array.isArray(filterValue)) {
+    const obj = filterValue;
+    if (typeof obj.equals === "boolean") q = q.where(expr, "=", obj.equals);
+  }
+  return q;
+}
+function applyDateFilter(q, expr, filterValue) {
+  if (filterValue instanceof Date) {
+    return q.where(expr, "=", filterValue);
+  }
+  if (typeof filterValue === "object" && filterValue !== null && !Array.isArray(filterValue)) {
+    const obj = filterValue;
+    if (obj.equals instanceof Date) q = q.where(expr, "=", obj.equals);
+    if (obj.before instanceof Date) q = q.where(expr, "<", obj.before);
+    if (obj.after instanceof Date) q = q.where(expr, ">", obj.after);
+    if (Array.isArray(obj.between) && obj.between.length === 2) {
+      const [start, end] = obj.between;
+      if (start instanceof Date) q = q.where(expr, ">=", start);
+      if (end instanceof Date) q = q.where(expr, "<=", end);
+    }
+  }
+  return q;
+}
+function applyDataFilter(q, key, fieldType, filterValue) {
+  if (fieldType === "number") {
+    return applyNumberFilter(q, jsonbNumberField(key), filterValue);
+  }
+  if (fieldType === "boolean") {
+    return applyBooleanFilter(q, jsonbBooleanField(key), filterValue);
+  }
+  if (fieldType === "date") {
+    return applyDateFilter(q, jsonbTimestampField(key), filterValue);
+  }
+  return applyStringFilter(q, jsonbTextField(key), filterValue);
+}
+function applyEntityFieldFilter(q, key, filterValue) {
+  if (typeof filterValue === "object" && filterValue !== null && !Array.isArray(filterValue)) {
+    const obj = filterValue;
+    if ("equals" in obj) q = q.where(key, "=", obj.equals);
+    if ("contains" in obj && typeof obj.contains === "string") {
+      q = q.where(key, "like", `%${obj.contains}%`);
+    }
+    if ("startsWith" in obj && typeof obj.startsWith === "string") {
+      q = q.where(key, "like", `${obj.startsWith}%`);
+    }
+    if ("endsWith" in obj && typeof obj.endsWith === "string") {
+      q = q.where(key, "like", `%${obj.endsWith}`);
+    }
+    if ("in" in obj && Array.isArray(obj.in)) {
+      q = q.where(key, "in", obj.in);
+    }
+    return q;
+  }
+  return q.where(key, "=", filterValue);
+}
+function parseCountValue(countVal) {
+  if (typeof countVal === "number") return countVal;
+  if (typeof countVal === "bigint") return Number(countVal);
+  return Number.parseInt(String(countVal ?? 0), 10);
+}
+function baseQuery(db, accountId, entityTypeName) {
+  return db.selectFrom("corsair_entities").selectAll().where("account_id", "=", accountId).where("entity_type", "=", entityTypeName);
+}
+function createKyselyEntityClient(db, getAccountId, entityTypeName, version, dataSchema) {
+  const dataFieldTypes = getDataFieldTypes(dataSchema);
+  function parseRow(row) {
+    const data = parseJsonLike(row.data);
+    return {
+      ...row,
+      data: dataSchema.parse(data)
+    };
+  }
+  return {
+    findByEntityId: async (entityId) => {
+      const accountId = await getAccountId();
+      const row = await baseQuery(db, accountId, entityTypeName).where("entity_id", "=", entityId).executeTakeFirst();
+      return row ? parseRow(row) : null;
+    },
+    findById: async (id) => {
+      const accountId = await getAccountId();
+      const row = await baseQuery(db, accountId, entityTypeName).where("id", "=", id).executeTakeFirst();
+      return row ? parseRow(row) : null;
+    },
+    findManyByEntityIds: async (entityIds) => {
+      if (entityIds.length === 0) return [];
+      const accountId = await getAccountId();
+      const rows = await baseQuery(db, accountId, entityTypeName).where("entity_id", "in", entityIds).execute();
+      return rows.map(parseRow);
+    },
+    list: async (options) => {
+      const accountId = await getAccountId();
+      let q = baseQuery(db, accountId, entityTypeName);
+      if (typeof options?.limit === "number") q = q.limit(options.limit);
+      if (typeof options?.offset === "number") q = q.offset(options.offset);
+      const rows = await q.execute();
+      return rows.map(parseRow);
+    },
+    search: async (options) => {
+      const accountId = await getAccountId();
+      let q = baseQuery(db, accountId, entityTypeName);
+      const reservedKeys = /* @__PURE__ */ new Set(["data", "limit", "offset"]);
+      for (const [key, filterValue] of Object.entries(options)) {
+        if (reservedKeys.has(key) || filterValue === void 0) continue;
+        q = applyEntityFieldFilter(q, key, filterValue);
+      }
+      if (options.data && typeof options.data === "object") {
+        for (const [key, filterValue] of Object.entries(options.data)) {
+          if (filterValue === void 0) continue;
+          const fieldType = dataFieldTypes[key] ?? "string";
+          q = applyDataFilter(q, key, fieldType, filterValue);
+        }
+      }
+      if (typeof options.limit === "number") q = q.limit(options.limit);
+      if (typeof options.offset === "number") q = q.offset(options.offset);
+      const rows = await q.execute();
+      return rows.map(parseRow);
+    },
+    upsertByEntityId: async (entityId, data) => {
+      const accountId = await getAccountId();
+      const parsed = dataSchema.parse(data);
+      const now = /* @__PURE__ */ new Date();
+      const existing = await baseQuery(db, accountId, entityTypeName).select("id").where("entity_id", "=", entityId).executeTakeFirst();
+      if (existing?.id) {
+        await db.updateTable("corsair_entities").set({ version, data: parsed, updated_at: now }).where("id", "=", existing.id).execute();
+        const updated = await db.selectFrom("corsair_entities").selectAll().where("id", "=", existing.id).executeTakeFirst();
+        return parseRow(updated);
+      }
+      const id = generateUUID();
+      await db.insertInto("corsair_entities").values({
+        id,
+        created_at: now,
+        updated_at: now,
+        account_id: accountId,
+        entity_id: entityId,
+        entity_type: entityTypeName,
+        version,
+        data: parsed
+      }).execute();
+      const inserted = await db.selectFrom("corsair_entities").selectAll().where("id", "=", id).executeTakeFirst();
+      return parseRow(inserted);
+    },
+    deleteById: async (id) => {
+      const accountId = await getAccountId();
+      const res = await db.deleteFrom("corsair_entities").where("account_id", "=", accountId).where("entity_type", "=", entityTypeName).where("id", "=", id).executeTakeFirst();
+      return Number(res.numDeletedRows) > 0;
+    },
+    deleteByEntityId: async (entityId) => {
+      const accountId = await getAccountId();
+      const res = await db.deleteFrom("corsair_entities").where("account_id", "=", accountId).where("entity_type", "=", entityTypeName).where("entity_id", "=", entityId).executeTakeFirst();
