corsair 0.1.72 → 0.1.73

package/dist/chunk-EK7JQYHJ.js

@@ -0,0 +1,5 @@
+import{C as R,D as v,j as m,k as A,l as _}from"./chunk-W6KENKHM.js";import{a as j}from"./chunk-AAWROBCK.js";import{Kysely as F}from"kysely";import{ZodBoolean as x,ZodDate as E,ZodEnum as D,ZodNullable as K,ZodNumber as N,ZodObject as B,ZodOptional as Z,ZodRecord as L,ZodString as U,ZodType as W}from"zod";var I={slack:{channels:{list:{}},users:{list:{}}},linear:{projects:{list:{}},issues:{list:{}},users:{list:{}}},github:{issues:{list:{}},repositories:{list:{}}},discord:{guilds:{list:{}},channels:{list:{}}},hubspot:{contacts:{getMany:{}},companies:{getMany:{}},deals:{getMany:{}}},gmail:{messages:{list:{}},labels:{list:{}},drafts:{list:{}},threads:{list:{}}},googlecalendar:{events:{getMany:{}}},googledrive:{files:{list:{}},folders:{list:{}},sharedDrives:{list:{}}},notion:{databases:{getManyDatabases:{}},databasePages:{getManyDatabasePages:{}},users:{getManyUsers:{}}},airtable:{bases:{getMany:{}}},todoist:{projects:{getMany:{}},tasks:{getMany:{}}},cal:{bookings:{list:{}}}};async function pn(n,e){let s=[],i=d=>{s.push(d),console.log(d)},a=d=>{s.push(d),console.warn(d)},t=e?.caller??"script",f=q(n);if(!f)throw new Error("setupCorsair: invalid corsair instance");if(!f.database)throw new Error("setupCorsair: a database must be configured on the corsair instance");let o=Q(n,f.plugins,e),r={...f,database:f.database},c=r.database.db;await X(c,a);let l=await nn(c,r,o.tenantId,o.provisionAccounts,i);e?.credentials&&Object.keys(e.credentials).length>0&&await sn(n,o,e.credentials,r,i,a);let y=await rn(l,o,i,t);if(e?.backfill){i("[corsair:setup] Starting backfill...");let d=v({plugins:f.plugins,database:c,kek:f.kek,multiTenancy:!0}).withTenant(o.tenantId);await on(d,f.plugins,y,i,a),i("[corsair:setup] Backfill complete.")}return s.join(`
+`)}function w(n){return typeof n=="object"&&n!==null}function Y(n){return!w(n)||!Array.isArray(n.plugins)||typeof n.kek!="string"||typeof n.multiTenancy!="boolean"?!1:n.database===void 0?!0:w(n.database)?n.database.db instanceof F:!1}function q(n){let e=Object.getOwnPropertyDescriptor(n,R);if(e)return Y(e.value)?e.value:void 0}function H(n){return n==="oauth_2"||n==="api_key"||n==="bot_token"}function P(n){let e=n.options?.authType;return H(e)?e:void 0}function J(n){return"withTenant"in n&&typeof n.withTenant=="function"}function $(n,e,s){let i=s==="integration"?n.authConfig?.[e]?.integration??[]:n.authConfig?.[e]?.account??[];return new Set([...m[e][s],...i])}function z(n,e){if(!n)return!1;for(let[s,i]of Object.entries(n)){let a=e.find(o=>o.id===s);if(!a)continue;let t=P(a);if(!t)continue;let f=$(a,t,"account");for(let o of Object.keys(i))if(f.has(o))return!0}return!1}function Q(n,e,s){let i=J(n),a=s?.tenantId?.trim(),t=a!==void 0&&a.length>0;if(i&&s?.backfill&&!t)throw new Error("setupCorsair: tenantId is required for backfill on a multi-tenant instance");if(i&&z(s?.credentials,e)&&!t)throw new Error("setupCorsair: tenantId is required when setting account-level credentials on a multi-tenant instance");if(t&&!a)throw new Error("setupCorsair: tenantId must be a non-empty string");return{multiTenant:i,tenantIdProvided:t,tenantId:t?a:"default",provisionAccounts:!i||t}}function C(n,e){if(!w(n))return;let s=n[e];return typeof s=="function"?(...i)=>Reflect.apply(s,n,i):void 0}function O(n,e){return w(n)?e===0?!0:Object.values(n).every(s=>O(s,e-1)):!1}function V(n){return O(n,4)}var G={...j};function S(n){if(n instanceof B){let e={};for(let[s,i]of Object.entries(n.shape))e[s]=i instanceof W?S(i):"unknown";return e}return n instanceof K?`${S(n.unwrap())} | null`:n instanceof Z?`${S(n.unwrap())} | undefined`:n instanceof D?n.options.join(" | "):n instanceof U?"string":n instanceof N?"number":n instanceof x?"boolean":n instanceof E?"date":n instanceof L?"jsonb":"unknown"}async function X(n,e){let s=await n.introspection.getTables(),i=new Set(s.map(a=>a.name));for(let[a,t]of Object.entries(G))i.has(a)||e(`[corsair:setup] Table "${a}" does not exist. Run your database migrations before calling setupCorsair.
