corsair 0.1.76 → 0.1.78

package/dist/{index-DSVPkmM-.d.ts → index-BHyMcpwm.d.ts}

@@ -1,152 +1,7 @@
-import { CorsairDatabase, CorsairPermission, CorsairDatabaseInput } from './db.js';
 import { ZodTypeAny } from 'zod';
+import { CorsairDatabase, CorsairPermission, CorsairDatabaseInput } from './db.js';
 import { CorsairPluginSchema, PluginEntityClients } from './orm.js';
-
-type AllErrors = 'RATE_LIMIT_ERROR' | 'AUTH_ERROR' | 'PERMISSION_ERROR' | 'NETWORK_ERROR' | 'TIMEOUT_ERROR' | 'SERVER_ERROR' | 'VALIDATION_ERROR' | 'NOT_FOUND_ERROR' | 'BAD_REQUEST_ERROR' | 'PARSING_ERROR' | 'DEFAULT' | (string & {});
-declare const BaseProviders: readonly ["airtable", "amplitude", "asana", "bitwarden", "bluesky", "box", "cal", "calendly", "cloudflare", "cursor", "discord", "dodopayments", "dropbox", "exa", "figma", "firecrawl", "fireflies", "github", "gitlab", "gmail", "googlecalendar", "googledrive", "googlesheets", "grafana", "hackernews", "hubspot", "intercom", "jira", "linear", "monday", "notion", "onedrive", "openweathermap", "oura", "outlook", "pagerduty", "posthog", "razorpay", "reddit", "resend", "sentry", "sharepoint", "slack", "spotify", "strava", "stripe", "tally", "tavily", "teams", "telegram", "todoist", "trello", "twitter", "twitterapiio", "typeform", "vapi", "xquik", "youtube", "zendesk", "zohomail", "zoom"];
-type AllProviders = 'airtable' | 'amplitude' | 'asana' | 'bitwarden' | 'bluesky' | 'box' | 'cal' | 'calendly' | 'cloudflare' | 'cursor' | 'discord' | 'dodopayments' | 'dropbox' | 'exa' | 'figma' | 'firecrawl' | 'fireflies' | 'github' | 'gitlab' | 'gmail' | 'googlecalendar' | 'googledrive' | 'googlesheets' | 'grafana' | 'hackernews' | 'hubspot' | 'intercom' | 'jira' | 'linear' | 'monday' | 'notion' | 'onedrive' | 'openweathermap' | 'oura' | 'outlook' | 'pagerduty' | 'posthog' | 'razorpay' | 'reddit' | 'resend' | 'sentry' | 'sharepoint' | 'slack' | 'spotify' | 'strava' | 'stripe' | 'tally' | 'tavily' | 'teams' | 'telegram' | 'todoist' | 'trello' | 'twitter' | 'twitterapiio' | 'typeform' | 'vapi' | 'xquik' | 'youtube' | 'zendesk' | 'zohomail' | 'zoom' | (string & {});
-type AuthTypes = 'oauth_2' | 'api_key' | 'bot_token';
-type PickAuth<T extends AuthTypes> = T;
-
-/**
- * Utility type that converts a union type to an intersection type.
- * This is useful for combining multiple plugin interfaces into a single client interface.
- * @template U - The union type to convert
- */
-type UnionToIntersection$1<U> = (U extends any ? (k: U) => void : never) extends (k: infer I) => void ? I : never;
-/**
- * Bivariance hack for function types to ensure proper type inference.
- * This helps TypeScript correctly infer function parameters and return types.
- * @template Args - The function arguments array
- * @template R - The function return type
- */
-type Bivariant$2<Args extends unknown[], R> = {
-    bivarianceHack(...args: Args): R;
-}['bivarianceHack'];
-
-/**
- * Defines the default fields for each auth type at the integration and account levels.
- * These are the base fields that every key manager of that auth type will have.
- * Plugins can extend these with additional fields via `authConfig`.
- */
-declare const BASE_AUTH_FIELDS: {
-    readonly oauth_2: {
-        readonly integration: readonly ["client_id", "client_secret", "redirect_url"];
-        readonly account: readonly ["access_token", "refresh_token", "expires_at", "scope", "webhook_signature"];
-    };
-    readonly api_key: {
-        readonly integration: readonly [];
-        readonly account: readonly ["api_key", "webhook_signature"];
-    };
-    readonly bot_token: {
-        readonly integration: readonly [];
-        readonly account: readonly ["bot_token", "webhook_signature"];
-    };
-};
-/**
- * Type-level representation of the base auth field config.
- */
-type BaseAuthFieldConfig = typeof BASE_AUTH_FIELDS;
-/**
- * Configuration that plugins can provide to extend the base auth fields.
- * Each auth type can have additional integration-level and/or account-level fields.
- *
- * @example
- * ```ts
- * const gmailAuthConfig = {
- *   oauth_2: {
- *     integration: ["topic_id"] as const,
- *     account: ["history_id"] as const,
- *   },
- * } as const satisfies PluginAuthConfig;
- * ```
- */
-type PluginAuthConfig = {
-    [K in AuthTypes]?: {
-        integration?: readonly string[];
-        account?: readonly string[];
-    };
-};
-/**
- * Extracts extra integration fields from a plugin auth config for a given auth type.
- */
-type ExtraIntegrationFields<Config extends PluginAuthConfig | undefined, T extends AuthTypes> = Config extends PluginAuthConfig ? T extends keyof Config ? NonNullable<Config[T]> extends {
-    integration: infer F extends readonly string[];
-} ? F[number] : never : never : never;
-/**
- * Extracts extra account fields from a plugin auth config for a given auth type.
- */
-type ExtraAccountFields<Config extends PluginAuthConfig | undefined, T extends AuthTypes> = Config extends PluginAuthConfig ? T extends keyof Config ? NonNullable<Config[T]> extends {
-    account: infer F extends readonly string[];
-} ? F[number] : never : never : never;
-/**
- * All integration field names for a given auth type (base + extension).
- */
-type IntegrationFieldNames<T extends AuthTypes, Config extends PluginAuthConfig | undefined = undefined> = BaseAuthFieldConfig[T]['integration'][number] | ExtraIntegrationFields<Config, T>;
-/**
- * All account field names for a given auth type (base + extension).
- */
-type AccountFieldNames<T extends AuthTypes, Config extends PluginAuthConfig | undefined = undefined> = BaseAuthFieldConfig[T]['account'][number] | ExtraAccountFields<Config, T>;
-/**
- * Generates getter and setter types for a single field.
