integrate-sdk 0.9.18-dev.0 → 0.9.20-dev.0

package/dist/ai/anthropic.js

@@ -4677,6 +4677,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -4692,6 +4705,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -4699,6 +4720,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -4876,6 +4899,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],
@@ -5001,11 +5034,50 @@ ${generated.compact}`;
       };
     }
     const mcpUrl = publicUrl.replace(/\/$/, "") + "/api/integrate/mcp";
+    let resolvedTokens = providerTokens;
+    let tokenSource = resolvedTokens && Object.keys(resolvedTokens).length > 0 ? "build-time" : "none";
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      try {
+        resolvedTokens = await getProviderTokens();
+        if (resolvedTokens && Object.keys(resolvedTokens).length > 0) {
+          tokenSource = "request-header";
+        }
+      } catch {}
+    }
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      const oauthManager = client.oauthManager;
+      if (oauthManager) {
+        resolvedTokens = {};
+        const clientIntegrations = client.integrations || [];
+        for (const integration of clientIntegrations) {
+          if (integration.oauth) {
+            const provider = integration.oauth.provider;
+            try {
+              const tokenData = await oauthManager.getProviderToken(provider, undefined, context);
+              if (tokenData?.accessToken) {
+                resolvedTokens[provider] = tokenData.accessToken;
+              }
+            } catch {}
+          }
+        }
+        if (Object.keys(resolvedTokens).length === 0) {
+          resolvedTokens = undefined;
+        } else {
+          tokenSource = "oauthManager";
+        }
+      }
+    }
+    console.debug("[integrate-sdk] execute_code token resolution:", JSON.stringify({
+      source: tokenSource,
+      keys: resolvedTokens ? Object.keys(resolvedTokens) : [],
+      hasApiKey: !!apiKey,
+      mcpUrl
+    }));
     return executeSandboxCode({
       code,
       mcpUrl,
       apiKey,
-      providerTokens,
+      providerTokens: resolvedTokens,
       context,
       integrationsHeader: integrationIds && integrationIds.length > 0 ? integrationIds.join(",") : undefined,
       runtime: sandboxOverrides.runtime ?? serverCodeModeConfig.runtime,

package/dist/ai/google.js

@@ -4677,6 +4677,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -4692,6 +4705,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -4699,6 +4720,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -4876,6 +4899,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],
@@ -5001,11 +5034,50 @@ ${generated.compact}`;
       };
     }
     const mcpUrl = publicUrl.replace(/\/$/, "") + "/api/integrate/mcp";
+    let resolvedTokens = providerTokens;
+    let tokenSource = resolvedTokens && Object.keys(resolvedTokens).length > 0 ? "build-time" : "none";
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      try {
+        resolvedTokens = await getProviderTokens();
+        if (resolvedTokens && Object.keys(resolvedTokens).length > 0) {
+          tokenSource = "request-header";
+        }
+      } catch {}
+    }
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      const oauthManager = client.oauthManager;
+      if (oauthManager) {
+        resolvedTokens = {};
+        const clientIntegrations = client.integrations || [];
+        for (const integration of clientIntegrations) {
+          if (integration.oauth) {
+            const provider = integration.oauth.provider;
+            try {
+              const tokenData = await oauthManager.getProviderToken(provider, undefined, context);
+              if (tokenData?.accessToken) {
+                resolvedTokens[provider] = tokenData.accessToken;
+              }
+            } catch {}
+          }
+        }
+        if (Object.keys(resolvedTokens).length === 0) {
+          resolvedTokens = undefined;
+        } else {
+          tokenSource = "oauthManager";
+        }
+      }
+    }
+    console.debug("[integrate-sdk] execute_code token resolution:", JSON.stringify({
+      source: tokenSource,
+      keys: resolvedTokens ? Object.keys(resolvedTokens) : [],
+      hasApiKey: !!apiKey,
+      mcpUrl
+    }));
     return executeSandboxCode({
       code,
       mcpUrl,
       apiKey,
-      providerTokens,
+      providerTokens: resolvedTokens,
       context,
       integrationsHeader: integrationIds && integrationIds.length > 0 ? integrationIds.join(",") : undefined,
       runtime: sandboxOverrides.runtime ?? serverCodeModeConfig.runtime,

