angee.integrate.schema
GraphQL schema contributions for Angee integrations.
Owns the admin console surface for the third-party Vendor catalogue (moved here from iam) and the first-class Integration an integration runs over. The console is platform-admin gated, so Integration's REBAC-guarded relations (credential/account from iam) are safe to expose — the const-admin reaches every related row.
ConsoleImplChoicesQuery
@strawberry.type
class ConsoleImplChoicesQuery()Admin-gated impl-choice metadata for console forms.
impl_choices
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def impl_choices(model: str, field: str) -> list[ImplChoice]Return registry choices for an ImplClassField.
CredentialOAuthClientType
@strawberry.type
class CredentialOAuthClientType()Public-safe OAuth client projection for credential health rows.
display_name
@strawberry.field
def display_name() -> strReturn the configured OAuth client display name.
ExternalAccountType
@strawberry_django.type(ExternalAccount)
class ExternalAccountType(AngeeNode)GraphQL projection of a linked external identity.
provider_slug
@strawberry_django.field(only=["oauth_client__slug"])
def provider_slug() -> strReturn the originating OAuth client's slug.
provider_environment
@strawberry_django.field(only=["oauth_client__environment"])
def provider_environment() -> strReturn the originating OAuth client's environment.
provider_label
@strawberry_django.field(only=["oauth_client__display_name"])
def provider_label() -> strReturn the originating OAuth client's display label.
provider_icon
@strawberry_django.field(only=["oauth_client__icon"])
def provider_icon() -> strReturn the originating OAuth client's branding icon.
CredentialType
@strawberry_django.type(Credential)
class CredentialType(AngeeNode)GraphQL projection of credential health without secret values.
oauth_client
@strawberry_django.field(only=["oauth_client"])
def oauth_client() -> CredentialOAuthClientType | NoneReturn a public-safe projection of the OAuth client (None for local kinds).
ConnectedExternalAccountType
@strawberry_django.type(ExternalAccount)
class ConnectedExternalAccountType(AngeeNode)Public projection of the current user's connected external account.
credential_status
@strawberry_django.field(only=["credential__status"])
def credential_status() -> strReturn this account credential's current status when it is loaded.
ConnectedCredentialType
@strawberry_django.type(Credential)
class ConnectedCredentialType(AngeeNode)Public projection of one current-user connected credential.
display_name
@strawberry_django.field(only=[
"name",
"external_account__email",
"external_account__display_name",
"external_account__external_id",
])
def display_name() -> strReturn the public-safe connected credential label.
OAuthClientType
@strawberry_django.type(OAuthClient)
class OAuthClientType(AngeeNode)Admin GraphQL projection of an OAuth client registration.
default_scopes
@strawberry_django.field(only=["default_scopes"])
def default_scopes() -> list[str]Return the configured default OAuth scopes.
scopes_catalogue
@strawberry_django.field(only=["scopes_catalogue"])
def scopes_catalogue() -> list[str]Return the advertised OAuth scopes.
authorize_params
@strawberry_django.field(only=["authorize_params"])
def authorize_params() -> JSONReturn provider-specific OAuth authorize parameters.
token_params
@strawberry_django.field(only=["token_params"])
def token_params() -> JSONReturn provider-specific OAuth token parameters.
client_secret
@strawberry_django.field(only=["client_secret"])
def client_secret() -> strReturn the decrypted client secret for the admin console.
configuration_state
@strawberry_django.field
def configuration_state() -> strReturn this OAuth client's operator-facing configuration readiness.
ExternalAccountInput
@strawberry.input
class ExternalAccountInput()Fields accepted when manually linking an external account.
CredentialInput
@strawberry.input
class CredentialInput()Admin-write fields for a provider-less credential (OAuth ones arrive via connect).
kind discriminates the material: static_token reads api_key, ssh_key reads private_key, basic_auth reads username + password. user defaults to the calling admin.
ConnectableAccount
@strawberry.type
class ConnectableAccount()Picker-safe OAuth client fields for the public account-connect picker.
