@excitedjs/feishu-transport 0.0.1

package/dist/parse/content.js

@@ -0,0 +1,208 @@
+/**
+ * Parsing inbound Feishu message content.
+ *
+ * Feishu delivers `message.content` as a JSON-encoded string whose shape
+ * depends on `message_type`. This module turns that into the plain text the
+ * channel forwards to the engine. Attachment message types (image, file) are
+ * summarized as a short text marker — the channel forwards text, not binaries.
+ *
+ * Ported verbatim from claudemux's `feishu-channel/src/content.ts` (the source
+ * of truth — it carries the `interactive`-card parse dreamux's drifted copy had
+ * lost); only the `./types` import was repointed to `../contract/types`.
+ */
+/**
+ * Parse one inbound Feishu message into forwardable text. Never throws —
+ * malformed content falls back to a best-effort string so a weird message
+ * still reaches the engine.
+ */
+export function parseInbound(message) {
+    const type = message.message_type ?? 'unknown';
+    let parsed;
+    try {
+        parsed = JSON.parse(message.content ?? '');
+    }
+    catch {
+        return { text: message.content ?? '(unparseable message)' };
+    }
+    const content = (parsed && typeof parsed === 'object' ? parsed : {});
+    switch (type) {
+        case 'text': {
+            const text = typeof content.text === 'string' ? content.text : '';
+            return { text: applyMentions(text, message.mentions) };
+        }
+        case 'post':
+            return { text: extractPostText(content) };
+        case 'image':
+            return { text: '(image)' };
+        case 'file': {
+            const fileName = typeof content.file_name === 'string' ? content.file_name : 'unknown';
+            return { text: `(file: ${fileName})` };
+        }
+        case 'interactive':
+            return { text: extractInteractiveText(content) };
+        default:
+            return { text: `(${type} message)` };
+    }
+}
+/**
+ * Feishu WebSocket events for interactive cards wrap the real v2 card JSON as a
+ * JSON-encoded string under `user_dsl`. Unwrap it so the extractor below always
+ * sees the card schema directly.
+ */
+function unwrapUserDsl(card) {
+    const dsl = card.user_dsl;
+    if (typeof dsl !== 'string')
+        return card;
+    try {
+        const inner = JSON.parse(dsl);
+        if (inner && typeof inner === 'object' && !Array.isArray(inner)) {
+            return inner;
+        }
+    }
+    catch {
+        // fall through
+    }
+    return card;
+}
+/**
+ * Extract plain text from a v2 interactive card content object.
+ * Handles feishu-channel cards (tag: markdown) and Dbotmux / other bots'
+ * cards (tag: div with text.content, tag: column_set, etc.).
+ */
+function extractInteractiveText(card) {
+    const c = unwrapUserDsl(card);
+    const parts = [];
+    const header = c.header;
+    if (header && typeof header === 'object') {
+        const title = header.title;
+        if (title && typeof title === 'object') {
+            const tc = title.content;
+            if (typeof tc === 'string' && tc.trim())
+                parts.push(tc);
+        }
+    }
+    const body = c.body;
+    const elements = body && typeof body === 'object'
+        ? body.elements
+        : c.elements;
+    if (Array.isArray(elements)) {
+        for (const el of elements)
+            extractCardElementText(el, parts);
+    }
+    return parts.join('\n') || '(interactive card)';
+}
+/** Recursively extract readable text from a v2 card element. */
+function extractCardElementText(el, parts) {
+    if (!el || typeof el !== 'object' || Array.isArray(el))
+        return;
+    const e = el;
+    const tag = e.tag;
+    if (tag === 'markdown' || tag === 'plain_text' || tag === 'div') {
+        // `content` is a direct string in feishu-channel cards;
+        // `text.content` is used when the text is a nested object (other bots).
+        const textObj = e.text;
+        const text = textObj && typeof textObj === 'object'
+            ? textObj.content
+            : e.content;
+        if (typeof text === 'string' && text.trim())
+            parts.push(text);
+        // div.fields[] — lark_md cells in field-layout cards from other bots.
+        if (Array.isArray(e.fields)) {
+            for (const f of e.fields) {
+                if (!f || typeof f !== 'object')
+                    continue;
+                const fo = f;
+                const ft = fo.text && typeof fo.text === 'object'
+                    ? fo.text.content
+                    : fo.content;
+                if (typeof ft === 'string' && ft.trim())
+                    parts.push(ft);
+            }
+        }
+    }
+    // column_set → columns[].elements[]
+    if (Array.isArray(e.columns)) {
+        for (const col of e.columns) {
+            if (!col || typeof col !== 'object')
+                continue;
+            const co = col;
+            if (Array.isArray(co.elements)) {
+                for (const child of co.elements)
+                    extractCardElementText(child, parts);
+            }
+        }
+    }
+    // Generic child elements (action blocks, nested containers)
+    if (Array.isArray(e.elements)) {
+        for (const child of e.elements)
+            extractCardElementText(child, parts);
+    }
+}
+/**
+ * Replace Feishu's `@_user_N` placeholders in text with the mentioned display
+ * names, so the forwarded message reads naturally.