package/dist/ai/index.js

@@ -4677,6 +4677,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -4692,6 +4705,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -4699,6 +4720,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -4876,6 +4899,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],
@@ -5001,11 +5034,50 @@ ${generated.compact}`;
       };
     }
     const mcpUrl = publicUrl.replace(/\/$/, "") + "/api/integrate/mcp";
+    let resolvedTokens = providerTokens;
+    let tokenSource = resolvedTokens && Object.keys(resolvedTokens).length > 0 ? "build-time" : "none";
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      try {
+        resolvedTokens = await getProviderTokens();
+        if (resolvedTokens && Object.keys(resolvedTokens).length > 0) {
+          tokenSource = "request-header";
+        }
+      } catch {}
+    }
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      const oauthManager = client.oauthManager;
+      if (oauthManager) {
+        resolvedTokens = {};
+        const clientIntegrations = client.integrations || [];
+        for (const integration of clientIntegrations) {
+          if (integration.oauth) {
+            const provider = integration.oauth.provider;
+            try {
+              const tokenData = await oauthManager.getProviderToken(provider, undefined, context);
+              if (tokenData?.accessToken) {
+                resolvedTokens[provider] = tokenData.accessToken;
+              }
+            } catch {}
+          }
+        }
+        if (Object.keys(resolvedTokens).length === 0) {
+          resolvedTokens = undefined;
+        } else {
+          tokenSource = "oauthManager";
+        }
+      }
+    }
+    console.debug("[integrate-sdk] execute_code token resolution:", JSON.stringify({
+      source: tokenSource,
+      keys: resolvedTokens ? Object.keys(resolvedTokens) : [],
+      hasApiKey: !!apiKey,
+      mcpUrl
+    }));
     return executeSandboxCode({
       code,
       mcpUrl,
       apiKey,
-      providerTokens,
+      providerTokens: resolvedTokens,
       context,
       integrationsHeader: integrationIds && integrationIds.length > 0 ? integrationIds.join(",") : undefined,
       runtime: sandboxOverrides.runtime ?? serverCodeModeConfig.runtime,

package/dist/ai/openai.js

@@ -4677,6 +4677,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -4692,6 +4705,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -4699,6 +4720,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -4876,6 +4899,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],
@@ -5001,11 +5034,50 @@ ${generated.compact}`;
       };
     }
     const mcpUrl = publicUrl.replace(/\/$/, "") + "/api/integrate/mcp";
+    let resolvedTokens = providerTokens;
+    let tokenSource = resolvedTokens && Object.keys(resolvedTokens).length > 0 ? "build-time" : "none";
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      try {
+        resolvedTokens = await getProviderTokens();
+        if (resolvedTokens && Object.keys(resolvedTokens).length > 0) {
+          tokenSource = "request-header";
+        }
+      } catch {}
+    }
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      const oauthManager = client.oauthManager;
+      if (oauthManager) {
+        resolvedTokens = {};
+        const clientIntegrations = client.integrations || [];
+        for (const integration of clientIntegrations) {
+          if (integration.oauth) {
+            const provider = integration.oauth.provider;
+            try {
+              const tokenData = await oauthManager.getProviderToken(provider, undefined, context);
+              if (tokenData?.accessToken) {
+                resolvedTokens[provider] = tokenData.accessToken;
+              }
+            } catch {}
+          }
+        }
+        if (Object.keys(resolvedTokens).length === 0) {
+          resolvedTokens = undefined;
+        } else {
+          tokenSource = "oauthManager";
+        }
+      }
+    }
+    console.debug("[integrate-sdk] execute_code token resolution:", JSON.stringify({
+      source: tokenSource,
+      keys: resolvedTokens ? Object.keys(resolvedTokens) : [],
+      hasApiKey: !!apiKey,
+      mcpUrl
+    }));
     return executeSandboxCode({
       code,
       mcpUrl,
       apiKey,
-      providerTokens,
+      providerTokens: resolvedTokens,
       context,
       integrationsHeader: integrationIds && integrationIds.length > 0 ? integrationIds.join(",") : undefined,
       runtime: sandboxOverrides.runtime ?? serverCodeModeConfig.runtime,