- * e.g., "client_id" → { get_client_id: () => Promise<string | null>, set_client_id: (value: string | null) => Promise<void> }
- */
-type FieldAccessors<Field extends string> = {
-    [K in `get_${Field}`]: () => Promise<string | null>;
-} & {
-    [K in `set_${Field}`]: (value: string | null) => Promise<void>;
-};
-/**
- * Generates getters and setters for all fields in a union.
- * Uses UnionToIntersection to merge individual field accessor types.
- */
-type AllFieldAccessors<Fields extends string> = [Fields] extends [never] ? {} : UnionToIntersection$1<FieldAccessors<Fields>>;
-/**
- * Base key manager interface with DEK operations.
- * All key managers (integration and account) include these.
- */
-type BaseKeyManager = {
-    /**
-     * Get the current DEK (decrypted using KEK)
-     */
-    get_dek: () => Promise<string>;
-    /**
-     * Issue a new DEK and re-encrypt all associated secrets
-     * @returns The new DEK (for reference, not typically needed)
-     */
-    issue_new_dek: () => Promise<string>;
-};
-/**
- * Integration credentials returned by get_integration_credentials (OAuth2 only).
- */
-type OAuth2IntegrationCredentials = {
-    client_id: string | null;
-    client_secret: string | null;
-    redirect_url: string | null;
-};
-/**
- * Integration-level key manager for a given auth type.
- * Includes base DEK operations + auto-generated getters/setters for all fields.
- *
- * @template T - The auth type
- * @template Config - Optional plugin auth config for extension fields
- */
-type IntegrationKeyManagerFor<T extends AuthTypes, Config extends PluginAuthConfig | undefined = undefined> = BaseKeyManager & AllFieldAccessors<IntegrationFieldNames<T, Config>>;
-/**
- * Account-level key manager for a given auth type.
- * Includes base DEK operations + auto-generated getters/setters for all fields.
- * OAuth2 account managers also include `get_integration_credentials`.
- *
- * @template T - The auth type
- * @template Config - Optional plugin auth config for extension fields
- */
-type AccountKeyManagerFor<T extends AuthTypes, Config extends PluginAuthConfig | undefined = undefined> = BaseKeyManager & AllFieldAccessors<AccountFieldNames<T, Config>> & (T extends 'oauth_2' ? {
-    /**
-     * Get the integration-level OAuth2 credentials (client_id, client_secret, redirect_url).
-     * Useful for token refresh flows that need access to both account and integration secrets.
-     */
-    get_integration_credentials: () => Promise<OAuth2IntegrationCredentials>;
-} : {});
+import { q as AllErrors, A as AuthTypes, a as AccountKeyManagerFor, P as PluginAuthConfig, I as IntegrationKeyManagerFor, f as AllProviders, H as HubConfig, n as HubConfigInput } from './types-B1We8TTP.js';
 
 /**
  * Bivariance hack for function types to ensure proper type inference.
@@ -307,6 +162,29 @@ type ManagementOk = {
     ok: true;
 };
 type PermissionRecord = CorsairPermission;
+type CreateConnectLinkInput = {
+    plugin: string;
+    tenantId?: string;
+};
+type ConnectLink = {
+    connectUrl: string;
+    state: string;
+};
+type ResolvedConnectLink = {
+    plugin: string;
+    tenantId: string;
+    providerName: string;
+    oauthUrl: string;
+    state: string;
+};
+type OAuthCallbackInput = {
+    code: string;
+    state: string;
+};
+type OAuthCallbackResult = {
+    plugin: string;
+    tenantId: string;
+};
 
 type CorsairManageNamespace = {
     ok: () => ManagementOk;
@@ -328,168 +206,215 @@ type CorsairManageNamespace = {
         get: (id: string) => Promise<PermissionRecord>;
         getByToken: (token: string) => Promise<PermissionRecord>;
     };
+    connect: {
+        createLink: (input: CreateConnectLinkInput) => Promise<ConnectLink>;
+        resolve: (state: string) => Promise<ResolvedConnectLink>;
+        oauthCallback: (input: OAuthCallbackInput) => Promise<OAuthCallbackResult>;
+    };
 };
 
 /**
- * Raw incoming webhook data for matching (before full parsing).
- * Used by matcher functions to determine if a webhook should be handled.
+ * The `corsair.permissions` namespace available at the root of every corsair instance.
+ * Provides methods for querying and transitioning permission records.
+ *
+ * Status transitions exposed here are intentionally limited to safe, non-escalating states.
+ * Setting a record to 'approved' (which grants execution) is deliberately excluded —
+ * that must happen through the out-of-band review flow.
  */
-type RawWebhookRequest = {
-    /** HTTP headers from the webhook request */
-    headers: Record<string, string | string[] | undefined>;
-    /** Raw request body (string or already parsed object) */
-    body: unknown;
+type CorsairPermissionsNamespace = {
+    /**
+     * Fetches a single permission record by its ID.
+     * Returns undefined if no record exists or if no database is configured.
+     */
+    find_by_permission_id(id: string): Promise<CorsairPermission | undefined>;
+    /**
+     * Fetches a single permission record by its token.
+     * The token is the public-facing handle embedded in review URLs.
+     * Returns undefined if no record exists or if no database is configured.
+     */
+    find_by_token(token: string): Promise<CorsairPermission | undefined>;
+    /**
+     * Marks the permission as 'executing'. Call this when executePermission picks up
+     * an approved record and is about to run the endpoint.
+     */
+    set_executing(id: string): Promise<void>;
+    /**
+     * Marks the permission as 'completed'. Call this after the endpoint has finished
+     * executing successfully.
+     */
+    set_completed(id: string): Promise<void>;
 };
-/**
- * Raw incoming webhook request data after initial processing.
- * Contains the parsed payload, headers, and optional raw body string.
- * @template TPayload - The type of the parsed webhook payload
- */
-type WebhookRequest<TPayload = unknown> = {
-    /** Parsed payload from the webhook request body */
-    payload: TPayload;
-    /** HTTP headers from the webhook request */
-    headers: Record<string, string | string[] | undefined>;
-    /** Raw request body string (for signature verification) */
-    rawBody?: string;
+type EnforcePermissionOptions = {
+    pluginId: string;
+    endpointPath: string;
+    /** unknown: caller-supplied args vary per endpoint — not statically knowable here */
+    args: unknown;
+    mode: PermissionMode;
+    override?: PermissionPolicy;
+    riskLevel: EndpointRiskLevel;
+    meta?: EndpointMetaEntry;
+    /** Required to create an approval record. Without a DB, 'require_approval' falls back to deny. */
+    db?: CorsairDatabase;
+    timeoutMs?: number;
+    /** Tenant ID for multi-tenant instances. Stored on the record so executePermission can scope correctly. Defaults to 'default'. */
+    tenantId?: string;
+    /**
+     * Controls whether the call blocks until the user approves or denies.
