@forwardimpact/libbridge 0.1.7 → 0.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libbridge",
-  "version": "0.1.7",
+  "version": "0.1.10",
   "description": "Threaded-channel bridge primitives — relay messages between human channels (GitHub Discussions, Microsoft Teams) and the Kata agent team.",
   "keywords": [
     "bridge",
@@ -40,13 +40,13 @@
     "test": "bun test test/*.test.js"
   },
   "dependencies": {
+    "@forwardimpact/libhttp": "^0.1.0",
     "@forwardimpact/libtype": "^0.1.0",
-    "@forwardimpact/libutil": "^0.1.84",
-    "@hono/node-server": "^2.0.4",
-    "hono": "^4.12.23"
+    "@forwardimpact/libutil": "^0.1.84"
   },
   "devDependencies": {
-    "@forwardimpact/libmock": "^0.1.0"
+    "@forwardimpact/libmock": "^0.1.0",
+    "@forwardimpact/libtelemetry": "^0.1.0"
   },
   "engines": {
     "bun": ">=1.2.0",

package/src/callback-handler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { validateCallbackPayload } from "./callback-payload.js";
 
 /**
@@ -60,8 +58,9 @@ export function createCallbackHandler({
   loadDiscussionId,
   ackFinishTarget,
   handleReply,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   if (!channel) throw new Error("channel is required");
   if (!callbacks) throw new Error("callbacks is required");
   if (!ack) throw new Error("ack is required");
@@ -88,8 +87,14 @@ export function createCallbackHandler({
     if (!payload) return c.json({ error: "Invalid payload" }, 400);
 
     const token = c.req.param("token");
+    const tenant_id = c.req.param("tenant_id");
+    if (!tenant_id) {
+      return c.json({ error: "Unknown callback token" }, 404);
+    }
     const isTerminal = payload.kind === "terminal";
-    const meta = isTerminal ? callbacks.consume(token) : callbacks.peek(token);
+    const meta = isTerminal
+      ? callbacks.consume(token, { tenant_id })
+      : callbacks.peek(token, { tenant_id });
     if (!meta) {
       logger.debug?.("callback", "unknown token");
       return c.json({ error: "Unknown callback token" }, 404);

package/src/callback-payload.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 export const MAX_FIELD_LENGTH = 2000;
 export const MAX_REPLY_COUNT = 50;
 
@@ -129,8 +127,9 @@ export function newDiscussionContext({
   channel,
   discussionId,
   participant,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   return {
     id: `${channel}:${discussionId}`,
     channel,

package/src/callback-registry.js

@@ -1,7 +1,5 @@
 import { randomUUID } from "node:crypto";
 
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
 
 /**
@@ -9,6 +7,11 @@ const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
  * the (token, correlationId) pairs via the discussion store so the registry
  * can be rehydrated after a restart; this class only owns the live token →
  * metadata mapping and TTL sweep.
+ *
+ * Every entry is tenant-bound. `register` requires `meta.tenant_id` (single
+ * tenant deployments pass `"default"`); `consume` and `peek` require the
+ * caller's `tenant_id` and return `null` when the stored value does not
+ * match — the same null shape callers already handle for unknown tokens.
  */
 export class CallbackRegistry {
   #ttlMs;
@@ -20,7 +23,8 @@ export class CallbackRegistry {
    * @param {number} [options.ttlMs] - Time-to-live in ms (default: 2h)
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ ttlMs = DEFAULT_TTL_MS, clock = createDefaultClock() } = {}) {
+  constructor({ ttlMs = DEFAULT_TTL_MS, clock } = {}) {
+    if (!clock) throw new Error("clock is required");
     this.#ttlMs = ttlMs;
     this.#clock = clock;
   }
@@ -32,13 +36,16 @@ export class CallbackRegistry {
 
   /**
    * @param {string} correlationId
-   * @param {object} [meta] - Caller-defined metadata stored alongside the token
+   * @param {object} meta - Caller-defined metadata; `meta.tenant_id` is required
    * @returns {string} The newly issued callback token
    */
-  register(correlationId, meta = {}) {
+  register(correlationId, meta) {
     if (typeof correlationId !== "string" || !correlationId) {
       throw new Error("correlationId is required");
     }
+    if (!meta || typeof meta.tenant_id !== "string" || !meta.tenant_id) {
+      throw new Error("meta.tenant_id is required");
+    }
     const token = randomUUID();
     this.#entries.set(token, {
       correlationId,
@@ -49,28 +56,38 @@ export class CallbackRegistry {
   }
 
