release v0.5.4 from PR #

release v0.5.4 from PR #

Author: eschultink

.editorconfig

@@ -35,6 +35,30 @@ tab_width = 2
 indent_style = space
 tab_width = 2
 
+
+# Recommended settings for Markdown files in IntelliJ when publishing to GitBook
+# These settings assume Markdown is soft-wrapped visually at 100 columns,
+# with no hard wraps inserted by the IDE or formatter.
+
+[*.md]
+
+# Show visual guide at 100 characters in IntelliJ
+# Set in: Preferences → Editor → Code Style → Markdown → Right margin (columns)
+# (This value is visual only; it does not cause hard wrapping)
+# Suggested value: 100
+
+# Enable soft wrap in IntelliJ
+# Set in: Preferences → Editor → General → Soft Wraps
+# Add pattern: *.md
+
+# Prevent IntelliJ from inserting line breaks when reformatting
+# Set in: Preferences → Editor → Code Style → Markdown → Wrapping and Braces
+# Disable "Wrap on typing" and any force wrap rules
+
+max_line_length = off
+
+
+
 # TODO: use intellij specific controls?? can't find explicit docs on them exactly
 #ij_hcl-terraform_keep_line_breaks = true
 #ij_hcl_keep_line_breaks = true

.github/workflows/ci-bundles.yaml

@@ -11,6 +11,7 @@ on:
     branches:
       - 'main'
       - 'rc-*'
+  workflow_dispatch:
 
 jobs:
   bundle:
@@ -35,7 +36,7 @@ jobs:
           mvn clean -f pom.xml
           mvn package install -f "gateway-core/pom.xml" -Dmaven.test.skip=true
           mvn package install -f "core/pom.xml" -Dmaven.test.skip=true
-          mvn package -f "impl/${{ matrix.implementation }}/pom.xml" -Pdistribution 
+          mvn package   -Pdistribution -f "impl/${{ matrix.implementation }}/pom.xml"
       - name: Verify license artifacts are in the uber jar
         working-directory: java/impl/${{ matrix.implementation }}
         run: |
@@ -64,3 +65,21 @@ jobs:
           }
 
           echo "✅ License artifacts verified in $JAR_FILE"
+      - name: Configure AWS credentials via OIDC
+        if: matrix.implementation == 'aws'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::908404960471:role/GithubActionCIAgent
+          aws-region: us-west-2
+      - name: Upload uber-jar to S3
+        if: matrix.implementation == 'aws'
+        working-directory: java/impl/aws/target/
+        env:
+          AWS_REGION: us-west-2
+          S3_BUCKET: psoxy-public-artifacts
+        run: |
+          # uber-jar should be something like: psoxy-aws-{VERSION}.jar
+          JAR_FILE=$(find . -name "*.jar" | head -n1) 
+          echo "Uploading $JAR_FILE to s3://$S3_BUCKET/"
+
+          aws s3 cp "$JAR_FILE" "s3://$S3_BUCKET/" --region "$AWS_REGION"

.vscode/eclipse-java-google-style.xml

@@ -0,0 +1,12 @@
+{
+    "java.configuration.updateBuildConfiguration": "interactive",
+    "java.compile.nullAnalysis.mode": "automatic",
+    "java.format.settings.url": ".vscode/eclipse-java-google-style.xml",
+    "java.format.settings.profile": "GoogleStyle",
+    "editor.formatOnSave": false,
+    "editor.formatOnPaste": false,
+    "editor.formatOnType": false,
+    "java.format.enabled": false,
+    "java.format.onType.enabled": false,
+    "java.format.onSave.enabled": false
+}

.vscode/settings.json

@@ -7,6 +7,13 @@ Changes to be including in future/planned release notes will be added here.
 
 ## Next
 
+## [0.5.4](https://github.com/Worklytics/psoxy/release/tag/v0.5.4)
+  - `Slack Analytics`: added new connector for supporting fetching Slack Analytics data, through `api/admin.analytics.getFile` endpoint
+  - Side Outputs: added support; see [docs/configuration/side-outputs.md](docs/configuration/side-outputs.md) for details
+  - Supported async responses; see [docs/configuration/async-responses.md](docs/configuration/async-api-data.md) for details
+  - added `windsurf` connector in **alpha**; see [docs/sources/windsurf/README.md](docs/connectors/windsurf/README.md)
+  - added `cursor` connector in **alpha**; see [docs/sources/cursor/README.md](docs/connectors/cursor/README.md)
+
 ## [0.5.3](https://github.com/Worklytics/psoxy/release/tag/v0.5.3)
   - `aws` - removed `ssm:GetParameterVersion` perm from policies; not a thing
   - support for Side Outputs in `gcp` and `aws` modules; see [docs/configuration/side-outputs.md](docs/configuration/side-outputs.md) for details
@@ -408,4 +415,4 @@ Upgrade Notes:
     - eg, `PSOXY_SHARED` and `PSOXY_GCAL`, to allow IAM policies such as "read `PSOXY_SHARED*`" and
       "read+write `PSOXY_GCAL*`" (if shared secrets have common prefix with connector secrets,
       then wildcard policy to read shared also grants read of secrets across all connectors)
-- keys/salts per value kind (PII, item id, etc)
+- keys/salts per value kind (PII, item id, etc)

CHANGELOG.md

@@ -1,4 +1,6 @@
 {
-    "proseWrap": "always",
-    "printWidth": 100
+    "proseWrap": "never",
+    "tabWidth": 4,
+    "useTabs": true,
+    "endOfLine": "lf"
 }

docs/.prettierrc

@@ -57,12 +57,13 @@
     * [Jira Data Center](sources/atlassian/jira/jira-server.md)
   * [Dropbox](sources/dropbox-business/README.md)
   * [GitHub](sources/github/README.md)
-    * [Github Copilot](sources/github/copilot/README.md)
+    * [GitHub Copilot](sources/github/copilot/README.md)
     * [GitHub Enterprise Server](sources/github/enterprise-server/README.md)
-    * [Github Enterprise Cloud](sources/github/github/README.md)
-    * [Github Non Enterprise Cloud](sources/github/github-non-enterprise/README.md)
+    * [GitHub Enterprise Cloud](sources/github/github/README.md)
+    * [GitHub Non Enterprise Cloud](sources/github/github-non-enterprise/README.md)
   * [Google Workspace](sources/google-workspace/README.md)
-    * [API Call Examples](sources/google-workspace/example-api-calls.md)
+    * [Gemini in Workspace Apps](sources/google-workspace/gemini-in-workspace-apps/README.md)
+    * [Gemini Usage](sources/google-workspace/gemini-usage-bulk/README.md)
     * [Gmail](sources/google-workspace/gmail/README.md)
     * [Google Calendar](sources/google-workspace/calendar/README.md)
     * [Google Chat](sources/google-workspace/google-chat/README.md)
@@ -80,10 +81,10 @@
   * [Miro](sources/miro/README.md)
     * [Miro AI Bulk](sources/miro/miro-ai-bulk/README.md)
   * [Salesforce](sources/salesforce/README.md)
-  * [Slack Discovery API](sources/slack/README.md)
+  * [Slack](sources/slack/README.md)
     * [Slack AI Bulk](sources/slack/slack-ai-bulk/README.md)
-    * [Slack Discovery API](sources/slack/slack-discovery-api/README.md)
-    * [Slack Discovery Bulk](sources/slack/slack-discovery-bulk/README.md)
+    * [Slack Bulk Exports](sources/slack/slack-discovery-bulk/README.md)
+    * [Slack via Discovery API](sources/slack/slack-discovery-api/README.md)
   * [Zoom](sources/zoom/README.md)
     * [API Call Examples](sources/zoom/example-api-calls.md)
 

docs/README.md

@@ -1,41 +1,28 @@
 # API Mode Authentication and Authorization
 
-There are two connection legs to consider with regard to authentication and authorization in API
-mode:
+There are two connection legs to consider with regard to authentication and authorization in API mode:
 1. between Worklytics and the proxy (your host cloud)
 2. between the proxy and the data source API
 
-Eg, Worklytics initiates an API request to the proxy (1); which, after validating the request,
-forwards it to the data source API on behalf of Worklytics (2), adding its additional authentication
-information.
+Eg, Worklytics initiates an API request to the proxy (1); which, after validating the request, forwards it to the data source API on behalf of Worklytics (2), adding its additional authentication information.
 
