feat(connect): managed connectors via public org — cloud auth, local data

packages/cli/src/commands/_lib/apply/__tests__/map-config.test.ts

@@ -304,6 +304,39 @@ describe("mapProjectToDesiredState", () => {
     expect(dc?.feeds).toEqual([{ feedKey: "stars", schedule: "0 */6 * * *" }]);
   });
 
+  test("folds `managedBy` (org only — no url) into the connection config", () => {
+    const conn = defineConnection({
+      slug: "gh-managed",
+      connector: "github",
+      config: { existing: true },
+      managedBy: { org: "lobu-managed" },
+    });
+    const state = mapProjectToDesiredState(
+      defineConfig({ agents: [], connections: [conn] })
+    );
+    const dc = state.connectors.connections[0];
+    // No connection-supplied URL: a connection can never redirect where the
+    // cloud PAT is sent (it always targets the instance's LOBU_CLOUD_URL).
+    expect(dc?.config).toEqual({
+      existing: true,
+      managedBy: { org: "lobu-managed" },
+    });
+  });
+
+  test("a connection without `managedBy` carries no managedBy in config", () => {
+    const conn = defineConnection({
+      slug: "gh-plain",
+      connector: "github",
+      config: { existing: true },
+    });
+    const state = mapProjectToDesiredState(
+      defineConfig({ agents: [], connections: [conn] })
+    );
+    const dc = state.connectors.connections[0];
+    expect(dc?.config).toEqual({ existing: true });
+    expect(dc?.config?.managedBy).toBeUndefined();
+  });
+
   test("rejects an invalid connection slug", () => {
     const conn = defineConnection({ slug: "Bad_Slug", connector: "github" });
     expect(() =>

packages/cli/src/commands/_lib/apply/map-config.ts

@@ -642,8 +642,33 @@ function mapConnection(connection: Connection): DesiredConnection {
       ...(feed.config ? { config: feed.config } : {}),
     };
   });
+  // A consent-only connection exists solely to hold an OAuth grant for
+  // delegation (the cloud grant-holder behind a managed connector); it cannot
+  // have feeds, so it never syncs. Reject feeds at authoring time too — the
+  // server enforces the same invariant on feed creation.
+  if (connection.consentOnly && feeds.length > 0) {
+    throw new ValidationError(
+      `connection "${connection.slug}" is consent-only (holds an OAuth grant for delegation) and cannot have feeds`
+    );
+  }
   const authSlug = authProfileSlug(connection.authProfile);
   const appAuthSlug = authProfileSlug(connection.appAuthProfile);
+  // A managed connection's grant lives in a cloud (public) org. Fold the
+  // `managedBy` descriptor into the persisted connection `config` so the server
+  // resolver (execution-context.ts) can detect it and fetch the user's token
+  // from the cloud at runtime — no new column or CRUD field needed. The
+  // `consent_only` flag is folded the same way: it lives in the trusted
+  // connection `config` (where `managedBy` lives), never in `auth_data`.
+  const config =
+    connection.managedBy || connection.consentOnly
+      ? {
+          ...(connection.config ?? {}),
+          ...(connection.managedBy
+            ? { managedBy: { ...connection.managedBy } }
+            : {}),
+          ...(connection.consentOnly ? { consent_only: true } : {}),
+        }
+      : connection.config;
   return {
     slug: connection.slug,
     connector: connectorKey(connection.connector),
@@ -652,7 +677,7 @@ function mapConnection(connection: Connection): DesiredConnection {
     ...(connection.name ? { name: connection.name } : {}),
     ...(authSlug ? { authProfileSlug: authSlug } : {}),
     ...(appAuthSlug ? { appAuthProfileSlug: appAuthSlug } : {}),
-    ...(connection.config ? { config: connection.config } : {}),
+    ...(config ? { config } : {}),
     ...(connection.deviceWorkerId
       ? { deviceWorkerId: connection.deviceWorkerId }
       : {}),

packages/cli/src/config/define.ts

@@ -92,6 +92,24 @@ export interface ConnectionFeed {
   config?: Record<string, unknown>;
 }
 
+/**
+ * Marks a connection as MANAGED by a cloud (public) org. The OAuth grant lives
+ * in the cloud: a user joins the public `org`, connects normally (consent
+ * against the managed app → a connection owned by them), and the local instance
+ * fetches a fresh access token for its own user's connection at runtime via
+ * `POST /oauth/connection-token`, authenticating with the instance's cloud PAT
+ * (`LOBU_CLOUD_PAT`). The managed client secret + refresh token never leave the
+ * cloud.
+ *
+ * The cloud origin is fixed by the instance's `LOBU_CLOUD_URL` — a connection
+ * CANNOT supply a URL, so a malicious config can never redirect where the cloud
+ * PAT is sent.
+ */
+export interface ManagedBy {
+  /** The cloud (public) org the managed connector lives under. */
+  org: string;
+}
+
 export interface Connection {
   readonly kind: "connection";
   /** Stable slug — diff key. */
@@ -103,6 +121,20 @@ export interface Connection {
   /** OAuth-app auth profile (handle or slug). */
   appAuthProfile?: AuthProfile | string;
   config?: Record<string, unknown>;
+  /**
+   * Mark this connection as managed by a cloud (public) org — the grant lives
+   * in the cloud and the local instance fetches its token at runtime. See
+   * {@link ManagedBy}.
+   */
+  managedBy?: ManagedBy;
+  /**
+   * Consent-only connections exist solely to hold an OAuth grant for delegation
+   * (the cloud grant-holder behind a managed connector); they cannot have feeds,
+   * so they never sync. This is the by-construction guarantee that a managed
+   * connector's data only ever lives on the local instance — feed creation is
+   * rejected for a connection whose persisted `config.consent_only === true`.
+   */
+  consentOnly?: boolean;
   /** UUID pinning syncs/actions to a specific device worker. */
   deviceWorkerId?: string;
   feeds?: ConnectionFeed[];