@forwardimpact/libbridge 0.1.6 → 0.1.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libbridge",
-  "version": "0.1.6",
+  "version": "0.1.9",
   "description": "Threaded-channel bridge primitives — relay messages between human channels (GitHub Discussions, Microsoft Teams) and the Kata agent team.",
   "keywords": [
     "bridge",
@@ -40,9 +40,9 @@
     "test": "bun test test/*.test.js"
   },
   "dependencies": {
+    "@forwardimpact/libhttp": "^0.1.0",
     "@forwardimpact/libtype": "^0.1.0",
-    "@hono/node-server": "^2.0.4",
-    "hono": "^4.12.23"
+    "@forwardimpact/libutil": "^0.1.84"
   },
   "devDependencies": {
     "@forwardimpact/libmock": "^0.1.0"

package/src/callback-handler.js

@@ -1,3 +1,5 @@
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 import { validateCallbackPayload } from "./callback-payload.js";
 
 /**
@@ -44,6 +46,7 @@ export class CallbackHandlerError extends Error {
  * @param {(meta: object) => string} options.loadDiscussionId
  * @param {(meta: object) => unknown} [options.ackFinishTarget]
  * @param {(ctx: object, payload: object, meta: object) => Promise<void>} options.handleReply
+ * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
  * @returns {(c: object) => Promise<Response>}
  */
 export function createCallbackHandler({
@@ -57,6 +60,7 @@ export function createCallbackHandler({
   loadDiscussionId,
   ackFinishTarget,
   handleReply,
+  clock = createDefaultClock(),
 }) {
   if (!channel) throw new Error("channel is required");
   if (!callbacks) throw new Error("callbacks is required");
@@ -72,20 +76,70 @@ export function createCallbackHandler({
     throw new Error("handleReply is required");
   }
 
+  // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: session-aware callback handler branches on kind
   return async (c) => {
-    const prelude = await resolveContext(c, {
-      callbacks,
-      ack,
-      store,
-      channel,
-      logger,
-      loadDiscussionId,
-      ackFinishTarget,
-    });
-    if (prelude.error) return c.json({ error: prelude.error }, prelude.status);
+    let body;
+    try {
+      body = await c.req.json();
+    } catch {
+      return c.json({ error: "Invalid JSON" }, 400);
+    }
+    const payload = validateCallbackPayload(body);
+    if (!payload) return c.json({ error: "Invalid payload" }, 400);
+
+    const token = c.req.param("token");
+    const tenant_id = c.req.param("tenant_id");
+    if (!tenant_id) {
+      return c.json({ error: "Unknown callback token" }, 404);
+    }
+    const isTerminal = payload.kind === "terminal";
+    const meta = isTerminal
+      ? callbacks.consume(token, { tenant_id })
+      : callbacks.peek(token, { tenant_id });
+    if (!meta) {
+      logger.debug?.("callback", "unknown token");
+      return c.json({ error: "Unknown callback token" }, 404);
+    }
+
+    if (isTerminal) {
+      await ack.finish(
+        token,
+        ackFinishTarget ? ackFinishTarget(meta) : undefined,
+      );
+    }
+    if (payload.correlation_id !== meta.correlationId) {
+      return c.json({ error: "Correlation ID mismatch" }, 400);
+    }
+
+    const discussionId = loadDiscussionId(meta);
+    const ctx = await store.loadByChannel(channel, discussionId);
+    if (!ctx) {
+      logger.error?.("callback", "context missing", {
+        discussion_id: discussionId,
+      });
+      return c.json({ error: "Discussion context missing" }, 410);
+    }
+
+    if (
+      !isTerminal &&
+      payload.seq >= 0 &&
+      payload.seq <= (ctx.last_posted_seq ?? -1)
+    ) {
+      return c.json({ ok: true, dedupe: true }, 200);
+    }
+
+    if (!isTerminal) {
+      payload.replies = payload.body
+        ? [{ body: payload.body, agent: payload.agent }]
+        : [];
+      payload.verdict = null;
+    }
+
+    if (isTerminal) {
+      delete ctx.pending_callbacks[token];
+      ctx.active_requester = null;
+    }
 
-    const { token, ctx, meta, payload } = prelude;
-    delete ctx.pending_callbacks[token];
     return runHandleReply(c, {
       ctx,
       meta,
@@ -95,45 +149,16 @@ export function createCallbackHandler({
       logger,
       tracer,
       spanName,
+      clock,
+      postReply() {
+        if (!isTerminal) {
+          ctx.last_posted_seq = payload.seq;
+        }
+      },
     });
   };
 }
 