+     * - `'synchronous'`  → polls the DB every 500 ms; returns 'allow' on approval, 'blocked' on denial/timeout.
+     * - `'asynchronous'` → returns 'blocked' immediately after creating the pending record.
+     * - A no-arg function → called per-request, return value selects the mode dynamically.
+     * Defaults to `'asynchronous'`.
+     */
+    approvalMode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
+};
+type EnforcePermissionResult = {
+    result: 'allow' | 'blocked';
+    /** Why the call was blocked. Only present when result === 'blocked'. */
+    reason?: 'denied' | 'policy' | 'timeout' | 'pending';
+    /** Permission record ID. Present when a pending approval record exists. */
+    id?: string;
+    /** Permission token (the value embedded in review URLs). Present when a pending approval record exists. */
+    token?: string;
+    /** ISO8601 expiry for pending approval records. Present when token is present. */
+    expiresAt?: string;
+    /**
+     * Called by the endpoint binding layer after the endpoint executes successfully.
+     * Marks the permission record as 'completed' (single-use approval consumed).
+     * Only present when an 'approved' record was found and the call is allowed through.
+     */
+    onComplete?: () => Promise<void>;
 };
+
 /**
- * Response from a webhook handler that can include acknowledgment data.
- * @template TData - The type of data to return in the response
+ * Extracts typed entity clients from a plugin schema.
+ * Each entity type becomes a `PluginEntityClient<DataSchema>`.
+ * Entities are nested under `db` to separate them from API endpoints.
  */
-type WebhookResponse<TData = unknown> = {
-    /** Whether the webhook was processed successfully */
-    success: boolean;
-    /** The entity relevant to the webhook (note that this is corsair_entities.id) */
-    corsairEntityId?: string;
-    /** Return this object to the sender. Defaults to empty. Usually only necessary for webhook confirmation / challenge. */
-    returnToSender?: Record<string, string>;
-    /** Optional data to return in the HTTP response */
-    data?: TData;
-    /** Optional error message if processing failed */
-    error?: string;
-    /** HTTP status code to return (defaults to 200 on success, 500 on error) */
-    statusCode?: number;
-    /** HTTP response headers to set on the outgoing response. Used for header-based handshakes (e.g. Asana X-Hook-Secret). */
-    responseHeaders?: Record<string, string>;
-};
+type InferPluginEntities<Schema extends CorsairPluginSchema<Record<string, ZodTypeAny>> | undefined> = Schema extends CorsairPluginSchema<infer Entities> ? {
+    db: PluginEntityClients<Entities>;
+} : {};
 /**
- * A webhook matcher function that synchronously determines if a raw webhook
- * request should be handled by this webhook.
- * @param request - The raw webhook request data
- * @returns True if this webhook should handle the request
+ * Utility type that converts a union to an intersection type.
  */
-type CorsairWebhookMatcher = (request: RawWebhookRequest) => boolean;
+type UnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends (k: infer I) => void ? I : never;
 /**
- * Bivariance hack for webhook function types to ensure proper type inference.
- * @template Args - The function arguments
- * @template R - The function return type
+ * Extracts the authType from plugin options.
+ * @template Options - The plugin options type
+ * @template DefaultAuthType - Optional default auth type to use when authType is optional or not present
+ *
+ * Priority:
+ * 1. If authType is a specific single AuthType (not a union), use that
+ * 2. If DefaultAuthType parameter is provided, use that as the fallback
+ * 3. Otherwise use the non-nullable union from authType
+ * 4. If authType is not in Options at all, fall back to DefaultAuthType
  */
-type Bivariant<Args extends unknown[], R> = {
-    bivarianceHack(...args: Args): R;
-}['bivarianceHack'];
+type ExtractAuthType<Options, DefaultAuthType extends AuthTypes | undefined = undefined> = 'authType' extends keyof Options ? Options['authType'] extends AuthTypes ? Options['authType'] : DefaultAuthType extends AuthTypes ? DefaultAuthType : NonNullable<Options['authType']> extends AuthTypes ? NonNullable<Options['authType']> : never : DefaultAuthType extends AuthTypes ? DefaultAuthType : never;
 /**
- * A webhook handler function definition that processes incoming webhooks.
- * Takes context + webhook request, returns a webhook response.
- * @template Ctx - The context type passed to the handler
- * @template TPayload - The type of the webhook payload
- * @template TResponseData - The type of data returned in the response
+ * Extracts Options type from plugin's options property.
  */
-type CorsairWebhookHandler<Ctx extends CorsairContext = CorsairContext, TPayload = unknown, TResponseData = unknown> = Bivariant<[
-    ctx: Ctx,
-    request: WebhookRequest<TPayload>
-], Promise<WebhookResponse<TResponseData>>>;
+type InferPluginOptions<P> = P extends {
+    options?: infer O;
+} ? O : never;
 /**
- * A complete webhook definition with both matcher and handler.
- * The matcher synchronously determines if this webhook handles the incoming request.
- * The handler processes the webhook after matching.
- * @template Ctx - The context type passed to the handler
- * @template TPayload - The type of the webhook payload
- * @template TResponseData - The type of data returned in the response
+ * Extracts DefaultAuthType from plugin's __defaultAuthType property.
+ * Uses NonNullable<D> because the __defaultAuthType property is optional,
+ * which causes TypeScript to infer D as `AuthType | undefined`.
  */
-type CorsairWebhook<Ctx extends CorsairContext = CorsairContext, TPayload = unknown, TResponseData = unknown> = {
-    /** Synchronously determines if this webhook handles the incoming request */
-    match: CorsairWebhookMatcher;
-    /** Handles the webhook request after matching */
-    handler: CorsairWebhookHandler<Ctx, TPayload, TResponseData>;
-};
+type InferDefaultAuthType<P> = P extends {
+    __defaultAuthType?: infer D;
+} ? NonNullable<D> extends AuthTypes ? NonNullable<D> : undefined : undefined;
 /**
- * A tree of webhooks that can be nested arbitrarily deep.
- * Similar to EndpointTree but for webhook handlers.
- *
- * @example
- * ```ts
- * // Flat structure
- * webhooks: {
- *   issueCreated: { match: (req) => ..., handler: async (ctx, req) => ... },
- *   issueClosed: { match: (req) => ..., handler: async (ctx, req) => ... },
- * }
- *
- * // Nested structure
- * webhooks: {
- *   issues: {
- *     created: { match: (req) => ..., handler: async (ctx, req) => ... },
- *     updated: { match: (req) => ..., handler: async (ctx, req) => ... },
- *   },
- *   pull_requests: {
- *     opened: { match: (req) => ..., handler: async (ctx, req) => ... },
- *   },
- * }
- * ```
+ * Extracts the AuthConfig from a plugin's authConfig property.
