classifyre-cli 0.4.2__py3-none-any.whl

src/models/generated_input.py

@@ -0,0 +1,2732 @@
+# generated by datamodel-codegen:
+#   filename:  all_input_sources.json
+
+from __future__ import annotations
+
+from enum import StrEnum
+from typing import Any, Literal
+
+from pydantic import (
+    AnyUrl,
+    AwareDatetime,
+    BaseModel,
+    ConfigDict,
+    EmailStr,
+    Field,
+    RootModel,
+)
+
+
+class AssetType(StrEnum):
+    """
+    Type of the asset or source
+    """
+
+    WORDPRESS = 'WORDPRESS'
+    SLACK = 'SLACK'
+    S3_COMPATIBLE_STORAGE = 'S3_COMPATIBLE_STORAGE'
+    AZURE_BLOB_STORAGE = 'AZURE_BLOB_STORAGE'
+    GOOGLE_CLOUD_STORAGE = 'GOOGLE_CLOUD_STORAGE'
+    POSTGRESQL = 'POSTGRESQL'
+    MYSQL = 'MYSQL'
+    MSSQL = 'MSSQL'
+    ORACLE = 'ORACLE'
+    HIVE = 'HIVE'
+    DATABRICKS = 'DATABRICKS'
+    SNOWFLAKE = 'SNOWFLAKE'
+    MONGODB = 'MONGODB'
+    NEO4J = 'NEO4J'
+    POWERBI = 'POWERBI'
+    TABLEAU = 'TABLEAU'
+    CONFLUENCE = 'CONFLUENCE'
+    JIRA = 'JIRA'
+    SERVICEDESK = 'SERVICEDESK'
+
+
+class SourceCategory(StrEnum):
+    """
+    Category of the source: TABULAR for structured databases (PostgreSQL, MySQL, MSSQL, Oracle, Hive, Databricks Unity Catalog, Snowflake), UNSTRUCTURED for text/web/document sources (WordPress, S3-Compatible Storage, Azure Blob Storage, Google Cloud Storage, Slack, MongoDB, PowerBI, Tableau, Confluence, Jira, Service Desk)
+    """
+
+    TABULAR = 'TABULAR'
+    UNSTRUCTURED = 'UNSTRUCTURED'
+
+
+class DetectorType(StrEnum):
+    """
+    Type of detector for content analysis
+    """
+
+    SECRETS = 'SECRETS'
+    PII = 'PII'
+    YARA = 'YARA'
+    BROKEN_LINKS = 'BROKEN_LINKS'
+    CODE_SECURITY = 'CODE_SECURITY'
+    CUSTOM = 'CUSTOM'
+
+
+class PostStatus(StrEnum):
+    """
+    WordPress post status
+    """
+
+    publish = 'publish'
+    future = 'future'
+    draft = 'draft'
+    pending = 'pending'
+    private = 'private'
+
+
+class SlackChannelType(StrEnum):
+    """
+    Slack conversation types to include
+    """
+
+    public_channel = 'public_channel'
+    private_channel = 'private_channel'
+    mpim = 'mpim'
+    im = 'im'
+
+
+class SamplingStrategy(StrEnum):
+    """
+    Sampling strategy: RANDOM samples items randomly, LATEST prioritises the most recently modified/created items, ALL scans every item with no limit
+    """
+
+    RANDOM = 'RANDOM'
+    LATEST = 'LATEST'
+    ALL = 'ALL'
+
+
+class SamplingConfig(BaseModel):
+    """
+    Controls how content is extracted from each source. For tabular sources rows_per_page controls both sample size for RANDOM/LATEST and pagination batch size for ALL.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    strategy: SamplingStrategy
+    enable_ocr: bool | None = Field(
+        False,
+        description='When true, enable OCR/text extraction for supported binary documents and images before routing text-capable detectors.',
+    )
+    order_by_column: str | None = Field(
+        None,
+        description='Column to use for LATEST sampling mode in tabular sources (usually created_at/updated_at). Auto-detected when not set.',
+    )
+    fallback_to_random: bool | None = Field(
+        True,
+        description='Tabular sources only. Fallback to RANDOM ordering when LATEST mode cannot resolve an ordering column.',
+    )
+    include_column_names: bool | None = Field(
+        True,
+        description='Tabular sources only. Include column names in sampled detector payload rows.',
+    )
+    rows_per_page: int | None = Field(
+        100,
+        description='Tabular sources only. Number of rows per sample (RANDOM/LATEST) or per pagination batch (ALL). Controls memory usage during large table scans.',
+        ge=10,
+        le=10000,
+    )
+
+
+class Requests(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    cpu: str | None = Field(None, description='CPU request (e.g. 500m)')
+    memory: str | None = Field(None, description='Memory request (e.g. 1Gi)')
+
+
+class Limits(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    cpu: str | None = Field(None, description='CPU limit (e.g. 2)')
+    memory: str | None = Field(None, description='Memory limit (e.g. 4Gi)')
+
+
+class ResourceOverrides(BaseModel):
+    """
+    Override K8s job resources and timeout for this source.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    requests: Requests | None = None
+    limits: Limits | None = None
+    timeout_seconds: int | None = Field(
+        None,
+        description='Max runtime in seconds (overrides activeDeadlineSeconds)',
+        ge=60,
+        le=86400,
+    )
+    processing_workers: int | None = Field(
+        None,
+        description='Number of parallel asset-processing workers in Phase 2 (default: 2)',
+        ge=1,
+        le=20,
+    )
+    detector_max_concurrent: int | None = Field(
+        None,
+        description='Max concurrent detector invocations across all pages (default: 5)',
+        ge=1,
+        le=50,
+    )
+
+
+class Detector(BaseModel):
+    model_config = ConfigDict(
+        extra='allow',
+    )
+    type: DetectorType
+    enabled: bool | None = True
+    config: dict[str, Any] | None = Field(
+        None, description='Detector-specific configuration'
+    )
+
+
+class CustomDetectorSelection(RootModel[str]):
+    root: str = Field(..., min_length=1)
+
+
+class WordPressRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    url: AnyUrl = Field(
+        ..., description='Base URL of the WordPress site (e.g., https://example.com)'
+    )
+
+
+class WordPressMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str | None = Field(
+        None, description='Username for authentication (optional for public content)'
+    )
+    application_password: str | None = Field(
+        None, description='WordPress application password for authentication (optional)'
+    )
+
+
+class WordPressOptionalContent(BaseModel):
+    """
+    Content scope and filters for WordPress ingestion.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    fetch_posts: bool | None = Field(True, description='Whether to fetch blog posts')
+    fetch_pages: bool | None = Field(True, description='Whether to fetch pages')
+    post_status: list[PostStatus] | None = Field(
+        ['publish'],
+        description='Post status filters (requires authentication for non-public statuses)',
+    )
+
+
+class WordPressOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    content: WordPressOptionalContent | None = None
+
+
+class SlackRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    workspace: str | None = Field(
+        None, description='Slack workspace name or domain (for display and stable IDs)'
+    )
+
+
+class SlackMaskedBotToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    bot_token: str = Field(..., description='Slack bot token (starts with xoxb-)')
+
+
+class SlackMaskedUserToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    user_token: str = Field(..., description='Slack user token (starts with xoxp-)')
+
+
+class TokenType(StrEnum):
+    """
+    Token type hint
+    """
+
+    bot = 'bot'
+    user = 'user'
+
+
+class SlackMaskedToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    token: str = Field(..., description='Slack token (bot or user)')
+    token_type: TokenType | None = Field(None, description='Token type hint')
+
+
+class SlackOptionalChannels(BaseModel):
+    """
+    Channel discovery and targeting controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    channel_types: list[SlackChannelType] | None = Field(
+        ['public_channel'],
+        description='Slack conversation types to include when listing channels',
+    )
+    channel_ids: list[str] | None = Field(
+        None,
+        description='Explicit channel IDs to scan. If provided, channel_types is ignored.',
+    )
+    exclude_archived: bool | None = Field(
+        True, description='Exclude archived channels when listing'
+    )
+
+
+class SlackOptionalTimeRange(BaseModel):
+    """
+    Time window filters for message ingestion.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    oldest: str | None = Field(
+        None, description='Start of date range (Slack timestamp or ISO 8601)'
+    )
+    latest: str | None = Field(
+        None, description='End of date range (Slack timestamp or ISO 8601)'
+    )
+
+
+class SlackOptionalIngestion(BaseModel):
+    """
+    Throughput and payload controls for Slack ingestion.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    batch_size: int | None = Field(
+        200, description='Messages per API call (max 200)', ge=1, le=200
+    )
+    rate_limit_delay_seconds: float | None = Field(
+        1, description='Delay between API calls to avoid rate limits', ge=0.0
+    )
+    include_thread_replies: bool | None = Field(
+        False, description='Include thread replies in fetched content for detectors'
+    )
+
+
+class SlackOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    channels: SlackOptionalChannels | None = None
+    time_range: SlackOptionalTimeRange | None = None
+    ingestion: SlackOptionalIngestion | None = None
