corsair 0.1.76 → 0.1.78

package/dist/index-aVkEGoHG.d.ts

@@ -0,0 +1,53 @@
+type TunnelType = 'oauth.callback' | 'oauth.tokens' | 'webhook' | 'permission.approve' | 'permission.deny' | 'auth.credentials' | 'run';
+type TunnelEnvelope<TPayload = unknown> = {
+    type: TunnelType;
+    payload: TPayload;
+};
+type TunnelAck = {
+    status: 'ok' | 'failed';
+    retryable?: boolean;
+    error?: string;
+    webhookResponse?: {
+        status?: number;
+        body?: unknown;
+        headers?: Record<string, string>;
+    };
+};
+type WebhookTunnelPayload = {
+    headers: Record<string, string>;
+    body: string;
+    bodyBase64?: string;
+    bodyEncoding?: string;
+    query?: Record<string, string | string[] | undefined>;
+    plugin?: string;
+    linkType?: string;
+    externalId?: string;
+    tenantId?: string;
+};
+type OAuthCallbackTunnelPayload = {
+    code: string;
+    state: string;
+    redirectUri: string;
+};
+type OAuthTokensTunnelPayload = {
+    plugin: string;
+    tenantId: string;
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    scope?: string;
+};
+type ProcessCorsairRequest = {
+    headers: Headers | Record<string, string | string[] | undefined>;
+    body: string;
+};
+declare function applyPermissionDecision(corsair: unknown, token: string, decision: 'approved' | 'denied'): Promise<void>;
+type ProcessCorsairOptions = {
+    /** HMAC signing secret shared with the tunnel relay. Required unless allowUnsignedTunnel is true. */
+    signingSecret?: string;
+    /** Local development only. Skips signature verification when signingSecret is omitted. */
+    allowUnsignedTunnel?: boolean;
+};
+declare function processCorsair(corsair: unknown, request: ProcessCorsairRequest, options?: ProcessCorsairOptions): Promise<TunnelAck>;
+
+export { type OAuthCallbackTunnelPayload as O, type ProcessCorsairOptions as P, type TunnelAck as T, type WebhookTunnelPayload as W, applyPermissionDecision as a, type OAuthTokensTunnelPayload as b, type ProcessCorsairRequest as c, type TunnelEnvelope as d, type TunnelType as e, processCorsair as p };

package/dist/index-mZfhN-6e.d.ts

@@ -0,0 +1,55 @@
+import { CorsairDatabase } from './db.js';
+import { H as HubConfig } from './types-B1We8TTP.js';
+import { C as CorsairPlugin, a as CorsairIntegration, b as CorsairTenantWrapper, c as CorsairSingleTenantClient } from './index-BHyMcpwm.js';
+
+declare const CORSAIR_INTERNAL: unique symbol;
+type CorsairInternalConfig = {
+    plugins: readonly CorsairPlugin[];
+    database: CorsairDatabase | undefined;
+    kek: string;
+    multiTenancy: boolean;
+    approval?: {
+        timeout: string;
+        onTimeout: 'deny' | 'approve';
+        mode?: 'synchronous' | 'asynchronous' | (() => 'synchronous' | 'asynchronous');
+        /** Called when a permission is blocked in async mode. Return the message surfaced to the LLM. */
+        formatAsyncMessage?: (opts: {
+            token: string;
+            id: string;
+            plugin: string;
+            endpoint: string;
+            args: unknown;
+        }) => string;
+    };
+    connect?: {
+        baseUrl: string;
+        redirectUri: string;
+        onAuthMissing?: (opts: {
+            plugin: string;
+            connectUrl: string;
+            state: string;
+        }) => string;
+    };
+    hub?: HubConfig;
+};
+/**
+ * Creates a Corsair integration with multi-tenancy enabled.
+ * Returns a wrapper with a `withTenant()` method to scope operations to specific tenants,
+ * and a `keys` property for integration-level key management.
+ * @param config - Configuration with plugins, database, and multiTenancy: true
+ * @returns A tenant wrapper with `withTenant(tenantId)` method and integration-level `keys`
+ */
+declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
+    multiTenancy: true;
+}): CorsairTenantWrapper<Plugins>;
+/**
+ * Creates a Corsair integration without multi-tenancy.
+ * Returns a direct client instance with both plugin APIs and integration-level keys.
+ * @param config - Configuration with plugins and optional database
+ * @returns A Corsair client instance with plugin APIs and integration-level `keys`
+ */
+declare function createCorsair<const Plugins extends readonly CorsairPlugin[]>(config: CorsairIntegration<Plugins> & {
+    multiTenancy?: false | undefined;
+}): CorsairSingleTenantClient<Plugins>;
+
+export { CORSAIR_INTERNAL as C, type CorsairInternalConfig as a, createCorsair as c };

