feat: derive connection account info from the health-check probe

Layer account identity on top of the liveness probe. A health check can now
name a response field whose value identifies the connected account, so the same
probe that answers "is this alive?" also answers "whose account is this?".

Core: HealthCheckSpec gains an optional identityField (a dot-path into the
response body); HealthCheckResult carries the extracted identity plus a bounded
responseSample of the actual returned fields; HealthCheckCandidate carries the
operation's projected responseFields. New pure helpers: extractIdentity (resolve
a dot-path, numeric segments index arrays), projectResponseFields (enumerate a
response schema's scalar leaves breadth-first, merging every allOf/oneOf/anyOf
branch so discriminated-union fields aren't dropped), and extractResponseFields
(walk a real body for the live preview).

OpenAPI backing extracts the identity on a healthy probe and projects each
candidate's response fields. React: the editor gains a typed identity-field
picker fed by those fields and a live preview (probe a pasted test key, see the
real response plus what the identity resolves to); the account row labels itself
with the probed identity; and the Add Connection "check the key works" flow gains
the identity field (in the inline picker) and auto-fills the connection name from
the probed identity.

Covered by e2e: validating a key derives the identity; a saved connection's probe
surfaces the account then drops it once expired; the identity picker surfaces a
shallow scalar and a second-union-branch-only field across a discriminated union;
the editor live preview and the Add Connection name-derivation drive the identity
flow in the browser.

Author: RhysSullivan

e2e/scenarios/health-checks-ui.test.ts

@@ -27,14 +27,17 @@ import type { HttpApiClient } from "effect/unstable/httpapi";
 import type { Page } from "playwright";
 import { composePluginApi } from "@executor-js/api/server";
 import { openApiHttpPlugin } from "@executor-js/plugin-openapi/api";
-import { IntegrationSlug } from "@executor-js/sdk/shared";
+import { AuthTemplateSlug, ConnectionName, IntegrationSlug } from "@executor-js/sdk/shared";
 
 import { scenario } from "../src/scenario";
 import { Api, Browser, Target } from "../src/services";
 
 const api = composePluginApi([openApiHttpPlugin()] as const);
 type Client = HttpApiClient.ForApi<typeof api>;
 
+const TEMPLATE = AuthTemplateSlug.make("apiKey");
+const IDENTITY = "alice@example.com";
+
 const newSlug = (prefix: string) =>
   IntegrationSlug.make(`${prefix}-${randomBytes(4).toString("hex")}`);
 
@@ -85,9 +88,7 @@ const serveIdentityApi = (validToken: string) =>
         const authorized = request.headers["authorization"] === `Bearer ${validToken}`;
         if (request.method === "GET" && (request.url ?? "").startsWith("/me")) {
           response.writeHead(authorized ? 200 : 401, { "content-type": "application/json" });
-          response.end(
-            JSON.stringify(authorized ? { email: "alice@example.com" } : { error: "x" }),
-          );
+          response.end(JSON.stringify(authorized ? { email: IDENTITY } : { error: "x" }));
           return;
         }
         response.writeHead(404, { "content-type": "application/json" });
@@ -128,6 +129,57 @@ const registerIdentityIntegration = (client: Client, slug: IntegrationSlug, base
     },
   });
 