+ */
+export function applyMentions(text, mentions) {
+    if (!mentions)
+        return text;
+    let out = text;
+    for (const m of mentions) {
+        if (m.key && m.name) {
+            out = out.split(m.key).join(`@${m.name}`);
+        }
+    }
+    return out;
+}
+/**
+ * Flatten a Feishu rich-text "post" payload into plain text. A post is
+ * locale-wrapped (`{ zh_cn: { title, content } }`) and its body is an array of
+ * paragraphs, each an array of tagged inline elements.
+ */
+export function extractPostText(content) {
+    const post = pickPostLocale(content);
+    const lines = [];
+    if (typeof post.title === 'string' && post.title.length > 0) {
+        lines.push(post.title);
+    }
+    const body = post.content;
+    if (Array.isArray(body)) {
+        for (const paragraph of body) {
+            if (!Array.isArray(paragraph))
+                continue;
+            lines.push(paragraph.map(renderPostElement).join(''));
+        }
+    }
+    return lines.join('\n');
+}
+/** Pick the first present locale block of a post, falling back to the raw object. */
+function pickPostLocale(content) {
+    for (const locale of ['zh_cn', 'en_us', 'ja_jp']) {
+        const block = content[locale];
+        if (block && typeof block === 'object')
+            return block;
+    }
+    return content;
+}
+/** Render one inline post element to text. */
+function renderPostElement(el) {
+    if (!el || typeof el !== 'object')
+        return '';
+    const e = el;
+    switch (e.tag) {
+        case 'text':
+            return typeof e.text === 'string' ? e.text : '';
+        case 'a':
+            return typeof e.text === 'string'
+                ? e.text
+                : typeof e.href === 'string'
+                    ? e.href
+                    : '';
+        case 'at':
+            return `@${typeof e.user_name === 'string' ? e.user_name : ''}`;
+        case 'img':
+            return '(image)';
+        default:
+            return '';
+    }
+}
+//# sourceMappingURL=content.js.map

package/dist/parse/content.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content.js","sourceRoot":"","sources":["../../src/parse/content.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAiBH;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,OAAuB;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,IAAI,SAAS,CAAA;IAE9C,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAA;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,IAAI,uBAAuB,EAAE,CAAA;IAC7D,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAA4B,CAAA;IAE/F,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAA;YACjE,OAAO,EAAE,IAAI,EAAE,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAA;QACxD,CAAC;QACD,KAAK,MAAM;YACT,OAAO,EAAE,IAAI,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAA;QAC3C,KAAK,OAAO;YACV,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;QAC5B,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,QAAQ,GAAG,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;YACtF,OAAO,EAAE,IAAI,EAAE,UAAU,QAAQ,GAAG,EAAE,CAAA;QACxC,CAAC;QACD,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAA;QAClD;YACE,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,WAAW,EAAE,CAAA;IACxC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAA6B;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAA;IACzB,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IACxC,IAAI,CAAC;QACH,MAAM,KAAK,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACtC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,OAAO,KAAgC,CAAA;QACzC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,eAAe;IACjB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,IAA6B;IAC3D,MAAM,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,CAAA;IAC7B,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAA;IACvB,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,KAAK,GAAI,MAAkC,CAAC,KAAK,CAAA;QACvD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvC,MAAM,EAAE,GAAI,KAAiC,CAAC,OAAO,CAAA;YACrD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAA;IACnB,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAC/C,CAAC,CAAE,IAAgC,CAAC,QAAQ;QAC5C,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,KAAK,MAAM,EAAE,IAAI,QAAQ;YAAE,sBAAsB,CAAC,EAAE,EAAE,KAAK,CAAC,CAAA;IAC9D,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAA;AACjD,CAAC;AAED,gEAAgE;AAChE,SAAS,sBAAsB,CAAC,EAAW,EAAE,KAAe;IAC1D,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAAE,OAAM;IAC9D,MAAM,CAAC,GAAG,EAA6B,CAAA;IACvC,MAAM,GAAG,GAAG,CAAC,CAAC,GAAyB,CAAA;IAEvC,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAChE,wDAAwD;QACxD,wEAAwE;QACxE,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAA;QACtB,MAAM,IAAI,GACR,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;