@inkeep/agents-work-apps 0.58.14 → 0.58.16

package/dist/github/index.d.ts

@@ -4,10 +4,10 @@ import "./routes/setup.js";
 import "./routes/tokenExchange.js";
 import { WebhookVerificationResult, verifyWebhookSignature } from "./routes/webhooks.js";
 import { Hono } from "hono";
-import * as hono_types0 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/github/index.d.ts
-declare function createGithubRoutes(): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
-declare const githubRoutes: Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+declare function createGithubRoutes(): Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
+declare const githubRoutes: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, GitHubAppConfig, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, WebhookVerificationResult, clearConfigCache, createAppJwt, createGithubRoutes, determineStatus, fetchInstallationDetails, fetchInstallationRepositories, generateInstallationAccessToken, getGitHubAppConfig, getGitHubAppName, getStateSigningSecret, getWebhookSecret, githubRoutes, isGitHubAppConfigured, isGitHubAppNameConfigured, isStateSigningConfigured, isWebhookConfigured, lookupInstallationForRepo, validateGitHubAppConfigOnStartup, validateGitHubInstallFlowConfigOnStartup, validateGitHubWebhookConfigOnStartup, verifyWebhookSignature };

package/dist/github/mcp/auth.d.ts

@@ -1,7 +1,7 @@
-import * as hono0 from "hono";
+import * as hono2 from "hono";
 
 //#region src/github/mcp/auth.d.ts
-declare const githubMcpAuth: () => hono0.MiddlewareHandler<{
+declare const githubMcpAuth: () => hono2.MiddlewareHandler<{
   Variables: {
     toolId: string;
     tenantId: string;

package/dist/github/mcp/index.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types3 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/github/mcp/index.d.ts
 declare const app: Hono<{
@@ -8,6 +8,6 @@ declare const app: Hono<{
     tenantId: string;
     projectId: string;
   };
-}, hono_types3.BlankSchema, "/">;
+}, hono_types10.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/mcp/schemas.d.ts

@@ -76,8 +76,8 @@ declare const ChangedFileSchema: z.ZodObject<{
   path: z.ZodString;
   status: z.ZodEnum<{
     added: "added";
-    modified: "modified";
     removed: "removed";
+    modified: "modified";
     renamed: "renamed";
     copied: "copied";
     changed: "changed";

package/dist/github/routes/setup.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types0 from "hono/types";
 
 //#region src/github/routes/setup.d.ts
-declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const app: Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/tokenExchange.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types9 from "hono/types";
+import * as hono_types1 from "hono/types";
 
 //#region src/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types9.BlankEnv, hono_types9.BlankSchema, "/">;
+declare const app: Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/webhooks.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types7 from "hono/types";
 
 //#region src/github/routes/webhooks.d.ts
 interface WebhookVerificationResult {
@@ -7,6 +7,6 @@ interface WebhookVerificationResult {
   error?: string;
 }
 declare function verifyWebhookSignature(payload: string, signature: string | undefined, secret: string): WebhookVerificationResult;
-declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
 //#endregion
 export { WebhookVerificationResult, app as default, verifyWebhookSignature };

package/dist/slack/mcp/auth.d.ts

@@ -1,7 +1,7 @@
-import * as hono0 from "hono";
+import * as hono1 from "hono";
 
 //#region src/slack/mcp/auth.d.ts
-declare const slackMcpAuth: () => hono0.MiddlewareHandler<{
+declare const slackMcpAuth: () => hono1.MiddlewareHandler<{
   Variables: {
     toolId: string;
     tenantId: string;

package/dist/slack/mcp/index.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types4 from "hono/types";
+import * as hono_types9 from "hono/types";
 
 //#region src/slack/mcp/index.d.ts
 interface ChannelInfo {
@@ -18,6 +18,6 @@ declare const app: Hono<{
     tenantId: string;
     projectId: string;
   };
-}, hono_types4.BlankSchema, "/">;
+}, hono_types9.BlankSchema, "/">;
 //#endregion
 export { ChannelInfo, app as default, pruneStaleChannelIds };

package/dist/slack/middleware/permissions.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types.js";
-import * as hono1 from "hono";
+import * as hono0 from "hono";
 
