crewly 1.5.22 → 1.6.1

package/config/skills/orchestrator/credential-manager/SKILL.md

@@ -0,0 +1,218 @@
+---
+name: Credential Manager
+description: "Manage workspace credentials (Google OAuth accounts, service API keys) that skills use to call third-party services on the user's behalf. Primary flow for remote users over Slack: start-google-oauth returns a link the user clicks on their device; they sign in and paste the resulting JSON back, then complete-google-oauth saves the credential. Supports multi-account."
+version: 1.1.0
+category: management
+skillType: claude-skill
+assignableRoles:
+  - orchestrator
+triggers:
+  - add gmail account
+  - add google account
+  - add api key
+  - list credentials
+  - show credentials
+  - what credentials
+  - delete credential
+  - revoke credential
+  - connect google
+  - connect gmail
+  - read gmail
+  - check unread emails
+  - unread messages
+  - my inbox
+tags:
+  - credentials
+  - oauth
+  - gmail
+  - google
+  - api-key
+execution:
+  type: script
+  script:
+    file: execute.sh
+    interpreter: bash
+    timeoutMs: 30000
+---
+
+# Credential Manager
+
+Manages the workspace's credential store used by skills. Supports Google OAuth
+(multi-account) and API keys.
+
+**Credential values are never returned** — only metadata (id, name, email,
+scopes). The actual tokens stay encrypted on disk and are only exposed to
+skills at execution time via per-slot env vars.
+
+## Primary flow: Remote user via Slack
+
+The user is on Slack and cannot run terminal commands. Use this flow:
+
+### 1. Start — return a sign-in link
+
+```bash
+bash execute.sh '{"action":"start-google-oauth"}'
+```
+
+Returns:
+```json
+{
+  "success": true,
+  "authUrl": "https://accounts.google.com/o/oauth2/v2/auth?client_id=...&scope=...",
+  "instructions": "Send authUrl to the user. They click it..."
+}
+```
+
+**Send the `authUrl` to the user**. Tell them:
+> Please click this link, sign in with the Google account you want to add,
+> then copy the entire JSON block shown on the success page and paste it back here.
+
+The URL opens on their device (phone, laptop, whatever). Google shows the
+consent screen ("Google Workspace Extension for Gemini CLI wants to access...").
+After they approve, they land on a page titled **"Success! Credentials Ready"**
+with a JSON block like:
+
+```json
+{
+  "refresh_token": "1//...",
+  "scope": "...",
+  "token_type": "Bearer",
+  "access_token": "ya29...",
+  "expiry_date": 1234567890123
+}
+```
+
+### 2. Complete — save the credential
+
+After the user pastes the JSON back, call:
+
+```bash
+bash execute.sh '{
+  "action":"complete-google-oauth",
+  "name":"info-steam-fun",
+  "credentialsJson": {"refresh_token":"...","access_token":"...","scope":"...","token_type":"Bearer","expiry_date":...}
+}'
+```
+
+Returns:
+```json
+{
+  "success": true,
+  "credential": {
+    "id": "cred-abc123...",
+    "name": "info-steam-fun",
+    "type": "google-oauth",
+    "provider": "google",
+    "helper": "gemini-cli-workspace",
+    "accountEmail": "info@steam-fun.com",
+    "scopes": [...]
+  }
+}
+```
+
+### 3. Repeat for more accounts
+
+Just call `start-google-oauth` → send new URL → `complete-google-oauth` again
+with a different name. No extension state to clear (headless mode never
+touches it).
+
+---
+
+## Developer flow (on-box only)
+
+If you're running on the same machine as Crewly AND have the Gemini CLI
+Workspace extension set up for interactive login, these still work:
+
+### `import-google`
+
+Import the extension's currently-active login:
+
+```bash
+bash execute.sh '{"action":"import-google","name":"info-steam-fun"}'
+```
+
+Precondition: user has run `GEMINI_CLI_WORKSPACE_FORCE_FILE_STORAGE=true gemini`
+and completed sign-in, leaving tokens in the extension's file cache.