package/dist/index.d.ts

@@ -1,11 +1,15 @@
-import { ae as ManagementOk, af as Tenant, ag as CreateTenantInput, ah as PluginInfo, ai as ConnectionStatus, aj as PermissionRecord, k as CorsairSingleTenantClient, C as CorsairPlugin, l as CorsairTenantWrapper, j as CorsairClient, G as CorsairPermissionsNamespace, a5 as BoundWebhookTree, a9 as RawWebhookRequest, n as BaseProviders, ac as WebhookResponse } from './index-DSVPkmM-.js';
-export { ak as CorsairManageNamespace, al as PluginConnectionState, d as createCorsair } from './index-DSVPkmM-.js';
-import { F as FormFieldSchema, L as ListOperationsOptions } from './index-BnkJ_TYy.js';
-export { A as AuthMissingError, R as ResolveConnectLinkResult, f as formatDocSchemaShape, r as resolveConnectLink } from './index-BnkJ_TYy.js';
+import { a1 as ManagementOk, a2 as Tenant, a3 as CreateTenantInput, a4 as PluginInfo, a5 as ConnectionStatus, a6 as PermissionRecord, a7 as CreateConnectLinkInput, a8 as ConnectLink, a9 as ResolvedConnectLink, aa as OAuthCallbackInput, ab as OAuthCallbackResult, c as CorsairSingleTenantClient, C as CorsairPlugin, b as CorsairTenantWrapper, d as CorsairClient, q as CorsairPermissionsNamespace, N as BoundWebhookTree, Y as RawWebhookRequest, X as CorsairWebhookTenantMatcher, $ as WebhookResponse } from './index-BHyMcpwm.js';
+export { ac as CorsairManageNamespace, ad as PluginConnectionState } from './index-BHyMcpwm.js';
+export { c as createCorsair } from './index-mZfhN-6e.js';
+import { F as FormFieldSchema, L as ListOperationsOptions } from './tenant-match-utils-DXoUP9o9.js';
+export { A as AuthMissingError, j as PluginWebhookMatchers, R as ResolveConnectLinkResult, W as WebhookPluginTenantMatch, k as asRecord, g as collectPluginWebhookMatchers, l as decodePubSubData, o as firstString, f as formatDocSchemaShape, p as getHeader, m as matchWebhookPlugin, h as matchWebhookPluginAndTenant, s as readBodyRecord, r as resolveConnectLink, u as toExternalId } from './tenant-match-utils-DXoUP9o9.js';
 export { SetupCorsairOptions, setupCorsair } from './setup.js';
+export { O as OAuthCallbackTunnelPayload, P as ProcessCorsairOptions, c as ProcessCorsairRequest, T as TunnelAck, d as TunnelEnvelope, e as TunnelType, W as WebhookTunnelPayload, p as processCorsair } from './index-aVkEGoHG.js';
+import { g as BaseProviders } from './types-B1We8TTP.js';
+export { R as ResolveAccountFromWebhookLinkInput, W as WebhookTenantLink, r as resolveAccountFromWebhookLink, a as resolveTenantFromWebhookLink, b as resolveTenantIdFromWebhookLink, s as setWebhookTenantLink } from './tenant-links-UNTSO7K7.js';
+import 'zod';
 import './db.js';
 import 'kysely';
-import 'zod';
 import 'pg';
 import 'postgres';
 import './orm.js';
@@ -75,6 +79,11 @@ type CorsairManagementClient = {
         get: (id: string) => Promise<PermissionRecord>;
         getByToken: (token: string) => Promise<PermissionRecord>;
     };
+    connect: {
+        createLink: (input: CreateConnectLinkInput) => Promise<ConnectLink>;
+        resolve: (state: string) => Promise<ResolvedConnectLink>;
+        oauthCallback: (input: OAuthCallbackInput) => Promise<OAuthCallbackResult>;
+    };
 };
 declare class CorsairClientError extends Error {
     readonly status: number;
@@ -207,6 +216,8 @@ type PluginWithWebhooks = {
     webhooks?: BoundWebhookTree;
     /** Plugin-level matcher to quickly check if a webhook is for this plugin */
     pluginWebhookMatcher?: (request: RawWebhookRequest) => boolean;
+    /** Extracts the external tenant lookup key for this plugin's webhook */
+    pluginTenantWebhookMatcher?: CorsairWebhookTenantMatcher;
 };
 /**
  * The corsair instance type - a record of plugin namespaces.
@@ -245,4 +256,4 @@ declare function processWebhook(corsair: CorsairInstance, headers: WebhookHeader
     [x: string]: string | string[] | undefined;
 }): Promise<WebhookFilterResult>;
 
