import type { ConnectionConfig } from "../../config/models.js"; /** * A connection predicate's verdict on whether a tool should be enabled for a * given connection. Carries a {@linkcode ToolDisabledReason} when disabled so * that downstream consumers (startup logging, diagnostic tooling) can group * identical failures and render actionable messages to the user. */ export type PredicateResult = { readonly enabled: true; } | { readonly enabled: false; readonly reason: ToolDisabledReason; }; export type ConnectionPredicate = (conn: ConnectionConfig) => PredicateResult; export declare const ENABLED: PredicateResult; /** * Block-level — required by any tool that needs Kafka access regardless of * transport (native client or REST proxy). */ export declare function hasKafka(conn: ConnectionConfig): PredicateResult; /** * Field-level — required by tools that drive the native Kafka * admin/producer/consumer client (the broker address lives on * `bootstrap_servers`). */ export declare function hasKafkaBootstrap(conn: ConnectionConfig): PredicateResult; /** * Field-level — required by tools that perform authenticated Kafka calls. */ export declare function hasKafkaAuth(conn: ConnectionConfig): PredicateResult; /** * Field-level — required by tools that talk to the Kafka REST proxy * (`/kafka/v3` endpoints); needs both `rest_endpoint` and `auth` on the * `kafka` block. */ export declare function hasKafkaRestWithAuth(conn: ConnectionConfig): PredicateResult; /** * Block-level — required by tools that read or write through the Schema * Registry. */ export declare function hasSchemaRegistry(conn: ConnectionConfig): PredicateResult; /** * Block-level — verdict on whether the connection can reach the Confluent * Cloud control-plane REST surface, accepting either flavor. Direct * connections satisfy this when they carry a `confluent_cloud` block; OAuth * connections satisfy it unconditionally (the cloud REST URL is derived from * the Auth0 environment). * * Pair: {@linkcode hasConfluentCloud} for the direct-only verdict. */ export declare const hasConfluentCloudOrOAuth: ConnectionPredicate; /** * Block-level — verdict that holds only for direct connections carrying a * `confluent_cloud` block. Use this on handlers that are not yet OAuth-capable * and call `resolveDirectConnection()` inside `handle()`. Once a handler * widens to OAuth, switch its predicate to * {@linkcode hasConfluentCloudOrOAuth}. */ export declare function hasConfluentCloud(conn: ConnectionConfig): PredicateResult; /** * Block-level — required by tools that drive Flink SQL or its catalog. */ export declare function hasFlink(conn: ConnectionConfig): PredicateResult; /** * Block-level — required by tools that read metrics from the Telemetry API. */ export declare function hasTelemetry(conn: ConnectionConfig): PredicateResult; /** * Block-level — required by tools that manage Tableflow topics or catalog * entries. */ export declare function hasTableflow(conn: ConnectionConfig): PredicateResult; /** * Field-level — verdict that holds when the connection points at a Confluent * Cloud-hosted Schema Registry that exposes the `/catalog/v1/` Stream Catalog * endpoints. Requires three signals together: * - a `schema_registry` block, AND * - `auth.type === "api_key"` on that block, AND * - a `confluent_cloud` block (Cloud control-plane creds). * * The `confluent_cloud` block is required because `auth.type === "api_key"` is * ambiguous on its own: a self-managed Confluent Platform deployment with HTTP * Basic Auth in front of its SR also models as `auth.type === "api_key"` in * the YAML schema, even though that SR does not serve `/catalog/v1/`. Without * the `confluent_cloud` requirement, this predicate would over-enable Stream * Catalog tools on CP deployments and they would 404 at runtime. */ export declare function hasCCloudCatalogSupport(conn: ConnectionConfig): PredicateResult; /** * Predicate that returns {@linkcode ENABLED} for every connection. Use as * the {@linkcode BaseToolHandler.predicate} for tools with no service-block * requirement (e.g., generic