YACpC,CAAC,CAAE,OAAmC,CAAC,OAAO;YAC9C,CAAC,CAAC,CAAC,CAAC,OAAO,CAAA;QACf,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,EAAE;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE7D,sEAAsE;QACtE,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;gBACzB,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,SAAQ;gBACzC,MAAM,EAAE,GAAG,CAA4B,CAAA;gBACvC,MAAM,EAAE,GACN,EAAE,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC,IAAI,KAAK,QAAQ;oBACpC,CAAC,CAAE,EAAE,CAAC,IAAgC,CAAC,OAAO;oBAC9C,CAAC,CAAC,EAAE,CAAC,OAAO,CAAA;gBAChB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,EAAE;oBAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;YACzD,CAAC;QACH,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,SAAQ;YAC7C,MAAM,EAAE,GAAG,GAA8B,CAAA;YACzC,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/B,KAAK,MAAM,KAAK,IAAI,EAAE,CAAC,QAAQ;oBAAE,sBAAsB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,KAAK,MAAM,KAAK,IAAI,CAAC,CAAC,QAAQ;YAAE,sBAAsB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IACtE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,QAA+B;IACzE,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAC1B,IAAI,GAAG,GAAG,IAAI,CAAA;IACd,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;YACpB,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,OAAgC;IAC9D,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;IACpC,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACxB,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAA;IACzB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;gBAAE,SAAQ;YACvC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAA;QACvD,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED,qFAAqF;AACrF,SAAS,cAAc,CAAC,OAAgC;IACtD,KAAK,MAAM,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;QAC7B,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAgC,CAAA;IACjF,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,8CAA8C;AAC9C,SAAS,iBAAiB,CAAC,EAAW;IACpC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAA;IAC5C,MAAM,CAAC,GAAG,EAA6B,CAAA;IACvC,QAAQ,CAAC,CAAC,GAAG,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAA;QACjD,KAAK,GAAG;YACN,OAAO,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAC/B,CAAC,CAAC,CAAC,CAAC,IAAI;gBACR,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;oBAC1B,CAAC,CAAC,CAAC,CAAC,IAAI;oBACR,CAAC,CAAC,EAAE,CAAA;QACV,KAAK,IAAI;YACP,OAAO,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;QACjE,KAAK,KAAK;YACR,OAAO,SAAS,CAAA;QAClB;YACE,OAAO,EAAE,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/policy/gate.d.ts

@@ -0,0 +1,105 @@
+/**
+ * Access control — the security-critical gate every inbound message passes
+ * through before it can reach the engine session.
+ *
+ * `gate` is a pure function: it takes the current access state plus the
+ * message's identity fields and returns a decision. It never reads the clock,
+ * never touches disk, and never mutates its input — the caller injects `now`
+ * and a candidate `newCode`, and persists `result.access` when `result.changed`
+ * is true. That makes every branch here exhaustively unit-testable.
+ *
+ * Ported verbatim from claudemux's `feishu-channel/src/access.ts` (the source
+ * of truth); only the `./types` import was repointed to `../contract/types`.
+ */
+import type { Access, Mention } from '../contract/types.js';
+/** Cap on simultaneously-pending pairing requests — direct and group share it. */
+export declare const MAX_PENDING = 10;
+/** Cap on pairing-code replies sent to one un-paired sender. */
+export declare const MAX_PAIRING_REPLIES = 2;
+/** How long a pairing code stays valid, in milliseconds. */
+export declare const PAIRING_TTL_MS: number;
+export interface GateInput {
+    /** open_id of the message sender. */
+    senderId: string;
+    /**
+     * Feishu sender_type. Feishu uses `'bot'` for cross-bot card messages and
+     * `'app'` for custom-bot messages in some scenarios; `'user'` for humans.
+     * Absent when the field is missing from the raw payload.
+     */
+    senderType?: string;
+    /** chat_id the message arrived in. */
+    chatId: string;
+    /** Feishu chat_type — `p2p` or `group`. */
+    chatType: string;
+    /** Current access-control state. */
+    access: Access;
+    /** Injected clock (epoch millis) — keeps `gate` pure. */
+    now: number;
+    /** A fresh pairing code, used only if `gate` starts a new pairing. */
+    newCode: string;
+    /** @-mentions carried by the message, for group mention-gating. */
+    mentions?: Mention[];
+    /** open_id of the bot itself, for group mention-gating. */
+    botOpenId?: string;
+    /**
+     * open_ids of peer bots known via /introduce in this specific chat. Populated
+     * by the caller for group messages only; `undefined` for direct messages.