package/dist/ai/vercel-ai.js

@@ -4677,6 +4677,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -4692,6 +4705,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -4699,6 +4720,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -4876,6 +4899,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],
@@ -5001,11 +5034,50 @@ ${generated.compact}`;
       };
     }
     const mcpUrl = publicUrl.replace(/\/$/, "") + "/api/integrate/mcp";
+    let resolvedTokens = providerTokens;
+    let tokenSource = resolvedTokens && Object.keys(resolvedTokens).length > 0 ? "build-time" : "none";
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      try {
+        resolvedTokens = await getProviderTokens();
+        if (resolvedTokens && Object.keys(resolvedTokens).length > 0) {
+          tokenSource = "request-header";
+        }
+      } catch {}
+    }
+    if (!resolvedTokens || Object.keys(resolvedTokens).length === 0) {
+      const oauthManager = client.oauthManager;
+      if (oauthManager) {
+        resolvedTokens = {};
+        const clientIntegrations = client.integrations || [];
+        for (const integration of clientIntegrations) {
+          if (integration.oauth) {
+            const provider = integration.oauth.provider;
+            try {
+              const tokenData = await oauthManager.getProviderToken(provider, undefined, context);
+              if (tokenData?.accessToken) {
+                resolvedTokens[provider] = tokenData.accessToken;
+              }
+            } catch {}
+          }
+        }
+        if (Object.keys(resolvedTokens).length === 0) {
+          resolvedTokens = undefined;
+        } else {
+          tokenSource = "oauthManager";
+        }
+      }
+    }
+    console.debug("[integrate-sdk] execute_code token resolution:", JSON.stringify({
+      source: tokenSource,
+      keys: resolvedTokens ? Object.keys(resolvedTokens) : [],
+      hasApiKey: !!apiKey,
+      mcpUrl
+    }));
     return executeSandboxCode({
       code,
       mcpUrl,
       apiKey,
-      providerTokens,
+      providerTokens: resolvedTokens,
       context,
       integrationsHeader: integrationIds && integrationIds.length > 0 ? integrationIds.join(",") : undefined,
       runtime: sandboxOverrides.runtime ?? serverCodeModeConfig.runtime,

package/dist/code-mode/executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../../src/code-mode/executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGrD;;;;GAIG;AACH,UAAU,WAAW;IACnB,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,UAAU,CACR,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;KAC3B,CAAC,CAAC;IACH,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1B;AAED,UAAU,cAAc;IACtB,MAAM,CAAC,OAAO,EAAE;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC/B,aAAa,CAAC,EAAE,OAAO,CAAC;KACzB,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CAC1B;AAWD,8DAA8D;AAC9D,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI,GAAG,IAAI,CAKhF;AAED,0EAA0E;AAC1E,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAMpE;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,OAAO,CAAC,CAoC3D;AAoBD,MAAM,WAAW,yBAAyB;IACxC,uEAAuE;IACvE,IAAI,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,MAAM,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,uEAAuE;IACvE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,8EAA8E;IAC9E,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,qDAAqD;IACrD,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC9B,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+EAA+E;IAC/E,aAAa,CAAC,EAAE,WAAW,GAAG,UAAU,GAAG;QAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;SAAE,CAAA;KAAE,CAAC;CAClH;AAED,MAAM,WAAW,wBAAwB;IACvC,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA4DD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAsE9G"}
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../../src/code-mode/executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGrD;;;;GAIG;AACH,UAAU,WAAW;IACnB,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,UAAU,CACR,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;KAC3B,CAAC,CAAC;IACH,IAAI,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1B;AAED,UAAU,cAAc;IACtB,MAAM,CAAC,OAAO,EAAE;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC/B,aAAa,CAAC,EAAE,OAAO,CAAC;KACzB,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CAC1B;AAWD,8DAA8D;AAC9D,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI,GAAG,IAAI,CAKhF;AAED,0EAA0E;AAC1E,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAMpE;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,OAAO,CAAC,CAoC3D;AAoBD,MAAM,WAAW,yBAAyB;IACxC,uEAAuE;IACvE,IAAI,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,MAAM,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,uEAAuE;IACvE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,8EAA8E;IAC9E,OAAO,CAAC,EAAE,UAAU,CAAC;IACrB,qDAAqD;IACrD,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC9B,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+EAA+E;IAC/E,aAAa,CAAC,EAAE,WAAW,GAAG,UAAU,GAAG;QAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;YAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;SAAE,CAAA;KAAE,CAAC;CAClH;AAED,MAAM,WAAW,wBAAwB;IACvC,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AA4DD;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAsF9G"}

