@forwardimpact/libbridge 0.1.12 → 0.1.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libbridge",
-  "version": "0.1.12",
+  "version": "0.1.14",
   "description": "Threaded-channel bridge primitives — relay messages between human channels (GitHub Discussions, Microsoft Teams) and the Kata agent team.",
   "keywords": [
     "bridge",

package/src/callback-registry.js

@@ -1,6 +1,7 @@
 import { randomUUID } from "node:crypto";
 
 const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
+const DEFAULT_SWEEP_INTERVAL_MS = 10 * 60 * 1000;
 
 /**
  * In-memory registry of pending bridge → workflow callbacks. Hosts persist
@@ -17,6 +18,7 @@ export class CallbackRegistry {
   #ttlMs;
   #clock;
   #entries = new Map();
+  #sweepTimer = null;
 
   /**
    * @param {object} [options]
@@ -56,8 +58,20 @@ export class CallbackRegistry {
   }
 
   /**
-   * Atomic lookup + delete. Returns null when the token is unknown or when
-   * the supplied `tenant_id` does not match the stored binding.
+   * Whether an entry's TTL has elapsed; expired entries are dropped at the
+   * lookup that observes them so a stale token stops being a credential
+   * even when no sweep has run yet.
+   * @param {{createdAt: number}} entry
+   * @param {number} now
+   * @returns {boolean}
+   */
+  #expired(entry, now) {
+    return now - entry.createdAt > this.#ttlMs;
+  }
+
+  /**
+   * Atomic lookup + delete. Returns null when the token is unknown, expired,
+   * or when the supplied `tenant_id` does not match the stored binding.
    * @param {string} token
    * @param {{tenant_id: string}} bind
    * @returns {{correlationId: string, meta: object, createdAt: number} | null}
@@ -68,6 +82,10 @@ export class CallbackRegistry {
     }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (this.#expired(entry, this.#clock.now())) {
+      this.#entries.delete(token);
+      return null;
+    }
     if (entry.meta.tenant_id !== bind.tenant_id) return null;
     this.#entries.delete(token);
     return entry;
@@ -87,10 +105,37 @@ export class CallbackRegistry {
     }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (this.#expired(entry, this.#clock.now())) {
+      this.#entries.delete(token);
+      return null;
+    }
     if (entry.meta.tenant_id !== bind.tenant_id) return null;
     return { ...entry };
   }
 
+  /**
+   * Return the bound `tenant_id` for any active token whose correlationId
+   * matches; null if no active token binds the correlation. The inbox
+   * route uses this to verify a path-supplied tenant against the binding
+   * the dispatcher recorded. Single-pass scan of the entries map; the
+   * registry is one entry per in-flight dispatch per bridge process.
+   * @param {string} correlationId
+   * @returns {string | null}
+   */
+  tenantOf(correlationId) {
+    if (typeof correlationId !== "string" || !correlationId) return null;
+    const now = this.#clock.now();
+    for (const [token, entry] of this.#entries) {
+      if (entry.correlationId !== correlationId) continue;
+      if (this.#expired(entry, now)) {
+        this.#entries.delete(token);
+        continue;
+      }
+      return entry.meta.tenant_id;
+    }
+    return null;
+  }
+
   /**
    * Drop entries older than ttlMs. Caller drives the clock so tests stay
    * deterministic.
@@ -100,11 +145,32 @@ export class CallbackRegistry {
   sweep(now = this.#clock.now()) {
     let evicted = 0;
     for (const [token, entry] of this.#entries) {
-      if (now - entry.createdAt > this.#ttlMs) {
+      if (this.#expired(entry, now)) {
         this.#entries.delete(token);
         evicted++;
       }
     }
     return evicted;
   }
+
+  /**
+   * Start the periodic sweep so tokens whose dispatch never calls back are
+   * reclaimed instead of accumulating for the life of the process. Idempotent;
+   * the handle is unref'd so it never holds the process open.
+   * @param {number} [intervalMs]
+   */
+  startSweepTimer(intervalMs = DEFAULT_SWEEP_INTERVAL_MS) {
+    if (this.#sweepTimer) return;
+    this.#sweepTimer = this.#clock.setInterval(() => this.sweep(), intervalMs);
+    this.#sweepTimer.unref?.();
+  }
+
+  /**
+   * Stop the periodic sweep. Safe to call when no timer is running.
+   */
+  stopSweepTimer() {
+    if (!this.#sweepTimer) return;
+    this.#clock.clearInterval(this.#sweepTimer);
+    this.#sweepTimer = null;
+  }
 }

