@inkeep/agents-work-apps 0.0.0-dev-20260211191741 → 0.0.0-dev-20260211220939

package/dist/slack/routes/oauth.js

@@ -0,0 +1,325 @@
+import { env } from "../../env.js";
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, deleteWorkspaceInstallation, storeWorkspaceInstallation } from "../services/nango.js";
+import { getSlackClient, getSlackTeamInfo, getSlackUserInfo } from "../services/client.js";
+import { getBotTokenForTeam, setBotTokenForTeam } from "../services/workspace-tokens.js";
+import "../services/index.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { createWorkAppSlackWorkspace } from "@inkeep/agents-core";
+import * as crypto$1 from "node:crypto";
+
+//#region src/slack/routes/oauth.ts
+/**
+* Slack OAuth Routes
+*
+* Endpoints for Slack workspace installation via OAuth:
+* - GET /install - Redirect to Slack OAuth page
+* - GET /oauth_redirect - Handle OAuth callback
+*/
+const logger = getLogger("slack-oauth");
+const STATE_TTL_MS = 600 * 1e3;
+/**
+* Allowed redirect domains for OAuth callbacks.
+* Validates INKEEP_AGENTS_MANAGE_UI_URL to prevent open redirect attacks.
+*/
+const ALLOWED_REDIRECT_HOSTNAMES = new Set([
+	"localhost",
+	"127.0.0.1",
+	"agents.inkeep.com"
+]);
+function isAllowedRedirectUrl(url) {
+	try {
+		const parsed = new URL(url);
+		if (ALLOWED_REDIRECT_HOSTNAMES.has(parsed.hostname)) return true;
+		if (parsed.hostname.endsWith(".inkeep.com")) return true;
+		return false;
+	} catch {
+		return false;
+	}
+}
+const manageUiUrl = env.INKEEP_AGENTS_MANAGE_UI_URL || "http://localhost:3000";
+if (!isAllowedRedirectUrl(manageUiUrl)) throw new Error(`Invalid INKEEP_AGENTS_MANAGE_UI_URL: "${manageUiUrl}" is not in the allowed redirect domains. Allowed: localhost, 127.0.0.1, *.inkeep.com`);
+function getStateSigningSecret() {
+	const secret = env.SLACK_SIGNING_SECRET;
+	if (!secret) {
+		if (env.ENVIRONMENT === "production") throw new Error("SLACK_SIGNING_SECRET is required in production for OAuth state signing");
+		logger.warn({}, "SLACK_SIGNING_SECRET not set, using insecure default. DO NOT USE IN PRODUCTION!");
+		return "insecure-dev-oauth-state-secret-change-in-production";
+	}
+	return secret;
+}
+function createOAuthState(tenantId) {
+	const state = {
+		nonce: crypto$1.randomBytes(16).toString("hex"),
+		tenantId: tenantId || "default",
+		timestamp: Date.now()
+	};
+	const data = Buffer.from(JSON.stringify(state)).toString("base64url");
+	return `${data}.${crypto$1.createHmac("sha256", getStateSigningSecret()).update(data).digest("base64url")}`;
+}
+function parseOAuthState(stateStr) {
+	try {
+		const [data, signature] = stateStr.split(".");
+		if (!data || !signature) {
+			logger.warn({}, "OAuth state missing signature");
+			return null;
+		}
+		const expectedSignature = crypto$1.createHmac("sha256", getStateSigningSecret()).update(data).digest("base64url");
+		if (signature.length !== expectedSignature.length || !crypto$1.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {
+			logger.warn({}, "Invalid OAuth state signature");
+			return null;
+		}
+		const decoded = Buffer.from(data, "base64url").toString("utf-8");
+		const state = JSON.parse(decoded);
+		if (!state.nonce || !state.timestamp) return null;
+		if (Date.now() - state.timestamp > STATE_TTL_MS) {
+			logger.warn({ timestamp: state.timestamp }, "OAuth state expired");
+			return null;
+		}
+		return state;
+	} catch {