-async function resolveContext(
-  c,
-  { callbacks, ack, store, channel, logger, loadDiscussionId, ackFinishTarget },
-) {
-  const token = c.req.param("token");
-  const meta = callbacks.consume(token);
-  if (!meta) {
-    logger.debug?.("callback", "unknown token");
-    return { status: 404, error: "Unknown callback token" };
-  }
-  await ack.finish(token, ackFinishTarget ? ackFinishTarget(meta) : undefined);
-
-  let body;
-  try {
-    body = await c.req.json();
-  } catch {
-    return { status: 400, error: "Invalid JSON" };
-  }
-  const payload = validateCallbackPayload(body);
-  if (!payload) return { status: 400, error: "Invalid payload" };
-  if (payload.correlation_id !== meta.correlationId) {
-    return { status: 400, error: "Correlation ID mismatch" };
-  }
-
-  const discussionId = loadDiscussionId(meta);
-  const ctx = await store.loadByChannel(channel, discussionId);
-  if (!ctx) {
-    logger.error?.("callback", "context missing", {
-      discussion_id: discussionId,
-    });
-    return { status: 410, error: "Discussion context missing" };
-  }
-  return { token, ctx, meta, payload };
-}
-
 const STATUS_MESSAGES = {
   400: "Bad request",
   404: "Not found",
@@ -149,7 +174,18 @@ function sanitizeErrorMessage(status) {
 
 async function runHandleReply(
   c,
-  { ctx, meta, payload, handleReply, store, logger, tracer, spanName },
+  {
+    ctx,
+    meta,
+    payload,
+    handleReply,
+    store,
+    logger,
+    tracer,
+    spanName,
+    clock,
+    postReply,
+  },
 ) {
   const span = tracer.startSpan(spanName, {
     kind: "SERVER",
@@ -157,7 +193,8 @@ async function runHandleReply(
   });
   try {
     await handleReply(ctx, payload, meta);
-    ctx.last_active_at = Date.now();
+    if (postReply) postReply();
+    ctx.last_active_at = clock.now();
     await store.add(ctx);
     await store.flush();
     span.addEvent("reply_delivered", { verdict: payload.verdict });

package/src/callback-payload.js

@@ -1,3 +1,5 @@
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 export const MAX_FIELD_LENGTH = 2000;
 export const MAX_REPLY_COUNT = 50;
 
@@ -11,6 +13,7 @@ export const MAX_REPLY_COUNT = 50;
  * @param {unknown} body
  * @returns {object | null}
  */
+// biome-ignore lint/complexity/noExcessiveCognitiveComplexity: lenient validator with per-field type checks
 export function validateCallbackPayload(body) {
   if (!body || typeof body !== "object") return null;
   const cid = body.correlation_id;
@@ -37,8 +40,22 @@ export function validateCallbackPayload(body) {
   const trigger = validateTrigger(body.trigger);
   const runUrl = typeof body.run_url === "string" ? body.run_url : undefined;
 
+  const kind = typeof body.kind === "string" ? body.kind : "terminal";
+  const seq = typeof body.seq === "number" ? body.seq : -1;
+  const eventBody =
+    typeof body.body === "string" ? body.body.slice(0, MAX_FIELD_LENGTH) : "";
+  const agent =
+    typeof body.agent === "string" ? body.agent.slice(0, MAX_FIELD_LENGTH) : "";
+  const lastActedSeq =
+    typeof body.last_acted_seq === "number" ? body.last_acted_seq : -1;
+
   return {
     correlation_id: cid,
+    kind,
+    seq,
+    body: eventBody,
+    agent,
+    last_acted_seq: lastActedSeq,
     verdict,
     summary,
     replies,
@@ -105,9 +122,15 @@ export function normalizeBaseUrl(url) {
  * @param {string} args.channel
  * @param {string} args.discussionId
  * @param {object} args.participant
+ * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [args.clock]
  * @returns {object}
  */
-export function newDiscussionContext({ channel, discussionId, participant }) {
+export function newDiscussionContext({
+  channel,
+  discussionId,
+  participant,
+  clock = createDefaultClock(),
+}) {
   return {
     id: `${channel}:${discussionId}`,
     channel,
@@ -118,6 +141,8 @@ export function newDiscussionContext({ channel, discussionId, participant }) {
     lead: "release-engineer",
     pending_callbacks: {},
     dispatches: [],
-    last_active_at: Date.now(),
+    last_active_at: clock.now(),
+    active_requester: null,
+    last_posted_seq: -1,
   };
 }

package/src/callback-registry.js

@@ -1,5 +1,7 @@
 import { randomUUID } from "node:crypto";
 
