@inkeep/agents-work-apps 0.0.0-dev-20260212083055 → 0.0.0-dev-20260212092330

package/dist/env.d.ts

@@ -28,6 +28,17 @@ declare const envSchema: z.ZodObject<{
   GITHUB_STATE_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
   GITHUB_APP_NAME: z.ZodOptional<z.ZodString>;
   GITHUB_MCP_API_KEY: z.ZodOptional<z.ZodString>;
+  SLACK_CLIENT_ID: z.ZodOptional<z.ZodString>;
+  SLACK_CLIENT_SECRET: z.ZodOptional<z.ZodString>;
+  SLACK_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
+  SLACK_BOT_TOKEN: z.ZodOptional<z.ZodString>;
+  SLACK_APP_URL: z.ZodOptional<z.ZodString>;
+  NANGO_SECRET_KEY: z.ZodOptional<z.ZodString>;
+  NANGO_SLACK_SECRET_KEY: z.ZodOptional<z.ZodString>;
+  NANGO_SLACK_INTEGRATION_ID: z.ZodOptional<z.ZodString>;
+  NANGO_SERVER_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_JWT_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const env: {
   NODE_ENV: "development" | "production" | "test";
@@ -41,6 +52,17 @@ declare const env: {
   GITHUB_STATE_SIGNING_SECRET?: string | undefined;
   GITHUB_APP_NAME?: string | undefined;
   GITHUB_MCP_API_KEY?: string | undefined;
+  SLACK_CLIENT_ID?: string | undefined;
+  SLACK_CLIENT_SECRET?: string | undefined;
+  SLACK_SIGNING_SECRET?: string | undefined;
+  SLACK_BOT_TOKEN?: string | undefined;
+  SLACK_APP_URL?: string | undefined;
+  NANGO_SECRET_KEY?: string | undefined;
+  NANGO_SLACK_SECRET_KEY?: string | undefined;
+  NANGO_SLACK_INTEGRATION_ID?: string | undefined;
+  NANGO_SERVER_URL?: string | undefined;
+  INKEEP_AGENTS_JWT_SIGNING_SECRET?: string | undefined;
+  INKEEP_AGENTS_API_URL?: string | undefined;
 };
 type Env = z.infer<typeof envSchema>;
 //#endregion

package/dist/env.js

@@ -22,14 +22,25 @@ const envSchema = z.object({
 		"warn",
 		"error"
 	]).default("info").describe("Logging verbosity level"),
-	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
+	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().describe("PostgreSQL connection URL for the runtime database"),
 	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().describe("URL where the management UI is hosted"),
 	GITHUB_APP_ID: z.string().optional().describe("GitHub App ID for GitHub integration"),
 	GITHUB_APP_PRIVATE_KEY: z.string().optional().describe("GitHub App private key for authentication"),
 	GITHUB_WEBHOOK_SECRET: z.string().optional().describe("Secret for validating GitHub webhook payloads"),
 	GITHUB_STATE_SIGNING_SECRET: z.string().min(32, "GITHUB_STATE_SIGNING_SECRET must be at least 32 characters").optional().describe("Secret for signing GitHub OAuth state (minimum 32 characters)"),
 	GITHUB_APP_NAME: z.string().optional().describe("Name of the GitHub App"),
-	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP")
+	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP"),
+	SLACK_CLIENT_ID: z.string().optional().describe("Slack App Client ID"),
+	SLACK_CLIENT_SECRET: z.string().optional().describe("Slack App Client Secret"),
+	SLACK_SIGNING_SECRET: z.string().optional().describe("Slack App Signing Secret"),
+	SLACK_BOT_TOKEN: z.string().optional().describe("Slack Bot Token (for testing)"),
+	SLACK_APP_URL: z.string().optional().describe("Slack App Install URL"),
+	NANGO_SECRET_KEY: z.string().optional().describe("Nango Secret Key"),
+	NANGO_SLACK_SECRET_KEY: z.string().optional().describe("Nango Slack-specific Secret Key"),
+	NANGO_SLACK_INTEGRATION_ID: z.string().optional().describe("Nango Slack Integration ID"),
+	NANGO_SERVER_URL: z.string().optional().describe("Nango Server URL"),
+	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().optional().describe("JWT signing secret shared with agents-api. Required in production (min 32 chars). Used for Slack user tokens and link tokens."),
+	INKEEP_AGENTS_API_URL: z.string().optional().describe("Inkeep Agents API URL")
 });
 const parseEnv = () => {
 	try {

