lex-microsoft_teams 0.5.2 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +2 -2
  3. data/CHANGELOG.md +34 -0
  4. data/CLAUDE.md +2 -2
  5. data/docs/plans/2026-03-19-teams-token-lifecycle-design.md +120 -0
  6. data/docs/plans/2026-03-19-teams-token-lifecycle-implementation.md +679 -0
  7. data/lib/legion/extensions/microsoft_teams/actors/auth_validator.rb +105 -0
  8. data/lib/legion/extensions/microsoft_teams/actors/cache_sync.rb +1 -5
  9. data/lib/legion/extensions/microsoft_teams/actors/direct_chat_poller.rb +2 -2
  10. data/lib/legion/extensions/microsoft_teams/actors/message_processor.rb +1 -1
  11. data/lib/legion/extensions/microsoft_teams/actors/observed_chat_poller.rb +1 -1
  12. data/lib/legion/extensions/microsoft_teams/actors/token_refresher.rb +103 -0
  13. data/lib/legion/extensions/microsoft_teams/client.rb +5 -2
  14. data/lib/legion/extensions/microsoft_teams/helpers/browser_auth.rb +1 -1
  15. data/lib/legion/extensions/microsoft_teams/helpers/callback_server.rb +7 -2
  16. data/lib/legion/extensions/microsoft_teams/helpers/client.rb +4 -0
  17. data/lib/legion/extensions/microsoft_teams/helpers/prompt_resolver.rb +2 -5
  18. data/lib/legion/extensions/microsoft_teams/helpers/subscription_registry.rb +1 -0
  19. data/lib/legion/extensions/microsoft_teams/helpers/token_cache.rb +66 -3
  20. data/lib/legion/extensions/microsoft_teams/local_cache/extractor.rb +1 -1
  21. data/lib/legion/extensions/microsoft_teams/local_cache/record_parser.rb +1 -1
  22. data/lib/legion/extensions/microsoft_teams/runners/bot.rb +4 -4
  23. data/lib/legion/extensions/microsoft_teams/runners/cache_ingest.rb +8 -9
  24. data/lib/legion/extensions/microsoft_teams/runners/channel_messages.rb +5 -5
  25. data/lib/legion/extensions/microsoft_teams/runners/channels.rb +6 -6
  26. data/lib/legion/extensions/microsoft_teams/runners/chats.rb +5 -5
  27. data/lib/legion/extensions/microsoft_teams/runners/meetings.rb +16 -16
  28. data/lib/legion/extensions/microsoft_teams/runners/messages.rb +5 -5
  29. data/lib/legion/extensions/microsoft_teams/runners/presence.rb +2 -2
  30. data/lib/legion/extensions/microsoft_teams/runners/subscriptions.rb +5 -5
  31. data/lib/legion/extensions/microsoft_teams/runners/teams.rb +3 -3
  32. data/lib/legion/extensions/microsoft_teams/runners/transcripts.rb +6 -6
  33. data/lib/legion/extensions/microsoft_teams/version.rb +1 -1
  34. metadata +5 -2
  35. data/lib/legion/extensions/microsoft_teams/transport.rb +0 -11
@@ -0,0 +1,679 @@
1
+ # Teams Token Lifecycle Implementation Plan
2
+
3
+ > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
4
+
5
+ **Goal:** Add automatic delegated token validation on boot, periodic refresh, and browser re-auth for previously authenticated users.
6
+
7
+ **Architecture:** Two new actors (AuthValidator/Once, TokenRefresher/Every) plus two new methods on TokenCache. AuthValidator loads tokens on startup and recovers expired sessions. TokenRefresher keeps tokens fresh on a configurable 15-minute interval. Both trigger BrowserAuth for re-auth when a previously authenticated user's token cannot be refreshed.