-export { type AnyCorsairInstance, ConnectionStatus, CorsairClientError, type CorsairClientOptions, type CorsairManagementClient, CreateTenantInput, type ExpressHandler, FormFieldSchema, type HonoHandler, ListOperationsOptions, type ManagementHandlerOptions, ManagementOk, type PermissionExecuteResult, PermissionRecord, PluginInfo, Tenant, createCorsairClient, executePermission, getSchema, getStructuredSchema, listOperations, managementHandler, processWebhook, toExpressHandler, toHonoHandler, toNextJsHandler };
+export { type AnyCorsairInstance, ConnectLink, ConnectionStatus, CorsairClientError, type CorsairClientOptions, type CorsairManagementClient, CreateConnectLinkInput, CreateTenantInput, type ExpressHandler, FormFieldSchema, type HonoHandler, ListOperationsOptions, type ManagementHandlerOptions, ManagementOk, OAuthCallbackInput, OAuthCallbackResult, type PermissionExecuteResult, PermissionRecord, PluginInfo, ResolvedConnectLink, Tenant, createCorsairClient, executePermission, getSchema, getStructuredSchema, listOperations, managementHandler, processWebhook, toExpressHandler, toHonoHandler, toNextJsHandler };

package/dist/index.js

@@ -1,3 +1,3 @@
-import{a as H}from"./chunk-UPIMTWVI.js";import{A as k,B as C,C as b,D as w,E as x,G as P,H as j,a as W,s as E,t as $,u as B,v as M,z as A}from"./chunk-LIZVHWQK.js";import"./chunk-UBM25HVI.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-FL4GOHVN.js";import"./chunk-QAIKSQAD.js";var l=class extends Error{status;code;extra;constructor(t,r,e,s={}){super(e),this.name="CorsairClientError",this.status=t,this.code=r,this.extra=s}};function _(n){return n.endsWith("/")?n.slice(0,-1):n}async function R(n){let t={};try{t=await n.json()}catch{}let r=typeof t.error=="string"?t.error:"request_failed",e=typeof t.message=="string"?t.message:`Request failed (${n.status})`,{error:s,message:i,...o}=t;return new l(n.status,r,e,o)}function F(n){let t=_(n.baseURL),r=n.fetch??globalThis.fetch.bind(globalThis);async function e(o,u){let a=u&&Object.keys(u).length?`?${new URLSearchParams(u).toString()}`:"",c=await r(`${t}${o}${a}`,{method:"GET"});if(!c.ok)throw await R(c);return await c.json()}async function s(o,u){let a=await r(`${t}${o}`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(u)});if(!a.ok)throw await R(a);return await a.json()}let i=encodeURIComponent;return{ok:()=>e("/ok"),tenants:{list:()=>e("/tenants"),create:o=>s("/tenants",o),get:o=>e(`/tenants/${i(o)}`)},plugins:{list:()=>e("/plugins"),get:o=>e(`/plugins/${i(o)}`)},connectionStatus:{get:o=>{let u={};return o?.tenantId&&(u.tenantId=o.tenantId),e("/connection-status",u)}},permissions:{get:o=>e(`/permissions/${i(o)}`),getByToken:o=>s("/permissions/lookup-by-token",{token:o})}}}function y(n){let t=n[P];if(!t)throw new Error("listOperations / getSchema: invalid corsair instance. Pass the value returned by createCorsair() or corsair.withTenant().");return t.plugins}function L(n,t){let r=b(y(n),t);return typeof r=="string"?r:Array.isArray(r)?r.join(`
-`):Object.values(r).flat().join(`
-`)}function N(n,t){return w(y(n),t)}function v(n,t){return C(y(n),t)}var D=Symbol.for("corsair:internal");function q(n,t){let r=n;for(let e of t){if(!r||typeof r!="object")return null;r=r[e]}return typeof r=="function"?r:null}function S(n){return n[D]?.database}async function J(n,t){let r=new Date().toISOString(),e=await n.permissions.find_by_token(t);if(!e)return console.error("executePermission: no permission found for token."),{error:"executePermission: no permission found for token."};if(e.status!=="approved")return console.error(`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`};if(e.expires_at<r){let a=S(n);return a&&await a.db.updateTable("corsair_permissions").set({status:"expired",updated_at:new Date}).where("id","=",e.id).execute(),console.error(`executePermission: permission '${e.id}' has expired.`),{error:`executePermission: permission '${e.id}' has expired.`,endpoint:e.endpoint,plugin:e.plugin,result:null}}let s=e.tenant_id??"default",o=(n.withTenant?n.withTenant(s):n)[e.plugin];if(!o?.api)return console.error(`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`),{error:`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`,plugin:e.plugin,endpoint:e.endpoint,result:null};let u=q(o.api,e.endpoint.split("."));if(!u)return console.error(`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`};await n.permissions.set_executing(e.id);try{let a=typeof e.args=="string"?JSON.parse(e.args):e.args,c=await u(a);return await n.permissions.set_completed(e.id),{plugin:e.plugin,endpoint:e.endpoint,result:c}}catch(a){let c=a instanceof Error?a.message:String(a),g=S(n);return g&&await g.db.updateTable("corsair_permissions").set({status:"failed",error:c,updated_at:new Date}).where("id","=",e.id).execute(),{plugin:e.plugin,endpoint:e.endpoint,result:null,error:c}}}function U(n){return n!==null&&typeof n=="object"&&"match"in n&&"handler"in n&&typeof n.match=="function"&&typeof n.handler=="function"}function I(n,t,r=[]){for(let[e,s]of Object.entries(n))if(U(s)){if(s.match(t))return{webhook:s,path:[...r,e]}}else if(s&&typeof s=="object"){let i=I(s,t,[...r,e]);if(i)return i}return null}function z(n){let t={};for(let[r,e]of Object.entries(n))t[r.toLowerCase()]=Array.isArray(e)?e[0]:e;return t}function G(n){let t=n["x-goog-resource-uri"],r=n["x-goog-channel-id"];if(!t||!r)return null;let e={resourceId:n["x-goog-resource-id"]||"",resourceState:n["x-goog-resource-state"]||"",resourceUri:t,channelId:r,channelExpiration:n["x-goog-channel-expiration"]||""};return t.includes("/drive/")&&(e.kind="drive#change"),{message:{data:Buffer.from(JSON.stringify(e)).toString("base64"),messageId:n["x-goog-message-number"]||""}}}async function Y(n,t,r,e){let s=z(t),i=typeof r=="string"?JSON.parse(r):r;(!i||typeof i=="object"&&Object.keys(i).length===0)&&s["x-goog-resource-uri"]&&(i=G(s)||i);let u={headers:s,body:i},a=e?.tenantId||"default",c=n.withTenant?n.withTenant(a):n,g=k;for(let m of g){let d=c[m];if(!d||!d.webhooks||d.pluginWebhookMatcher&&!d.pluginWebhookMatcher(u))continue;let f=I(d.webhooks,u);if(!f)continue;let h=f.path.join("."),T={payload:i,headers:s,rawBody:typeof r=="string"?r:JSON.stringify(r)};try{let p=await f.webhook.handler(T),O=!!Object.keys(p.returnToSender||{})?.length;return{plugin:m,action:h,body:i,response:O?