The OAuth client is self-describing (slug/display_name/icon are its own columns), so the picker reads them straight off each row — one query for the whole page, no per-row fetch and no catalogue join.
oauth_client_sqid
@strawberry.field
def oauth_client_sqid() -> strawberry.IDReturn the OAuth client sqid accepted by connect mutations.
oauth_client_display_name
@strawberry.field
def oauth_client_display_name() -> strReturn the OAuth client display label.
oauth_client_slug
@strawberry.field
def oauth_client_slug() -> strReturn the OAuth client slug (the provider key).
oauth_client_icon
@strawberry.field
def oauth_client_icon() -> strReturn the OAuth client branding icon.
OAuthStartPayload
@strawberry.type
class OAuthStartPayload()Result returned by OAuth/OIDC redirect-start mutations (connect, login, link).
mode
"auto" to redirect the browser back, or "manual" to paste the code.
redirect_uri
The effective redirect URI the flow used (resent verbatim at completion).
ConnectAccountResult
@strawberry.type
class ConnectAccountResult()Result returned by OAuth account-connect completion.
ConnectIntegrationResult
@strawberry.type
class ConnectIntegrationResult()Result returned by one-click integration connect/attach.
UnlinkAccountResult
@strawberry.type
class UnlinkAccountResult()Result returned by the account-disconnect mutation.
RevealedCredentialSecret
@strawberry.type
class RevealedCredentialSecret()One credential's decrypted secret, returned only on explicit admin request.
The secret is never part of :class:CredentialType (the normal read projection); it is disclosed solely by the audited reveal_credential mutation.
integration_create_attrs
def integration_create_attrs(data: Any, *, reason: str) -> dict[str, Any]Resolve inherited Integration create fields from GraphQL public ids.
apply_integration_patch_fields
def apply_integration_patch_fields(target: Any,
data: Any,
*,
reason: str,
ignore_null_status: bool = False
) -> set[str]Apply inherited Integration patch fields and return provided names.
connect_integration_target
def connect_integration_target(info: strawberry.Info, integration: Any,
oauth_client: Any, *, redirect_uri: str,
next_path: str) -> ConnectIntegrationResultAttach the user's live credential to an integration-like MTI row or start OAuth.
IntegrateConnectionsQuery
@strawberry.type
class IntegrateConnectionsQuery()Public account-connect picker and self-service connected-account queries.
ConnectionMutation
@strawberry.type
class ConnectionMutation()Authenticated OAuth account-connect / disconnect mutations.
connect_account_start
@strawberry.mutation
def connect_account_start(info: strawberry.Info,
id: PublicID,
redirect_uri: str,
next: str = "/") -> OAuthStartPayloadStart an authenticated OAuth account-connect flow.
discover_oauth_endpoints
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def discover_oauth_endpoints(id: PublicID) -> ActionResultFetch the provider's discovery document and fill this client's blank endpoints.
The resolved authorize/token/userinfo endpoints (and any composed extension endpoints, e.g. OIDC issuer/JWKS) are persisted on the OAuth client row, so the operator never types them by hand. Requires a discovery URL on the row.
connect_integration
@strawberry.mutation
def connect_integration(info: strawberry.Info,
integration_id: PublicID | None = None,
vendor_slug: str = "",
impl_class: str = "",
redirect_uri: str = "",
next: str = "/") -> ConnectIntegrationResultAttach this user's live credential to an integration, or start OAuth.
connect_account_complete
@strawberry.mutation
def connect_account_complete(info: strawberry.Info, code: str, state: str,
redirect_uri: str) -> ConnectAccountResultComplete an authenticated OAuth account-connect flow.
disconnect_account
@strawberry.mutation
def disconnect_account(info: strawberry.Info,
external_account_sqid: str) -> UnlinkAccountResultRemove this session user's credential link to an external account.
The credential delete fires pre_delete — the login addon, when installed, vetoes removing a user's last sign-in account by raising an :class:OAuthFlowError, surfaced here as a typed error rather than a 500.