8
+
9
+ **Tech Stack:** Ruby, RSpec, lex-microsoft_teams actor/helper conventions
10
+
11
+ ---
12
+
13
+ ### Task 1: Add `authenticated?` and `previously_authenticated?` to TokenCache
14
+
15
+ **Files:**
16
+ - Modify: `lib/legion/extensions/microsoft_teams/helpers/token_cache.rb:38-63`
17
+ - Test: `spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb`
18
+
19
+ **Step 1: Write the failing tests**
20
+
21
+ Add to the end of `token_cache_spec.rb`, before the final `end`:
22
+
23
+ ```ruby
24
+ describe '#authenticated?' do
25
+ it 'returns false when no delegated token is cached' do
26
+ expect(cache.authenticated?).to be false
27
+ end
28
+
29
+ it 'returns true when a delegated token is stored' do
30
+ cache.store_delegated_token(
31
+ access_token: 'tok', refresh_token: 'ref',
32
+ expires_in: 3600, scopes: 'scope1'
33
+ )
34
+ expect(cache.authenticated?).to be true
35
+ end
36
+
37
+ it 'returns false after clearing delegated token' do
38
+ cache.store_delegated_token(
39
+ access_token: 'tok', refresh_token: 'ref',
40
+ expires_in: 3600, scopes: 'scope1'
41
+ )
42
+ cache.clear_delegated_token!
43
+ expect(cache.authenticated?).to be false
44
+ end
45
+ end
46
+
47
+ describe '#previously_authenticated?' do
48
+ it 'returns false when no local file exists' do
49
+ expect(cache.previously_authenticated?).to be false
50
+ end
51
+
52
+ it 'returns true after save_to_local' do
53
+ cache.store_delegated_token(
54
+ access_token: 'tok', refresh_token: 'ref',
55
+ expires_in: 3600, scopes: 'scope1'
56
+ )
57
+ cache.save_to_local
58
+ expect(cache.previously_authenticated?).to be true
59
+ end
60
+ end
61
+ ```
62
+
63
+ **Step 2: Run tests to verify they fail**
64
+
65
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb -v`
66
+ Expected: FAIL — `NoMethodError: undefined method 'authenticated?'`
67
+
68
+ **Step 3: Write minimal implementation**
69
+
70
+ Add these two methods to `token_cache.rb` after `clear_delegated_token!` (around line 63), before the `load_from_vault` method:
71
+
72
+ ```ruby
73
+ def authenticated?
74
+ @mutex.synchronize { !@delegated_cache.nil? }
75
+ end
76
+
77
+ def previously_authenticated?
78
+ File.exist?(local_token_path)
79
+ end
80
+ ```
81
+
82
+ **Step 4: Run tests to verify they pass**
83
+
84
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb -v`
85
+ Expected: All pass (including existing specs)
86
+
87
+ **Step 5: Run rubocop**
88
+
89
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/helpers/token_cache.rb`
90
+ Expected: No offenses
91
+
92
+ **Step 6: Commit**
93
+
94
+ ```bash
95
+ cd extensions/lex-microsoft_teams
96
+ git add lib/legion/extensions/microsoft_teams/helpers/token_cache.rb spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb
97
+ git commit -m "add authenticated? and previously_authenticated? to TokenCache"
98
+ ```
99
+
100
+ ---
101
+
102
+ ### Task 2: Create AuthValidator actor
103
+
104
+ **Files:**
105
+ - Create: `lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`
106
+ - Test: `spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb`
107
+
108
+ **Step 1: Write the spec file**
109
+
110
+ Create `spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb`:
111
+
112
+ ```ruby
113
+ # frozen_string_literal: true
114
+
115
+ require 'spec_helper'
116
+
117
+ unless defined?(Legion::Extensions::Actors::Once)
118
+ module Legion
119
+ module Extensions
120
+ module Actors
121
+ class Once; end # rubocop:disable Lint/EmptyClass
122
+ end
123
+ end
124
+ end
125
+ end
126
+
127
+ $LOADED_FEATURES << 'legion/extensions/actors/once' unless $LOADED_FEATURES.include?('legion/extensions/actors/once')
128
+
129
+ require 'legion/extensions/microsoft_teams/actors/auth_validator'
130
+
131
+ RSpec.describe Legion::Extensions::MicrosoftTeams::Actor::AuthValidator do