package/dist/code-mode/executor.js

@@ -30,6 +30,19 @@ if (!MCP_URL) {
   throw new Error('INTEGRATE_MCP_URL is not set — the sandbox cannot reach the MCP route.');
 }
 
+// Diagnostic: log sandbox env summary to stderr so it shows up in the
+// execute_code result's stderr field for debugging auth issues.
+console.error('[sandbox-diag] MCP_URL=' + MCP_URL);
+console.error('[sandbox-diag] HAS_API_KEY=' + !!API_KEY);
+console.error('[sandbox-diag] HAS_SESSION_TOKEN=' + !!SESSION_TOKEN);
+console.error('[sandbox-diag] HAS_PROVIDER_TOKENS=' + !!PROVIDER_TOKENS);
+if (PROVIDER_TOKENS) {
+  try {
+    const _keys = Object.keys(JSON.parse(PROVIDER_TOKENS));
+    console.error('[sandbox-diag] PROVIDER_TOKEN_KEYS=' + _keys.join(','));
+  } catch { console.error('[sandbox-diag] PROVIDER_TOKENS is not valid JSON'); }
+}
+
 function camelToSnake(str) {
   return str.replace(/[A-Z]/g, (letter) => '_' + letter.toLowerCase());
 }
@@ -45,6 +58,14 @@ async function callTool(toolName, args) {
   if (INTEGRATIONS_HEADER) headers['x-integrations'] = INTEGRATIONS_HEADER;
   if (CONTEXT_JSON) headers['x-integrate-context'] = CONTEXT_JSON;
 
+  console.error('[sandbox-diag] callTool: ' + toolName + ' → ' + MCP_URL);
+  console.error('[sandbox-diag] headers: ' + JSON.stringify({
+    hasAuth: !!headers['Authorization'],
+    hasApiKey: !!headers['x-integrate-api-key'],
+    hasTokens: !!headers['x-integrate-tokens'],
+    hasCodeMode: !!headers['x-integrate-code-mode'],
+  }));
+
   const res = await fetch(MCP_URL, {
     method: 'POST',
     headers,
@@ -52,6 +73,8 @@ async function callTool(toolName, args) {
   });
 
   const text = await res.text();
+  console.error('[sandbox-diag] response: HTTP ' + res.status + ' len=' + text.length);
+
   let payload;
   try {
     payload = text ? JSON.parse(text) : null;
@@ -240,6 +263,16 @@ async function executeSandboxCode(options) {
       env.INTEGRATE_INTEGRATIONS = options.integrationsHeader;
     if (options.context)
       env.INTEGRATE_CONTEXT = JSON.stringify(options.context);
+    console.debug("[integrate-sdk] Sandbox env:", JSON.stringify({
+      mcpUrl: options.mcpUrl,
+      hasApiKey: !!options.apiKey,
+      hasSessionToken: !!options.sessionToken,
+      providerTokenKeys: options.providerTokens ? Object.keys(options.providerTokens) : [],
+      hasIntegrations: !!options.integrationsHeader,
+      hasContext: !!options.context,
+      runtime,
+      timeoutMs
+    }));
     const cmd = await sandbox.runCommand({
       cmd: "node",
       args: ["user.mjs"],