{...p?.returnToSender,success:!0}:{success:!0},...p.responseHeaders&&{responseHeaders:p.responseHeaders}}}catch(p){return console.error(`Error executing webhook handler for ${m}.${h}:`,p),{plugin:m,action:h,body:i,response:{success:!1,error:p instanceof Error?p.message:"Unknown error"}}}}return{plugin:null,action:null,body:null}}export{W as AuthMissingError,l as CorsairClientError,j as createCorsair,F as createCorsairClient,J as executePermission,x as formatDocSchemaShape,N as getSchema,v as getStructuredSchema,L as listOperations,E as managementHandler,Y as processWebhook,A as resolveConnectLink,H as setupCorsair,$ as toExpressHandler,B as toHonoHandler,M as toNextJsHandler};
+import{a as B}from"./chunk-KLJBBN2T.js";import{$ as T,Aa as D,Ba as H,Ca as k,Da as j,P as w,U as I,da as S,ea as O,fa as L,ga as A,ha as v,la as d,ma as g,na as C,oa as f,qa as $,ra as E,sa as M,ta as W,ua as F,va as _,w as P,wa as N,x,y as b,z as R}from"./chunk-J6HIPZAR.js";import"./chunk-3X6WVI5I.js";import"./chunk-IGGCNGU2.js";import"./chunk-QAIKSQAD.js";var c=class extends Error{status;code;extra;constructor(r,o,e,a={}){super(e),this.name="CorsairClientError",this.status=r,this.code=o,this.extra=a}};function J(n){return n.endsWith("/")?n.slice(0,-1):n}async function y(n){let r={};try{r=await n.json()}catch{}let o=typeof r.error=="string"?r.error:"request_failed",e=typeof r.message=="string"?r.message:`Request failed (${n.status})`,{error:a,message:u,...t}=r;return new c(n.status,o,e,t)}function U(n){let r=J(n.baseURL),o=n.fetch??globalThis.fetch.bind(globalThis);async function e(t,s){let i=s&&Object.keys(s).length?`?${new URLSearchParams(s).toString()}`:"",p=await o(`${r}${t}${i}`,{method:"GET"});if(!p.ok)throw await y(p);return await p.json()}async function a(t,s){let i=await o(`${r}${t}`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify(s)});if(!i.ok)throw await y(i);return await i.json()}let u=encodeURIComponent;return{ok:()=>e("/ok"),tenants:{list:()=>e("/tenants"),create:t=>a("/tenants",t),get:t=>e(`/tenants/${u(t)}`)},plugins:{list:()=>e("/plugins"),get:t=>e(`/plugins/${u(t)}`)},connectionStatus:{get:t=>{let s={};return t?.tenantId&&(s.tenantId=t.tenantId),e("/connection-status",s)}},permissions:{get:t=>e(`/permissions/${u(t)}`),getByToken:t=>a("/permissions/lookup-by-token",{token:t})},connect:{createLink:t=>a("/connect/links",t),resolve:t=>e("/connect/resolve",{state:t}),oauthCallback:t=>a("/connect/oauth/callback",t)}}}function l(n){let r=n[k];if(!r)throw new Error("listOperations / getSchema: invalid corsair instance. Pass the value returned by createCorsair() or corsair.withTenant().");return r.plugins}function q(n,r){let o=g(l(n),r);return typeof o=="string"?o:Array.isArray(o)?o.join(`
+`):Object.values(o).flat().join(`
+`)}function G(n,r){return C(l(n),r)}function Y(n,r){return d(l(n),r)}var z=Symbol.for("corsair:internal");function K(n,r){let o=n;for(let e of r){if(!o||typeof o!="object")return null;o=o[e]}return typeof o=="function"?o:null}function h(n){return n[z]?.database}async function Q(n,r){let o=new Date().toISOString(),e=await n.permissions.find_by_token(r);if(!e)return console.error("executePermission: no permission found for token."),{error:"executePermission: no permission found for token."};if(e.status!=="approved")return console.error(`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: permission '${e.id}' is '${e.status}', expected 'approved'.`};if(e.expires_at<o){let i=h(n);return i&&await i.db.updateTable("corsair_permissions").set({status:"expired",updated_at:new Date}).where("id","=",e.id).execute(),console.error(`executePermission: permission '${e.id}' has expired.`),{error:`executePermission: permission '${e.id}' has expired.`,endpoint:e.endpoint,plugin:e.plugin,result:null}}let a=e.tenant_id??"default",t=(n.withTenant?n.withTenant(a):n)[e.plugin];if(!t?.api)return console.error(`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`),{error:`executePermission: plugin '${e.plugin}' not found or has no API on this corsair instance.`,plugin:e.plugin,endpoint:e.endpoint,result:null};let s=K(t.api,e.endpoint.split("."));if(!s)return console.error(`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`),{endpoint:e.endpoint,plugin:e.plugin,result:null,error:`executePermission: endpoint '${e.endpoint}' not found in plugin '${e.plugin}'.`};await n.permissions.set_executing(e.id);try{let i=typeof e.args=="string"?JSON.parse(e.args):e.args,p=await s(i);return await n.permissions.set_completed(e.id),{plugin:e.plugin,endpoint:e.endpoint,result:p}}catch(i){let p=i instanceof Error?i.message:String(i),m=h(n);return m&&await m.db.updateTable("corsair_permissions").set({status:"failed",error:p,updated_at:new Date}).where("id","=",e.id).execute(),{plugin:e.plugin,endpoint:e.endpoint,result:null,error:p}}}export{T as AuthMissingError,c as CorsairClientError,_ as asRecord,M as collectPluginWebhookMatchers,j as createCorsair,U as createCorsairClient,H as decodePubSubData,Q as executePermission,D as firstString,f as formatDocSchemaShape,W as getHeader,G as getSchema,Y as getStructuredSchema,q as listOperations,O as managementHandler,$ as matchWebhookPlugin,E as matchWebhookPluginAndTenant,I as processCorsair,w as processWebhook,N as readBodyRecord,x as resolveAccountFromWebhookLink,S as resolveConnectLink,R as resolveTenantFromWebhookLink,b as resolveTenantIdFromWebhookLink,P as setWebhookTenantLink,B as setupCorsair,L as toExpressHandler,F as toExternalId,A as toHonoHandler,v as toNextJsHandler};