+     * Entries arise from two sources, both scoped to this chatId:
+     *  - an authorized human sender ran /introduce (trust via the gate that
+     *    governed that delivery), or
+     *  - a bot sender broadcast /introduce in an authorized group (ambient
+     *    self-recording; `isBotSenderType` and `isGroupAuthorized` are the guards).
+     */
+    observedBotIds?: ReadonlySet<string>;
+}
+export type GateResult = {
+    action: 'deliver';
+    access: Access;
+    changed: boolean;
+} | {
+    action: 'drop';
+    access: Access;
+    changed: boolean;
+    reason: string;
+} | {
+    action: 'pair';
+    access: Access;
+    changed: boolean;
+    code: string;
+    isResend: boolean;
+};
+/**
+ * Decide what to do with one inbound message. Returns the (possibly updated)
+ * access state in `access` and whether it differs from the input in `changed`.
+ */
+export declare function gate(input: GateInput): GateResult;
+/** True when one of `mentions` resolves to the bot's own open_id. */
+export declare function isBotMentioned(mentions: Mention[] | undefined, botOpenId: string | undefined): boolean;
+/**
+ * Drop pairing entries whose `expiresAt` is at or before `now`. Returns the
+ * same object reference when nothing expired, so callers can cheaply skip a
+ * disk write via the `changed` flag.
+ */
+export declare function pruneExpiredPending(access: Access, now: number): {
+    access: Access;
+    changed: boolean;
+};
+/**
+ * True when `senderType` identifies a Feishu bot or app.
+ * Feishu uses `'bot'` for cross-bot messages and `'app'` for custom-bot
+ * messages in some event contexts; both are non-human senders.
+ */
+export declare function isBotSenderType(senderType: string | undefined): boolean;
+/**
+ * True when the given group is "authorized" — i.e. the channel is actively
+ * serving it and ambient side effects (like /introduce recording) are appropriate.
+ *
+ *  - `block`       → never authorized; the bot ignores all groups.
+ *  - `follow-user` → always authorized; any group can receive messages.
+ *  - `allowlist`   → authorized only when the group has been paired and is
+ *                    present in `access.groups`. When `senderId` is provided,
+ *                    also checks that the sender passes the group's `allowFrom`
+ *                    filter (empty allowFrom = no restriction).
+ */
+export declare function isGroupAuthorized(access: Access, chatId: string, senderId?: string): boolean;
+//# sourceMappingURL=gate.d.ts.map

package/dist/policy/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../src/policy/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAAgB,MAAM,sBAAsB,CAAA;AAEzE,kFAAkF;AAClF,eAAO,MAAM,WAAW,KAAK,CAAA;AAC7B,gEAAgE;AAChE,eAAO,MAAM,mBAAmB,IAAI,CAAA;AACpC,4DAA4D;AAC5D,eAAO,MAAM,cAAc,QAAiB,CAAA;AAE5C,MAAM,WAAW,SAAS;IACxB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAA;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAA;IAChB,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAA;IACd,yDAAyD;IACzD,GAAG,EAAE,MAAM,CAAA;IACX,sEAAsE;IACtE,OAAO,EAAE,MAAM,CAAA;IACf,mEAAmE;IACnE,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;IACpB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAA;CACrC;AAED,MAAM,MAAM,UAAU,GAClB;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GACvD;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACpE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAA;AAEzF;;;GAGG;AACH,wBAAgB,IAAI,CAAC,KAAK,EAAE,SAAS,GAAG,UAAU,CAkBjD;AA+LD,qEAAqE;AACrE,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,OAAO,EAAE,GAAG,SAAS,EAC/B,SAAS,EAAE,MAAM,GAAG,SAAS,GAC5B,OAAO,CAGT;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAWtC;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAEvE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAS5F"}

package/dist/policy/gate.js

@@ -0,0 +1,276 @@
+/**
+ * Access control — the security-critical gate every inbound message passes
+ * through before it can reach the engine session.
+ *
+ * `gate` is a pure function: it takes the current access state plus the
+ * message's identity fields and returns a decision. It never reads the clock,
+ * never touches disk, and never mutates its input — the caller injects `now`
+ * and a candidate `newCode`, and persists `result.access` when `result.changed`
+ * is true. That makes every branch here exhaustively unit-testable.
+ *
+ * Ported verbatim from claudemux's `feishu-channel/src/access.ts` (the source
+ * of truth); only the `./types` import was repointed to `../contract/types`.
