@inkeep/agents-work-apps 0.0.0-dev-20260225215837 → 0.0.0-dev-20260225221013

package/dist/github/mcp/index.d.ts

@@ -1,11 +1,11 @@
 import { Hono } from "hono";
-import * as hono_types3 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/github/mcp/index.d.ts
 declare const app: Hono<{
   Variables: {
     toolId: string;
   };
-}, hono_types3.BlankSchema, "/">;
+}, hono_types5.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/setup.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/github/routes/setup.d.ts
-declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/setup.js

@@ -1,7 +1,7 @@
 import { env } from "../../env.js";
 import { getLogger } from "../../logger.js";
-import runDbClient_default from "../../db/runDbClient.js";
 import { getStateSigningSecret, isStateSigningConfigured } from "../config.js";
+import runDbClient_default from "../../db/runDbClient.js";
 import { createAppJwt, determineStatus, fetchInstallationDetails, fetchInstallationRepositories } from "../installation.js";
 import { createInstallation, generateId, getInstallationByGitHubId, listProjectsMetadata, setProjectAccessMode, syncRepositories, updateInstallationStatusByGitHubId } from "@inkeep/agents-core";
 import { Hono } from "hono";

package/dist/github/routes/tokenExchange.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types4 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types4.BlankEnv, hono_types4.BlankSchema, "/">;
+declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/tokenExchange.js

@@ -1,6 +1,6 @@
 import { getLogger } from "../../logger.js";
-import runDbClient_default from "../../db/runDbClient.js";
 import { isGitHubAppConfigured } from "../config.js";
+import runDbClient_default from "../../db/runDbClient.js";
 import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
 import { validateOidcToken } from "../oidcToken.js";
 import { checkProjectRepositoryAccess, getInstallationByGitHubId } from "@inkeep/agents-core";

package/dist/github/routes/webhooks.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types6 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/github/routes/webhooks.d.ts
 interface WebhookVerificationResult {
@@ -7,6 +7,6 @@ interface WebhookVerificationResult {
   error?: string;
 }
 declare function verifyWebhookSignature(payload: string, signature: string | undefined, secret: string): WebhookVerificationResult;
-declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
+declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
 //#endregion
 export { WebhookVerificationResult, app as default, verifyWebhookSignature };

package/dist/github/routes/webhooks.js

@@ -1,6 +1,6 @@
 import { getLogger } from "../../logger.js";
-import runDbClient_default from "../../db/runDbClient.js";
 import { getWebhookSecret, isWebhookConfigured } from "../config.js";
+import runDbClient_default from "../../db/runDbClient.js";
 import { addRepositories, deleteInstallation, getInstallationByGitHubId, removeRepositories, updateInstallationStatusByGitHubId } from "@inkeep/agents-core";
 import { Hono } from "hono";
 import { createHmac, timingSafeEqual } from "node:crypto";