  */
-type WebhookTree = {
-    [key: string]: CorsairWebhook | WebhookTree;
-};
+type InferAuthConfig<P> = P extends {
+    authConfig?: infer C;
+} ? C extends PluginAuthConfig ? C : undefined : undefined;
 /**
- * A bound webhook - the user-facing API after context is applied.
- * Contains both the matcher (unchanged) and the bound handler.
- * @template TPayload - The type of the webhook payload
- * @template TResponseData - The type of data returned in the response
+ * Infers the complete namespace for a single plugin, including API endpoints,
+ * database entities, webhooks, and account-level keys.
  */
-type BoundWebhook<TPayload = unknown, TResponseData = unknown> = {
-    /** Synchronously determines if this webhook handles the incoming request */
-    match: CorsairWebhookMatcher;
-    /** Handles the webhook request (context already applied) */
-    handler: (request: WebhookRequest<TPayload>) => Promise<WebhookResponse<TResponseData>>;
-};
+type InferPluginNamespace<P extends CorsairPlugin> = P extends CorsairPlugin<infer Id, infer Schema, infer Endpoints, infer Webhooks> ? {
+    [K in Id]: (Endpoints extends EndpointTree ? {
+        api: BindEndpoints<Endpoints>;
+    } : {}) & InferPluginEntities<Schema> & (Webhooks extends WebhookTree ? {
+        webhooks: BindWebhooks<Webhooks>;
+        /**
+         * Synchronously checks if an incoming webhook request is intended for this plugin.
+         * Only present if the plugin defines a `pluginWebhookMatcher`.
+         * Use this as a first-level filter before checking individual webhook matchers.
+         */
+        pluginWebhookMatcher?: (request: RawWebhookRequest) => boolean;
+        /**
+         * Extracts the external tenant lookup key for this plugin's webhook.
+         * Only present if the plugin defines `pluginTenantWebhookMatcher`.
+         */
+        pluginTenantWebhookMatcher?: CorsairWebhookTenantMatcher;
+    } : {}) & (ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>> extends AuthTypes ? {
+        keys: AccountKeyManagerFor<ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>>, InferAuthConfig<P>>;
+    } : {});
+} : never;
 /**
- * A tree of bound webhooks (context already applied).
- * This is what the end user interacts with after client initialization.
+ * Infers the integration-level key manager for a single plugin.
  */
-type BoundWebhookTree = {
-    [key: string]: BoundWebhook<any, any> | BoundWebhookTree;
-};
+type InferIntegrationKeys<P extends CorsairPlugin> = P extends CorsairPlugin<infer Id> ? ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>> extends AuthTypes ? {
+    [K in Id]: IntegrationKeyManagerFor<ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>>, InferAuthConfig<P>>;
+} : never : never;
 /**
- * Recursively transforms webhook definitions to their bound (context-free) signatures.
- * Handles both flat and nested webhook structures.
- * @template T - The webhook tree to bind
+ * Combines all integration-level keys into a single interface.
  */
-type BindWebhooks<T extends WebhookTree> = {
-    [K in keyof T]: T[K] extends CorsairWebhook<any, infer P, infer R> ? BoundWebhook<P, R> : T[K] extends WebhookTree ? BindWebhooks<T[K]> : never;
+type InferAllIntegrationKeys<Plugins extends readonly CorsairPlugin[]> = UnionToIntersection<InferIntegrationKeys<Plugins[number]>>;
+/**
+ * Combines all plugin namespaces into a single client interface.
+ */
+type InferPluginNamespaces<Plugins extends readonly CorsairPlugin[]> = UnionToIntersection<InferPluginNamespace<Plugins[number]>>;
+/**
+ * The main Corsair client type that provides access to all plugin APIs, entities, webhooks, and keys.
+ */
+type CorsairClient<Plugins extends readonly CorsairPlugin[]> = InferPluginNamespaces<Plugins>;
+/**
+ * Multi-tenant wrapper that provides a `withTenant` method to scope operations to a specific tenant.
+ * Also includes integration-level `keys` for managing shared secrets (OAuth2 client credentials, etc.)
+ */
+type CorsairTenantWrapper<Plugins extends readonly CorsairPlugin[]> = {
+    withTenant: (tenantId: string) => CorsairClient<Plugins>;
+    /**
+     * Integration-level key managers for each plugin.
+     * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
+     */
+    keys: InferAllIntegrationKeys<Plugins>;
+    /**
+     * Permission management namespace. Use this to query and transition permission records.
+     * Available at the root regardless of multi-tenancy setting.
+     */
+    permissions: CorsairPermissionsNamespace;
+    /**
+     * Management control plane namespace — in-process equivalent of the HTTP
+     * `managementHandler`. Lists tenants, plugins, connection status, and
+     * permission records without going through HTTP.
+     */
+    manage: CorsairManageNamespace;
 };
 /**
- * Derives all dot-notation webhook paths from a WebhookTree as a string literal union.
- * Used to provide compile-time validation for webhook schema registry keys.
- * Passing an invalid path to any config that accepts WebhookPathsOf<T> is a type error.
- *
- * Design note: Same recursive constraint relaxation as EndpointPathsOf — see that type
- * for a full explanation of why we use `extends object` rather than `extends WebhookTree`
- * on the recursive call. We also check `{ match: any; handler: any }` before `object`
- * because webhook leaves are objects themselves.
- *
- * @example
- * Given: `{ messages: { message: { match: fn, handler: fn } }, channels: { created: { match: fn, handler: fn } } }`
- * Result: `'messages.message' | 'channels.created'`
- *
- * @template T - The webhook tree to extract paths from (unconstrained to allow recursion through as-const types)
- * @template Prefix - Internal accumulator for the current path prefix (do not supply manually)
+ * Single-tenant client that includes both plugin APIs and integration-level keys.
  */
-type WebhookPathsOf<T, Prefix extends string = ''> = {
-    [K in keyof T & string]: T[K] extends {
-        match: any;
-        handler: any;
-    } ? Prefix extends '' ? K : `${Prefix}.${K}` : T[K] extends object ? WebhookPathsOf<T[K], Prefix extends '' ? K : `${Prefix}.${K}`> : never;
-}[keyof T & string];
+type CorsairSingleTenantClient<Plugins extends readonly CorsairPlugin[]> = CorsairClient<Plugins> & {
+    /**
+     * Integration-level key managers for each plugin.
+     * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
+     */
+    keys: InferAllIntegrationKeys<Plugins>;
+    /**
+     * Permission management namespace. Use this to query and transition permission records.
+     * Available at the root regardless of multi-tenancy setting.