132
+ subject(:actor) { described_class.allocate }
133
+
134
+ let(:token_cache) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache) }
135
+ let(:browser_auth) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth) }
136
+
137
+ before do
138
+ allow(actor).to receive(:token_cache).and_return(token_cache)
139
+ end
140
+
141
+ it 'has a 2 second delay' do
142
+ expect(actor.delay).to eq(2.0)
143
+ end
144
+
145
+ it 'does not generate tasks' do
146
+ expect(actor.generate_task?).to be false
147
+ end
148
+
149
+ it 'does not check subtasks' do
150
+ expect(actor.check_subtask?).to be false
151
+ end
152
+
153
+ describe '#manual' do
154
+ before do
155
+ allow(token_cache).to receive(:previously_authenticated?).and_return(false)
156
+ end
157
+
158
+ context 'when token loads and refreshes successfully' do
159
+ before do
160
+ allow(token_cache).to receive(:load_from_vault).and_return(true)
161
+ allow(token_cache).to receive(:cached_delegated_token).and_return('valid-token')
162
+ end
163
+
164
+ it 'logs success and does not trigger browser auth' do
165
+ expect(actor).not_to receive(:attempt_browser_reauth)
166
+ actor.manual
167
+ end
168
+ end
169
+
170
+ context 'when token loads but refresh fails and previously authenticated' do
171
+ before do
172
+ allow(token_cache).to receive(:load_from_vault).and_return(true)
173
+ allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
174
+ allow(token_cache).to receive(:previously_authenticated?).and_return(true)
175
+ allow(actor).to receive(:attempt_browser_reauth).and_return(true)
176
+ end
177
+
178
+ it 'triggers browser re-auth' do
179
+ actor.manual
180
+ expect(actor).to have_received(:attempt_browser_reauth)
181
+ end
182
+ end
183
+
184
+ context 'when token loads but refresh fails and never authenticated' do
185
+ before do
186
+ allow(token_cache).to receive(:load_from_vault).and_return(true)
187
+ allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
188
+ allow(token_cache).to receive(:previously_authenticated?).and_return(false)
189
+ end
190
+
191
+ it 'does not trigger browser re-auth' do
192
+ expect(actor).not_to receive(:attempt_browser_reauth)
193
+ actor.manual
194
+ end
195
+ end
196
+
197
+ context 'when no token file exists' do
198
+ before do
199
+ allow(token_cache).to receive(:load_from_vault).and_return(false)
200
+ allow(token_cache).to receive(:previously_authenticated?).and_return(false)
201
+ end
202
+
203
+ it 'does nothing silently' do
204
+ expect(actor).not_to receive(:attempt_browser_reauth)
205
+ actor.manual
206
+ end
207
+ end
208
+
209
+ context 'when no token loads but previously authenticated' do
210
+ before do
211
+ allow(token_cache).to receive(:load_from_vault).and_return(false)
212
+ allow(token_cache).to receive(:previously_authenticated?).and_return(true)
213
+ allow(actor).to receive(:attempt_browser_reauth).and_return(true)
214
+ end
215
+
216
+ it 'triggers browser re-auth' do
217
+ actor.manual
218
+ expect(actor).to have_received(:attempt_browser_reauth)
219
+ end
220
+ end
221
+ end
222
+ end
223
+ ```
224
+
225
+ **Step 2: Run test to verify it fails**
226
+
227
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb -v`
228
+ Expected: FAIL — `LoadError: cannot load such file -- legion/extensions/microsoft_teams/actors/auth_validator`
229
+
230
+ **Step 3: Write the actor**
231
+
232
+ Create `lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`:
233
+
234
+ ```ruby
235
+ # frozen_string_literal: true
236
+
237
+ module Legion
238
+ module Extensions
239
+ module MicrosoftTeams
240
+ module Actor
241
+ class AuthValidator < Legion::Extensions::Actors::Once
242
+ def use_runner? = false
243
+ def check_subtask? = false
244
+ def generate_task? = false
245
+
246
+ def delay
247
+ 2.0
248
+ end
249
+
250
+ def enabled?