package/dist/oauth.d.ts

@@ -8,6 +8,11 @@ declare function decodeOAuthState(state: string, { maxAgeMs }?: {
     maxAgeMs?: number;
 }): OAuthState | null;
 
+type OAuthCallbackErrorCode = 'invalid_corsair_instance' | 'no_database' | 'invalid_state' | 'plugin_not_found' | 'plugin_has_no_oauth_config' | 'credentials_not_configured' | 'no_access_token';
+declare class OAuthCallbackError extends Error {
+    readonly code: OAuthCallbackErrorCode;
+    constructor(code: OAuthCallbackErrorCode, message: string);
+}
 type GenerateOAuthUrlOptions = {
     tenantId: string;
     redirectUri: string;
@@ -50,4 +55,4 @@ type ProcessOAuthCallbackResult = {
  */
 declare function processOAuthCallback(corsair: unknown, options: ProcessOAuthCallbackOptions): Promise<ProcessOAuthCallbackResult>;
 
-export { type GenerateOAuthUrlOptions, type GenerateOAuthUrlResult, type ProcessOAuthCallbackOptions, type ProcessOAuthCallbackResult, decodeOAuthState, encodeOAuthState, generateOAuthUrl, processOAuthCallback };
+export { type GenerateOAuthUrlOptions, type GenerateOAuthUrlResult, OAuthCallbackError, type OAuthCallbackErrorCode, type ProcessOAuthCallbackOptions, type ProcessOAuthCallbackResult, decodeOAuthState, encodeOAuthState, generateOAuthUrl, processOAuthCallback };