+
+### `clear-gemini-cli`
+
+Delete the extension's cached token file so the next local login captures
+a fresh account:
+
+```bash
+bash execute.sh '{"action":"clear-gemini-cli"}'
+```
+
+---
+
+## Other actions
+
+### `list`
+
+List credentials (filter optional).
+
+```bash
+bash execute.sh '{"action":"list"}'
+bash execute.sh '{"action":"list","type":"google-oauth"}'
+bash execute.sh '{"action":"list","provider":"gemini"}'
+```
+
+### `add-api-key`
+
+```bash
+bash execute.sh '{"action":"add-api-key","name":"gemini-main","provider":"gemini","value":"AIza..."}'
+```
+
+### `delete`
+
+```bash
+bash execute.sh '{"action":"delete","id":"cred-abc123..."}'
+```
+
+### `read-gmail`
+
+Read unread emails from the named Google account:
+
+```bash
+bash execute.sh '{"action":"read-gmail","name":"info-steam-fun"}'
+bash execute.sh '{"action":"read-gmail","name":"personal-gmail","maxResults":5}'
+```
+
+---
+
+## Multi-account example (remote Slack user)
+
+```
+User: "Add info@steam-fun.com to Crewly"
+Orchestrator:
+  1. bash execute.sh '{"action":"start-google-oauth"}'
+  2. Gets authUrl back.
+  3. Replies in Slack:
+     "Click this to sign in with info@steam-fun.com: <authUrl>
+      After signing in, copy the JSON block from the 'Success!' page
+      and paste it back here."
+
+User: (clicks on phone, signs in, pastes JSON)
+  {"refresh_token":"...","access_token":"...","scope":"...","token_type":"Bearer","expiry_date":...}
+
+Orchestrator:
+  1. bash execute.sh '{"action":"complete-google-oauth","name":"info-steam-fun","credentialsJson":<pasted JSON>}'
+  2. Replies: "✓ Added info-steam-fun (info@steam-fun.com)."
+
+User: "Now add my personal gmail"
+Orchestrator:
+  repeats start → URL → user pastes → complete, with name=personal-gmail.
+
+User: "What's unread in info's inbox?"
+Orchestrator:
+  bash execute.sh '{"action":"read-gmail","name":"info-steam-fun"}'
+  → returns summary of unread emails.
+```
+
+## Errors
+
+- `name is required` / `credentialsJson is required` — missing fields in complete action
+- `credentialsJson is not valid JSON` — user pasted something other than the JSON block
+- `credentialsJson is missing access_token or refresh_token` — user pasted a partial JSON
+- `No google-oauth credential found with name '...'` — `read-gmail` lookup failed; try `list`
+- `Credential '...' is revoked` — the refresh token was revoked by the user or Google; re-run the OAuth flow

package/config/skills/orchestrator/credential-manager/execute.sh

@@ -0,0 +1,166 @@
+#!/bin/bash
+# Credential Manager — wraps /api/credentials REST endpoints so the
+# orchestrator can manage Google OAuth accounts and API keys on user request.
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/../_common/lib.sh"
+
+INPUT=$(read_json_input "${1:-}")
+if [ -z "$INPUT" ]; then
+  error_exit "Usage: execute.sh '{\"action\":\"list|import-google|clear-gemini-cli|add-api-key|delete|read-gmail\", ...}'"
+fi
+
+ACTION=$(printf '%s' "$INPUT" | jq -r '.action // empty')
+require_param "action" "$ACTION"
+
+case "$ACTION" in
+  list)
+    TYPE=$(printf '%s' "$INPUT" | jq -r '.type // empty')
+    PROVIDER=$(printf '%s' "$INPUT" | jq -r '.provider // empty')
+    RESP=$(api_call GET "/credentials")
+    # Filter client-side
+    printf '%s' "$RESP" | jq --arg type "$TYPE" --arg provider "$PROVIDER" '
+      .data
+      | map(select($type == "" or .type == $type))
+      | map(select($provider == "" or .provider == $provider))
+      | map({id, name, type, provider, helper, accountEmail, scopes, status, createdAt, lastUsedAt})
+    '
+    ;;
+
+  import-google)
+    # Import from gemini-cli extension's LOCAL file (developer / on-box user).