251
+ defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
252
+ rescue StandardError
253
+ false
254
+ end
255
+
256
+ def token_cache
257
+ @token_cache ||= Legion::Extensions::MicrosoftTeams::Helpers::TokenCache.new
258
+ end
259
+
260
+ def manual
261
+ loaded = token_cache.load_from_vault
262
+
263
+ if loaded
264
+ token = token_cache.cached_delegated_token
265
+ if token
266
+ log_info('Teams delegated auth restored')
267
+ elsif token_cache.previously_authenticated?
268
+ attempt_browser_reauth(token_cache)
269
+ end
270
+ elsif token_cache.previously_authenticated?
271
+ log_warn('Token file found but could not load, attempting re-authentication')
272
+ attempt_browser_reauth(token_cache)
273
+ else
274
+ log_debug('No Teams delegated auth configured, skipping')
275
+ end
276
+ rescue StandardError => e
277
+ log_error("AuthValidator: #{e.message}")
278
+ end
279
+
280
+ private
281
+
282
+ def attempt_browser_reauth(tc)
283
+ settings = teams_auth_settings
284
+ return false unless settings[:tenant_id] && settings[:client_id]
285
+
286
+ log_warn('Delegated token expired, opening browser for re-authentication...')
287
+
288
+ scopes = settings.dig(:delegated, :scopes) ||
289
+ Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth::DEFAULT_SCOPES
290
+ browser_auth = Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth.new(
291
+ tenant_id: settings[:tenant_id],
292
+ client_id: settings[:client_id],
293
+ scopes: scopes
294
+ )
295
+
296
+ result = browser_auth.authenticate
297
+ return false if result[:error]
298
+
299
+ body = result[:result]
300
+ tc.store_delegated_token(
301
+ access_token: body['access_token'],
302
+ refresh_token: body['refresh_token'],
303
+ expires_in: body['expires_in'],
304
+ scopes: scopes
305
+ )
306
+ tc.save_to_vault
307
+ log_info('Teams delegated auth restored via browser')
308
+ true
309
+ rescue StandardError => e
310
+ log_error("Browser re-auth failed: #{e.message}")
311
+ false
312
+ end
313
+
314
+ def teams_auth_settings
315
+ return {} unless defined?(Legion::Settings)
316
+
317
+ Legion::Settings.dig(:microsoft_teams, :auth) || {}
318
+ end
319
+
320
+ def log_info(msg)
321
+ Legion::Logging.info(msg) if defined?(Legion::Logging)
322
+ end
323
+
324
+ def log_warn(msg)
325
+ Legion::Logging.warn(msg) if defined?(Legion::Logging)
326
+ end
327
+
328
+ def log_debug(msg)
329
+ Legion::Logging.debug(msg) if defined?(Legion::Logging)
330
+ end
331
+
332
+ def log_error(msg)
333
+ Legion::Logging.error(msg) if defined?(Legion::Logging)
334
+ end
335
+ end
336
+ end
337
+ end
338
+ end
339
+ end
340
+ ```
341
+
342
+ **Step 4: Run tests to verify they pass**
343
+
344
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb -v`
345
+ Expected: All pass
346
+
347
+ **Step 5: Run rubocop**
348
+
349
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`
350
+ Expected: No offenses
351
+
352
+ **Step 6: Commit**
353
+
354
+ ```bash
355
+ cd extensions/lex-microsoft_teams
356
+ git add lib/legion/extensions/microsoft_teams/actors/auth_validator.rb spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb
357
+ git commit -m "add AuthValidator actor for boot-time token validation"
358
+ ```
359
+
360
+ ---
361
+
362
+ ### Task 3: Create TokenRefresher actor
363
+
364
+ **Files:**
365
+ - Create: `lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`
366