package/dist/oauth.js

@@ -1 +1 @@
-import{G as x,b as C,c as O,k as p,l as m,o as f,p as _,q as A,r as y,y as b}from"./chunk-LIZVHWQK.js";import{b as P}from"./chunk-UBM25HVI.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-FL4GOHVN.js";import"./chunk-QAIKSQAD.js";import*as E from"querystring";function I(n){let e=n[x];if(!e)throw new Error("Invalid corsair instance");return e}function U(n,e){let o=n.plugins.find(a=>a.id===e);if(!o)throw new Error(`Plugin '${e}' not found`);return o}function N(n){let e=n.oauthConfig;if(!e)throw new Error(`Plugin '${n.id}' has no oauthConfig`);return e}async function R(n,e,o,a){let i=P(n),t=await i.integrations.findByName(e);if(!t)throw new Error(`Integration '${e}' not found. Run setupCorsair first.`);if(await i.accounts.findOne({tenant_id:o,integration_id:t.id}))return;let r=C(),s=await O(r,a);await i.accounts.create({tenant_id:o,integration_id:t.id,config:{},dek:s})}async function S(n,e,o){let{tenantId:a,redirectUri:i}=o,t=I(n);if(!t.database)throw new Error("No database configured on corsair instance");let u=U(t,e),r=N(u),d=await p({authType:"oauth_2",integrationName:e,kek:t.kek,database:t.database}).get_client_id();if(!d)throw new Error(`client_id not configured for '${e}'`);let g=A(f(e,a),t.kek),l={...r.authParams,client_id:d,redirect_uri:i,response_type:"code",scope:r.scopes.join(" "),state:g};return{url:`${r.authUrl}?${E.stringify(l)}`,state:g}}async function K(n,e){let{code:o,state:a,redirectUri:i}=e,t=I(n),u=y(a,t.kek);if(!u)throw new Error("Invalid or tampered state parameter");let{plugin:r,tenantId:s}=u;if(!t.database)throw new Error("No database configured on corsair instance");let d=U(t,r),g=N(d),l=p({authType:"oauth_2",integrationName:r,kek:t.kek,database:t.database}),k=await l.get_client_id(),w=await l.get_client_secret();if(!k||!w)throw new Error(`Credentials not configured for '${r}'`);await R(t.database,r,s,t.kek);let c=await b(o,k,w,g,i);if(!c.access_token)throw new Error(`No access_token returned from ${g.providerName}`);let h=m({authType:"oauth_2",integrationName:r,tenantId:s,kek:t.kek,database:t.database});return await h.set_access_token(c.access_token),c.refresh_token&&await h.set_refresh_token(c.refresh_token),c.expires_in&&await h.set_expires_at(String(Math.floor(Date.now()/1e3)+c.expires_in)),{plugin:r,tenantId:s}}export{_ as decodeOAuthState,f as encodeOAuthState,S as generateOAuthUrl,K as processOAuthCallback};
+import{A as c,B as d,C as e,h as a,i as b}from"./chunk-J6HIPZAR.js";import"./chunk-3X6WVI5I.js";import"./chunk-IGGCNGU2.js";import"./chunk-QAIKSQAD.js";export{c as OAuthCallbackError,b as decodeOAuthState,a as encodeOAuthState,d as generateOAuthUrl,e as processOAuthCallback};

package/dist/orm.js

@@ -1 +1 @@
-import"./chunk-N2XRSSRL.js";import{b as o,c as e,d as n,e as s}from"./chunk-UBM25HVI.js";import"./chunk-OZHME3EO.js";import{a as r,b as t,c as i,d as a}from"./chunk-3USHGH6P.js";import"./chunk-FL4GOHVN.js";import"./chunk-QAIKSQAD.js";export{t as CorsairAccountsSchema,i as CorsairEntitiesSchema,a as CorsairEventsSchema,r as CorsairIntegrationsSchema,o as createCorsairOrm,e as createPluginOrm,s as createPluginOrmFactory,n as createTenantScopedOrm};
+import"./chunk-N2XRSSRL.js";import{d as o,e,f as n,g as s}from"./chunk-3X6WVI5I.js";import{b as r,c as t,d as i,e as a}from"./chunk-IGGCNGU2.js";import"./chunk-QAIKSQAD.js";export{t as CorsairAccountsSchema,i as CorsairEntitiesSchema,a as CorsairEventsSchema,r as CorsairIntegrationsSchema,o as createCorsairOrm,e as createPluginOrm,s as createPluginOrmFactory,n as createTenantScopedOrm};

package/dist/setup.d.ts

@@ -1,10 +1,12 @@
-import { C as CorsairPlugin, k as CorsairSingleTenantClient, l as CorsairTenantWrapper, c as CorsairInternalConfig } from './index-DSVPkmM-.js';
+import { a as CorsairInternalConfig } from './index-mZfhN-6e.js';
 import { CorsairDatabase } from './db.js';
-import 'zod';
-import './orm.js';
+import { C as CorsairPlugin, c as CorsairSingleTenantClient, b as CorsairTenantWrapper } from './index-BHyMcpwm.js';
+import './types-B1We8TTP.js';
 import 'kysely';
+import 'zod';
 import 'pg';
 import 'postgres';
+import './orm.js';
 