   /**
-   * Atomic lookup + delete. Returns null if the token is unknown.
+   * Atomic lookup + delete. Returns null when the token is unknown or when
+   * the supplied `tenant_id` does not match the stored binding.
    * @param {string} token
+   * @param {{tenant_id: string}} bind
    * @returns {{correlationId: string, meta: object, createdAt: number} | null}
    */
-  consume(token) {
+  consume(token, bind) {
+    if (!bind || typeof bind.tenant_id !== "string" || !bind.tenant_id) {
+      throw new Error("tenant_id is required");
+    }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (entry.meta.tenant_id !== bind.tenant_id) return null;
     this.#entries.delete(token);
     return entry;
   }
 
   /**
    * Returns a shallow clone of the stored metadata for a token without
-   * consuming it. Cloning prevents callers from corrupting internal state
-   * via the returned reference; diagnostic code paths that need to read
-   * `correlationId`, `meta`, or `createdAt` work unchanged.
+   * consuming it. Returns null on unknown token or `tenant_id` mismatch —
+   * matching `consume`'s shape so callers handle one missing case.
    * @param {string} token
+   * @param {{tenant_id: string}} bind
    * @returns {{correlationId: string, meta: object, createdAt: number} | null}
    */
-  peek(token) {
+  peek(token, bind) {
+    if (!bind || typeof bind.tenant_id !== "string" || !bind.tenant_id) {
+      throw new Error("tenant_id is required");
+    }
     const entry = this.#entries.get(token);
     if (!entry) return null;
+    if (entry.meta.tenant_id !== bind.tenant_id) return null;
     return { ...entry };
   }
 

package/src/dispatcher.js

@@ -1,7 +1,5 @@
 import { randomUUID } from "node:crypto";
 
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { dispatchWorkflow } from "./dispatch.js";
 
 /** Dispatch dance: resolve per-user token, register callback, ack, fire workflow, flush. */
@@ -13,6 +11,7 @@ export class Dispatcher {
   #workflowFile;
   #githubRepo;
   #tokenResolver;
+  #tenantResolver;
   #clock;
 
   /**
@@ -24,6 +23,7 @@ export class Dispatcher {
    * @param {string} options.workflowFile
    * @param {string} options.githubRepo
    * @param {import("./token-resolver.js").TokenResolver} options.tokenResolver
+   * @param {import("./tenant-resolver.js").TenantResolver} options.tenantResolver
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
   constructor({
@@ -34,7 +34,8 @@ export class Dispatcher {
     workflowFile,
     githubRepo,
     tokenResolver,
-    clock = createDefaultClock(),
+    tenantResolver,
+    clock,
   }) {
     if (!callbacks) throw new Error("callbacks is required");
     if (!ack) throw new Error("ack is required");
@@ -45,6 +46,8 @@ export class Dispatcher {
     if (!workflowFile) throw new Error("workflowFile is required");
     if (!githubRepo) throw new Error("githubRepo is required");
     if (!tokenResolver) throw new Error("tokenResolver is required");
+    if (!tenantResolver) throw new Error("tenantResolver is required");
+    if (!clock) throw new Error("clock is required");
     this.#callbacks = callbacks;
     this.#ack = ack;
     this.#store = store;
@@ -52,6 +55,7 @@ export class Dispatcher {
     this.#workflowFile = workflowFile;
     this.#githubRepo = githubRepo;
     this.#tokenResolver = tokenResolver;
+    this.#tenantResolver = tenantResolver;
     this.#clock = clock;
   }
 
@@ -80,12 +84,21 @@ export class Dispatcher {
     const auth = await this.#tokenResolver.resolve(ctx.channel, requester);
     if (auth.kind !== "token") return auth;
 
