@inkeep/agents-work-apps 0.65.1 → 0.66.0

package/dist/github/config.js

@@ -19,7 +19,7 @@ function getGitHubAppConfig() {
 	});
 	if (!result.success) {
 		const errorMessage = `GitHub App credentials are not configured. ${result.error.issues.map((issue) => issue.message).join(". ")}. Please set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY environment variables.`;
-		logger.error({}, errorMessage);
+		logger.error(errorMessage);
 		throw new Error(errorMessage);
 	}
 	cachedConfig = result.data;

package/dist/github/jwks.js

@@ -7,7 +7,7 @@ const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-
 const CACHE_TTL_MS = 3600 * 1e3;
 let jwksCache = null;
 function createJwksWithLogging() {
-	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
+	logger.info("Creating new JWKS fetch function for GitHub OIDC");
 	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
 }
 function isCacheExpired() {
@@ -70,7 +70,7 @@ async function getJwkForToken(header) {
 }
 function clearJwksCache() {
 	jwksCache = null;
-	logger.debug({}, "JWKS cache cleared");
+	logger.debug("JWKS cache cleared");
 }
 function getJwksCacheStatus() {
 	if (!jwksCache) return { cached: false };

package/dist/github/mcp/auth.d.ts

@@ -1,7 +1,7 @@
-import * as hono0 from "hono";
+import * as hono2 from "hono";
 
 //#region src/github/mcp/auth.d.ts
-declare const githubMcpAuth: () => hono0.MiddlewareHandler<{
+declare const githubMcpAuth: () => hono2.MiddlewareHandler<{
   Variables: {
     toolId: string;
     tenantId: string;

package/dist/github/mcp/index.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/github/mcp/index.d.ts
 declare const app: Hono<{
@@ -8,6 +8,6 @@ declare const app: Hono<{
     tenantId: string;
     projectId: string;
   };
-}, hono_types7.BlankSchema, "/">;
+}, hono_types8.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/oidcToken.js

@@ -72,7 +72,7 @@ async function validateOidcToken(token) {
 		};
 	} catch (error) {
 		if (error instanceof errors.JWTExpired) {
-			logger.warn({}, "OIDC token has expired");
+			logger.warn("OIDC token has expired");
 			return {
 				success: false,
 				errorType: "expired",
@@ -108,7 +108,7 @@ async function validateOidcToken(token) {
 			};
 		}
 		if (error instanceof errors.JWSSignatureVerificationFailed) {
-			logger.warn({}, "Invalid OIDC token signature");
+			logger.warn("Invalid OIDC token signature");
 			return {
 				success: false,
 				errorType: "invalid_signature",

package/dist/github/routes/setup.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types3 from "hono/types";
+import * as hono_types4 from "hono/types";
 
 //#region src/github/routes/setup.d.ts
-declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
+declare const app: Hono<hono_types4.BlankEnv, hono_types4.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/tokenExchange.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/tokenExchange.js

@@ -35,9 +35,9 @@ app.post("/", async (c) => {
 		}, 400);
 	}
 	const body = parseResult.data;
-	logger.info({}, "Processing token exchange request");
+	logger.info("Processing token exchange request");
 	if (!isGitHubAppConfigured()) {
-		logger.error({}, "GitHub App credentials not configured");
+		logger.error("GitHub App credentials not configured");
 		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
 		c.header("Content-Type", "application/problem+json");
 		return c.json({

package/dist/github/routes/webhooks.js

@@ -42,7 +42,7 @@ function verifyWebhookSignature(payload, signature, secret) {
 const app = new Hono();
 app.post("/", async (c) => {
 	if (!isWebhookConfigured()) {
-		logger.error({}, "GitHub webhook secret not configured");
+		logger.error("GitHub webhook secret not configured");
 		return c.json({ error: "GitHub webhook secret not configured" }, 500);
 	}
 	const rawBody = await c.req.text();

package/dist/slack/dispatcher.js

@@ -8,6 +8,7 @@ import { handleMessageShortcut, handleOpenAgentSelectorModal, handleToolApproval
 import { handleDirectMessage } from "./services/events/direct-message.js";
 import { handleModalSubmission } from "./services/events/modal-submission.js";
 import "./services/events/index.js";
+import { cleanupWorkspaceInstallation } from "./services/workspace-cleanup.js";
 import "./services/index.js";
 import { flushTraces } from "@inkeep/agents-core";
 