package/dist/slack/i18n/index.d.ts

@@ -0,0 +1,2 @@
+import { SlackStrings, SlackStringsType } from "./strings.js";
+export { SlackStrings, type SlackStringsType };

package/dist/slack/i18n/index.js

@@ -0,0 +1,3 @@
+import { SlackStrings } from "./strings.js";
+
+export { SlackStrings };

package/dist/slack/i18n/strings.d.ts

@@ -0,0 +1,73 @@
+//#region src/slack/i18n/strings.d.ts
+/**
+ * Slack UI/UX Internationalization Strings
+ *
+ * Centralized strings for all Slack-facing UI text.
+ * Update this file to change text across the entire Slack integration.
+ */
+declare const SlackStrings: {
+  readonly buttons: {
+    readonly triggerAgent: "Trigger Agent";
+    readonly send: "Send";
+    readonly followUp: "Follow Up";
+    readonly cancel: "Cancel";
+    readonly openDashboard: "⚙️ Open Dashboard";
+  };
+  readonly modals: {
+    readonly triggerAgent: "Trigger Agent";
+    readonly triggerAgentThread: "Trigger Agent (Thread)";
+    readonly askAboutMessage: "Ask About Message";
+    readonly followUp: "Follow Up";
+  };
+  readonly labels: {
+    readonly project: "Project";
+    readonly agent: "Agent";
+    readonly prompt: "Prompt";
+    readonly additionalInstructions: "Additional Instructions";
+    readonly context: "Context";
+  };
+  readonly placeholders: {
+    readonly selectProject: "Select a project...";
+    readonly selectAgent: "Select an agent...";
+    readonly enterPrompt: "Enter your prompt or question...";
+    readonly additionalInstructionsOptional: "Additional instructions (optional)...";
+    readonly additionalInstructionsMessage: "Additional instructions or question about this message...";
+  };
+  readonly visibility: {
+    readonly includeThreadContext: "Include thread context";
+  };
+  readonly context: {
+    readonly poweredBy: (agentName: string) => string;
+    readonly privateResponse: "_Private response_";
+  };
+  readonly usage: {
+    readonly mentionEmpty: string;
+  };
+  readonly status: {
+    readonly thinking: (agentName: string) => string;
+    readonly noAgentsAvailable: "No agents available";
+    readonly noProjectsConfigured: "⚙️ No projects configured. Please set up projects in the dashboard.";
+  };
+  readonly errors: {
+    readonly generic: "Sorry, something went wrong. Please try again.";
+    readonly failedToOpenSelector: "❌ Failed to open agent selector. Please try again.";
+  };
+  readonly help: {
+    readonly title: "Inkeep — How to Use";
+    readonly publicSection: string;
+    readonly privateSection: string;
+    readonly otherCommands: string;
+  };
+  readonly agentList: {
+    readonly title: "🤖 Available Agents";
+    readonly usage: "Usage:";
+    readonly runUsage: "`/inkeep run \"agent name\" question` - Run a specific agent";
+    readonly andMore: (count: number) => string;
+  };
+  readonly messageContext: {
+    readonly label: "Message:";
+  };
+};
+type SlackStringsType = typeof SlackStrings;
+//#endregion
+export { SlackStrings, SlackStringsType };

