angee.integrate.schema

GraphQL schema contributions for Angee integrations.

Owns the admin console surface for the third-party Vendor catalogue (moved here from iam) and the first-class Integration an integration runs over. The console is platform-admin gated, so Integration's REBAC-guarded relations (credential/account from iam) are safe to expose — the const-admin reaches every related row.

ConsoleImplChoicesQuery

python
@strawberry.type
class ConsoleImplChoicesQuery()

Admin-gated impl-choice metadata for console forms.

impl_choices

python
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def impl_choices(model: str, field: str) -> list[ImplChoice]

Return registry choices for an ImplClassField.

CredentialOAuthClientType

python
@strawberry.type
class CredentialOAuthClientType()

Public-safe OAuth client projection for credential health rows.

display_name

python
@strawberry.field
def display_name() -> str

Return the configured OAuth client display name.

ExternalAccountType

python
@strawberry_django.type(ExternalAccount)
class ExternalAccountType(AngeeNode)

GraphQL projection of a linked external identity.

provider_slug

python
@strawberry_django.field(only=["oauth_client__slug"])
def provider_slug() -> str

Return the originating OAuth client's slug.

provider_environment

python
@strawberry_django.field(only=["oauth_client__environment"])
def provider_environment() -> str

Return the originating OAuth client's environment.

provider_label

python
@strawberry_django.field(only=["oauth_client__display_name"])
def provider_label() -> str

Return the originating OAuth client's display label.

provider_icon

python
@strawberry_django.field(only=["oauth_client__icon"])
def provider_icon() -> str

Return the originating OAuth client's branding icon.

CredentialType

python
@strawberry_django.type(Credential)
class CredentialType(AngeeNode)

GraphQL projection of credential health without secret values.

oauth_client

python
@strawberry_django.field(only=["oauth_client"])
def oauth_client() -> CredentialOAuthClientType | None

Return a public-safe projection of the OAuth client (None for local kinds).

ConnectedExternalAccountType

python
@strawberry_django.type(ExternalAccount)
class ConnectedExternalAccountType(AngeeNode)

Public projection of the current user's connected external account.

credential_status

python
@strawberry_django.field(only=["credential__status"])
def credential_status() -> str

Return this account credential's current status when it is loaded.

ConnectedCredentialType

python
@strawberry_django.type(Credential)
class ConnectedCredentialType(AngeeNode)

Public projection of one current-user connected credential.

display_name

python
@strawberry_django.field(only=[
    "name",
    "external_account__email",
    "external_account__display_name",
    "external_account__external_id",
])
def display_name() -> str

Return the public-safe connected credential label.

OAuthClientType

python
@strawberry_django.type(OAuthClient)
class OAuthClientType(AngeeNode)

Admin GraphQL projection of an OAuth client registration.

default_scopes

python
@strawberry_django.field(only=["default_scopes"])
def default_scopes() -> list[str]

Return the configured default OAuth scopes.

scopes_catalogue

python
@strawberry_django.field(only=["scopes_catalogue"])
def scopes_catalogue() -> list[str]

Return the advertised OAuth scopes.

authorize_params

python
@strawberry_django.field(only=["authorize_params"])
def authorize_params() -> JSON

Return provider-specific OAuth authorize parameters.

token_params

python
@strawberry_django.field(only=["token_params"])
def token_params() -> JSON

Return provider-specific OAuth token parameters.

client_secret

python
@strawberry_django.field(only=["client_secret"])
def client_secret() -> str

Return the decrypted client secret for the admin console.

configuration_state

python
@strawberry_django.field
def configuration_state() -> str

Return this OAuth client's operator-facing configuration readiness.

ExternalAccountInput

python
@strawberry.input
class ExternalAccountInput()

Fields accepted when manually linking an external account.

CredentialInput

python
@strawberry.input
class CredentialInput()

Admin-write fields for a provider-less credential (OAuth ones arrive via connect).

kind discriminates the material: static_token reads api_key, ssh_key reads private_key, basic_auth reads username + password. user defaults to the calling admin.

ConnectableAccount

python
@strawberry.type
class ConnectableAccount()

Picker-safe OAuth client fields for the public account-connect picker.

The OAuth client is self-describing (slug/display_name/icon are its own columns), so the picker reads them straight off each row — one query for the whole page, no per-row fetch and no catalogue join.

oauth_client_sqid

python
@strawberry.field
def oauth_client_sqid() -> strawberry.ID

Return the OAuth client sqid accepted by connect mutations.

oauth_client_display_name

python
@strawberry.field
def oauth_client_display_name() -> str

Return the OAuth client display label.

oauth_client_slug

python
@strawberry.field
def oauth_client_slug() -> str

Return the OAuth client slug (the provider key).

oauth_client_icon

python
@strawberry.field
def oauth_client_icon() -> str

Return the OAuth client branding icon.

OAuthStartPayload

python
@strawberry.type
class OAuthStartPayload()

Result returned by OAuth/OIDC redirect-start mutations (connect, login, link).

mode

"auto" to redirect the browser back, or "manual" to paste the code.

redirect_uri

The effective redirect URI the flow used (resent verbatim at completion).

ConnectAccountResult

python
@strawberry.type
class ConnectAccountResult()

Result returned by OAuth account-connect completion.

ConnectIntegrationResult

python
@strawberry.type
class ConnectIntegrationResult()

Result returned by one-click integration connect/attach.

UnlinkAccountResult

python
@strawberry.type
class UnlinkAccountResult()

Result returned by the account-disconnect mutation.

RevealedCredentialSecret

python
@strawberry.type
class RevealedCredentialSecret()

One credential's decrypted secret, returned only on explicit admin request.

The secret is never part of CredentialType (the normal read projection); it is disclosed solely by the audited reveal_credential mutation.

integration_create_attrs

python
def integration_create_attrs(data: Any, *, reason: str) -> dict[str, Any]

Resolve inherited Integration create fields from GraphQL public ids.

apply_integration_patch_fields

python
def apply_integration_patch_fields(target: Any,
                                   data: Any,
                                   *,
                                   reason: str,
                                   ignore_null_status: bool = False
                                   ) -> set[str]

Apply inherited Integration patch fields and return provided names.

connect_integration_target

python
def connect_integration_target(info: strawberry.Info, integration: Any,
                               oauth_client: Any, *, redirect_uri: str,
                               next_path: str) -> ConnectIntegrationResult

Attach the user's live credential to an integration-like MTI row or start OAuth.

IntegrateConnectionsQuery

python
@strawberry.type
class IntegrateConnectionsQuery()

Public account-connect picker and self-service connected-account queries.

ConnectionMutation

python
@strawberry.type
class ConnectionMutation()

Authenticated OAuth account-connect / disconnect mutations.

connect_account_start

python
@strawberry.mutation
def connect_account_start(info: strawberry.Info,
                          id: PublicID,
                          redirect_uri: str,
                          next: str = "/") -> OAuthStartPayload

Start an authenticated OAuth account-connect flow.

discover_oauth_endpoints

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def discover_oauth_endpoints(id: PublicID) -> ActionResult

Fetch the provider's discovery document and fill this client's blank endpoints.

The resolved authorize/token/userinfo endpoints (and any composed extension endpoints, e.g. OIDC issuer/JWKS) are persisted on the OAuth client row, so the operator never types them by hand. Requires a discovery URL on the row.

connect_integration

python
@strawberry.mutation
def connect_integration(info: strawberry.Info,
                        integration_id: PublicID | None = None,
                        vendor_slug: str = "",
                        impl_class: str = "",
                        redirect_uri: str = "",
                        next: str = "/") -> ConnectIntegrationResult

Attach this user's live credential to an integration, or start OAuth.

connect_account_complete

python
@strawberry.mutation
def connect_account_complete(info: strawberry.Info, code: str, state: str,
                             redirect_uri: str) -> ConnectAccountResult

Complete an authenticated OAuth account-connect flow.
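The start/complete pair above, together with the OAuthStartPayload note that redirect_uri is "resent verbatim at completion", implies a server-side record that binds each state to the session and the redirect URI. The following is an added sketch of that binding, not Angee's code: the in-memory PENDING store, the PendingFlow record, the STATE_TTL value, the plain-integer user ids and the stand-in OAuthFlowError class are all assumptions.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


class OAuthFlowError(Exception):
    """Typed flow failure (the name appears on the page; this class is a stand-in)."""


@dataclass
class PendingFlow:
    user_id: int
    oauth_client_id: str
    redirect_uri: str
    expires_at: float


PENDING: dict[str, PendingFlow] = {}  # state -> flow (assumed store; real one is shared)
STATE_TTL = 600  # seconds, assumed value


def connect_account_start(user_id, oauth_client_id, redirect_uri, now=None):
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # unguessable and single-use
    PENDING[state] = PendingFlow(user_id, oauth_client_id, redirect_uri,
                                 now + STATE_TTL)
    # The effective redirect_uri goes back to the client so it can resend it.
    return {"state": state, "redirect_uri": redirect_uri}


def connect_account_complete(user_id, code, state, redirect_uri, now=None):
    now = time.time() if now is None else now
    flow = PENDING.pop(state, None)  # pop before any check: no replay, even on failure
    if flow is None or now > flow.expires_at:
        raise OAuthFlowError("unknown or expired state")
    if flow.user_id != user_id:
        raise OAuthFlowError("state was issued to a different session user")
    # Exact string match: no normalisation, no prefix or host-only comparison.
    if flow.redirect_uri != redirect_uri:
        raise OAuthFlowError("redirect_uri differs from the one used at start")
    # The provider token exchange would happen here, sending `code` together
    # with flow.redirect_uri (the stored value, not the client-supplied one).
    return {"oauth_client_id": flow.oauth_client_id,
            "redirect_uri": flow.redirect_uri}
```
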

disconnect_account

python
@strawberry.mutation
def disconnect_account(info: strawberry.Info,
                       external_account_sqid: str) -> UnlinkAccountResult

Remove this session user's credential link to an external account.

The credential delete fires pre_delete: the login addon, when installed, vetoes removing a user's last sign-in account by raising an OAuthFlowError, surfaced here as a typed error rather than a 500.

IntegrateExternalAccountMutation

python
@strawberry.type
class IntegrateExternalAccountMutation()

Admin mutations for manually linked external identities.

create_external_account

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_external_account(data: ExternalAccountInput) -> ExternalAccountType

Create or update one external account via the account manager owner.

delete_external_account

python
@strawberry.mutation(name="delete_external_account",
                     permission_classes=_ADMIN_PERMISSION_CLASSES)
def delete_external_account(id: PublicID,
                            confirm: bool = False) -> DeletePreview

Revoke the owner grant, then delete the account (owner is a REBAC tuple).

IntegrateCredentialMutation

python
@strawberry.type
class IntegrateCredentialMutation()

Admin CRUD for credentials; create mints provider-less kinds (OAuth arrives via connect).

reveal_credential

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def reveal_credential(id: PublicID) -> RevealedCredentialSecret

Return one credential's decrypted secret for an admin to copy.

refresh_credential

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def refresh_credential(id: PublicID) -> ActionResult

Force an OAuth credential to renew its token now and report the outcome.

The interactive counterpart to the lazy on-use refresh: it renews regardless of remaining lifetime (a still-valid token is rotated) and surfaces success or the reason to reconnect, rather than silently swallowing a dead refresh token.

create_credential

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_credential(info: strawberry.Info,
                      data: CredentialInput) -> CredentialType

Create one provider-less credential, dispatching material by kind.

delete_credential

python
@strawberry.mutation(name="delete_credential",
                     permission_classes=_ADMIN_PERMISSION_CLASSES)
def delete_credential(id: PublicID, confirm: bool = False) -> DeletePreview

Best-effort remote revoke, then delete the credential when unblocked.

VendorType

python
@strawberry_django.type(Vendor)
class VendorType(AngeeNode)

GraphQL projection of an integration vendor catalogue row.

IntegrationLabelMixin

python
@strawberry.type
class IntegrationLabelMixin()

Project Integration.display_label as the display_name field for a type.

Compose alongside the node base, e.g. class ChannelType(IntegrationLabelMixin, AngeeNode), to surface the operator label (falling back to Vendor (status)) on every Integration child type without re-declaring the resolver. A @strawberry.type (not an interface): merges the field into the concrete type without adding a GraphQL interface to the SDL.

display_name

python
@strawberry_django.field(only=["display_name", "vendor", "status"])
def display_name() -> str

Return the operator label, falling back to the vendor-derived one.

IntegrationType

python
@strawberry_django.type(Integration)
class IntegrationType(IntegrationLabelMixin, AngeeNode)

Admin projection of an integration.

Exposes the catalogue/identity associations as nested relations so the console form's many2one pickers auto-wire (mirrors iam's CredentialType.external_account); safe because the surface is admin-gated.

bridge

python
@strawberry_django.field(only=["id"])
def bridge() -> VcsBridgeType | None

Return this integration's VCS child row when present.

impl_category

python
@strawberry_django.field(only=["impl_class"], description="Implementation")
def impl_category() -> str

Return this integration implementation's board grouping category.

Reads the class-level metadata off the resolved impl class — no instance, no child model fetch — so a board/list render does not N+1 over child models.

impl_label

python
@strawberry_django.field(only=["impl_class"])
def impl_label() -> str

Return this integration implementation's human label.

ConnectedIntegrationType

python
@strawberry_django.type(Integration)
class ConnectedIntegrationType(IntegrationLabelMixin, AngeeNode)

Public projection of a current-user integration connection.

WebhookSubscriptionType

python
@strawberry_django.type(WebhookSubscription)
class WebhookSubscriptionType(AngeeNode)

Admin projection of an outbound webhook subscription.

The signing secret is deliberately omitted (write-only) — unlike OAuthClient's revealed client_secret, a webhook secret is never read back.

RotatedSecret

python
@strawberry.type
class RotatedSecret()

A freshly rotated webhook signing secret, returned once for display.

IntegrationCredentialMutation

python
@strawberry.type
class IntegrationCredentialMutation()

Self-service integration creation from connected credentials.

create_integration_from_credential

python
@strawberry.mutation
def create_integration_from_credential(
        info: strawberry.Info, credential: PublicID,
        vendor_slug: str) -> ConnectedIntegrationType

Create or update this user's integration from a connected credential.

Self-service, not platform-admin: the authorization is ownership of the credential. resolve_action_target reads the credential elevated, then the user_id check below is the actual gate. This deliberately bypasses the create = admin->member arm in integrate/permissions.zed (which governs the admin-console Integration CRUD), so a credential owner can wire up their own integration without an admin.
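The pattern described above (an elevated read that authorizes nothing, followed by an ownership check that is the real gate) is shown here as an added, self-contained sketch; it is not the project's implementation. Store, resolve_elevated, NotFoundOrForbidden and the data classes are hypothetical stand-ins, and the sample ids and vendor slug are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class NotFoundOrForbidden(Exception):
    """One error for 'missing' and 'not yours', so ids cannot be probed."""


@dataclass
class Credential:
    id: str
    user_id: int


@dataclass
class Integration:
    owner_id: int
    vendor_slug: str
    credential_id: str


@dataclass
class Store:
    credentials: dict[str, Credential] = field(default_factory=dict)
    integrations: dict[tuple[int, str], Integration] = field(default_factory=dict)

    def resolve_elevated(self, credential_id: str) -> Credential | None:
        # Hypothetical stand-in for resolve_action_target: the read bypasses
        # per-user filtering, so on its own it grants the caller nothing.
        return self.credentials.get(credential_id)


def create_integration_from_credential(store: Store, session_user_id: int,
                                       credential_id: str, vendor_slug: str):
    cred = store.resolve_elevated(credential_id)
    # The actual gate: the session user must own the credential. A missing
    # row and another user's row fail identically.
    if cred is None or cred.user_id != session_user_id:
        raise NotFoundOrForbidden(credential_id)
    # The owner comes from the session, never from client-supplied input.
    key = (session_user_id, vendor_slug)
    row = store.integrations.get(key)
    if row is None:
        row = Integration(session_user_id, vendor_slug, cred.id)
        store.integrations[key] = row
    else:
        row.credential_id = cred.id  # "create or update": re-point, no duplicate
    return row


if __name__ == "__main__":
    demo = Store()  # constructed sample data
    demo.credentials["cred_a"] = Credential("cred_a", user_id=1)
    demo.credentials["cred_b"] = Credential("cred_b", user_id=2)
    print(create_integration_from_credential(demo, 1, "cred_a", "github"))
    try:
        create_integration_from_credential(demo, 1, "cred_b", "github")
    except NotFoundOrForbidden as exc:
        print("denied:", exc)
```
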

IntegrationActionMutation

python
@strawberry.type
class IntegrationActionMutation()

Operational actions on an integration (sync, connection test).

sync_integration

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def sync_integration(id: PublicID) -> ActionResult

Run every bridge of one integration now (eager variant of the scheduler).

test_connection

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def test_connection(id: PublicID) -> ActionResult

Probe the integration's credential so the operator sees it is usable.

WebhookActionMutation

python
@strawberry.type
class WebhookActionMutation()

Operational actions on an outbound webhook subscription.

test_webhook_delivery

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def test_webhook_delivery(id: PublicID) -> ActionResult

Send a test event to one subscription and report the delivery outcome.

rotate_webhook_secret

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def rotate_webhook_secret(id: PublicID) -> RotatedSecret

Roll one subscription's signing secret and return the new value once.

VcsBridgeType

python
@strawberry_django.type(VcsBridge)
class VcsBridgeType(AngeeNode)

Admin projection of a VCS bridge child model.

display_name

python
@strawberry_django.field(only=["backend_class", "status"])
def display_name() -> str

Return a human label for the record header and relation pickers.

RepositoryType

python
@strawberry_django.type(Repository)
class RepositoryType(AngeeNode)

Admin projection of one inventoried repository.

SourceType

python
@strawberry_django.type(Source)
class SourceType(AngeeNode)

Admin projection of one source (a ref+path pointer into a repository).

TemplateType

python
@strawberry_django.type(Template)
class TemplateType(AngeeNode)

Admin projection of one discovered template.

RepoCandidate

python
@strawberry.type
class RepoCandidate()

A repository the host returns for the add typeahead (not yet inventoried).

VcsBridgeInput

python
@strawberry.input
class VcsBridgeInput()

Fields accepted when creating a VCS bridge child row.

VcsBridgePatch

python
@strawberry.input
class VcsBridgePatch()

Fields accepted when updating a VCS bridge child model.

VCSConsoleQuery

python
@strawberry.type
class VCSConsoleQuery()

Admin VCS inventory queries.

search_repositories

python
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def search_repositories(vcs_bridge_id: PublicID,
                        query: str) -> list[RepoCandidate]

Return host repositories matching query for the add typeahead.

VcsBridgeCreateMutation

python
@strawberry.type
class VcsBridgeCreateMutation()

Admin create for a VCS bridge child, validating backend-owned fields.

create_vcs_bridge

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def create_vcs_bridge(data: VcsBridgeInput) -> VcsBridgeType

Create a VCS child row directly.

VcsBridgeUpdateMutation

python
@strawberry.type
class VcsBridgeUpdateMutation()

Admin update for a VCS bridge child, validating backend-owned fields.

update_vcs_bridge

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def update_vcs_bridge(data: VcsBridgePatch) -> VcsBridgeType

Update a VCS child row, rematerializing backend defaults on backend change.

VCSActionMutation

python
@strawberry.type
class VCSActionMutation()

Operational actions on a VCS bridge and its inventory.

add_repository

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def add_repository(vcs_bridge_id: PublicID, name: str) -> RepositoryType

Inventory one repository by its host name (a picked typeahead result).

discover_repositories

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def discover_repositories(vcs_bridge_id: PublicID,
                          org: str = "") -> ActionResult

Inventory every repository the account exposes (bulk import; prunes vanished).

sync_vcs_bridge

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def sync_vcs_bridge(id: PublicID) -> ActionResult

Refresh every repository's sources for one VCS bridge now.

refresh_source

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def refresh_source(id: PublicID) -> ActionResult

Re-enumerate one source's output rows now.

schemas

GraphQL contributions installed by the integrate addon.

Released under the AGPL-3.0 License.