+      return Number(res.numDeletedRows) > 0;
+    },
+    count: async () => {
+      const accountId = await getAccountId();
+      const row = await db.selectFrom("corsair_entities").select((eb) => eb.fn.countAll().as("count")).where("account_id", "=", accountId).where("entity_type", "=", entityTypeName).executeTakeFirst();
+      return parseCountValue(row?.count);
+    }
+  };
+}
+
+// core/auth/types.ts
+var BASE_AUTH_FIELDS = {
+  oauth_2: {
+    integration: ["client_id", "client_secret", "redirect_url"],
+    account: [
+      "access_token",
+      "refresh_token",
+      "expires_at",
+      "scope",
+      "webhook_signature"
+    ]
+  },
+  api_key: {
+    integration: [],
+    account: ["api_key", "webhook_signature"]
+  },
+  bot_token: {
+    integration: [],
+    account: ["bot_token", "webhook_signature"]
+  }
+};
+
+// core/auth/key-manager.ts
+function createFieldAccessors(getDecryptedConfig, updateConfig, fields) {
+  const accessors = {};
+  for (const field of fields) {
+    accessors[`get_${field}`] = async () => {
+      const config = await getDecryptedConfig();
+      return config[field] ?? null;
+    };
+    accessors[`set_${field}`] = async (value) => {
+      await updateConfig({ [field]: value });
+    };
+  }
+  return accessors;
+}
+var parseConfig = (config) => {
+  if (!config) return {};
+  if (typeof config === "string") {
+    try {
+      return JSON.parse(config);
+    } catch {
+      return {};
+    }
+  }
+  return config;
+};
+function createIntegrationKeyManager(options) {
+  const {
+    authType,
+    integrationName,
+    kek,
+    database,
+    extraIntegrationFields = []
+  } = options;
+  const allFields = [
+    ...BASE_AUTH_FIELDS[authType].integration,
+    ...extraIntegrationFields
+  ];
+  let cachedIntegration = null;
+  const ctx = {
+    kek,
+    integrationName,
+    getIntegration: async () => {
+      if (cachedIntegration) return cachedIntegration;
+      const integration = await database.db.selectFrom("corsair_integrations").selectAll().where("name", "=", integrationName).executeTakeFirst();
+      if (!integration) {
+        throw new Error(
+          `Integration "${integrationName}" not found. Make sure to create the integration first.`
+        );
+      }
+      cachedIntegration = {
+        id: integration.id,
+        config: parseConfig(integration.config),
+        dek: integration.dek ?? null
+      };
+      return cachedIntegration;
+    },
+    updateIntegration: async (data) => {
+      const integration = await ctx.getIntegration();
+      await database.db.updateTable("corsair_integrations").set({
+        ...data.config !== void 0 ? { config: data.config } : {},
+        ...data.dek !== void 0 ? { dek: data.dek } : {},
+        updated_at: /* @__PURE__ */ new Date()
+      }).where("id", "=", integration.id).execute();
+      cachedIntegration = null;
+    }
+  };
+  let cachedDek = null;
+  const getDecryptedDek = async () => {
+    if (cachedDek) return cachedDek;
+    const integration = await ctx.getIntegration();
+    if (!integration.dek) {
+      throw new Error(
+        `No DEK found for integration "${integrationName}". Initialize the integration first.`
+      );
+    }
+    cachedDek = await decryptDEK(integration.dek, kek);
+    return cachedDek;
+  };
+  const getDecryptedConfig = async () => {
+    const integration = await ctx.getIntegration();
+    const dek = await getDecryptedDek();
+    const config = integration.config;
+    if (!config || Object.keys(config).length === 0) {
+      return {};
+    }
+    return decryptConfig(config, dek);
+  };
+  const updateConfig = async (updates) => {
+    const dek = await getDecryptedDek();
+    const currentConfig = await getDecryptedConfig();
+    const newConfig = { ...currentConfig };
+    for (const [key, value] of Object.entries(updates)) {
+      if (value === null) {
+        delete newConfig[key];
+      } else {
+        newConfig[key] = value;
+      }
+    }
+    const encryptedConfig = encryptConfig(newConfig, dek);
+    await ctx.updateIntegration({ config: encryptedConfig });
+  };
+  const manager = {
+    get_dek: getDecryptedDek,
+    issue_new_dek: async () => {
+      const integration = await ctx.getIntegration();
+      const newDek = generateDEK();
+      let newConfig = {};
+      if (integration.dek) {
+        const oldDek = await decryptDEK(integration.dek, kek);
+        const config = integration.config;
+        if (config && Object.keys(config).length > 0) {
+          newConfig = reEncryptConfig(config, oldDek, newDek);
+        }
+      }
+      const encryptedNewDek = await encryptDEK(newDek, kek);
+      await ctx.updateIntegration({
+        config: newConfig,
+        dek: encryptedNewDek
+      });
+      cachedDek = newDek;
+      return newDek;
+    },
+    // Auto-generated field accessors
+    ...createFieldAccessors(getDecryptedConfig, updateConfig, allFields)
+  };
+  return manager;
+}
+function createAccountKeyManager(options) {
+  const {
+    authType,
+    integrationName,
+    tenantId,
+    kek,
+    database,
+    extraAccountFields = []
+  } = options;
+  const allFields = [
+    ...BASE_AUTH_FIELDS[authType].account,
+    ...extraAccountFields
+  ];
+  let cachedAccount = null;
+  let cachedIntegration = null;
+  const getIntegration = async () => {
+    if (cachedIntegration) return cachedIntegration;
+    const integration = await database.db.selectFrom("corsair_integrations").selectAll().where("name", "=", integrationName).executeTakeFirst();
+    if (!integration) {
+      throw new Error(
+        `Integration "${integrationName}" not found. Make sure to create the integration first.`
+      );
+    }
+    cachedIntegration = {
+      id: integration.id,
+      config: parseConfig(integration.config),
+      dek: integration.dek ?? null
+    };
+    return cachedIntegration;
+  };
+  const ctx = {
+    kek,
+    integrationName,
+    tenantId,
+    getIntegration,
+    getAccount: async () => {
+      if (cachedAccount) return cachedAccount;
+      const integration = await getIntegration();
+      const account = await database.db.selectFrom("corsair_accounts").selectAll().where("tenant_id", "=", tenantId).where("integration_id", "=", integration.id).executeTakeFirst();
+      if (!account) {
+        throw new Error(
+          `Account not found for tenant "${tenantId}" and integration "${integrationName}". Make sure to create the account first.`
+        );
+      }
+      cachedAccount = {
+        id: account.id,
+        config: parseConfig(account.config),
+        dek: account.dek ?? null
+      };
+      return cachedAccount;
+    },
+    updateAccount: async (data) => {
+      const account = await ctx.getAccount();