+/** Like `serveIdentityApi`, but with a `revoke()` that flips the key off so a
+ *  saved connection's previously-good key stops working mid-session (the editor
+ *  scenario's healthy -> expired transition). */
+const serveMutableIdentityApi = (validToken: string) =>
+  Effect.acquireRelease(
+    Effect.callback<{
+      readonly url: string;
+      readonly revoke: () => void;
+      readonly close: () => void;
+    }>((resume) => {
+      let live = true;
+      const server = createServer((request, response) => {
+        const authorized = live && request.headers["authorization"] === `Bearer ${validToken}`;
+        if (request.method === "GET" && (request.url ?? "").startsWith("/me")) {
+          response.writeHead(authorized ? 200 : 401, { "content-type": "application/json" });
+          response.end(JSON.stringify(authorized ? { email: IDENTITY } : { error: "x" }));
+          return;
+        }
+        response.writeHead(404, { "content-type": "application/json" });
+        response.end(JSON.stringify({ error: "not_found" }));
+      });
+      server.listen(0, "127.0.0.1", () => {
+        const address = server.address();
+        const port = typeof address === "object" && address ? address.port : 0;
+        resume(
+          Effect.succeed({
+            url: `http://127.0.0.1:${port}`,
+            revoke: () => {
+              live = false;
+            },
+            close: () => {
+              server.close();
+              server.closeAllConnections();
+            },
+          }),
+        );
+      });
+    }),
+    (server) => Effect.sync(server.close),
+  );
+
+/** The stored operation name for the GET probe (openapi prefixes it by tag),
+ *  discovered the same way the editor does: from the ranked candidate list. */
+const getMeOperation = (client: Client, slug: IntegrationSlug) =>
+  Effect.gen(function* () {
+    const candidates = yield* client.integrations.healthCheckCandidates({ params: { slug } });
+    const getMe = candidates.find((candidate) => candidate.method === "get");
+    if (!getMe) return yield* Effect.die("identity spec exposed no GET candidate");
+    return getMe.operation;
+  });
+
 /** Select the combobox option whose visible text contains `optionText` by
  *  keyboard (so it works inside a modal without a portaled-popup click). */
 const selectComboboxOption = async (page: Page, inputId: string, optionText: string) => {
@@ -430,3 +482,162 @@ scenario(
     }),
   ),
 );
+
+// ===========================================================================
+// 4. Edit sheet WITH identity: pick the operation + identity field, live-preview
+//    the response, then drive "Check now" on a saved connection healthy ->
+//    expired once the upstream revokes the key. (identity layer)
+// ===========================================================================
+
+scenario(
+  "Health checks (UI) · edit sheet with identity: preview the response, then healthy then expired",
+  {},
+  Effect.scoped(
+    Effect.gen(function* () {
+      const target = yield* Target;
+      const browser = yield* Browser;
+      const { client: makeClient } = yield* Api;
+      const identity = yield* target.newIdentity();
+      const client = yield* makeClient(api, identity);
+      const goodToken = `gk_${randomBytes(8).toString("hex")}`;
+      const server = yield* serveMutableIdentityApi(goodToken);
+      const slug = newSlug("hc-ui-id");
+      const name = ConnectionName.make("main");
+
+      yield* Effect.ensuring(
+        Effect.gen(function* () {
+          // Off camera: the integration and a saved connection holding the live
+          // key. The health check is configured ON camera in the editor below.
+          yield* registerIdentityIntegration(client, slug, server.url);
+          const operation = yield* getMeOperation(client, slug);
+          yield* client.connections.create({
+            payload: {
+              owner: "org",
+              name,
+              integration: slug,
+              template: TEMPLATE,
+              value: goodToken,
+            },
+          });
+
+          yield* browser.session(identity, async ({ page, step }) => {
+            const connections = page.locator("section").filter({
+              has: page.getByRole("heading", { level: 3, name: "Connections" }),
+            });
+            const menuTrigger = connections.locator('button[aria-haspopup="menu"]');
+
+            await step("Open the integration's connections", async () => {
+              await page.goto(`/integrations/${slug}`, { waitUntil: "networkidle" });
+              await connections.getByText("main", { exact: true }).waitFor();
+              await page.getByRole("heading", { level: 3, name: "Health check" }).waitFor();
+            });
+
+            await step("Pick the GET identity call and its email identity field", async () => {
+              await page.getByRole("button", { name: "Set up" }).click();
+              await selectComboboxOption(page, "health-check-operation", operation);
