feat: expand ContentstackEndpoints with OAuth-callable product endpoints #188

Open
timbenniks-contentstack wants to merge 3 commits into main from feat/expand-contentstack-endpoints

@timbenniks-contentstack

Summary

Expands the ContentstackEndpoints type to surface the Contentstack management-plane product endpoints that an app's OAuth token can call via appSdk.api(), beyond the existing APP / CMA / DEVELOPER_HUB.

What changed

  • src/types/api.type.ts: added optional keys LAUNCH, AUTOMATE, BRAND_KIT, GEN_AI, PERSONALIZE_MANAGEMENT, ASSET_MANAGEMENT. Index signature widened to [key: string]: string | undefined so optional keys are honest. Added JSDoc explaining the OAuth-only rationale and the host-shell injection caveat.
  • __test__/uiLocation.test.ts: extended the init mock with two new keys (LAUNCH, BRAND_KIT) to exercise the expanded type.

Required vs optional — deliberate choice

  • APP, CMA, DEVELOPER_HUB stay required: the host shell always injects them today and live apps depend on them. (APP is the web-app URL, not an OAuth API, but kept required for backward compatibility.)
  • All new keys are optional: they resolve to a URL only when the host shell injects them, and availability varies by region — e.g. ASSET_MANAGEMENT exists only in the AWS North America region (per regions.json). Required keys would make the type lie when the parent omits them.

Runtime caveat (important)

This PR is a type/contract change only. The typed keys resolve to real URLs only when the host shell (Developer Hub / Marketplace UI) injects them into the initialization data at init. Today the shell injects APP / CMA / DEVELOPER_HUB; the companion marketplace-ui PR expands injection to the full OAuth set. Until that ships, the new keys read undefined at runtime — which is the correct "not available in this host/region" signal.

Why only OAuth-callable endpoints

appSdk.api() proxies to the host shell, which attaches the app's OAuth token. Delivery-plane APIs (Content/GraphQL Delivery, Preview, Image/Asset CDN, Personalize Edge) need a separate delivery/preview token, so surfacing them here would be misleading — they are intentionally excluded.
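
An added example, not code from this PR or the SDK: one way an app could consume the optional keys described above so that a key the host shell did not inject fails closed instead of becoming part of a request URL. The `resolveEndpoint` helper, the `Resolved` type, the HTTPS and same-origin checks, and the `.example` hostnames are all assumptions of this sketch.

```typescript
// Shape as described in the PR summary (added example, not the SDK source).
interface ContentstackEndpoints {
  APP: string;
  CMA: string;
  DEVELOPER_HUB: string;
  LAUNCH?: string;
  AUTOMATE?: string;
  BRAND_KIT?: string;
  GEN_AI?: string;
  PERSONALIZE_MANAGEMENT?: string;
  ASSET_MANAGEMENT?: string;
  [key: string]: string | undefined; // any key, even a misspelled one, type-checks
}

type Resolved =
  | { ok: true; url: string }
  | { ok: false; reason: "not-injected" | "malformed" | "not-https" | "off-origin" };

// Hypothetical helper: turn an endpoint key plus a path into a request URL,
// failing closed instead of producing "undefined/v1/..." strings.
function resolveEndpoint(endpoints: ContentstackEndpoints, key: string, path: string): Resolved {
  const base = endpoints[key];
  if (!base) return { ok: false, reason: "not-injected" }; // absent in this host/region
  let origin: URL;
  try {
    origin = new URL(base.endsWith("/") ? base : base + "/");
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Assumption of this example: the token-bearing call should only go over TLS.
  if (origin.protocol !== "https:") return { ok: false, reason: "not-https" };
  const target = new URL(path.replace(/^\/+/, ""), origin);
  // An absolute URL passed as `path` would silently replace the base; reject it.
  if (target.origin !== origin.origin) return { ok: false, reason: "off-origin" };
  return { ok: true, url: target.href };
}

// Constructed init data: hostnames are placeholders, not real Contentstack URLs.
const SAMPLE_ENDPOINTS: ContentstackEndpoints = {
  APP: "https://app.example",
  CMA: "https://cma.example",
  DEVELOPER_HUB: "https://devhub.example",
  BRAND_KIT: "https://brand-kit.example",
  LAUNCH: "http://launch.example", // deliberately wrong scheme for the demo
};
```

Because the index signature accepts any string key, a typo such as `BRANDKIT` compiles and only shows up at runtime as `not-injected`, which is why the check belongs in one helper rather than at each call site.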

@github-actions

github-actions Bot commented Jul 1, 2026

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
| --- | --- | --- | --- | --- |
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 1 | 0 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with/no fixes) | Status |
| --- | --- | --- | --- | --- |
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 0 | 90 / 365 days | ✅ Passed |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

✅ BUILD PASSED - All security checks passed

Comment thread src/types/api.type.ts Outdated
Comment thread src/types/api.type.ts Outdated
Comment thread src/types/api.type.ts
/** Brand Kit Management API URL. OAuth-callable (management plane). */
BRAND_KIT?: string;
/** Generative AI API URL. OAuth-callable (management plane). */
GEN_AI?: string;
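
Review bot: the JSDoc on BRAND_KIT and GEN_AI says only "OAuth-callable (management plane)" and leaves out the one thing a caller needs at the point of use, which is that the key is undefined whenever the host shell does not inject it. Both members are declared optional, so consider extending each per-key comment with a short clause such as "undefined when not injected by the host shell", so the caveat appears in editor hover text and not only in the type-level documentation.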

Contributor

@timbenniks-contentstack Is this for AgentOS Team?

Author

Contributor

We already have BRAND_KIT separately listed on Line 43. Then GEN_AI is not required

Comment thread src/types/api.type.ts
Co-authored-by: Rahul Chavan <rahul.chavan@contentstack.com>