@@ -131,6 +132,55 @@ async function dispatchSlackEvent(eventType, payload, options, span) {
 					errorStack
 				}, "Failed to handle direct message (outer catch)");
 			}).finally(() => flushTraces()));
+		} else if (innerEventType === "app_uninstalled" && teamId) {
+			outcome = "handled";
+			span.setAttribute(SLACK_SPAN_KEYS.OUTCOME, outcome);
+			span.updateName("slack.webhook app_uninstalled");
+			logger.info({ teamId }, "Handling event: app_uninstalled");
+			registerBackgroundWork(cleanupWorkspaceInstallation({
+				teamId,
+				skipTokenRevocation: true
+			}).then((result) => {
+				logger.info({
+					teamId,
+					success: result.success,
+					dbCleaned: result.dbCleaned
+				}, "app_uninstalled cleanup completed");
+			}).catch((err) => {
+				const errorMessage = err instanceof Error ? err.message : String(err);
+				logger.error({
+					errorMessage,
+					teamId
+				}, "Failed to handle app_uninstalled");
+			}).finally(() => flushTraces()));
+		} else if (innerEventType === "tokens_revoked" && teamId) {
+			outcome = "handled";
+			span.setAttribute(SLACK_SPAN_KEYS.OUTCOME, outcome);
+			span.updateName("slack.webhook tokens_revoked");
+			const tokensEvent = payload.event;
+			const revokedBotTokens = tokensEvent?.tokens?.bot ?? [];
+			const revokedOauthTokens = tokensEvent?.tokens?.oauth ?? [];
+			logger.info({
+				teamId,
+				revokedBotCount: revokedBotTokens.length,
+				revokedOauthCount: revokedOauthTokens.length
+			}, "Handling event: tokens_revoked");
+			if (revokedBotTokens.length > 0) registerBackgroundWork(cleanupWorkspaceInstallation({
+				teamId,
+				skipTokenRevocation: true
+			}).then((result) => {
+				logger.info({
+					teamId,
+					success: result.success,
+					dbCleaned: result.dbCleaned
+				}, "tokens_revoked (bot) cleanup completed");
+			}).catch((err) => {
+				const errorMessage = err instanceof Error ? err.message : String(err);
+				logger.error({
+					errorMessage,
+					teamId
+				}, "Failed to handle tokens_revoked (bot)");
+			}).finally(() => flushTraces()));
 		} else {
 			outcome = "ignored_unknown_event";
 			span.setAttribute(SLACK_SPAN_KEYS.OUTCOME, outcome);

package/dist/slack/mcp/index.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/slack/mcp/index.d.ts
 interface ChannelInfo {
@@ -18,6 +18,6 @@ declare const app: Hono<{
     tenantId: string;
     projectId: string;
   };
-}, hono_types8.BlankSchema, "/">;
+}, hono_types3.BlankSchema, "/">;
 //#endregion
 export { ChannelInfo, app as default, pruneStaleChannelIds };

package/dist/slack/middleware/permissions.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types.js";
-import * as hono1 from "hono";
+import * as hono0 from "hono";
 
 //#region src/slack/middleware/permissions.d.ts
 /**
@@ -14,7 +14,7 @@ declare const requireWorkspaceAdmin: <Env extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>() => hono1.MiddlewareHandler<Env, string, {}, Response>;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
 /**
  * Middleware that requires either:
  * 1. Org admin/owner role (can modify any channel), OR
@@ -26,6 +26,6 @@ declare const requireChannelMemberOrAdmin: <Env extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>() => hono1.MiddlewareHandler<Env, string, {}, Response>;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
 //#endregion
 export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/routes/events.js

@@ -28,14 +28,14 @@ app.post("/commands", async (c) => {
 	const timestamp = c.req.header("x-slack-request-timestamp") || "";
 	const signature = c.req.header("x-slack-signature") || "";
 	if (!env.SLACK_SIGNING_SECRET) {
-		logger.error({}, "SLACK_SIGNING_SECRET not configured - rejecting request");
+		logger.error("SLACK_SIGNING_SECRET not configured - rejecting request");
 		return c.json({
 			response_type: "ephemeral",
 			text: "Server configuration error"
 		}, 500);
 	}
 	if (!verifySlackRequest(env.SLACK_SIGNING_SECRET, body, timestamp, signature)) {
-		logger.error({}, "Invalid Slack request signature");
+		logger.error("Invalid Slack request signature");
 		return c.json({
 			response_type: "ephemeral",
 			text: "Invalid request signature"
@@ -100,7 +100,7 @@ app.post("/events", async (c) => {
 			if (!env.SLACK_SIGNING_SECRET) {
 				outcome = "error";
 				span.setAttribute(SLACK_SPAN_KEYS.OUTCOME, outcome);
-				logger.error({}, "SLACK_SIGNING_SECRET not configured - rejecting request");
+				logger.error("SLACK_SIGNING_SECRET not configured - rejecting request");
 				span.end();
 				return c.json({ error: "Server configuration error" }, 500);
 			}
@@ -114,7 +114,7 @@ app.post("/events", async (c) => {
 			if (eventType === "url_verification") {
 				outcome = "url_verification";
 				span.setAttribute(SLACK_SPAN_KEYS.OUTCOME, outcome);
-				logger.info({}, "Responding to Slack URL verification challenge");
+				logger.info("Responding to Slack URL verification challenge");
 				span.end();
 				return c.text(String(eventBody.challenge));
 			}
@@ -146,12 +146,12 @@ app.post("/nango-webhook", async (c) => {
 	const body = await c.req.text();
 	const nangoSecret = env.NANGO_SLACK_SECRET_KEY || env.NANGO_SECRET_KEY;
 	if (!nangoSecret) {
-		logger.error({}, "No Nango secret key configured — rejecting webhook");
+		logger.error("No Nango secret key configured — rejecting webhook");
 		return c.json({ error: "Server configuration error" }, 503);
 	}
 	const signature = c.req.header("x-nango-signature");
 	if (!signature) {
-		logger.warn({}, "Missing Nango webhook signature");
+		logger.warn("Missing Nango webhook signature");
 		return c.json({ error: "Missing signature" }, 401);
 	}
 	const crypto = await import("node:crypto");