package/src/dispatcher.js

@@ -113,7 +113,7 @@ export class Dispatcher {
     ctx.pending_callbacks[token] = correlationId;
     ctx.active_requester = requester;
     const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${tenant_id}/${token}`;
-    const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${correlationId}?tenant_id=${encodeURIComponent(tenant_id)}`;
+    const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${tenant_id}/${correlationId}`;
 
     // The workflow_dispatch targets the resolved tenant's repository when the
     // resolver supplies one (multi-tenant); otherwise the static configured

package/src/inbox-handler.js

@@ -4,9 +4,16 @@ import { bridge } from "@forwardimpact/libtype";
  * Long-poll handler for the per-correlation inbox. The run's InboxPoller
  * fetches injected messages via this endpoint.
  *
+ * The handler verifies the path `tenant_id` against the tenant bound to
+ * the `correlationId` in `callbacks` (the `CallbackRegistry`) before
+ * entering the poll loop. Unknown or mismatched correlations return
+ * `404 {error: "Unknown correlation"}` — the same shape the sister
+ * callback route emits for an unknown token (`callback-handler.js:100`).
+ *
  * @param {object} deps
  * @param {object} deps.client - Bridge gRPC client with DrainInbox
  * @param {object} deps.logger
+ * @param {import("./callback-registry.js").CallbackRegistry} deps.callbacks
  * @param {number} [deps.pollTimeoutMs] - Max wait before returning empty (default 30s)
  * @param {number} [deps.pollIntervalMs] - Poll interval (default 1s)
  * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [deps.clock]
@@ -15,23 +22,22 @@ import { bridge } from "@forwardimpact/libtype";
 export function createInboxHandler({
   client,
   logger,
+  callbacks,
   pollTimeoutMs = 30_000,
   pollIntervalMs = 1_000,
   clock,
 }) {
   if (!clock) throw new Error("clock is required");
+  if (!callbacks) throw new Error("callbacks is required");
   return async (c) => {
+    const tenant_id = c.req.param("tenant_id");
     const correlationId = c.req.param("correlationId");
-    const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);
-    // The dispatcher embeds the resolved tenant on the inbox URL it hands the
-    // run (single-tenant binds the literal `default`). `services/bridge`
-    // rejects a `DrainInbox` without a `tenant_id`, so a poll that omits it is
-    // a caller error: fail fast rather than leaking a cross-tenant queue.
-    const tenant_id = c.req.query("tenant_id");
-    if (!tenant_id) {
-      logger.error?.("inbox", "missing tenant_id");
-      return c.json({ error: "tenant_id required" }, 400);
+    const bound = callbacks.tenantOf(correlationId);
+    if (!bound || bound !== tenant_id) {
+      logger.debug?.("inbox", "unknown correlation");
+      return c.json({ error: "Unknown correlation" }, 404);
     }
+    const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);
     const deadline = clock.now() + pollTimeoutMs;
 
     while (clock.now() < deadline) {

package/src/server.js

@@ -98,7 +98,7 @@ export function createBridgeServer({
       }
 
       if (onInbox) {
-        app.get("/api/inbox/:correlationId", async (c) => {
+        app.get("/api/inbox/:tenant_id/:correlationId", async (c) => {
           try {
             return await onInbox(c);
           } catch (err) {