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
 
 /**
@@ -7,17 +9,25 @@ const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
  * the (token, correlationId) pairs via the discussion store so the registry
  * can be rehydrated after a restart; this class only owns the live token →
  * metadata mapping and TTL sweep.
+ *
+ * Every entry is tenant-bound. `register` requires `meta.tenant_id` (single
+ * tenant deployments pass `"default"`); `consume` and `peek` require the
+ * caller's `tenant_id` and return `null` when the stored value does not
+ * match — the same null shape callers already handle for unknown tokens.
  */
 export class CallbackRegistry {
   #ttlMs;
+  #clock;
   #entries = new Map();
 
   /**
    * @param {object} [options]
    * @param {number} [options.ttlMs] - Time-to-live in ms (default: 2h)
+   * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ ttlMs = DEFAULT_TTL_MS } = {}) {
+  constructor({ ttlMs = DEFAULT_TTL_MS, clock = createDefaultClock() } = {}) {
     this.#ttlMs = ttlMs;
+    this.#clock = clock;
   }
 
   /** @returns {number} */
@@ -27,45 +37,58 @@ export class CallbackRegistry {
 
   /**
    * @param {string} correlationId
-   * @param {object} [meta] - Caller-defined metadata stored alongside the token
+   * @param {object} meta - Caller-defined metadata; `meta.tenant_id` is required
    * @returns {string} The newly issued callback token
    */
-  register(correlationId, meta = {}) {
+  register(correlationId, meta) {
     if (typeof correlationId !== "string" || !correlationId) {
       throw new Error("correlationId is required");
     }
+    if (!meta || typeof meta.tenant_id !== "string" || !meta.tenant_id) {
+      throw new Error("meta.tenant_id is required");
+    }
     const token = randomUUID();
     this.#entries.set(token, {
       correlationId,
       meta,
-      createdAt: Date.now(),
+      createdAt: this.#clock.now(),
     });
     return token;
   }
 
   /**
-   * Atomic lookup + delete. Returns null if the token is unknown.
+   * Atomic lookup + delete. Returns null when the token is unknown or when
+   * the supplied `tenant_id` does not match the stored binding.
    * @param {string} token
+   * @param {{tenant_id: string}} bind
    * @returns {{correlationId: string, meta: object, createdAt: number} | null}
    */
-  consume(token) {
+  consume(token, bind) {
+    if (!bind || typeof bind.tenant_id !== "string" || !bind.tenant_id) {
+      throw new Error("tenant_id is required");
+    }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (entry.meta.tenant_id !== bind.tenant_id) return null;
     this.#entries.delete(token);
     return entry;
   }
 
   /**
    * Returns a shallow clone of the stored metadata for a token without
-   * consuming it. Cloning prevents callers from corrupting internal state
-   * via the returned reference; diagnostic code paths that need to read
-   * `correlationId`, `meta`, or `createdAt` work unchanged.
+   * consuming it. Returns null on unknown token or `tenant_id` mismatch —
+   * matching `consume`'s shape so callers handle one missing case.
    * @param {string} token
+   * @param {{tenant_id: string}} bind
    * @returns {{correlationId: string, meta: object, createdAt: number} | null}
    */
-  peek(token) {
+  peek(token, bind) {
+    if (!bind || typeof bind.tenant_id !== "string" || !bind.tenant_id) {
+      throw new Error("tenant_id is required");
+    }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (entry.meta.tenant_id !== bind.tenant_id) return null;
     return { ...entry };
   }
 
@@ -75,7 +98,7 @@ export class CallbackRegistry {
    * @param {number} [now]
    * @returns {number} Number of entries evicted
    */
-  sweep(now = Date.now()) {
+  sweep(now = this.#clock.now()) {
     let evicted = 0;
     for (const [token, entry] of this.#entries) {
       if (now - entry.createdAt > this.#ttlMs) {

package/src/dispatch.js

@@ -16,6 +16,7 @@
  * @param {string} params.prompt - The facilitator prompt
  * @param {string} params.callbackUrl - Where the workflow posts the reply
  * @param {string} params.correlationId - UUID linking dispatch → callback
+ * @param {string} [params.inboxUrl] - Long-poll URL for injecting messages into a live run
  * @param {string} [params.discussionId] - For trace linkage in libeval
  * @param {string} [params.resumeContext] - JSON string carried across resumes
  * @returns {Promise<void>}
@@ -28,6 +29,7 @@ export async function dispatchWorkflow({
   prompt,
   callbackUrl,
   correlationId,
+  inboxUrl,
   discussionId,
   resumeContext,
 }) {
@@ -40,6 +42,7 @@ export async function dispatchWorkflow({
     callback_url: callbackUrl,
     correlation_id: correlationId,
   };
+  if (inboxUrl !== undefined) inputs.inbox_url = inboxUrl;
   if (discussionId !== undefined) inputs.discussion_id = discussionId;
   if (resumeContext !== undefined) inputs.resume_context = resumeContext;
 

package/src/dispatcher.js

@@ -1,5 +1,7 @@
 import { randomUUID } from "node:crypto";
 
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 import { dispatchWorkflow } from "./dispatch.js";
 
 /** Dispatch dance: resolve per-user token, register callback, ack, fire workflow, flush. */
@@ -11,6 +13,8 @@ export class Dispatcher {
   #workflowFile;
   #githubRepo;
   #tokenResolver;
+  #tenantResolver;
+  #clock;
 
   /**
    * @param {object} options
@@ -21,6 +25,8 @@ export class Dispatcher {
    * @param {string} options.workflowFile
    * @param {string} options.githubRepo
    * @param {import("./token-resolver.js").TokenResolver} options.tokenResolver
+   * @param {import("./tenant-resolver.js").TenantResolver} options.tenantResolver
+   * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
   constructor({
     callbacks,
@@ -30,6 +36,8 @@ export class Dispatcher {
     workflowFile,
     githubRepo,
     tokenResolver,
+    tenantResolver,
+    clock = createDefaultClock(),
   }) {
     if (!callbacks) throw new Error("callbacks is required");
     if (!ack) throw new Error("ack is required");
@@ -40,6 +48,7 @@ export class Dispatcher {
     if (!workflowFile) throw new Error("workflowFile is required");
     if (!githubRepo) throw new Error("githubRepo is required");
     if (!tokenResolver) throw new Error("tokenResolver is required");
+    if (!tenantResolver) throw new Error("tenantResolver is required");
     this.#callbacks = callbacks;
     this.#ack = ack;
     this.#store = store;
@@ -47,6 +56,8 @@ export class Dispatcher {
     this.#workflowFile = workflowFile;
     this.#githubRepo = githubRepo;
     this.#tokenResolver = tokenResolver;
+    this.#tenantResolver = tenantResolver;
+    this.#clock = clock;
   }
 
   /**
@@ -74,11 +85,22 @@ export class Dispatcher {
     const auth = await this.#tokenResolver.resolve(ctx.channel, requester);
     if (auth.kind !== "token") return auth;
 
+    const tenant = await this.#tenantResolver.resolve({
+      channel: ctx.channel,
+      key: ctx.channel_tenant_key,
+    });
+    if (!tenant) {
+      return { kind: "transient", error: new Error("tenant_unresolved") };
+    }
+    const tenant_id = tenant.tenant_id;
+
     const correlationId = randomUUID();
-    const mergedMeta = { ...(callbackMeta ?? {}), requester };
+    const mergedMeta = { ...(callbackMeta ?? {}), requester, tenant_id };
     const token = this.#callbacks.register(correlationId, mergedMeta);
     ctx.pending_callbacks[token] = correlationId;
-    const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${token}`;
+    ctx.active_requester = requester;
+    const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${tenant_id}/${token}`;
+    const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${correlationId}`;
 
     if (ackTarget !== undefined) await this.#ack.start(token, ackTarget);
     try {
@@ -89,17 +111,19 @@ export class Dispatcher {
         prompt,
         callbackUrl,
         correlationId,
+        inboxUrl,
         ...(workflowInputs ?? {}),
       });
-      ctx.dispatches.push(Date.now());
-      ctx.last_active_at = Date.now();
+      ctx.dispatches.push(this.#clock.now());
+      ctx.last_active_at = this.#clock.now();
       await this.#store.add(ctx);
       await this.#store.flush();
       return { kind: "dispatched", token, correlationId };
     } catch (err) {
       if (ackTarget !== undefined) await this.#ack.finish(token, ackTarget);
-      this.#callbacks.consume(token);
+      this.#callbacks.consume(token, { tenant_id });
       delete ctx.pending_callbacks[token];
+      ctx.active_requester = null;
       throw err;
     }
   }

package/src/elapsed-scheduler.js

@@ -1,3 +1,5 @@
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 const CHUNK_CAP_MS = 7 * 24 * 60 * 60 * 1000;
 
 /**
@@ -12,16 +14,19 @@ export class ElapsedScheduler {
   #timers = new Map();
   #onFire;
   #onError;
+  #clock;
 
   /**
    * @param {object} options
    * @param {(correlationId: string) => Promise<void>} options.onFire - Invoked when the deadline passes.
    * @param {(err: Error, correlationId: string) => void} [options.onError] - Invoked when `onFire` rejects.
+   * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ onFire, onError = () => {} }) {
+  constructor({ onFire, onError = () => {}, clock = createDefaultClock() }) {
     if (typeof onFire !== "function") throw new Error("onFire is required");
     this.#onFire = onFire;
     this.#onError = onError;
+    this.#clock = clock;
   }
 