package/dist/slack/routes/oauth.js

@@ -44,12 +44,12 @@ function parseOAuthState(stateStr) {
 	try {
 		const [data, signature] = stateStr.split(".");
 		if (!data || !signature) {
-			logger.warn({}, "OAuth state missing signature");
+			logger.warn("OAuth state missing signature");
 			return null;
 		}
 		const expectedSignature = crypto$1.createHmac("sha256", getStateSigningSecret()).update(data).digest("base64url");
 		if (signature.length !== expectedSignature.length || !crypto$1.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {
-			logger.warn({}, "Invalid OAuth state signature");
+			logger.warn("Invalid OAuth state signature");
 			return null;
 		}
 		const decoded = Buffer.from(data, "base64url").toString("utf-8");
@@ -139,7 +139,7 @@ app.openapi(createProtectedRoute({
 		return c.redirect(`${dashboardUrl}?error=${encodeURIComponent(error)}`);
 	}
 	if (!code) {
-		logger.error({}, "No code provided in OAuth callback");
+		logger.error("No code provided in OAuth callback");
 		return c.redirect(`${dashboardUrl}?error=no_code`);
 	}
 	try {
@@ -161,7 +161,7 @@ app.openapi(createProtectedRoute({
 		} catch (fetchErr) {
 			clearTimeout(timeout);
 			if (fetchErr.name === "AbortError") {
-				logger.error({}, "Slack token exchange timed out");
+				logger.error("Slack token exchange timed out");
 				return c.redirect(`${dashboardUrl}?error=timeout`);
 			}
 			throw fetchErr;

package/dist/slack/routes/workspaces.js

@@ -1,12 +1,13 @@
 import { getLogger } from "../../logger.js";
 import runDbClient_default from "../../db/runDbClient.js";
-import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, listWorkspaceInstallations, setWorkspaceDefaultAgent } from "../services/nango.js";
+import { findWorkspaceConnectionByTeamId, listWorkspaceInstallations, setWorkspaceDefaultAgent } from "../services/nango.js";
 import { lookupAgentName } from "../services/agent-resolution.js";
-import { getBotMemberChannels, getSlackChannels, getSlackClient, revokeSlackToken } from "../services/client.js";
+import { getBotMemberChannels, getSlackChannels, getSlackClient } from "../services/client.js";
+import { cleanupWorkspaceInstallation } from "../services/workspace-cleanup.js";
 import "../services/index.js";
 import { requireChannelMemberOrAdmin, requireWorkspaceAdmin } from "../middleware/permissions.js";
 import { OpenAPIHono, z } from "@hono/zod-openapi";
-import { WorkAppSlackAgentConfigRequestSchema, deleteAllSlackMcpToolAccessConfigsByTenant, deleteAllWorkAppSlackChannelAgentConfigsByTeam, deleteAllWorkAppSlackUserMappingsByTeam, deleteWorkAppSlackChannelAgentConfig, deleteWorkAppSlackWorkspaceByNangoConnectionId, findWorkAppSlackChannelAgentConfig, findWorkAppSlackWorkspaceByTeamId, listWorkAppSlackChannelAgentConfigsByTeam, listWorkAppSlackUserMappingsByTeam, updateWorkAppSlackWorkspace, upsertWorkAppSlackChannelAgentConfig } from "@inkeep/agents-core";
+import { WorkAppSlackAgentConfigRequestSchema, deleteWorkAppSlackChannelAgentConfig, findWorkAppSlackChannelAgentConfig, findWorkAppSlackWorkspaceByTeamId, listWorkAppSlackChannelAgentConfigsByTeam, listWorkAppSlackUserMappingsByTeam, updateWorkAppSlackWorkspace, upsertWorkAppSlackChannelAgentConfig } from "@inkeep/agents-core";
 import { createProtectedRoute, inheritedWorkAppsAuth } from "@inkeep/agents-core/middleware";
 