+		logger.warn({ stateStr: stateStr?.slice(0, 20) }, "Failed to parse OAuth state");
+		return null;
+	}
+}
+const app = new OpenAPIHono();
+app.openapi(createRoute({
+	method: "get",
+	path: "/install",
+	summary: "Install Slack App",
+	description: "Redirects to Slack OAuth page for workspace installation",
+	operationId: "slack-install",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"OAuth"
+	],
+	request: { query: z.object({ tenant_id: z.string().optional() }) },
+	responses: { 302: { description: "Redirect to Slack OAuth" } }
+}), (c) => {
+	const { tenant_id: tenantId } = c.req.valid("query");
+	const clientId = env.SLACK_CLIENT_ID;
+	const redirectUri = `${env.SLACK_APP_URL}/work-apps/slack/oauth_redirect`;
+	const botScopes = [
+		"app_mentions:read",
+		"channels:history",
+		"channels:read",
+		"chat:write",
+		"chat:write.public",
+		"commands",
+		"groups:history",
+		"groups:read",
+		"im:history",
+		"im:read",
+		"im:write",
+		"team:read",
+		"users:read",
+		"users:read.email"
+	].join(",");
+	const state = createOAuthState(tenantId);
+	const slackAuthUrl = new URL("https://slack.com/oauth/v2/authorize");
+	slackAuthUrl.searchParams.set("client_id", clientId || "");
+	slackAuthUrl.searchParams.set("scope", botScopes);
+	slackAuthUrl.searchParams.set("redirect_uri", redirectUri);
+	slackAuthUrl.searchParams.set("state", state);
+	logger.info({
+		redirectUri,
+		tenantId: tenantId || "default"
+	}, "Redirecting to Slack OAuth");
+	return c.redirect(slackAuthUrl.toString());
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/oauth_redirect",
+	summary: "Slack OAuth Callback",
+	description: "Handles the OAuth callback from Slack after workspace installation",
+	operationId: "slack-oauth-redirect",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"OAuth"
+	],
+	request: { query: z.object({
+		code: z.string().optional(),
+		error: z.string().optional(),
+		state: z.string().optional()
+	}) },
+	responses: { 302: { description: "Redirect to dashboard with workspace data" } }
+}), async (c) => {
+	const { code, error, state: stateParam } = c.req.valid("query");
+	const parsedState = stateParam ? parseOAuthState(stateParam) : null;
+	const tenantId = parsedState?.tenantId || "default";
+	const dashboardUrl = `${manageUiUrl}/${tenantId}/work-apps/slack`;
+	if (!stateParam || !parsedState) {
+		logger.error({ hasState: !!stateParam }, "Invalid or missing OAuth state parameter");
+		return c.redirect(`${dashboardUrl}?error=invalid_state`);
+	}
+	if (error) {
+		logger.error({ error }, "Slack OAuth error");
+		return c.redirect(`${dashboardUrl}?error=${encodeURIComponent(error)}`);
+	}
+	if (!code) {
+		logger.error({}, "No code provided in OAuth callback");
+		return c.redirect(`${dashboardUrl}?error=no_code`);
+	}
+	try {
+		const controller = new AbortController();
+		const timeout = setTimeout(() => controller.abort(), 1e4);
+		let tokenResponse;
+		try {
+			tokenResponse = await fetch("https://slack.com/api/oauth.v2.access", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: new URLSearchParams({
+					client_id: env.SLACK_CLIENT_ID || "",
+					client_secret: env.SLACK_CLIENT_SECRET || "",
+					code,
+					redirect_uri: `${env.SLACK_APP_URL}/work-apps/slack/oauth_redirect`
+				}),
+				signal: controller.signal
+			});
+		} catch (fetchErr) {
+			clearTimeout(timeout);
+			if (fetchErr.name === "AbortError") {