package/dist/slack/services/blocks/index.js

@@ -1,3 +1,4 @@
+import { escapeSlackLinkText, escapeSlackMrkdwn } from "../events/utils.js";
 import { SlackStrings } from "../../i18n/strings.js";
 import { z } from "zod";
 import { Blocks, Elements, Md, Message } from "slack-block-builder";
@@ -12,7 +13,7 @@ function createContextBlock(params) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: SlackStrings.context.poweredBy(agentName)
+			text: SlackStrings.context.poweredBy(escapeSlackMrkdwn(agentName))
 		}]
 	};
 }
@@ -73,15 +74,16 @@ function buildToolApprovalBlocks(params) {
 		type: "section",
 		text: {
 			type: "mrkdwn",
-			text: `*Approval required - \`${toolName}\`*`
+			text: `*Approval required - \`${escapeSlackMrkdwn(toolName)}\`*`
 		}
 	}];
 	if (input && Object.keys(input).length > 0) {
 		const fields = Object.entries(input).slice(0, 10).map(([k, v]) => {
 			const val = typeof v === "object" ? JSON.stringify(v) : String(v ?? "");
+			const truncated = val.length > 80 ? `${val.slice(0, 80)}…` : val;
 			return {
 				type: "mrkdwn",
-				text: `*${k}:*\n${val.length > 80 ? `${val.slice(0, 80)}…` : val}`
+				text: `*${escapeSlackMrkdwn(k)}:*\n${escapeSlackMrkdwn(truncated)}`
 			};
 		});
 		blocks.push({
@@ -121,7 +123,7 @@ function buildToolApprovalDoneBlocks(params) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: approved ? `✅ Approved \`${toolName}\` · <@${actorUserId}>` : `❌ Denied \`${toolName}\` · <@${actorUserId}>`
+			text: approved ? `✅ Approved \`${escapeSlackMrkdwn(toolName)}\` · <@${actorUserId}>` : `❌ Denied \`${escapeSlackMrkdwn(toolName)}\` · <@${actorUserId}>`
 		}]
 	}];
 }
@@ -130,16 +132,17 @@ function buildToolApprovalExpiredBlocks(params) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: `⏱️ Expired · \`${params.toolName}\``
+			text: `⏱️ Expired · \`${escapeSlackMrkdwn(params.toolName)}\``
 		}]
 	}];
 }
 function buildToolOutputErrorBlock(toolName, errorText) {
+	const truncated = errorText.length > 100 ? `${errorText.slice(0, 100)}…` : errorText;
 	return {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: `⚠️ *${toolName}* · failed: ${errorText.length > 100 ? `${errorText.slice(0, 100)}…` : errorText}`
+			text: `⚠️ *${escapeSlackMrkdwn(toolName)}* · failed: ${escapeSlackMrkdwn(truncated)}`
 		}]
 	};
 }
@@ -148,7 +151,7 @@ function buildSummaryBreadcrumbBlock(labels) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: labels.join(" → ")
+			text: labels.map(escapeSlackMrkdwn).join(" → ")
 		}]
 	};
 }
@@ -179,9 +182,10 @@ function buildDataComponentBlocks(component) {
 	if (Object.keys(payload).length > 0) if (isFlatRecord(payload)) {
 		const fields = Object.entries(payload).slice(0, 10).map(([k, v]) => {
 			const val = String(v ?? "");
+			const truncated = val.length > 80 ? `${val.slice(0, 80)}…` : val;
 			return {
 				type: "mrkdwn",
-				text: `*${k}*\n${val.length > 80 ? `${val.slice(0, 80)}…` : val}`
+				text: `*${escapeSlackMrkdwn(k)}*\n${escapeSlackMrkdwn(truncated)}`
 			};
 		});
 		blocks.push({
@@ -203,7 +207,7 @@ function buildDataComponentBlocks(component) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: `data component · type: ${componentType}`
+			text: `data component · type: ${escapeSlackMrkdwn(componentType)}`
 		}]
 	});
 	return {
@@ -219,7 +223,8 @@ function buildDataArtifactBlocks(artifact) {
 		const MAX_SOURCES = 10;
 		const lines = sourcesArray.slice(0, MAX_SOURCES).map((s) => {
 			const url = s.url || s.href;
-			const title = s.title || s.name || url;
+			const rawTitle = s.title || s.name || url;
+			const title = rawTitle ? escapeSlackLinkText(rawTitle) : rawTitle;
 			return url ? `• <${url}|${title}>` : null;
 		}).filter((l) => l !== null);
 		if (lines.length > 0) {
@@ -247,7 +252,7 @@ function buildDataArtifactBlocks(artifact) {
 		type: "context",
 		elements: [{
 			type: "mrkdwn",
-			text: `type: ${artifactType}`
+			text: `type: ${escapeSlackMrkdwn(artifactType)}`
 		}]
 	});
 	let overflowContent;
@@ -267,10 +272,11 @@ function buildDataArtifactBlocks(artifact) {
 }
 function buildCitationsBlock(citations) {
 	const MAX_CITATIONS = 10;
-	const lines = citations.slice(0, MAX_CITATIONS).map((c) => {
+	const lines = citations.slice(0, MAX_CITATIONS).map((c, i) => {
 		const url = c.url;
-		const title = c.title || url;
-		return url ? `• <${url}|${title}>` : null;
+		const rawTitle = c.title || url;
+		const title = rawTitle ? escapeSlackLinkText(rawTitle) : rawTitle;
+		return url ? `<${url}|[${i + 1}] ${title}>` : null;
 	}).filter((l) => l !== null);
 	if (lines.length === 0) return [];
 	const suffix = citations.length > MAX_CITATIONS ? `\n_and ${citations.length - MAX_CITATIONS} more_` : "";

package/dist/slack/services/events/streaming.js

@@ -349,10 +349,14 @@ async function streamAgentResponse(params) {
 							const artifactData = data.data;
 							if (typeof artifactData.type === "string" && artifactData.type.toLowerCase() === "citation") {
 								const summary = artifactData.artifactSummary;
-								if (summary?.url && !citations.some((c) => c.url === summary.url)) citations.push({
-									title: summary.title,
-									url: summary.url
-								});
+								if (summary?.url && !citations.some((c) => c.url === summary.url)) {
+									citations.push({
+										title: summary.title,
+										url: summary.url
+									});
+									const citationIndex = citations.length;
+									if (fullText.length > 0) await withTimeout(streamer.append({ markdown_text: `<${summary.url}|[${citationIndex}]>` }), CHATSTREAM_OP_TIMEOUT_MS, "streamer.append").catch((e) => logger.warn({ error: e }, "Failed to append inline citation"));
+								}
 							} else if (richMessageCount < MAX_RICH_MESSAGES) {
 								const { blocks, overflowContent, artifactName } = buildDataArtifactBlocks({ data: artifactData });
 								if (overflowContent) {

