feat: expand ContentstackEndpoints with OAuth-callable product endpoints #188
timbenniks-contentstack wants to merge 3 commits into
🔒 Security Scan Results
⏱️ SLA Breach Summary
✅ BUILD PASSED - All security checks passed
| /** Brand Kit Management API URL. OAuth-callable (management plane). */ | ||
| BRAND_KIT?: string; | ||
| /** Generative AI API URL. OAuth-callable (management plane). */ | ||
| GEN_AI?: string; |
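Review bot: The per-key JSDoc on BRAND_KIT and GEN_AI says only "OAuth-callable (management plane)" and does not tell a caller that the value can be absent. Both keys are declared optional (?: string), so consider adding a sentence to each comment such as "undefined when the host shell does not inject this endpoint", so that consumers check the value before building a request URL from it.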
@timbenniks-contentstack Is this for AgentOS Team?
Brandkit team. It's: https://ai.contentstack.com/brand-kits
We already have BRAND_KIT separately listed on Line 43. Then GEN_AI is not required.
Co-authored-by: Rahul Chavan <rahul.chavan@contentstack.com>
Summary
Expands the ContentstackEndpoints type to surface the Contentstack management-plane product endpoints that an app's OAuth token can call via appSdk.api(), beyond the existing APP/CMA/DEVELOPER_HUB.
What changed
- src/types/api.type.ts: added optional keys LAUNCH, AUTOMATE, BRAND_KIT, GEN_AI, PERSONALIZE_MANAGEMENT, ASSET_MANAGEMENT. Index signature widened to [key: string]: string | undefined so optional keys are honest. Added JSDoc explaining the OAuth-only rationale and the host-shell injection caveat.
- __test__/uiLocation.test.ts: extended the init mock with two new keys (LAUNCH, BRAND_KIT) to exercise the expanded type.
Required vs optional — deliberate choice
- APP, CMA, DEVELOPER_HUB stay required: the host shell always injects them today and live apps depend on them. (APP is the web-app URL, not an OAuth API, but kept required for backward compatibility.)
- ASSET_MANAGEMENT exists only in the AWS North America region (per regions.json). Required keys would make the type lie when the parent omits them.
Runtime caveat (important)
This PR is a type/contract change only. The typed keys resolve to real URLs only when the host shell (Developer Hub / Marketplace UI) injects them into the initialization data at init. Today the shell injects APP/CMA/DEVELOPER_HUB; the companion marketplace-ui PR expands injection to the full OAuth set. Until that ships, the new keys read undefined at runtime — which is the correct "not available in this host/region" signal.
Why only OAuth-callable endpoints
appSdk.api() proxies to the host shell, which attaches the app's OAuth token. Delivery-plane APIs (Content/GraphQL Delivery, Preview, Image/Asset CDN, Personalize Edge) need a separate delivery/preview token, so surfacing them here would be misleading — they are intentionally excluded.
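A caller-side guard for the runtime caveat in the PR description, as an added example that is not code from this PR or the SDK. The `ContentstackEndpoints` shape is reconstructed from the description; `resolveEndpoint`, `Resolved`, `sampleEndpoints` and the `.example` hosts are hypothetical.

```typescript
// Added example: local stand-in for the type described in the PR, not the SDK's source.
type ContentstackEndpoints = {
  APP: string;
  CMA: string;
  DEVELOPER_HUB: string;
  LAUNCH?: string;
  AUTOMATE?: string;
  BRAND_KIT?: string;
  GEN_AI?: string;
  PERSONALIZE_MANAGEMENT?: string;
  ASSET_MANAGEMENT?: string;
  [key: string]: string | undefined;
};

type Resolved =
  | { ok: true; url: string }
  | { ok: false; reason: "not-injected" | "malformed" | "not-https" | "bad-path" };

// Hypothetical helper: build a request URL from an injected endpoint and a path,
// refusing anything that is missing, not HTTPS, or would leave the endpoint's origin.
function resolveEndpoint(endpoints: ContentstackEndpoints, key: string, path: string): Resolved {
  const base = endpoints[key];
  // Optional keys read undefined until the host shell injects them.
  if (base === undefined || base.trim() === "") return { ok: false, reason: "not-injected" };
  let parsed: URL;
  try {
    parsed = new URL(base);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (parsed.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Only plain absolute paths: "//host" and backslash forms would switch origin.
  if (!path.startsWith("/") || path.startsWith("//") || path.includes("\\")) {
    return { ok: false, reason: "bad-path" };
  }
  const target = new URL(parsed.pathname.replace(/\/$/, "") + path, parsed.origin);
  if (target.origin !== parsed.origin) return { ok: false, reason: "bad-path" };
  return { ok: true, url: target.href };
}

// Constructed sample init data: GEN_AI is not injected, LAUNCH is plain HTTP.
const sampleEndpoints: ContentstackEndpoints = {
  APP: "https://app.example",
  CMA: "https://cma.example/v3",
  DEVELOPER_HUB: "https://devhub.example",
  BRAND_KIT: "https://brand-kit.example",
  LAUNCH: "http://launch.example",
};
```

Checking the result before use avoids string-concatenating an absent key into a URL that begins with "undefined".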