 //#region src/slack/routes/workspaces.ts
@@ -72,7 +73,7 @@ app.openapi(createProtectedRoute({
 	try {
 		const sessionTenantId = c.get("tenantId");
 		if (!sessionTenantId) {
-			logger.warn({}, "No tenantId in session context — cannot list workspaces");
+			logger.warn("No tenantId in session context — cannot list workspaces");
 			return c.json({ workspaces: [] });
 		}
 		const workspaces = await listWorkspaceInstallations(sessionTenantId);
@@ -347,47 +348,21 @@ app.openapi(createProtectedRoute({
 }), async (c) => {
 	const { teamId: workspaceIdentifier } = c.req.valid("param");
 	let teamId;
-	let connectionId;
 	try {
 		if (workspaceIdentifier.includes(":")) {
-			connectionId = workspaceIdentifier;
 			const teamMatch = workspaceIdentifier.match(/T:([A-Z0-9]+)/);
 			if (!teamMatch) return c.json({ error: "Invalid connectionId format" }, 400);
 			teamId = teamMatch[1];
-		} else {
-			teamId = workspaceIdentifier;
-			connectionId = computeWorkspaceConnectionId({
-				teamId,
-				enterpriseId: void 0
-			});
-		}
+		} else teamId = workspaceIdentifier;
 		const workspace = await findWorkspaceConnectionByTeamId(teamId);
 		if (!workspace) return c.json({ error: "Workspace not found" }, 404);
-		if (workspace.botToken) if (await revokeSlackToken(workspace.botToken)) logger.info({ teamId }, "Revoked Slack bot token");
-		else logger.warn({ teamId }, "Failed to revoke Slack bot token, continuing with uninstall");
-		const tenantId = workspace.tenantId;
-		const deletedChannelConfigs = await deleteAllWorkAppSlackChannelAgentConfigsByTeam(runDbClient_default)(tenantId, teamId);
-		if (deletedChannelConfigs > 0) logger.info({
-			teamId,
-			deletedChannelConfigs
-		}, "Deleted channel configs for uninstalled workspace");
-		const deletedMappings = await deleteAllWorkAppSlackUserMappingsByTeam(runDbClient_default)(tenantId, teamId);
-		if (deletedMappings > 0) logger.info({
+		if (!verifyTenantOwnership(c, workspace.tenantId)) return c.json({ error: "Access denied" }, 403);
+		const result = await cleanupWorkspaceInstallation({ teamId });
+		if (!result.success) logger.error({
 			teamId,
-			deletedMappings
-		}, "Deleted user mappings for uninstalled workspace");
-		const deletedMcpConfigs = await deleteAllSlackMcpToolAccessConfigsByTenant(runDbClient_default)(tenantId);
-		if (deletedMcpConfigs > 0) logger.info({
-			teamId,
-			deletedMcpConfigs
-		}, "Deleted MCP tool access configs for uninstalled workspace");
-		if (await deleteWorkAppSlackWorkspaceByNangoConnectionId(runDbClient_default)(connectionId)) logger.info({ connectionId }, "Deleted workspace from database");
-		if (!await deleteWorkspaceInstallation(connectionId)) logger.error({ connectionId }, "deleteWorkspaceInstallation returned false (DB already cleaned up)");
-		clearWorkspaceConnectionCache(teamId);
-		logger.info({
-			connectionId,
-			teamId
-		}, "Deleted workspace installation and cleared cache");
+			result
+		}, "Workspace uninstall partially failed");
+		logger.info({ teamId }, "Workspace uninstalled via API");
 		return c.json({ success: true });
 	} catch (error) {
 		logger.error({

package/dist/slack/services/client.js

@@ -380,7 +380,7 @@ async function revokeSlackToken(token) {
 	try {
 		const result = await new WebClient(token).auth.revoke();
 		if (result.ok) {
-			logger.info({}, "Successfully revoked Slack token");
+			logger.info("Successfully revoked Slack token");
 			return true;
 		}
 		logger.warn({ error: result.error }, "Token revocation returned non-ok status");
@@ -388,7 +388,7 @@ async function revokeSlackToken(token) {
 	} catch (error) {
 		const errorMessage = error instanceof Error ? error.message : String(error);
 		if (errorMessage.includes("token_revoked") || errorMessage.includes("invalid_auth")) {
-			logger.info({}, "Token already revoked or invalid");
+			logger.info("Token already revoked or invalid");
 			return true;
 		}
 		logger.error({ error }, "Failed to revoke Slack token");