+      await database.db.updateTable("corsair_accounts").set({
+        ...data.config !== void 0 ? { config: data.config } : {},
+        ...data.dek !== void 0 ? { dek: data.dek } : {},
+        updated_at: /* @__PURE__ */ new Date()
+      }).where("id", "=", account.id).execute();
+      cachedAccount = null;
+    }
+  };
+  let cachedDek = null;
+  let cachedIntegrationDek = null;
+  const getDecryptedDek = async () => {
+    if (cachedDek) return cachedDek;
+    const account = await ctx.getAccount();
+    if (!account.dek) {
+      throw new Error(
+        `No DEK found for account (tenant: "${tenantId}", integration: "${integrationName}"). Initialize the account first.`
+      );
+    }
+    cachedDek = await decryptDEK(account.dek, kek);
+    return cachedDek;
+  };
+  const getDecryptedIntegrationDek = async () => {
+    if (cachedIntegrationDek) return cachedIntegrationDek;
+    const integration = await ctx.getIntegration();
+    if (!integration.dek) {
+      throw new Error(
+        `No DEK found for integration "${integrationName}". Initialize the integration first.`
+      );
+    }
+    cachedIntegrationDek = await decryptDEK(integration.dek, kek);
+    return cachedIntegrationDek;
+  };
+  const getDecryptedConfig = async () => {
+    const account = await ctx.getAccount();
+    const dek = await getDecryptedDek();
+    const config = account.config;
+    if (!config || Object.keys(config).length === 0) {
+      return {};
+    }
+    return decryptConfig(config, dek);
+  };
+  const getDecryptedIntegrationConfig = async () => {
+    const integration = await ctx.getIntegration();
+    const dek = await getDecryptedIntegrationDek();
+    const config = integration.config;
+    if (!config || Object.keys(config).length === 0) {
+      return {};
+    }
+    return decryptConfig(config, dek);
+  };
+  const updateConfig = async (updates) => {
+    const dek = await getDecryptedDek();
+    const currentConfig = await getDecryptedConfig();
+    const newConfig = { ...currentConfig };
+    for (const [key, value] of Object.entries(updates)) {
+      if (value === null) {
+        delete newConfig[key];
+      } else {
+        newConfig[key] = value;
+      }
+    }
+    const encryptedConfig = encryptConfig(newConfig, dek);
+    await ctx.updateAccount({ config: encryptedConfig });
+  };
+  const manager = {
+    get_dek: getDecryptedDek,
+    issue_new_dek: async () => {
+      const account = await ctx.getAccount();
+      const newDek = generateDEK();
+      let newConfig = {};
+      if (account.dek) {
+        const oldDek = await decryptDEK(account.dek, kek);
+        const config = account.config;
+        if (config && Object.keys(config).length > 0) {
+          newConfig = reEncryptConfig(config, oldDek, newDek);
+        }
+      }
+      const encryptedNewDek = await encryptDEK(newDek, kek);
+      await ctx.updateAccount({
+        config: newConfig,
+        dek: encryptedNewDek
+      });
+      cachedDek = newDek;
+      return newDek;
+    },
+    // Auto-generated field accessors
+    ...createFieldAccessors(getDecryptedConfig, updateConfig, allFields)
+  };
+  if (authType === "oauth_2") {
+    manager.get_integration_credentials = async () => {
+      const config = await getDecryptedIntegrationConfig();
+      return {
+        client_id: config.client_id || null,
+        client_secret: config.client_secret || null,
+        redirect_url: config.redirect_url ?? null
+      };
+    };
+  }
+  return manager;
+}
+async function initializeIntegrationDEK(database, integrationName, kek) {
+  const integration = await database.db.selectFrom("corsair_integrations").selectAll().where("name", "=", integrationName).executeTakeFirst();
+  if (!integration) {
+    throw new Error(`Integration "${integrationName}" not found.`);
+  }
+  const dek = generateDEK();
+  const encryptedDek = await encryptDEK(dek, kek);
+  await database.db.updateTable("corsair_integrations").set({
+    dek: encryptedDek,
+    updated_at: /* @__PURE__ */ new Date()
+  }).where("id", "=", integration.id).execute();
+  return dek;
+}
+async function initializeAccountDEK(database, integrationName, tenantId, kek) {
+  const integration = await database.db.selectFrom("corsair_integrations").selectAll().where("name", "=", integrationName).executeTakeFirst();
+  if (!integration) {
+    throw new Error(`Integration "${integrationName}" not found.`);
+  }
+  const account = await database.db.selectFrom("corsair_accounts").selectAll().where("tenant_id", "=", tenantId).where("integration_id", "=", integration.id).executeTakeFirst();
+  if (!account) {
+    throw new Error(
+      `Account not found for tenant "${tenantId}" and integration "${integrationName}".`
+    );
+  }
+  const dek = generateDEK();
+  const encryptedDek = await encryptDEK(dek, kek);
+  await database.db.updateTable("corsair_accounts").set({
+    dek: encryptedDek,
+    updated_at: /* @__PURE__ */ new Date()
+  }).where("id", "=", account.id).execute();
+  return dek;
+}
+
+// core/errors/handler.ts
+var defaultErrorHandler = async (error, context) => {
+  console.error(`[corsair:${context.pluginId}:${context.operation}]`, {
+    error: error.message,
+    input: context.input
+  });
+  return {
+    maxRetries: 0
+  };
+};
+async function handleCorsairError(error, pluginId, operation, input, errorHandlers) {
+  const context = {
+    pluginId,
+    operation,
+    input,
+    originalError: error
+  };
+  const matchingHandlerName = Object.keys(errorHandlers).find(
+    (errorName) => errorHandlers[errorName]?.match(error, context)
+  );
+  const pluginSpecificErrorHandler = errorHandlers[matchingHandlerName || "DEFAULT"]?.handler;
+  const handler = pluginSpecificErrorHandler || defaultErrorHandler;
+  return await handler(error, context);
+}
+
+// core/permissions/index.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import { v4 as uuidv4 } from "uuid";
+var PERMISSION_MATRIX = {
+  open: { read: "allow", write: "allow", destructive: "allow" },
+  cautious: { read: "allow", write: "allow", destructive: "require_approval" },
+  strict: { read: "allow", write: "require_approval", destructive: "deny" },
+  readonly: { read: "allow", write: "deny", destructive: "deny" }
+};
+function evaluatePermission(riskLevel, mode, override) {
+  if (override !== void 0) return override;
+  return PERMISSION_MATRIX[mode][riskLevel];
+}
+function parseDurationMs(duration) {
+  const regex = /(\d+)(d|h|m|s)/g;
+  let total = 0;
+  let match;
+  while ((match = regex.exec(duration)) !== null) {
+    const value = parseInt(match[1], 10);
+    switch (match[2]) {
+      case "d":
+        total += value * 864e5;
+        break;
+      case "h":
+        total += value * 36e5;
+        break;