 //#region src/slack/middleware/permissions.d.ts
 /**
@@ -14,7 +14,7 @@ declare const requireWorkspaceAdmin: <Env extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>() => hono1.MiddlewareHandler<Env, string, {}, Response>;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
 /**
  * Middleware that requires either:
  * 1. Org admin/owner role (can modify any channel), OR
@@ -26,6 +26,6 @@ declare const requireChannelMemberOrAdmin: <Env extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>() => hono1.MiddlewareHandler<Env, string, {}, Response>;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
 //#endregion
 export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/routes/oauth.d.ts

@@ -13,8 +13,9 @@ interface OAuthState {
 declare function getStateSigningSecret(): string;
 declare function createOAuthState(tenantId?: string): string;
 declare function parseOAuthState(stateStr: string): OAuthState | null;
+declare function sanitizeTenantId(raw: string): string;
 declare const app: OpenAPIHono<{
   Variables: WorkAppsVariables;
 }, {}, "/">;
 //#endregion
-export { createOAuthState, app as default, getBotTokenForTeam, getStateSigningSecret, parseOAuthState, setBotTokenForTeam };
+export { createOAuthState, app as default, getBotTokenForTeam, getStateSigningSecret, parseOAuthState, sanitizeTenantId, setBotTokenForTeam };

package/dist/slack/routes/oauth.js

@@ -5,6 +5,7 @@ import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, deleteWork
 import { getSlackClient, getSlackTeamInfo, getSlackUserInfo } from "../services/client.js";
 import { getBotTokenForTeam, setBotTokenForTeam } from "../services/workspace-tokens.js";
 import "../services/index.js";
+import { BOT_SCOPES_CSV } from "../slack-scopes.js";
 import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { createWorkAppSlackWorkspace, isUniqueConstraintError, listWorkAppSlackWorkspacesByTenant } from "@inkeep/agents-core";
 import * as crypto$1 from "node:crypto";
@@ -70,6 +71,9 @@ function parseOAuthState(stateStr) {
 		return null;
 	}
 }
+function sanitizeTenantId(raw) {
+	return /^[a-zA-Z0-9_-]+$/.test(raw) ? raw : "";
+}
 const app = new OpenAPIHono();
 app.openapi(createProtectedRoute({
 	method: "get",
@@ -89,30 +93,10 @@ app.openapi(createProtectedRoute({
 	const { tenant_id: tenantId } = c.req.valid("query");
 	const clientId = env.SLACK_CLIENT_ID;
 	const redirectUri = `${env.SLACK_APP_URL}/work-apps/slack/oauth_redirect`;
-	const botScopes = [
-		"app_mentions:read",
-		"channels:history",
-		"channels:read",
-		"chat:write",
-		"chat:write.public",
-		"commands",
-		"files:write",
-		"groups:history",
-		"groups:read",
-		"im:history",
-		"im:read",
-		"im:write",
-		"team:read",
-		"users:read",
-		"users:read.email",
-		"search:read.public",
-		"search:read.files",
-		"search:read.users"
-	].join(",");
 	const state = createOAuthState(tenantId);
 	const slackAuthUrl = new URL("https://slack.com/oauth/v2/authorize");
 	slackAuthUrl.searchParams.set("client_id", clientId || "");
-	slackAuthUrl.searchParams.set("scope", botScopes);
+	slackAuthUrl.searchParams.set("scope", BOT_SCOPES_CSV);
 	slackAuthUrl.searchParams.set("redirect_uri", redirectUri);
 	slackAuthUrl.searchParams.set("state", state);
 	logger.info({
@@ -142,7 +126,9 @@ app.openapi(createProtectedRoute({
 }), async (c) => {
 	const { code, error, state: stateParam } = c.req.valid("query");
 	const parsedState = stateParam ? parseOAuthState(stateParam) : null;
-	const tenantId = parsedState?.tenantId || "";
+	const rawTenantId = parsedState?.tenantId || "";
+	const tenantId = sanitizeTenantId(rawTenantId);
+	if (rawTenantId && !tenantId) logger.warn({ rawTenantId: rawTenantId.slice(0, 50) }, "Rejected invalid tenantId from OAuth state");
 	const dashboardUrl = `${manageUiUrl}/${tenantId}/work-apps/slack`;
 	if (!stateParam || !parsedState) {
 		logger.error({ hasState: !!stateParam }, "Invalid or missing OAuth state parameter");
@@ -346,4 +332,4 @@ app.openapi(createProtectedRoute({
 var oauth_default = app;
 