+
+
+class ObjectStorageOptionalScope(BaseModel):
+    """
+    Object scope and filtering controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    prefix: str | None = Field(
+        None, description='Object key prefix filter (for example, exports/2026/)'
+    )
+    include_extensions: list[str] | None = Field(
+        None,
+        description='Optional extension allowlist (for example, .pdf, .csv, .parquet)',
+    )
+    exclude_extensions: list[str] | None = Field(
+        None, description='Optional extension denylist'
+    )
+    include_empty_objects: bool | None = Field(
+        False, description='Include zero-byte objects in extraction results'
+    )
+    include_object_metadata: bool | None = Field(
+        True,
+        description='Attach provider metadata (etag, size, content-type hints, timestamps) to asset checksums',
+    )
+    include_content_preview: bool | None = Field(
+        True,
+        description='Download object bytes to infer MIME and extract detector-ready text previews',
+    )
+
+
+class S3CompatibleStorageRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    bucket: str = Field(
+        ...,
+        description='Bucket name for AWS S3, MinIO, Cloudflare R2, Backblaze B2, Garage, and other S3-compatible endpoints',
+    )
+
+
+class S3CompatibleStorageMasked(BaseModel):
+    """
+    Optional static credentials. Leave empty to use ambient AWS credentials chain.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    aws_access_key_id: str | None = Field(
+        None, description='S3-compatible access key ID'
+    )
+    aws_secret_access_key: str | None = Field(
+        None, description='S3-compatible secret access key'
+    )
+    aws_session_token: str | None = Field(
+        None, description='Optional session token for temporary credentials'
+    )
+
+
+class S3CompatibleStorageOptionalConnection(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    region_name: str | None = Field(
+        None,
+        description='Region (recommended for AWS; required by some S3-compatible providers)',
+    )
+    endpoint_url: AnyUrl | None = Field(
+        None,
+        description='Custom endpoint URL for MinIO/R2/B2/Garage and other S3-compatible providers',
+    )
+    request_timeout_seconds: float | None = Field(
+        30,
+        description='Network timeout in seconds for list/download operations',
+        ge=1.0,
+        le=300.0,
+    )
+    max_keys_per_page: int | None = Field(
+        200,
+        description='Maximum objects requested per provider list API call',
+        ge=1,
+        le=1000,
+    )
+    max_object_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per object for MIME detection and text extraction',
+        ge=1024,
+        le=52428800,
+    )
+    verify_ssl: bool | None = Field(
+        True, description='TLS certificate verification toggle'
+    )
+
+
+class S3CompatibleStorageOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: S3CompatibleStorageOptionalConnection | None = None
+    scope: ObjectStorageOptionalScope | None = None
+
+
+class AzureBlobStorageRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    account_url: AnyUrl = Field(
+        ...,
+        description='Azure Blob account URL (for example, https://<account>.blob.core.windows.net)',
+    )
+    container: str = Field(..., description='Azure Blob container name')
+
+
+class AzureBlobStorageMasked(BaseModel):
+    """
+    Optional Azure credentials. Leave empty to use managed identity/default credential chain.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    azure_connection_string: str | None = Field(
+        None,
+        description='Azure storage connection string (takes precedence over other auth fields)',
+    )
+    azure_account_key: str | None = Field(None, description='Azure storage account key')
+    azure_sas_token: str | None = Field(None, description='Azure SAS token')
+    azure_client_id: str | None = Field(
+        None, description='Azure Entra client ID (service principal auth)'
+    )
+    azure_client_secret: str | None = Field(
+        None, description='Azure Entra client secret (service principal auth)'
+    )
+    azure_tenant_id: str | None = Field(
+        None, description='Azure Entra tenant ID (service principal auth)'
+    )
+
+
+class AzureBlobStorageOptionalConnection(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    request_timeout_seconds: float | None = Field(
+        30,
+        description='Network timeout in seconds for list/download operations',
+        ge=1.0,
+        le=300.0,
+    )
+    max_keys_per_page: int | None = Field(
+        200, description='Maximum blobs requested per list page', ge=1, le=1000
+    )
+    max_object_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per blob for MIME detection and text extraction',
+        ge=1024,
+        le=52428800,
+    )
+
+
+class AzureBlobStorageOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: AzureBlobStorageOptionalConnection | None = None
+    scope: ObjectStorageOptionalScope | None = None
+
+
+class GoogleCloudStorageRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    bucket: str = Field(..., description='Google Cloud Storage bucket name')
+
+
+class GoogleCloudStorageMasked(BaseModel):
+    """
+    Optional inline service account credentials JSON. Leave empty to use ADC/workload identity.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    gcp_credentials_json: str | None = Field(
+        None, description='Google service account credentials JSON as inline string'
+    )
+
+
+class GoogleCloudStorageOptionalConnection(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    project_id: str | None = Field(
+        None,
+        description='Optional GCP project ID override for auth context and bucket listing',
+    )
+    gcp_credentials_file: str | None = Field(
+        None, description='Path to Google service account JSON credentials file'
+    )
+    request_timeout_seconds: float | None = Field(
+        30,
+        description='Network timeout in seconds for list/download operations',
+        ge=1.0,
+        le=300.0,
+    )
+    max_keys_per_page: int | None = Field(
+        200, description='Maximum objects requested per list page', ge=1, le=1000
+    )
+    max_object_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per object for MIME detection and text extraction',
+        ge=1024,
+        le=52428800,
+    )
+
+
+class GoogleCloudStorageOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: GoogleCloudStorageOptionalConnection | None = None
+    scope: ObjectStorageOptionalScope | None = None
+
+
+class PostgreSQLSSLMode(StrEnum):
+    """
+    SSL mode for PostgreSQL connection
+    """
+
+    disable = 'disable'
+    allow = 'allow'
+    prefer = 'prefer'
+    require = 'require'
+    verify_ca = 'verify-ca'
+    verify_full = 'verify-full'
+
+
+class PostgreSQLRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    host: str = Field(..., description='PostgreSQL host')
+    port: int = Field(..., description='PostgreSQL port', ge=1, le=65535)
+
+
+class PostgreSQLMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Database username')
+    password: str = Field(..., description='Database password')
+
+
+class PostgreSQLOptionalConnection(BaseModel):
+    """
+    Connection tuning and SSL behavior.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    ssl_mode: PostgreSQLSSLMode | None = 'prefer'
+    connect_timeout_seconds: int | None = Field(
+        10, description='Connection timeout in seconds', ge=1, le=120
+    )
+
+
+class PostgreSQLOptionalScope(BaseModel):
+    """
+    Database, schema, and table selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        False, description='Scan all non-template databases visible to this user'
+    )
+    maintenance_database: str | None = Field(
+        'postgres',
+        description='Database used for database enumeration when include_all_databases is true',
+    )
+    include_schemas: list[str] | None = Field(
+        None, description='Optional schema allowlist (exact schema names)'
+    )
+    exclude_schemas: list[str] | None = Field(
+        ['information_schema', 'pg_catalog', 'pg_toast'],
+        description='Schema denylist (exact schema names)',
+    )
+    include_tables: list[str] | None = Field(
+        None,
+        description='Optional table allowlist. Accepted forms: schema.table or database.schema.table',
+    )
+    table_limit: int | None = Field(
+        None, description='Optional cap on number of table assets extracted', ge=1
+    )
+
+
+class PostgreSQLOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: PostgreSQLOptionalConnection | None = None
+    scope: PostgreSQLOptionalScope | None = None
+
+
+class MySQLSSLMode(StrEnum):
+    """
+    SSL/TLS connection mode. DISABLED: no TLS; PREFERRED: TLS when available (default); REQUIRED: mandate TLS without certificate verification; VERIFY_CA: mandate TLS and verify the CA certificate (requires ssl_ca); VERIFY_IDENTITY: mandate TLS, verify CA, and verify server hostname.