package/dist/slack/i18n/strings.js

@@ -0,0 +1,67 @@
+//#region src/slack/i18n/strings.ts
+/**
+* Slack UI/UX Internationalization Strings
+*
+* Centralized strings for all Slack-facing UI text.
+* Update this file to change text across the entire Slack integration.
+*/
+const SlackStrings = {
+	buttons: {
+		triggerAgent: "Trigger Agent",
+		send: "Send",
+		followUp: "Follow Up",
+		cancel: "Cancel",
+		openDashboard: "⚙️ Open Dashboard"
+	},
+	modals: {
+		triggerAgent: "Trigger Agent",
+		triggerAgentThread: "Trigger Agent (Thread)",
+		askAboutMessage: "Ask About Message",
+		followUp: "Follow Up"
+	},
+	labels: {
+		project: "Project",
+		agent: "Agent",
+		prompt: "Prompt",
+		additionalInstructions: "Additional Instructions",
+		context: "Context"
+	},
+	placeholders: {
+		selectProject: "Select a project...",
+		selectAgent: "Select an agent...",
+		enterPrompt: "Enter your prompt or question...",
+		additionalInstructionsOptional: "Additional instructions (optional)...",
+		additionalInstructionsMessage: "Additional instructions or question about this message..."
+	},
+	visibility: { includeThreadContext: "Include thread context" },
+	context: {
+		poweredBy: (agentName) => `Powered by *${agentName}* via Inkeep`,
+		privateResponse: "_Private response_"
+	},
+	usage: { mentionEmpty: "*To use your Inkeep agent, include a message:*\n\n• `@Inkeep <message>` — Send a message to your agent (reply appears in a thread)\n• `@Inkeep <message>` in a thread — Includes the thread as context for your agent\n• `@Inkeep` in a thread — Triggers your agent using the full thread as context\n\n💡 Use `/inkeep help` for all available commands." },
+	status: {
+		thinking: (agentName) => `_${agentName} is thinking..._`,
+		noAgentsAvailable: "No agents available",
+		noProjectsConfigured: "⚙️ No projects configured. Please set up projects in the dashboard."
+	},
+	errors: {
+		generic: "Sorry, something went wrong. Please try again.",
+		failedToOpenSelector: "❌ Failed to open agent selector. Please try again."
+	},
+	help: {
+		title: "Inkeep — How to Use",
+		publicSection: "🔊 *Public* — everyone in the channel can see the response\n\n• `@Inkeep <message>` — Send a message to your agent\n• `@Inkeep <message>` in a thread — Includes thread as context\n• `@Inkeep` in a thread — Uses the full thread as context",
+		privateSection: "🔒 *Private* — only you can see the response\n\n• `/inkeep <message>` — Send a message to your agent\n• `/inkeep` — Open the agent picker to choose an agent and prompt",
+		otherCommands: "⚙️ *Other Commands*\n\n• `/inkeep run \"agent name\" <message>` — Use a specific agent\n• `/inkeep list` — List available agents\n• `/inkeep status` — Check your connection and agent config\n• `/inkeep link` / `/inkeep unlink` — Manage account connection\n• `/inkeep help` — Show this message"
+	},
+	agentList: {
+		title: "🤖 Available Agents",
+		usage: "Usage:",
+		runUsage: "`/inkeep run \"agent name\" question` - Run a specific agent",
+		andMore: (count) => `...and ${count} more`
+	},
+	messageContext: { label: "Message:" }
+};
+
+//#endregion
+export { SlackStrings };

package/dist/slack/index.d.ts

@@ -0,0 +1,18 @@
+import { ManageAppVariables, WorkAppsVariables } from "./types.js";
+import { DefaultAgentConfig, SlackWorkspaceConnection, WorkspaceInstallData, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setWorkspaceDefaultAgent, storeWorkspaceInstallation, updateConnectionMetadata } from "./services/nango.js";
+import { getChannelAgentConfig, getWorkspaceDefaultAgent } from "./services/events/utils.js";
+import "./services/events/index.js";
+import { getBotTokenForTeam, setBotTokenForTeam } from "./services/workspace-tokens.js";
+import "./routes/oauth.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/index.d.ts
+
+declare function createSlackRoutes(): OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+declare const slackRoutes: OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+//#endregion
+export { DefaultAgentConfig, ManageAppVariables, SlackWorkspaceConnection, WorkAppsVariables, WorkspaceInstallData, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, createSlackRoutes, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setBotTokenForTeam, setWorkspaceDefaultAgent, slackRoutes, storeWorkspaceInstallation, updateConnectionMetadata };