+Schema: ${JSON.stringify(S(t),null,2)}`)}async function nn(n,e,s,i,a){let t=new Date,f=new Map;for(let o of e.plugins){let r=o.id,c=P(o),l=await n.selectFrom("corsair_integrations").selectAll().where("name","=",r).executeTakeFirst();if(!l){let u=crypto.randomUUID();await n.insertInto("corsair_integrations").values({id:u,name:r,config:{},created_at:t,updated_at:t}).execute(),l=await n.selectFrom("corsair_integrations").selectAll().where("id","=",u).executeTakeFirst(),a(`[corsair:setup] Created integration: ${r}`)}let y=c?o.authConfig?.[c]?.integration??[]:[],d=c?o.authConfig?.[c]?.account??[]:[],g=c&&l?A({authType:c,integrationName:r,kek:e.kek,database:e.database,extraIntegrationFields:y}):void 0;if(l&&!l.dek&&g&&(await g.issue_new_dek(),a(`[corsair:setup] Issued integration DEK: ${r}`)),!l||!c||!g)continue;let p;if(i){let u=await n.selectFrom("corsair_accounts").selectAll().where("tenant_id","=",s).where("integration_id","=",l.id).executeTakeFirst();if(!u){let h=crypto.randomUUID();await n.insertInto("corsair_accounts").values({id:h,tenant_id:s,integration_id:l.id,config:{},created_at:t,updated_at:t}).execute(),u=await n.selectFrom("corsair_accounts").selectAll().where("id","=",h).executeTakeFirst(),a(`[corsair:setup] Created account: ${r}`)}p=u&&_({authType:c,integrationName:r,tenantId:s,kek:e.kek,database:e.database,extraAccountFields:d}),u&&p&&!u.dek&&(await p.issue_new_dek(),a(`[corsair:setup] Issued account DEK: ${r}`))}f.set(r,{pluginId:r,authType:c,integration:g,account:p,integrationFields:[...m[c].integration,...y],accountFields:i?[...m[c].account,...d]:[]})}return f}function en(n){if(!w(n))return;let e=n.keys;return w(e)?e:void 0}function tn(n,e){return"withTenant"in n&&typeof n.withTenant=="function"?n.withTenant(e):n}async function sn(n,e,s,i,a,t){let f=en(n),o=e.provisionAccounts?tn(n,e.tenantId):void 0;for(let[r,c]of Object.entries(s)){let l=i.plugins.find(b=>b.id===r);if(!l){t(`[corsair:setup] Unknown plugin '${r}' \u2014 skipping credentials.`);continue}let y=P(l);if(!y){t(`[corsair:setup] Plugin '${r}' has no auth type \u2014 skipping credentials.`);continue}let d=$(l,y,"integration"),g=$(l,y,"account"),p=f?.[r],u=o?.[r],h=w(u)?u.keys:void 0;for(let[b,T]of Object.entries(c))if(T){if(d.has(b)){if(e.multiTenant&&e.tenantIdProvided)throw new Error(`[corsair:setup] '${r}.${b}' is an integration-level credential shared across all tenants. You passed tenantId="${e.tenantId}", which only scopes account-level credentials. Run setup without --tenant if you intend to change this credential globally.`);let k=C(p,`set_${b}`);if(!k){t(`[corsair:setup] Cannot set integration field '${b}' for '${r}'.`);continue}await k(T),a(`[corsair:setup] Set ${r} integration.${b}`);continue}if(g.has(b)){if(e.multiTenant&&!e.tenantIdProvided)throw new Error(`setupCorsair: tenantId is required to set account-level credential '${r}.${b}' on a multi-tenant instance`);let k=C(h,`set_${b}`);if(!k){t(`[corsair:setup] Cannot set account field '${b}' for '${r}'.`);continue}await k(T),a(`[corsair:setup] Set ${r} account.${b} (tenant=${e.tenantId})`);continue}t(`[corsair:setup] Unknown credential field '${b}' for plugin '${r}'.`)}}}var M=new Set(["webhook_signature","expires_at","scope","redirect_url"]);async function an(n,e,s,i,a,t,f,o,r){let c=[],l=[];for(let d of a){if(M.has(d))continue;let g=C(s,`get_${d}`);if(!g)continue;let p=null;try{let u=await g();p=typeof u=="string"?u:null}catch{}p||c.push(d)}if(i&&t.length>0)for(let d of t){if(M.has(d))continue;let g=C(i,`get_${d}`);if(!g)continue;let p=null;try{let u=await g();p=typeof u=="string"?u:null}catch{}p||l.push(d)}let y=c.length===0&&l.length===0;if(y)o(`[corsair:setup] '${n}' (${e}) is configured \u2713`);else{let d=[...c,...l];if(r==="cli"){let g=d.map(p=>`${p}=VALUE`).join(" ");o(`[corsair:setup] '${n}' (${e}) needs credentials. Run:
+  corsair setup --${n} ${g}`)}else{let g=[`[corsair:setup] '${n}' (${e}) needs credentials. Call:`];for(let p of c)g.push(`  await corsair.keys.${n}.set_${p}(value)`);for(let p of l){let u=f.provisionAccounts?f.tenantId==="default"?`corsair.${n}`:`corsair.withTenant(${JSON.stringify(f.tenantId)}).${n}`:`corsair.withTenant(<tenant>).${n}`;g.push(`  await ${u}.keys.set_${p}(value)`)}o(g.join(`
+`))}}return y}async function rn(n,e,s,i){let a=new Set;for(let t of n.values())await an(t.pluginId,t.authType,t.integration,t.account,t.integrationFields,t.accountFields,e,s,i)&&a.add(t.pluginId);return a}async function on(n,e,s,i,a){if(!V(I)){a("[corsair:setup] Backfill config is invalid - skipping backfill.");return}let t=I,f=new Set(e.map(o=>o.id));for(let[o,r]of Object.entries(t)){if(!f.has(o))continue;if(!s.has(o)){i(`[corsair:setup] Skipping backfill for '${o}' \u2014 auth not configured.`);continue}let c=w(n)?n[o]:void 0,l=w(c)?c.api:void 0;if(l)for(let[y,d]of Object.entries(r))for(let[g,p]of Object.entries(d)){i(`[corsair:setup] Backfilling ${o} \u203A ${y}.${g}...`);try{let u=w(l)?l[y]:void 0;await C(u,g)?.(p)}catch(u){a(`[corsair:setup] ${o} \u203A ${y}.${g} failed: `+(u instanceof Error?u.message:String(u)))}}}}export{pn as a,sn as b};