+      case "m":
+        total += value * 6e4;
+        break;
+      case "s":
+        total += value * 1e3;
+        break;
+    }
+  }
+  return total > 0 ? total : 10 * 60 * 1e3;
+}
+function buildPermissionsNamespace(db) {
+  return {
+    async find_by_permission_id(id) {
+      if (!db) return void 0;
+      return db.db.selectFrom("corsair_permissions").selectAll().where("id", "=", id).executeTakeFirst();
+    },
+    async find_by_token(token) {
+      if (!db) return void 0;
+      return db.db.selectFrom("corsair_permissions").selectAll().where("token", "=", token).executeTakeFirst();
+    },
+    async set_executing(id) {
+      if (!db) return;
+      await db.db.updateTable("corsair_permissions").set({ status: "executing", updated_at: /* @__PURE__ */ new Date() }).where("id", "=", id).execute();
+    },
+    async set_completed(id) {
+      if (!db) return;
+      await db.db.updateTable("corsair_permissions").set({ status: "completed", updated_at: /* @__PURE__ */ new Date() }).where("id", "=", id).execute();
+    }
+  };
+}
+async function enforcePermission(opts) {
+  const policy = evaluatePermission(opts.riskLevel, opts.mode, opts.override);
+  if (policy === "allow") return { result: "allow" };
+  const irreversibleNote = opts.meta?.irreversible ? " (irreversible)" : "";
+  const description = opts.meta?.description ? `${opts.meta.description}${irreversibleNote}` : `${opts.pluginId}.${opts.endpointPath}${irreversibleNote}`;
+  if (policy === "deny" || !opts.db) {
+    console.log(
+      `[corsair/${opts.pluginId}] '${opts.endpointPath}' blocked \u2014 denied by permission mode '${opts.mode}'.`,
+      `
+  Action: ${description}`,
+      `
+  To allow this, update the permission mode or add an override in your corsair config.`
+    );
+    return { result: "blocked" };
+  }
+  const argsJson = JSON.stringify(opts.args);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const tenantId = opts.tenantId ?? "default";
+  const existing = await opts.db.db.selectFrom("corsair_permissions").selectAll().where("plugin", "=", opts.pluginId).where("endpoint", "=", opts.endpointPath).where("args", "=", argsJson).where("tenant_id", "=", tenantId).where("expires_at", ">", now).where("status", "in", ["pending", "approved", "executing"]).orderBy("created_at", "desc").limit(1).executeTakeFirst();
+  if (existing) {
+    if (existing.status === "approved") {
+      const db = opts.db;
+      const permissionId = existing.id;
+      return {
+        result: "allow",
+        onComplete: async () => {
+          await db.db.updateTable("corsair_permissions").set({ status: "completed", updated_at: /* @__PURE__ */ new Date() }).where("id", "=", permissionId).execute();
+        }
+      };
+    }
+    if (existing.status === "executing") {
+      return { result: "allow" };
+    }
+    console.log(
+      `[corsair/${opts.pluginId}] '${opts.endpointPath}' blocked \u2014 approval already pending.`,
+      `
+  Action: ${description}`,
+      `
+  Permission ID: ${existing.id}`,
+      `
+  Use the token to approve or deny this request.`
+    );
+    return { result: "blocked" };
+  }
+  const id = uuidv4();
+  const token = randomBytes2(32).toString("hex");
+  const timeoutMs = opts.timeoutMs ?? 10 * 60 * 1e3;
+  const expiresAt = new Date(Date.now() + timeoutMs).toISOString();
+  await opts.db.db.insertInto("corsair_permissions").values({
+    id,
+    created_at: /* @__PURE__ */ new Date(),
+    updated_at: /* @__PURE__ */ new Date(),
+    token,
+    plugin: opts.pluginId,
+    endpoint: opts.endpointPath,
+    args: argsJson,
+    tenant_id: tenantId,
+    status: "pending",
+    expires_at: expiresAt
+  }).execute();
+  console.log(
+    `[corsair/${opts.pluginId}] '${opts.endpointPath}' blocked \u2014 approval required.`,
+    `
+  Action: ${description}`,
+    `
+  Permission ID:    ${id}`,
+    `
+  Permission token: ${token}`,
+    `
+  Expires at:       ${expiresAt}`,
+    `
+  Use the token to approve or deny this request.`
+  );
+  return { result: "blocked" };
+}
+
+// core/endpoints/bind.ts
+function isEndpoint(value) {
+  return typeof value === "function";
+}
+function bindEndpointsRecursively({
+  endpoints,
+  hooks,
+  ctx,
+  tree,
+  pluginId,
+  errorHandlers,
+  currentPath = [],
+  keyBuilder,
+  permissionsConfig,
+  endpointMeta,
+  database,
+  approvalConfig,
+  tenantId
+}) {
+  for (const [key, value] of Object.entries(endpoints)) {
+    const nodeHooks = hooks?.[key];
+    if (isEndpoint(value)) {
+      const endpointHooks = nodeHooks;
+      const operationPath = [...currentPath, key].join(".");
+      const boundFn = async (args) => {
+        let onPermissionComplete;
+        if (permissionsConfig) {
+          const meta = endpointMeta?.[operationPath];
+          const { result: permResult, onComplete } = await enforcePermission({
+            pluginId,
+            endpointPath: operationPath,
+            args,
+            mode: permissionsConfig.mode,
+            override: permissionsConfig.overrides?.[operationPath],
+            // Default to 'write' when no meta declared — conservative fallback
+            riskLevel: meta?.riskLevel ?? "write",
+            meta,
+            db: database,
+            timeoutMs: approvalConfig ? parseDurationMs(approvalConfig.timeout) : void 0,
+            tenantId
+          });
+          if (permResult === "blocked") return null;
+          onPermissionComplete = onComplete;
+        }
+        const call = async (attemptNumber, callCtx, callArgs) => {
+          try {
+            return await value(callCtx, callArgs);
+          } catch (error) {
+            if (error instanceof Error) {
+              const retryStrategy = await handleCorsairError(
+                error,
+                pluginId,
+                operationPath,
+                typeof callArgs === "object" && callArgs !== null ? callArgs : { args: callArgs },
+                errorHandlers
+              );
+              if (attemptNumber < (retryStrategy.maxRetries || 0)) {
+                const newAttempt = attemptNumber + 1;
+                console.log(
+                  `Retrying (${newAttempt} / ${retryStrategy.maxRetries})...`
+                );
+                let delayMs;
+                if (retryStrategy.headersRetryAfterMs) {
+                  delayMs = retryStrategy.headersRetryAfterMs;
+                } else {
+                  switch (retryStrategy.retryStrategy) {
+                    case "exponential_backoff":
+                      delayMs = Math.pow(2, newAttempt - 1) * 1e3;
+                      break;
+                    case "exponential_backoff_jitter":
+                      const baseDelay = Math.pow(2, newAttempt - 1) * 1e3;