+ - Test: `spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb`
367
+
368
+ **Step 1: Write the spec file**
369
+
370
+ Create `spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb`:
371
+
372
+ ```ruby
373
+ # frozen_string_literal: true
374
+
375
+ require 'spec_helper'
376
+
377
+ unless defined?(Legion::Extensions::Actors::Every)
378
+ module Legion
379
+ module Extensions
380
+ module Actors
381
+ class Every; end # rubocop:disable Lint/EmptyClass
382
+ end
383
+ end
384
+ end
385
+ end
386
+
387
+ $LOADED_FEATURES << 'legion/extensions/actors/every' unless $LOADED_FEATURES.include?('legion/extensions/actors/every')
388
+
389
+ require 'legion/extensions/microsoft_teams/actors/token_refresher'
390
+
391
+ RSpec.describe Legion::Extensions::MicrosoftTeams::Actor::TokenRefresher do
392
+ subject(:actor) { described_class.allocate }
393
+
394
+ let(:token_cache) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache) }
395
+
396
+ before do
397
+ allow(actor).to receive(:token_cache).and_return(token_cache)
398
+ end
399
+
400
+ it 'has a default 900 second interval' do
401
+ expect(actor.time).to eq(900)
402
+ end
403
+
404
+ it 'does not run immediately on start' do
405
+ expect(actor.run_now?).to be false
406
+ end
407
+
408
+ it 'does not generate tasks' do
409
+ expect(actor.generate_task?).to be false
410
+ end
411
+
412
+ it 'does not check subtasks' do
413
+ expect(actor.check_subtask?).to be false
414
+ end
415
+
416
+ describe '#manual' do
417
+ context 'when not authenticated' do
418
+ before do
419
+ allow(token_cache).to receive(:authenticated?).and_return(false)
420
+ end
421
+
422
+ it 'skips refresh entirely' do
423
+ expect(token_cache).not_to receive(:cached_delegated_token)
424
+ actor.manual
425
+ end
426
+ end
427
+
428
+ context 'when authenticated and refresh succeeds' do
429
+ before do
430
+ allow(token_cache).to receive(:authenticated?).and_return(true)
431
+ allow(token_cache).to receive(:cached_delegated_token).and_return('refreshed-token')
432
+ allow(token_cache).to receive(:save_to_vault)
433
+ end
434
+
435
+ it 'saves the refreshed token' do
436
+ actor.manual
437
+ expect(token_cache).to have_received(:save_to_vault)
438
+ end
439
+ end
440
+
441
+ context 'when authenticated but refresh fails and previously authenticated' do
442
+ before do
443
+ allow(token_cache).to receive(:authenticated?).and_return(true)
444
+ allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
445
+ allow(token_cache).to receive(:previously_authenticated?).and_return(true)
446
+ allow(actor).to receive(:attempt_browser_reauth).and_return(true)
447
+ end
448
+
449
+ it 'triggers browser re-auth' do
450
+ actor.manual
451
+ expect(actor).to have_received(:attempt_browser_reauth)
452
+ end
453
+ end
454
+
455
+ context 'when authenticated but refresh fails and never previously authenticated' do
456
+ before do
457
+ allow(token_cache).to receive(:authenticated?).and_return(true)
458
+ allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
459
+ allow(token_cache).to receive(:previously_authenticated?).and_return(false)
460
+ end
461
+
462
+ it 'does not trigger browser re-auth' do
463
+ expect(actor).not_to receive(:attempt_browser_reauth)
464
+ actor.manual
465
+ end
466
+ end
467
+ end
468
+ end
469
+ ```
470
+
471
+ **Step 2: Run test to verify it fails**
472
+
473
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb -v`