package/dist/slack/index.js

@@ -0,0 +1,28 @@
+import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setWorkspaceDefaultAgent, storeWorkspaceInstallation, updateConnectionMetadata } from "./services/nango.js";
+import { getChannelAgentConfig, getWorkspaceDefaultAgent } from "./services/events/utils.js";
+import { getBotTokenForTeam, setBotTokenForTeam } from "./services/workspace-tokens.js";
+import "./services/events/index.js";
+import "./routes/oauth.js";
+import routes_default from "./routes/index.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/index.ts
+/**
+* Slack Work App
+*
+* Provides Slack integration for Inkeep Agents including:
+* - OAuth-based workspace installation
+* - User account linking via JWT tokens
+* - Slash commands for agent interaction
+* - @mention support for workspace-wide agent access
+* - Channel-specific agent configuration
+*/
+function createSlackRoutes() {
+	const app = new OpenAPIHono();
+	app.route("/", routes_default);
+	return app;
+}
+const slackRoutes = createSlackRoutes();
+
+//#endregion
+export { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, createSlackRoutes, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setBotTokenForTeam, setWorkspaceDefaultAgent, slackRoutes, storeWorkspaceInstallation, updateConnectionMetadata };

package/dist/slack/middleware/permissions.d.ts

@@ -0,0 +1,31 @@
+import { ManageAppVariables } from "../types.js";
+import * as hono0 from "hono";
+
+//#region src/slack/middleware/permissions.d.ts
+/**
+ * Check if user has admin role (owner or admin)
+ */
+declare function isOrgAdmin(tenantRole: string | undefined): boolean;
+/**
+ * Middleware that requires Inkeep org admin/owner role.
+ * Use for workspace-level settings that only Inkeep organization admins can modify.
+ */
+declare const requireWorkspaceAdmin: <Env extends {
+  Variables: ManageAppVariables;
+} = {
+  Variables: ManageAppVariables;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
+/**
+ * Middleware that requires either:
+ * 1. Org admin/owner role (can modify any channel), OR
+ * 2. Member role AND membership in the specific Slack channel
+ *
+ * Use for channel-level settings where members can configure their own channels.
+ */
+declare const requireChannelMemberOrAdmin: <Env extends {
+  Variables: ManageAppVariables;
+} = {
+  Variables: ManageAppVariables;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
+//#endregion
+export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/middleware/permissions.js