+    """
+
+    DISABLED = 'DISABLED'
+    PREFERRED = 'PREFERRED'
+    REQUIRED = 'REQUIRED'
+    VERIFY_CA = 'VERIFY_CA'
+    VERIFY_IDENTITY = 'VERIFY_IDENTITY'
+
+
+class MySQLRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    host: str = Field(..., description='MySQL host')
+    port: int = Field(..., description='MySQL port', ge=1, le=65535)
+
+
+class MySQLMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Database username')
+    password: str = Field(..., description='Database password')
+    ssl_ca: str | None = Field(
+        None,
+        description='PEM-encoded CA certificate for SSL/TLS verification. Paste the full certificate content (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----). Required when ssl_mode is VERIFY_CA or VERIFY_IDENTITY.',
+    )
+
+
+class MySQLOptionalConnection(BaseModel):
+    """
+    Connection tuning for MySQL.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connect_timeout_seconds: int | None = Field(
+        10, description='Connection timeout in seconds', ge=1, le=120
+    )
+    ssl_mode: MySQLSSLMode | None = 'PREFERRED'
+    allow_public_key_retrieval: bool | None = Field(
+        False,
+        description='Allow automatic RSA public key retrieval from the server for caching_sha2_password authentication (MySQL 8+). Only needed when not using SSL and connecting to MySQL 8 servers using the default authentication plugin.',
+    )
+
+
+class MySQLOptionalScope(BaseModel):
+    """
+    Database and table selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        False, description='Scan all visible databases except excluded system databases'
+    )
+    exclude_databases: list[str] | None = Field(
+        ['information_schema', 'mysql', 'performance_schema', 'sys'],
+        description='Database denylist (exact database names)',
+    )
+    include_tables: list[str] | None = Field(
+        None,
+        description='Optional table allowlist. Accepted forms: table or database.table',
+    )
+    table_limit: int | None = Field(
+        None,
+        description='Optional cap on number of table assets extracted per database',
+        ge=1,
+    )
+
+
+class MySQLOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: MySQLOptionalConnection | None = None
+    scope: MySQLOptionalScope | None = None
+
+
+class MSSQLRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    host: str = Field(..., description='SQL Server host endpoint')
+    port: int = Field(..., description='SQL Server TCP port', ge=1, le=65535)
+
+
+class MSSQLMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='SQL Server login username')
+    password: str = Field(..., description='SQL Server login password')
+
+
+class AuthMode(StrEnum):
+    """
+    Authentication mode. CUSTOM uses masked.username as-is, LDAP prefixes username with ldap_domain when provided.
+    """
+
+    CUSTOM = 'CUSTOM'
+    LDAP = 'LDAP'
+
+
+class MSSQLOptionalConnection(BaseModel):
+    """
+    Connection tuning for SQL Server.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: AuthMode | None = Field(
+        'CUSTOM',
+        description='Authentication mode. CUSTOM uses masked.username as-is, LDAP prefixes username with ldap_domain when provided.',
+    )
+    ldap_domain: str | None = Field(
+        None,
+        description='Optional LDAP/AD domain for LDAP auth mode (for example, CORP or corp.local).',
+    )
+    is_aws_rds: bool | None = Field(
+        None,
+        description='Set true for AWS RDS SQL Server, false for on-prem. If unset, runtime auto-detects using host patterns.',
+    )
+    connect_timeout_seconds: int | None = Field(
+        10, description='Connection timeout in seconds', ge=1, le=120
+    )
+
+
+class MSSQLOptionalExtraction(BaseModel):
+    """
+    Lineage and advanced metadata extraction controls for SQL Server.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_table_lineage: bool | None = Field(
+        True,
+        description='Include table-level lineage links using foreign key metadata.',
+    )
+    include_view_lineage: bool | None = Field(
+        True,
+        description='Include view-to-table/view lineage links using SQL Server dependency metadata.',
+    )
+    include_view_column_lineage: bool | None = Field(
+        True, description='Enable view column lineage extraction when available.'
+    )
+    include_stored_procedures: bool | None = Field(
+        True, description='Include stored procedure metadata extraction.'
+    )
+    include_stored_procedures_code: bool | None = Field(
+        True,
+        description='Include stored procedure source code metadata when available.',
+    )
+    include_jobs: bool | None = Field(
+        True, description='Include SQL Server Agent jobs metadata extraction.'
+    )
+    include_query_lineage: bool | None = Field(
+        False,
+        description='Enable query-based lineage extraction from Query Store/DMVs.',
+    )
+    max_queries_to_extract: int | None = Field(
+        1000,
+        description='Maximum number of queries to analyze for query-based lineage.',
+        ge=1,
+        le=10000,
+    )
+    min_query_calls: int | None = Field(
+        1,
+        description='Minimum execution count for queries to be included in query-based lineage.',
+        ge=1,
+    )
+    query_exclude_patterns: list[str] | None = Field(
+        None,
+        description='SQL LIKE patterns used to exclude queries from query-based lineage.',
+        max_length=100,
+    )
+    include_usage_statistics: bool | None = Field(
+        False, description='Enable usage statistics extraction from SQL query metadata.'
+    )
+
+
+class MSSQLOptionalScope(BaseModel):
+    """
+    Database, schema, and object selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        False, description='Scan all visible databases except excluded system databases'
+    )
+    exclude_databases: list[str] | None = Field(
+        ['master', 'tempdb', 'model'],
+        description='Database denylist (exact database names)',
+    )
+    include_schemas: list[str] | None = Field(
+        None, description='Optional schema allowlist (exact schema names)'
+    )
+    exclude_schemas: list[str] | None = Field(
+        ['INFORMATION_SCHEMA', 'sys'],
+        description='Schema denylist (exact schema names)',
+    )
+    include_tables: bool | None = Field(
+        True, description='Include table assets in extraction'
+    )
+    include_views: bool | None = Field(
+        True, description='Include view assets in extraction'
+    )
+    include_objects: list[str] | None = Field(
+        None,
+        description='Optional object allowlist. Accepted forms: schema.object or database.schema.object',
+    )
+    table_limit: int | None = Field(
+        None, description='Optional cap on number of table/view assets extracted', ge=1
+    )
+
+
+class MSSQLOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: MSSQLOptionalConnection | None = None
+    scope: MSSQLOptionalScope | None = None
+    extraction: MSSQLOptionalExtraction | None = None
+
+
+class OracleRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    host: str = Field(..., description='Oracle host endpoint')
+    port: int = Field(..., description='Oracle TCP port', ge=1, le=65535)
+    service_name: str = Field(
+        ..., description='Oracle service name (for example, TEST_PDB)'
+    )
+
+
+class OracleMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Oracle login username')
+    password: str = Field(..., description='Oracle login password')
+
+
+class OracleOptionalConnection(BaseModel):
+    """
+    Connection tuning for Oracle.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connect_timeout_seconds: int | None = Field(
+        10, description='Connection timeout in seconds', ge=1, le=120
+    )
+
+
+class OracleOptionalScope(BaseModel):
+    """
+    Schema, object, and lineage extraction scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_schemas: list[str] | None = Field(
+        None, description='Optional schema allowlist (exact schema names)'
+    )
+    exclude_schemas: list[str] | None = Field(
+        [
+            'SYS',
+            'SYSTEM',
+            'DBSNMP',
+            'WMSYS',
+            'CTXSYS',
+            'XDB',
+            'MDSYS',
+            'ORDSYS',
+            'OUTLN',
+            'ORDDATA',
+        ],
+        description='Schema denylist (exact schema names)',
+    )
+    include_tables: bool | None = Field(
+        True, description='Include table assets in extraction'
+    )
+    include_views: bool | None = Field(
+        True, description='Include view assets in extraction'
+    )
+    include_view_lineage: bool | None = Field(
+        True,
+        description='Extract coarse lineage links from views to referenced tables/views',
+    )
+    include_view_column_lineage: bool | None = Field(
+        True,
+        description='Enable view column lineage collection from Oracle dependency metadata',
+    )
+    include_objects: list[str] | None = Field(
+        None,
+        description='Optional object allowlist. Accepted forms: schema.object or service.schema.object',
+    )
+    table_limit: int | None = Field(
+        None, description='Optional cap on number of table/view assets extracted', ge=1
+    )
+
+
+class OracleOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: OracleOptionalConnection | None = None
+    scope: OracleOptionalScope | None = None
+
+
+class HiveScheme(StrEnum):
+    """
+    Hive transport and driver scheme
+    """
+
+    hive = 'hive'
+    hive_http = 'hive+http'
+    hive_https = 'hive+https'
+    sparksql = 'sparksql'
+    databricks_pyhive = 'databricks+pyhive'
+
+
+class HiveRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    host: str = Field(..., description='Hive host endpoint')
+    port: int = Field(..., description='Hive TCP port', ge=1, le=65535)
+
+
+class HiveMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Hive login username')
+    password: str = Field(..., description='Hive login password')
+
+
+class HiveOptionalConnection(BaseModel):
+    """
+    Hive connection transport and authentication options.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    scheme: HiveScheme | None = None
+    connect_args: dict[str, Any] | None = Field(
+        {},
+        description='Additional PyHive connection arguments (e.g. auth, kerberos_service_name, http_path).',
+    )