474
+ Expected: FAIL — `LoadError: cannot load such file`
475
+
476
+ **Step 3: Write the actor**
477
+
478
+ Create `lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`:
479
+
480
+ ```ruby
481
+ # frozen_string_literal: true
482
+
483
+ module Legion
484
+ module Extensions
485
+ module MicrosoftTeams
486
+ module Actor
487
+ class TokenRefresher < Legion::Extensions::Actors::Every
488
+ DEFAULT_REFRESH_INTERVAL = 900 # 15 minutes
489
+
490
+ def runner_class = Legion::Extensions::MicrosoftTeams::Helpers::TokenCache
491
+ def runner_function = 'cached_delegated_token'
492
+ def run_now? = false
493
+ def use_runner? = false
494
+ def check_subtask? = false
495
+ def generate_task? = false
496
+
497
+ def time
498
+ settings = teams_auth_settings
499
+ delegated = settings[:delegated]
500
+ return DEFAULT_REFRESH_INTERVAL unless delegated.is_a?(Hash)
501
+
502
+ delegated[:refresh_interval] || DEFAULT_REFRESH_INTERVAL
503
+ end
504
+
505
+ def enabled?
506
+ defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
507
+ rescue StandardError
508
+ false
509
+ end
510
+
511
+ def token_cache
512
+ @token_cache ||= Legion::Extensions::MicrosoftTeams::Helpers::TokenCache.new
513
+ end
514
+
515
+ def manual
516
+ return unless token_cache.authenticated?
517
+
518
+ token = token_cache.cached_delegated_token
519
+ if token
520
+ token_cache.save_to_vault
521
+ elsif token_cache.previously_authenticated?
522
+ attempt_browser_reauth(token_cache)
523
+ end
524
+ rescue StandardError => e
525
+ log_error("TokenRefresher: #{e.message}")
526
+ end
527
+
528
+ private
529
+
530
+ def attempt_browser_reauth(tc)
531
+ settings = teams_auth_settings
532
+ return false unless settings[:tenant_id] && settings[:client_id]
533
+
534
+ log_warn('Delegated token expired, opening browser for re-authentication...')
535
+
536
+ scopes = settings.dig(:delegated, :scopes) ||
537
+ Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth::DEFAULT_SCOPES
538
+ browser_auth = Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth.new(
539
+ tenant_id: settings[:tenant_id],
540
+ client_id: settings[:client_id],
541
+ scopes: scopes
542
+ )
543
+
544
+ result = browser_auth.authenticate
545
+ return false if result[:error]
546
+
547
+ body = result[:result]
548
+ tc.store_delegated_token(
549
+ access_token: body['access_token'],
550
+ refresh_token: body['refresh_token'],
551
+ expires_in: body['expires_in'],
552
+ scopes: scopes
553
+ )
554
+ tc.save_to_vault
555
+ log_info('Teams delegated auth restored via browser')
556
+ true
557
+ rescue StandardError => e
558
+ log_error("Browser re-auth failed: #{e.message}")
559
+ false
560
+ end
561
+
562
+ def teams_auth_settings
563
+ return {} unless defined?(Legion::Settings)
564
+
565
+ Legion::Settings.dig(:microsoft_teams, :auth) || {}
566
+ end
567
+
568
+ def log_info(msg)
569
+ Legion::Logging.info(msg) if defined?(Legion::Logging)
570
+ end
571
+
572
+ def log_warn(msg)
573
+ Legion::Logging.warn(msg) if defined?(Legion::Logging)
574
+ end
575
+
576
+ def log_error(msg)
577
+ Legion::Logging.error(msg) if defined?(Legion::Logging)
578
+ end
579
+ end
580
+ end
581
+ end
582
+ end
583
+ end
584
+ ```
585
+
586
+ **Step 4: Run tests to verify they pass**
587
+
588
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb -v`
589
+ Expected: All pass
590
+
591
+ **Step 5: Run rubocop**
