connectors: batch 2b — 33 more greenfield SaaS adapters + engine fixes (catalog 134→167)

[keysersoft]

Summary

Brings the connector catalog from 134 → 167 adapters (+33 greenfield).

Together with the just-merged PR #236 (batch 2a), this lands 48 of the 50 connectors from the top-50 plan in two waves (two were dropped as duplicates of existing region-specific adapters: paystack is in `ng/`, personio in `de/`).

Connectors in this PR (33)

Category	New connectors
crm	zoho-crm, bitrix24, streak, nimble, nutshell-crm, agilecrm, less-annoying-crm, salesflare
accounting	freshbooks, wave-accounting, sage-business-cloud, invoiced, kashflow
hr	greenhouse, lever, workable, bamboohr, deel
support	freshchat, tidio
project-management	wrike, teamwork-projects, plane-so
time-tracking	timetastic
email	mailerlite, omnisend
payments	plaid, gocardless, flutterwave
social	pinterest, buffer
storage	dropbox, box

All verified no-vendor-MCP via `gh search repos`.

Engine + service fixes uncovered while authoring 2b

These are small, surgical and unblock real connectors. All come with passing unit coverage.

1. `rest.engine.ts` OAUTH2 — `tokenPrefix` support

Added support for non-Bearer token prefixes via `authConfig.tokenPrefix` (defaults to `Bearer`). Required by Zoho, which sends `Authorization: Zoho-oauthtoken ` instead of `Bearer`.

2. `adapters.service.ts importAdapter` — persist `connector.headers` + `connector.envVars`

The previous code wasn't persisting `connector.headers` from the catalog JSON. That silently broke adapters from batch 2a (harvest, freshservice, mastodon) whose per-tenant headers (`Harvest-Account-Id`, `GoCardless-Version`, etc.) were never sent at runtime.

Fix: headers are now resolved via `{{VAR}}` substitution from credentials and persisted on the `Connector` row. The import credentials are also persisted as `connector.envVars` so the runtime engine can resolve `$VAR_NAME` references inside `bodyMapping` / `path` / `queryParams` — used by:

• `plaid` (client_id+secret-in-body auth)
• `less-annoying-crm` (Function-dispatch envelope where auth lives in the body)
• `bamboohr`, `kashflow` (subdomain embedded in URL path)

3. `catalog.spec.ts` — exempt env-var refs from "must be declared" check

The well-formed-endpointMapping test now skips `$UPPER_SNAKE_CASE` references, since those are legitimately resolved at request time from `connector.envVars` and intentionally NOT declared as tool parameters.

Verification

```
$ node scripts/validate-adapters.mjs
Validated 167 adapters: 167 passed, 0 failed.

$ npx jest --testPathPatterns='adapters' --silent
Test Suites: 1 skipped, 130 passed
Tests: 26 skipped, 2436 passed, 2462 total
```

Notable per-connector decisions

• zoho-crm: needs the `Zoho-oauthtoken` prefix → triggered the engine extension.
• bitrix24: webhook-URL auth (no headers — secret embedded in URL path).
• less-annoying-crm: POST-only Function-dispatch envelope; auth goes in the body via $ENV_VAR substitution.
• plaid: server-side auth via client_id+secret-in-body; defaults to sandbox.plaid.com for safety.
• dropbox, box: file upload multipart deliberately out of scope — the existing engine doesn't stream binary; documented in instructions.
• bluesky, personio: explicit JWT-as-parameter pattern (Bluesky session lifecycle, Personio's rotating single-use tokens) — clients manage the token.
• mastodon: per-instance baseUrl via `{{MASTODON_INSTANCE_URL}}` placeholder.

Test plan

• CI green (validator + catalog-sync + jest)
• Merge → trigger docker-publish.yml → deploy-cloud.yml
• Verify `https://cloud.anythingmcp.com/api/adapters | jq 'length'` == 167
• Spot-check 3-5 new slugs end-to-end: zoho-crm (Zoho-oauthtoken prefix), bamboohr (subdomain in path), plaid (sandbox auth)
• Confirm harvest / freshservice / mastodon (2a) now get their per-tenant headers correctly (the fix in this PR)

Follow-ups (not in this PR)

• EN/DE/IT MDX guides for all 48 batch-2 connectors on the website repo
• ES/JA/RU/ZH translation fan-out