IntegrateExternalAccountMutation
@strawberry.type
class IntegrateExternalAccountMutation()Admin mutations for manually linked external identities.
create_external_account
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_external_account(data: ExternalAccountInput) -> ExternalAccountTypeCreate or update one external account via the account manager owner.
delete_external_account
@strawberry.mutation(name="delete_external_account",
permission_classes=_ADMIN_PERMISSION_CLASSES)
def delete_external_account(id: PublicID,
confirm: bool = False) -> DeletePreviewRevoke the owner grant, then delete the account (owner is a REBAC tuple).
IntegrateCredentialMutation
@strawberry.type
class IntegrateCredentialMutation()Admin CRUD for credentials; create mints provider-less kinds (OAuth arrives via connect).
reveal_credential
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def reveal_credential(id: PublicID) -> RevealedCredentialSecretReturn one credential's decrypted secret for an admin to copy.
refresh_credential
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def refresh_credential(id: PublicID) -> ActionResultForce an OAuth credential to renew its token now and report the outcome.
The interactive counterpart to the lazy on-use refresh: it renews regardless of remaining lifetime (a still-valid token is rotated) and surfaces success or the reason to reconnect, rather than silently swallowing a dead refresh token.
create_credential
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_credential(info: strawberry.Info,
data: CredentialInput) -> CredentialTypeCreate one provider-less credential, dispatching material by kind.
delete_credential
@strawberry.mutation(name="delete_credential",
permission_classes=_ADMIN_PERMISSION_CLASSES)
def delete_credential(id: PublicID, confirm: bool = False) -> DeletePreviewBest-effort remote revoke, then delete the credential when unblocked.
VendorType
@strawberry_django.type(Vendor)
class VendorType(AngeeNode)GraphQL projection of an integration vendor catalogue row.
IntegrationLabelMixin
@strawberry.type
class IntegrationLabelMixin()Project Integration.display_label as the display_name field for a type.
Compose alongside the node base, e.g. class ChannelType(IntegrationLabelMixin, AngeeNode), to surface the operator label (falling back to Vendor (status)) on every Integration child type without re-declaring the resolver. A @strawberry.type (not an interface): merges the field into the concrete type without adding a GraphQL interface to the SDL.
display_name
@strawberry_django.field(only=["display_name", "vendor", "status"])
def display_name() -> strReturn the operator label, falling back to the vendor-derived one.
IntegrationType
@strawberry_django.type(Integration)
class IntegrationType(IntegrationLabelMixin, AngeeNode)Admin projection of an integration.
Exposes the catalogue/identity associations as nested relations so the console form's many2one pickers auto-wire (mirrors iam's CredentialType.external_account); safe because the surface is admin-gated.
bridge
@strawberry_django.field(only=["id"])
def bridge() -> VcsBridgeType | NoneReturn this integration's VCS child row when present.
impl_category
@strawberry_django.field(only=["impl_class"], description="Implementation")
def impl_category() -> strReturn this integration implementation's board grouping category.
Reads the class-level metadata off the resolved impl class — no instance, no child model fetch — so a board/list render does not N+1 over child models.
impl_label
@strawberry_django.field(only=["impl_class"])
def impl_label() -> strReturn this integration implementation's human label.
ConnectedIntegrationType
@strawberry_django.type(Integration)
class ConnectedIntegrationType(IntegrationLabelMixin, AngeeNode)Public projection of a current-user integration connection.
WebhookSubscriptionType
@strawberry_django.type(WebhookSubscription)
class WebhookSubscriptionType(AngeeNode)Admin projection of an outbound webhook subscription.
The signing secret is deliberately omitted (write-only) — unlike OAuthClient's revealed client_secret, a webhook secret is never read back.
RotatedSecret
@strawberry.type
class RotatedSecret()A freshly rotated webhook signing secret, returned once for display.