package/dist/slack/services/events/utils.d.ts

@@ -8,12 +8,12 @@ import { AgentOption } from "../modals.js";
  * Called on every @mention and /inkeep command — caching avoids redundant DB queries.
  */
 declare function findCachedUserMapping(tenantId: string, slackUserId: string, teamId: string, clientId?: string): Promise<{
-  slackUserId: string;
-  id: string;
   createdAt: string;
   updatedAt: string;
+  id: string;
   tenantId: string;
   clientId: string;
+  slackUserId: string;
   slackTeamId: string;
   slackEnterpriseId: string | null;
   inkeepUserId: string;
@@ -22,6 +22,18 @@ declare function findCachedUserMapping(tenantId: string, slackUserId: string, te
   linkedAt: string;
   lastUsedAt: string | null;
 } | null>;
+/**
+ * Escape special characters in Slack mrkdwn link display text.
+ * In Slack's <url|text> format, `>` terminates the link, `<` opens a new one,
+ * and `&` begins an HTML entity — all must be escaped.
+ */
+declare function escapeSlackLinkText(text: string): string;
+/**
+ * Escape special characters in Slack mrkdwn text.
+ * In Slack's mrkdwn, `&`, `<`, and `>` are treated as HTML entities/tags
+ * and must be escaped in all dynamic mrkdwn text fields.
+ */
+declare function escapeSlackMrkdwn(text: string): string;
 /**
  * Convert standard Markdown to Slack's mrkdwn format
  *
@@ -167,4 +179,4 @@ declare function formatChannelContext(channelInfo: {
   name?: string;
 } | null): string;
 //#endregion
-export { ProjectOption, SlackAttachment, SlackErrorType, checkIfBotThread, classifyError, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, formatAttachments, formatChannelContext, formatChannelLabel, generateSlackConversationId, getChannelAgentConfig, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, markdownToMrkdwn, resolveChannelAgentConfig, sendResponseUrlMessage, timedOp };
+export { ProjectOption, SlackAttachment, SlackErrorType, checkIfBotThread, classifyError, escapeSlackLinkText, escapeSlackMrkdwn, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, formatAttachments, formatChannelContext, formatChannelLabel, generateSlackConversationId, getChannelAgentConfig, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, markdownToMrkdwn, resolveChannelAgentConfig, sendResponseUrlMessage, timedOp };

package/dist/slack/services/events/utils.js

@@ -50,6 +50,22 @@ async function findCachedUserMapping(tenantId, slackUserId, teamId, clientId = "
 	return mapping;
 }
 /**
+* Escape special characters in Slack mrkdwn link display text.
+* In Slack's <url|text> format, `>` terminates the link, `<` opens a new one,
+* and `&` begins an HTML entity — all must be escaped.
+*/
+function escapeSlackLinkText(text) {
+	return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+/**
+* Escape special characters in Slack mrkdwn text.
+* In Slack's mrkdwn, `&`, `<`, and `>` are treated as HTML entities/tags
+* and must be escaped in all dynamic mrkdwn text fields.
+*/
+function escapeSlackMrkdwn(text) {
+	return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+/**
 * Convert standard Markdown to Slack's mrkdwn format
 *
 * Key differences:
@@ -63,7 +79,7 @@ function markdownToMrkdwn(markdown) {
 	if (!markdown) return markdown;
 	let result = markdown;
 	result = result.replace(/^#{1,6}\s+(.+)$/gm, "*$1*");
-	result = result.replace(/\[([^\]]+)\]\(([^)]+)\)/g, "<$2|$1>");
+	result = result.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (_, text, url) => `<${url}|${escapeSlackLinkText(text)}>`);
 	result = result.replace(/\*\*([^*]+)\*\*/g, "*$1*");
 	result = result.replace(/__([^_]+)__/g, "*$1*");
 	result = result.replace(/~~([^~]+)~~/g, "~$1~");
@@ -426,4 +442,4 @@ function formatChannelContext(channelInfo) {
 }
 
 //#endregion
-export { SlackErrorType, checkIfBotThread, classifyError, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, formatAttachments, formatChannelContext, formatChannelLabel, generateSlackConversationId, getChannelAgentConfig, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, markdownToMrkdwn, resolveChannelAgentConfig, sendResponseUrlMessage, timedOp };
+export { SlackErrorType, checkIfBotThread, classifyError, escapeSlackLinkText, escapeSlackMrkdwn, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, formatAttachments, formatChannelContext, formatChannelLabel, generateSlackConversationId, getChannelAgentConfig, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, markdownToMrkdwn, resolveChannelAgentConfig, sendResponseUrlMessage, timedOp };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-work-apps",
-  "version": "0.0.0-dev-20260225215837",
+  "version": "0.0.0-dev-20260225221013",
   "description": "First party integrations for Inkeep Agents",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -33,7 +33,7 @@
     "jose": "^6.1.0",
     "minimatch": "^10.1.1",
     "slack-block-builder": "^2.8.0",
-    "@inkeep/agents-core": "0.0.0-dev-20260225215837"
+    "@inkeep/agents-core": "0.0.0-dev-20260225221013"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",