@forwardimpact/libbridge 0.1.9 → 0.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libbridge",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Threaded-channel bridge primitives — relay messages between human channels (GitHub Discussions, Microsoft Teams) and the Kata agent team.",
   "keywords": [
     "bridge",
@@ -45,7 +45,8 @@
     "@forwardimpact/libutil": "^0.1.84"
   },
   "devDependencies": {
-    "@forwardimpact/libmock": "^0.1.0"
+    "@forwardimpact/libmock": "^0.1.0",
+    "@forwardimpact/libtelemetry": "^0.1.0"
   },
   "engines": {
     "bun": ">=1.2.0",

package/src/callback-handler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { validateCallbackPayload } from "./callback-payload.js";
 
 /**
@@ -60,8 +58,9 @@ export function createCallbackHandler({
   loadDiscussionId,
   ackFinishTarget,
   handleReply,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   if (!channel) throw new Error("channel is required");
   if (!callbacks) throw new Error("callbacks is required");
   if (!ack) throw new Error("ack is required");

package/src/callback-payload.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 export const MAX_FIELD_LENGTH = 2000;
 export const MAX_REPLY_COUNT = 50;
 
@@ -129,8 +127,9 @@ export function newDiscussionContext({
   channel,
   discussionId,
   participant,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   return {
     id: `${channel}:${discussionId}`,
     channel,

package/src/callback-registry.js

@@ -1,7 +1,5 @@
 import { randomUUID } from "node:crypto";
 
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
 
 /**
@@ -25,7 +23,8 @@ export class CallbackRegistry {
    * @param {number} [options.ttlMs] - Time-to-live in ms (default: 2h)
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ ttlMs = DEFAULT_TTL_MS, clock = createDefaultClock() } = {}) {
+  constructor({ ttlMs = DEFAULT_TTL_MS, clock } = {}) {
+    if (!clock) throw new Error("clock is required");
     this.#ttlMs = ttlMs;
     this.#clock = clock;
   }

package/src/dispatcher.js

@@ -1,7 +1,5 @@
 import { randomUUID } from "node:crypto";
 
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { dispatchWorkflow } from "./dispatch.js";
 
 /** Dispatch dance: resolve per-user token, register callback, ack, fire workflow, flush. */
@@ -37,7 +35,7 @@ export class Dispatcher {
     githubRepo,
     tokenResolver,
     tenantResolver,
-    clock = createDefaultClock(),
+    clock,
   }) {
     if (!callbacks) throw new Error("callbacks is required");
     if (!ack) throw new Error("ack is required");
@@ -49,6 +47,7 @@ export class Dispatcher {
     if (!githubRepo) throw new Error("githubRepo is required");
     if (!tokenResolver) throw new Error("tokenResolver is required");
     if (!tenantResolver) throw new Error("tenantResolver is required");
+    if (!clock) throw new Error("clock is required");
     this.#callbacks = callbacks;
     this.#ack = ack;
     this.#store = store;

package/src/elapsed-scheduler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 const CHUNK_CAP_MS = 7 * 24 * 60 * 60 * 1000;
 
 /**
@@ -22,8 +20,9 @@ export class ElapsedScheduler {
    * @param {(err: Error, correlationId: string) => void} [options.onError] - Invoked when `onFire` rejects.
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({ onFire, onError = () => {}, clock = createDefaultClock() }) {
+  constructor({ onFire, onError = () => {}, clock }) {
     if (typeof onFire !== "function") throw new Error("onFire is required");
+    if (!clock) throw new Error("clock is required");
     this.#onFire = onFire;
     this.#onError = onError;
     this.#clock = clock;

package/src/inbox-handler.js

@@ -1,5 +1,4 @@
 import { bridge } from "@forwardimpact/libtype";
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
 
 /**
  * Long-poll handler for the per-correlation inbox. The run's InboxPoller
@@ -18,8 +17,9 @@ export function createInboxHandler({
   logger,
   pollTimeoutMs = 30_000,
   pollIntervalMs = 1_000,
-  clock = createDefaultClock(),
+  clock,
 }) {
+  if (!clock) throw new Error("clock is required");
   return async (c) => {
     const correlationId = c.req.param("correlationId");
     const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);

package/src/index.js

@@ -19,7 +19,7 @@
  * @property {() => Promise<void>} flush
  * @property {() => Promise<void>} shutdown
  * @property {(target: object) => Promise<void>} [putPendingDispatch]
- * @property {(linkToken: string) => Promise<object|null>} [resolvePendingDispatch]
+ * @property {(linkToken: string, expectedSurfaceUserId?: string) => Promise<object|null>} [resolvePendingDispatch]
  */
 