+				logger.error({}, "Slack token exchange timed out");
+				return c.redirect(`${dashboardUrl}?error=timeout`);
+			}
+			throw fetchErr;
+		} finally {
+			clearTimeout(timeout);
+		}
+		const tokenData = await tokenResponse.json();
+		if (!tokenData.ok) {
+			logger.error({ error: tokenData.error }, "Slack token exchange failed");
+			return c.redirect(`${dashboardUrl}?error=${encodeURIComponent(tokenData.error || "token_exchange_failed")}`);
+		}
+		const client = getSlackClient(tokenData.access_token);
+		const teamInfo = await getSlackTeamInfo(client);
+		logger.debug({ teamInfo }, "Retrieved Slack team info");
+		const installerUserId = tokenData.authed_user?.id;
+		let installerUserName;
+		if (installerUserId) try {
+			const userInfo = await getSlackUserInfo(client, installerUserId);
+			installerUserName = userInfo?.realName || userInfo?.name;
+		} catch {
+			logger.warn({ installerUserId }, "Could not fetch installer user info");
+		}
+		const workspaceData = {
+			ok: true,
+			teamId: tokenData.team?.id,
+			teamName: tokenData.team?.name,
+			teamDomain: teamInfo?.domain,
+			workspaceUrl: teamInfo?.url,
+			workspaceIconUrl: teamInfo?.icon,
+			enterpriseId: tokenData.enterprise?.id,
+			enterpriseName: tokenData.enterprise?.name,
+			isEnterpriseInstall: tokenData.is_enterprise_install || false,
+			botUserId: tokenData.bot_user_id,
+			botToken: tokenData.access_token,
+			botScopes: tokenData.scope,
+			installerUserId,
+			installerUserName,
+			appId: tokenData.app_id,
+			installedAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		if (workspaceData.teamId && workspaceData.botToken) {
+			clearWorkspaceConnectionCache(workspaceData.teamId);
+			const nangoResult = await storeWorkspaceInstallation({
+				teamId: workspaceData.teamId,
+				teamName: workspaceData.teamName,
+				teamDomain: workspaceData.teamDomain,
+				workspaceUrl: workspaceData.workspaceUrl,
+				workspaceIconUrl: workspaceData.workspaceIconUrl,
+				enterpriseId: workspaceData.enterpriseId,
+				enterpriseName: workspaceData.enterpriseName,
+				botUserId: workspaceData.botUserId,
+				botToken: workspaceData.botToken,
+				botScopes: workspaceData.botScopes,
+				installerUserId: workspaceData.installerUserId,
+				installerUserName: workspaceData.installerUserName,
+				isEnterpriseInstall: workspaceData.isEnterpriseInstall,
+				appId: workspaceData.appId,
+				tenantId,
+				installationSource: "dashboard"
+			});
+			if (nangoResult.success && nangoResult.connectionId) {
+				logger.info({
+					teamId: workspaceData.teamId,
+					connectionId: nangoResult.connectionId
+				}, "Stored workspace installation in Nango");
+				try {
+					await createWorkAppSlackWorkspace(runDbClient_default)({
+						tenantId,
+						slackTeamId: workspaceData.teamId,
+						slackEnterpriseId: workspaceData.enterpriseId,
+						slackAppId: workspaceData.appId,
+						slackTeamName: workspaceData.teamName,
+						nangoConnectionId: nangoResult.connectionId,
+						status: "active"
+					});
+					logger.info({
+						teamId: workspaceData.teamId,
+						tenantId
+					}, "Persisted workspace installation to database");
+				} catch (dbError) {
+					const dbErrorMessage = dbError instanceof Error ? dbError.message : String(dbError);
+					if (dbErrorMessage.includes("duplicate key") || dbErrorMessage.includes("unique constraint")) logger.info({
+						teamId: workspaceData.teamId,