package/dist/slack/services/events/utils.d.ts

@@ -9,10 +9,10 @@ import { AgentOption } from "../modals.js";
  * Called on every @mention and /inkeep command — caching avoids redundant DB queries.
  */
 declare function findCachedUserMapping(tenantId: string, slackUserId: string, teamId: string, clientId?: string): Promise<{
+  slackUserId: string;
   id: string;
   createdAt: string;
   updatedAt: string;
-  slackUserId: string;
   tenantId: string;
   clientId: string;
   slackTeamId: string;

package/dist/slack/services/index.d.ts

@@ -14,5 +14,6 @@ import { PublicExecutionParams, executeAgentPublicly } from "./events/execution.
 import { handleModalSubmission } from "./events/modal-submission.js";
 import "./events/index.js";
 import { parseSlackCommandBody, parseSlackEventBody, verifySlackRequest } from "./security.js";
+import { WorkspaceCleanupResult, cleanupWorkspaceInstallation } from "./workspace-cleanup.js";
 import { getBotTokenForTeam, setBotTokenForTeam } from "./workspace-tokens.js";
-export { AgentConfigSources, AgentOption, AgentResolutionParams, BuildAgentSelectorModalParams, BuildMessageShortcutModalParams, ContextBlockParams, DefaultAgentConfig, InlineSelectorMetadata, ModalMetadata, PublicExecutionParams, ResolvedAgentConfig, SlackCommandPayload, SlackCommandResponse, SlackErrorType, SlackWorkspaceConnection, StreamResult, ToolApprovalButtonValue, ToolApprovalButtonValueSchema, WorkspaceInstallData, buildAgentSelectorModal, buildCitationsBlock, buildDataArtifactBlocks, buildDataComponentBlocks, buildMessageShortcutModal, buildSummaryBreadcrumbBlock, buildToolApprovalBlocks, buildToolApprovalDoneBlocks, buildToolApprovalExpiredBlocks, buildToolOutputErrorBlock, checkIfBotThread, checkUserIsChannelMember, classifyError, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createAlreadyLinkedMessage, createConnectSession, createContextBlock, createContextBlockFromText, createCreateInkeepAccountMessage, createErrorMessage, createNotLinkedMessage, createSmartLinkMessage, createStatusMessage, createUnlinkSuccessMessage, createUpdatedHelpMessage, deleteWorkspaceInstallation, executeAgentPublicly, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, findWorkspaceConnectionByTeamId, generateSlackConversationId, getAgentConfigSources, getBotMemberChannels, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackChannelInfo, getSlackChannels, getSlackClient, getSlackIntegrationId, getSlackNango, getSlackTeamInfo, getSlackUserByEmail, getSlackUserInfo, getSlackUsers, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, handleAgentPickerCommand, handleAppMention, handleCommand, handleDirectMessage, handleHelpCommand, handleLinkCommand, handleMessageShortcut, handleModalSubmission, handleOpenAgentSelectorModal, handleQuestionCommand, handleStatusCommand, handleToolApproval, handleUnlinkCommand, listWorkspaceInstallations, lookupAgentName, lookupProjectName, markdownToMrkdwn, openDmConversation, parseSlackCommandBody, parseSlackEventBody, postMessage, postMessageInThread, resolveEffectiveAgent, revokeSlackToken, sendResponseUrlMessage, setBotTokenForTeam, setWorkspaceDefaultAgent, storeWorkspaceInstallation, streamAgentResponse, updateConnectionMetadata, validateBotChannelMembership, verifySlackRequest };
+export { AgentConfigSources, AgentOption, AgentResolutionParams, BuildAgentSelectorModalParams, BuildMessageShortcutModalParams, ContextBlockParams, DefaultAgentConfig, InlineSelectorMetadata, ModalMetadata, PublicExecutionParams, ResolvedAgentConfig, SlackCommandPayload, SlackCommandResponse, SlackErrorType, SlackWorkspaceConnection, StreamResult, ToolApprovalButtonValue, ToolApprovalButtonValueSchema, WorkspaceCleanupResult, WorkspaceInstallData, buildAgentSelectorModal, buildCitationsBlock, buildDataArtifactBlocks, buildDataComponentBlocks, buildMessageShortcutModal, buildSummaryBreadcrumbBlock, buildToolApprovalBlocks, buildToolApprovalDoneBlocks, buildToolApprovalExpiredBlocks, buildToolOutputErrorBlock, checkIfBotThread, checkUserIsChannelMember, classifyError, cleanupWorkspaceInstallation, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createAlreadyLinkedMessage, createConnectSession, createContextBlock, createContextBlockFromText, createCreateInkeepAccountMessage, createErrorMessage, createNotLinkedMessage, createSmartLinkMessage, createStatusMessage, createUnlinkSuccessMessage, createUpdatedHelpMessage, deleteWorkspaceInstallation, executeAgentPublicly, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, findWorkspaceConnectionByTeamId, generateSlackConversationId, getAgentConfigSources, getBotMemberChannels, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackChannelInfo, getSlackChannels, getSlackClient, getSlackIntegrationId, getSlackNango, getSlackTeamInfo, getSlackUserByEmail, getSlackUserInfo, getSlackUsers, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, handleAgentPickerCommand, handleAppMention, handleCommand, handleDirectMessage, handleHelpCommand, handleLinkCommand, handleMessageShortcut, handleModalSubmission, handleOpenAgentSelectorModal, handleQuestionCommand, handleStatusCommand, handleToolApproval, handleUnlinkCommand, listWorkspaceInstallations, lookupAgentName, lookupProjectName, markdownToMrkdwn, openDmConversation, parseSlackCommandBody, parseSlackEventBody, postMessage, postMessageInThread, resolveEffectiveAgent, revokeSlackToken, sendResponseUrlMessage, setBotTokenForTeam, setWorkspaceDefaultAgent, storeWorkspaceInstallation, streamAgentResponse, updateConnectionMetadata, validateBotChannelMembership, verifySlackRequest };