+     */
+    permissions: CorsairPermissionsNamespace;
+    /**
+     * Management control plane namespace — in-process equivalent of the HTTP
+     * `managementHandler`. Lists tenants, plugins, connection status, and
+     * permission records without going through HTTP.
+     */
+    manage: CorsairManageNamespace;
+};
 
 /**
  * Risk level classification for plugin endpoints.
@@ -725,6 +650,8 @@ type ExtractAllAuthTypes<Options> = 'authType' extends keyof Options ? NonNullab
  *     return await ctx.keys.get_access_token();
  *   } else if (ctx.authType === 'bot_token') {
  *     return await ctx.keys.get_bot_token();
+ *   } else if (ctx.authType === 'managed') {
+ *     return await ctx.keys.get_access_token();
  *   }
  *   return '';
  * }
@@ -737,6 +664,10 @@ type KeyBuilderContext<Options extends Record<string, unknown>, AuthConfig exten
     options: Options;
     /** Account-level key manager - type narrows based on authType check */
     keys: AccountKeyManagerFor<A, AuthConfig>;
+    /** Tenant ID for this request (always set; defaults to 'default' in single-tenant) */
+    tenantId: string;
+    /** Hub config when createCorsair({ hub: ... }) is configured */
+    hub?: HubConfig;
 } : never : never;
 /**
  * Type for the keyBuilder callback function that retrieves the authentication key.
@@ -780,6 +711,17 @@ type CorsairPlugin<Id extends AllProviders = AllProviders, Schema extends Corsai
      * should handle an incoming request. Acts as a first-level filter.
      */
     pluginWebhookMatcher?: CorsairWebhookMatcher;
+    /**
+     * Extracts the external identifier used to resolve a tenant for this webhook
+     * (for example Slack `team_id`, GitHub `installation.id`). Return null when
+     * the request cannot be mapped to a tenant.
+     */
+    pluginTenantWebhookMatcher?: CorsairWebhookTenantMatcher;
+    /**
+     * Resolves the external id to store on the account after OAuth so incoming
+     * webhooks can be routed to the correct tenant. Return null when unavailable.
+     */
+    oauthWebhookTenantLinkResolver?: CorsairOAuthWebhookTenantLinkResolver;
     /** Plugin-specific error handlers */
     errorHandlers?: CorsairErrorHandler;
     /**
@@ -1005,251 +947,206 @@ type CorsairIntegration<Plugins extends readonly CorsairPlugin[]> = {
             state: string;
         }) => string;
     };
+    /** Corsair Hub configuration for hosted OAuth connect flows. */
+    hub?: HubConfigInput;
 };
 
+type TokenResponse = {
+    access_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+    token_type?: string;
+    [key: string]: unknown;
+};
 /**
- * The `corsair.permissions` namespace available at the root of every corsair instance.
- * Provides methods for querying and transitioning permission records.
- *
- * Status transitions exposed here are intentionally limited to safe, non-escalating states.
- * Setting a record to 'approved' (which grants execution) is deliberately excluded —
- * that must happen through the out-of-band review flow.
+ * Exchanges an OAuth authorization code for access/refresh tokens.
+ * Supports both 'body' (default) and 'basic' token auth methods.
  */
-type CorsairPermissionsNamespace = {
-    /**
-     * Fetches a single permission record by its ID.
-     * Returns undefined if no record exists or if no database is configured.
-     */
-    find_by_permission_id(id: string): Promise<CorsairPermission | undefined>;
-    /**
-     * Fetches a single permission record by its token.
-     * The token is the public-facing handle embedded in review URLs.
-     * Returns undefined if no record exists or if no database is configured.
-     */
-    find_by_token(token: string): Promise<CorsairPermission | undefined>;
-    /**
-     * Marks the permission as 'executing'. Call this when executePermission picks up
-     * an approved record and is about to run the endpoint.
-     */
-    set_executing(id: string): Promise<void>;
-    /**
-     * Marks the permission as 'completed'. Call this after the endpoint has finished
-     * executing successfully.
-     */
-    set_completed(id: string): Promise<void>;
-};
-type EnforcePermissionOptions = {
-    pluginId: string;
-    endpointPath: string;
-    /** unknown: caller-supplied args vary per endpoint — not statically knowable here */
-    args: unknown;
-    mode: PermissionMode;
-    override?: PermissionPolicy;
-    riskLevel: EndpointRiskLevel;
-    meta?: EndpointMetaEntry;
-    /** Required to create an approval record. Without a DB, 'require_approval' falls back to deny. */
-    db?: CorsairDatabase;
-    timeoutMs?: number;
-    /** Tenant ID for multi-tenant instances. Stored on the record so executePermission can scope correctly. Defaults to 'default'. */
-    tenantId?: string;
-    /**
-     * Controls whether the call blocks until the user approves or denies.
-     * - `'synchronous'`  → polls the DB every 500 ms; returns 'allow' on approval, 'blocked' on denial/timeout.
-     * - `'asynchronous'` → returns 'blocked' immediately after creating the pending record.
-     * - A no-arg function → called per-request, return value selects the mode dynamically.
-     * Defaults to `'asynchronous'`.
-     */
-    approvalMode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
-};
-type EnforcePermissionResult = {
-    result: 'allow' | 'blocked';
-    /** Why the call was blocked. Only present when result === 'blocked'. */
-    reason?: 'denied' | 'policy' | 'timeout' | 'pending';
-    /** Permission record ID. Present when a pending approval record exists. */
-    id?: string;
-    /** Permission token (the value embedded in review URLs). Present when a pending approval record exists. */
-    token?: string;
-    /**
-     * Called by the endpoint binding layer after the endpoint executes successfully.
-     * Marks the permission record as 'completed' (single-use approval consumed).
-     * Only present when an 'approved' record was found and the call is allowed through.
-     */
-    onComplete?: () => Promise<void>;
-};
+declare function exchangeCodeForTokens(code: string, clientId: string, clientSecret: string, oauthConfig: OAuthConfig, redirectUri: string): Promise<TokenResponse>;
 
 /**
- * Extracts typed entity clients from a plugin schema.
- * Each entity type becomes a `PluginEntityClient<DataSchema>`.
- * Entities are nested under `db` to separate them from API endpoints.
+ * Raw incoming webhook data for matching (before full parsing).
+ * Used by matcher functions to determine if a webhook should be handled.
  */
-type InferPluginEntities<Schema extends CorsairPluginSchema<Record<string, ZodTypeAny>> | undefined> = Schema extends CorsairPluginSchema<infer Entities> ? {
-    db: PluginEntityClients<Entities>;
-} : {};
+type RawWebhookRequest = {
+    /** HTTP headers from the webhook request */
+    headers: Record<string, string | string[] | undefined>;
+    /** Raw request body (string or already parsed object) */
+    body: unknown;
+    /** Query string parameters when available (e.g. Microsoft Graph validationToken). */
+    query?: Record<string, string | string[] | undefined>;
+};
 /**
- * Utility type that converts a union to an intersection type.