+
+
+class HiveOptionalScope(BaseModel):
+    """
+    Hive database and object selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single Hive database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        False,
+        description='Scan all visible Hive databases except excluded system databases',
+    )
+    exclude_databases: list[str] | None = Field(
+        ['information_schema', 'sys'],
+        description='Database denylist (exact database names)',
+    )
+    include_tables: bool | None = Field(
+        True, description='Include table assets in extraction'
+    )
+    include_views: bool | None = Field(
+        True, description='Include view assets in extraction'
+    )
+    include_objects: list[str] | None = Field(
+        None,
+        description='Optional object allowlist. Accepted forms: table or database.table',
+    )
+    table_limit: int | None = Field(
+        None,
+        description='Optional cap on number of table/view assets extracted per database',
+        ge=1,
+    )
+
+
+class HiveOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: HiveOptionalConnection | None = None
+    scope: HiveOptionalScope | None = None
+
+
+class DatabricksAuthMode(StrEnum):
+    """
+    Databricks authentication mode
+    """
+
+    PAT_TOKEN = 'PAT_TOKEN'
+    SERVICE_PRINCIPAL = 'SERVICE_PRINCIPAL'
+
+
+class DatabricksRequiredPat(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['PAT_TOKEN']
+    workspace_url: AnyUrl = Field(
+        ...,
+        description='Databricks workspace URL (for example, https://adb-1234567890123456.7.azuredatabricks.net)',
+    )
+    warehouse_id: str = Field(
+        ..., description='Databricks SQL warehouse ID used for sampling queries'
+    )
+
+
+class DatabricksRequiredServicePrincipal(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['SERVICE_PRINCIPAL']
+    workspace_url: AnyUrl = Field(
+        ...,
+        description='Databricks workspace URL (for example, https://adb-1234567890123456.7.azuredatabricks.net)',
+    )
+    warehouse_id: str = Field(
+        ..., description='Databricks SQL warehouse ID used for sampling queries'
+    )
+    client_id: str = Field(..., description='Databricks service principal client ID')
+
+
+class DatabricksMaskedPat(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    token: str = Field(..., description='Databricks personal access token (PAT)')
+
+
+class DatabricksMaskedServicePrincipal(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    client_secret: str = Field(
+        ..., description='Databricks service principal client secret'
+    )
+
+
+class DatabricksOptionalConnection(BaseModel):
+    """
+    Databricks API and SQL statement execution tuning options.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    timeout_seconds: int | None = Field(
+        30, description='HTTP timeout for Databricks API calls', ge=5, le=300
+    )
+    statement_timeout_seconds: int | None = Field(
+        60, description='Maximum wait timeout for SQL statement execution', ge=5, le=600
+    )
+    max_statement_polls: int | None = Field(
+        30,
+        description='Maximum polling attempts when waiting for SQL statement completion',
+        ge=1,
+        le=120,
+    )
+
+
+class DatabricksOptionalScope(BaseModel):
+    """
+    Databricks Unity Catalog scope filters.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_catalogs: list[str] | None = Field(
+        None, description='Optional catalog allowlist (exact catalog names)'
+    )
+    exclude_catalogs: list[str] | None = Field(
+        [], description='Catalog denylist (exact catalog names)'
+    )
+    include_schemas: list[str] | None = Field(
+        None,
+        description='Optional schema allowlist. Accepted forms: schema or catalog.schema',
+    )
+    exclude_schemas: list[str] | None = Field(
+        ['information_schema'],
+        description='Schema denylist. Accepted forms: schema or catalog.schema',
+    )
+    include_tables: list[str] | None = Field(
+        None,
+        description='Optional table allowlist. Accepted forms: table, schema.table, or catalog.schema.table',
+    )
+    table_limit_per_schema: int | None = Field(
+        None,
+        description='Optional cap on number of Unity Catalog tables extracted per schema',
+        ge=1,
+    )
+    include_hive_metastore: bool | None = Field(
+        False, description='Include hive_metastore catalog in extraction'
+    )
+
+
+class DatabricksOptionalExtraction(BaseModel):
+    """
+    Databricks Unity Catalog extraction feature flags.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_table_lineage: bool | None = Field(
+        True,
+        description='Include table-level lineage links between Unity Catalog tables',
+    )
+    include_column_lineage: bool | None = Field(
+        False, description='Attempt to fetch column-level lineage metadata'
+    )
+    include_notebooks: bool | None = Field(
+        False, description='Extract workspace notebook metadata as additional assets'
+    )
+    include_pipelines: bool | None = Field(
+        False,
+        description='Extract Delta Live Tables pipeline metadata as additional assets',
+    )
+
+
+class DatabricksOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: DatabricksOptionalConnection | None = None
+    scope: DatabricksOptionalScope | None = None
+    extraction: DatabricksOptionalExtraction | None = None
+
+
+class SnowflakeAuthenticationType(StrEnum):
+    """
+    Snowflake authentication type
+    """
+
+    DEFAULT_AUTHENTICATOR = 'DEFAULT_AUTHENTICATOR'
+    EXTERNAL_BROWSER_AUTHENTICATOR = 'EXTERNAL_BROWSER_AUTHENTICATOR'
+    KEY_PAIR_AUTHENTICATOR = 'KEY_PAIR_AUTHENTICATOR'
+    OAUTH_AUTHENTICATOR_TOKEN = 'OAUTH_AUTHENTICATOR_TOKEN'
+
+
+class SnowflakeRequiredDefaultAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    authentication_type: Literal['DEFAULT_AUTHENTICATOR']
+    account_id: str = Field(
+        ...,
+        description='Snowflake account identifier (for example, xy12345.us-east-2.aws or LMAUONV-ONE_DATA_DEV)',
+    )
+
+
+class SnowflakeRequiredExternalBrowserAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    authentication_type: Literal['EXTERNAL_BROWSER_AUTHENTICATOR']
+    account_id: str = Field(
+        ...,
+        description='Snowflake account identifier (for example, xy12345.us-east-2.aws or LMAUONV-ONE_DATA_DEV)',
+    )
+
+
+class SnowflakeRequiredKeyPairAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    authentication_type: Literal['KEY_PAIR_AUTHENTICATOR']
+    account_id: str = Field(
+        ...,
+        description='Snowflake account identifier (for example, xy12345.us-east-2.aws or LMAUONV-ONE_DATA_DEV)',
+    )
+
+
+class SnowflakeRequiredOauthAuthenticatorToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    authentication_type: Literal['OAUTH_AUTHENTICATOR_TOKEN']
+    account_id: str = Field(
+        ...,
+        description='Snowflake account identifier (for example, xy12345.us-east-2.aws or LMAUONV-ONE_DATA_DEV)',
+    )
+
+
+class SnowflakeMaskedDefaultAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Snowflake login username')
+    password: str = Field(..., description='Snowflake login password')
+
+
+class SnowflakeMaskedExternalBrowserAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Snowflake login username')
+
+
+class SnowflakeMaskedKeyPairAuthenticator(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Snowflake login username')
+    private_key: str = Field(
+        ...,
+        description='Snowflake private key PEM content. You can pass escaped newlines (\\n).',
+    )
+    private_key_password: str | None = Field(
+        None,
+        description='Password for encrypted private key PEM (optional when key is not encrypted).',
+    )
+
+
+class SnowflakeMaskedOauthAuthenticatorToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Snowflake login username')
+    token: str = Field(
+        ..., description='OAuth bearer token for Snowflake authentication'
+    )
+
+
+class SnowflakeOptionalConnection(BaseModel):
+    """
+    Snowflake connection and session tuning options.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    warehouse: str | None = Field(
+        None, description='Snowflake warehouse to use for metadata and sampling queries'
+    )
+    role: str | None = Field(
+        None, description='Snowflake role to use for metadata and sampling queries'
+    )
+    snowflake_domain: str | None = Field(
+        'snowflakecomputing.com',
+        description='Snowflake domain suffix (use snowflakecomputing.cn for China regions).',
+    )
+    connect_timeout_seconds: int | None = Field(
+        15, description='Connection timeout in seconds', ge=1, le=300
+    )
+    connect_args: dict[str, Any] | None = Field(
+        {},
+        description='Additional snowflake.connector.connect keyword arguments (advanced usage).',
+    )
+
+
+class SnowflakeOptionalScope(BaseModel):
+    """
+    Database, schema, and object selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        False, description='Scan all visible databases except excluded system databases'
+    )
+    exclude_databases: list[str] | None = Field(
+        ['SNOWFLAKE', 'SNOWFLAKE_SAMPLE_DATA'],
+        description='Database denylist (exact database names)',
+    )
+    include_schemas: list[str] | None = Field(
+        None, description='Optional schema allowlist (exact schema names)'
+    )
+    exclude_schemas: list[str] | None = Field(
+        ['INFORMATION_SCHEMA'], description='Schema denylist (exact schema names)'
+    )
+    include_tables: bool | None = Field(
+        True, description='Include table assets in extraction'
+    )
+    include_views: bool | None = Field(
+        True, description='Include view assets in extraction'
+    )
+    include_objects: list[str] | None = Field(
+        None,
+        description='Optional object allowlist. Accepted forms: schema.object or database.schema.object',
+    )
+    table_limit: int | None = Field(
+        None, description='Optional cap on number of table/view assets extracted', ge=1
+    )
+
+
+class SnowflakeOptionalExtraction(BaseModel):
+    """
+    Lineage extraction controls for Snowflake metadata ingestion.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    start_time: AwareDatetime | None = Field(
+        None, description='Optional lineage lower bound timestamp (ISO 8601).'