+    # For remote users over Slack, use start-google-oauth + complete-google-oauth instead.
+    NAME=$(printf '%s' "$INPUT" | jq -r '.name // empty')
+    require_param "name" "$NAME"
+    BODY=$(jq -nc --arg name "$NAME" '{name: $name}')
+    RESP=$(api_call POST "/credentials/oauth/import-gemini-cli" "$BODY")
+    printf '%s' "$RESP" | jq '
+      if .success == true then
+        {success: true, credential: .data | {id, name, type, provider, helper, accountEmail, scopes}}
+      else
+        {success: false, error: .error}
+      end
+    '
+    ;;
+
+  start-google-oauth)
+    # Headless flow — returns a URL for a remote user to click.
+    # Optionally takes scopes override; defaults to broad Workspace set.
+    SCOPES_ARG=$(printf '%s' "$INPUT" | jq -c '.scopes // empty')
+    if [ -n "$SCOPES_ARG" ]; then
+      BODY=$(printf '%s' "$SCOPES_ARG" | jq -c '{scopes: .}')
+    else
+      BODY='{}'
+    fi
+    RESP=$(api_call POST "/credentials/oauth/google/start" "$BODY")
+    printf '%s' "$RESP" | jq '
+      if .success == true then
+        {
+          success: true,
+          authUrl: .data.authUrl,
+          instructions: "Send authUrl to the user. They click it on their device, sign in with the Google account they want to add, and copy the JSON shown on the success page. Then call action=complete-google-oauth with the pasted JSON."
+        }
+      else
+        {success: false, error: .error}
+      end
+    '
+    ;;
+
+  complete-google-oauth)
+    # Accept the JSON the user pasted from the success page. Save as a new credential.
+    NAME=$(printf '%s' "$INPUT" | jq -r '.name // empty')
+    require_param "name" "$NAME"
+    # Accept either the raw JSON string or a parsed object under .credentialsJson
+    CREDS=$(printf '%s' "$INPUT" | jq -c '.credentialsJson // empty')
+    if [ -z "$CREDS" ] || [ "$CREDS" = "null" ]; then
+      error_exit "credentialsJson is required (paste the JSON block from the OAuth success page)"
+    fi
+    BODY=$(jq -nc --arg name "$NAME" --argjson creds "$CREDS" '{name: $name, credentialsJson: $creds}')
+    RESP=$(api_call POST "/credentials/oauth/google/complete" "$BODY")
+    printf '%s' "$RESP" | jq '
+      if .success == true then
+        {success: true, credential: .data | {id, name, type, provider, helper, accountEmail, scopes, status}}
+      else
+        {success: false, error: .error}
+      end
+    '
+    ;;
+
+  clear-gemini-cli)
+    api_call POST "/credentials/oauth/gemini-cli/clear-extension-file" "" \
+      | jq '{cleared: (.success == true), error: .error}'
+    ;;
+
+  add-api-key)
+    NAME=$(printf '%s' "$INPUT" | jq -r '.name // empty')
+    PROVIDER=$(printf '%s' "$INPUT" | jq -r '.provider // empty')
+    VALUE=$(printf '%s' "$INPUT" | jq -r '.value // empty')
+    require_param "name" "$NAME"
+    require_param "provider" "$PROVIDER"
+    require_param "value" "$VALUE"
+    BODY=$(jq -nc --arg name "$NAME" --arg provider "$PROVIDER" --arg value "$VALUE" \
+      '{name: $name, provider: $provider, value: $value}')
+    RESP=$(api_call POST "/credentials/api-key" "$BODY")
+    printf '%s' "$RESP" | jq '
+      if .success == true then
+        {success: true, credential: .data | {id, name, type, provider, createdAt}}
+      else
+        {success: false, error: .error}
+      end
+    '
+    ;;
+
+  delete)
+    ID=$(printf '%s' "$INPUT" | jq -r '.id // empty')
+    require_param "id" "$ID"
+    api_call DELETE "/credentials/${ID}" | jq '{deleted: (.success == true), error: .error}'
+    ;;
+
+  read-gmail)