IntegrationCredentialMutation
@strawberry.type
class IntegrationCredentialMutation()Self-service integration creation from connected credentials.
create_integration_from_credential
@strawberry.mutation
def create_integration_from_credential(
info: strawberry.Info, credential: PublicID,
vendor_slug: str) -> ConnectedIntegrationTypeCreate or update this user's integration from a connected credential.
Self-service, not platform-admin: the authorization is ownership of the credential. resolve_action_target reads the credential elevated, then the user_id check below is the actual gate. This deliberately bypasses the create = admin->member arm in integrate/permissions.zed (which governs the admin-console Integration CRUD), so a credential owner can wire up their own integration without an admin.
IntegrationActionMutation
@strawberry.type
class IntegrationActionMutation()Operational actions on an integration (sync, connection test).
sync_integration
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def sync_integration(id: PublicID) -> ActionResultRun every bridge of one integration now (eager variant of the scheduler).
test_connection
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def test_connection(id: PublicID) -> ActionResultProbe the integration's credential so the operator sees it is usable.
WebhookActionMutation
@strawberry.type
class WebhookActionMutation()Operational actions on an outbound webhook subscription.
test_webhook_delivery
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def test_webhook_delivery(id: PublicID) -> ActionResultSend a test event to one subscription and report the delivery outcome.
rotate_webhook_secret
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def rotate_webhook_secret(id: PublicID) -> RotatedSecretRoll one subscription's signing secret and return the new value once.
VcsBridgeType
@strawberry_django.type(VcsBridge)
class VcsBridgeType(AngeeNode)Admin projection of a VCS bridge child model.
display_name
@strawberry_django.field(only=["backend_class", "status"])
def display_name() -> strReturn a human label for the record header and relation pickers.
RepositoryType
@strawberry_django.type(Repository)
class RepositoryType(AngeeNode)Admin projection of one inventoried repository.
SourceType
@strawberry_django.type(Source)
class SourceType(AngeeNode)Admin projection of one source (a ref+path pointer into a repository).
TemplateType
@strawberry_django.type(Template)
class TemplateType(AngeeNode)Admin projection of one discovered template.
RepoCandidate
@strawberry.type
class RepoCandidate()A repository the host returns for the add typeahead (not yet inventoried).
VcsBridgeInput
@strawberry.input
class VcsBridgeInput()Fields accepted when creating a VCS bridge child row.
VcsBridgePatch
@strawberry.input
class VcsBridgePatch()Fields accepted when updating a VCS bridge child model.
VCSConsoleQuery
@strawberry.type
class VCSConsoleQuery()Admin VCS inventory queries.
search_repositories
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def search_repositories(vcs_bridge_id: PublicID,
query: str) -> list[RepoCandidate]Return host repositories matching query for the add typeahead.
VcsBridgeCreateMutation
@strawberry.type
class VcsBridgeCreateMutation()Admin create for a VCS bridge child, validating backend-owned fields.
create_vcs_bridge
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_vcs_bridge(data: VcsBridgeInput) -> VcsBridgeTypeCreate a VCS child row directly.
VcsBridgeUpdateMutation
@strawberry.type
class VcsBridgeUpdateMutation()Admin update for a VCS bridge child, validating backend-owned fields.
update_vcs_bridge
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def update_vcs_bridge(data: VcsBridgePatch) -> VcsBridgeTypeUpdate a VCS child row, rematerializing backend defaults on backend change.
VCSActionMutation
@strawberry.type
class VCSActionMutation()Operational actions on a VCS bridge and its inventory.
add_repository
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def add_repository(vcs_bridge_id: PublicID, name: str) -> RepositoryTypeInventory one repository by its host name (a picked typeahead result).
discover_repositories
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def discover_repositories(vcs_bridge_id: PublicID,
org: str = "") -> ActionResultInventory every repository the account exposes (bulk import; prunes vanished).
sync_vcs_bridge
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def sync_vcs_bridge(id: PublicID) -> ActionResultRefresh every repository's sources for one VCS bridge now.
refresh_source
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def refresh_source(id: PublicID) -> ActionResultRe-enumerate one source's output rows now.
schemas
GraphQL contributions installed by the integrate addon.