docs search). */ export declare const alwaysEnabled: ConnectionPredicate; /** * Combine predicates with logical AND, short-circuiting on the first * failure. Returns {@linkcode ENABLED} only when every predicate passes for * the given connection; otherwise returns the first failing verdict so the * specific reason propagates downstream to startup logging and the * diagnostic-tool surface. * * Use this — never raw `predA(conn) && predB(conn)`. JavaScript boolean * composition silently drops the first operand because every * `PredicateResult` is a truthy object. */ export declare function allOf(...predicates: ConnectionPredicate[]): ConnectionPredicate; /** * Wrap a predicate so OAuth connections always answer enabled. Use this on * tool handlers that have been adapted to operate against an OAuth-typed * connection at call time — the wrapped predicate's block-based verdict * still governs direct connections, while OAuth's "no service blocks" * early-exit is overridden. */ export declare function widenForOAuth(predicate: ConnectionPredicate): ConnectionPredicate; /** * The native-Kafka client gate, widened to admit OAuth. Direct connections * still need `kafka.bootstrap_servers`; OAuth connections satisfy it * unconditionally (the broker URL is synthesized from the Auth0 environment). * Use on handlers that have been brought into the OAuth fold. */ export declare const kafkaBootstrapOrOAuth: ConnectionPredicate; /** * The Kafka REST client gate, widened to admit OAuth. Direct connections still * need both `kafka.rest_endpoint` and `kafka.auth`; OAuth connections satisfy * it unconditionally (the per-cluster REST URL is resolved at call time via * the cmk REST API and the bearer middleware handles auth). Use on REST-tool * handlers (`get-topic-config`, `alter-topic-config`). */ export declare const kafkaRestWithAuthOrOAuth: ConnectionPredicate; /** * The Schema Registry gate, widened to admit OAuth. Direct connections still * need a `schema_registry` block; OAuth connections satisfy it unconditionally * (the SR cluster + endpoint are auto-resolved at call time from * `environment_id`). */ export declare const hasSchemaRegistryOrOAuth: ConnectionPredicate; /** * The Stream Catalog gate, widened to admit OAuth. Direct connections still * need a CCloud-hosted Schema Registry (the `schema_registry` block with * `api_key` auth plus a `confluent_cloud` block — see * {@linkcode hasCCloudCatalogSupport}); OAuth connections satisfy it * unconditionally because under OAuth the Schema Registry is always * CCloud-hosted and the SR cluster + endpoint are auto-resolved at call time * from `environment_id`. Use on the catalog/tag/search handlers. */ export declare const hasCCloudCatalogOrOAuth: ConnectionPredicate; /** * The Telemetry gate, widened to admit OAuth. Direct connections still need a * `telemetry` block; OAuth connections satisfy it unconditionally — the * Telemetry REST base URL is derived from the Auth0 environment * (`getTelemetryRestUrlForEnv`) and the surface is cloud-wide (no per-cluster * or per-environment routing). Use on the metrics handlers (`query-metrics`, * `list-metrics`). */ export declare const hasTelemetryOrOAuth: ConnectionPredicate; /** * The Tableflow gate, widened to admit OAuth. Direct connections still need a * `tableflow` block; OAuth connections satisfy it unconditionally — the * Tableflow REST base URL reuses the cloud control-plane URL derived from the * Auth0 environment, and the surface rides the control-plane token. The * environment/cluster IDs a Tableflow call needs are supplied as explicit tool * arguments under OAuth (an OAuth connection carries no `kafka` block to fall * back to). Use on the Tableflow topic/catalog/region handlers. */ export declare const hasTableflowOrOAuth: ConnectionPredicate; /** * The Flink gate, widened to admit OAuth. Direct connections still need a * `flink` block; OAuth connections satisfy it unconditionally — the Flink REST * host is regional and resolved at call time from the compute pool's * `cloud`/`region` (`getFlinkRestClient`), and the surface