 export { createBridgeServer } from "./server.js";
@@ -29,10 +29,7 @@ export { appendHistory } from "./history.js";
 export { RateLimiter } from "./rate-limit.js";
 export { dispatchWorkflow } from "./dispatch.js";
 export { ProgressTicker } from "./progress-ticker.js";
-export {
-  Acknowledgement,
-  DEFAULT_TYPING_VERBS,
-} from "./acknowledgement.js";
+export { Acknowledgement, DEFAULT_TYPING_VERBS } from "./acknowledgement.js";
 export { Dispatcher } from "./dispatcher.js";
 export {
   DefaultTenantResolver,

package/src/link-resume.js

@@ -1,25 +1,81 @@
 import { randomUUID } from "node:crypto";
+import { isTrusted } from "@forwardimpact/libutil/trusted-origins";
+import { verifyCompletionTicket } from "@forwardimpact/libutil/completion-ticket";
 import { normalizeBaseUrl } from "./callback-payload.js";
 import { buildPrompt } from "./prompt.js";
 
 /**
- * @param {string} authorizeUrl
- * @param {string} callbackBaseUrl
- * @returns {{ linkToken: string, augmentedUrl: string }}
+ * Prepare a link-resume URL for the IdP authorize step.
+ *
+ * Discriminated return so a missing `catch` cannot become a 5xx oracle in
+ * the caller. The keyword-arg shape makes "forgot to pass trustedOrigins"
+ * a loud boot-time `TypeError` for any future xbridge.
+ *
+ * @param {object} args
+ * @param {string} args.authorizeUrl Upstream IdP authorize URL the bridge
+ *   intends to post into the channel.
+ * @param {string} args.callbackBaseUrl Bridge's own callback base URL; the
+ *   per-bridge `/api/link-complete` is composed from this.
+ * @param {Set<string>} args.trustedOrigins Trusted-origin set produced by
+ *   `loadTrustedIdpOrigins`. Required — a missing or non-Set value throws.
+ * @returns {{linkToken: string, augmentedUrl: string} | {skipped: true, reason: string}}
+ *   On a trusted, parseable URL: `{ linkToken, augmentedUrl }`. On any
+ *   refusal: `{ skipped: true, reason: "untrusted_origin" }`.
  */
-export function prepareLinkResume(authorizeUrl, callbackBaseUrl) {
+export function prepareLinkResume({
+  authorizeUrl,
+  callbackBaseUrl,
+  trustedOrigins,
+}) {
+  if (!(trustedOrigins instanceof Set))
+    throw new TypeError("prepareLinkResume: trustedOrigins must be a Set");
+  let originUrl;
+  try {
+    originUrl = new URL(authorizeUrl);
+  } catch {
+    return { skipped: true, reason: "untrusted_origin" };
+  }
+  if (!isTrusted(originUrl.origin, trustedOrigins))
+    return { skipped: true, reason: "untrusted_origin" };
+
   const linkToken = randomUUID();
-  const url = new URL(authorizeUrl);
-  url.searchParams.set(
+  originUrl.searchParams.set(
     "redirect_uri",
     `${normalizeBaseUrl(callbackBaseUrl)}/api/link-complete`,
   );
-  url.searchParams.set("client_state", linkToken);
-  return { linkToken, augmentedUrl: url.toString() };
+  originUrl.searchParams.set("client_state", linkToken);
+  return { linkToken, augmentedUrl: originUrl.toString() };
 }
 