package/dist/slack/services/index.js

@@ -13,6 +13,7 @@ import { handleDirectMessage } from "./events/direct-message.js";
 import { handleModalSubmission } from "./events/modal-submission.js";
 import "./events/index.js";
 import { parseSlackCommandBody, parseSlackEventBody, verifySlackRequest } from "./security.js";
+import { cleanupWorkspaceInstallation } from "./workspace-cleanup.js";
 import { getBotTokenForTeam, setBotTokenForTeam } from "./workspace-tokens.js";
 
-export { SlackErrorType, ToolApprovalButtonValueSchema, buildAgentSelectorModal, buildCitationsBlock, buildDataArtifactBlocks, buildDataComponentBlocks, buildMessageShortcutModal, buildSummaryBreadcrumbBlock, buildToolApprovalBlocks, buildToolApprovalDoneBlocks, buildToolApprovalExpiredBlocks, buildToolOutputErrorBlock, checkIfBotThread, checkUserIsChannelMember, classifyError, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createAlreadyLinkedMessage, createConnectSession, createContextBlock, createContextBlockFromText, createCreateInkeepAccountMessage, createErrorMessage, createNotLinkedMessage, createSmartLinkMessage, createStatusMessage, createUnlinkSuccessMessage, createUpdatedHelpMessage, deleteWorkspaceInstallation, executeAgentPublicly, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, findWorkspaceConnectionByTeamId, generateSlackConversationId, getAgentConfigSources, getBotMemberChannels, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackChannelInfo, getSlackChannels, getSlackClient, getSlackIntegrationId, getSlackNango, getSlackTeamInfo, getSlackUserByEmail, getSlackUserInfo, getSlackUsers, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, handleAgentPickerCommand, handleAppMention, handleCommand, handleDirectMessage, handleHelpCommand, handleLinkCommand, handleMessageShortcut, handleModalSubmission, handleOpenAgentSelectorModal, handleQuestionCommand, handleStatusCommand, handleToolApproval, handleUnlinkCommand, listWorkspaceInstallations, lookupAgentName, lookupProjectName, markdownToMrkdwn, openDmConversation, parseSlackCommandBody, parseSlackEventBody, postMessage, postMessageInThread, resolveEffectiveAgent, revokeSlackToken, sendResponseUrlMessage, setBotTokenForTeam, setWorkspaceDefaultAgent, storeWorkspaceInstallation, streamAgentResponse, updateConnectionMetadata, validateBotChannelMembership, verifySlackRequest };
+export { SlackErrorType, ToolApprovalButtonValueSchema, buildAgentSelectorModal, buildCitationsBlock, buildDataArtifactBlocks, buildDataComponentBlocks, buildMessageShortcutModal, buildSummaryBreadcrumbBlock, buildToolApprovalBlocks, buildToolApprovalDoneBlocks, buildToolApprovalExpiredBlocks, buildToolOutputErrorBlock, checkIfBotThread, checkUserIsChannelMember, classifyError, cleanupWorkspaceInstallation, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createAlreadyLinkedMessage, createConnectSession, createContextBlock, createContextBlockFromText, createCreateInkeepAccountMessage, createErrorMessage, createNotLinkedMessage, createSmartLinkMessage, createStatusMessage, createUnlinkSuccessMessage, createUpdatedHelpMessage, deleteWorkspaceInstallation, executeAgentPublicly, extractApiErrorMessage, fetchAgentsForProject, fetchProjectsForTenant, findCachedUserMapping, findWorkspaceConnectionByTeamId, generateSlackConversationId, getAgentConfigSources, getBotMemberChannels, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackChannelInfo, getSlackChannels, getSlackClient, getSlackIntegrationId, getSlackNango, getSlackTeamInfo, getSlackUserByEmail, getSlackUserInfo, getSlackUsers, getThreadContext, getUserFriendlyErrorMessage, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, handleAgentPickerCommand, handleAppMention, handleCommand, handleDirectMessage, handleHelpCommand, handleLinkCommand, handleMessageShortcut, handleModalSubmission, handleOpenAgentSelectorModal, handleQuestionCommand, handleStatusCommand, handleToolApproval, handleUnlinkCommand, listWorkspaceInstallations, lookupAgentName, lookupProjectName, markdownToMrkdwn, openDmConversation, parseSlackCommandBody, parseSlackEventBody, postMessage, postMessageInThread, resolveEffectiveAgent, revokeSlackToken, sendResponseUrlMessage, setBotTokenForTeam, setWorkspaceDefaultAgent, storeWorkspaceInstallation, streamAgentResponse, updateConnectionMetadata, validateBotChannelMembership, verifySlackRequest };