+                      const jitter = (Math.random() - 0.5) * 1e3;
+                      delayMs = Math.max(0, baseDelay + jitter);
+                      break;
+                    case "linear_1s":
+                      delayMs = 1e3;
+                      break;
+                    case "linear_2s":
+                      delayMs = 2e3;
+                      break;
+                    case "linear_3s":
+                      delayMs = 3e3;
+                      break;
+                    case "linear_4s":
+                      delayMs = 4e3;
+                      break;
+                    default:
+                      delayMs = 1e3;
+                      break;
+                  }
+                }
+                await new Promise((resolve) => setTimeout(resolve, delayMs));
+                await call(newAttempt, callCtx, callArgs);
+                console.log(
+                  `[corsair:${pluginId}:${operationPath}] Retry strategy:`,
+                  retryStrategy
+                );
+              }
+            }
+            throw error;
+          }
+        };
+        const key2 = keyBuilder ? await keyBuilder(ctx, "endpoint") : void 0;
+        if (!endpointHooks?.before && !endpointHooks?.after) {
+          const res2 = await call(0, { ...ctx, key: key2 }, args);
+          await onPermissionComplete?.();
+          return res2;
+        }
+        const ctxWithKey = { ...ctx, key: key2 };
+        const beforeResult = endpointHooks.before ? await endpointHooks.before(ctxWithKey, args) : {
+          ctx: ctxWithKey,
+          args,
+          continue: true,
+          passToAfter: void 0
+        };
+        if (beforeResult.continue === false) return;
+        const res = await call(0, beforeResult.ctx, beforeResult.args);
+        await endpointHooks.after?.(
+          beforeResult.ctx,
+          res,
+          beforeResult.passToAfter
+        );
+        await onPermissionComplete?.();
+        return res;
+      };
+      tree[key] = boundFn;
+    } else if (value && typeof value === "object") {
+      const nestedTree = {};
+      bindEndpointsRecursively({
+        endpoints: value,
+        hooks: nodeHooks,
+        ctx,
+        tree: nestedTree,
+        pluginId,
+        errorHandlers,
+        currentPath: [...currentPath, key],
+        keyBuilder,
+        permissionsConfig,
+        endpointMeta,
+        database,
+        approvalConfig,
+        tenantId
+      });
+      tree[key] = nestedTree;
+    }
+  }
+}
+
+// core/constants.ts
+var BaseProviders = [
+  "discord",
+  "github",
+  "gmail",
+  "googlecalendar",
+  "googledrive",
+  "googlesheets",
+  "hubspot",
+  "linear",
+  "posthog",
+  "resend",
+  "slack",
+  "spotify",
+  "tavily"
+];
+
+// core/inspect/index.ts
+function zodToJsonSchema(schema) {
+  const def = schema._def;
+  const typeName = def.typeName;
+  switch (typeName) {
+    case "ZodString":
+      return { type: "string" };
+    case "ZodNumber":
+      return { type: "number" };
+    case "ZodBoolean":
+      return { type: "boolean" };
+    case "ZodNull":
+      return { type: "null" };
+    case "ZodUnknown":
+    case "ZodAny":
+      return {};
+    case "ZodLiteral":
+      return { const: def.value };
+    case "ZodEnum":
+      return { enum: def.values };
+    case "ZodOptional":
+      return zodToJsonSchema(def.innerType);
+    case "ZodNullable": {
+      const inner = zodToJsonSchema(def.innerType);
+      return { anyOf: [inner, { type: "null" }] };
+    }
+    case "ZodArray":
+      return { type: "array", items: zodToJsonSchema(def.type) };
+    case "ZodRecord":
+      return {
+        type: "object",
+        additionalProperties: zodToJsonSchema(def.valueType)
+      };
+    case "ZodObject": {
+      const shape = def.shape();
+      const properties = {};
+      const required = [];
+      for (const [key, val] of Object.entries(shape)) {
+        properties[key] = zodToJsonSchema(val);
+        const fieldTypeName = val._def.typeName;
+        if (fieldTypeName !== "ZodOptional" && fieldTypeName !== "ZodNullable") {
+          required.push(key);
+        }
+      }
+      const result = { type: "object", properties };
+      if (required.length > 0) result.required = required;
+      return result;
+    }
+    case "ZodUnion":
+      return { anyOf: def.options.map(zodToJsonSchema) };
+    case "ZodIntersection":
+      return {
+        allOf: [
+          zodToJsonSchema(def.left),
+          zodToJsonSchema(def.right)
+        ]
+      };
+    case "ZodEffects":
+      return zodToJsonSchema(def.schema);
+    default:
+      return { type: (typeName ?? "unknown").replace("Zod", "").toLowerCase() };
+  }
+}
+var STRING_OPERATORS = ["equals", "contains", "startsWith", "endsWith", "in"];
+var NUMBER_OPERATORS = ["equals", "gt", "gte", "lt", "lte", "in"];
+var BOOLEAN_OPERATORS = ["equals"];
+var DATE_OPERATORS = ["equals", "before", "after", "between"];
+function getSchemaLeafType(schema) {
+  const def = schema._def;
+  const typeName = def.typeName;
+  switch (typeName) {
+    case "ZodOptional":
+    case "ZodNullable":
+    case "ZodDefault":
+      return getSchemaLeafType(def.innerType);
+    case "ZodEffects":
+      return getSchemaLeafType(def.schema);
+    case "ZodString":
+      return "string";
+    case "ZodNumber":
+      return "number";
+    case "ZodBoolean":
+      return "boolean";
+    case "ZodDate":
+      return "date";
+    default:
+      return null;
+  }
+}
+function buildFilterableFields(schema) {
+  const def = schema._def;
+  const typeName = def.typeName;
+  if (typeName === "ZodOptional" || typeName === "ZodNullable" || typeName === "ZodDefault") {
+    return buildFilterableFields(def.innerType);
+  }
+  if (typeName === "ZodEffects") {
+    return buildFilterableFields(def.schema);
+  }
+  if (typeName !== "ZodObject") return {};
+  const shape = def.shape();
+  const result = {};
+  for (const [key, fieldSchema] of Object.entries(shape)) {
+    const leafType = getSchemaLeafType(fieldSchema);
+    if (leafType === "string") {
+      result[key] = { type: "string", operators: STRING_OPERATORS };
+    } else if (leafType === "number") {
+      result[key] = { type: "number", operators: NUMBER_OPERATORS };
+    } else if (leafType === "boolean") {
+      result[key] = { type: "boolean", operators: BOOLEAN_OPERATORS };
+    } else if (leafType === "date") {
+      result[key] = { type: "date", operators: DATE_OPERATORS };
+    }
+  }
+  return result;
+}
+function findEntityCaseInsensitive(entities, lowercasedName) {
+  for (const [key, schema] of Object.entries(entities)) {
+    if (key.toLowerCase() === lowercasedName) return [key, schema];
+  }
+  return void 0;
+}
+function walkEndpointTree(tree, pathParts, result) {