+    NAME=$(printf '%s' "$INPUT" | jq -r '.name // empty')
+    MAX=$(printf '%s' "$INPUT" | jq -r '.maxResults // 10')
+    require_param "name" "$NAME"
+
+    # 1. Find the credential by name
+    LIST_RESP=$(api_call GET "/credentials")
+    CRED_ID=$(printf '%s' "$LIST_RESP" | jq -r --arg name "$NAME" '
+      .data[]? | select(.name == $name and .type == "google-oauth") | .id
+    ' | head -n 1)
+
+    if [ -z "$CRED_ID" ]; then
+      AVAILABLE=$(printf '%s' "$LIST_RESP" | jq -r '
+        .data[]? | select(.type == "google-oauth") | .name
+      ' | paste -sd ", " -)
+      error_exit "No google-oauth credential named '$NAME'. Available Google accounts: ${AVAILABLE:-none}. Use action=list to confirm."
+    fi
+
+    # 2. Execute gmail-reader skill with the credential bound to 'gmail' slot
+    EXEC_BODY=$(jq -nc --arg cid "$CRED_ID" --arg max "$MAX" '{
+      agentId: "orchestrator",
+      roleId: "orchestrator",
+      userInput: $max,
+      credentialBindings: {gmail: $cid}
+    }')
+    RESP=$(api_call POST "/skills/skill-gmail-reader/execute" "$EXEC_BODY")
+    # Extract the stdout from the skill execution so the orchestrator sees
+    # the human-readable summary directly
+    printf '%s' "$RESP" | jq '
+      if .success == true then
+        {
+          credential: "'"$NAME"'",
+          credentialId: "'"$CRED_ID"'",
+          success: .data.success,
+          output: .data.output,
+          error: .data.error,
+          durationMs: .data.durationMs
+        }
+      else
+        {success: false, error: .error}
+      end
+    '
+    ;;
+
+  *)
+    error_exit "Unknown action: '$ACTION'. Valid: list, start-google-oauth, complete-google-oauth, import-google, clear-gemini-cli, add-api-key, delete, read-gmail"
+    ;;
+esac

package/config/skills/orchestrator/credential-manager/execute.test.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# Validation tests for credential-manager skill.
+# Covers argument handling + param validation for each action. Actions that
+# reach api_call are only exercised up to the point of validation (no live
+# backend calls).
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXECUTE="$SCRIPT_DIR/execute.sh"
+PASS=0
+FAIL=0
+
+assert_contains() {
+  local test_name="$1" needle="$2" haystack="$3"
+  if printf '%s' "$haystack" | grep -q -- "$needle"; then
+    PASS=$((PASS + 1))
+    echo "  ✓ ${test_name}"
+  else
+    FAIL=$((FAIL + 1))
+    echo "  ✗ ${test_name}"
+    echo "    expected to contain: ${needle}"
+    echo "    got: ${haystack}"
+  fi
+}
+
+echo "=== credential-manager tests ==="
+
+echo ""
+echo "--- No input / missing action ---"
+
+OUTPUT=$(bash "$EXECUTE" 2>&1) || true
+assert_contains "No input rejected with usage hint" "Usage:" "$OUTPUT"
+
+OUTPUT=$(bash "$EXECUTE" '{}' 2>&1) || true
+assert_contains "Empty JSON → missing action error" "Missing required parameter: action" "$OUTPUT"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":""}' 2>&1) || true
+assert_contains "Empty action → missing action error" "Missing required parameter: action" "$OUTPUT"
+
+echo ""
+echo "--- Unknown action ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"does-not-exist"}' 2>&1) || true
+assert_contains "Unknown action rejected" "Unknown action" "$OUTPUT"
+assert_contains "Unknown action lists valid options" "list" "$OUTPUT"
+
+echo ""
+echo "--- import-google param validation ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"import-google"}' 2>&1) || true
+assert_contains "import-google without name rejected" "Missing required parameter: name" "$OUTPUT"