+						tenantId
+					}, "Workspace already exists in database");
+					else {
+						logger.error({
+							error: dbErrorMessage,
+							teamId: workspaceData.teamId
+						}, "Failed to persist workspace to database, rolling back Nango connection");
+						try {
+							await deleteWorkspaceInstallation(nangoResult.connectionId);
+						} catch (rollbackError) {
+							logger.error({
+								error: rollbackError,
+								connectionId: nangoResult.connectionId
+							}, "Failed to rollback Nango connection after DB failure");
+						}
+						return c.redirect(`${dashboardUrl}?error=installation_failed`);
+					}
+				}
+			} else logger.warn({ teamId: workspaceData.teamId }, "Failed to store in Nango, falling back to memory");
+			setBotTokenForTeam(workspaceData.teamId, {
+				botToken: workspaceData.botToken,
+				teamName: workspaceData.teamName || "",
+				installedAt: workspaceData.installedAt
+			});
+		}
+		logger.info({
+			teamId: workspaceData.teamId,
+			teamName: workspaceData.teamName
+		}, "Slack workspace installation successful");
+		const safeWorkspaceData = {
+			ok: workspaceData.ok,
+			teamId: workspaceData.teamId,
+			teamName: workspaceData.teamName,
+			teamDomain: workspaceData.teamDomain,
+			enterpriseId: workspaceData.enterpriseId,
+			enterpriseName: workspaceData.enterpriseName,
+			isEnterpriseInstall: workspaceData.isEnterpriseInstall,
+			botUserId: workspaceData.botUserId,
+			botScopes: workspaceData.botScopes,
+			installerUserId: workspaceData.installerUserId,
+			installedAt: workspaceData.installedAt,
+			connectionId: workspaceData.teamId ? computeWorkspaceConnectionId({
+				teamId: workspaceData.teamId,
+				enterpriseId: workspaceData.enterpriseId
+			}) : void 0
+		};
+		const encodedData = encodeURIComponent(JSON.stringify(safeWorkspaceData));
+		return c.redirect(`${dashboardUrl}?success=true&workspace=${encodedData}`);
+	} catch (err) {
+		logger.error({ error: err }, "Slack OAuth callback error");
+		return c.redirect(`${dashboardUrl}?error=callback_error`);
+	}
+});
+var oauth_default = app;
+
+//#endregion
+export { createOAuthState, oauth_default as default, getBotTokenForTeam, getStateSigningSecret, parseOAuthState, setBotTokenForTeam };

package/dist/slack/routes/users.d.ts

@@ -0,0 +1,10 @@
+import { WorkAppsVariables } from "../types.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/routes/users.d.ts
+
+declare const app: OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/slack/routes/users.js

@@ -0,0 +1,358 @@
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { createConnectSession } from "../services/nango.js";
+import "../services/index.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { createWorkAppSlackUserMapping, deleteWorkAppSlackUserMapping, findWorkAppSlackUserMapping, findWorkAppSlackUserMappingByInkeepUserId, verifySlackLinkToken } from "@inkeep/agents-core";
+
+//#region src/slack/routes/users.ts
+/**
+* Slack User Routes
+*
+* Endpoints for user linking:
+* - GET /link-status - Check link status
+* - POST /link/verify-token - Verify JWT link token (primary linking method)
+* - POST /connect - Create Nango session
+* - POST /disconnect - Disconnect user
+*/
+const logger = getLogger("slack-users");
+/**
+* Verify the authenticated caller matches the requested userId.
+* System tokens and API keys are allowed to act on behalf of any user.