+    )
+    include_table_lineage: bool | None = Field(
+        True,
+        description='Include table-level lineage links when dependency metadata is accessible.',
+    )
+    include_view_lineage: bool | None = Field(
+        True,
+        description='Include view-to-table/view lineage links when dependency metadata is accessible.',
+    )
+
+
+class SnowflakeOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: SnowflakeOptionalConnection | None = None
+    scope: SnowflakeOptionalScope | None = None
+    extraction: SnowflakeOptionalExtraction | None = None
+
+
+class MongoDBDeployment(StrEnum):
+    """
+    MongoDB deployment mode
+    """
+
+    ATLAS = 'ATLAS'
+    ON_PREM = 'ON_PREM'
+
+
+class MongoDBRequiredAtlas(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    deployment: Literal['ATLAS']
+    cluster_host: str = Field(
+        ...,
+        description='Atlas SRV cluster host or full mongodb+srv:// URI (for example, cluster.abc123.mongodb.net or mongodb+srv://cluster.abc123.mongodb.net). If a full URI is supplied, the host is extracted and credentials are discarded — set them in masked fields instead.',
+        min_length=1,
+    )
+
+
+class MongoDBRequiredOnPrem(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    deployment: Literal['ON_PREM']
+    host: str = Field(..., description='On-prem MongoDB host endpoint')
+    port: int = Field(..., description='On-prem MongoDB TCP port', ge=1, le=65535)
+
+
+class MongoDBMaskedUsernamePassword(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='MongoDB login username')
+    password: str = Field(..., description='MongoDB login password')
+
+
+class MongoDBMaskedNone(BaseModel):
+    """
+    Use when the MongoDB endpoint allows anonymous/no-auth access.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+
+
+class MongoDBAuthMechanism(StrEnum):
+    """
+    MongoDB authentication mechanism
+    """
+
+    DEFAULT = 'DEFAULT'
+    SCRAM_SHA_1 = 'SCRAM-SHA-1'
+    SCRAM_SHA_256 = 'SCRAM-SHA-256'
+    MONGODB_AWS = 'MONGODB-AWS'
+    MONGODB_X509 = 'MONGODB-X509'
+    GSSAPI = 'GSSAPI'
+    PLAIN = 'PLAIN'
+
+
+class MongoDBOptionalConnection(BaseModel):
+    """
+    MongoDB connection and authentication tuning options.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mechanism: MongoDBAuthMechanism | None = None
+    auth_source: str | None = Field(
+        None, description='Authentication database/source (for example, admin)'
+    )
+    app_name: str | None = Field(
+        None, description='MongoDB appName (Atlas and driver telemetry label)'
+    )
+    tls: bool | None = Field(
+        None, description='Enable TLS for on-prem connections when required'
+    )
+    replica_set: str | None = Field(
+        None, description='Replica set name for on-prem deployments'
+    )
+    direct_connection: bool | None = Field(
+        None,
+        description='Connect directly to a single host instead of topology discovery',
+    )
+    connect_timeout_ms: int | None = Field(
+        10000,
+        description='MongoDB connection timeout in milliseconds',
+        ge=100,
+        le=120000,
+    )
+    options: dict[str, Any] | None = Field(
+        {},
+        description='Additional pymongo.MongoClient keyword arguments (advanced usage).',
+    )
+
+
+class MongoDBOptionalScope(BaseModel):
+    """
+    MongoDB database and collection selection scope.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    database: str | None = Field(
+        None,
+        description='Single database to scan (optional when include_all_databases is true)',
+    )
+    include_all_databases: bool | None = Field(
+        True, description='Scan all visible databases except excluded system databases'
+    )
+    exclude_databases: list[str] | None = Field(
+        ['admin', 'config', 'local'],
+        description='Database denylist (exact database names)',
+    )
+    include_collections: list[str] | None = Field(
+        None,
+        description='Optional collection allowlist. Accepted forms: collection or database.collection',
+    )
+    exclude_collections: list[str] | None = Field(
+        None,
+        description='Optional collection denylist. Accepted forms: collection or database.collection',
+    )
+    include_system_collections: bool | None = Field(
+        False, description='Include system.* collections when true'
+    )
+    collection_limit: int | None = Field(
+        None,
+        description='Optional cap on number of collections extracted per database',
+        ge=1,
+    )
+
+
+class MongoDBOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: MongoDBOptionalConnection | None = None
+    scope: MongoDBOptionalScope | None = None
+
+
+class PowerBIAuthMode(StrEnum):
+    """
+    PowerBI authentication mode
+    """
+
+    SERVICE_PRINCIPAL = 'SERVICE_PRINCIPAL'
+    ACCESS_TOKEN = 'ACCESS_TOKEN'
+
+
+class PowerBIRequiredServicePrincipal(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['SERVICE_PRINCIPAL']
+    tenant_id: str = Field(
+        ..., description='Azure tenant identifier', pattern='^[0-9a-fA-F-]{36}$'
+    )
+    client_id: str = Field(
+        ..., description='Azure app client identifier', pattern='^[0-9a-fA-F-]{36}$'
+    )
+
+
+class PowerBIRequiredAccessToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['ACCESS_TOKEN']
+
+
+class PowerBIMaskedClientSecret(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    client_secret: str = Field(
+        ..., description='Azure app client secret for service principal auth'
+    )
+
+
+class PowerBIMaskedAccessToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    access_token: str = Field(..., description='Bearer token for PowerBI API access')
+
+
+class PowerBIOptionalConnection(BaseModel):
+    """
+    PowerBI API endpoint and timeout controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    authority_url: AnyUrl | None = Field(
+        'https://login.microsoftonline.com',
+        description='Authority base URL for Microsoft Entra token issuance',
+    )
+    api_base_url: AnyUrl | None = Field(
+        'https://api.powerbi.com/v1.0/myorg', description='PowerBI REST API base URL'
+    )
+    timeout_seconds: int | None = Field(
+        30, description='HTTP timeout for PowerBI API calls', ge=5, le=300
+    )
+
+
+class PowerBIOptionalScope(BaseModel):
+    """
+    Workspace scope controls for PowerBI ingestion.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    workspace_ids: list[str] | None = Field(
+        None, description='Optional allowlist of workspace IDs to scan'
+    )
+    workspace_names: list[str] | None = Field(
+        None, description='Optional allowlist of workspace names to scan'
+    )
+    include_personal_workspaces: bool | None = Field(
+        False, description='Include personal workspaces when true'
+    )
+
+
+class PowerBIOptionalExtraction(BaseModel):
+    """
+    Feature flags that control PowerBI entities to extract.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    extract_ownership: bool | None = Field(
+        False, description='Extract workspace/report/dataset owner metadata'
+    )
+    extract_workspaces_to_containers: bool | None = Field(
+        True, description='Emit workspace metadata suitable for container grouping'
+    )
+    extract_datasets_to_containers: bool | None = Field(
+        False, description='Emit dataset metadata suitable for container grouping'
+    )
+    extract_dashboards: bool | None = Field(
+        True, description='Extract PowerBI dashboards'
+    )
+    extract_reports: bool | None = Field(True, description='Extract PowerBI reports')
+    extract_dataset_schema: bool | None = Field(
+        True, description='Attempt to extract PowerBI dataset table schema metadata'
+    )
+
+
+class PowerBIOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: PowerBIOptionalConnection | None = None
+    scope: PowerBIOptionalScope | None = None
+    extraction: PowerBIOptionalExtraction | None = None
+
+
+class TableauAuthMode(StrEnum):
+    """
+    Tableau authentication mode
+    """
+
+    USERNAME_PASSWORD = 'USERNAME_PASSWORD'
+    PERSONAL_ACCESS_TOKEN = 'PERSONAL_ACCESS_TOKEN'
+
+
+class TableauRequiredUsernamePassword(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['USERNAME_PASSWORD']
+    connect_uri: AnyUrl = Field(
+        ...,
+        description='Tableau host URL (for example, https://dub01.online.tableau.com)',
+    )
+    site: str = Field(
+        ...,
+        description='Tableau site content URL. Use empty string for the Default site on Tableau Server.',
+    )
+
+
+class TableauRequiredPersonalAccessToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    auth_mode: Literal['PERSONAL_ACCESS_TOKEN']
+    connect_uri: AnyUrl = Field(
+        ...,
+        description='Tableau host URL (for example, https://dub01.online.tableau.com)',
+    )
+    site: str = Field(
+        ...,
+        description='Tableau site content URL. Use empty string for the Default site on Tableau Server.',
+    )
+    token_name: str = Field(..., description='Tableau personal access token name')
+
+
+class TableauMaskedUsernamePassword(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Tableau login username')
+    password: str = Field(..., description='Tableau login password')
+
+
+class TableauMaskedPersonalAccessToken(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    token_value: str = Field(..., description='Tableau personal access token value')
+
+
+class TableauOptionalConnection(BaseModel):
+    """
+    Tableau API connection and retry settings.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    max_retries: int | None = Field(
+        3,
+        description='Maximum retries for transient Tableau API request failures',
+        ge=0,
+        le=10,
+    )
+    ssl_verify: bool | str | None = Field(
+        True,
+        description='Verify SSL certificates. Provide a PEM bundle path string for custom certs.',
+    )
+    session_trust_env: bool | None = Field(
+        False,
+        description='When true, allow requests session proxy/environment settings',
+    )
+    timeout_seconds: int | None = Field(
+        30, description='HTTP timeout in seconds for Tableau requests', ge=5, le=300
+    )
+
+
+class TableauOptionalScope(BaseModel):
+    """
+    Optional Tableau project/workbook/datasource scope filters.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    project_names: list[str] | None = Field(
+        None, description='Optional Tableau project allowlist (exact names)'
+    )
+    workbook_names: list[str] | None = Field(
+        None, description='Optional Tableau workbook allowlist (exact names)'
+    )
+    datasource_names: list[str] | None = Field(
+        None, description='Optional Tableau datasource allowlist (exact names)'
+    )
+    include_workbooks: bool | None = Field(
+        True, description='Include workbook assets in extraction'
+    )
+    include_datasources: bool | None = Field(
+        True, description='Include datasource assets in extraction'
+    )
+
+
+class TableauOptionalExtraction(BaseModel):
+    """
+    Tableau metadata extraction feature flags.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    ingest_tags: bool | None = Field(
+        False, description='Extract Tableau tags into asset metadata'
+    )
+    ingest_owner: bool | None = Field(
+        False, description='Extract Tableau owner metadata into assets'
+    )
+    extract_usage_stats: bool | None = Field(
+        False, description='Extract Tableau usage statistics when accessible'
+    )
+
+
+class TableauOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: TableauOptionalConnection | None = None
+    scope: TableauOptionalScope | None = None
+    extraction: TableauOptionalExtraction | None = None
+
+
+class CoreInput(BaseModel):
+    type: AssetType
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class Type(StrEnum):
+    """
+    Type of the asset or source
+    """
+
+    WORDPRESS = 'WORDPRESS'
+    SLACK = 'SLACK'
+    S3_COMPATIBLE_STORAGE = 'S3_COMPATIBLE_STORAGE'
+    AZURE_BLOB_STORAGE = 'AZURE_BLOB_STORAGE'
+    GOOGLE_CLOUD_STORAGE = 'GOOGLE_CLOUD_STORAGE'
+    POSTGRESQL = 'POSTGRESQL'
+    MYSQL = 'MYSQL'
+    MSSQL = 'MSSQL'
+    ORACLE = 'ORACLE'
+    HIVE = 'HIVE'
+    DATABRICKS = 'DATABRICKS'
+    SNOWFLAKE = 'SNOWFLAKE'
+    MONGODB = 'MONGODB'
+    NEO4J = 'NEO4J'
+    POWERBI = 'POWERBI'
+    TABLEAU = 'TABLEAU'
+    CONFLUENCE = 'CONFLUENCE'
+    JIRA = 'JIRA'
+    SERVICEDESK = 'SERVICEDESK'
+
+
+class SlackInput(CoreInput):
+    type: Literal['SLACK'] = Field('SLACK', description='Type of the asset or source')
+    required: SlackRequired
+    masked: SlackMaskedBotToken | SlackMaskedUserToken | SlackMaskedToken = Field(
+        ..., title='SlackMasked'
+    )
+    optional: SlackOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class S3CompatibleStorageInput(CoreInput):
+    type: Literal['S3_COMPATIBLE_STORAGE'] = Field(
+        'S3_COMPATIBLE_STORAGE', description='Type of the asset or source'
+    )
+    required: S3CompatibleStorageRequired
+    masked: S3CompatibleStorageMasked | None = None
+    optional: S3CompatibleStorageOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class AzureBlobStorageInput(CoreInput):
+    type: Literal['AZURE_BLOB_STORAGE'] = Field(
+        'AZURE_BLOB_STORAGE', description='Type of the asset or source'
+    )
+    required: AzureBlobStorageRequired
+    masked: AzureBlobStorageMasked | None = None
+    optional: AzureBlobStorageOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class GoogleCloudStorageInput(CoreInput):
+    type: Literal['GOOGLE_CLOUD_STORAGE'] = Field(
+        'GOOGLE_CLOUD_STORAGE', description='Type of the asset or source'
+    )
+    required: GoogleCloudStorageRequired
+    masked: GoogleCloudStorageMasked | None = None
+    optional: GoogleCloudStorageOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class WordPressInput(CoreInput):
+    type: Literal['WORDPRESS'] = Field(
+        'WORDPRESS', description='Type of the asset or source'
+    )
+    required: WordPressRequired
+    masked: WordPressMasked
+    optional: WordPressOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class PostgreSQLInput(CoreInput):
+    type: Literal['POSTGRESQL'] = Field(
+        'POSTGRESQL', description='Type of the asset or source'
+    )
+    required: PostgreSQLRequired
+    masked: PostgreSQLMasked
+    optional: PostgreSQLOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class MySQLInput(CoreInput):
+    type: Literal['MYSQL'] = Field('MYSQL', description='Type of the asset or source')
+    required: MySQLRequired
+    masked: MySQLMasked
+    optional: MySQLOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class MSSQLInput(CoreInput):
+    type: Literal['MSSQL'] = Field('MSSQL', description='Type of the asset or source')
+    required: MSSQLRequired
+    masked: MSSQLMasked
+    optional: MSSQLOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class OracleInput(CoreInput):
+    type: Literal['ORACLE'] = Field('ORACLE', description='Type of the asset or source')
+    required: OracleRequired
+    masked: OracleMasked
+    optional: OracleOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class HiveInput(CoreInput):
+    type: Literal['HIVE'] = Field('HIVE', description='Type of the asset or source')
+    required: HiveRequired
+    masked: HiveMasked
+    optional: HiveOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class DatabricksInput(CoreInput):
+    type: Literal['DATABRICKS'] = Field(
+        'DATABRICKS', description='Type of the asset or source'
+    )
+    required: DatabricksRequiredPat | DatabricksRequiredServicePrincipal = Field(
+        ..., title='DatabricksRequired'
+    )
+    masked: DatabricksMaskedPat | DatabricksMaskedServicePrincipal = Field(
+        ..., title='DatabricksMasked'
+    )
+    optional: DatabricksOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class SnowflakeInput(CoreInput):
+    type: Literal['SNOWFLAKE'] = Field(
+        'SNOWFLAKE', description='Type of the asset or source'
+    )
+    required: (
+        SnowflakeRequiredDefaultAuthenticator
+        | SnowflakeRequiredExternalBrowserAuthenticator
+        | SnowflakeRequiredKeyPairAuthenticator
+        | SnowflakeRequiredOauthAuthenticatorToken
+    ) = Field(..., title='SnowflakeRequired')
+    masked: (
+        SnowflakeMaskedDefaultAuthenticator
+        | SnowflakeMaskedExternalBrowserAuthenticator
+        | SnowflakeMaskedKeyPairAuthenticator
+        | SnowflakeMaskedOauthAuthenticatorToken
+    ) = Field(..., title='SnowflakeMasked')
+    optional: SnowflakeOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class MongoDBInput(CoreInput):
+    type: Literal['MONGODB'] = Field(
+        'MONGODB', description='Type of the asset or source'
+    )
+    required: MongoDBRequiredAtlas | MongoDBRequiredOnPrem = Field(
+        ..., title='MongoDBRequired'
+    )
+    masked: MongoDBMaskedUsernamePassword | MongoDBMaskedNone = Field(
+        ..., title='MongoDBMasked'
+    )
+    optional: MongoDBOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class Neo4jRequired(BaseModel):
+    """
+    Neo4j connection endpoint. Accepts bolt://, neo4j://, or neo4j+s:// URIs.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    uri: str = Field(
+        ...,
+        description='Bolt or Neo4j URI (e.g. bolt://localhost:7687 or neo4j+s://abc123.databases.neo4j.io)',
+    )
+    database: str | None = Field(
+        None,
+        description='Target database name (defaults to "neo4j"). Multi-database requires Neo4j 4.0+.',
+    )
+
+
+class Neo4jMaskedUsernamePassword(BaseModel):
+    """
+    Neo4j basic auth credentials.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    username: str = Field(..., description='Neo4j username (typically "neo4j")')
+    password: str = Field(..., description='Neo4j password')
+
+
+class Neo4jMaskedNone(BaseModel):
+    """
+    No authentication (local dev / anonymous access).