+ */
+/** Cap on simultaneously-pending pairing requests — direct and group share it. */
+export const MAX_PENDING = 10;
+/** Cap on pairing-code replies sent to one un-paired sender. */
+export const MAX_PAIRING_REPLIES = 2;
+/** How long a pairing code stays valid, in milliseconds. */
+export const PAIRING_TTL_MS = 60 * 60 * 1000;
+/**
+ * Decide what to do with one inbound message. Returns the (possibly updated)
+ * access state in `access` and whether it differs from the input in `changed`.
+ */
+export function gate(input) {
+    const pruned = pruneExpiredPending(input.access, input.now);
+    if (!input.senderId) {
+        return { action: 'drop', access: pruned.access, changed: pruned.changed, reason: 'missing sender id' };
+    }
+    if (input.chatType === 'p2p') {
+        return gateDirect(input, pruned.access, pruned.changed);
+    }
+    if (input.chatType === 'group') {
+        return gateGroup(input, pruned.access, pruned.changed);
+    }
+    return {
+        action: 'drop',
+        access: pruned.access,
+        changed: pruned.changed,
+        reason: `unsupported chat type: ${input.chatType}`,
+    };
+}
+/** Decide a direct (1:1) message. */
+function gateDirect(input, access, changed) {
+    if (access.dmPolicy === 'disabled') {
+        return { action: 'drop', access, changed, reason: 'direct messages disabled' };
+    }
+    if (access.allowFrom.includes(input.senderId)) {
+        return { action: 'deliver', access, changed };
+    }
+    if (access.dmPolicy === 'allowlist') {
+        return { action: 'drop', access, changed, reason: 'sender not on allowlist' };
+    }
+    // dmPolicy === 'pairing' — an unknown sender starts (or repeats) a pairing.
+    // The `kind` guard matters: a group-pairing entry also carries a senderId
+    // (its triggerer), so without it a group triggerer's later DM would match
+    // that entry and be answered with the group's code.
+    for (const [code, entry] of Object.entries(access.pending)) {
+        if (entry.kind !== 'dm' || entry.senderId !== input.senderId)
+            continue;
+        if (entry.replies >= MAX_PAIRING_REPLIES) {
+            return { action: 'drop', access, changed, reason: 'pairing reply cap reached' };
+        }
+        const nextAccess = {
+            ...access,
+            pending: { ...access.pending, [code]: { ...entry, replies: entry.replies + 1 } },
+        };
+        return { action: 'pair', access: nextAccess, changed: true, code, isResend: true };
+    }
+    if (Object.keys(access.pending).length >= MAX_PENDING) {
+        return { action: 'drop', access, changed, reason: 'too many pending pairings' };
+    }
+    const entry = {
+        kind: 'dm',
+        senderId: input.senderId,
+        chatId: input.chatId,
+        createdAt: input.now,
+        expiresAt: input.now + PAIRING_TTL_MS,
+        replies: 1,
+    };
+    const nextAccess = {
+        ...access,
+        pending: { ...access.pending, [input.newCode]: entry },
+    };
+    return { action: 'pair', access: nextAccess, changed: true, code: input.newCode, isResend: false };
+}
+/**
+ * Decide a group message according to `access.groupPolicy` — the switch that
+ * selects one of three group-access modes. See `GroupPolicy` in `types.ts`.
+ */
+function gateGroup(input, access, changed) {
+    if (access.groupPolicy === 'block') {
+        return {
+            action: 'drop',
+            access,
+            changed,
+            reason: 'group messages are blocked (groupPolicy: block)',
+        };
+    }
+    if (access.groupPolicy === 'follow-user') {
+        return gateGroupFollowUser(input, access, changed);
+    }
+    // 'allowlist' — a group is authorized as a unit, by pairing (decision feishu-channel-group-pairing).
+    return gateGroupAllowlist(input, access, changed);
+}
+/**
+ * Decide a group message under the `follow-user` policy: the group itself
+ * needs no authorization — the sender does. A message is delivered when the
+ * bot is @-mentioned (the deliberate "engage the bot" signal, without which
+ * the bot would react to every message in the group) AND the sender's open_id
+ * is either on the top-level `allowFrom` allowlist (the same allowlist that
+ * authorizes direct messages) OR is a peer bot known via /introduce in this
+ * chat. A non-mention message, or a mention from an unrecognized sender, is
+ * dropped; no pairing code is posted into a group.
+ *
+ * The observed-bot path is safe: entries are per-chatId and arise from two
+ * guarded sources — an authorized human /introduce delivery, or a bot that
+ * broadcast /introduce in an authorized group (ambient path, guarded by
+ * `isBotSenderType` + `isGroupAuthorized`). Both scope trust to this chat.
