@chrisromp/copilot-bridge 0.7.0 → 0.8.1

package/dist/index.js

@@ -1,4 +1,4 @@
-import { loadConfig, getConfig, isConfiguredChannel, registerDynamicChannel, markChannelAsDM, getChannelConfig, getPlatformBots, getChannelBotName, isBotAdmin, getHardcodedRules, getConfigRules, reloadConfig, ConfigWatcher } from './config.js';
+import { loadConfig, getConfig, isConfiguredChannel, registerDynamicChannel, markChannelAsDM, getChannelConfig, getPlatformBots, getPlatformAccess, getChannelBotName, isBotAdmin, getHardcodedRules, getConfigRules, reloadConfig, ConfigWatcher } from './config.js';
 import { CopilotBridge } from './core/bridge.js';
 import { SessionManager, BRIDGE_CUSTOM_TOOLS } from './core/session-manager.js';
 import { handleCommand, parseCommand } from './core/command-handler.js';
@@ -12,7 +12,8 @@ import { initScheduler, stopAll as stopScheduler, listJobs, removeJob, pauseJob,
 import { markBusy, markIdle, markIdleImmediate, isBusy, waitForChannelIdle, cancelIdleDebounce } from './core/channel-idle.js';
 import { LoopDetector, MAX_IDENTICAL_CALLS } from './core/loop-detector.js';
 import { getTaskHistory } from './state/store.js';
-import { createLogger } from './logger.js';
+import { checkUserAccess } from './core/access-control.js';
+import { createLogger, setLogLevel } from './logger.js';
 import fs from 'node:fs';
 import path from 'node:path';
 const log = createLogger('bridge');
@@ -116,16 +117,135 @@ function getAdapterForChannel(channelId) {
         return null;
     return { adapter, streaming };
 }
+const SLACK_UID_PATTERN = /^U[A-Z0-9]{6,}$/;
+/**
+ * Resolve non-UID entries in Slack bot access configs.
+ * Handles added manually as usernames are looked up via Slack API (with pagination) and replaced with UIDs.
+ */
+async function resolveSlackAccessUsers(config) {
+    const slackPlatform = config.platforms.slack;
+    if (!slackPlatform?.bots)
+        return;
+    // Collect all access configs that need resolution: platform-level + per-bot
+    const accessTargets = [];
+    const firstBotToken = Object.values(slackPlatform.bots)[0]?.token;
+    if (slackPlatform.access?.users?.length && firstBotToken) {
+        accessTargets.push({ label: 'platform "slack"', access: slackPlatform.access, tokenSource: firstBotToken });
+    }
+    for (const [botName, bot] of Object.entries(slackPlatform.bots)) {
+        if (bot.access?.users?.length) {
+            accessTargets.push({ label: `bot "${botName}"`, access: bot.access, tokenSource: bot.token });
+        }
+    }
+    if (accessTargets.length === 0)
+        return;
+    // Deduplicate API calls — group by token
+    const membersByToken = new Map();
+    for (const target of accessTargets) {
+        if (membersByToken.has(target.tokenSource))
+            continue;
+        const unresolved = target.access.users.filter(u => !SLACK_UID_PATTERN.test(u));
+        if (unresolved.length === 0)
+            continue;
+        const allMembers = [];
+        try {
+            let cursor;
+            do {
+                const params = new URLSearchParams({ limit: '200' });
+                if (cursor)
+                    params.set('cursor', cursor);
+                const resp = await fetch(`https://slack.com/api/users.list?${params}`, {
+                    headers: { 'Authorization': `Bearer ${target.tokenSource}` },
+                });
+                if (!resp.ok) {
+                    log.warn(`  Slack users.list failed: HTTP ${resp.status}`);
+                    break;
+                }
+                const data = await resp.json();
+                if (!data.ok) {
+                    log.warn(`  Slack users.list failed: ${data.error}`);
+                    break;
+                }
+                for (const m of data.members ?? [])
+                    allMembers.push(m);
+                cursor = data.response_metadata?.next_cursor || undefined;
+            } while (cursor);
+        }
+        catch (err) {
+            log.warn(`  Failed to fetch Slack users: ${err.message}`);
+        }
+        membersByToken.set(target.tokenSource, allMembers);
+    }
+    // Resolve each access config
+    for (const target of accessTargets) {
+        const unresolved = target.access.users.filter(u => !SLACK_UID_PATTERN.test(u));
+        if (unresolved.length === 0)
+            continue;
+        log.info(`Resolving ${unresolved.length} Slack handle(s) for ${target.label} access list...`);
+        const allMembers = membersByToken.get(target.tokenSource) ?? [];
+        // Build lookup map for O(1) resolution
+        const nameMap = new Map();
+        const displayMap = new Map();
+        for (const m of allMembers) {
+            if (m.deleted || m.is_bot)
+                continue;
+            const name = (m.name ?? '').toLowerCase();
+            if (name)
+                nameMap.set(name, m.id);
+            const displayName = m.profile?.display_name_normalized?.toLowerCase() ?? '';