   /** @returns {number} */
@@ -38,13 +43,13 @@ export class ElapsedScheduler {
    */
   schedule(correlationId, dueAt) {
     this.cancel(correlationId);
-    const remaining = dueAt - Date.now();
+    const remaining = dueAt - this.#clock.now();
     if (remaining <= 0) {
       this.#fire(correlationId);
       return;
     }
     const delay = Math.min(remaining, CHUNK_CAP_MS);
-    const timer = setTimeout(() => {
+    const timer = this.#clock.setTimeout(() => {
       this.#timers.delete(correlationId);
       if (remaining > CHUNK_CAP_MS) {
         this.schedule(correlationId, dueAt);
@@ -63,14 +68,14 @@ export class ElapsedScheduler {
   cancel(correlationId) {
     const timer = this.#timers.get(correlationId);
     if (timer) {
-      clearTimeout(timer);
+      this.#clock.clearTimeout(timer);
       this.#timers.delete(correlationId);
     }
   }
 
   /** Cancel every scheduled timer. */
   clear() {
-    for (const timer of this.#timers.values()) clearTimeout(timer);
+    for (const timer of this.#timers.values()) this.#clock.clearTimeout(timer);
     this.#timers.clear();
   }
 

package/src/inbox-handler.js

@@ -0,0 +1,47 @@
+import { bridge } from "@forwardimpact/libtype";
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
+/**
+ * Long-poll handler for the per-correlation inbox. The run's InboxPoller
+ * fetches injected messages via this endpoint.
+ *
+ * @param {object} deps
+ * @param {object} deps.client - Bridge gRPC client with DrainInbox
+ * @param {object} deps.logger
+ * @param {number} [deps.pollTimeoutMs] - Max wait before returning empty (default 30s)
+ * @param {number} [deps.pollIntervalMs] - Poll interval (default 1s)
+ * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [deps.clock]
+ * @returns {(c: import("hono").Context) => Promise<Response>}
+ */
+export function createInboxHandler({
+  client,
+  logger,
+  pollTimeoutMs = 30_000,
+  pollIntervalMs = 1_000,
+  clock = createDefaultClock(),
+}) {
+  return async (c) => {
+    const correlationId = c.req.param("correlationId");
+    const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);
+    const deadline = clock.now() + pollTimeoutMs;
+
+    while (clock.now() < deadline) {
+      try {
+        const result = await client.DrainInbox(
+          bridge.DrainInboxRequest.fromObject({
+            correlation_id: correlationId,
+            since_seq: sinceSeq,
+          }),
+        );
+        if (result.messages?.length > 0) {
+          return c.json({ messages: result.messages });
+        }
+      } catch (err) {
+        logger.error?.("inbox", err);
+        return c.json({ error: "Inbox failure" }, 500);
+      }
+      await clock.sleep(pollIntervalMs);
+    }
+    return c.json({ messages: [] });
+  };
+}

package/src/index.js

@@ -34,6 +34,10 @@ export {
   DEFAULT_TYPING_VERBS,
 } from "./acknowledgement.js";
 export { Dispatcher } from "./dispatcher.js";
+export {
+  DefaultTenantResolver,
+  RegistryTenantResolver,
+} from "./tenant-resolver.js";
 export { TokenResolver } from "./token-resolver.js";
 export {
   CallbackHandlerError,
@@ -50,3 +54,4 @@ export {
 } from "./callback-payload.js";
 export { evaluateTrigger, parseIsoDuration } from "./triggers.js";
 export { prepareLinkResume, createLinkCompleteHandler } from "./link-resume.js";
+export { createInboxHandler } from "./inbox-handler.js";

package/src/rate-limit.js

@@ -1,3 +1,5 @@
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 /**
  * Sliding-window rate limiter. Operates on a caller-owned `dispatches: number[]`
  * array of timestamps and returns a structured result so callers can both
@@ -6,15 +8,22 @@
 export class RateLimiter {
   #windowMs;
   #max;
+  #clock;
 
   /**
    * @param {object} [options]
    * @param {number} [options.windowMs] - Sliding window length in ms (default: 60_000)
    * @param {number} [options.max] - Max dispatches allowed in the window (default: 5)
+   * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ windowMs = 60_000, max = 5 } = {}) {
+  constructor({
+    windowMs = 60_000,
+    max = 5,
+    clock = createDefaultClock(),
+  } = {}) {
     this.#windowMs = windowMs;
     this.#max = max;
+    this.#clock = clock;
   }
 