package/dist/core.d.ts

@@ -1,12 +1,12 @@
-export { A as AuthMissingError, C as CORSAIR_INTERNAL, a as CorsairInternalConfig, D as DocSchemaFieldRow, b as DocSchemaShape, d as DocsApiEndpoint, e as DocsDbEntity, g as DocsDbFilterField, h as DocsWebhook, E as EndpointSchemaResult, I as IntrospectPluginForDocsResult, L as ListOperationsOptions, P as PluginDocsIntrospection, R as ResolveConnectLinkResult, c as createCorsair, f as formatDocSchemaShape, i as introspectPluginForDocs, r as resolveConnectLink } from './index-Cadh5O_D.js';
+import { O as OAuthConfig, A as AuthTypes, g as AccountKeyManagerFor, I as IntegrationKeyManagerFor } from './index-DLSRcm5o.js';
+export { j as AccountFieldNames, p as AllProviders, o as BASE_AUTH_FIELDS, k as BaseAuthFieldConfig, l as BaseKeyManager, e as BaseProviders, M as BeforeHookResult, r as BindEndpoints, a6 as BindWebhooks, a4 as Bivariant, s as BoundEndpointFn, t as BoundEndpointTree, a7 as BoundWebhook, B as BoundWebhookTree, h as CORSAIR_INTERNAL, c as CorsairClient, u as CorsairContext, v as CorsairEndpoint, y as CorsairErrorHandler, N as CorsairIntegration, i as CorsairInternalConfig, Q as CorsairKeyBuilder, S as CorsairKeyBuilderBase, d as CorsairPermissionsNamespace, a as CorsairPlugin, T as CorsairPluginContext, C as CorsairSingleTenantClient, b as CorsairTenantWrapper, a8 as CorsairWebhook, a9 as CorsairWebhookHandler, aa as CorsairWebhookMatcher, U as EndpointHooks, V as EndpointMetaEntry, w as EndpointPathsOf, E as EndpointRiskLevel, x as EndpointTree, K as EnforcePermissionOptions, L as EnforcePermissionResult, z as ErrorContext, D as ErrorHandler, F as ErrorHandlerAndMatchFunction, G as ErrorMatcher, m as IntegrationFieldNames, X as KeyBuilderContext, n as OAuth2IntegrationCredentials, Y as PermissionMode, Z as PermissionPolicy, q as PickAuth, P as PluginAuthConfig, _ as PluginEndpointMeta, $ as PluginPermissionsConfig, R as RawWebhookRequest, a0 as RequiredPluginEndpointMeta, a1 as RequiredPluginEndpointSchemas, a2 as RequiredPluginWebhookSchemas, H as RetryStrategies, J as RetryStrategy, a5 as UnionToIntersection, a3 as WebhookHooks, ab as WebhookPathsOf, ac as WebhookRequest, W as WebhookResponse, ad as WebhookTree, f as createCorsair } from './index-DLSRcm5o.js';
 import { CorsairDatabase } from './db.js';
-import { O as OAuthConfig, A as AuthTypes, f as AccountKeyManagerFor, I as IntegrationKeyManagerFor } from './index-CN2IlLdT.js';
-export { g as AccountFieldNames, m as AllProviders, l as BASE_AUTH_FIELDS, h as BaseAuthFieldConfig, i as BaseKeyManager, e as BaseProviders, H as BeforeHookResult, o as BindEndpoints, a3 as BindWebhooks, a1 as Bivariant, p as BoundEndpointFn, q as BoundEndpointTree, a4 as BoundWebhook, B as BoundWebhookTree, c as CorsairClient, r as CorsairContext, s as CorsairEndpoint, u as CorsairErrorHandler, J as CorsairIntegration, K as CorsairKeyBuilder, L as CorsairKeyBuilderBase, d as CorsairPermissionsNamespace, a as CorsairPlugin, M as CorsairPluginContext, C as CorsairSingleTenantClient, b as CorsairTenantWrapper, a5 as CorsairWebhook, a6 as CorsairWebhookHandler, a7 as CorsairWebhookMatcher, N as EndpointHooks, Q as EndpointMetaEntry, E as EndpointPathsOf, S as EndpointRiskLevel, t as EndpointTree, F as EnforcePermissionOptions, G as EnforcePermissionResult, v as ErrorContext, w as ErrorHandler, x as ErrorHandlerAndMatchFunction, y as ErrorMatcher, j as IntegrationFieldNames, T as KeyBuilderContext, k as OAuth2IntegrationCredentials, U as PermissionMode, V as PermissionPolicy, n as PickAuth, P as PluginAuthConfig, X as PluginEndpointMeta, Y as PluginPermissionsConfig, R as RawWebhookRequest, Z as RequiredPluginEndpointMeta, _ as RequiredPluginEndpointSchemas, $ as RequiredPluginWebhookSchemas, z as RetryStrategies, D as RetryStrategy, a2 as UnionToIntersection, a0 as WebhookHooks, a8 as WebhookPathsOf, a9 as WebhookRequest, W as WebhookResponse, aa as WebhookTree } from './index-CN2IlLdT.js';
-import 'kysely';
+export { A as AuthMissingError, D as DocSchemaFieldRow, a as DocSchemaShape, b as DocsApiEndpoint, c as DocsDbEntity, d as DocsDbFilterField, e as DocsWebhook, E as EndpointSchemaResult, I as IntrospectPluginForDocsResult, L as ListOperationsOptions, P as PluginDocsIntrospection, R as ResolveConnectLinkResult, f as formatDocSchemaShape, i as introspectPluginForDocs, r as resolveConnectLink } from './index-Cc9JiMef.js';
 import 'zod';
+import './orm.js';
+import 'kysely';
 import 'pg';
 import 'postgres';
-import './orm.js';
 
 /**
  * Context interface with account ID resolver for logging events.

package/dist/{index-Cadh5O_D.d.ts → index-Cc9JiMef.d.ts}

@@ -1,5 +1,4 @@
-import { S as EndpointRiskLevel, a as CorsairPlugin, J as CorsairIntegration, b as CorsairTenantWrapper, C as CorsairSingleTenantClient } from './index-CN2IlLdT.js';
-import { CorsairDatabase } from './db.js';
+import { E as EndpointRiskLevel, a as CorsairPlugin } from './index-DLSRcm5o.js';
 
 /**
  * Error thrown when a plugin endpoint is called but the user has not authenticated
@@ -184,53 +183,4 @@ declare function formatDocSchemaShape(shape: DocSchemaShape | undefined, depth?:
  */
 declare function introspectPluginForDocs(plugins: readonly CorsairPlugin[], pluginId: string): IntrospectPluginForDocsResult;
 