+    const tenant = await this.#tenantResolver.resolve({
+      channel: ctx.channel,
+      key: ctx.channel_tenant_key,
+    });
+    if (!tenant) {
+      return { kind: "transient", error: new Error("tenant_unresolved") };
+    }
+    const tenant_id = tenant.tenant_id;
+
     const correlationId = randomUUID();
-    const mergedMeta = { ...(callbackMeta ?? {}), requester };
+    const mergedMeta = { ...(callbackMeta ?? {}), requester, tenant_id };
     const token = this.#callbacks.register(correlationId, mergedMeta);
     ctx.pending_callbacks[token] = correlationId;
     ctx.active_requester = requester;
-    const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${token}`;
+    const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${tenant_id}/${token}`;
     const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${correlationId}`;
 
     if (ackTarget !== undefined) await this.#ack.start(token, ackTarget);
@@ -107,7 +120,7 @@ export class Dispatcher {
       return { kind: "dispatched", token, correlationId };
     } catch (err) {
       if (ackTarget !== undefined) await this.#ack.finish(token, ackTarget);
-      this.#callbacks.consume(token);
+      this.#callbacks.consume(token, { tenant_id });
       delete ctx.pending_callbacks[token];
       ctx.active_requester = null;
       throw err;

package/src/elapsed-scheduler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 const CHUNK_CAP_MS = 7 * 24 * 60 * 60 * 1000;
 
 /**
@@ -22,8 +20,9 @@ export class ElapsedScheduler {
    * @param {(err: Error, correlationId: string) => void} [options.onError] - Invoked when `onFire` rejects.
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ onFire, onError = () => {}, clock = createDefaultClock() }) {
+  constructor({ onFire, onError = () => {}, clock }) {
     if (typeof onFire !== "function") throw new Error("onFire is required");
+    if (!clock) throw new Error("clock is required");
     this.#onFire = onFire;
     this.#onError = onError;
     this.#clock = clock;

package/src/inbox-handler.js

@@ -1,5 +1,4 @@
 import { bridge } from "@forwardimpact/libtype";
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
 
 /**
  * Long-poll handler for the per-correlation inbox. The run's InboxPoller
@@ -18,8 +17,9 @@ export function createInboxHandler({
   logger,
   pollTimeoutMs = 30_000,
   pollIntervalMs = 1_000,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   return async (c) => {
     const correlationId = c.req.param("correlationId");
     const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);

package/src/index.js

@@ -19,7 +19,7 @@
  * @property {() => Promise<void>} flush
  * @property {() => Promise<void>} shutdown
  * @property {(target: object) => Promise<void>} [putPendingDispatch]
- * @property {(linkToken: string) => Promise<object|null>} [resolvePendingDispatch]
+ * @property {(linkToken: string, expectedSurfaceUserId?: string) => Promise<object|null>} [resolvePendingDispatch]
  */
 
 export { createBridgeServer } from "./server.js";
@@ -29,11 +29,12 @@ export { appendHistory } from "./history.js";
 export { RateLimiter } from "./rate-limit.js";
 export { dispatchWorkflow } from "./dispatch.js";
 export { ProgressTicker } from "./progress-ticker.js";
-export {
-  Acknowledgement,
-  DEFAULT_TYPING_VERBS,
-} from "./acknowledgement.js";
+export { Acknowledgement, DEFAULT_TYPING_VERBS } from "./acknowledgement.js";
 export { Dispatcher } from "./dispatcher.js";
+export {
+  DefaultTenantResolver,
+  RegistryTenantResolver,
+} from "./tenant-resolver.js";
 export { TokenResolver } from "./token-resolver.js";
 export {
   CallbackHandlerError,

package/src/link-resume.js

@@ -1,25 +1,81 @@
 import { randomUUID } from "node:crypto";
+import { isTrusted } from "@forwardimpact/libutil/trusted-origins";
+import { verifyCompletionTicket } from "@forwardimpact/libutil/completion-ticket";
 import { normalizeBaseUrl } from "./callback-payload.js";
 import { buildPrompt } from "./prompt.js";
 