+ * Raw incoming webhook request data after initial processing.
+ * Contains the parsed payload, headers, and optional raw body string.
+ * @template TPayload - The type of the parsed webhook payload
  */
-type UnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends (k: infer I) => void ? I : never;
+type WebhookRequest<TPayload = unknown> = {
+    /** Parsed payload from the webhook request body */
+    payload: TPayload;
+    /** HTTP headers from the webhook request */
+    headers: Record<string, string | string[] | undefined>;
+    /** Raw request body string (for signature verification) */
+    rawBody?: string;
+    /** Query string parameters when available. */
+    query?: Record<string, string | string[] | undefined>;
+};
 /**
- * Extracts the authType from plugin options.
- * @template Options - The plugin options type
- * @template DefaultAuthType - Optional default auth type to use when authType is optional or not present
- *
- * Priority:
- * 1. If authType is a specific single AuthType (not a union), use that
- * 2. If DefaultAuthType parameter is provided, use that as the fallback
- * 3. Otherwise use the non-nullable union from authType
- * 4. If authType is not in Options at all, fall back to DefaultAuthType
+ * Response from a webhook handler that can include acknowledgment data.
+ * @template TData - The type of data to return in the response
  */
-type ExtractAuthType<Options, DefaultAuthType extends AuthTypes | undefined = undefined> = 'authType' extends keyof Options ? Options['authType'] extends AuthTypes ? Options['authType'] : DefaultAuthType extends AuthTypes ? DefaultAuthType : NonNullable<Options['authType']> extends AuthTypes ? NonNullable<Options['authType']> : never : DefaultAuthType extends AuthTypes ? DefaultAuthType : never;
+type WebhookResponse<TData = unknown> = {
+    /** Whether the webhook was processed successfully */
+    success: boolean;
+    /** The entity relevant to the webhook (note that this is corsair_entities.id) */
+    corsairEntityId?: string;
+    /** Return this object to the sender. Defaults to empty. Usually only necessary for webhook confirmation / challenge. */
+    returnToSender?: Record<string, string>;
+    /** Optional data to return in the HTTP response */
+    data?: TData;
+    /** Optional error message if processing failed */
+    error?: string;
+    /** HTTP status code to return (defaults to 200 on success, 500 on error) */
+    statusCode?: number;
+    /** HTTP response headers to set on the outgoing response. Used for header-based handshakes (e.g. Asana X-Hook-Secret). */
+    responseHeaders?: Record<string, string>;
+};
 /**
- * Extracts Options type from plugin's options property.
+ * A webhook matcher function that synchronously determines if a raw webhook
+ * request should be handled by this webhook.
+ * @param request - The raw webhook request data
+ * @returns True if this webhook should handle the request
  */
-type InferPluginOptions<P> = P extends {
-    options?: infer O;
-} ? O : never;
+type CorsairWebhookMatcher = (request: RawWebhookRequest) => boolean;
 /**
- * Extracts DefaultAuthType from plugin's __defaultAuthType property.
- * Uses NonNullable<D> because the __defaultAuthType property is optional,
- * which causes TypeScript to infer D as `AuthType | undefined`.
+ * Identifies which external credential key should be used to resolve a tenant
+ * for an incoming webhook. The `linkType` names the field stored on
+ * `corsair_accounts` (for example `team_id`, `installation_id`).
  */
-type InferDefaultAuthType<P> = P extends {
-    __defaultAuthType?: infer D;
-} ? NonNullable<D> extends AuthTypes ? NonNullable<D> : undefined : undefined;
+type WebhookTenantMatch = {
+    linkType: string;
+    externalId: string;
+};
 /**
- * Extracts the AuthConfig from a plugin's authConfig property.
+ * Extracts the tenant lookup key from a webhook after the plugin has been
+ * identified. Return null when the payload does not contain a resolvable id
+ * (for example URL verification challenges).
  */
-type InferAuthConfig<P> = P extends {
-    authConfig?: infer C;
-} ? C extends PluginAuthConfig ? C : undefined : undefined;
+type CorsairWebhookTenantMatcher = (request: RawWebhookRequest) => WebhookTenantMatch | null;
 /**
- * Infers the complete namespace for a single plugin, including API endpoints,
- * database entities, webhooks, and account-level keys.
+ * Resolves the webhook tenant link field after OAuth completes.
+ * Return null when the provider does not expose a stable external id.
  */
-type InferPluginNamespace<P extends CorsairPlugin> = P extends CorsairPlugin<infer Id, infer Schema, infer Endpoints, infer Webhooks> ? {
-    [K in Id]: (Endpoints extends EndpointTree ? {
-        api: BindEndpoints<Endpoints>;
-    } : {}) & InferPluginEntities<Schema> & (Webhooks extends WebhookTree ? {
-        webhooks: BindWebhooks<Webhooks>;
-        /**
-         * Synchronously checks if an incoming webhook request is intended for this plugin.
-         * Only present if the plugin defines a `pluginWebhookMatcher`.
-         * Use this as a first-level filter before checking individual webhook matchers.
-         */
-        pluginWebhookMatcher?: (request: RawWebhookRequest) => boolean;
-    } : {}) & (ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>> extends AuthTypes ? {
-        keys: AccountKeyManagerFor<ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>>, InferAuthConfig<P>>;
-    } : {});
-} : never;
+type CorsairOAuthWebhookTenantLinkResolver = (tokens: TokenResponse) => WebhookTenantMatch | null | Promise<WebhookTenantMatch | null>;
 /**
- * Infers the integration-level key manager for a single plugin.
+ * Bivariance hack for webhook function types to ensure proper type inference.
+ * @template Args - The function arguments
+ * @template R - The function return type
  */
-type InferIntegrationKeys<P extends CorsairPlugin> = P extends CorsairPlugin<infer Id> ? ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>> extends AuthTypes ? {
-    [K in Id]: IntegrationKeyManagerFor<ExtractAuthType<InferPluginOptions<P>, InferDefaultAuthType<P>>, InferAuthConfig<P>>;
-} : never : never;
+type Bivariant<Args extends unknown[], R> = {
+    bivarianceHack(...args: Args): R;
+}['bivarianceHack'];
 /**
- * Combines all integration-level keys into a single interface.
+ * A webhook handler function definition that processes incoming webhooks.
+ * Takes context + webhook request, returns a webhook response.