+              await selectComboboxOption(page, "health-check-identity", "email");
+            });
+
+            await step("Live preview a pasted key: status, response, and identity", async () => {
+              const sheet = page.getByRole("dialog");
+              await page.locator("#health-check-preview-key").fill(goodToken);
+              await sheet.getByRole("button", { name: "Preview", exact: true }).click();
+              await sheet.getByText("Response", { exact: true }).waitFor({ timeout: 30_000 });
+              await sheet.getByText("Resolves to:").waitFor();
+              await sheet.getByText(IDENTITY).first().waitFor();
+            });
+
+            await step("Save the health check", async () => {
+              await page.getByRole("button", { name: "Save", exact: true }).click();
+              await page.locator("#health-check-operation").waitFor({ state: "hidden" });
+            });
+
+            await step("Check the live connection: healthy, and whose account it is", async () => {
+              await menuTrigger.click();
+              await page.getByRole("menuitem", { name: "Check now" }).click();
+              await connections.getByText(IDENTITY).waitFor({ timeout: 30_000 });
+              await connections.getByLabel("Status: Healthy").waitFor();
+            });
+
+            await step("The upstream revokes the key: the connection reads expired", async () => {
+              server.revoke();
+              await menuTrigger.click();
+              await page.getByRole("menuitem", { name: "Check now" }).click();
+              await connections.getByText("Expired", { exact: true }).waitFor({ timeout: 30_000 });
+              await connections.getByLabel("Status: Expired").waitFor();
+            });
+          });
+
+          const stored = yield* client.integrations.healthCheckGet({ params: { slug } });
+          expect(stored).toEqual({ operation, identityField: "email" });
+        }),
+        Effect.gen(function* () {
+          yield* client.connections
+            .remove({ params: { owner: "org", integration: slug, name } })
+            .pipe(Effect.ignore);
+          yield* client.openapi.removeSpec({ params: { slug } }).pipe(Effect.ignore);
+        }),
+      );
+    }),
+  ),
+);
+
+// ===========================================================================
+// 5. Add Connection, check configured WITH identity: checking the key derives
+//    the connection name from the probed identity. (identity layer)
+// ===========================================================================
+
+scenario(
+  "Health checks (UI) · Add Connection derives the connection name from the probed identity",
+  {},
+  Effect.scoped(
+    Effect.gen(function* () {
+      const target = yield* Target;
+      const browser = yield* Browser;
+      const { client: makeClient } = yield* Api;
+      const identity = yield* target.newIdentity();
+      const client = yield* makeClient(api, identity);
+      const goodToken = `gk_${randomBytes(8).toString("hex")}`;
+      const server = yield* serveIdentityApi(goodToken);
+      const slug = newSlug("hc-ui-name");
+
+      yield* Effect.ensuring(
+        Effect.gen(function* () {
+          // Configure a check WITH an identity field up front, so the Add
+          // Connection modal probes against it (no inline picker needed).
+          yield* registerIdentityIntegration(client, slug, server.url);
+          const operation = yield* getMeOperation(client, slug);
+          yield* client.integrations.healthCheckSet({
+            params: { slug },
+            payload: { spec: { operation, identityField: "email" } },
+          });
+
+          yield* browser.session(identity, async ({ page, step }) => {
+            const dialog = page.getByRole("dialog");
+
+            await step("Open the Add Connection modal", async () => {
+              await page.goto(`/integrations/${slug}`, { waitUntil: "networkidle" });
+              await page.getByRole("button", { name: "Add connection", exact: true }).click();
+              await page.getByRole("heading", { name: /Add connection/ }).waitFor();
+            });
+
+            await step("A valid key checks healthy and names the connection", async () => {
+              await dialog.getByPlaceholder("paste the value / token").fill(goodToken);
+              await dialog.getByRole("button", { name: "Check the key works" }).click();
+              await dialog.getByText("Healthy").waitFor({ timeout: 30_000 });
+              // The probed identity auto-fills the display name.
+              await page.waitForFunction(
+                (expected) =>
+                  (document.querySelector("#connection-name") as HTMLInputElement | null)?.value ===
+                  expected,
+                IDENTITY,
+                { timeout: 10_000 },
+              );
+            });
+          });
+        }),
+        client.openapi.removeSpec({ params: { slug } }).pipe(Effect.ignore),
+      );
+    }),
+  ),
+);