-declare const CORSAIR_INTERNAL: unique symbol;
-type CorsairInternalConfig = {
-    plugins: readonly CorsairPlugin[];
-    database: CorsairDatabase | undefined;
-    kek: string;
-    multiTenancy: boolean;
-    approval?: {
-        timeout: string;
-        onTimeout: 'deny' | 'approve';
-        mode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
-        /** Called when a permission is blocked in async mode. Return the message surfaced to the LLM. */
-        formatAsyncMessage?: (opts: {
-            token: string;
-            id: string;
-            plugin: string;
-            endpoint: string;
-            args: unknown;
-        }) => string;
-    };
-    connect?: {
-        baseUrl: string;
-        redirectUri: string;
-        onAuthMissing?: (opts: {
-            plugin: string;
-            connectUrl: string;
-            state: string;
-        }) => string;
-    };
-};
-/**
- * Creates a Corsair integration with multi-tenancy enabled.
- * Returns a wrapper with a `withTenant()` method to scope operations to specific tenants,
- * and a `keys` property for integration-level key management.
- * @param config - Configuration with plugins, database, and multiTenancy: true
- * @returns A tenant wrapper with `withTenant(tenantId)` method and integration-level `keys`
- */
-declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
-    multiTenancy: true;
-}): CorsairTenantWrapper<Plugins>;
-/**
- * Creates a Corsair integration without multi-tenancy.
- * Returns a direct client instance with both plugin APIs and integration-level keys.
- * @param config - Configuration with plugins and optional database
- * @returns A Corsair client instance with plugin APIs and integration-level `keys`
- */
-declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
-    multiTenancy?: false | undefined;
-}): CorsairSingleTenantClient<Plugins>;
-
-export { AuthMissingError as A, CORSAIR_INTERNAL as C, type DocSchemaFieldRow as D, type EndpointSchemaResult as E, type FormFieldSchema as F, type IntrospectPluginForDocsResult as I, type ListOperationsOptions as L, type PluginDocsIntrospection as P, type ResolveConnectLinkResult as R, type CorsairInternalConfig as a, type DocSchemaShape as b, createCorsair as c, type DocsApiEndpoint as d, type DocsDbEntity as e, formatDocSchemaShape as f, type DocsDbFilterField as g, type DocsWebhook as h, introspectPluginForDocs as i, resolveConnectLink as r };
+export { AuthMissingError as A, type DocSchemaFieldRow as D, type EndpointSchemaResult as E, type FormFieldSchema as F, type IntrospectPluginForDocsResult as I, type ListOperationsOptions as L, type PluginDocsIntrospection as P, type ResolveConnectLinkResult as R, type DocSchemaShape as a, type DocsApiEndpoint as b, type DocsDbEntity as c, type DocsDbFilterField as d, type DocsWebhook as e, formatDocSchemaShape as f, introspectPluginForDocs as i, resolveConnectLink as r };

package/dist/{index-CN2IlLdT.d.ts → index-DLSRcm5o.d.ts}

@@ -1,6 +1,6 @@
+import { CorsairDatabase, CorsairDatabaseInput, CorsairPermission } from './db.js';
 import { ZodTypeAny } from 'zod';
 import { CorsairPluginSchema, PluginEntityClients } from './orm.js';
-import { CorsairDatabase, CorsairDatabaseInput, CorsairPermission } from './db.js';
 
 type AllErrors = 'RATE_LIMIT_ERROR' | 'AUTH_ERROR' | 'PERMISSION_ERROR' | 'NETWORK_ERROR' | 'TIMEOUT_ERROR' | 'SERVER_ERROR' | 'VALIDATION_ERROR' | 'NOT_FOUND_ERROR' | 'BAD_REQUEST_ERROR' | 'PARSING_ERROR' | 'DEFAULT' | (string & {});
 declare const BaseProviders: readonly ["airtable", "amplitude", "asana", "bitwarden", "bluesky", "box", "cal", "calendly", "cloudflare", "cursor", "discord", "dodopayments", "dropbox", "exa", "figma", "firecrawl", "fireflies", "github", "gitlab", "gmail", "googlecalendar", "googledrive", "googlesheets", "grafana", "hackernews", "hubspot", "intercom", "jira", "linear", "monday", "notion", "onedrive", "openweathermap", "oura", "outlook", "pagerduty", "posthog", "razorpay", "reddit", "resend", "sentry", "sharepoint", "slack", "spotify", "strava", "stripe", "tally", "tavily", "teams", "telegram", "todoist", "trello", "twitter", "twitterapiio", "typeform", "vapi", "xquik", "youtube", "zendesk", "zoom"];
@@ -1140,4 +1140,53 @@ type CorsairSingleTenantClient<Plugins extends readonly CorsairPlugin[]> = Corsa
     permissions: CorsairPermissionsNamespace;
 };
 