 ## Worklytics to Proxy (1)
 
-Worklytics is **authorized** to access your proxy instance via an Identity and Access Management (IAM)
-policy which you must configure in your host platform. The exact details vary by cloud provider:
+Worklytics is **authorized** to access your proxy instance via an Identity and Access Management (IAM) policy which you must configure in your host platform. The exact details vary by cloud provider:
   - [AWS](aws/authentication-authorization.md)
   - [GCP](gcp/authentication-authorization.md)
 
-Worklytics **authenticates** in all cases via Workload Identity Federation; as your Worklytics tenant is
-running natively in the cloud, it can leverage the cloud provider's native IAM service to establish
-identity which can be asserted to other services in the cloud.
+Worklytics **authenticates** in all cases via Workload Identity Federation; as your Worklytics tenant is running natively in the cloud, it can leverage the cloud provider's native IAM service to establish identity which can be asserted to other services in the cloud.
 
 ## Proxy to Data Source API (2)
 
-Although exact details vary by data source, most utilize some form of [OAuth 2.0](https://oauth.net/2/)
-for authorization and authentication.
+Although exact details vary by data source, most utilize some form of [OAuth 2.0](https://oauth.net/2/) for authorization and authentication.
 
-A data source admin (eg, a Google Workspace admin) must **authorize** the proxy to access the data
-source via the data source's admin console. This typically involves creating a new OAuth 2.0 client
-and granting that client a set of [oauth scopes](https://oauth.net/2/scope/) required to support the
-API calls that will be made on behalf of Worklytics.  A detailed list of scopes required for each
-data source is specified in the documentation of each connector.
+A data source admin (eg, a Google Workspace admin) must **authorize** the proxy to access the data source via the data source's admin console. This typically involves creating a new OAuth 2.0 client and granting that client a set of [oauth scopes](https://oauth.net/2/scope/) required to support the API calls that will be made on behalf of Worklytics.  A detailed list of scopes required for each data source is specified in the documentation of each connector.
 
 See https://docs.worklytics.co/psoxy#supported-data-sources
 
-The proxy **authenticates** itself for calls to the data source using one of the supported OAuth 2.0
-mechanisms, see [https://oauth.net/2/client-authentication/]. Most commonly, these are [Client Credentials](https://oauth.net/2/grant-types/client-credentials/)
-or [Workload Identity Federation](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation).
+The proxy **authenticates** itself for calls to the data source using one of the supported OAuth 2.0 mechanisms, see [https://oauth.net/2/client-authentication/]. Most commonly, these are [Client Credentials](https://oauth.net/2/grant-types/client-credentials/) or [Workload Identity Federation](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation).
 
 In particular, a quick overview for common sources:
   - Microsoft 365 sources authenticate via Workload Identity Federation
@@ -46,8 +33,4 @@ In particular, a quick overview for common sources:
   - Salesforce authenticates via Client Credentials (a Salesforce App client id + secret)
   - Zoom authenticates via Client Credentials (a Zoom App client id + secret)
 
-In all cases relying on secrets (a key, client secret, token, etc) to authenticate, these values
-are stored in the secret store implementation of your Host cloud provider (eg, GCP Secret Manager)
-and **never** passed to or accessed by Worklytics.  Worklytics has no means to directly connect to
-any of your data sources.
-
+In all cases relying on secrets (a key, client secret, token, etc) to authenticate, these values are stored in the secret store implementation of your Host cloud provider (eg, GCP Secret Manager) and **never** passed to or accessed by Worklytics.  Worklytics has no means to directly connect to any of your data sources.

docs/SUMMARY.md

@@ -1,43 +1,30 @@
 # Authentication and Authorization in AWS Deployments of Psoxy
 
-This page provides an overview of how Psoxy authenticates and confirms authorization of clients
-(Worklytics tenants).
+This page provides an overview of how Psoxy authenticates and confirms authorization of clients (Worklytics tenants).
 