+            if (displayName)
+                displayMap.set(displayName, m.id);
+            const realName = m.profile?.real_name_normalized?.toLowerCase() ?? '';
+            if (realName)
+                displayMap.set(realName, m.id);
+        }
+        const resolved = [];
+        for (const handle of unresolved) {
+            const normalized = handle.replace(/^@/, '').toLowerCase();
+            const byName = nameMap.get(normalized);
+            if (byName) {
+                log.info(`  Resolved "${handle}" → ${byName} (by handle)`);
+                resolved.push(byName);
+            }
+            else {
+                const byDisplay = displayMap.get(normalized);
+                if (byDisplay) {
+                    log.warn(`  Resolved "${handle}" → ${byDisplay} (by display/real name — consider using the exact Slack handle for reliability)`);
+                    resolved.push(byDisplay);
+                }
+                else {
+                    log.warn(`  Could not resolve Slack handle "${handle}" — keeping as-is`);
+                    resolved.push(handle);
+                }
+            }
+        }
+        const uidEntries = target.access.users.filter(u => SLACK_UID_PATTERN.test(u));
+        target.access.users = [...uidEntries, ...resolved];
+    }
+}
 async function main() {
     log.info('copilot-bridge starting...');
     // Load configuration
     const config = loadConfig();
+    setLogLevel(config.logLevel ?? 'info');
     log.info(`Loaded ${config.channels.length} channel mapping(s)`);
     // Start config file watcher for hot-reload
     const configWatcher = new ConfigWatcher();
     configWatcher.onReload((result) => {
         if (!result.success)
             return;
+        // Re-apply logLevel in case config changed it
+        setLogLevel(getConfig().logLevel ?? 'info');
+        // Re-resolve Slack access handles after reload (config was re-read from disk).
+        // Fires asynchronously — messages during resolution use the old resolved values.
+        void (async () => {
+            try {
+                await resolveSlackAccessUsers(getConfig());
+            }
+            catch (err) {
+                log.warn(`Slack access resolution after reload failed: ${err.message}`);
+            }
+        })();
         if (result.restartNeeded.length > 0) {
             // Notify admin channels about restart-needed changes
             for (const [key, adapter] of botAdapters) {
@@ -174,20 +294,44 @@ async function main() {
     };
     // Initialize channel adapters — one per bot identity
     for (const [platformName, platformConfig] of Object.entries(config.platforms)) {
-        const factory = adapterFactories[platformName];
-        if (!factory) {
-            log.warn(`No adapter for platform "${platformName}" — skipping`);
-            continue;
-        }
         const bots = getPlatformBots(platformName);
         for (const [botName, botInfo] of bots) {
             const key = `${platformName}:${botName}`;
-            const adapter = factory(platformName, platformConfig.url, botInfo.token);
+            let adapter;
+            if (platformName === 'slack') {
+                // Slack needs appToken for Socket Mode — construct directly
+                if (!botInfo.appToken) {
+                    log.error(`Slack bot "${botName}" missing appToken — skipping`);
+                    continue;
+                }
+                try {
+                    const { SlackAdapter } = await import('./channels/slack/adapter.js');
+                    adapter = new SlackAdapter({
+                        platformName,
+                        botToken: botInfo.token,
+                        appToken: botInfo.appToken,
+                    });
+                }
+                catch (err) {
+                    log.error(`Failed to load Slack adapter: ${err.message}`);
+                    continue;
+                }
+            }
+            else {
+                const factory = adapterFactories[platformName];
+                if (!factory) {
+                    log.warn(`No adapter for platform "${platformName}" — skipping`);
+                    break; // skip all bots for this platform
+                }
+                adapter = factory(platformName, platformConfig.url ?? '', botInfo.token);
+            }
             botAdapters.set(key, adapter);
             botStreamers.set(key, new StreamingHandler(adapter));
             log.info(`Registered bot "${botName}" for ${platformName}`);
         }
     }
+    // Resolve non-UID Slack access entries at startup
+    await resolveSlackAccessUsers(config);
     // Wire up session events → streaming output (serialized per channel)
     sessionManager.onSessionEvent((sessionId, channelId, event) => {
         const prev = eventLocks.get(channelId) ?? Promise.resolve();
@@ -242,7 +386,7 @@ async function main() {
                 .catch(err => log.error(`Unhandled error in message handler:`, err)));