+  for (const [key, value] of Object.entries(tree)) {
+    const current = [...pathParts, key];
+    if (typeof value === "function") {
+      result.push(current.join("."));
+    } else if (value !== null && typeof value === "object") {
+      walkEndpointTree(value, current, result);
+    }
+  }
+}
+function isWebhookLeaf(value) {
+  return value !== null && typeof value === "object" && "match" in value && "handler" in value && typeof value.match === "function" && typeof value.handler === "function";
+}
+function walkWebhookTree(tree, pathParts, result) {
+  for (const [key, value] of Object.entries(tree)) {
+    const current = [...pathParts, key];
+    if (isWebhookLeaf(value)) {
+      result.push(current.join("."));
+    } else if (value !== null && typeof value === "object") {
+      walkWebhookTree(value, current, result);
+    }
+  }
+}
+function resolveWebhookPathOriginalCase(tree, normalizedParts) {
+  if (normalizedParts.length === 0) return null;
+  const [head, ...tail] = normalizedParts;
+  const entry = Object.entries(tree).find(([k]) => k.toLowerCase() === head);
+  if (!entry) return null;
+  const [originalKey, value] = entry;
+  if (tail.length === 0) {
+    return isWebhookLeaf(value) ? [originalKey] : null;
+  }
+  if (value !== null && typeof value === "object" && !isWebhookLeaf(value)) {
+    const rest = resolveWebhookPathOriginalCase(
+      value,
+      tail
+    );
+    if (rest !== null) return [originalKey, ...rest];
+  }
+  return null;
+}
+function buildWebhookUsageExample(pluginId, pathParts, responseSchema) {
+  const lines = [];
+  lines.push(`${pluginId}({`);
+  lines.push(`    webhookHooks: {`);
+  for (let i = 0; i < pathParts.length; i++) {
+    const indent = "    ".repeat(i + 2);
+    lines.push(`${indent}${pathParts[i]}: {`);
+  }
+  const hookIndent = "    ".repeat(pathParts.length + 2);
+  const bodyIndent = hookIndent + "    ";
+  lines.push(`${hookIndent}before(ctx, args) {`);
+  lines.push(`${bodyIndent}return { ctx, args };`);
+  lines.push(`${hookIndent}},`);
+  lines.push(`${hookIndent}after(ctx, response) {`);
+  if (responseSchema !== null) {
+    const json = JSON.stringify(responseSchema, null, 2);
+    const commentLines = json.split("\n").map(
+      (l, i) => i === 0 ? `${bodyIndent}// response.data: ${l}` : `${bodyIndent}// ${l}`
+    );
+    lines.push(...commentLines);
+  } else {
+    lines.push(
+      `${bodyIndent}// response.data: unknown (register webhookSchemas to see the type)`
+    );
+  }
+  lines.push(`${hookIndent}},`);
+  for (let i = pathParts.length - 1; i >= 0; i--) {
+    const indent = "    ".repeat(i + 2);
+    lines.push(`${indent}},`);
+  }
+  lines.push(`    },`);
+  lines.push(`})`);
+  return lines.join("\n");
+}
+var KNOWN_PLUGIN_IDS = new Set(BaseProviders);
+function listOperations(plugins, options) {
+  const type = options?.type ?? "api";
+  const pluginId = options?.plugin;
+  if (pluginId !== void 0) {
+    const found = plugins.find((p) => p.id === pluginId);
+    if (!found) {
+      if (KNOWN_PLUGIN_IDS.has(pluginId)) {
+        return `This plugin (${pluginId}) is not configured. Please add it to the Corsair instance to see its associated methods.`;
+      }
+      return listOperations(plugins);
+    }
+    if (type === "webhooks") {
+      if (!found.webhooks) return [];
+      const paths2 = [];
+      walkWebhookTree(found.webhooks, [], paths2);
+      return paths2.map((path) => `${found.id}.webhooks.${path}`);
+    }
+    if (type === "db") {
+      const entities = found.schema?.entities;
+      if (!entities) return [];
+      return Object.keys(entities).map(
+        (entityName) => `${found.id}.db.${entityName}.search`
+      );
+    }
+    if (!found.endpoints) return [];
+    const paths = [];
+    walkEndpointTree(found.endpoints, [], paths);
+    return paths.map((path) => `${found.id}.api.${path.toLowerCase()}`);
+  }
+  const result = {};
+  if (type === "webhooks") {
+    for (const p of plugins) {
+      if (!p.webhooks) continue;
+      const paths = [];
+      walkWebhookTree(p.webhooks, [], paths);
+      result[p.id] = paths.map((path) => `${p.id}.webhooks.${path}`);
+    }
+  } else if (type === "db") {
+    for (const p of plugins) {
+      const entities = p.schema?.entities;
+      if (!entities) continue;
+      result[p.id] = Object.keys(entities).map(
+        (entityName) => `${p.id}.db.${entityName}.search`
+      );
+    }
+  } else {
+    for (const p of plugins) {
+      if (!p.endpoints) continue;
+      const paths = [];
+      walkEndpointTree(p.endpoints, [], paths);
+      result[p.id] = paths.map((path) => `${p.id}.api.${path.toLowerCase()}`);
+    }
+  }
+  return result;
+}
+function findEndpointCaseInsensitive(record, lowercasedPath) {
+  if (!record) return void 0;
+  for (const [key, value] of Object.entries(record)) {
+    if (key.toLowerCase() === lowercasedPath) return value;
+  }
+  return void 0;
+}
+function getSchema(plugins, path) {
+  const normalised = path.toLowerCase();
+  const dotIndex = normalised.indexOf(".");
+  if (dotIndex !== -1) {
+    const pluginId = normalised.slice(0, dotIndex);
+    const remainder = normalised.slice(dotIndex + 1);
+    const plugin = plugins.find((p) => p.id === pluginId);
+    if (plugin) {
+      if (remainder.startsWith("db.")) {
+        const dbPath = remainder.slice(3);
+        const lastDot = dbPath.lastIndexOf(".");
+        if (lastDot !== -1) {
+          const entityNameLower = dbPath.slice(0, lastDot);
+          const method = dbPath.slice(lastDot + 1);
+          const entities = plugin.schema?.entities;
+          if (method === "search" && entities) {
+            const entry = findEntityCaseInsensitive(entities, entityNameLower);
+            if (entry) {
+              const [entityName, entitySchema] = entry;
+              return {
+                description: `Search ${pluginId} ${entityName} stored in the local database. Returns an array of matching records. Pass limit and offset (numbers) for pagination.`,
+                filters: {
+                  entity_id: {
+                    type: "string",
+                    operators: STRING_OPERATORS
+                  },
+                  data: buildFilterableFields(entitySchema)
+                }
+              };
+            }
+          }
+        }
+        return {
+          availableMethods: listOperations(plugins, {
+            type: "db"
+          })
+        };
+      }
+      if (remainder.startsWith("webhooks.")) {
+        const webhookPathNormalised = remainder.slice(9);
+        if (plugin.webhooks) {
+          const originalPathParts = resolveWebhookPathOriginalCase(
+            plugin.webhooks,
+            webhookPathNormalised.split(".")