-For general overview of how Psoxy is authorized to access data sources, and authenticates when
-making API calls to those sources, see [API Mode Authentication and Authorization](../authentication-authorization.md).
+For general overview of how Psoxy is authorized to access data sources, and authenticates when making API calls to those sources, see [API Mode Authentication and Authorization](../authentication-authorization.md).
 
 ## Authentication
 
-Each Worklytics tenant operates as a unique GCP service account within Google Cloud. GCP issues an
-identity token for this service account to processes running in the tenant, which the tenant then
-uses to authenticate against AWS.
+Each Worklytics tenant operates as a unique GCP service account within Google Cloud. GCP issues an identity token for this service account to processes running in the tenant, which the tenant then uses to authenticate against AWS.
 
-This is [OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html) based
-identity federation (aka "web identity federation" or "workload identity federation").
+This is [OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html) based identity federation (aka "web identity federation" or "workload identity federation").
 
-No secrets or keys need to be exchanged between Worklytics and your AWS instance. The integrity of
-the authentication is provided by the signature of the identity token provided by GCP, which AWS
-verifies against Google's public certificates.
-
-AWS provides an overview of the specific GCP Case:
-[Access AWS using a Google Cloud Platform native workload identity](https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/)
+No secrets or keys need to be exchanged between Worklytics and your AWS instance. The integrity of the authentication is provided by the signature of the identity token provided by GCP, which AWS verifies against Google's public certificates.
 
+AWS provides an overview of the specific GCP Case: [Access AWS using a Google Cloud Platform native workload identity](https://aws.amazon.com/blogs/security/access-aws-using-a-google-cloud-platform-native-workload-identity/)
 
 Annotating the diagram for the above case, with specific components for Worklytics-->Proxy case:
 
 ![gcp-to-aws-workload-identity.png](gcp-to-aws-workload-identity.png)
 
-In the above, the AWS resource you're allowing access to is AWS IAM role, which your Worklytics tenant
-assumes and then can access S3 or invoke Lambda function.
+In the above, the AWS resource you're allowing access to is AWS IAM role, which your Worklytics tenant assumes and then can access S3 or invoke Lambda function.
 
 ## Authorization
 
-Within your AWS account, you create an IAM role, with a role assumption policy that allows your
-Worklytics tenant's GCP Service Account (identified by a numeric ID you obtain from the Worklytics
-portal) to assume the role.
+Within your AWS account, you create an IAM role, with a role assumption policy that allows your Worklytics tenant's GCP Service Account (identified by a numeric ID you obtain from the Worklytics portal) to assume the role.
 
-This assumption policy will have a statement similar to the following, where the value of the `aud`
-claim is the numeric ID of your Worklytics tenant's GCP Service Account:
+This assumption policy will have a statement similar to the following, where the value of the `aud` claim is the numeric ID of your Worklytics tenant's GCP Service Account:
 
 ```json
 {
@@ -54,9 +41,6 @@ claim is the numeric ID of your Worklytics tenant's GCP Service Account:
 }
 ```
 
-Colloquially, this allows a web identity federated from `accounts.google.com` where Google has
-asserted the claim that `aud` == `12345678901234567890123456789` to assume the role.
+Colloquially, this allows a web identity federated from `accounts.google.com` where Google has asserted the claim that `aud` == `12345678901234567890123456789` to assume the role.
 
-Then you use this AWS IAM role as the principal in AWS IAM policies you define to authorize to
-invoke your proxy instances via their function URLs (API connectors) or to read from their sanitized
-output buckets (bulk data connectors)
+Then you use this AWS IAM role as the principal in AWS IAM policies you define to authorize to invoke your proxy instances via their function URLs (API connectors) or to read from their sanitized output buckets (bulk data connectors)