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+
+
+class TrustStrategy(StrEnum):
+    """
+    Certificate trust strategy. TRUST_ALL_CERTIFICATES is useful for self-signed certs in dev.
+    """
+
+    TRUST_ALL_CERTIFICATES = 'TRUST_ALL_CERTIFICATES'
+    TRUST_SYSTEM_CA_SIGNED_CERTIFICATES = 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES'
+
+
+class Neo4jOptionalConnection(BaseModel):
+    """
+    Neo4j driver connection tuning options.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection_timeout_ms: int | None = Field(
+        30000, description='Driver connection timeout in milliseconds.', ge=1000
+    )
+    max_connection_pool_size: int | None = Field(
+        10, description='Maximum number of connections in the driver pool.', ge=1
+    )
+    encrypted: bool | None = Field(
+        None, description='Force encrypted connection (overrides URI scheme detection).'
+    )
+    trust_strategy: TrustStrategy | None = Field(
+        None,
+        description='Certificate trust strategy. TRUST_ALL_CERTIFICATES is useful for self-signed certs in dev.',
+    )
+
+
+class Neo4jOptionalScope(BaseModel):
+    """
+    Controls which node labels and relationships are included.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_labels: list[str] | None = Field(
+        None,
+        description='Allowlist of node labels to scan. If empty, all labels are included.',
+    )
+    exclude_labels: list[str] | None = Field(
+        None, description='Denylist of node labels to skip (case-sensitive).'
+    )
+    node_limit_per_label: int | None = Field(
+        None,
+        description='Maximum number of assets (node labels) to emit per extraction run.',
+        ge=1,
+    )
+    include_relationships: bool | None = Field(
+        True,
+        description='When true, relationship edges between labels are resolved and stored as asset links.',
+    )
+
+
+class Neo4jOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: Neo4jOptionalConnection | None = None
+    scope: Neo4jOptionalScope | None = None
+
+
+class Neo4jInput(CoreInput):
+    type: Literal['NEO4J'] = Field('NEO4J', description='Type of the asset or source')
+    required: Neo4jRequired
+    masked: Neo4jMaskedUsernamePassword | Neo4jMaskedNone = Field(
+        ..., title='Neo4jMasked'
+    )
+    optional: Neo4jOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class PowerBIInput(CoreInput):
+    type: Literal['POWERBI'] = Field(
+        'POWERBI', description='Type of the asset or source'
+    )
+    required: PowerBIRequiredServicePrincipal | PowerBIRequiredAccessToken = Field(
+        ..., title='PowerBIRequired'
+    )
+    masked: PowerBIMaskedClientSecret | PowerBIMaskedAccessToken = Field(
+        ..., title='PowerBIMasked'
+    )
+    optional: PowerBIOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class TableauInput(CoreInput):
+    type: Literal['TABLEAU'] = Field(
+        'TABLEAU', description='Type of the asset or source'
+    )
+    required: TableauRequiredUsernamePassword | TableauRequiredPersonalAccessToken = (
+        Field(..., title='TableauRequired')
+    )
+    masked: TableauMaskedUsernamePassword | TableauMaskedPersonalAccessToken = Field(
+        ..., title='TableauMasked'
+    )
+    optional: TableauOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class ConfluenceRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    base_url: AnyUrl = Field(
+        ...,
+        description='Confluence Cloud tenant URL (for example, https://your-domain.atlassian.net)',
+    )
+    account_email: EmailStr = Field(
+        ...,
+        description='Atlassian account email used with API token for Basic authentication',
+    )
+
+
+class ConfluenceMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    api_token: str = Field(..., description='Atlassian API token for Confluence Cloud')
+
+
+class ConfluenceOptionalConnection(BaseModel):
+    """
+    HTTP and retry settings for Confluence API calls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    request_timeout_seconds: float | None = Field(
+        30, description='HTTP request timeout for Confluence API calls', ge=1.0
+    )
+    rate_limit_delay_seconds: float | None = Field(
+        0,
+        description='Additional delay between API requests to reduce rate-limit pressure',
+        ge=0.0,
+    )
+    max_retries: int | None = Field(
+        3,
+        description='Maximum retry attempts for transient API failures and rate limits',
+        ge=0,
+        le=10,
+    )
+
+
+class Type16(StrEnum):
+    """
+    Filter spaces by space type
+    """
+
+    global_ = 'global'
+    collaboration = 'collaboration'
+    knowledge_base = 'knowledge_base'
+    personal = 'personal'
+    system = 'system'
+    onboarding = 'onboarding'
+    xflow_sample_space = 'xflow_sample_space'
+
+
+class Status(StrEnum):
+    """
+    Filter spaces by status
+    """
+
+    current = 'current'
+    archived = 'archived'
+
+
+class ConfluenceOptionalScopeSpaces(BaseModel):
+    """
+    Space-level filters passed to Confluence /spaces endpoint.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    ids: list[int] | None = Field(
+        None, description='Filter spaces by IDs (up to 250)', max_length=250
+    )
+    keys: list[str] | None = Field(
+        None, description='Filter spaces by keys (up to 250)', max_length=250
+    )
+    type: Type16 | None = Field(None, description='Filter spaces by space type')
+    status: Status | None = Field(None, description='Filter spaces by status')
+    labels: list[str] | None = Field(
+        None,
+        description='Filter spaces by labels (comma-separated in API request)',
+        max_length=250,
+    )
+
+
+class ConfluenceOptionalScope(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    spaces: ConfluenceOptionalScopeSpaces | None = None
+
+
+class ConfluenceOptionalContent(BaseModel):
+    """
+    Confluence content extraction controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_footer_comments: bool | None = Field(
+        True,
+        description='Include footer comments and aggregate them into a per-page comments asset',
+    )
+    include_inline_comments: bool | None = Field(
+        True,
+        description='Include inline comments and aggregate them into a per-page comments asset',
+    )
+    include_attachments: bool | None = Field(
+        True, description='Include Confluence page attachments as related assets'
+    )
+    include_linked_file_assets: bool | None = Field(
+        True,
+        description='Materialize linked file-like URLs from page body as related assets',
+    )
+    attachment_max_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per attachment for MIME inference and text extraction',
+        ge=1024,
+    )
+
+
+class ConfluenceOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: ConfluenceOptionalConnection | None = None
+    scope: ConfluenceOptionalScope | None = None
+    content: ConfluenceOptionalContent | None = None
+
+
+class JiraRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    base_url: AnyUrl = Field(
+        ...,
+        description='Jira Cloud tenant URL (for example, https://your-domain.atlassian.net)',
+    )
+    account_email: EmailStr = Field(
+        ...,
+        description='Atlassian account email used with API token for Basic authentication',
+    )
+
+
+class JiraMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    api_token: str = Field(..., description='Atlassian API token for Jira Cloud')
+
+
+class JiraOptionalConnection(BaseModel):
+    """
+    HTTP and retry settings for Jira API calls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    request_timeout_seconds: float | None = Field(
+        30, description='HTTP request timeout for Jira API calls', ge=1.0
+    )
+    rate_limit_delay_seconds: float | None = Field(
+        0,
+        description='Additional delay between API requests to reduce rate-limit pressure',
