domain

package
v0.6.0 Latest
Published: Jun 1, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package domain holds Conduit's aggregates: Connector (a provider definition), Connection (an org's authorized instance of one), and Credential (its encrypted secret material).

Constants

const ResourceTypeConnection resource.Type = "connections"

ResourceTypeConnection is the JSON:API type for /api/connections.

const ResourceTypeConnector resource.Type = "connectors"

ResourceTypeConnector is the JSON:API type for /api/connectors.

const ResourceTypeCredential resource.Type = "credentials"

ResourceTypeCredential is the JSON:API type for credentials (never exposed with plaintext — admin inspect/rotate only).

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthType

type AuthType string

AuthType is how a connector authenticates to its provider.

const (
	AuthTypeOAuth2 AuthType = "OAUTH2"
	AuthTypeAPIKey AuthType = "API_KEY"
)

func (AuthType) Valid

func (a AuthType) Valid() bool

type Connection

type Connection interface {
	resource.Resource
	Owner() string
	Connector() string // connector slug
	Status() ConnectionStatus
	Scopes() []string
	ExpiresAt() *time.Time
}

Connection is an owner's authorized instance of a connector. Owner is an opaque key the caller supplies (a user, org, workspace, or service id — Conduit never interprets it); every access is scoped by it. The secret material lives in a Credential.

func NewConnection

func NewConnection(owner, connector string, opts ...ConnectionOption) Connection

NewConnection builds a connection aggregate. owner/connector are mandatory; status defaults to ACTIVE.

type ConnectionOption

type ConnectionOption func(*connection)

func WithConnectionExpiresAt

func WithConnectionExpiresAt(t *time.Time) ConnectionOption

func WithConnectionID

func WithConnectionID(id string) ConnectionOption

func WithConnectionScopes

func WithConnectionScopes(s []string) ConnectionOption

func WithConnectionStatus

func WithConnectionStatus(s ConnectionStatus) ConnectionOption

type ConnectionStatus

type ConnectionStatus string

ConnectionStatus tracks an authorized connection's lifecycle.

const (
	ConnectionStatusActive      ConnectionStatus = "ACTIVE"
	ConnectionStatusNeedsReauth ConnectionStatus = "NEEDS_REAUTH"
	ConnectionStatusRevoked     ConnectionStatus = "REVOKED"
	ConnectionStatusError       ConnectionStatus = "ERROR"
)

func (ConnectionStatus) Valid

func (s ConnectionStatus) Valid() bool

type Connector

type Connector struct {
	Slug     string
	Name     string
	AuthType AuthType
	// AuthURL/TokenURL drive the OAuth2 authorize + token/refresh exchange
	// (empty for API_KEY connectors).
	AuthURL  string
	TokenURL string
	Scopes   []string
	Rate     RateProfile
}

Connector is a global provider definition (Alpaca, Binance, IBKR, …), registered in code via kit/factory and surfaced read-only at /api/connectors. Its Slug is the identifier; it is not owner-scoped or persisted. It satisfies resource.Resource (id = slug) so it flows through the kit JSON:API handlers.

func (Connector) CreatedAt

func (c Connector) CreatedAt() time.Time

func (Connector) DeletedAt

func (c Connector) DeletedAt() *time.Time

func (Connector) ID

func (c Connector) ID() string

func (Connector) LID

func (c Connector) LID() string

func (Connector) Type

func (c Connector) Type() resource.Type

func (Connector) UpdatedAt

func (c Connector) UpdatedAt() time.Time

type Credential

type Credential interface {
	resource.Resource
	Connection() resource.Identifier
	Kind() CredentialKind
	Ciphertext() []byte
	WrappedKey() []byte
	// KeyID names the wrapping key that sealed WrappedKey, so a KEK rotation
	// can find and re-wrap credentials sealed under the retired key.
	KeyID() string
	ExpiresAt() *time.Time
}

Credential is a connection's secret material at rest: envelope-encrypted (Ciphertext under a per-connection data key, itself wrapped by a KMS master key in WrappedKey). Plaintext exists only transiently in the usecase during encrypt/decrypt — it is never held on the aggregate or returned by the API.
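
An added example (not Conduit's own code) of the KEK rotation that KeyID makes possible: only WrappedKey is re-sealed and Ciphertext is left alone. It assumes AES-256-GCM for both layers, an in-memory map standing in for the KMS, and the connection id as associated data; Sealed, crypt and Rewrap are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Sealed struct { // hypothetical stand-in for the stored fields, not Conduit's type
	Ciphertext, WrappedKey []byte
	KeyID                  string
}

// crypt seals (fresh nonce prepended) or opens data with AES-256-GCM.
func crypt(key, in, aad []byte, open bool) ([]byte, error) {
	blk, err := aes.NewCipher(key) // a nil key (unknown KeyID) is rejected here
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	if open && len(in) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	} else if open {
		return g.Open(nil, in[:g.NonceSize()], in[g.NonceSize():], aad)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, in, aad), nil
}

// Rewrap re-seals only the data key under KEK newID; Ciphertext is never read.
func Rewrap(keks map[string][]byte, s Sealed, newID string, aad []byte) (Sealed, error) {
	dek, err := crypt(keks[s.KeyID], s.WrappedKey, aad, true)
	if err != nil {
		return s, err
	}
	w, err := crypt(keks[newID], dek, aad, false)
	return Sealed{s.Ciphertext, w, newID}, err
}

func main() { // all keys and values below are constructed for the demonstration
	k := map[string][]byte{"old": []byte("constructed-demo-kek-number-0001"), "new": []byte("constructed-demo-kek-number-0002")}
	dek, aad := []byte("constructed-demo-data-key-000001"), []byte("conn-1")
	w, _ := crypt(k["old"], dek, aad, false)
	s, err := Rewrap(k, Sealed{[]byte("opaque, never decrypted"), w, "old"}, "new", aad)
	fmt.Println(s.KeyID, err) // new <nil>
}
```

With a real KMS the unwrap and wrap steps run inside the service, so the KEK bytes never reach the process; the map here only keeps the example offline.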

func NewCredential

func NewCredential(connectionID string, kind CredentialKind, ciphertext, wrappedKey []byte, opts ...CredentialOption) Credential

NewCredential builds an encrypted-credential aggregate. connectionID/kind and the ciphertext + wrapped data key are mandatory.

type CredentialKind

type CredentialKind string

CredentialKind is the shape of the stored secret.

const (
	CredentialKindAPIKey      CredentialKind = "API_KEY"
	CredentialKindOAuthTokens CredentialKind = "OAUTH_TOKENS"
)

type CredentialOption

type CredentialOption func(*credential)

func WithCredentialExpiresAt

func WithCredentialExpiresAt(t *time.Time) CredentialOption

func WithCredentialID

func WithCredentialID(id string) CredentialOption

func WithCredentialKeyID

func WithCredentialKeyID(keyID string) CredentialOption

type RateProfile

type RateProfile struct {
	Limit  int
	Window time.Duration
}

RateProfile is a connector's default per-provider throttle, enforced via kit/ratelimit so all orgs' calls stay under the provider's API limit.
