Files
multica/server/pkg/composio/doc.go
Multica Eve 8d0ea04fb0 feat(composio): add standalone Go SDK client (MVP) (#4603)
* feat(composio): add standalone Go SDK client (MVP)

Adds server/pkg/composio — a self-contained Go SDK for the Composio v3.1
REST API. Built on go-resty/resty v2; zero coupling to other Multica
packages so it can be vendored or extracted later without surgery.

MVP surface (just the endpoints Stage 2 needs):

- POST /connected_accounts/link        Client.CreateLink
- POST /tool_router/session            Client.CreateSession
- GET  /connected_accounts             Client.ListConnectedAccounts
- POST /connected_accounts/{id}/revoke Client.RevokeConnection
- DELETE /connected_accounts/{id}      Client.DeleteConnectedAccount
                                       (404 -> nil, idempotent)
- GET  /toolkits                       Client.ListToolkits
- GET  /toolkits/{slug}                Client.GetToolkit
- POST /tools/execute/{slug}           Client.ExecuteTool
- Webhook HMAC-SHA256 verification     composio.VerifyWebhook /
                                       VerifyHTTPRequest + ParseEvent

Other notes:

- Auth via x-api-key header (Composio v3.1 contract).
- Typed *APIError envelope with IsNotFound / IsUnauthorized /
  IsRateLimited helpers; falls back to raw body when upstream returns
  non-JSON.
- Webhook signature accepts the official "v1,<sig>" format and any
  comma-separated multi-version list; 300s replay tolerance by default,
  honors an injectable clock for tests; RFC3339 timestamps tolerated.
- README.md documents all public APIs and design choices.

Tests:

- All exercise httptest.NewServer - no real Composio calls.
- 36 tests covering happy paths, validation, 404 idempotence, error
  decoding, signature verify (good / tampered / stale / multi-version /
  bare / RFC3339 / missing headers / empty secret).
- go test ./pkg/composio/... -cover -> 82.2%, exceeds the >=80% bar.

Follow-ups (separate PRs):

- server/internal/integrations/composio - DB schema, REST handlers,
  registration_service (CSRF), dispatch hook (MUL-3720 remainder).
- Pagination iterators, retry middleware, proxy execute, triggers.

Refs: MUL-3720, MUL-3715
Co-authored-by: multica-agent <github@multica.ai>

* fix(composio): align SDK with v3.1 wire contract (PR #4603 review)

Addresses GPT-Boy's review on PR #4603:

Must-fix
- ListConnectedAccountsRequest: switch UserID/AuthConfigID singular fields
  to plural slices (UserIDs, AuthConfigIDs, ToolkitSlugs, ConnectedAccountIDs,
  Statuses). The Composio v3.1 spec ships these as `*_ids` array params;
  our singular form silently dropped the user-filter on the wire. Also
  surfaces order_by / order_direction / account_type from the same spec.
- ExecuteToolRequest: rename ToolkitVersions -> Version with json tag
  `version` (the actual v3.1 body field). Marks AllowTracing as
  deprecated per the spec.

Nits
- ListToolkitsRequest.SortBy comment: `popular | alphabetical` -> the
  real enum `usage | alphabetically`.
- Client constructor: when Options.HTTPClient is provided, use
  resty.NewWithClient(hc) so the caller's Transport, Jar, CheckRedirect,
  and Timeout all carry through — the prior code only forwarded
  Transport + Timeout despite the field comment promising the full
  *http.Client.

Tests
- TestListConnectedAccounts_QueryString now asserts plural query keys
  (user_ids, auth_config_ids, connected_account_ids, statuses) and
  explicitly guards that the legacy singular keys do not leak.
- TestExecuteTool_Success decodes the body as a raw map and asserts the
  wire key is `version` (not `toolkit_versions`).
- New TestExecuteToolRequest_VersionSerialization locks the json tag.
- New TestNewClient_HonorsInjectedHTTPClient drives a request through a
  recordingTransport and asserts the inbound *http.Client actually
  handled it.

Verification
- go test ./pkg/composio/... -cover -> 85.1% (38 tests; was 82.2% / 36).
- go vet, go build, gofmt -l all clean.

Refs: PR #4603 review, MUL-3720
Co-authored-by: multica-agent <github@multica.ai>

---------

Co-authored-by: Eve <eve@multica-ai.local>
Co-authored-by: multica-agent <github@multica.ai>
2026-06-26 15:07:47 +08:00

57 lines
2.2 KiB
Go

// Package composio is a small, standalone Go SDK for the Composio v3.1 REST API.
//
// It is intentionally self-contained: the only third-party dependency is
// [github.com/go-resty/resty/v2]. It does not import any Multica-specific
// package, so it can be reused by other Go services or extracted into its
// own module unchanged.
//
// # MVP surface
//
// The SDK targets the surface required by the Composio integration MVP
// (see MUL-3715 / MUL-3720). It is deliberately minimal — only the
// endpoints actually used by the first-stage product are wired up:
//
// - Connect Link — POST /connected_accounts/link
// - MCP Session — POST /tool_router/session
// - Connected Accounts — GET /connected_accounts,
// POST /connected_accounts/{id}/revoke,
// DELETE /connected_accounts/{id}
// - Toolkits — GET /toolkits, GET /toolkits/{slug}
// - Tool Execute — POST /tools/execute/{tool_slug}
// - Webhook — HMAC-SHA256 signature verification
//
// More surface (auth configs, triggers, proxy execute, etc.) can be
// added later without changing the existing types.
//
// # Quick start
//
// client, err := composio.NewClient(composio.Options{
// APIKey: os.Getenv("COMPOSIO_API_KEY"),
// })
// if err != nil { return err }
//
// link, err := client.CreateLink(ctx, composio.CreateLinkRequest{
// AuthConfigID: "ac_abc",
// UserID: "u_123",
// CallbackURL: "https://app.example.com/composio/callback",
// })
// // redirect user to link.RedirectURL
//
// session, err := client.CreateSession(ctx, composio.CreateSessionRequest{
// UserID: "u_123",
// })
// // agent runtime now consumes session.MCP.URL + composio.MCPAuthHeaders(...)
//
// # Errors
//
// All non-2xx responses come back as a *APIError carrying the upstream
// status, slug, and message. Transport errors come back unwrapped from
// resty so callers can errors.Is/As as usual.
//
// # Webhook verification
//
// [VerifyWebhook] verifies the HMAC-SHA256 signature Composio attaches
// to every webhook delivery, with a configurable replay tolerance.
// See https://docs.composio.dev/docs/setting-up-triggers/subscribing-to-events#verifying-signatures
package composio