 //#endregion
-export { createOAuthState, oauth_default as default, getBotTokenForTeam, getStateSigningSecret, parseOAuthState, setBotTokenForTeam };
+export { createOAuthState, oauth_default as default, getBotTokenForTeam, getStateSigningSecret, parseOAuthState, sanitizeTenantId, setBotTokenForTeam };

package/dist/slack/services/events/utils.d.ts

@@ -9,12 +9,12 @@ import { AgentOption } from "../modals.js";
  * Called on every @mention and /inkeep command — caching avoids redundant DB queries.
  */
 declare function findCachedUserMapping(tenantId: string, slackUserId: string, teamId: string, clientId?: string): Promise<{
-  slackUserId: string;
-  id: string;
   createdAt: string;
   updatedAt: string;
+  id: string;
   tenantId: string;
   clientId: string;
+  slackUserId: string;
   slackTeamId: string;
   slackEnterpriseId: string | null;
   inkeepUserId: string;

package/dist/slack/slack-app-manifest.js

@@ -0,0 +1,35 @@
+//#region src/slack/slack-app-manifest.json
+var oauth_config = {
+	"redirect_urls": ["https://api.nango.dev/oauth/callback", "https://<YOUR_API_DOMAIN>/work-apps/slack/oauth_redirect"],
+	"scopes": {
+		"user": ["users:read", "users:read.email"],
+		"bot": [
+			"app_mentions:read",
+			"channels:history",
+			"channels:read",
+			"channels:join",
+			"chat:write",
+			"chat:write.public",
+			"commands",
+			"files:write",
+			"files:read",
+			"groups:history",
+			"groups:read",
+			"im:history",
+			"im:read",
+			"im:write",
+			"mpim:history",
+			"mpim:read",
+			"mpim:write",
+			"team:read",
+			"users:read",
+			"users:read.email",
+			"search:read.public",
+			"search:read.files",
+			"search:read.users"
+		]
+	}
+};
+
+//#endregion
+export { oauth_config };

package/dist/slack/slack-scopes.d.ts

@@ -0,0 +1,5 @@
+//#region src/slack/slack-scopes.d.ts
+declare const BOT_SCOPES: readonly string[];
+declare const BOT_SCOPES_CSV: string;
+//#endregion
+export { BOT_SCOPES, BOT_SCOPES_CSV };

package/dist/slack/slack-scopes.js

@@ -0,0 +1,10 @@
+import { oauth_config } from "./slack-app-manifest.js";
+
+//#region src/slack/slack-scopes.ts
+const scopes = oauth_config.scopes?.bot;
+if (!Array.isArray(scopes) || scopes.length === 0) throw new Error("slack-app-manifest.json is missing oauth_config.scopes.bot — check the manifest structure");
+const BOT_SCOPES = scopes;
+const BOT_SCOPES_CSV = BOT_SCOPES.join(",");
+
+//#endregion
+export { BOT_SCOPES, BOT_SCOPES_CSV };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-work-apps",
-  "version": "0.58.14",
+  "version": "0.58.16",
   "description": "First party integrations for Inkeep Agents",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -33,7 +33,7 @@
     "jose": "^6.1.0",
     "minimatch": "^10.2.1",
     "slack-block-builder": "^2.8.0",
-    "@inkeep/agents-core": "0.58.14"
+    "@inkeep/agents-core": "0.58.16"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",