@@ -0,0 +1,159 @@
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { findWorkspaceConnectionByTeamId } from "../services/nango.js";
+import { checkUserIsChannelMember, getSlackClient } from "../services/client.js";
+import { OrgRoles, createApiError, findWorkAppSlackUserMappingByInkeepUserId, getUserOrganizationsFromDb } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+
+//#region src/slack/middleware/permissions.ts
+const logger = getLogger("slack-permissions");
+/**
+* Check if user has admin role (owner or admin)
+*/
+function isOrgAdmin(tenantRole) {
+	return tenantRole === OrgRoles.OWNER || tenantRole === OrgRoles.ADMIN;
+}
+/**
+* Resolve tenantId and tenantRole from a Slack teamId.
+* Looks up the workspace connection to find the owning tenant,
+* then checks the user's org membership to determine their role.
+*
+* This is needed because /work-apps/* routes don't go through requireTenantAccess
+* middleware (which normally sets tenantRole on /manage/* routes).
+*/
+async function resolveWorkAppTenantContext(c, teamId, userId) {
+	const workspace = await findWorkspaceConnectionByTeamId(teamId);
+	if (!workspace?.tenantId) throw createApiError({
+		code: "not_found",
+		message: "Slack workspace not found or not associated with a tenant",
+		instance: c.req.path
+	});
+	const orgAccess = (await getUserOrganizationsFromDb(runDbClient_default)(userId)).find((org) => org.organizationId === workspace.tenantId);
+	if (!orgAccess) throw createApiError({
+		code: "forbidden",
+		message: "Access denied to this organization",
+		instance: c.req.path
+	});
+	c.set("tenantId", workspace.tenantId);
+	c.set("tenantRole", orgAccess.role);
+}
+/**
+* Middleware that requires Inkeep org admin/owner role.
+* Use for workspace-level settings that only Inkeep organization admins can modify.
+*/
+const requireWorkspaceAdmin = () => createMiddleware(async (c, next) => {
+	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "unauthorized",
+		message: "User context not found",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	const teamId = c.req.param("teamId") || c.req.param("workspaceId");
+	if (teamId && !c.get("tenantId")) await resolveWorkAppTenantContext(c, teamId, userId);
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	if (!tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "Organization context not found",
+		instance: c.req.path
+	});
+	if (!isOrgAdmin(tenantRole)) throw createApiError({
+		code: "forbidden",
+		message: "Only organization administrators can modify workspace settings",
+		instance: c.req.path,
+		extensions: {
+			requiredRole: "admin or owner",
+			currentRole: tenantRole
+		}
+	});
+	await next();
+});
+/**
+* Middleware that requires either:
+* 1. Org admin/owner role (can modify any channel), OR
+* 2. Member role AND membership in the specific Slack channel
+*
+* Use for channel-level settings where members can configure their own channels.
+*/
+const requireChannelMemberOrAdmin = () => createMiddleware(async (c, next) => {
+	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "unauthorized",
+		message: "User context not found",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	const teamId = c.req.param("teamId");
+	if (teamId && !c.get("tenantId")) await resolveWorkAppTenantContext(c, teamId, userId);
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	if (!tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "Organization context not found",
+		instance: c.req.path
+	});
+	if (isOrgAdmin(tenantRole)) {
+		await next();
+		return;
+	}
+	const channelId = c.req.param("channelId");
+	if (!teamId || !channelId) throw createApiError({
+		code: "bad_request",
+		message: "Team ID and Channel ID are required",
+		instance: c.req.path
+	});
+	const userMapping = (await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(userId)).find((m) => m.tenantId === tenantId && m.slackTeamId === teamId);
+	if (!userMapping) throw createApiError({
+		code: "forbidden",
+		message: "You must link your Slack account to modify channel settings. Use /inkeep link in Slack.",
+		instance: c.req.path
+	});
+	const workspace = await findWorkspaceConnectionByTeamId(teamId);
+	if (!workspace?.botToken) throw createApiError({
+		code: "not_found",
+		message: "Slack workspace not found or not properly configured",
+		instance: c.req.path
+	});
+	if (!await checkUserIsChannelMember(getSlackClient(workspace.botToken), channelId, userMapping.slackUserId)) {
+		logger.info({
+			userId,
+			slackUserId: userMapping.slackUserId,
+			channelId,
+			teamId
+		}, "User is not a member of the channel");
+		throw createApiError({
+			code: "forbidden",
+			message: "You can only configure channels you are a member of",
+			instance: c.req.path,
+			extensions: {
+				channelId,
+				reason: "not_channel_member"
+			}
+		});
+	}
+	logger.debug({
+		userId,
+		slackUserId: userMapping.slackUserId,
+		channelId,
+		teamId
+	}, "User verified as channel member");
+	await next();
+});
+
+//#endregion
+export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/routes/events.d.ts

@@ -0,0 +1,10 @@
+import { WorkAppsVariables } from "../types.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/routes/events.d.ts
+
+declare const app: OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };