@hogsend/engine 0.21.0 → 0.22.0

package/src/lib/discord-gateway-heartbeat.ts

@@ -0,0 +1,164 @@
+import type { Logger } from "./logger.js";
+import { getRedis } from "./redis.js";
+
+/**
+ * Discord Gateway worker liveness heartbeat. The gateway worker is its OWN
+ * long-lived process (a `discord.js` socket forwarding raw dispatches), separate
+ * from BOTH the API and the Hatchet worker — so the API (and Studio's
+ * `/integrations` card) cannot otherwise tell whether the gateway socket is
+ * actually up. The worker writes a TTL'd key to Redis on an interval; readers
+ * treat a fresh key as "the gateway worker is alive".
+ *
+ * This mirrors {@link ./worker-heartbeat.ts} but on a DISTINCT key and with a
+ * richer JSON payload: it also carries the guild id the live worker observed at
+ * `GUILD_CREATE`, which lets the card confirm "Bot installed" for env-only
+ * deploys (no derived credential) — a fresh heartbeat with a guild id IS the
+ * proof-of-configuration the status fix needs.
+ *
+ * Redis is the channel because both processes can already reach it and the
+ * health route already probes it — no direct process-to-process coupling, no
+ * migration. Everything here is best-effort: a missing/unreachable Redis never
+ * crashes the worker and simply reads back as "down".
+ */
+const HEARTBEAT_KEY = "hogsend:discord-gateway:heartbeat";
+const TTL_SECONDS = 30;
+const REFRESH_MS = 10_000;
+
+export interface DiscordGatewayHeartbeat {
+  /** True when a fresh gateway-worker heartbeat is present in Redis. */
+  alive: boolean;
+  /** ISO timestamp the gateway worker last wrote, when alive. */
+  lastSeenAt?: string;
+  /** The guild id the live worker observed (confirms the bot is in a server). */
+  guildId?: string;
+  /** The intents bitfield the live worker requested at login. */
+  intents?: number;
+}
+
+/** The JSON shape persisted under {@link HEARTBEAT_KEY}. */
+interface HeartbeatPayload {
+  lastSeenAt: string;
+  guildId?: string;
+  intents?: number;
+}
+
+/** The mutable state a running heartbeat exposes for late-bound folding. */
+export interface DiscordGatewayHeartbeatState {
+  /**
+   * Fold the worker-observed guild id into the heartbeat and write immediately,
+   * so Studio can confirm "Bot installed" as soon as the socket sees a guild.
+   */
+  setGuildId(guildId: string): void;
+  /**
+   * Fold the worker's resolved intents bitfield into the heartbeat and write
+   * immediately, so Studio's intents chip reflects what the LIVE worker requested
+   * (preferred over the derived credential, which is never written by install).
+   */
+  setIntents(intents: number): void;
+}
+
+export interface DiscordGatewayHeartbeatHandle {
+  /** Mutable state — call `setGuildId` from the worker's `onGuildObserved` tap. */
+  state: DiscordGatewayHeartbeatState;
+  /** Clear the timer and delete the key for an immediate "down" on shutdown. */
+  stop(): Promise<void>;
+}
+
+/**
+ * Begin writing the Discord gateway-worker heartbeat. Writes once immediately,
+ * then refreshes every {@link REFRESH_MS} with a {@link TTL_SECONDS} expiry — so
+ * an ungraceful worker death is reflected as "down" within the TTL. The returned
+ * handle exposes `state.setGuildId(id)` (fold in the observed guild + write now)
+ * and `stop()` (clear the timer + delete the key for an immediate "down").
+ */
+export function startDiscordGatewayHeartbeat(
+  logger: Logger,
+): DiscordGatewayHeartbeatHandle {
+  let warned = false;
+  let guildId: string | undefined;
+  let intents: number | undefined;
+
+  const write = async () => {
+    const payload: HeartbeatPayload = {
+      lastSeenAt: new Date().toISOString(),
+      ...(guildId ? { guildId } : {}),
+      ...(typeof intents === "number" ? { intents } : {}),
+    };
+    try {
+      await getRedis().set(
+        HEARTBEAT_KEY,
+        JSON.stringify(payload),
+        "EX",
+        TTL_SECONDS,
+      );
+    } catch (err) {
+      // Log the first failure only — a Redis-less deploy would otherwise spam.
+      if (!warned) {
+        warned = true;
+        logger.debug(
+          "Discord gateway heartbeat write failed (Redis unreachable?)",
+          { error: err instanceof Error ? err.message : String(err) },
+        );
+      }
+    }
+  };
+
+  void write();
+  const timer = setInterval(() => void write(), REFRESH_MS);
+  // Never hold the process open for the heartbeat alone.
+  timer.unref?.();
+
+  return {
+    state: {
+      setGuildId(id: string) {
+        guildId = id;
+        // Write immediately so the card flips to "Bot installed" without waiting
+        // for the next refresh tick.
+        void write();
+      },
+      setIntents(value: number) {
+        intents = value;
+        // Write immediately so the intents chip reflects the live worker without
+        // waiting for the next refresh tick.
+        void write();
+      },
+    },
+    async stop() {
+      clearInterval(timer);
+      try {
+        await getRedis().del(HEARTBEAT_KEY);
+      } catch {
+        // Best-effort — the TTL expires it anyway.
+      }
+    },
+  };
+}
+
+/**
+ * Read the current Discord gateway-worker heartbeat. Resolves to
+ * `{ alive: false }` if the key is missing or Redis is unreachable. Tolerates a
+ * legacy plain-string value (treated as alive with no guild) so a reader can
+ * outlive a payload-shape change.
+ */
+export async function getDiscordGatewayHeartbeat(): Promise<DiscordGatewayHeartbeat> {
+  try {
+    const raw = await getRedis().get(HEARTBEAT_KEY);
+    if (!raw) return { alive: false };
+    try {
+      const parsed = JSON.parse(raw) as HeartbeatPayload;
+      return {
+        alive: true,
+        lastSeenAt: parsed.lastSeenAt,
+        ...(parsed.guildId ? { guildId: parsed.guildId } : {}),
+        ...(typeof parsed.intents === "number"
+          ? { intents: parsed.intents }
+          : {}),
+      };
+    } catch {
+      // Legacy plain-string value (a bare ISO timestamp) — alive, no guild.
+      return { alive: true, lastSeenAt: raw };
+    }
+  } catch {
+    return { alive: false };
+  }
+}