package/dist/slack/services/nango.js

@@ -57,7 +57,7 @@ function getSlackIntegrationId() {
 }
 async function createConnectSession(params) {
 	if (isSlackDevMode()) {
-		logger.debug({}, "Skipping Nango connect session in dev mode");
+		logger.debug("Skipping Nango connect session in dev mode");
 		return null;
 	}
 	try {
@@ -340,7 +340,7 @@ async function storeWorkspaceInstallation(data) {
 		const integrationId = getSlackIntegrationId();
 		const secretKey = env.NANGO_SLACK_SECRET_KEY || env.NANGO_SECRET_KEY;
 		if (!secretKey) {
-			logger.error({}, "No Nango secret key available");
+			logger.error("No Nango secret key available");
 			return {
 				connectionId,
 				success: false

package/dist/slack/services/security.js

@@ -22,7 +22,7 @@ function verifySlackRequest(signingSecret, requestBody, timestamp, signature) {
 	try {
 		const fiveMinutesAgo = Math.floor(Date.now() / 1e3) - 300;
 		if (Number.parseInt(timestamp, 10) < fiveMinutesAgo) {
-			logger.warn({}, "Slack request timestamp too old");
+			logger.warn("Slack request timestamp too old");
 			return false;
 		}
 		const sigBaseString = `v0:${timestamp}:${requestBody}`;

package/dist/slack/services/workspace-cleanup.d.ts

@@ -0,0 +1,17 @@
+//#region src/slack/services/workspace-cleanup.d.ts
+interface WorkspaceCleanupResult {
+  success: boolean;
+  teamId: string;
+  tokenRevoked: boolean;
+  dbCleaned: boolean;
+  nangoCleaned: boolean;
+}
+declare function cleanupWorkspaceInstallation({
+  teamId,
+  skipTokenRevocation
+}: {
+  teamId: string;
+  skipTokenRevocation?: boolean;
+}): Promise<WorkspaceCleanupResult>;
+//#endregion
+export { WorkspaceCleanupResult, cleanupWorkspaceInstallation };