+ */
+function gateGroupFollowUser(input, access, changed) {
+    if (input.botOpenId === undefined) {
+        return {
+            action: 'drop',
+            access,
+            changed,
+            reason: 'group message requires an @-mention but the bot open_id is unknown',
+        };
+    }
+    if (!isBotMentioned(input.mentions, input.botOpenId)) {
+        return { action: 'drop', access, changed, reason: 'bot not mentioned' };
+    }
+    const onAllowlist = access.allowFrom.includes(input.senderId);
+    const isIntroducedBot = isBotSenderType(input.senderType) && (input.observedBotIds?.has(input.senderId) ?? false);
+    if (!onAllowlist && !isIntroducedBot) {
+        return { action: 'drop', access, changed, reason: 'sender not on allowlist' };
+    }
+    return { action: 'deliver', access, changed };
+}
+/**
+ * Decide a group message under the `allowlist` policy — a group is authorized
+ * as a unit (decision feishu-channel-group-pairing). A configured group is gated by its own
+ * `requireMention` / `allowFrom` entry; an unconfigured group is brought in by
+ * pairing.
+ */
+function gateGroupAllowlist(input, access, changed) {
+    const policy = access.groups[input.chatId];
+    if (!policy) {
+        return gateUnconfiguredGroup(input, access, changed);
+    }
+    if (policy.allowFrom.length > 0 && !policy.allowFrom.includes(input.senderId)) {
+        return { action: 'drop', access, changed, reason: 'sender not allowed in this group' };
+    }
+    if (policy.requireMention) {
+        // An unknown bot open_id cannot match any mention, so a mention-gated
+        // group would drop every message. Report that as its own reason rather
+        // than the misleading "bot not mentioned".
+        if (input.botOpenId === undefined) {
+            return {
+                action: 'drop',
+                access,
+                changed,
+                reason: 'group requires an @-mention but the bot open_id is unknown',
+            };
+        }
+        if (!isBotMentioned(input.mentions, input.botOpenId)) {
+            return { action: 'drop', access, changed, reason: 'bot not mentioned' };
+        }
+    }
+    return { action: 'deliver', access, changed };
+}
+/**
+ * Decide a message from a group that is not yet in `access.groups`.
+ *
+ * A group joins `access.groups` the same way an unknown direct sender joins
+ * the allowlist — by pairing. But a group pairing is started only by a
+ * deliberate @-mention of the bot, the group equivalent of choosing to open a
+ * 1:1 chat: that keeps the bot from posting a pairing code in every group it
+ * was incidentally added to, and bounds it to one code per group rather than
+ * one per group message. A non-mention message is dropped silently.
+ *
+ * Only one pairing runs per group at a time: while a `group` entry for this
+ * chat_id is pending, further mentions are dropped rather than posting a
+ * second code. The entry expires via `pruneExpiredPending`, so an un-approved
+ * pairing reopens on the next mention after its TTL.
+ */
+function gateUnconfiguredGroup(input, access, changed) {
+    if (input.botOpenId === undefined) {
+        return {
+            action: 'drop',
+            access,
+            changed,
+            reason: 'unconfigured group; bot open_id is unknown, so a mention cannot be detected',
+        };
+    }
+    if (!isBotMentioned(input.mentions, input.botOpenId)) {
+        return { action: 'drop', access, changed, reason: 'unconfigured group; bot not mentioned' };
+    }
+    for (const entry of Object.values(access.pending)) {
+        if (entry.kind === 'group' && entry.chatId === input.chatId) {
+            return { action: 'drop', access, changed, reason: 'group pairing already pending' };
+        }
+    }
+    if (Object.keys(access.pending).length >= MAX_PENDING) {
+        return { action: 'drop', access, changed, reason: 'too many pending pairings' };
+    }
+    const entry = {
+        kind: 'group',
+        senderId: input.senderId,
+        chatId: input.chatId,
+        createdAt: input.now,
+        expiresAt: input.now + PAIRING_TTL_MS,
+        replies: 1,
+    };
+    const nextAccess = {
+        ...access,
+        pending: { ...access.pending, [input.newCode]: entry },
+    };
+    return { action: 'pair', access: nextAccess, changed: true, code: input.newCode, isResend: false };
+}
+/** True when one of `mentions` resolves to the bot's own open_id. */
+export function isBotMentioned(mentions, botOpenId) {
+    if (!mentions || !botOpenId)
+        return false;
+    return mentions.some((m) => (m.id?.open_id ?? m.id?.union_id) === botOpenId);
+}
+/**
+ * Drop pairing entries whose `expiresAt` is at or before `now`. Returns the
+ * same object reference when nothing expired, so callers can cheaply skip a
+ * disk write via the `changed` flag.
+ */
+export function pruneExpiredPending(access, now) {
+    const kept = {};
+    let changed = false;
+    for (const [code, entry] of Object.entries(access.pending)) {
+        if (entry.expiresAt > now) {
+            kept[code] = entry;
+        }
+        else {
+            changed = true;
+        }
+    }
+    return changed ? { access: { ...access, pending: kept }, changed: true } : { access, changed: false };
+}
+/**
+ * True when `senderType` identifies a Feishu bot or app.
+ * Feishu uses `'bot'` for cross-bot messages and `'app'` for custom-bot
+ * messages in some event contexts; both are non-human senders.
+ */
+export function isBotSenderType(senderType) {
+    return senderType === 'bot' || senderType === 'app';
+}
+/**
+ * True when the given group is "authorized" — i.e. the channel is actively
+ * serving it and ambient side effects (like /introduce recording) are appropriate.
+ *
+ *  - `block`       → never authorized; the bot ignores all groups.
+ *  - `follow-user` → always authorized; any group can receive messages.
+ *  - `allowlist`   → authorized only when the group has been paired and is
+ *                    present in `access.groups`. When `senderId` is provided,
+ *                    also checks that the sender passes the group's `allowFrom`
+ *                    filter (empty allowFrom = no restriction).
+ */
+export function isGroupAuthorized(access, chatId, senderId) {
+    if (access.groupPolicy === 'block')
+        return false;
+    if (access.groupPolicy === 'follow-user')
+        return true;
+    const policy = access.groups[chatId];
+    if (!policy)
+        return false;
+    if (senderId !== undefined && policy.allowFrom.length > 0 && !policy.allowFrom.includes(senderId)) {
+        return false;
+    }
+    return true;
+}
+//# sourceMappingURL=gate.js.map

package/dist/policy/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/policy/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,kFAAkF;AAClF,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAA;AAC7B,gEAAgE;AAChE,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAA;AACpC,4DAA4D;AAC5D,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AA0C5C;;;GAGG;AACH,MAAM,UAAU,IAAI,CAAC,KAAgB;IACnC,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IAE3D,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IACxG,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;QAC7B,OAAO,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;IACzD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC/B,OAAO,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;IACxD,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,0BAA0B,KAAK,CAAC,QAAQ,EAAE;KACnD,CAAA;AACH,CAAC;AAED,qCAAqC;AACrC,SAAS,UAAU,CAAC,KAAgB,EAAE,MAAc,EAAE,OAAgB;IACpE,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAA;IAChF,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;IAC/C,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;IAC/E,CAAC;IAED,4EAA4E;IAC5E,0EAA0E;IAC1E,0EAA0E;IAC1E,oDAAoD;IACpD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3D,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAAE,SAAQ;QACtE,IAAI,KAAK,CAAC,OAAO,IAAI,mBAAmB,EAAE,CAAC;YACzC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;QACjF,CAAC;QACD,MAAM,UAAU,GAAW;YACzB,GAAG,MAAM;YACT,OAAO,EAAE,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,GAAG,CAAC,EAAE,EAAE;SACjF,CAAA;QACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAA;IACpF,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC;QACtD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;IACjF,CAAC;IACD,MAAM,KAAK,GAAiB;QAC1B,IAAI,EAAE,IAAI;QACV,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,GAAG;QACpB,SAAS,EAAE,KAAK,CAAC,GAAG,GAAG,cAAc;QACrC,OAAO,EAAE,CAAC;KACX,CAAA;IACD,MAAM,UAAU,GAAW;QACzB,GAAG,MAAM;QACT,OAAO,EAAE,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE;KACvD,CAAA;IACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAA;AACpG,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAgB,EAAE,MAAc,EAAE,OAAgB;IACnE,IAAI,MAAM,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACnC,OAAO;YACL,MAAM,EAAE,MAAM;YACd,MAAM;YACN,OAAO;YACP,MAAM,EAAE,iDAAiD;SAC1D,CAAA;IACH,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,KAAK,aAAa,EAAE,CAAC;QACzC,OAAO,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAA;IACpD,CAAC;IACD,qGAAqG;IACrG,OAAO,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAA;AACnD,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,mBAAmB,CAAC,KAAgB,EAAE,MAAc,EAAE,OAAgB;IAC7E,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO;YACL,MAAM,EAAE,MAAM;YACd,MAAM;YACN,OAAO;YACP,MAAM,EAAE,oEAAoE;SAC7E,CAAA;IACH,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IACzE,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;IAC7D,MAAM,eAAe,GACnB,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAA;IAC3F,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,