+ * @template Ctx - The context type passed to the handler
+ * @template TPayload - The type of the webhook payload
+ * @template TResponseData - The type of data returned in the response
  */
-type InferAllIntegrationKeys<Plugins extends readonly CorsairPlugin[]> = UnionToIntersection<InferIntegrationKeys<Plugins[number]>>;
+type CorsairWebhookHandler<Ctx extends CorsairContext = CorsairContext, TPayload = unknown, TResponseData = unknown> = Bivariant<[
+    ctx: Ctx,
+    request: WebhookRequest<TPayload>
+], Promise<WebhookResponse<TResponseData>>>;
 /**
- * Combines all plugin namespaces into a single client interface.
+ * A complete webhook definition with both matcher and handler.
+ * The matcher synchronously determines if this webhook handles the incoming request.
+ * The handler processes the webhook after matching.
+ * @template Ctx - The context type passed to the handler
+ * @template TPayload - The type of the webhook payload
+ * @template TResponseData - The type of data returned in the response
  */
-type InferPluginNamespaces<Plugins extends readonly CorsairPlugin[]> = UnionToIntersection<InferPluginNamespace<Plugins[number]>>;
+type CorsairWebhook<Ctx extends CorsairContext = CorsairContext, TPayload = unknown, TResponseData = unknown> = {
+    /** Synchronously determines if this webhook handles the incoming request */
+    match: CorsairWebhookMatcher;
+    /** Handles the webhook request after matching */
+    handler: CorsairWebhookHandler<Ctx, TPayload, TResponseData>;
+};
 /**
- * The main Corsair client type that provides access to all plugin APIs, entities, webhooks, and keys.
+ * A tree of webhooks that can be nested arbitrarily deep.
+ * Similar to EndpointTree but for webhook handlers.
+ *
+ * @example
+ * ```ts
+ * // Flat structure
+ * webhooks: {
+ *   issueCreated: { match: (req) => ..., handler: async (ctx, req) => ... },
+ *   issueClosed: { match: (req) => ..., handler: async (ctx, req) => ... },
+ * }
+ *
+ * // Nested structure
+ * webhooks: {
+ *   issues: {
+ *     created: { match: (req) => ..., handler: async (ctx, req) => ... },
+ *     updated: { match: (req) => ..., handler: async (ctx, req) => ... },
+ *   },
+ *   pull_requests: {
+ *     opened: { match: (req) => ..., handler: async (ctx, req) => ... },
+ *   },
+ * }
+ * ```
  */
-type CorsairClient<Plugins extends readonly CorsairPlugin[]> = InferPluginNamespaces<Plugins>;
+type WebhookTree = {
+    [key: string]: CorsairWebhook | WebhookTree;
+};
 /**
- * Multi-tenant wrapper that provides a `withTenant` method to scope operations to a specific tenant.
- * Also includes integration-level `keys` for managing shared secrets (OAuth2 client credentials, etc.)
+ * A bound webhook - the user-facing API after context is applied.
+ * Contains both the matcher (unchanged) and the bound handler.
+ * @template TPayload - The type of the webhook payload
+ * @template TResponseData - The type of data returned in the response
  */
-type CorsairTenantWrapper<Plugins extends readonly CorsairPlugin[]> = {
-    withTenant: (tenantId: string) => CorsairClient<Plugins>;
-    /**
-     * Integration-level key managers for each plugin.
-     * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
-     */
-    keys: InferAllIntegrationKeys<Plugins>;
-    /**
-     * Permission management namespace. Use this to query and transition permission records.
-     * Available at the root regardless of multi-tenancy setting.
-     */
-    permissions: CorsairPermissionsNamespace;
-    /**
-     * Management control plane namespace — in-process equivalent of the HTTP
-     * `managementHandler`. Lists tenants, plugins, connection status, and
-     * permission records without going through HTTP.
-     */
-    manage: CorsairManageNamespace;
+type BoundWebhook<TPayload = unknown, TResponseData = unknown> = {
+    /** Synchronously determines if this webhook handles the incoming request */
+    match: CorsairWebhookMatcher;
+    /** Handles the webhook request (context already applied) */
+    handler: (request: WebhookRequest<TPayload>) => Promise<WebhookResponse<TResponseData>>;
 };
 /**
- * Single-tenant client that includes both plugin APIs and integration-level keys.
+ * A tree of bound webhooks (context already applied).
+ * This is what the end user interacts with after client initialization.
  */
-type CorsairSingleTenantClient<Plugins extends readonly CorsairPlugin[]> = CorsairClient<Plugins> & {
-    /**
-     * Integration-level key managers for each plugin.
-     * Used to manage secrets shared across all tenants (e.g., OAuth2 client_id, client_secret).
-     */
-    keys: InferAllIntegrationKeys<Plugins>;
-    /**
-     * Permission management namespace. Use this to query and transition permission records.
-     * Available at the root regardless of multi-tenancy setting.
-     */
-    permissions: CorsairPermissionsNamespace;
-    /**
-     * Management control plane namespace — in-process equivalent of the HTTP
-     * `managementHandler`. Lists tenants, plugins, connection status, and
-     * permission records without going through HTTP.
-     */
-    manage: CorsairManageNamespace;
-};
-
-declare const CORSAIR_INTERNAL: unique symbol;
-type CorsairInternalConfig = {
-    plugins: readonly CorsairPlugin[];
-    database: CorsairDatabase | undefined;
-    kek: string;
-    multiTenancy: boolean;
-    approval?: {
-        timeout: string;
-        onTimeout: 'deny' | 'approve';
-        mode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
-        /** Called when a permission is blocked in async mode. Return the message surfaced to the LLM. */
-        formatAsyncMessage?: (opts: {
-            token: string;
-            id: string;
-            plugin: string;
-            endpoint: string;
-            args: unknown;
-        }) => string;
-    };
-    connect?: {
-        baseUrl: string;
-        redirectUri: string;
-        onAuthMissing?: (opts: {
-            plugin: string;
-            connectUrl: string;
-            state: string;
-        }) => string;
-    };
+type BoundWebhookTree = {
+    [key: string]: BoundWebhook<any, any> | BoundWebhookTree;
 };
 /**
- * Creates a Corsair integration with multi-tenancy enabled.
- * Returns a wrapper with a `withTenant()` method to scope operations to specific tenants,
- * and a `keys` property for integration-level key management.
- * @param config - Configuration with plugins, database, and multiTenancy: true
- * @returns A tenant wrapper with `withTenant(tenantId)` method and integration-level `keys`
+ * Recursively transforms webhook definitions to their bound (context-free) signatures.
+ * Handles both flat and nested webhook structures.