 /**
- * @param {string} authorizeUrl
- * @param {string} callbackBaseUrl
- * @returns {{ linkToken: string, augmentedUrl: string }}
+ * Prepare a link-resume URL for the IdP authorize step.
+ *
+ * Discriminated return so a missing `catch` cannot become a 5xx oracle in
+ * the caller. The keyword-arg shape makes "forgot to pass trustedOrigins"
+ * a loud boot-time `TypeError` for any future xbridge.
+ *
+ * @param {object} args
+ * @param {string} args.authorizeUrl Upstream IdP authorize URL the bridge
+ *   intends to post into the channel.
+ * @param {string} args.callbackBaseUrl Bridge's own callback base URL; the
+ *   per-bridge `/api/link-complete` is composed from this.
+ * @param {Set<string>} args.trustedOrigins Trusted-origin set produced by
+ *   `loadTrustedIdpOrigins`. Required — a missing or non-Set value throws.
+ * @returns {{linkToken: string, augmentedUrl: string} | {skipped: true, reason: string}}
+ *   On a trusted, parseable URL: `{ linkToken, augmentedUrl }`. On any
+ *   refusal: `{ skipped: true, reason: "untrusted_origin" }`.
  */
-export function prepareLinkResume(authorizeUrl, callbackBaseUrl) {
+export function prepareLinkResume({
+  authorizeUrl,
+  callbackBaseUrl,
+  trustedOrigins,
+}) {
+  if (!(trustedOrigins instanceof Set))
+    throw new TypeError("prepareLinkResume: trustedOrigins must be a Set");
+  let originUrl;
+  try {
+    originUrl = new URL(authorizeUrl);
+  } catch {
+    return { skipped: true, reason: "untrusted_origin" };
+  }
+  if (!isTrusted(originUrl.origin, trustedOrigins))
+    return { skipped: true, reason: "untrusted_origin" };
+
   const linkToken = randomUUID();
-  const url = new URL(authorizeUrl);
-  url.searchParams.set(
+  originUrl.searchParams.set(
     "redirect_uri",
     `${normalizeBaseUrl(callbackBaseUrl)}/api/link-complete`,
   );
-  url.searchParams.set("client_state", linkToken);
-  return { linkToken, augmentedUrl: url.toString() };
+  originUrl.searchParams.set("client_state", linkToken);
+  return { linkToken, augmentedUrl: originUrl.toString() };
 }
 
+const UNABLE_TO_VERIFY_HTML =
+  "<!DOCTYPE html><html><body><h1>Unable to verify completion</h1>" +
+  "<p>The completion request could not be verified. Please try " +
+  "linking again from the conversation.</p></body></html>";
+
 /**
+ * Factory for the `/api/link-complete` GET handler.
+ *
+ * Handler ordering: the ticket is verified **before** any store touch —
+ * an attacker without a valid ticket exits at the verify step and never
+ * sees a present-vs-absent timing oracle on `linkToken`.
+ *
+ * The `surface_user_id` cross-check is performed **server-side** by passing
+ * `verify.claims.surfaceUserId` as `expectedSurfaceUserId` to
+ * `store.resolvePendingDispatch`. The bridge refuses to consume the entry
+ * on mismatch — so an attacker who minted a valid ticket against the
+ * victim's `link_token` (e.g. by driving the IdP round-trip under their
+ * own account with `client_state=victim_link_token`) cannot drain the
+ * auto-resume affordance: the bridge returns `{ unattributable: true }`
+ * and the entry stays available for the legitimate user.
+ *
  * @param {object} options
+ * @param {string} options.channel Channel id (e.g. `"github-discussions"`).
+ * @param {object} options.store
+ * @param {object} options.dispatcher
+ * @param {(ctx: object) => object} options.buildCallbackMeta
+ * @param {Set<string>} options.trustedOrigins Required.
+ * @param {string} options.ticketSecret Required.
+ * @param {{now: () => number}} options.clock Required.
  * @returns {(c: import("hono").Context) => Promise<Response>}
  */
 export function createLinkCompleteHandler({
@@ -27,7 +83,21 @@ export function createLinkCompleteHandler({
   store,
   dispatcher,
   buildCallbackMeta,
+  trustedOrigins,
+  ticketSecret,
+  clock,
 }) {
+  if (!(trustedOrigins instanceof Set))
+    throw new TypeError(
+      "createLinkCompleteHandler: trustedOrigins must be a Set",
+    );
+  if (typeof ticketSecret !== "string" || ticketSecret.length === 0)
+    throw new TypeError(
+      "createLinkCompleteHandler: ticketSecret must be a non-empty string",
+    );
+  if (!clock || typeof clock.now !== "function")
+    throw new TypeError("createLinkCompleteHandler: clock is required");
+
   return async (c) => {
     const linkToken = c.req.query("state");
     if (!linkToken) {
@@ -38,7 +108,22 @@ export function createLinkCompleteHandler({
       );
     }
 
