oO/services/integrations/README.md

# integrations

Third-party connectors and the token vault.

## Connector interface

```ts
interface Connector {
  id: string                                // e.g. "todoist"
  beginOAuth(user): Promise<{ redirectUrl, state }>
  finishOAuth(code, state): Promise<StoredCredential>
  fetchSignals(user, since?): AsyncIterable<NormalizedEvent>
  // optional write-back, e.g. mark task done
  act?(user, action): Promise<void>
}
```

## Token vault

- Credentials encrypted at rest (libsodium sealed box); key from env/KMS.
- Refresh handled transparently; consumers never see raw tokens.
- One row per `(user, provider)` with provider-specific `meta`.

## Roadmap

- Phase 0: **Todoist** (OAuth2, read tasks, complete task).
- Phase 2: Google Calendar, Apple Health (web import), generic webhook ingress.
- Phase 5: public SDK so third parties can ship connectors.