+ * @template T - The webhook tree to bind
  */
-declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
-    multiTenancy: true;
-}): CorsairTenantWrapper<Plugins>;
+type BindWebhooks<T extends WebhookTree> = {
+    [K in keyof T]: T[K] extends CorsairWebhook<any, infer P, infer R> ? BoundWebhook<P, R> : T[K] extends WebhookTree ? BindWebhooks<T[K]> : never;
+};
 /**
- * Creates a Corsair integration without multi-tenancy.
- * Returns a direct client instance with both plugin APIs and integration-level keys.
- * @param config - Configuration with plugins and optional database
- * @returns A Corsair client instance with plugin APIs and integration-level `keys`
+ * Derives all dot-notation webhook paths from a WebhookTree as a string literal union.
+ * Used to provide compile-time validation for webhook schema registry keys.
+ * Passing an invalid path to any config that accepts WebhookPathsOf<T> is a type error.
+ *
+ * Design note: Same recursive constraint relaxation as EndpointPathsOf — see that type
+ * for a full explanation of why we use `extends object` rather than `extends WebhookTree`
+ * on the recursive call. We also check `{ match: any; handler: any }` before `object`
+ * because webhook leaves are objects themselves.
+ *
+ * @example
+ * Given: `{ messages: { message: { match: fn, handler: fn } }, channels: { created: { match: fn, handler: fn } } }`
+ * Result: `'messages.message' | 'channels.created'`
+ *
+ * @template T - The webhook tree to extract paths from (unconstrained to allow recursion through as-const types)
+ * @template Prefix - Internal accumulator for the current path prefix (do not supply manually)
  */
-declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
-    multiTenancy?: false | undefined;
-}): CorsairSingleTenantClient<Plugins>;
+type WebhookPathsOf<T, Prefix extends string = ''> = {
+    [K in keyof T & string]: T[K] extends {
+        match: any;
+        handler: any;
+    } ? Prefix extends '' ? K : `${Prefix}.${K}` : T[K] extends object ? WebhookPathsOf<T[K], Prefix extends '' ? K : `${Prefix}.${K}`> : never;
+}[keyof T & string];
 
-export { type RequiredPluginWebhookSchemas as $, type AuthTypes as A, type BaseAuthFieldConfig as B, type CorsairPlugin as C, type ErrorMatcher as D, type EndpointRiskLevel as E, type RetryStrategy as F, type CorsairPermissionsNamespace as G, type EnforcePermissionOptions as H, type IntegrationKeyManagerFor as I, type EnforcePermissionResult as J, type BeforeHookResult as K, type CorsairIntegration as L, type CorsairKeyBuilder as M, type CorsairKeyBuilderBase as N, type OAuthConfig as O, type PluginAuthConfig as P, type CorsairPluginContext as Q, type RetryStrategies as R, type EndpointHooks as S, type EndpointMetaEntry as T, type KeyBuilderContext as U, type PermissionMode as V, type PermissionPolicy as W, type PluginEndpointMeta as X, type PluginPermissionsConfig as Y, type RequiredPluginEndpointMeta as Z, type RequiredPluginEndpointSchemas as _, type AccountKeyManagerFor as a, type WebhookHooks as a0, type Bivariant$2 as a1, type UnionToIntersection$1 as a2, type BindWebhooks as a3, type BoundWebhook as a4, type BoundWebhookTree as a5, type CorsairWebhook as a6, type CorsairWebhookHandler as a7, type CorsairWebhookMatcher as a8, type RawWebhookRequest as a9, type WebhookPathsOf as aa, type WebhookRequest as ab, type WebhookResponse as ac, type WebhookTree as ad, type ManagementOk as ae, type Tenant as af, type CreateTenantInput as ag, type PluginInfo as ah, type ConnectionStatus as ai, type PermissionRecord as aj, type CorsairManageNamespace as ak, type PluginConnectionState as al, CORSAIR_INTERNAL as b, type CorsairInternalConfig as c, createCorsair as d, type AccountFieldNames as e, type BaseKeyManager as f, type IntegrationFieldNames as g, type OAuth2IntegrationCredentials as h, BASE_AUTH_FIELDS as i, type CorsairClient as j, type CorsairSingleTenantClient as k, type CorsairTenantWrapper as l, type AllProviders as m, BaseProviders as n, type PickAuth as o, type BindEndpoints as p, type BoundEndpointFn as q, type BoundEndpointTree as r, type CorsairContext as s, type CorsairEndpoint as t, type EndpointPathsOf as u, type EndpointTree as v, type CorsairErrorHandler as w, type ErrorContext as x, type ErrorHandler as y, type ErrorHandlerAndMatchFunction as z };
+export { type WebhookResponse as $, type PermissionPolicy as A, type BindEndpoints as B, type CorsairPlugin as C, type PluginEndpointMeta as D, type EndpointPathsOf as E, type PluginPermissionsConfig as F, type RequiredPluginEndpointMeta as G, type RequiredPluginEndpointSchemas as H, type RequiredPluginWebhookSchemas as I, type WebhookHooks as J, type KeyBuilderContext as K, type BindWebhooks as L, type BoundWebhook as M, type BoundWebhookTree as N, type OAuthConfig as O, type PermissionMode as P, type CorsairOAuthWebhookTenantLinkResolver as Q, type RetryStrategies as R, type CorsairWebhook as S, type TokenResponse as T, type CorsairWebhookHandler as U, type CorsairWebhookMatcher as V, type WebhookTenantMatch as W, type CorsairWebhookTenantMatcher as X, type RawWebhookRequest as Y, type WebhookPathsOf as Z, type WebhookRequest as _, type CorsairIntegration as a, type WebhookTree as a0, type ManagementOk as a1, type Tenant as a2, type CreateTenantInput as a3, type PluginInfo as a4, type ConnectionStatus as a5, type PermissionRecord as a6, type CreateConnectLinkInput as a7, type ConnectLink as a8, type ResolvedConnectLink as a9, type OAuthCallbackInput as aa, type OAuthCallbackResult as ab, type CorsairManageNamespace as ac, type PluginConnectionState as ad, type CorsairTenantWrapper as b, type CorsairSingleTenantClient as c, type CorsairClient as d, exchangeCodeForTokens as e, type BoundEndpointFn as f, type BoundEndpointTree as g, type CorsairContext as h, type CorsairEndpoint as i, type EndpointTree as j, type CorsairErrorHandler as k, type ErrorContext as l, type ErrorHandler as m, type ErrorHandlerAndMatchFunction as n, type ErrorMatcher as o, type RetryStrategy as p, type CorsairPermissionsNamespace as q, type EnforcePermissionOptions as r, type EnforcePermissionResult as s, type BeforeHookResult as t, type CorsairKeyBuilder as u, type CorsairKeyBuilderBase as v, type CorsairPluginContext as w, type EndpointHooks as x, type EndpointMetaEntry as y, type EndpointRiskLevel as z };