+
+echo ""
+echo "--- complete-google-oauth param validation ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"complete-google-oauth"}' 2>&1) || true
+assert_contains "complete without name rejected" "Missing required parameter: name" "$OUTPUT"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"complete-google-oauth","name":"work"}' 2>&1) || true
+assert_contains "complete without credentialsJson rejected" "credentialsJson is required" "$OUTPUT"
+
+echo ""
+echo "--- add-api-key param validation ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"add-api-key"}' 2>&1) || true
+assert_contains "add-api-key without name rejected" "Missing required parameter: name" "$OUTPUT"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"add-api-key","name":"x"}' 2>&1) || true
+assert_contains "add-api-key without provider rejected" "Missing required parameter: provider" "$OUTPUT"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"add-api-key","name":"x","provider":"gemini"}' 2>&1) || true
+assert_contains "add-api-key without value rejected" "Missing required parameter: value" "$OUTPUT"
+
+echo ""
+echo "--- delete param validation ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"delete"}' 2>&1) || true
+assert_contains "delete without id rejected" "Missing required parameter: id" "$OUTPUT"
+
+echo ""
+echo "--- read-gmail param validation ---"
+
+OUTPUT=$(bash "$EXECUTE" '{"action":"read-gmail"}' 2>&1) || true
+assert_contains "read-gmail without name rejected" "Missing required parameter: name" "$OUTPUT"
+
+echo ""
+echo "=== Results: ${PASS} passed, ${FAIL} failed ==="
+[ $FAIL -eq 0 ]

package/dist/backend/backend/src/config/oauth.config.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Google OAuth Configuration
+ *
+ * Shared constants for the Google OAuth flows that piggyback on the Gemini
+ * CLI Workspace extension's published OAuth app. Defining these here lets
+ * the REST controller (URL-builder) and the helper (refresh client) stay in
+ * sync on client_id / redirect_uri / endpoints.
+ *
+ * These values come from the Gemini CLI Workspace extension's
+ * `workspace-server/src/utils/config.ts` — using the same client_id
+ * + redirect_uri lets us avoid the 7-day testing-mode grant expiry.
+ *
+ * @module config/oauth.config
+ */
+/** OAuth client_id for the Gemini CLI Workspace extension's published app. */
+export declare const GOOGLE_OAUTH_CLIENT_ID = "338689075775-o75k922vn5fdl18qergr96rp8g63e4d7.apps.googleusercontent.com";
+/** Redirect URI the Gemini CLI Workspace cloud function is registered for. */
+export declare const GOOGLE_OAUTH_REDIRECT_URI = "https://google-workspace-extension.geminicli.com";
+/** Base URL of Google's OAuth 2.0 authorization endpoint. */
+export declare const GOOGLE_OAUTH_AUTH_BASE = "https://accounts.google.com/o/oauth2/v2/auth";
+/** Cloud Function base URL where the extension's `/refreshToken` lives. */
+export declare const GEMINI_CLI_CLOUD_FUNCTION_URL = "https://google-workspace-extension.geminicli.com";
+/** Path on the cloud function used for token refresh calls. */
+export declare const GEMINI_CLI_REFRESH_PATH = "/refreshToken";
+/** Google's userinfo endpoint — used to resolve an OAuth token's account email. */
+export declare const GOOGLE_USERINFO_ENDPOINT = "https://www.googleapis.com/oauth2/v3/userinfo";
+/**
+ * Default scope set for a broad Workspace grant — covers the common Gmail,
+ * Drive, Docs, Calendar, and Photos read paths used by marketplace skills.
+ * Callers of `/oauth/google/start` may override via the request body.