-export { type RequiredPluginWebhookSchemas as $, type AuthTypes as A, type BoundWebhookTree as B, type CorsairSingleTenantClient as C, type RetryStrategy as D, type EndpointPathsOf as E, type EnforcePermissionOptions as F, type EnforcePermissionResult as G, type BeforeHookResult as H, type IntegrationKeyManagerFor as I, type CorsairIntegration as J, type CorsairKeyBuilder as K, type CorsairKeyBuilderBase as L, type CorsairPluginContext as M, type EndpointHooks as N, type OAuthConfig as O, type PluginAuthConfig as P, type EndpointMetaEntry as Q, type RawWebhookRequest as R, type EndpointRiskLevel as S, type KeyBuilderContext as T, type PermissionMode as U, type PermissionPolicy as V, type WebhookResponse as W, type PluginEndpointMeta as X, type PluginPermissionsConfig as Y, type RequiredPluginEndpointMeta as Z, type RequiredPluginEndpointSchemas as _, type CorsairPlugin as a, type WebhookHooks as a0, type Bivariant$2 as a1, type UnionToIntersection$1 as a2, type BindWebhooks as a3, type BoundWebhook as a4, type CorsairWebhook as a5, type CorsairWebhookHandler as a6, type CorsairWebhookMatcher as a7, type WebhookPathsOf as a8, type WebhookRequest as a9, type WebhookTree as aa, type CorsairTenantWrapper as b, type CorsairClient as c, type CorsairPermissionsNamespace as d, BaseProviders as e, type AccountKeyManagerFor as f, type AccountFieldNames as g, type BaseAuthFieldConfig as h, type BaseKeyManager as i, type IntegrationFieldNames as j, type OAuth2IntegrationCredentials as k, BASE_AUTH_FIELDS as l, type AllProviders as m, type PickAuth as n, type BindEndpoints as o, type BoundEndpointFn as p, type BoundEndpointTree as q, type CorsairContext as r, type CorsairEndpoint as s, type EndpointTree as t, type CorsairErrorHandler as u, type ErrorContext as v, type ErrorHandler as w, type ErrorHandlerAndMatchFunction as x, type ErrorMatcher as y, type RetryStrategies as z };
+declare const CORSAIR_INTERNAL: unique symbol;
+type CorsairInternalConfig = {
+    plugins: readonly CorsairPlugin[];
+    database: CorsairDatabase | undefined;
+    kek: string;
+    multiTenancy: boolean;
+    approval?: {
+        timeout: string;
+        onTimeout: 'deny' | 'approve';
+        mode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
+        /** Called when a permission is blocked in async mode. Return the message surfaced to the LLM. */
+        formatAsyncMessage?: (opts: {
+            token: string;
+            id: string;
+            plugin: string;
+            endpoint: string;
+            args: unknown;
+        }) => string;
+    };
+    connect?: {
+        baseUrl: string;
+        redirectUri: string;
+        onAuthMissing?: (opts: {
+            plugin: string;
+            connectUrl: string;
+            state: string;
+        }) => string;
+    };
+};
+/**
+ * Creates a Corsair integration with multi-tenancy enabled.
+ * Returns a wrapper with a `withTenant()` method to scope operations to specific tenants,
+ * and a `keys` property for integration-level key management.
+ * @param config - Configuration with plugins, database, and multiTenancy: true
+ * @returns A tenant wrapper with `withTenant(tenantId)` method and integration-level `keys`
+ */
+declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
+    multiTenancy: true;
+}): CorsairTenantWrapper<Plugins>;
+/**
+ * Creates a Corsair integration without multi-tenancy.
+ * Returns a direct client instance with both plugin APIs and integration-level keys.
+ * @param config - Configuration with plugins and optional database
+ * @returns A Corsair client instance with plugin APIs and integration-level `keys`
+ */
+declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
+    multiTenancy?: false | undefined;
+}): CorsairSingleTenantClient<Plugins>;
+
+export { type PluginPermissionsConfig as $, type AuthTypes as A, type BoundWebhookTree as B, type CorsairSingleTenantClient as C, type ErrorHandler as D, type EndpointRiskLevel as E, type ErrorHandlerAndMatchFunction as F, type ErrorMatcher as G, type RetryStrategies as H, type IntegrationKeyManagerFor as I, type RetryStrategy as J, type EnforcePermissionOptions as K, type EnforcePermissionResult as L, type BeforeHookResult as M, type CorsairIntegration as N, type OAuthConfig as O, type PluginAuthConfig as P, type CorsairKeyBuilder as Q, type RawWebhookRequest as R, type CorsairKeyBuilderBase as S, type CorsairPluginContext as T, type EndpointHooks as U, type EndpointMetaEntry as V, type WebhookResponse as W, type KeyBuilderContext as X, type PermissionMode as Y, type PermissionPolicy as Z, type PluginEndpointMeta as _, type CorsairPlugin as a, type RequiredPluginEndpointMeta as a0, type RequiredPluginEndpointSchemas as a1, type RequiredPluginWebhookSchemas as a2, type WebhookHooks as a3, type Bivariant$2 as a4, type UnionToIntersection$1 as a5, type BindWebhooks as a6, type BoundWebhook as a7, type CorsairWebhook as a8, type CorsairWebhookHandler as a9, type CorsairWebhookMatcher as aa, type WebhookPathsOf as ab, type WebhookRequest as ac, type WebhookTree as ad, type CorsairTenantWrapper as b, type CorsairClient as c, type CorsairPermissionsNamespace as d, BaseProviders as e, createCorsair as f, type AccountKeyManagerFor as g, CORSAIR_INTERNAL as h, type CorsairInternalConfig as i, type AccountFieldNames as j, type BaseAuthFieldConfig as k, type BaseKeyManager as l, type IntegrationFieldNames as m, type OAuth2IntegrationCredentials as n, BASE_AUTH_FIELDS as o, type AllProviders as p, type PickAuth as q, type BindEndpoints as r, type BoundEndpointFn as s, type BoundEndpointTree as t, type CorsairContext as u, type CorsairEndpoint as v, type EndpointPathsOf as w, type EndpointTree as x, type CorsairErrorHandler as y, type ErrorContext as z };

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-import { F as FormFieldSchema, L as ListOperationsOptions } from './index-Cadh5O_D.js';
-export { A as AuthMissingError, R as ResolveConnectLinkResult, c as createCorsair, f as formatDocSchemaShape, r as resolveConnectLink } from './index-Cadh5O_D.js';
-import { C as CorsairSingleTenantClient, a as CorsairPlugin, b as CorsairTenantWrapper, c as CorsairClient, d as CorsairPermissionsNamespace, B as BoundWebhookTree, R as RawWebhookRequest, e as BaseProviders, W as WebhookResponse } from './index-CN2IlLdT.js';
+import { C as CorsairSingleTenantClient, a as CorsairPlugin, b as CorsairTenantWrapper, c as CorsairClient, d as CorsairPermissionsNamespace, B as BoundWebhookTree, R as RawWebhookRequest, e as BaseProviders, W as WebhookResponse } from './index-DLSRcm5o.js';
+export { f as createCorsair } from './index-DLSRcm5o.js';
+import { F as FormFieldSchema, L as ListOperationsOptions } from './index-Cc9JiMef.js';
+export { A as AuthMissingError, R as ResolveConnectLinkResult, f as formatDocSchemaShape, r as resolveConnectLink } from './index-Cc9JiMef.js';
 export { SetupCorsairOptions, setupCorsair } from './setup.js';
 import './db.js';
 import 'kysely';