-    const target = await store.resolvePendingDispatch(linkToken);
+    const ticket = c.req.query("ticket");
+    const verify = verifyCompletionTicket({
+      ticket,
+      expected: { linkToken },
+      trustedOrigins,
+      secret: ticketSecret,
+      now: clock.now(),
+    });
+    if (!verify.ok) {
+      return c.html(UNABLE_TO_VERIFY_HTML);
+    }
+
+    const target = await store.resolvePendingDispatch(
+      linkToken,
+      verify.claims.surfaceUserId,
+    );
     if (!target) {
       return c.html(
         "<!DOCTYPE html><html><body><h1>Already processed</h1>" +
@@ -46,6 +131,12 @@ export function createLinkCompleteHandler({
           "</p></body></html>",
       );
     }
+    if (target.unattributable) {
+      // Bridge refused to consume because the ticket's surfaceUserId does
+      // not match the pending row. The pending entry is left intact for
+      // the legitimate user.
+      return c.html(UNABLE_TO_VERIFY_HTML);
+    }
 
     const ctx = await store.loadByChannel(channel, target.discussion_id);
     if (!ctx) {

package/src/rate-limit.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 /**
  * Sliding-window rate limiter. Operates on a caller-owned `dispatches: number[]`
  * array of timestamps and returns a structured result so callers can both
@@ -16,11 +14,8 @@ export class RateLimiter {
    * @param {number} [options.max] - Max dispatches allowed in the window (default: 5)
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({
-    windowMs = 60_000,
-    max = 5,
-    clock = createDefaultClock(),
-  } = {}) {
+  constructor({ windowMs = 60_000, max = 5, clock } = {}) {
+    if (!clock) throw new Error("clock is required");
     this.#windowMs = windowMs;
     this.#max = max;
     this.#clock = clock;

package/src/resume-scheduler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { ElapsedScheduler } from "./elapsed-scheduler.js";
 import { evaluateTrigger, parseIsoDuration } from "./triggers.js";
 
@@ -36,7 +34,7 @@ export class ResumeScheduler {
     buildCallbackMeta = (ctx) => ({ discussionId: ctx.discussion_id }),
     buildResumeInputs = () => ({}),
     onDeclined = null,
-    clock = createDefaultClock(),
+    clock,
   }) {
     if (!dispatcher) throw new Error("dispatcher is required");
     if (!store) throw new Error("store is required");
@@ -49,6 +47,7 @@ export class ResumeScheduler {
     if (onDeclined != null && typeof onDeclined !== "function") {
       throw new Error("onDeclined must be a function");
     }
+    if (!clock) throw new Error("clock is required");
     this.#dispatcher = dispatcher;
     this.#store = store;
     this.#logger = logger ?? null;

package/src/server.js

@@ -1,13 +1,13 @@
-import { Hono } from "hono";
-import { bodyLimit } from "hono/body-limit";
-import { serve } from "@hono/node-server";
+import { createHttpService } from "@forwardimpact/libhttp";
 
 /**
  * Create the channel-agnostic HTTP server that bridges (ghbridge, msbridge)
  * share. The server mounts two routes:
  *   - `OPTIONS|POST <webhookPath>` — channel-specific intake. The raw POST
  *     body is captured on `c.get("rawBody")` for signature verification.
- *   - `POST /api/callback/:token` — workflow → bridge reply intake.
+ *   - `POST /api/callback/:tenant_id/:token` — workflow → bridge reply
+ *     intake. Single-tenant deployments hit the same route with the literal
+ *     `default` segment; multi-tenant deployments with the resolved tenant.
  *
  * Handlers receive Hono's context `c` (matching the monorepo standard) and
  * return a `Response` (or use `c.json` / `c.text` / `c.body`). The caller
@@ -30,7 +30,7 @@ import { serve } from "@hono/node-server";
 export function createBridgeServer({
   config,
   logger,
-  tracer: _tracer,
+  tracer,
   webhookPath,
   onWebhook,
   onCallback,
@@ -47,97 +47,66 @@ export function createBridgeServer({
     throw new Error("onCallback is required");
   }
 