+          );
+          if (originalPathParts !== null) {
+            const originalPath = originalPathParts.join(".");
+            const schemas2 = findEndpointCaseInsensitive(
+              plugin.webhookSchemas,
+              originalPath.toLowerCase()
+            );
+            const responseSchema = schemas2?.response ? zodToJsonSchema(schemas2.response) : null;
+            return {
+              description: schemas2?.description,
+              payload: schemas2?.payload ? zodToJsonSchema(schemas2.payload) : void 0,
+              response: responseSchema ?? void 0,
+              usage: buildWebhookUsageExample(
+                pluginId,
+                originalPathParts,
+                responseSchema
+              )
+            };
+          }
+        }
+        return {
+          availableWebhooks: listOperations(plugins, {
+            type: "webhooks"
+          })
+        };
+      }
+      let endpointPath = remainder;
+      if (endpointPath.startsWith("api.")) {
+        endpointPath = endpointPath.slice(4);
+      }
+      const meta = findEndpointCaseInsensitive(
+        plugin.endpointMeta,
+        endpointPath
+      );
+      const schemas = findEndpointCaseInsensitive(
+        plugin.endpointSchemas,
+        endpointPath
+      );
+      if (meta || schemas) {
+        return {
+          description: meta?.description,
+          riskLevel: meta?.riskLevel,
+          irreversible: meta?.irreversible,
+          input: schemas?.input ? zodToJsonSchema(schemas.input) : void 0,
+          output: schemas?.output ? zodToJsonSchema(schemas.output) : void 0
+        };
+      }
+    }
+  }
+  return {
+    availableMethods: listOperations(plugins)
+  };
+}
+function buildInspectMethods(plugins) {
+  return {
+    list_operations(options) {
+      return listOperations(plugins, options);
+    },
+    get_schema(path) {
+      return getSchema(plugins, path);
+    }
+  };
+}
+
+// core/webhooks/bind.ts
+function isWebhook(value) {
+  return value !== null && typeof value === "object" && "match" in value && "handler" in value && typeof value.match === "function" && typeof value.handler === "function";
+}
+function bindWebhooksRecursively({
+  webhooks,
+  hooks,
+  ctx,
+  webhooksTree,
+  keyBuilder
+}) {
+  for (const [key, value] of Object.entries(webhooks)) {
+    const nodeHooks = hooks?.[key];
+    if (isWebhook(value)) {
+      const webhookHooks = nodeHooks;
+      const boundHandler = async (request) => {
+        const call = (callCtx, callRequest) => value.handler(callCtx, callRequest);
+        const key2 = keyBuilder ? await keyBuilder(ctx, "webhook") : void 0;
+        if (!webhookHooks?.before && !webhookHooks?.after) {
+          return call({ ...ctx, key: key2 }, request);
+        }
+        return (async () => {
+          const ctxWithKey = { ...ctx, key: key2 };
+          const beforeResult = webhookHooks.before ? await webhookHooks.before(ctxWithKey, request) : {
+            ctx: ctxWithKey,
+            args: request,
+            continue: true,
+            passToAfter: void 0
+          };
+          if (beforeResult.continue === false) return;
+          const res = await call(beforeResult.ctx, beforeResult.args);
+          if (res?.success === true) {
+            await webhookHooks.after?.(
+              beforeResult.ctx,
+              res,
+              beforeResult.passToAfter
+            );
+          }
+          return res;
+        })();
+      };
+      webhooksTree[key] = {
+        match: value.match,
+        handler: boundHandler
+      };
+    } else if (value && typeof value === "object") {
+      const nestedWebhooksTree = {};
+      bindWebhooksRecursively({
+        webhooks: value,
+        hooks: nodeHooks,
+        ctx,
+        webhooksTree: nestedWebhooksTree,
+        keyBuilder
+      });
+      webhooksTree[key] = nestedWebhooksTree;
+    }
+  }
+}
+
+// core/client/index.ts
+function createAccountIdResolver(database, integrationName, tenantId) {
+  let cachedAccountId = null;
+  return async () => {
+    if (cachedAccountId) return cachedAccountId;
+    if (!database) {
+      throw new Error("Database not configured");
+    }
+    const integration = await database.db.selectFrom("corsair_integrations").selectAll().where("name", "=", integrationName).executeTakeFirst();
+    if (!integration) {
+      throw new Error(
+        `Integration "${integrationName}" not found. Make sure to create the integration first.`
+      );
+    }
+    const account = await database.db.selectFrom("corsair_accounts").selectAll().where("tenant_id", "=", tenantId).where("integration_id", "=", integration.id).executeTakeFirst();
+    if (!account) {
+      throw new Error(
+        `Account not found for tenant "${tenantId}" and integration "${integrationName}". Make sure to create the account first.`
+      );
+    }
+    cachedAccountId = account.id;
+    return cachedAccountId;
+  };
+}
+function createEntityClient(database, getAccountId, entityTypeName, version, dataSchema) {
+  if (database) {
+    return createKyselyEntityClient(
+      database.db,
+      getAccountId,
+      entityTypeName,
+      version,
+      dataSchema
+    );
+  }
+  return {
+    findByEntityId: async () => null,
+    findById: async () => null,
+    findManyByEntityIds: async () => [],
+    list: async () => [],
+    search: async () => [],
+    upsertByEntityId: async () => {
+      throw new Error("Database not configured");
+    },
+    deleteById: async () => false,
+    deleteByEntityId: async () => false,
+    count: async () => 0
+  };
+}
+function buildCorsairClient(plugins, options) {
+  const { database, tenantId, kek, rootErrorHandlers, approvalConfig } = options;
+  const apiUnsafe = {};
+  const pluginEntitiesUnsafe = {};
+  for (const plugin of plugins) {
+    apiUnsafe[plugin.id] = {};
+    pluginEntitiesUnsafe[plugin.id] = {};
+  }
+  for (const plugin of plugins) {
+    const schema = plugin.schema;
+    const effectiveTenantId = tenantId ?? "default";
+    const getAccountId = createAccountIdResolver(
+      database,