   /**
@@ -29,7 +38,7 @@ export class RateLimiter {
     if (!Array.isArray(dispatches)) {
       throw new Error("dispatches must be an array");
     }
-    const now = Date.now();
+    const now = this.#clock.now();
     const cutoff = now - this.#windowMs;
     let i = 0;
     while (i < dispatches.length && dispatches[i] < cutoff) i++;

package/src/resume-scheduler.js

@@ -1,3 +1,5 @@
+import { createDefaultClock } from "@forwardimpact/libutil/runtime";
+
 import { ElapsedScheduler } from "./elapsed-scheduler.js";
 import { evaluateTrigger, parseIsoDuration } from "./triggers.js";
 
@@ -13,6 +15,7 @@ export class ResumeScheduler {
   #buildResumeInputs;
   #buildCallbackMeta;
   #onDeclined;
+  #clock;
 
   /**
    * @param {object} options
@@ -23,6 +26,7 @@ export class ResumeScheduler {
    * @param {(ctx: object) => object} [options.buildCallbackMeta]
    * @param {(ctx: object) => object} [options.buildResumeInputs]
    * @param {((ctx: object, outcome: object) => Promise<void>) | null} [options.onDeclined]
+   * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
   constructor({
     dispatcher,
@@ -32,6 +36,7 @@ export class ResumeScheduler {
     buildCallbackMeta = (ctx) => ({ discussionId: ctx.discussion_id }),
     buildResumeInputs = () => ({}),
     onDeclined = null,
+    clock = createDefaultClock(),
   }) {
     if (!dispatcher) throw new Error("dispatcher is required");
     if (!store) throw new Error("store is required");
@@ -51,12 +56,14 @@ export class ResumeScheduler {
     this.#buildCallbackMeta = buildCallbackMeta;
     this.#buildResumeInputs = buildResumeInputs;
     this.#onDeclined = onDeclined;
+    this.#clock = clock;
     this.#elapsed = new ElapsedScheduler({
       onFire: (cid) => this.#fireElapsed(cid),
       onError: (err, cid) =>
         this.#logger?.error?.("resume.elapsed", err, {
           correlation_id: cid,
         }),
+      clock,
     });
   }
 
@@ -81,7 +88,7 @@ export class ResumeScheduler {
    */
   enterRecess(ctx, correlationId, trigger, requester) {
     if (!trigger) return;
-    const openedAt = Date.now();
+    const openedAt = this.#clock.now();
     ctx.open_rfcs[correlationId] = {
       trigger,
       opened_at: openedAt,
@@ -157,7 +164,7 @@ export class ResumeScheduler {
         replies: ctx.history.length - rfc.history_index_at_open,
         opened_at: rfc.opened_at,
       };
-      if (evaluateTrigger(trigger, observed, Date.now()).fired) {
+      if (evaluateTrigger(trigger, observed, this.#clock.now()).fired) {
         fired.push({ correlationId, rfc });
       }
     }
@@ -207,7 +214,7 @@ export class ResumeScheduler {
     const result = await this.#redispatch(ctx, correlationId, historySince);
     if (result.kind === "dispatched") {
       this.cancelRecess(ctx, correlationId);
-      ctx.last_active_at = Date.now();
+      ctx.last_active_at = this.#clock.now();
       await this.#store.add(ctx);
       await this.#store.flush();
     }

package/src/server.js

@@ -1,13 +1,13 @@
-import { Hono } from "hono";
-import { bodyLimit } from "hono/body-limit";
-import { serve } from "@hono/node-server";
+import { createHttpService } from "@forwardimpact/libhttp";
 
 /**
  * Create the channel-agnostic HTTP server that bridges (ghbridge, msbridge)
  * share. The server mounts two routes:
  *   - `OPTIONS|POST <webhookPath>` — channel-specific intake. The raw POST
  *     body is captured on `c.get("rawBody")` for signature verification.
- *   - `POST /api/callback/:token` — workflow → bridge reply intake.
+ *   - `POST /api/callback/:tenant_id/:token` — workflow → bridge reply
+ *     intake. Single-tenant deployments hit the same route with the literal
+ *     `default` segment; multi-tenant deployments with the resolved tenant.
  *
  * Handlers receive Hono's context `c` (matching the monorepo standard) and
  * return a `Response` (or use `c.json` / `c.text` / `c.body`). The caller
@@ -24,16 +24,18 @@ import { serve } from "@hono/node-server";
  * @param {(c: import("hono").Context) => Promise<Response> | Response} options.onWebhook
  * @param {(c: import("hono").Context) => Promise<Response> | Response} options.onCallback
  * @param {((c: import("hono").Context) => Promise<Response> | Response)} [options.onLinkComplete]
+ * @param {(c: import("hono").Context) => Promise<Response> | Response} [options.onInbox] - Long-poll inbox handler
  * @returns {{ start: () => Promise<void>, stop: () => Promise<void>, app: import("hono").Hono, address: () => ({port: number} | null) }}
  */
 export function createBridgeServer({
   config,
   logger,
-  tracer: _tracer,
+  tracer,
   webhookPath,
   onWebhook,
   onCallback,
   onLinkComplete,
+  onInbox,
 }) {
   if (!config) throw new Error("config is required");
   if (!logger) throw new Error("logger is required");
@@ -45,86 +47,66 @@ export function createBridgeServer({
     throw new Error("onCallback is required");
   }
 