             channelLocks.set(msg.channelId, next);
         });
-        adapter.onReaction((reaction) => handleReaction(reaction, sessionManager));
+        adapter.onReaction((reaction) => handleReaction(reaction, sessionManager, platformName, botName));
         await adapter.connect();
         log.info(`${key} connected`);
         // Discover existing DM channels and auto-register any that aren't configured
@@ -370,6 +514,12 @@ async function handleMidTurnMessage(msg, sessionManager, platformName, botName)
         if (key.startsWith(`${platformName}:`) && msg.userId === a.getBotUserId())
             return;
     }
+    // Check user-level access control
+    const botInfo = getPlatformBots(platformName).get(botName);
+    if (!checkUserAccess(msg.userId, msg.username, botInfo?.access, getPlatformAccess(platformName))) {
+        log.debug(`User ${msg.username} (${msg.userId}) denied mid-turn access to bot "${botName}"`);
+        return;
+    }
     if (!isConfiguredChannel(msg.channelId))
         return;
     const assignedBot = getChannelBotName(msg.channelId);
@@ -381,8 +531,10 @@ async function handleMidTurnMessage(msg, sessionManager, platformName, botName)
     const { adapter } = resolved;
     const channelConfig = getChannelConfig(msg.channelId);
     // Respect trigger mode — don't steer on unmentioned messages in mention-only channels
-    if (channelConfig.triggerMode === 'mention' && !msg.mentionsBot && !msg.isDM)
+    if (channelConfig.triggerMode === 'mention' && !msg.mentionsBot && !msg.isDM) {
+        log.debug(`Ignoring mid-turn message (trigger=mention, no mention) in ${msg.channelId.slice(0, 8)}...`);
         return;
+    }
     const text = stripBotMention(msg.text, channelConfig.bot);
     if (!text && !msg.attachments?.length)
         return;
@@ -457,7 +609,7 @@ async function handleMidTurnMessage(msg, sessionManager, platformName, botName)
         // Commands with complex action handlers (skills, schedule, rules) defer to serialized path.
         const SAFE_MID_TURN = new Set([
             'context', 'status', 'help', 'verbose', 'autopilot', 'yolo',
-            'mcp', 'model', 'models', 'reasoning',
+            'mcp', 'model', 'models', 'reasoning', 'agents',
             'streamer-mode', 'on-air',
         ]);
         if (SAFE_MID_TURN.has(parsed.command)) {
@@ -523,6 +675,12 @@ async function handleInboundMessage(msg, sessionManager, platformName, botName)
         if (key.startsWith(`${platformName}:`) && msg.userId === a.getBotUserId())
             return;
     }
+    // Check user-level access control (reads live config — hot-reloadable)
+    const botInfo = getPlatformBots(platformName).get(botName);
+    if (!checkUserAccess(msg.userId, msg.username, botInfo?.access, getPlatformAccess(platformName))) {
+        log.debug(`User ${msg.username} (${msg.userId}) denied access to bot "${botName}"`);
+        return; // silent drop
+    }
     // Auto-register DM channels for known bots
     if (!isConfiguredChannel(msg.channelId) && msg.isDM) {
         const workspacePath = getWorkspacePath(botName);
@@ -558,8 +716,10 @@ async function handleInboundMessage(msg, sessionManager, platformName, botName)
     const channelConfig = getChannelConfig(msg.channelId);
     // Check trigger mode
     const triggerMode = channelConfig.triggerMode;
-    if (triggerMode === 'mention' && !msg.mentionsBot && !msg.isDM)
+    if (triggerMode === 'mention' && !msg.mentionsBot && !msg.isDM) {
+        log.debug(`Ignoring message (trigger=mention, no mention) in ${msg.channelId.slice(0, 8)}...`);
         return;
+    }
     // Strip bot mention from message text
     let text = stripBotMention(msg.text, channelConfig.bot);
     if (!text && !msg.attachments?.length)
@@ -635,22 +795,26 @@ async function handleInboundMessage(msg, sessionManager, platformName, botName)
                 if (!result.success) {
                     response = `❌ Config reload failed: ${result.error}\nExisting config is unchanged.`;
                 }
-                else if (result.changes.length === 0 && result.restartNeeded.length === 0) {
-                    response = '✅ Config reloaded — no changes detected.';
-                }
                 else {
-                    const parts = ['✅ Config reloaded.'];
-                    if (result.changes.length > 0) {
-                        parts.push('**Applied:**');
-                        for (const c of result.changes)
-                            parts.push(`  ✓ ${c}`);
+                    // Re-apply logLevel after manual reload
+                    setLogLevel(getConfig().logLevel ?? 'info');
+                    if (result.changes.length === 0 && result.restartNeeded.length === 0) {
+                        response = '✅ Config reloaded — no changes detected.';
                     }
-                    if (result.restartNeeded.length > 0) {
-                        parts.push('**Restart needed:**');