+ */
+export declare const DEFAULT_GOOGLE_SCOPES: readonly string[];
+//# sourceMappingURL=oauth.config.d.ts.map

package/dist/backend/backend/src/config/oauth.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.config.d.ts","sourceRoot":"","sources":["../../../../../backend/src/config/oauth.config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,8EAA8E;AAC9E,eAAO,MAAM,sBAAsB,6EACyC,CAAC;AAE7E,8EAA8E;AAC9E,eAAO,MAAM,yBAAyB,qDACc,CAAC;AAErD,6DAA6D;AAC7D,eAAO,MAAM,sBAAsB,iDACa,CAAC;AAEjD,2EAA2E;AAC3E,eAAO,MAAM,6BAA6B,qDACU,CAAC;AAErD,+DAA+D;AAC/D,eAAO,MAAM,uBAAuB,kBAAkB,CAAC;AAEvD,mFAAmF;AACnF,eAAO,MAAM,wBAAwB,kDACY,CAAC;AAElD;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,MAAM,EAYlD,CAAC"}

package/dist/backend/backend/src/config/oauth.config.js

@@ -0,0 +1,45 @@
+/**
+ * Google OAuth Configuration
+ *
+ * Shared constants for the Google OAuth flows that piggyback on the Gemini
+ * CLI Workspace extension's published OAuth app. Defining these here lets
+ * the REST controller (URL-builder) and the helper (refresh client) stay in
+ * sync on client_id / redirect_uri / endpoints.
+ *
+ * These values come from the Gemini CLI Workspace extension's
+ * `workspace-server/src/utils/config.ts` — using the same client_id
+ * + redirect_uri lets us avoid the 7-day testing-mode grant expiry.
+ *
+ * @module config/oauth.config
+ */
+/** OAuth client_id for the Gemini CLI Workspace extension's published app. */
+export const GOOGLE_OAUTH_CLIENT_ID = '338689075775-o75k922vn5fdl18qergr96rp8g63e4d7.apps.googleusercontent.com';
+/** Redirect URI the Gemini CLI Workspace cloud function is registered for. */
+export const GOOGLE_OAUTH_REDIRECT_URI = 'https://google-workspace-extension.geminicli.com';
+/** Base URL of Google's OAuth 2.0 authorization endpoint. */
+export const GOOGLE_OAUTH_AUTH_BASE = 'https://accounts.google.com/o/oauth2/v2/auth';
+/** Cloud Function base URL where the extension's `/refreshToken` lives. */
+export const GEMINI_CLI_CLOUD_FUNCTION_URL = 'https://google-workspace-extension.geminicli.com';
+/** Path on the cloud function used for token refresh calls. */
+export const GEMINI_CLI_REFRESH_PATH = '/refreshToken';
+/** Google's userinfo endpoint — used to resolve an OAuth token's account email. */
+export const GOOGLE_USERINFO_ENDPOINT = 'https://www.googleapis.com/oauth2/v3/userinfo';
+/**
+ * Default scope set for a broad Workspace grant — covers the common Gmail,
+ * Drive, Docs, Calendar, and Photos read paths used by marketplace skills.
+ * Callers of `/oauth/google/start` may override via the request body.
