Documentation ¶
Overview ¶
Package domain holds Conduit's aggregates: Connector (a provider definition), Connection (an org's authorized instance of one), and Credential (its encrypted secret material).
Index ¶
Constants ¶
const ResourceTypeConnection resource.Type = "connections"
ResourceTypeConnection is the JSON:API type for /api/connections.
const ResourceTypeConnector resource.Type = "connectors"
ResourceTypeConnector is the JSON:API type for /api/connectors.
const ResourceTypeCredential resource.Type = "credentials"
ResourceTypeCredential is the JSON:API type for credentials (never exposed with plaintext — admin inspect/rotate only).
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Connection ¶
type Connection interface {
	resource.Resource
	Owner() string
	Connector() string // connector slug
	Status() ConnectionStatus
	Scopes() []string
	ExpiresAt() *time.Time
}
Connection is an owner's authorized instance of a connector. Owner is an opaque key the caller supplies (a user, org, workspace, or service id — Conduit never interprets it); every access is scoped by it. The secret material lives in a Credential.
func NewConnection ¶
func NewConnection(owner, connector string, opts ...ConnectionOption) Connection
NewConnection builds a connection aggregate. owner/connector are mandatory; status defaults to ACTIVE.
type ConnectionOption ¶
type ConnectionOption func(*connection)
func WithConnectionExpiresAt ¶
func WithConnectionExpiresAt(t *time.Time) ConnectionOption
func WithConnectionID ¶
func WithConnectionID(id string) ConnectionOption
func WithConnectionScopes ¶
func WithConnectionScopes(s []string) ConnectionOption
func WithConnectionStatus ¶
func WithConnectionStatus(s ConnectionStatus) ConnectionOption
type ConnectionStatus ¶
type ConnectionStatus string
ConnectionStatus tracks an authorized connection's lifecycle.
const (
	ConnectionStatusActive      ConnectionStatus = "ACTIVE"
	ConnectionStatusNeedsReauth ConnectionStatus = "NEEDS_REAUTH"
	ConnectionStatusRevoked     ConnectionStatus = "REVOKED"
	ConnectionStatusError       ConnectionStatus = "ERROR"
)
func (ConnectionStatus) Valid ¶
func (s ConnectionStatus) Valid() bool
type Connector ¶
type Connector struct {
	Slug     string
	Name     string
	AuthType AuthType
	// AuthURL/TokenURL drive the OAuth2 authorize + token/refresh exchange
	// (empty for API_KEY connectors).
	AuthURL  string
	TokenURL string
	Scopes   []string
	Rate     RateProfile
}
Connector is a global provider definition (Alpaca, Binance, IBKR, …), registered in code via kit/factory and surfaced read-only at /api/connectors. Its Slug is the identifier; it is not owner-scoped or persisted. It satisfies resource.Resource (id = slug) so it flows through the kit JSON:API handlers.
type Credential ¶
type Credential interface {
	resource.Resource
	Connection() resource.Identifier
	Kind() CredentialKind
	Ciphertext() []byte
	WrappedKey() []byte
	// KeyID names the wrapping key that sealed WrappedKey, so a KEK rotation
	// can find and re-wrap credentials sealed under the retired key.
	KeyID() string
	ExpiresAt() *time.Time
}
Credential is a connection's secret material at rest: envelope-encrypted (Ciphertext under a per-connection data key, itself wrapped by a KMS master key in WrappedKey). Plaintext exists only transiently in the usecase during encrypt/decrypt — it is never held on the aggregate or returned by the API.
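The envelope layout described above, and the re-wrap that KeyID makes possible on a KEK rotation, as an added example (not Conduit's own code). It assumes AES-GCM with 32-byte keys for both the data-key layer and the KMS layer, which the page does not specify; Sealed, Seal, Open, Encrypt and Rewrap are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Sealed mirrors Credential's Ciphertext, WrappedKey and KeyID (hypothetical type).
type Sealed struct {
	Ciphertext, WrappedKey []byte
	KeyID                  string
}

// must panics on errors that only a wrong key length or a failed RNG can cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte        { b := make([]byte, n); must(rand.Read(b)); return b }

// Seal encrypts pt with AES-GCM (assumed cipher), prepending the fresh 12-byte nonce.
func Seal(key, pt []byte) []byte { n := random(12); return gcm(key).Seal(n, n, pt, nil) }

// Open reverses Seal; a wrong key or a modified box fails the GCM tag check.
func Open(key, box []byte) ([]byte, error) {
	if len(box) < 12 {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm(key).Open(nil, box[:12], box[12:], nil)
}

// Encrypt seals secret under a fresh data key and wraps that key under kek.
func Encrypt(kek []byte, keyID string, secret []byte) Sealed {
	dek := random(32)
	return Sealed{Ciphertext: Seal(dek, secret), WrappedKey: Seal(kek, dek), KeyID: keyID}
}

// Rewrap re-seals only the data key under newKEK; Ciphertext is left untouched.
func Rewrap(oldKEK, newKEK []byte, newID string, c Sealed) (Sealed, error) {
	dek, err := Open(oldKEK, c.WrappedKey)
	if err != nil {
		return c, err
	}
	return Sealed{Ciphertext: c.Ciphertext, WrappedKey: Seal(newKEK, dek), KeyID: newID}, nil
}
```

Reading a credential back is two Open calls: unwrap WrappedKey with the KEK that KeyID names, then open Ciphertext with the recovered data key.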
func NewCredential ¶
func NewCredential(connectionID string, kind CredentialKind, ciphertext, wrappedKey []byte, opts ...CredentialOption) Credential
NewCredential builds an encrypted-credential aggregate. connectionID/kind and the ciphertext + wrapped data key are mandatory.
type CredentialKind ¶
type CredentialKind string
CredentialKind is the shape of the stored secret.
const (
	CredentialKindAPIKey      CredentialKind = "API_KEY"
	CredentialKindOAuthTokens CredentialKind = "OAUTH_TOKENS"
)
type CredentialOption ¶
type CredentialOption func(*credential)
func WithCredentialExpiresAt ¶
func WithCredentialExpiresAt(t *time.Time) CredentialOption
func WithCredentialID ¶
func WithCredentialID(id string) CredentialOption
func WithCredentialKeyID ¶
func WithCredentialKeyID(keyID string) CredentialOption
type RateProfile ¶
RateProfile is a connector's default per-provider throttle, enforced via kit/ratelimit so all orgs' calls stay under the provider's API limit.