+*/
+function isAuthorizedForUser(c, requestedUserId) {
+	const sessionUserId = c.get("userId");
+	if (!sessionUserId) return false;
+	if (sessionUserId === requestedUserId) return true;
+	if (sessionUserId === "system" || sessionUserId.startsWith("apikey:")) return true;
+	if (sessionUserId === "dev-user" && (process.env.ENVIRONMENT === "development" || process.env.ENVIRONMENT === "test")) return true;
+	return false;
+}
+const app = new OpenAPIHono();
+app.openapi(createRoute({
+	method: "get",
+	path: "/link-status",
+	summary: "Check Link Status",
+	description: "Check if a Slack user is linked to an Inkeep account",
+	operationId: "slack-link-status",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"Users"
+	],
+	request: { query: z.object({
+		slackUserId: z.string(),
+		slackTeamId: z.string(),
+		tenantId: z.string().optional().default("default")
+	}) },
+	responses: { 200: {
+		description: "Link status",
+		content: { "application/json": { schema: z.object({
+			linked: z.boolean(),
+			linkId: z.string().optional(),
+			linkedAt: z.string().optional(),
+			slackUsername: z.string().optional()
+		}) } }
+	} }
+}), async (c) => {
+	const { slackUserId, slackTeamId, tenantId } = c.req.valid("query");
+	const sessionTenantId = c.get("tenantId");
+	if (sessionTenantId && sessionTenantId !== tenantId) return c.json({ linked: false });
+	const link = await findWorkAppSlackUserMapping(runDbClient_default)(tenantId, slackUserId, slackTeamId, "work-apps-slack");
+	if (link) return c.json({
+		linked: true,
+		linkId: link.id,
+		linkedAt: link.linkedAt,
+		slackUsername: link.slackUsername || void 0
+	});
+	return c.json({ linked: false });
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/link/verify-token",
+	summary: "Verify Link Token",
+	description: "Verify a JWT link token and create user mapping",
+	operationId: "slack-verify-link-token",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"Users"
+	],
+	request: { body: { content: { "application/json": { schema: z.object({
+		token: z.string().min(1),
+		userId: z.string().min(1),
+		userEmail: z.string().email().optional()
+	}) } } } },
+	responses: {
+		200: {
+			description: "Link successful",
+			content: { "application/json": { schema: z.object({
+				success: z.boolean(),
+				linkId: z.string().optional(),
+				slackUsername: z.string().optional(),
+				slackTeamId: z.string().optional(),
+				tenantId: z.string().optional()
+			}) } }
+		},
+		400: { description: "Invalid or expired token" },
+		409: { description: "Account already linked" }
+	}
+}), async (c) => {
+	const body = c.req.valid("json");
+	try {
+		const verifyResult = await verifySlackLinkToken(body.token);
+		if (!verifyResult.valid || !verifyResult.payload) {
+			logger.warn({ error: verifyResult.error }, "Invalid link token");
+			return c.json({ error: verifyResult.error || "Invalid or expired link token. Please run /inkeep link in Slack to get a new one." }, 400);
+		}
+		const { tenantId, slack } = verifyResult.payload;
+		const { teamId, userId: slackUserId, enterpriseId, username } = slack;
+		const sessionUserId = c.get("userId");
+		const inkeepUserId = sessionUserId && sessionUserId !== "dev-user" && !sessionUserId.startsWith("apikey:") && sessionUserId !== "system" ? sessionUserId : body.userId;
+		const existingLink = await findWorkAppSlackUserMapping(runDbClient_default)(tenantId, slackUserId, teamId, "work-apps-slack");
+		if (existingLink && existingLink.inkeepUserId === inkeepUserId) {
+			logger.info({
+				slackUserId,
+				tenantId,
+				inkeepUserId: body.userId
+			}, "Slack user already linked to same account");
+			return c.json({
+				success: true,
+				linkId: existingLink.id,
+				slackUsername: existingLink.slackUsername || void 0,
+				slackTeamId: teamId,
+				tenantId
+			});
+		}
+		if (existingLink) logger.info({
+			slackUserId,
+			existingUserId: existingLink.inkeepUserId,
+			newUserId: inkeepUserId,
+			tenantId
+		}, "Slack user already linked, updating to new user");
+		const slackUserMapping = await createWorkAppSlackUserMapping(runDbClient_default)({
+			tenantId,
+			clientId: "work-apps-slack",
+			slackUserId,
+			slackTeamId: teamId,
+			slackEnterpriseId: enterpriseId,
+			slackUsername: username,
+			slackEmail: body.userEmail,
+			inkeepUserId
+		});
+		logger.info({
+			slackUserId,
+			slackTeamId: teamId,
+			tenantId,
+			inkeepUserId: body.userId,
+			linkId: slackUserMapping.id
+		}, "Successfully linked Slack user to Inkeep account via JWT token");
+		return c.json({
+			success: true,
+			linkId: slackUserMapping.id,
+			slackUsername: username || void 0,
+			slackTeamId: teamId,
+			tenantId
+		});
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		if (errorMessage.includes("duplicate key") || errorMessage.includes("unique constraint")) {
+			logger.warn({ userId: body.userId }, "Slack user already linked");
+			return c.json({ error: "This Slack account is already linked to an Inkeep account." }, 409);
+		}
+		logger.error({
+			error,
+			userId: body.userId
+		}, "Failed to verify link token");
+		return c.json({ error: "Failed to verify link. Please try again." }, 500);
+	}
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/connect",
+	summary: "Create Nango Connect Session",
+	description: "Create a Nango session for Slack OAuth flow. Used by the dashboard.",
+	operationId: "slack-user-connect",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"Users"
+	],
+	request: { body: { content: { "application/json": { schema: z.object({
+		userId: z.string().describe("Inkeep user ID"),
+		userEmail: z.string().optional().describe("User email"),
+		userName: z.string().optional().describe("User display name"),
+		tenantId: z.string().optional().describe("Tenant ID")
+	}) } } } },
+	responses: {
+		200: {
+			description: "Connect session created",
+			content: { "application/json": { schema: z.object({
+				sessionToken: z.string().optional(),
+				connectUrl: z.string().optional()
+			}) } }
+		},
+		400: { description: "Missing required userId" },
+		500: { description: "Failed to create session" }
+	}
+}), async (c) => {
+	const { userId, userEmail, userName, tenantId } = c.req.valid("json");
+	if (!userId) return c.json({ error: "userId is required" }, 400);
+	if (!isAuthorizedForUser(c, userId)) return c.json({ error: "Can only create sessions for your own account" }, 403);
+	logger.debug({
+		userId,
+		userEmail,
+		userName
+	}, "Creating Nango connect session");
+	const session = await createConnectSession({
+		userId,
+		userEmail,
+		userName,
+		tenantId: tenantId || "default"
+	});
+	if (!session) return c.json({ error: "Failed to create session" }, 500);
+	return c.json(session);
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/disconnect",
+	summary: "Disconnect User",
+	description: "Unlink a Slack user from their Inkeep account.",
+	operationId: "slack-user-disconnect",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"Users"
+	],
+	request: { body: { content: { "application/json": { schema: z.object({
+		userId: z.string().optional().describe("Inkeep user ID"),
+		slackUserId: z.string().optional().describe("Slack user ID"),
+		slackTeamId: z.string().optional().describe("Slack team ID"),
+		tenantId: z.string().optional().describe("Tenant ID")
+	}) } } } },
+	responses: {
+		200: {
+			description: "User disconnected",
+			content: { "application/json": { schema: z.object({ success: z.boolean() }) } }
+		},
+		400: { description: "Missing required identifiers" },
+		404: { description: "No connection found" },
+		500: { description: "Failed to disconnect" }
+	}
+}), async (c) => {
+	const { userId, slackUserId, slackTeamId, tenantId } = c.req.valid("json");