+ */
+export const DEFAULT_GOOGLE_SCOPES = [
+    'openid',
+    'https://www.googleapis.com/auth/userinfo.email',
+    'https://www.googleapis.com/auth/userinfo.profile',
+    'https://www.googleapis.com/auth/gmail.readonly',
+    'https://www.googleapis.com/auth/gmail.send',
+    'https://www.googleapis.com/auth/drive.readonly',
+    'https://www.googleapis.com/auth/drive.file',
+    'https://www.googleapis.com/auth/documents.readonly',
+    'https://www.googleapis.com/auth/calendar.readonly',
+    'https://www.googleapis.com/auth/calendar.events',
+    'https://www.googleapis.com/auth/photoslibrary.readonly',
+];
+//# sourceMappingURL=oauth.config.js.map

package/dist/backend/backend/src/config/oauth.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.config.js","sourceRoot":"","sources":["../../../../../backend/src/config/oauth.config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,8EAA8E;AAC9E,MAAM,CAAC,MAAM,sBAAsB,GACjC,0EAA0E,CAAC;AAE7E,8EAA8E;AAC9E,MAAM,CAAC,MAAM,yBAAyB,GACpC,kDAAkD,CAAC;AAErD,6DAA6D;AAC7D,MAAM,CAAC,MAAM,sBAAsB,GACjC,8CAA8C,CAAC;AAEjD,2EAA2E;AAC3E,MAAM,CAAC,MAAM,6BAA6B,GACxC,kDAAkD,CAAC;AAErD,+DAA+D;AAC/D,MAAM,CAAC,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAEvD,mFAAmF;AACnF,MAAM,CAAC,MAAM,wBAAwB,GACnC,+CAA+C,CAAC;AAElD;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAsB;IACtD,QAAQ;IACR,gDAAgD;IAChD,kDAAkD;IAClD,gDAAgD;IAChD,4CAA4C;IAC5C,gDAAgD;IAChD,4CAA4C;IAC5C,oDAAoD;IACpD,mDAAmD;IACnD,iDAAiD;IACjD,wDAAwD;CACzD,CAAC"}

package/dist/backend/backend/src/controllers/credentials/credentials.controller.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Credentials REST Controller
+ *
+ * Exposes workspace credential management over REST so the frontend (and
+ * Cloud portal) can list, add, rename, delete, and OAuth-import credentials.
+ *
+ * All endpoints return `{ success, data?, error? }` matching the rest of
+ * the Crewly API surface. Secret values (token payloads, API keys) are
+ * never returned — only registry metadata.
+ *
+ * @module controllers/credentials/credentials.controller
+ */
+import type { Request, Response, NextFunction } from 'express';
+/** Reset the helper singleton — for tests only. */
+export declare function _resetGeminiHelperForTesting(): void;
+/**
+ * GET /api/credentials — list all credential metadata (never values).
+ */
+export declare function listCredentials(_req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * GET /api/credentials/:id — metadata for a single credential.
+ */
+export declare function getCredentialById(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * POST /api/credentials/api-key — add an API key credential.
+ * Body: { name, provider, value }
+ */
+export declare function addApiKey(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * PATCH /api/credentials/:id — update metadata (name, status).
+ * Body: { name?, status? }
+ */
+export declare function updateCredentialHandler(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * DELETE /api/credentials/:id — delete credential (registry entry + .enc file).
+ */
+export declare function deleteCredentialHandler(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * POST /api/credentials/oauth/import-gemini-cli — capture current extension
+ * login into a new credential.
+ * Body: { name }
+ *
+ * Precondition: the user has run
+ *   `GEMINI_CLI_WORKSPACE_FORCE_FILE_STORAGE=true gemini`
+ * and signed in via the workspace extension.
+ */
+export declare function importOAuthFromGeminiCli(req: Request, res: Response, next: NextFunction): Promise<void>;
+/**
+ * POST /api/credentials/oauth/gemini-cli/clear-extension-file —
+ * delete the extension's cached token file so the next extension login
+ * captures a different account.
+ */
+export declare function clearGeminiCliExtensionFile(_req: Request, res: Response, next: NextFunction): Promise<void>;
+//# sourceMappingURL=credentials.controller.d.ts.map

package/dist/backend/backend/src/controllers/credentials/credentials.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.controller.d.ts","sourceRoot":"","sources":["../../../../../../backend/src/controllers/credentials/credentials.controller.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AA0C/D,mDAAmD;AACnD,wBAAgB,4BAA4B,IAAI,IAAI,CAEnD;AAMD;;GAEG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,OAAO,EACb,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAYf;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CA8Bf;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAkDf;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAYf;AAED;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CA8Bf;AAED;;;;GAIG;AACH,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,OAAO,EACb,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf"}