Documentation
¶
Overview ¶
Package hubspotpolicy classifies HubSpot activity (the remote HubSpot MCP connector used by Claude Cowork and Claude Code) into canonical provider actions and binds the shared provider-policy sync machinery (internal/providerpolicy) to the HubSpot snapshot contract.
The contract mirrors packages/shared/src/hubspot/policy-snapshot.ts in the kontext cloud repository. Like the GitHub pilot the directive is observe-only: the engine records what it *would* allow or deny, but never blocks.
Index ¶
Constants ¶
const ( ActionObjectRead = "hubspot.object.read" ActionObjectWrite = "hubspot.object.write" ActionAPIRead = "hubspot.api.read" ActionAPIWrite = "hubspot.api.write" )
Canonical HubSpot action names emitted by the classifier, mirroring the shared action catalog (packages/shared/src/hubspot/action-catalog.ts):
hubspot.object.read / hubspot.object.write — CRM data; the object type is the resource anchor (Resource), normalized to canonical names. hubspot.api.read / hubspot.api.write — everything else the connector exposes: account/user info, marketing analytics, landing pages, connector utilities.
const HubspotMCPHost = "mcp.hubspot.com"
HubspotMCPHost is the host of HubSpot's remote MCP server. Identification keys on the URL host — where the connector's calls actually go — never on its display name, which is free text.
const SchemaVersionV1 = "hubspot-policy-snapshot-v1"
SchemaVersionV1 is the only HubSpot snapshot wire format. It ships the group layer and endpoint directory from day one — there are no deployed pre-v1 clients to negotiate with. Anything else is rejected (fail closed).
const SnapshotEndpoint = "/api/v1/policy/hubspot/snapshot"
SnapshotEndpoint is the cloud path serving the HubSpot policy snapshot. Tenancy is resolved from the install token.
Variables ¶
var Config = providerpolicy.Config{ ProviderKey: "hubspot", SnapshotEndpoint: SnapshotEndpoint, RequestSchema: SchemaVersionV1, Schemas: []providerpolicy.SchemaSupport{ {Version: SchemaVersionV1, GroupLayer: true, Directory: true}, }, CacheFileName: "hubspot-policy-snapshot.json", CacheTempPattern: ".hubspot-policy-*.tmp", RefreshEnvVar: "KONTEXT_HUBSPOT_POLICY_REFRESH_INTERVAL", }
Config binds the shared sync machinery to the HubSpot snapshot contract.
Functions ¶
This section is empty.
Types ¶
type ConnectorResolver ¶
ConnectorResolver resolves an MCP server segment (the middle part of an "mcp__<server>__<tool>" tool name) against Cowork's per-session connector registry. resolved=false means the registry could not answer (no config file, unknown id) and the tool-name fallback decides; resolved=true with isHubspot=false is a definitive counter-signal — the segment maps to a different server — and suppresses classification even for HubSpot-looking tool names.
func ConnectorResolverForCWD ¶
func ConnectorResolverForCWD(cwd string) ConnectorResolver
ConnectorResolverForCWD returns a ConnectorResolver backed by the Cowork session config next to the hook event's working directory, memoized so the file is read at most once per classification. A non-Cowork cwd (no session config anywhere above it) yields a resolver that never resolves.
Cowork session layout: hook cwd points at (or below) …/local_<id>/outputs, and the session config is the sibling file …/local_<id>.json.
type ProviderAction ¶
ProviderAction is one classified HubSpot action. Resource is the CRM object type (e.g. "contacts") when the tool input names one, otherwise empty ("any resource" for rule-matching purposes).
func ClassifyProviderActions ¶
func ClassifyProviderActions(toolName string, toolInput map[string]any, resolver ConnectorResolver) []ProviderAction
ClassifyProviderActions classifies one hook event's tool call into canonical HubSpot actions. Only MCP tool calls are classified: the HubSpot surface reachable from Claude Cowork / Claude Code is the remote MCP connector, so there is no shell or URL grammar here (raw api.hubapi.com classification is a deliberate non-goal for v1).
The connector is identified in two steps: resolver (Cowork's connector registry, matching the server URL host) first, then a tool-name fallback — HubSpot's tool names are distinctive enough that a name match alone is safe, and the registry file is an undocumented Claude-internal format we must not hard-depend on.