EAAE,CAAC;QACrC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;IAC/E,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;AAC/C,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,KAAgB,EAAE,MAAc,EAAE,OAAgB;IAC5E,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAA;IACtD,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9E,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAA;IACxF,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC1B,sEAAsE;QACtE,uEAAuE;QACvE,2CAA2C;QAC3C,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,MAAM;gBACN,OAAO;gBACP,MAAM,EAAE,4DAA4D;aACrE,CAAA;QACH,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QACzE,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;AAC/C,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,qBAAqB,CAC5B,KAAgB,EAChB,MAAc,EACd,OAAgB;IAEhB,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO;YACL,MAAM,EAAE,MAAM;YACd,MAAM;YACN,OAAO;YACP,MAAM,EAAE,6EAA6E;SACtF,CAAA;IACH,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAA;IAC7F,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5D,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAA;QACrF,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC;QACtD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;IACjF,CAAC;IACD,MAAM,KAAK,GAAiB;QAC1B,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,GAAG;QACpB,SAAS,EAAE,KAAK,CAAC,GAAG,GAAG,cAAc;QACrC,OAAO,EAAE,CAAC;KACX,CAAA;IACD,MAAM,UAAU,GAAW;QACzB,GAAG,MAAM;QACT,OAAO,EAAE,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE;KACvD,CAAA;IACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAA;AACpG,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,cAAc,CAC5B,QAA+B,EAC/B,SAA6B;IAE7B,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAA;IACzC,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,QAAQ,CAAC,KAAK,SAAS,CAAC,CAAA;AAC9E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAc,EACd,GAAW;IAEX,MAAM,IAAI,GAAiC,EAAE,CAAA;IAC7C,IAAI,OAAO,GAAG,KAAK,CAAA;IACnB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3D,IAAI,KAAK,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC,IAAI,CAAC,GAAG,KAAK,CAAA;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAA;QAChB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AACvG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,UAA8B;IAC5D,OAAO,UAAU,KAAK,KAAK,IAAI,UAAU,KAAK,KAAK,CAAA;AACrD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc,EAAE,QAAiB;IACjF,IAAI,MAAM,CAAC,WAAW,KAAK,OAAO;QAAE,OAAO,KAAK,CAAA;IAChD,IAAI,MAAM,CAAC,WAAW,KAAK,aAAa;QAAE,OAAO,IAAI,CAAA;IACrD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACzB,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClG,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/policy/pairing.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Pairing codes — the short secret a new sender must echo back through the
+ * access skill before the channel will trust them. Ported verbatim from
+ * claudemux.
+ */
+/** A pairing code is this many random bytes, rendered as lowercase hex. */
+export declare const PAIRING_CODE_BYTES = 3;
+/** Resulting code length in characters (two hex digits per byte). */
+export declare const PAIRING_CODE_LENGTH: number;
+/** Generate a fresh, cryptographically-random pairing code. */
+export declare function generatePairingCode(): string;
+//# sourceMappingURL=pairing.d.ts.map

package/dist/policy/pairing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing.d.ts","sourceRoot":"","sources":["../../src/policy/pairing.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB,IAAI,CAAA;AACnC,qEAAqE;AACrE,eAAO,MAAM,mBAAmB,QAAyB,CAAA;AAEzD,+DAA+D;AAC/D,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C"}

package/dist/policy/pairing.js

@@ -0,0 +1,15 @@
+/**
+ * Pairing codes — the short secret a new sender must echo back through the
+ * access skill before the channel will trust them. Ported verbatim from
+ * claudemux.
+ */
+import { randomBytes } from 'node:crypto';
+/** A pairing code is this many random bytes, rendered as lowercase hex. */
+export const PAIRING_CODE_BYTES = 3;
+/** Resulting code length in characters (two hex digits per byte). */
+export const PAIRING_CODE_LENGTH = PAIRING_CODE_BYTES * 2;
+/** Generate a fresh, cryptographically-random pairing code. */
+export function generatePairingCode() {
+    return randomBytes(PAIRING_CODE_BYTES).toString('hex');
+}
+//# sourceMappingURL=pairing.js.map

package/dist/policy/pairing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pairing.js","sourceRoot":"","sources":["../../src/policy/pairing.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAEzC,2EAA2E;AAC3E,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAA;AACnC,qEAAqE;AACrE,MAAM,CAAC,MAAM,mBAAmB,GAAG,kBAAkB,GAAG,CAAC,CAAA;AAEzD,+DAA+D;AAC/D,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,CAAC,kBAAkB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxD,CAAC"}