package/dist/slack/services/workspace-cleanup.js

@@ -0,0 +1,82 @@
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { clearWorkspaceConnectionCache, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId } from "./nango.js";
+import { revokeSlackToken } from "./client.js";
+import "./index.js";
+import { deleteAllSlackMcpToolAccessConfigsByTenant, deleteAllWorkAppSlackChannelAgentConfigsByTeam, deleteAllWorkAppSlackUserMappingsByTeam, deleteWorkAppSlackWorkspaceByNangoConnectionId } from "@inkeep/agents-core";
+
+//#region src/slack/services/workspace-cleanup.ts
+const logger = getLogger("slack-workspace-cleanup");
+async function cleanupWorkspaceInstallation({ teamId, skipTokenRevocation = false }) {
+	const result = {
+		success: false,
+		teamId,
+		tokenRevoked: false,
+		dbCleaned: false,
+		nangoCleaned: false
+	};
+	const workspace = await findWorkspaceConnectionByTeamId(teamId);
+	if (!workspace) {
+		logger.warn({ teamId }, "No workspace found for cleanup");
+		clearWorkspaceConnectionCache(teamId);
+		result.success = true;
+		return result;
+	}
+	const { tenantId, botToken, connectionId } = workspace;
+	if (!skipTokenRevocation && botToken) {
+		result.tokenRevoked = await revokeSlackToken(botToken);
+		if (result.tokenRevoked) logger.info({ teamId }, "Revoked Slack bot token during cleanup");
+		else logger.warn({ teamId }, "Failed to revoke Slack bot token, continuing with cleanup");
+	}
+	const steps = [
+		{
+			name: "channel_configs",
+			run: () => deleteAllWorkAppSlackChannelAgentConfigsByTeam(runDbClient_default)(tenantId, teamId)
+		},
+		{
+			name: "user_mappings",
+			run: () => deleteAllWorkAppSlackUserMappingsByTeam(runDbClient_default)(tenantId, teamId)
+		},
+		{
+			name: "mcp_configs",
+			run: () => deleteAllSlackMcpToolAccessConfigsByTenant(runDbClient_default)(tenantId)
+		},
+		{
+			name: "workspace_row",
+			run: () => deleteWorkAppSlackWorkspaceByNangoConnectionId(runDbClient_default)(connectionId)
+		},
+		{
+			name: "nango_connection",
+			run: () => deleteWorkspaceInstallation(connectionId)
+		}
+	];
+	const failures = [];
+	for (const step of steps) try {
+		await step.run();
+	} catch (error) {
+		failures.push(step.name);
+		logger.error({
+			error,
+			teamId,
+			connectionId,
+			step: step.name
+		}, "Cleanup step failed");
+	}
+	result.dbCleaned = !failures.some((f) => f !== "nango_connection");
+	result.nangoCleaned = !failures.includes("nango_connection");
+	clearWorkspaceConnectionCache(teamId);
+	result.success = failures.length === 0;
+	if (failures.length > 0) logger.error({
+		teamId,
+		connectionId,
+		failures
+	}, "Workspace cleanup completed with failures");
+	else logger.info({
+		teamId,
+		connectionId
+	}, "Workspace cleanup completed");
+	return result;
+}
+
+//#endregion
+export { cleanupWorkspaceInstallation };

package/dist/slack/slack-app-manifest.js

@@ -7,7 +7,6 @@ var oauth_config = {
 			"app_mentions:read",
 			"channels:history",
 			"channels:read",
-			"channels:join",
 			"chat:write",
 			"chat:write.public",
 			"commands",
@@ -23,10 +22,7 @@ var oauth_config = {
 			"mpim:write",
 			"team:read",
 			"users:read",
-			"users:read.email",
-			"search:read.public",
-			"search:read.files",
-			"search:read.users"
+			"users:read.email"
 		]
 	}
 };

package/dist/slack/socket-mode.js

@@ -11,7 +11,7 @@ const logger = getLogger("slack-socket-mode");
 const GLOBAL_KEY = "__inkeep_slack_socket_mode_client__";
 async function startSocketMode(appToken) {
 	if (globalThis[GLOBAL_KEY]) {
-		logger.info({}, "Socket Mode client already running (HMR reload detected), skipping");
+		logger.info("Socket Mode client already running (HMR reload detected), skipping");
 		return;
 	}
 	const { SocketModeClient } = await import("@slack/socket-mode");
@@ -19,7 +19,7 @@ async function startSocketMode(appToken) {
 	setupSocketModeListeners(client);
 	await client.start();
 	globalThis[GLOBAL_KEY] = client;
-	logger.info({}, "Slack Socket Mode client started");
+	logger.info("Slack Socket Mode client started");
 }
 function registerBackgroundWork(work) {
 	work.catch((err) => {
@@ -31,10 +31,10 @@ function setupSocketModeListeners(client) {
 		logger.error({ error: args[0] }, "Socket Mode client error");
 	});
 	client.on("disconnected", () => {
-		logger.warn({}, "Socket Mode client disconnected");
+		logger.warn("Socket Mode client disconnected");
 	});
 	client.on("reconnecting", () => {
-		logger.info({}, "Socket Mode client reconnecting...");
+		logger.info("Socket Mode client reconnecting...");
 	});
 	client.on("slack_event", async (...args) => {
 		const { ack, body, type } = args[0];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-work-apps",
-  "version": "0.65.1",
+  "version": "0.66.0",
   "description": "First party integrations for Inkeep Agents",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -35,7 +35,7 @@
     "minimatch": "^10.2.1",
     "oxfmt": "^0.42.0",
     "slack-block-builder": "^2.8.0",
-    "@inkeep/agents-core": "0.65.1"
+    "@inkeep/agents-core": "0.66.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",