package/src/lib/ingestion.ts

@@ -14,6 +14,11 @@ export interface IngestEvent {
   userEmail?: string;
   /** D1: future anonymous→identified path. Threaded into the resolver. */
   anonymousId?: string;
+  /**
+   * Discord user id (snowflake). Resolves a `discord`-keyed contact (a later
+   * per-member link merges it into the email contact).
+   */
+  discordId?: string;
   /** D2: → `user_events` + Hatchet `trigger.where`/`exitOn` ONLY. */
   eventProperties: Record<string, unknown>;
   /** D2: → `contacts.properties` merge ONLY. */
@@ -68,6 +73,7 @@ export async function ingestEvent(opts: {
     userId: event.userId,
     email: event.userEmail || undefined,
     anonymousId: event.anonymousId,
+    discordId: event.discordId,
     contactProperties: event.contactProperties,
   });
 

package/src/lib/provider-credentials.ts

@@ -54,6 +54,17 @@ export interface DerivedCredentialPayload {
   projectApiKey?: string;
   projectId?: string;
   privateHost?: string;
+  // --- Discord (kind="derived", providerId="discord") ---
+  // Server-derived during `hogsend connect discord`: the app id + public key
+  // are read by the admin connect-info / interactions routes; the guild id is
+  // captured from the bot-install OAuth grant; the bot token + client secret
+  // (when stored here rather than env) feed the gateway worker / code exchange.
+  // All optional — the store is provider-neutral and additive.
+  discordAppId?: string;
+  discordPublicKey?: string;
+  discordClientSecret?: string;
+  discordBotToken?: string;
+  discordGuildId?: string;
 }
 
 /** Row metadata — everything EXCEPT token material. Safe to surface. */
@@ -297,6 +308,25 @@ export async function deleteProviderCredential(
   return deleted.length > 0;
 }
 
+/**
+ * Purge EVERY stored credential for a provider — the oauth grant AND the
+ * server-derived config (minted webhook secret + grabbed phc_). Disconnect
+ * must leave no orphaned rows; the single-kind `deleteProviderCredential`
+ * stays unchanged so token-lifecycle callers can still target one kind.
+ * Returns which kinds were removed. Never decrypts.
+ */
+export async function deleteAllProviderCredentials(
+  db: Database,
+  providerId: string,
+): Promise<{ oauth: boolean; derived: boolean }> {
+  const [oauth, derived] = await Promise.all([
+    deleteProviderCredential(db, providerId, "oauth"),
+    deleteProviderCredential(db, providerId, "derived"),
+  ]);
+
+  return { oauth, derived };
+}
+
 /**
  * Read + decrypt the kind="derived" config for a provider. `null` when none
  * stored; throws `ProviderCredentialDecryptError` when a row exists but cannot

package/src/routes/admin/analytics.ts

@@ -14,6 +14,7 @@ import {
   provisionPostHogLoop,
 } from "../../lib/provision-posthog-loop.js";
 import { errorSchema } from "../../lib/schemas.js";
+import { invalidateStoredPosthogSecret } from "../webhooks/sources.js";
 
 /**
  * Admin analytics-connection routes — the server half of
@@ -170,9 +171,8 @@ const provisionLoopRoute = createRoute({
       description:
         "Refused: `no_posthog_credential` (no OAuth credential and no " +
         "personal API key), `posthog_not_configured` (no PostHog env signal " +
-        "at all), `webhook_secret_missing` (POSTHOG_WEBHOOK_SECRET unset), " +
-        "or `api_public_url_unreachable` (API_PUBLIC_URL is loopback — " +
-        "PostHog cannot deliver to it)",
+        "at all), or `api_public_url_unreachable` (API_PUBLIC_URL is loopback " +
+        "— PostHog cannot deliver to it)",
     },
     502: {
       content: { "application/json": { schema: provisionFailureSchema } },
@@ -273,6 +273,9 @@ export const analyticsAdminRouter = new OpenAPIHono<AppEnv>()
         ...(storedDerived ?? {}),
         webhookSecret,
       });
+      // Bust the inbound posthog webhook source's cached secret so it enforces
+      // the freshly-minted value immediately instead of after the ~30s TTL.
+      invalidateStoredPosthogSecret();
     }
 
     try {
@@ -318,9 +321,6 @@ export const analyticsAdminRouter = new OpenAPIHono<AppEnv>()
       );
     } catch (error) {
       if (error instanceof ProvisionPostHogLoopError) {
-        if (error.code === "missing-webhook-secret") {
-          return c.json({ error: "webhook_secret_missing" }, 409);
-        }
         return c.json(
           {
             error: error.code,