+	if (!userId && !(slackUserId && slackTeamId)) return c.json({ error: "Either userId or (slackUserId + slackTeamId) is required" }, 400);
+	if (userId && !isAuthorizedForUser(c, userId)) return c.json({ error: "Can only disconnect your own account" }, 403);
+	try {
+		const effectiveTenantId = tenantId || "default";
+		if (slackUserId && slackTeamId) {
+			if (await deleteWorkAppSlackUserMapping(runDbClient_default)(effectiveTenantId, slackUserId, slackTeamId, "work-apps-slack")) {
+				logger.info({
+					slackUserId,
+					slackTeamId,
+					tenantId: effectiveTenantId
+				}, "User unlinked");
+				return c.json({ success: true });
+			}
+			return c.json({ error: "No link found for this user" }, 404);
+		}
+		if (userId) {
+			const userMappings = await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(userId);
+			if (userMappings.length === 0) return c.json({ error: "No link found for this user" }, 404);
+			let deletedCount = 0;
+			for (const mapping of userMappings) if (await deleteWorkAppSlackUserMapping(runDbClient_default)(mapping.tenantId, mapping.slackUserId, mapping.slackTeamId, "work-apps-slack")) deletedCount++;
+			logger.info({
+				userId,
+				deletedCount
+			}, "User disconnected from Slack");
+			return c.json({ success: true });
+		}
+		return c.json({ error: "No connection found for this user" }, 404);
+	} catch (error) {
+		logger.error({
+			error,
+			userId,
+			slackUserId,
+			slackTeamId
+		}, "Failed to disconnect from Slack");
+		return c.json({ error: "Failed to disconnect" }, 500);
+	}
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/status",
+	summary: "Get Connection Status",
+	description: "Check if an Inkeep user has a linked Slack account.",
+	operationId: "slack-user-status",
+	tags: [
+		"Work Apps",
+		"Slack",
+		"Users"
+	],
+	request: { query: z.object({ userId: z.string().describe("Inkeep user ID") }) },
+	responses: {
+		200: {
+			description: "Connection status",
+			content: { "application/json": { schema: z.object({
+				connected: z.boolean(),
+				connection: z.object({
+					connectionId: z.string(),
+					appUserId: z.string(),
+					appUserEmail: z.string(),
+					slackDisplayName: z.string(),
+					linkedAt: z.string(),
+					tenantId: z.string(),
+					slackUserId: z.string(),
+					slackTeamId: z.string()
+				}).nullable()
+			}) } }
+		},
+		400: { description: "Missing userId" },
+		500: { description: "Failed to get status" }
+	}
+}), async (c) => {
+	const { userId: appUserId } = c.req.valid("query");
+	if (!isAuthorizedForUser(c, appUserId)) return c.json({ error: "Can only query your own connection status" }, 403);
+	try {
+		const userMappings = await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(appUserId);
+		if (userMappings.length === 0) {
+			logger.debug({
+				appUserId,
+				connected: false
+			}, "Retrieved connection status from DB");
+			return c.json({
+				connected: false,
+				connection: null
+			});
+		}
+		const mostRecent = userMappings.sort((a, b) => new Date(b.linkedAt).getTime() - new Date(a.linkedAt).getTime())[0];
+		const connection = {
+			connectionId: mostRecent.id,
+			appUserId: mostRecent.inkeepUserId,
+			appUserEmail: mostRecent.slackEmail || "",
+			slackDisplayName: mostRecent.slackUsername || "",
+			linkedAt: mostRecent.linkedAt,
+			tenantId: mostRecent.tenantId,
+			slackUserId: mostRecent.slackUserId,
+			slackTeamId: mostRecent.slackTeamId
+		};
+		logger.debug({
+			appUserId,
+			connected: true
+		}, "Retrieved connection status from DB");
+		return c.json({
+			connected: true,
+			connection
+		});
+	} catch (error) {
+		logger.error({
+			error,
+			appUserId
+		}, "Failed to get connection status");
+		return c.json({ error: "Failed to get connection status" }, 500);
+	}
+});
+var users_default = app;
+
+//#endregion
+export { users_default as default };