-  const app = new Hono();
-
-  // Security headers — standard hardening for a backend service.
-  app.use("*", async (c, next) => {
-    await next();
-    c.header("X-Content-Type-Options", "nosniff");
-    c.header("X-Frame-Options", "DENY");
-    c.header("Cache-Control", "no-store");
-  });
-
-  // Request body size limit — 1 MB is generous for JSON callback payloads.
-  app.use("*", bodyLimit({ maxSize: 1024 * 1024 }));
-
-  // Capture the raw POST body once, before downstream handlers parse it.
-  // Channel adapters use this buffer to verify HMAC signatures.
-  app.use("*", async (c, next) => {
-    if (c.req.method === "POST") {
-      const buf = Buffer.from(await c.req.raw.clone().arrayBuffer());
-      c.set("rawBody", buf);
-    }
-    await next();
-  });
+  // Lifecycle, security headers, body limit, and the health route are owned by
+  // `@forwardimpact/libhttp`. This factory only mounts the bridge routes (and
+  // the raw-body capture they depend on) through the `configure` callback.
+  return createHttpService({
+    name: "bridge",
+    config,
+    logger,
+    tracer,
+    configure(app) {
+      // Capture the raw POST body once, before downstream handlers parse it.
+      // Channel adapters use this buffer to verify HMAC signatures.
+      app.use("*", async (c, next) => {
+        if (c.req.method === "POST") {
+          const buf = Buffer.from(await c.req.raw.clone().arrayBuffer());
+          c.set("rawBody", buf);
+        }
+        await next();
+      });
 
-  app.options(webhookPath, (c) => c.body(null, 200));
+      app.options(webhookPath, (c) => c.body(null, 200));
 
-  app.post(webhookPath, async (c) => {
-    try {
-      return await onWebhook(c);
-    } catch (err) {
-      logger.error("bridge.webhook", err);
-      return c.json({ error: "Webhook failure" }, 500);
-    }
-  });
+      app.post(webhookPath, async (c) => {
+        try {
+          return await onWebhook(c);
+        } catch (err) {
+          logger.error("bridge.webhook", err);
+          return c.json({ error: "Webhook failure" }, 500);
+        }
+      });
 
-  app.post("/api/callback/:token", async (c) => {
-    try {
-      return await onCallback(c);
-    } catch (err) {
-      logger.error("bridge.callback", err);
-      return c.json({ error: "Callback failure" }, 500);
-    }
-  });
+      app.post("/api/callback/:tenant_id/:token", async (c) => {
+        try {
+          return await onCallback(c);
+        } catch (err) {
+          logger.error("bridge.callback", err);
+          return c.json({ error: "Callback failure" }, 500);
+        }
+      });
 
-  if (onLinkComplete) {
-    app.get("/api/link-complete", async (c) => {
-      try {
-        return await onLinkComplete(c);
-      } catch (err) {
-        logger.error("bridge.link-complete", err);
-        return c.json({ error: "Link completion failure" }, 500);
+      if (onLinkComplete) {
+        app.get("/api/link-complete", async (c) => {
+          try {
+            return await onLinkComplete(c);
+          } catch (err) {
+            logger.error("bridge.link-complete", err);
+            return c.json({ error: "Link completion failure" }, 500);
+          }
+        });
       }
-    });
-  }
 
-  let server = null;
-
-  return {
-    app,
-    address() {
-      if (!server || typeof server.address !== "function") return null;
-      const addr = server.address();
-      if (!addr || typeof addr === "string") return null;
-      return { port: addr.port };
-    },
-    async start() {
-      const { host, port } = config;
-      await new Promise((resolve) => {
-        server = serve({ fetch: app.fetch, port, hostname: host }, (info) => {
-          logger.info("bridge.server", "listening", {
-            host,
-            port: info?.port ?? port,
-          });
-          resolve();
+      if (onInbox) {
+        app.get("/api/inbox/:correlationId", async (c) => {
+          try {
+            return await onInbox(c);
+          } catch (err) {
+            logger.error("bridge.inbox", err);
+            return c.json({ error: "Inbox failure" }, 500);
+          }
         });
-      });
-    },
-    async stop() {
-      if (!server) return;
-      await new Promise((resolve) => server.close(() => resolve()));
-      server = null;
+      }
     },
-  };
+  });
 }