+        ge=0.0,
+    )
+    max_retries: int | None = Field(
+        3,
+        description='Maximum retry attempts for transient API failures and rate limits',
+        ge=0,
+        le=10,
+    )
+
+
+class JiraOptionalScope(BaseModel):
+    """
+    Optional Jira scope filters. When omitted, all visible issues are eligible for sampling.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    project_keys: list[str] | None = Field(
+        None,
+        description='Project keys to include (up to 50)',
+        max_length=50,
+        min_length=1,
+    )
+    project_ids: list[int] | None = Field(
+        None,
+        description='Project IDs to include (up to 50)',
+        max_length=50,
+        min_length=1,
+    )
+    jql: str | None = Field(
+        None,
+        description='Additional JQL filter to combine with project scope',
+        min_length=1,
+    )
+
+
+class JiraOptionalContent(BaseModel):
+    """
+    Jira issue content extraction controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_comments: bool | None = Field(
+        True,
+        description='Include issue comments and aggregate them into a per-issue comments asset',
+    )
+    include_attachments: bool | None = Field(
+        True, description='Include issue attachments as related assets'
+    )
+    attachment_max_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per attachment for MIME inference and text extraction',
+        ge=1024,
+    )
+
+
+class JiraOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: JiraOptionalConnection | None = None
+    scope: JiraOptionalScope | None = None
+    content: JiraOptionalContent | None = None
+
+
+class ServiceDeskRequired(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    base_url: AnyUrl = Field(
+        ...,
+        description='Jira Service Management tenant URL (for example, https://your-domain.atlassian.net)',
+    )
+    account_email: EmailStr = Field(
+        ...,
+        description='Atlassian account email used with API token for Basic authentication',
+    )
+
+
+class ServiceDeskMasked(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    api_token: str = Field(
+        ..., description='Atlassian API token for Jira Service Management Cloud'
+    )
+
+
+class ServiceDeskOptionalConnection(BaseModel):
+    """
+    HTTP and retry settings for Jira Service Management API calls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    request_timeout_seconds: float | None = Field(
+        30, description='HTTP request timeout for Service Desk API calls', ge=1.0
+    )
+    rate_limit_delay_seconds: float | None = Field(
+        0,
+        description='Additional delay between API requests to reduce rate-limit pressure',
+        ge=0.0,
+    )
+    max_retries: int | None = Field(
+        3,
+        description='Maximum retry attempts for transient API failures and rate limits',
+        ge=0,
+        le=10,
+    )
+
+
+class ServiceDeskOptionalScope(BaseModel):
+    """
+    Optional Service Desk scope filters. When omitted, all visible requests are eligible for sampling.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    service_desk_ids: list[int] | None = Field(
+        None, description='Service desk IDs to include', max_length=100, min_length=1
+    )
+    request_type_ids: list[int] | None = Field(
+        None, description='Request type IDs to include', max_length=100, min_length=1
+    )
+    request_status: str | None = Field(
+        None, description='Request status filter passed to Service Desk API'
+    )
+    request_ownership: list[str] | None = Field(
+        None,
+        description='Ownership filter values passed to Service Desk API (for example, OWNED_REQUESTS)',
+        min_length=1,
+    )
+    organization_id: int | None = Field(
+        None, description='Organization ID used to scope requests'
+    )
+    search_term: str | None = Field(
+        None, description='Search term filter for request summaries and content'
+    )
+
+
+class ServiceDeskOptionalContent(BaseModel):
+    """
+    Service Desk request extraction controls.
+    """
+
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    include_comments: bool | None = Field(
+        True,
+        description='Include request comments and aggregate them into a per-request comments asset',
+    )
+    include_attachments: bool | None = Field(
+        True, description='Include request attachments as related assets'
+    )
+    attachment_max_bytes: int | None = Field(
+        5242880,
+        description='Maximum bytes downloaded per attachment for MIME inference and text extraction',
+        ge=1024,
+    )
+
+
+class ServiceDeskOptional(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid',
+    )
+    connection: ServiceDeskOptionalConnection | None = None
+    scope: ServiceDeskOptionalScope | None = None
+    content: ServiceDeskOptionalContent | None = None
+
+
+class Type17(StrEnum):
+    """
+    Type of the asset or source
+    """
+
+    WORDPRESS = 'WORDPRESS'
+    SLACK = 'SLACK'
+    S3_COMPATIBLE_STORAGE = 'S3_COMPATIBLE_STORAGE'
+    AZURE_BLOB_STORAGE = 'AZURE_BLOB_STORAGE'
+    GOOGLE_CLOUD_STORAGE = 'GOOGLE_CLOUD_STORAGE'
+    POSTGRESQL = 'POSTGRESQL'
+    MYSQL = 'MYSQL'
+    MSSQL = 'MSSQL'
+    ORACLE = 'ORACLE'
+    HIVE = 'HIVE'
+    DATABRICKS = 'DATABRICKS'
+    SNOWFLAKE = 'SNOWFLAKE'
+    MONGODB = 'MONGODB'
+    NEO4J = 'NEO4J'
+    POWERBI = 'POWERBI'
+    TABLEAU = 'TABLEAU'
+    CONFLUENCE = 'CONFLUENCE'
+    JIRA = 'JIRA'
+    SERVICEDESK = 'SERVICEDESK'
+
+
+class ConfluenceInput(CoreInput):
+    type: Literal['CONFLUENCE'] = Field(
+        'CONFLUENCE', description='Type of the asset or source'
+    )
+    required: ConfluenceRequired
+    masked: ConfluenceMasked
+    optional: ConfluenceOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class JiraInput(CoreInput):
+    type: Literal['JIRA'] = Field('JIRA', description='Type of the asset or source')
+    required: JiraRequired
+    masked: JiraMasked
+    optional: JiraOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class ServiceDeskInput(CoreInput):
+    type: Literal['SERVICEDESK'] = Field(
+        'SERVICEDESK', description='Type of the asset or source'
+    )
+    required: ServiceDeskRequired
+    masked: ServiceDeskMasked
+    optional: ServiceDeskOptional | None = None
+    detectors: list[Detector] | None = Field(
+        None, description='Detectors to run on ingested content'
+    )
+    custom_detectors: list[CustomDetectorSelection] | None = Field(
+        None,
+        description='Reusable custom detector IDs selected from the custom detector catalog.',
+    )
+    sampling: SamplingConfig
+    resources: ResourceOverrides | None = None
+
+
+class SourceInput(
+    RootModel[
+        SlackInput
+        | S3CompatibleStorageInput
+        | AzureBlobStorageInput
+        | GoogleCloudStorageInput
+        | PostgreSQLInput
+        | MySQLInput
+        | MSSQLInput
+        | OracleInput
+        | HiveInput
+        | DatabricksInput
+        | SnowflakeInput
+        | MongoDBInput
+        | Neo4jInput
+        | PowerBIInput
+        | TableauInput
+        | WordPressInput
+        | ConfluenceInput
+        | JiraInput
+        | ServiceDeskInput
+    ]
+):
+    root: (
+        SlackInput
+        | S3CompatibleStorageInput
+        | AzureBlobStorageInput
+        | GoogleCloudStorageInput
+        | PostgreSQLInput
+        | MySQLInput
+        | MSSQLInput
+        | OracleInput
+        | HiveInput
+        | DatabricksInput
+        | SnowflakeInput
+        | MongoDBInput
+        | Neo4jInput
+        | PowerBIInput
+        | TableauInput
+        | WordPressInput
+        | ConfluenceInput
+        | JiraInput
+        | ServiceDeskInput
+    ) = Field(
+        ...,
+        description='Merged configuration schema with all source types and common definitions',
+        title='SourceInput',
+    )