rides the * data-plane token. The organization/environment/compute-pool IDs a Flink call * needs are supplied as explicit tool arguments under OAuth (an OAuth * connection carries no `flink` block to fall back to). Used as the * `FlinkToolHandler` domain-base predicate, so it gates every Flink handler — * statement, catalog, and diagnostics. */ export declare const hasFlinkOrOAuth: ConnectionPredicate; /** * Gate for tools that create connectors against the direct Confluent Cloud * REST surface: requires both a `confluent_cloud` block (the `/connect/v1` * endpoint) and `kafka.auth` (the connector spec carries kafka API * credentials). Strict-direct — OAuth connections answer `OAuthNotDirectCapable` * because the handler calls `resolveDirectConnection()`. */ export declare const canCreateDirectConnector: ConnectionPredicate; /** * Gate for tools that read telemetry metrics about Flink statements: * requires both the `flink` block (to address a statement) and the * `telemetry` block (to query the metrics API). */ export declare const flinkWithTelemetry: ConnectionPredicate; /** * The Flink-statement-profiling gate ({@linkcode flinkWithTelemetry}), widened * to admit OAuth. Direct connections still need both the `flink` and * `telemetry` blocks; OAuth connections satisfy it unconditionally — the Flink * REST surface resolves its regional host at call time and the telemetry * surface is already OAuth-wired (cloud-wide, data-plane token). Use on * `get-flink-statement-profile`. */ export declare const flinkWithTelemetryOrOAuth: ConnectionPredicate; /** * Every reason a {@linkcode ConnectionPredicate} can return `enabled: false`. * The symbol is the wire-stable identifier (referenced from predicate bodies * and tests); the value is the human-readable phrasing surfaced to end users * through startup logs and diagnostic tooling. * * Adding a reason: name the symbol after the condition it describes — what's * missing from the connection config, or the policy it violates (not which * predicate or overlay emitted it — multiple sites may share a reason). Write * the value as a declarative phrase a misconfigured user could act on. Most * reasons originate in a predicate body; three are exceptions, produced * outside any predicate because they describe a condition no per-connection * check can see: {@linkcode ReadOnlyConnection} (the read-only verdict overlay in * `BaseToolHandler`, composing a tool's mutation posture with the connection's * `read_only` flag), {@linkcode NoConnectionsConfigured} (assigned by * `buildToolGatingReport` when there are no connections at all, so no * connection-dependent tool has any verdict to report), and * {@linkcode OperatorBlocked} (assigned by `buildToolGatingReport` when the * operator's server-wide allow/block-list excludes a tool, ahead of and * independent of any per-connection check). */ export declare enum ToolDisabledReason { MissingKafkaBlock = "no 'kafka' block in connection config", MissingKafkaBootstrap = "'kafka' block does not have 'bootstrap_servers' field", MissingKafkaAuth = "'kafka' block does not have 'auth' field", MissingKafkaRestEndpoint = "'kafka' block does not have 'rest_endpoint' field", MissingSchemaRegistryBlock = "no 'schema_registry' block in connection config", MissingSchemaRegistryApiKeyAuth = "'schema_registry' block does not have 'auth' field of type 'api_key'", MissingConfluentCloudBlock = "no 'confluent_cloud' block in connection config", MissingFlinkBlock = "no 'flink' block in connection config", MissingTelemetryBlock = "no 'telemetry' block in connection config", MissingTableflowBlock = "no 'tableflow' block in connection config", OAuthNoServiceBlocks = "OAuth connections carry no service blocks", OAuthNotDirectCapable = "OAuth connection cannot satisfy a direct-only requirement", ReadOnlyConnection = "connection is marked read_only; tools that mutate state are disabled", NoConnectionsConfigured = "no connections are configured", OperatorBlocked = "excluded by the operator's allow/block-list" } //# sourceMappingURL=connection-predicates.d.ts.map