-  const app = new Hono();
-
-  // Security headers — standard hardening for a backend service.
-  app.use("*", async (c, next) => {
-    await next();
-    c.header("X-Content-Type-Options", "nosniff");
-    c.header("X-Frame-Options", "DENY");
-    c.header("Cache-Control", "no-store");
-  });
-
-  // Request body size limit — 1 MB is generous for JSON callback payloads.
-  app.use("*", bodyLimit({ maxSize: 1024 * 1024 }));
-
-  // Capture the raw POST body once, before downstream handlers parse it.
-  // Channel adapters use this buffer to verify HMAC signatures.
-  app.use("*", async (c, next) => {
-    if (c.req.method === "POST") {
-      const buf = Buffer.from(await c.req.raw.clone().arrayBuffer());
-      c.set("rawBody", buf);
-    }
-    await next();
-  });
-
-  app.options(webhookPath, (c) => c.body(null, 200));
+  // Lifecycle, security headers, body limit, and the health route are owned by
+  // `@forwardimpact/libhttp`. This factory only mounts the bridge routes (and
+  // the raw-body capture they depend on) through the `configure` callback.
+  return createHttpService({
+    name: "bridge",
+    config,
+    logger,
+    tracer,
+    configure(app) {
+      // Capture the raw POST body once, before downstream handlers parse it.
+      // Channel adapters use this buffer to verify HMAC signatures.
+      app.use("*", async (c, next) => {
+        if (c.req.method === "POST") {
+          const buf = Buffer.from(await c.req.raw.clone().arrayBuffer());
+          c.set("rawBody", buf);
+        }
+        await next();
+      });
 
-  app.post(webhookPath, async (c) => {
-    try {
-      return await onWebhook(c);
-    } catch (err) {
-      logger.error("bridge.webhook", err);
-      return c.json({ error: "Webhook failure" }, 500);
-    }
-  });
+      app.options(webhookPath, (c) => c.body(null, 200));
 
-  app.post("/api/callback/:token", async (c) => {
-    try {
-      return await onCallback(c);
-    } catch (err) {
-      logger.error("bridge.callback", err);
-      return c.json({ error: "Callback failure" }, 500);
-    }
-  });
+      app.post(webhookPath, async (c) => {
+        try {
+          return await onWebhook(c);
+        } catch (err) {
+          logger.error("bridge.webhook", err);
+          return c.json({ error: "Webhook failure" }, 500);
+        }
+      });
 
-  if (onLinkComplete) {
-    app.get("/api/link-complete", async (c) => {
-      try {
-        return await onLinkComplete(c);
-      } catch (err) {
-        logger.error("bridge.link-complete", err);
-        return c.json({ error: "Link completion failure" }, 500);
-      }
-    });
-  }
+      app.post("/api/callback/:tenant_id/:token", async (c) => {
+        try {
+          return await onCallback(c);
+        } catch (err) {
+          logger.error("bridge.callback", err);
+          return c.json({ error: "Callback failure" }, 500);
+        }
+      });
 
-  if (onInbox) {
-    app.get("/api/inbox/:correlationId", async (c) => {
-      try {
-        return await onInbox(c);
-      } catch (err) {
-        logger.error("bridge.inbox", err);
-        return c.json({ error: "Inbox failure" }, 500);
+      if (onLinkComplete) {
+        app.get("/api/link-complete", async (c) => {
+          try {
+            return await onLinkComplete(c);
+          } catch (err) {
+            logger.error("bridge.link-complete", err);
+            return c.json({ error: "Link completion failure" }, 500);
+          }
+        });
       }
-    });
-  }
-
-  let server = null;
 