592
+
593
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`
594
+ Expected: No offenses
595
+
596
+ **Step 6: Commit**
597
+
598
+ ```bash
599
+ cd extensions/lex-microsoft_teams
600
+ git add lib/legion/extensions/microsoft_teams/actors/token_refresher.rb spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb
601
+ git commit -m "add TokenRefresher actor for periodic delegated token refresh"
602
+ ```
603
+
604
+ ---
605
+
606
+ ### Task 4: Wire actors into entry point and run full suite
607
+
608
+ **Files:**
609
+ - Modify: `lib/legion/extensions/microsoft_teams.rb`
610
+
611
+ **Step 1: Add requires to the entry point**
612
+
613
+ In `lib/legion/extensions/microsoft_teams.rb`, the actor files are auto-discovered by the framework (loaded via `Legion::Extensions::Core`). However, to ensure they are available, verify the actors directory is loaded. No explicit require needed — actors are discovered by convention. But if other actors in this extension are explicitly required elsewhere, check that pattern.
614
+
615
+ Actually, reviewing the codebase: actors are NOT explicitly required in the entry point. They are auto-discovered by the framework via the `Actor` module namespace. The existing actors (CacheBulkIngest, CacheSync, DirectChatPoller, ObservedChatPoller, MessageProcessor) are all loaded this way. No change to `microsoft_teams.rb` is needed.
616
+
617
+ **Step 2: Run full spec suite**
618
+
619
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rspec -v`
620
+ Expected: All specs pass (should be ~200+ now)
621
+
622
+ **Step 3: Run rubocop on entire repo**
623
+
624
+ Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop`
625
+ Expected: No offenses
626
+
627
+ **Step 4: Verify spec count increased**
628
+
629
+ Expected: 188 (previous) + 5 (TokenCache) + 9 (AuthValidator) + 8 (TokenRefresher) = ~210 specs
630
+
631
+ **Step 5: Commit integration verification**
632
+
633
+ No files changed in this step — this is verification only.
634
+
635
+ ---
636
+
637
+ ### Task 5: Bump version and update changelog
638
+
639
+ **Files:**
640
+ - Modify: `lib/legion/extensions/microsoft_teams/version.rb`
641
+ - Modify: `CHANGELOG.md`
642
+
643
+ **Step 1: Bump version**
644
+
645
+ Change version from `0.5.3` to `0.5.4` in `version.rb`.
646
+
647
+ **Step 2: Update changelog**
648
+
649
+ Add entry at top of CHANGELOG.md:
650
+
651
+ ```markdown
652
+ ## [0.5.4] - 2026-03-19
653
+
654
+ ### Added
655
+ - `TokenCache#authenticated?` predicate for runtime delegated token state
656
+ - `TokenCache#previously_authenticated?` predicate for persistent auth history
657
+ - `AuthValidator` actor (Once): validates and restores delegated tokens on boot
658
+ - `TokenRefresher` actor (Every, 15min configurable): keeps delegated tokens fresh
659
+ - Automatic browser re-auth when previously authenticated user's token expires
660
+ - `refresh_interval` config key at `settings[:microsoft_teams][:auth][:delegated]`
661
+ ```
662
+
663
+ **Step 3: Commit**
664
+
665
+ ```bash
666
+ cd extensions/lex-microsoft_teams
667
+ git add lib/legion/extensions/microsoft_teams/version.rb CHANGELOG.md
668
+ git commit -m "bump version to 0.5.4, update changelog"
669
+ ```
670
+
671
+ ---
672
+
673
+ ### Task 6: Push
674
+
675
+ **Step 1: Push to remote**
676
+
677
+ ```bash
678
+ cd extensions/lex-microsoft_teams && git push
679
+ ```