+      plugin.id,
+      effectiveTenantId
+    );
+    if (schema?.entities) {
+      const dbClients = {};
+      for (const [entityTypeName, dataSchema] of Object.entries(
+        schema.entities
+      )) {
+        const entityClient = database ? createKyselyEntityClient(
+          database.db,
+          getAccountId,
+          entityTypeName,
+          schema.version,
+          dataSchema
+        ) : createEntityClient(
+          void 0,
+          getAccountId,
+          entityTypeName,
+          schema.version,
+          dataSchema
+        );
+        dbClients[entityTypeName] = entityClient;
+      }
+      pluginEntitiesUnsafe[plugin.id].db = dbClients;
+      apiUnsafe[plugin.id].db = dbClients;
+    }
+    const pluginOptions = plugin.options;
+    const authConfig = plugin.authConfig;
+    let accountKeyManager;
+    if (database && kek && pluginOptions?.authType) {
+      const extraAccountFields = authConfig?.[pluginOptions.authType]?.account ?? [];
+      accountKeyManager = createAccountKeyManager({
+        authType: pluginOptions.authType,
+        integrationName: plugin.id,
+        tenantId: effectiveTenantId,
+        kek,
+        database,
+        extraAccountFields
+      });
+      apiUnsafe[plugin.id].keys = accountKeyManager;
+    }
+    const ctxForPlugin = {
+      database,
+      db: pluginEntitiesUnsafe[plugin.id]?.db ?? {},
+      $getAccountId: getAccountId,
+      ...plugin.options ? { options: plugin.options } : {},
+      // Include keys manager and authType in context so keyBuilder can access and narrow types
+      ...accountKeyManager ? { keys: accountKeyManager, authType: pluginOptions?.authType } : {},
+      // Include tenantId in context so it's available in webhook hooks
+      ...tenantId ? { tenantId } : {}
+    };
+    const endpoints = plugin.endpoints ?? {};
+    const hooks = plugin.hooks;
+    const allErrorHandlers = {
+      ...rootErrorHandlers,
+      ...plugin.errorHandlers
+    };
+    const boundTree = {};
+    const pluginPermsConfig = plugin.options?.permissions;
+    bindEndpointsRecursively({
+      endpoints,
+      hooks,
+      ctx: ctxForPlugin,
+      tree: boundTree,
+      pluginId: plugin.id,
+      errorHandlers: allErrorHandlers,
+      currentPath: [],
+      keyBuilder: plugin.keyBuilder,
+      permissionsConfig: pluginPermsConfig,
+      // endpointMeta is typed with plugin-specific literal keys — cast to runtime Record
+      endpointMeta: plugin.endpointMeta,
+      database,
+      approvalConfig,
+      tenantId
+    });
+    if (Object.keys(boundTree).length > 0) {
+      apiUnsafe[plugin.id].api = boundTree;
+    }
+    ctxForPlugin.endpoints = boundTree;
+    const webhooks = plugin.webhooks ?? {};
+    const webhookHooks = plugin.webhookHooks;
+    if (Object.keys(webhooks).length > 0) {
+      const boundWebhooks = {};
+      bindWebhooksRecursively({
+        webhooks,
+        hooks: webhookHooks,
+        ctx: ctxForPlugin,
+        webhooksTree: boundWebhooks,
+        keyBuilder: plugin.keyBuilder
+      });
+      apiUnsafe[plugin.id].webhooks = boundWebhooks;
+      if (plugin.pluginWebhookMatcher) {
+        apiUnsafe[plugin.id].pluginWebhookMatcher = plugin.pluginWebhookMatcher;
+      }
+    }
+  }
+  const api = apiUnsafe;
+  const inspect = buildInspectMethods(plugins);
+  return {
+    ...api,
+    ...inspect
+  };
+}
+function buildIntegrationKeys(plugins, database, kek) {
+  const keysUnsafe = {};
+  for (const plugin of plugins) {
+    const pluginOptions = plugin.options;
+    const authConfig = plugin.authConfig;
+    if (pluginOptions?.authType) {
+      const extraIntegrationFields = authConfig?.[pluginOptions.authType]?.integration ?? [];
+      const integrationKeyManager = createIntegrationKeyManager({
+        authType: pluginOptions.authType,
+        integrationName: plugin.id,
+        kek,
+        database,
+        extraIntegrationFields
+      });
+      keysUnsafe[plugin.id] = integrationKeyManager;
+    }
+  }
+  return keysUnsafe;
+}
+
+// core/index.ts
+var CORSAIR_INTERNAL = Symbol.for("corsair:internal");
+function createCorsair(config) {
+  const resolvedDatabase = config.database ? createCorsairDatabase(config.database) : void 0;
+  const integrationKeys = resolvedDatabase && config.kek ? buildIntegrationKeys(config.plugins, resolvedDatabase, config.kek) : createMissingConfigProxy(
+    !!resolvedDatabase,
+    !!config.kek
+  );
+  const internalConfig = {
+    plugins: config.plugins,
+    database: resolvedDatabase,
+    kek: config.kek,
+    multiTenancy: !!config.multiTenancy,
+    approval: config.approval
+  };
+  const permissions = buildPermissionsNamespace(resolvedDatabase);
+  if (config.multiTenancy) {
+    return Object.assign(
+      {
+        withTenant: (tenantId) => {
+          if (!tenantId) {
+            throw new Error(
+              "corsair.withTenant(tenantId): tenantId must be a non-empty string"
+            );
+          }
+          return buildCorsairClient(config.plugins, {
+            database: resolvedDatabase,
+            tenantId,
+            kek: config.kek,
+            rootErrorHandlers: config.errorHandlers,
+            approvalConfig: config.approval
+          });
+        },
+        keys: integrationKeys,
+        permissions,
+        ...buildInspectMethods(config.plugins)
+      },
+      { [CORSAIR_INTERNAL]: internalConfig }
+    );
+  }
+  const client = buildCorsairClient(config.plugins, {
+    database: resolvedDatabase,
+    tenantId: void 0,
+    kek: config.kek,
+    rootErrorHandlers: config.errorHandlers,
+    approvalConfig: config.approval
+  });
+  return Object.assign({}, client, {
+    keys: integrationKeys,
+    permissions,
+    [CORSAIR_INTERNAL]: internalConfig
+  });
+}
+export {
+  BASE_AUTH_FIELDS,
+  CORSAIR_INTERNAL,
+  createAccountKeyManager,
+  createCorsair,
+  createIntegrationKeyManager,
+  decryptConfig,
+  decryptDEK,
+  decryptWithDEK,
+  encryptConfig,
+  encryptDEK,
+  encryptWithDEK,
+  generateDEK,
+  initializeAccountDEK,
+  initializeIntegrationDEK,
+  reEncryptConfig
+};