+const UNABLE_TO_VERIFY_HTML =
+  "<!DOCTYPE html><html><body><h1>Unable to verify completion</h1>" +
+  "<p>The completion request could not be verified. Please try " +
+  "linking again from the conversation.</p></body></html>";
+
 /**
+ * Factory for the `/api/link-complete` GET handler.
+ *
+ * Handler ordering: the ticket is verified **before** any store touch —
+ * an attacker without a valid ticket exits at the verify step and never
+ * sees a present-vs-absent timing oracle on `linkToken`.
+ *
+ * The `surface_user_id` cross-check is performed **server-side** by passing
+ * `verify.claims.surfaceUserId` as `expectedSurfaceUserId` to
+ * `store.resolvePendingDispatch`. The bridge refuses to consume the entry
+ * on mismatch — so an attacker who minted a valid ticket against the
+ * victim's `link_token` (e.g. by driving the IdP round-trip under their
+ * own account with `client_state=victim_link_token`) cannot drain the
+ * auto-resume affordance: the bridge returns `{ unattributable: true }`
+ * and the entry stays available for the legitimate user.
+ *
  * @param {object} options
+ * @param {string} options.channel Channel id (e.g. `"github-discussions"`).
+ * @param {object} options.store
+ * @param {object} options.dispatcher
+ * @param {(ctx: object) => object} options.buildCallbackMeta
+ * @param {Set<string>} options.trustedOrigins Required.
+ * @param {string} options.ticketSecret Required.
+ * @param {{now: () => number}} options.clock Required.
  * @returns {(c: import("hono").Context) => Promise<Response>}
  */
 export function createLinkCompleteHandler({
@@ -27,7 +83,21 @@ export function createLinkCompleteHandler({
   store,
   dispatcher,
   buildCallbackMeta,
+  trustedOrigins,
+  ticketSecret,
+  clock,
 }) {
+  if (!(trustedOrigins instanceof Set))
+    throw new TypeError(
+      "createLinkCompleteHandler: trustedOrigins must be a Set",
+    );
+  if (typeof ticketSecret !== "string" || ticketSecret.length === 0)
+    throw new TypeError(
+      "createLinkCompleteHandler: ticketSecret must be a non-empty string",
+    );
+  if (!clock || typeof clock.now !== "function")
+    throw new TypeError("createLinkCompleteHandler: clock is required");
+
   return async (c) => {
     const linkToken = c.req.query("state");
     if (!linkToken) {
@@ -38,7 +108,22 @@ export function createLinkCompleteHandler({
       );
     }
 
-    const target = await store.resolvePendingDispatch(linkToken);
+    const ticket = c.req.query("ticket");
+    const verify = verifyCompletionTicket({
+      ticket,
+      expected: { linkToken },
+      trustedOrigins,
+      secret: ticketSecret,
+      now: clock.now(),
+    });
+    if (!verify.ok) {
+      return c.html(UNABLE_TO_VERIFY_HTML);
+    }
+
+    const target = await store.resolvePendingDispatch(
+      linkToken,
+      verify.claims.surfaceUserId,
+    );
     if (!target) {
       return c.html(
         "<!DOCTYPE html><html><body><h1>Already processed</h1>" +
@@ -46,6 +131,12 @@ export function createLinkCompleteHandler({
           "</p></body></html>",
       );
     }
+    if (target.unattributable) {
+      // Bridge refused to consume because the ticket's surfaceUserId does
+      // not match the pending row. The pending entry is left intact for
+      // the legitimate user.
+      return c.html(UNABLE_TO_VERIFY_HTML);
+    }
 
     const ctx = await store.loadByChannel(channel, target.discussion_id);
     if (!ctx) {

package/src/rate-limit.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 /**
  * Sliding-window rate limiter. Operates on a caller-owned `dispatches: number[]`
  * array of timestamps and returns a structured result so callers can both
@@ -16,11 +14,8 @@ export class RateLimiter {
    * @param {number} [options.max] - Max dispatches allowed in the window (default: 5)
    * @param {import("@forwardimpact/libutil/runtime").Runtime["clock"]} [options.clock]
    */
-  constructor({
-    windowMs = 60_000,
-    max = 5,
-    clock = createDefaultClock(),
-  } = {}) {
+  constructor({ windowMs = 60_000, max = 5, clock } = {}) {
+    if (!clock) throw new Error("clock is required");
     this.#windowMs = windowMs;
     this.#max = max;
     this.#clock = clock;

package/src/resume-scheduler.js

@@ -1,5 +1,3 @@
-import { createDefaultClock } from "@forwardimpact/libutil/runtime";
-
 import { ElapsedScheduler } from "./elapsed-scheduler.js";
 import { evaluateTrigger, parseIsoDuration } from "./triggers.js";
 
@@ -36,7 +34,7 @@ export class ResumeScheduler {
     buildCallbackMeta = (ctx) => ({ discussionId: ctx.discussion_id }),
     buildResumeInputs = () => ({}),
     onDeclined = null,
-    clock = createDefaultClock(),
+    clock,
   }) {
     if (!dispatcher) throw new Error("dispatcher is required");
     if (!store) throw new Error("store is required");
@@ -49,6 +47,7 @@ export class ResumeScheduler {
     if (onDeclined != null && typeof onDeclined !== "function") {
       throw new Error("onDeclined must be a function");
     }
+    if (!clock) throw new Error("clock is required");
     this.#dispatcher = dispatcher;
     this.#store = store;
     this.#logger = logger ?? null;