package/src/tenant-resolver.js

@@ -0,0 +1,102 @@
+/**
+ * Channel-agnostic tenant resolution.
+ *
+ * Bridges supply a resolver to libbridge primitives (`Dispatcher`,
+ * `CallbackRegistry`, callback handlers). The two implementations share a
+ * duck-typed surface — `resolve`, `resolveByRepo`, `resolveByTenantId` —
+ * so libbridge depends on the shape, not the implementation.
+ *
+ * @typedef {object} Tenant
+ * @property {string} tenant_id
+ * @property {string} channel
+ * @property {string} channel_tenant_key
+ * @property {{owner: string, name: string}} [repo]
+ * @property {"pending_consent" | "active" | "revoked"} state
+ *
+ * @typedef {object} TenantResolver
+ * @property {(key: {channel: string, key: string}) => Promise<Tenant | null>} resolve
+ * @property {(repo: {owner: string, name: string}) => Promise<Tenant | null>} resolveByRepo
+ * @property {(key: {tenant_id: string}) => Promise<Tenant | null>} resolveByTenantId
+ */
+
+/**
+ * Single-tenant resolver. Returns one fixed `default` tenant for every
+ * resolution call. Used in single-tenant deployments where the bridge does
+ * not reach `services/tenancy`.
+ */
+export class DefaultTenantResolver {
+  #default;
+
+  /**
+   * @param {object} options
+   * @param {string} options.channel
+   * @param {string} [options.channel_tenant_key]
+   * @param {{owner: string, name: string}} [options.repo]
+   */
+  constructor({ channel, channel_tenant_key = "default", repo }) {
+    if (!channel) throw new Error("channel is required");
+    this.#default = {
+      tenant_id: "default",
+      channel,
+      channel_tenant_key,
+      repo,
+      state: "active",
+    };
+  }
+
+  /** @returns {Promise<Tenant>} */
+  async resolve(_key) {
+    return this.#default;
+  }
+
+  /** @returns {Promise<Tenant>} */
+  async resolveByRepo(_repo) {
+    return this.#default;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByTenantId({ tenant_id }) {
+    return tenant_id === "default" ? this.#default : null;
+  }
+}
+
+/**
+ * Multi-tenant resolver. Wraps a `services/tenancy` gRPC client; returns
+ * only `active` tenants from `resolve` and `resolveByRepo` (callers must
+ * treat a `null` return as "no active tenant"). `resolveByTenantId` returns
+ * the registry row regardless of state so callback verification can compare
+ * the URL's tenant id against any known tenant.
+ */
+export class RegistryTenantResolver {
+  #client;
+
+  /**
+   * @param {object} options
+   * @param {{
+   *   ResolveByChannelKey: (req: {channel: string, key: string}) => Promise<Tenant | null>,
+   *   ResolveByRepo: (req: {owner: string, name: string}) => Promise<Tenant | null>,
+   *   ResolveByTenantId: (req: {tenant_id: string}) => Promise<Tenant | null>,
+   * }} options.client - Duck-typed tenancy client (typed at construction)
+   */
+  constructor({ client }) {
+    if (!client) throw new Error("client is required");
+    this.#client = client;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolve({ channel, key }) {
+    const t = await this.#client.ResolveByChannelKey({ channel, key });
+    return t?.state === "active" ? t : null;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByRepo({ owner, name }) {
+    const t = await this.#client.ResolveByRepo({ owner, name });
+    return t?.state === "active" ? t : null;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByTenantId({ tenant_id }) {
+    return this.#client.ResolveByTenantId({ tenant_id });
+  }
+}

package/src/token-resolver.js

@@ -1,19 +1,19 @@
-import { ghauth } from "@forwardimpact/libtype";
+import { ghuser } from "@forwardimpact/libtype";
 
-/** Maps ghauth GetToken oneof + gRPC transport into a discriminated DispatchAuth result. */
+/** Maps ghuser GetToken oneof + gRPC transport into a discriminated DispatchAuth result. */
 export class TokenResolver {
   #client;
 
-  /** @param {object} client - ghauth gRPC client */
+  /** @param {object} client - ghuser gRPC client */
   constructor(client) {
-    if (!client) throw new Error("ghauth client is required");
+    if (!client) throw new Error("ghuser client is required");
     this.#client = client;
   }
 
   /** @returns {Promise<{kind: string, token?: string, authorizeUrl?: string, error?: Error}>} */
   async resolve(surface, surfaceUserId) {
     try {
-      const req = new ghauth.GetTokenRequest({
+      const req = new ghuser.GetTokenRequest({
         surface,
         surface_user_id: surfaceUserId,
       });