-                        for (const r of result.restartNeeded)
-                            parts.push(`  ⚠️ ${r}`);
+                    else {
+                        const parts = ['✅ Config reloaded.'];
+                        if (result.changes.length > 0) {
+                            parts.push('**Applied:**');
+                            for (const c of result.changes)
+                                parts.push(`  ✓ ${c}`);
+                        }
+                        if (result.restartNeeded.length > 0) {
+                            parts.push('**Restart needed:**');
+                            for (const r of result.restartNeeded)
+                                parts.push(`  ⚠️ ${r}`);
+                        }
+                        response = parts.join('\n');
                     }
-                    response = parts.join('\n');
                 }
                 await adapter.sendMessage(msg.channelId, response, { threadRootId: threadRoot });
                 break;
@@ -910,14 +1074,16 @@ async function handleInboundMessage(msg, sessionManager, platformName, botName)
                     lines.push('**Skills**');
                     for (const s of skills) {
                         const desc = s.description ? ` — ${s.description}` : '';
-                        lines.push(`• \`${s.name}\`${desc} _(${s.source})_`);
+                        const flag = s.pending ? ' ⏳ _reload to activate_' : '';
+                        lines.push(`• \`${s.name}\`${desc} _(${s.source})_${flag}`);
                     }
                     lines.push('');
                 }
                 if (mcpInfo.length > 0) {
                     lines.push('**MCP Servers**');
                     for (const s of mcpInfo) {
-                        lines.push(`• \`${s.name}\` _(${s.source})_`);
+                        const flag = s.pending ? ' ⏳ _reload to activate_' : '';
+                        lines.push(`• \`${s.name}\` _(${s.source})_${flag}`);
                     }
                     lines.push('');
                 }
@@ -1020,11 +1186,20 @@ async function handleInboundMessage(msg, sessionManager, platformName, botName)
     }
 }
 // --- Reaction Handling ---
-async function handleReaction(reaction, sessionManager) {
+async function handleReaction(reaction, sessionManager, platformName, botName) {
     if (!isConfiguredChannel(reaction.channelId))
         return;
     if (reaction.action !== 'added')
         return;
+    // Check user-level access control.
+    // Reactions only carry userId (no username), so this matches against userId only.
+    // For Slack (UIDs stored in config), this is exact. For Mattermost (usernames in config),
+    // this is best-effort — admin bots should use both username and user ID in allowlists.
+    const botInfo = getPlatformBots(platformName).get(botName);
+    if (!checkUserAccess(reaction.userId, reaction.userId, botInfo?.access, getPlatformAccess(platformName))) {
+        log.debug(`User ${reaction.userId} denied reaction access to bot "${botName}"`);
+        return;
+    }
     const resolved = getAdapterForChannel(reaction.channelId);
     if (!resolved)
         return;
@@ -1079,6 +1254,7 @@ async function handleSessionEvent(sessionId, channelId, event, sessionManager) {
     // Handle custom bridge events (permissions, user input)
     if (event.type === 'bridge.permission_request') {
         const streamKey = activeStreams.get(channelId);
+        const threadRootId = streamKey ? streaming.getStreamThreadRootId(streamKey) : undefined;
         if (streamKey) {
             await streaming.finalizeStream(streamKey);
             activeStreams.delete(channelId);
@@ -1086,11 +1262,12 @@ async function handleSessionEvent(sessionId, channelId, event, sessionManager) {
         await finalizeActivityFeed(channelId, adapter);
         const { toolName, serverName, input, commands } = event.data;
         const formatted = formatPermissionRequest(toolName, input, commands, serverName);
-        await adapter.sendMessage(channelId, formatted);
+        await adapter.sendMessage(channelId, formatted, { threadRootId });
         return;
     }
     if (event.type === 'bridge.user_input_request') {
         const streamKey = activeStreams.get(channelId);
+        const threadRootId = streamKey ? streaming.getStreamThreadRootId(streamKey) : undefined;
         if (streamKey) {
             await streaming.finalizeStream(streamKey);
             activeStreams.delete(channelId);
@@ -1098,7 +1275,7 @@ async function handleSessionEvent(sessionId, channelId, event, sessionManager) {
         await finalizeActivityFeed(channelId, adapter);
         const { question, choices } = event.data;
         const formatted = formatUserInputRequest(question, choices);
-        await adapter.sendMessage(channelId, formatted);
+        await adapter.sendMessage(channelId, formatted, { threadRootId });
         return;
     }
     // Format and route SDK events