package/dist/index.js

@@ -1,3 +1,3 @@
-import{a as A}from"./chunk-UEIITBYY.js";import{A as x,C,D as T,a as I,v as O,w as k,x as y,y as b,z as w}from"./chunk-W6KENKHM.js";import"./chunk-AAWROBCK.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-6KMLS5U6.js";import"./chunk-QAIKSQAD.js";function h(n){let r=n[C];if(!r)throw new Error("listOperations / getSchema: invalid corsair instance. Pass the value returned by createCorsair() or corsair.withTenant().");return r.plugins}function B(n,r){let o=b(h(n),r);return typeof o=="string"?o:Array.isArray(o)?o.join(`
+import{a as A}from"./chunk-EK7JQYHJ.js";import{A as x,C,D as T,a as I,v as O,w as k,x as y,y as b,z as w}from"./chunk-W6KENKHM.js";import"./chunk-AAWROBCK.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-6KMLS5U6.js";import"./chunk-QAIKSQAD.js";function h(n){let r=n[C];if(!r)throw new Error("listOperations / getSchema: invalid corsair instance. Pass the value returned by createCorsair() or corsair.withTenant().");return r.plugins}function B(n,r){let o=b(h(n),r);return typeof o=="string"?o:Array.isArray(o)?o.join(`
 `):Object.values(o).flat().join(`
 `)}function E(n,r){return w(h(n),r)}function F(n,r){return y(h(n),r)}var $=Symbol.for("corsair:internal");function j(n,r){let o=n;for(let e of r){if(!o||typeof o!="object")return null;o=o[e]}return typeof o=="function"?o:null}function S(n){return n[$]?.database}async function _(n,r){let o=new Date().toISOString(),e=await n.permissions.find_by_token(r);if(!e)return console.error("executePermission: no permission found for token."),{error:"executePermission: no permission found for token."};if(e.status!=="approved")return console.error(`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`};if(e.expires_at<o){let i=S(n);return i&&await i.db.updateTable("corsair_permissions").set({status:"expired",updated_at:new Date}).where("id","=",e.id).execute(),console.error(`executePermission: permission '${e.id}' has expired.`),{error:`executePermission: permission '${e.id}' has expired.`,endpoint:e.endpoint,plugin:e.plugin,result:null}}let t=e.tenant_id??"default",g=(n.withTenant?n.withTenant(t):n)[e.plugin];if(!g?.api)return console.error(`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`),{error:`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`,plugin:e.plugin,endpoint:e.endpoint,result:null};let c=j(g.api,e.endpoint.split("."));if(!c)return console.error(`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`};await n.permissions.set_executing(e.id);try{let i=typeof e.args=="string"?JSON.parse(e.args):e.args,u=await c(i);return await n.permissions.set_completed(e.id),{plugin:e.plugin,endpoint:e.endpoint,result:u}}catch(i){let u=i instanceof Error?i.message:String(i),d=S(n);return d&&await d.db.updateTable("corsair_permissions").set({status:"failed",error:u,updated_at:new Date}).where("id","=",e.id).execute(),{plugin:e.plugin,endpoint:e.endpoint,result:null,error:u}}}function v(n){return n!==null&&typeof n=="object"&&"match"in n&&"handler"in n&&typeof n.match=="function"&&typeof n.handler=="function"}function R(n,r,o=[]){for(let[e,t]of Object.entries(n))if(v(t)){if(t.match(r))return{webhook:t,path:[...o,e]}}else if(t&&typeof t=="object"){let s=R(t,r,[...o,e]);if(s)return s}return null}function N(n){let r={};for(let[o,e]of Object.entries(n))r[o.toLowerCase()]=Array.isArray(e)?e[0]:e;return r}function L(n){let r=n["x-goog-resource-uri"],o=n["x-goog-channel-id"];if(!r||!o)return null;let e={resourceId:n["x-goog-resource-id"]||"",resourceState:n["x-goog-resource-state"]||"",resourceUri:r,channelId:o,channelExpiration:n["x-goog-channel-expiration"]||""};return r.includes("/drive/")&&(e.kind="drive#change"),{message:{data:Buffer.from(JSON.stringify(e)).toString("base64"),messageId:n["x-goog-message-number"]||""}}}async function D(n,r,o,e){let t=N(r),s=typeof o=="string"?JSON.parse(o):o;(!s||typeof s=="object"&&Object.keys(s).length===0)&&t["x-goog-resource-uri"]&&(s=L(t)||s);let c={headers:t,body:s},i=e?.tenantId||"default",u=n.withTenant?n.withTenant(i):n,d=k;for(let l of d){let p=u[l];if(!p||!p.webhooks||p.pluginWebhookMatcher&&!p.pluginWebhookMatcher(c))continue;let f=R(p.webhooks,c);if(!f)continue;let m=f.path.join("."),P={payload:s,headers:t,rawBody:typeof o=="string"?o:JSON.stringify(o)};try{let a=await f.webhook.handler(P),W=!!Object.keys(a.returnToSender||{})?.length;return{plugin:l,action:m,body:s,response:W?{...a?.returnToSender,success:!0}:{success:!0},...a.responseHeaders&&{responseHeaders:a.responseHeaders}}}catch(a){return console.error(`Error executing webhook handler for ${l}.${m}:`,a),{plugin:l,action:m,body:s,response:{success:!1,error:a instanceof Error?a.message:"Unknown error"}}}}return{plugin:null,action:null,body:null}}export{I as AuthMissingError,T as createCorsair,_ as executePermission,x as formatDocSchemaShape,E as getSchema,F as getStructuredSchema,B as listOperations,D as processWebhook,O as resolveConnectLink,A as setupCorsair};

package/dist/setup.d.ts

@@ -1,18 +1,26 @@
-import { a as CorsairPlugin, C as CorsairSingleTenantClient, b as CorsairTenantWrapper } from './index-CN2IlLdT.js';
+import { a as CorsairPlugin, C as CorsairSingleTenantClient, b as CorsairTenantWrapper, i as CorsairInternalConfig } from './index-DLSRcm5o.js';
+import { CorsairDatabase } from './db.js';
 import 'zod';
 import './orm.js';
-import './db.js';
 import 'kysely';
 import 'pg';
 import 'postgres';
 