-  return {
-    app,
-    address() {
-      if (!server || typeof server.address !== "function") return null;
-      const addr = server.address();
-      if (!addr || typeof addr === "string") return null;
-      return { port: addr.port };
-    },
-    async start() {
-      const { host, port } = config;
-      await new Promise((resolve) => {
-        server = serve({ fetch: app.fetch, port, hostname: host }, (info) => {
-          logger.info("bridge.server", "listening", {
-            host,
-            port: info?.port ?? port,
-          });
-          resolve();
+      if (onInbox) {
+        app.get("/api/inbox/:correlationId", async (c) => {
+          try {
+            return await onInbox(c);
+          } catch (err) {
+            logger.error("bridge.inbox", err);
+            return c.json({ error: "Inbox failure" }, 500);
+          }
         });
-      });
-    },
-    async stop() {
-      if (!server) return;
-      await new Promise((resolve) => server.close(() => resolve()));
-      server = null;
+      }
     },
-  };
+  });
 }

package/src/tenant-resolver.js

@@ -0,0 +1,102 @@
+/**
+ * Channel-agnostic tenant resolution.
+ *
+ * Bridges supply a resolver to libbridge primitives (`Dispatcher`,
+ * `CallbackRegistry`, callback handlers). The two implementations share a
+ * duck-typed surface — `resolve`, `resolveByRepo`, `resolveByTenantId` —
+ * so libbridge depends on the shape, not the implementation.
+ *
+ * @typedef {object} Tenant
+ * @property {string} tenant_id
+ * @property {string} channel
+ * @property {string} channel_tenant_key
+ * @property {{owner: string, name: string}} [repo]
+ * @property {"pending_consent" | "active" | "revoked"} state
+ *
+ * @typedef {object} TenantResolver
+ * @property {(key: {channel: string, key: string}) => Promise<Tenant | null>} resolve
+ * @property {(repo: {owner: string, name: string}) => Promise<Tenant | null>} resolveByRepo
+ * @property {(key: {tenant_id: string}) => Promise<Tenant | null>} resolveByTenantId
+ */
+
+/**
+ * Single-tenant resolver. Returns one fixed `default` tenant for every
+ * resolution call. Used in single-tenant deployments where the bridge does
+ * not reach `services/tenancy`.
+ */
+export class DefaultTenantResolver {
+  #default;
+
+  /**
+   * @param {object} options
+   * @param {string} options.channel
+   * @param {string} [options.channel_tenant_key]
+   * @param {{owner: string, name: string}} [options.repo]
+   */
+  constructor({ channel, channel_tenant_key = "default", repo }) {
+    if (!channel) throw new Error("channel is required");
+    this.#default = {
+      tenant_id: "default",
+      channel,
+      channel_tenant_key,
+      repo,
+      state: "active",
+    };
+  }
+
+  /** @returns {Promise<Tenant>} */
+  async resolve(_key) {
+    return this.#default;
+  }
+
+  /** @returns {Promise<Tenant>} */
+  async resolveByRepo(_repo) {
+    return this.#default;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByTenantId({ tenant_id }) {
+    return tenant_id === "default" ? this.#default : null;
+  }
+}
+
+/**
+ * Multi-tenant resolver. Wraps a `services/tenancy` gRPC client; returns
+ * only `active` tenants from `resolve` and `resolveByRepo` (callers must
+ * treat a `null` return as "no active tenant"). `resolveByTenantId` returns
+ * the registry row regardless of state so callback verification can compare
+ * the URL's tenant id against any known tenant.
+ */
+export class RegistryTenantResolver {
+  #client;
+
+  /**
+   * @param {object} options
+   * @param {{
+   *   ResolveByChannelKey: (req: {channel: string, key: string}) => Promise<Tenant | null>,
+   *   ResolveByRepo: (req: {owner: string, name: string}) => Promise<Tenant | null>,
+   *   ResolveByTenantId: (req: {tenant_id: string}) => Promise<Tenant | null>,
+   * }} options.client - Duck-typed tenancy client (typed at construction)
+   */
+  constructor({ client }) {
+    if (!client) throw new Error("client is required");
+    this.#client = client;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolve({ channel, key }) {
+    const t = await this.#client.ResolveByChannelKey({ channel, key });
+    return t?.state === "active" ? t : null;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByRepo({ owner, name }) {
+    const t = await this.#client.ResolveByRepo({ owner, name });
+    return t?.state === "active" ? t : null;
+  }
+
+  /** @returns {Promise<Tenant | null>} */
+  async resolveByTenantId({ tenant_id }) {
+    return this.#client.ResolveByTenantId({ tenant_id });
+  }
+}