 /** Plugin id → credential field → value (from CLI `field=value` pairs). */
 type SetupCredentials = Record<string, Record<string, string>>;

package/dist/setup.js

@@ -1 +1 @@
-import{a as o,b as r}from"./chunk-UPIMTWVI.js";import"./chunk-LIZVHWQK.js";import"./chunk-UBM25HVI.js";import"./chunk-OZHME3EO.js";import"./chunk-3USHGH6P.js";import"./chunk-FL4GOHVN.js";import"./chunk-QAIKSQAD.js";export{r as applySetupCredentials,o as setupCorsair};
+import{a as o,b as r}from"./chunk-KLJBBN2T.js";import"./chunk-J6HIPZAR.js";import"./chunk-3X6WVI5I.js";import"./chunk-IGGCNGU2.js";import"./chunk-QAIKSQAD.js";export{r as applySetupCredentials,o as setupCorsair};

package/dist/tenant-links-UNTSO7K7.d.ts

@@ -0,0 +1,43 @@
+import { A as AuthTypes } from './types-B1We8TTP.js';
+import { W as WebhookTenantMatch } from './index-BHyMcpwm.js';
+import { CorsairDatabase, CorsairAccount } from './db.js';
+
+type WebhookTenantLink = WebhookTenantMatch;
+declare function setWebhookTenantLink(options: {
+    database: CorsairDatabase;
+    kek: string;
+    pluginId: string;
+    tenantId: string;
+    link: WebhookTenantLink;
+    authType?: AuthTypes;
+    extraAccountFields?: readonly string[];
+}): Promise<void>;
+type ResolveAccountFromWebhookLinkInput = {
+    database: CorsairDatabase;
+    kek: string;
+    pluginId: string;
+    linkType: string;
+    externalId: string;
+};
+/**
+ * Resolves the matching corsair_accounts row for a webhook tenant link.
+ *
+ * Runs one SQL query scoped to the plugin, then decrypts only the requested
+ * link field per account using the account DEK and KEK.
+ */
+declare function resolveAccountFromWebhookLink(options: ResolveAccountFromWebhookLinkInput): Promise<CorsairAccount | null>;
+declare function resolveTenantIdFromWebhookLink(options: {
+    database: CorsairDatabase;
+    kek: string;
+    pluginId: string;
+    linkType: string;
+    externalId: string;
+}): Promise<string | null>;
+declare function resolveTenantFromWebhookLink(options: {
+    database: CorsairDatabase;
+    kek: string;
+    pluginId: string;
+    match: WebhookTenantMatch;
+}): Promise<string | null>;
+
+export { type ResolveAccountFromWebhookLinkInput as R, type WebhookTenantLink as W, resolveTenantFromWebhookLink as a, resolveTenantIdFromWebhookLink as b, resolveAccountFromWebhookLink as r, setWebhookTenantLink as s };

package/dist/{index-BnkJ_TYy.d.ts → tenant-match-utils-DXoUP9o9.d.ts}

@@ -1,4 +1,5 @@
-import { E as EndpointRiskLevel, C as CorsairPlugin } from './index-DSVPkmM-.js';
+import { z as EndpointRiskLevel, C as CorsairPlugin, V as CorsairWebhookMatcher, X as CorsairWebhookTenantMatcher, Y as RawWebhookRequest, W as WebhookTenantMatch } from './index-BHyMcpwm.js';
+import { f as AllProviders } from './types-B1We8TTP.js';
 
 /**
  * Error thrown when a plugin endpoint is called but the required auth credentials
@@ -184,4 +185,43 @@ declare function formatDocSchemaShape(shape: DocSchemaShape | undefined, depth?:
  */
 declare function introspectPluginForDocs(plugins: readonly CorsairPlugin[], pluginId: string): IntrospectPluginForDocsResult;
 