+/** Plugin id → credential field → value (from CLI `field=value` pairs). */
+type SetupCredentials = Record<string, Record<string, string>>;
 interface SetupCorsairOptions {
     /**
-     * Tenant to provision rows for. Defaults to "default".
-     * Pass a specific tenant ID to create that tenant's `corsair_accounts` rows
-     * and issue DEKs without touching other tenants.
+     * Tenant to provision account rows and account-level credentials for.
+     * Optional on single-tenant instances (defaults to `"default"`).
+     * On multi-tenant instances: required for account-level credentials and
+     * backfill; omit when only setting integration-level credentials.
      */
     tenantId?: string;
+    /**
+     * Credentials to persist during setup (integration-level fields use
+     * `corsair.keys.<plugin>`; account-level fields use the tenant client).
+     */
+    credentials?: SetupCredentials;
     /**
      * When true, calls list endpoints for every plugin defined in
      * setup/backfill.yaml to seed the local database with initial data.
@@ -25,7 +33,18 @@ interface SetupCorsairOptions {
      */
     caller?: 'cli' | 'script';
 }
+type SetupLog = (msg: string) => void;
+type SetupWarn = (msg: string) => void;
 type SetupCorsairInstance<Plugins extends readonly CorsairPlugin[]> = CorsairSingleTenantClient<Plugins> | CorsairTenantWrapper<Plugins>;
+type SetupInternalConfig = CorsairInternalConfig & {
+    database: CorsairDatabase;
+};
+type SetupTenantScope = {
+    multiTenant: boolean;
+    tenantIdProvided: boolean;
+    tenantId: string;
+    provisionAccounts: boolean;
+};
 /**
  * Initialises a corsair instance end-to-end:
  *
@@ -41,11 +60,12 @@ type SetupCorsairInstance<Plugins extends readonly CorsairPlugin[]> = CorsairSin
  *   - Integration-level (shared across all tenants): `corsair.keys.plugin.set_*(value)`
  *   - Account-level (per-tenant): `corsair.withTenant(tenantId).plugin.keys.set_*(value)`
  *
- * Multi-tenant corsair instances are accepted; pass `options.tenantId` to provision
- * rows for a specific tenant instead of the default account.
+ * Multi-tenant instances: pass `options.tenantId` for account-level work (account
+ * rows, account credentials, backfill). Integration-only setup may omit tenantId.
  *
  * Returns a newline-separated string of all setup output.
  */
 declare function setupCorsair<const Plugins extends readonly CorsairPlugin[]>(corsair: SetupCorsairInstance<Plugins>, options?: SetupCorsairOptions): Promise<string>;
+declare function applySetupCredentials<const Plugins extends readonly CorsairPlugin[]>(corsair: SetupCorsairInstance<Plugins>, tenantScope: SetupTenantScope, credentials: SetupCredentials, internal: SetupInternalConfig, log: SetupLog, warn: SetupWarn): Promise<void>;
 
-export { type SetupCorsairOptions, setupCorsair };
+export { type SetupCorsairOptions, type SetupCredentials, applySetupCredentials, setupCorsair };

package/dist/setup.js

@@ -1 +1 @@
-import{a as o}from"./chunk-UEIITBYY.js";import"./chunk-W6KENKHM.js";import"./chunk-AAWROBCK.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-6KMLS5U6.js";import"./chunk-QAIKSQAD.js";export{o as setupCorsair};
+import{a as o,b as r}from"./chunk-EK7JQYHJ.js";import"./chunk-W6KENKHM.js";import"./chunk-AAWROBCK.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-6KMLS5U6.js";import"./chunk-QAIKSQAD.js";export{r as applySetupCredentials,o as setupCorsair};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "corsair",
-  "version": "0.1.72",
+  "version": "0.1.73",
   "description": "",
   "type": "module",
   "main": "./dist/index.js",

package/dist/chunk-UEIITBYY.js

@@ -1,5 +0,0 @@
-import{C as A,D as T,j as w,k as C,l as S}from"./chunk-W6KENKHM.js";import{a as _}from"./chunk-AAWROBCK.js";import{Kysely as I}from"kysely";import{ZodBoolean as M,ZodDate as R,ZodEnum as j,ZodNullable as D,ZodNumber as F,ZodObject as O,ZodOptional as x,ZodRecord as E,ZodString as K,ZodType as B}from"zod";var h={slack:{channels:{list:{}},users:{list:{}}},linear:{projects:{list:{}},issues:{list:{}},users:{list:{}}},github:{issues:{list:{}},repositories:{list:{}}},discord:{guilds:{list:{}},channels:{list:{}}},hubspot:{contacts:{getMany:{}},companies:{getMany:{}},deals:{getMany:{}}},gmail:{messages:{list:{}},labels:{list:{}},drafts:{list:{}},threads:{list:{}}},googlecalendar:{events:{getMany:{}}},googledrive:{files:{list:{}},folders:{list:{}},sharedDrives:{list:{}}},notion:{databases:{getManyDatabases:{}},databasePages:{getManyDatabasePages:{}},users:{getManyUsers:{}}},airtable:{bases:{getMany:{}}},todoist:{projects:{getMany:{}},tasks:{getMany:{}}},cal:{bookings:{list:{}}}};async function ie(e,t){let a=[],i=s=>{a.push(s),console.log(s)},o=s=>{a.push(s),console.warn(s)},f=t?.caller??"script",d=t?.tenantId;if(!d){if(e?.withTenant)throw new Error("setupCorsair: tenantId must be a non-empty string");d="default"}let n=v(e);if(!n)throw new Error("setupCorsair: invalid corsair instance");if(!n.database)throw new Error("setupCorsair: a database must be configured on the corsair instance");let u={...n,database:n.database},c=u.database.db;await Y(c,o);let p=await H(c,u,d,i),y=await z(p,d,i,f);if(t?.backfill){i("[corsair:setup] Starting backfill...");let s=T({plugins:n.plugins,database:c,kek:n.kek,multiTenancy:!0}).withTenant(d);await Q(s,n.plugins,y,i,o),i("[corsair:setup] Backfill complete.")}return a.join(`
-`)}function b(e){return typeof e=="object"&&e!==null}function Z(e){return!b(e)||!Array.isArray(e.plugins)||typeof e.kek!="string"||typeof e.multiTenancy!="boolean"?!1:e.database===void 0?!0:b(e.database)?e.database.db instanceof I:!1}function v(e){let t=Object.getOwnPropertyDescriptor(e,A);if(t)return Z(t.value)?t.value:void 0}function N(e){return e==="oauth_2"||e==="api_key"||e==="bot_token"}function L(e){let t=e.options?.authType;return N(t)?t:void 0}function m(e,t){if(!b(e))return;let a=e[t];return typeof a=="function"?(...i)=>Reflect.apply(a,e,i):void 0}function $(e,t){return b(e)?t===0?!0:Object.values(e).every(a=>$(a,t-1)):!1}function U(e){return $(e,4)}var W={..._};function k(e){if(e instanceof O){let t={};for(let[a,i]of Object.entries(e.shape))t[a]=i instanceof B?k(i):"unknown";return t}return e instanceof D?`${k(e.unwrap())} | null`:e instanceof x?`${k(e.unwrap())} | undefined`:e instanceof j?e.options.join(" | "):e instanceof K?"string":e instanceof F?"number":e instanceof M?"boolean":e instanceof R?"date":e instanceof E?"jsonb":"unknown"}async function Y(e,t){let a=await e.introspection.getTables(),i=new Set(a.map(o=>o.name));for(let[o,f]of Object.entries(W))i.has(o)||t(`[corsair:setup] Table "${o}" does not exist. Run your database migrations before calling setupCorsair.
-Schema: ${JSON.stringify(k(f),null,2)}`)}async function H(e,t,a,i){let o=new Date,f=new Map;for(let d of t.plugins){let n=d.id,u=L(d),c=await e.selectFrom("corsair_integrations").selectAll().where("name","=",n).executeTakeFirst();if(!c){let l=crypto.randomUUID();await e.insertInto("corsair_integrations").values({id:l,name:n,config:{},created_at:o,updated_at:o}).execute(),c=await e.selectFrom("corsair_integrations").selectAll().where("id","=",l).executeTakeFirst(),i(`[corsair:setup] Created integration: ${n}`)}let p=u?d.authConfig?.[u]?.integration??[]:[],y=u?d.authConfig?.[u]?.account??[]:[],s=u&&c?C({authType:u,integrationName:n,kek:t.kek,database:t.database,extraIntegrationFields:p}):void 0;if(c&&!c.dek&&s&&(await s.issue_new_dek(),i(`[corsair:setup] Issued integration DEK: ${n}`)),!c)continue;let r=await e.selectFrom("corsair_accounts").selectAll().where("tenant_id","=",a).where("integration_id","=",c.id).executeTakeFirst();if(!r){let l=crypto.randomUUID();await e.insertInto("corsair_accounts").values({id:l,tenant_id:a,integration_id:c.id,config:{},created_at:o,updated_at:o}).execute(),r=await e.selectFrom("corsair_accounts").selectAll().where("id","=",l).executeTakeFirst(),i(`[corsair:setup] Created account: ${n}`)}let g=u&&r?S({authType:u,integrationName:n,tenantId:a,kek:t.kek,database:t.database,extraAccountFields:y}):void 0;r&&!r.dek&&g&&(await g.issue_new_dek(),i(`[corsair:setup] Issued account DEK: ${n}`)),u&&s&&g&&f.set(n,{pluginId:n,authType:u,integration:s,account:g,integrationFields:[...w[u].integration,...p],accountFields:[...w[u].account,...y]})}return f}var P=new Set(["webhook_signature","expires_at","scope","redirect_url"]);async function J(e,t,a,i,o,f,d,n,u){let c=[],p=[];for(let s of o){if(P.has(s))continue;let r=m(a,`get_${s}`);if(!r)continue;let g=null;try{let l=await r();g=typeof l=="string"?l:null}catch{}g||c.push(s)}for(let s of f){if(P.has(s))continue;let r=m(i,`get_${s}`);if(!r)continue;let g=null;try{let l=await r();g=typeof l=="string"?l:null}catch{}g||p.push(s)}let y=c.length===0&&p.length===0;if(y)n(`[corsair:setup] '${e}' (${t}) is configured \u2713`);else{let s=[...c,...p];if(u==="cli"){let r=s.map(g=>`${g}=VALUE`).join(" ");n(`[corsair:setup] '${e}' (${t}) needs credentials. Run:
-  corsair setup --${e} ${r}`)}else{let r=[`[corsair:setup] '${e}' (${t}) needs credentials. Call:`];for(let g of c)r.push(`  await corsair.keys.${e}.set_${g}(value)`);for(let g of p){let l=d==="default"?`corsair.${e}`:`corsair.withTenant(${JSON.stringify(d)}).${e}`;r.push(`  await ${l}.keys.set_${g}(value)`)}n(r.join(`
-`))}}return y}async function z(e,t,a,i){let o=new Set;for(let f of e.values())await J(f.pluginId,f.authType,f.integration,f.account,f.integrationFields,f.accountFields,t,a,i)&&o.add(f.pluginId);return o}async function Q(e,t,a,i,o){if(!U(h)){o("[corsair:setup] Backfill config is invalid - skipping backfill.");return}let f=h,d=new Set(t.map(n=>n.id));for(let[n,u]of Object.entries(f)){if(!d.has(n))continue;if(!a.has(n)){i(`[corsair:setup] Skipping backfill for '${n}' \u2014 auth not configured.`);continue}let c=b(e)?e[n]:void 0,p=b(c)?c.api:void 0;if(p)for(let[y,s]of Object.entries(u))for(let[r,g]of Object.entries(s)){i(`[corsair:setup] Backfilling ${n} \u203A ${y}.${r}...`);try{let l=b(p)?p[y]:void 0;await m(l,r)?.(g)}catch(l){o(`[corsair:setup] ${n} \u203A ${y}.${r} failed: `+(l instanceof Error?l.message:String(l)))}}}}export{ie as a};