-export { AuthMissingError as A, type DocSchemaFieldRow as D, type EndpointSchemaResult as E, type FormFieldSchema as F, type IntrospectPluginForDocsResult as I, type ListOperationsOptions as L, type PluginDocsIntrospection as P, type ResolveConnectLinkResult as R, type DocSchemaShape as a, type DocsApiEndpoint as b, type DocsDbEntity as c, type DocsDbFilterField as d, type DocsWebhook as e, formatDocSchemaShape as f, introspectPluginForDocs as i, resolveConnectLink as r };
+type PluginWebhookMatchers = {
+    pluginWebhookMatcher?: CorsairWebhookMatcher;
+    pluginTenantWebhookMatcher?: CorsairWebhookTenantMatcher;
+};
+type WebhookPluginTenantMatch = {
+    plugin: AllProviders | (string & {});
+    tenantMatch: WebhookTenantMatch;
+};
+/**
+ * Identifies which plugin an incoming webhook belongs to.
+ */
+declare function matchWebhookPlugin(plugins: Record<string, PluginWebhookMatchers | undefined>, request: RawWebhookRequest): string | null;
+/**
+ * Runs plugin identification, then extracts the tenant lookup key for that plugin.
+ */
+declare function matchWebhookPluginAndTenant(plugins: Record<string, PluginWebhookMatchers | undefined>, request: RawWebhookRequest): WebhookPluginTenantMatch | null;
+/**
+ * Collects plugin-level webhook matchers from a corsair plugin list.
+ */
+declare function collectPluginWebhookMatchers(plugins: readonly CorsairPlugin[]): Record<string, PluginWebhookMatchers>;
+
+declare function getHeader(headers: Record<string, string | string[] | undefined>, name: string): string | undefined;
+declare function toExternalId(value: unknown): string | undefined;
+declare function asRecord(value: unknown): Record<string, unknown> | null;
+declare function readBodyRecord(request: RawWebhookRequest): Record<string, unknown> | null;
+declare function readQueryParam(request: {
+    query?: Record<string, string | string[] | undefined>;
+}, name: string): string | undefined;
+type MicrosoftGraphValidationRequest = {
+    headers?: Record<string, string | string[] | undefined>;
+    body?: unknown;
+    payload?: unknown;
+    query?: Record<string, string | string[] | undefined>;
+};
+declare function extractMicrosoftGraphValidationToken(request: MicrosoftGraphValidationRequest): string | null;
+declare function isMicrosoftGraphValidationHandshake(request: MicrosoftGraphValidationRequest): boolean;
+declare function firstString(values: unknown[]): string | undefined;
+declare function decodePubSubData(body: Record<string, unknown>): unknown;
+
+export { AuthMissingError as A, type DocSchemaFieldRow as D, type EndpointSchemaResult as E, type FormFieldSchema as F, type IntrospectPluginForDocsResult as I, type ListOperationsOptions as L, type PluginDocsIntrospection as P, type ResolveConnectLinkResult as R, type WebhookPluginTenantMatch as W, type DocSchemaShape as a, type DocsApiEndpoint as b, type DocsDbEntity as c, type DocsDbFilterField as d, type DocsWebhook as e, formatDocSchemaShape as f, collectPluginWebhookMatchers as g, matchWebhookPluginAndTenant as h, introspectPluginForDocs as i, type PluginWebhookMatchers as j, asRecord as k, decodePubSubData as l, matchWebhookPlugin as m, extractMicrosoftGraphValidationToken as n, firstString as o, getHeader as p, isMicrosoftGraphValidationHandshake as q, resolveConnectLink as r, readBodyRecord as s, readQueryParam as t, toExternalId as u };

package/dist/tunnel.d.ts

@@ -0,0 +1,35 @@
+export { O as OAuthCallbackTunnelPayload, b as OAuthTokensTunnelPayload, P as ProcessCorsairOptions, c as ProcessCorsairRequest, T as TunnelAck, d as TunnelEnvelope, e as TunnelType, W as WebhookTunnelPayload, a as applyPermissionDecision, p as processCorsair } from './index-aVkEGoHG.js';
+export { r as resolveAccountFromWebhookLink, a as resolveTenantFromWebhookLink, b as resolveTenantIdFromWebhookLink, s as setWebhookTenantLink } from './tenant-links-UNTSO7K7.js';
+import './types-B1We8TTP.js';
+import './index-BHyMcpwm.js';
+import 'zod';
+import './db.js';
+import 'kysely';
+import 'pg';
+import 'postgres';
+import './orm.js';
+
+type BrowserDeliveryPayload = {
+    jti: string;
+    connectJti: string;
+    projectId: string;
+    plugin: string;
+    tenantId: string;
+    hubSuccessUrl: string;
+    exp: number;
+    iat: number;
+    deliveryMode?: 'oauth.callback' | 'oauth.tokens' | 'permission.approve' | 'permission.deny';
+    code?: string;
+    state?: string;
+    redirectUri?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    scope?: string;
+    permissionToken?: string;
+};
+declare function isPermissionBrowserDelivery(payload: BrowserDeliveryPayload): boolean;
+declare function isManagedBrowserDelivery(payload: BrowserDeliveryPayload): boolean;
+declare function verifyBrowserDeliveryToken(token: string, signingSecret: string): BrowserDeliveryPayload | null;
+
+export { type BrowserDeliveryPayload, isManagedBrowserDelivery, isPermissionBrowserDelivery, verifyBrowserDeliveryToken };

package/dist/tunnel.js

@@ -0,0 +1 @@
+import{Q as e,R as f,S as g,T as h,U as i,w as a,x as b,y as c,z as d}from"./chunk-J6HIPZAR.js";import"./chunk-3X6WVI5I.js";import"./chunk-IGGCNGU2.js";import"./chunk-QAIKSQAD.js";export{h as applyPermissionDecision,f as isManagedBrowserDelivery,e as isPermissionBrowserDelivery,i as processCorsair,b as resolveAccountFromWebhookLink,d as resolveTenantFromWebhookLink,c as resolveTenantIdFromWebhookLink,a as setWebhookTenantLink,g as verifyBrowserDeliveryToken};