npm - @kodelyth/googlechat - Versions diffs - 2026.5.39 → 2026.5.42 - Mend

@kodelyth/googlechat 2026.5.39 → 2026.5.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/api.ts +3 -0
package/channel-config-api.ts +1 -0
package/channel-plugin-api.ts +1 -0
package/config-api.ts +2 -0
package/contract-api.ts +5 -0
package/dist/actions-YK1wn4ed.js +160 -0
package/dist/api-BkZX4VNX.js +633 -0
package/dist/api.js +3 -0
package/dist/channel-DFZdjXD6.js +584 -0
package/dist/channel-config-api.js +6 -0
package/dist/channel-plugin-api.js +2 -0
package/dist/channel.runtime-en3RNg9S.js +998 -0
package/dist/contract-api.js +3 -0
package/dist/doctor-contract-8SF6XoKj.js +151 -0
package/dist/doctor-contract-api.js +2 -0
package/dist/index.js +22 -0
package/dist/runtime-api-DUH2Cg-0.js +29 -0
package/dist/runtime-api.js +2 -0
package/dist/secret-contract-DWX4ikgT.js +99 -0
package/dist/secret-contract-api.js +2 -0
package/dist/setup-entry.js +15 -0
package/dist/setup-plugin-api.js +75 -0
package/dist/setup-surface-B3Fa7XRx.js +321 -0
package/dist/test-api.js +3 -0
package/doctor-contract-api.ts +1 -0
package/index.ts +20 -0
package/klaw.plugin.json +2 -967
package/package.json +4 -4
package/runtime-api.ts +55 -0
package/secret-contract-api.ts +5 -0
package/setup-entry.ts +13 -0
package/setup-plugin-api.ts +3 -0
package/src/accounts.ts +181 -0
package/src/actions.test.ts +289 -0
package/src/actions.ts +227 -0
package/src/api.ts +316 -0
package/src/approval-auth.test.ts +24 -0
package/src/approval-auth.ts +32 -0
package/src/auth.ts +218 -0
package/src/channel-config.test.ts +39 -0
package/src/channel.adapters.ts +340 -0
package/src/channel.deps.runtime.ts +29 -0
package/src/channel.runtime.ts +17 -0
package/src/channel.setup.ts +98 -0
package/src/channel.test.ts +784 -0
package/src/channel.ts +277 -0
package/src/config-schema.test.ts +31 -0
package/src/config-schema.ts +3 -0
package/src/doctor-contract.test.ts +75 -0
package/src/doctor-contract.ts +182 -0
package/src/doctor.ts +57 -0
package/src/gateway.ts +63 -0
package/src/google-auth.runtime.test.ts +543 -0
package/src/google-auth.runtime.ts +568 -0
package/src/group-policy.ts +17 -0
package/src/monitor-access.test.ts +491 -0
package/src/monitor-access.ts +465 -0
package/src/monitor-durable.test.ts +39 -0
package/src/monitor-durable.ts +23 -0
package/src/monitor-reply-delivery.ts +156 -0
package/src/monitor-routing.ts +65 -0
package/src/monitor-types.ts +33 -0
package/src/monitor-webhook.test.ts +587 -0
package/src/monitor-webhook.ts +303 -0
package/src/monitor.reply-delivery.test.ts +144 -0
package/src/monitor.test.ts +159 -0
package/src/monitor.ts +527 -0
package/src/monitor.webhook-routing.test.ts +257 -0
package/src/runtime.ts +9 -0
package/src/secret-contract.test.ts +60 -0
package/src/secret-contract.ts +161 -0
package/src/setup-core.ts +40 -0
package/src/setup-surface.ts +243 -0
package/src/setup.test.ts +619 -0
package/src/targets.test.ts +453 -0
package/src/targets.ts +66 -0
package/src/types.config.ts +3 -0
package/src/types.ts +73 -0
package/test-api.ts +2 -0
package/tsconfig.json +16 -0
package/api.js +0 -7
package/channel-config-api.js +0 -7
package/channel-plugin-api.js +0 -7
package/contract-api.js +0 -7
package/doctor-contract-api.js +0 -7
package/index.js +0 -7
package/runtime-api.js +0 -7
package/secret-contract-api.js +0 -7
package/setup-entry.js +0 -7
package/setup-plugin-api.js +0 -7
package/test-api.js +0 -7

package/src/monitor-access.test.ts ADDED Viewed

@@ -0,0 +1,491 @@
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+const createChannelPairingController = vi.hoisted(() => vi.fn());
+const isDangerousNameMatchingEnabled = vi.hoisted(() => vi.fn());
+const resolveAllowlistProviderRuntimeGroupPolicy = vi.hoisted(() => vi.fn());
+const resolveDefaultGroupPolicy = vi.hoisted(() => vi.fn());
+const warnMissingProviderGroupPolicyFallbackOnce = vi.hoisted(() => vi.fn());
+const sendGoogleChatMessage = vi.hoisted(() => vi.fn());
+vi.mock("../runtime-api.js", () => ({
+  GROUP_POLICY_BLOCKED_LABEL: { space: "space" },
+  createChannelPairingController,
+  isDangerousNameMatchingEnabled,
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+  warnMissingProviderGroupPolicyFallbackOnce,
+}));
+vi.mock("./api.js", () => ({
+  sendGoogleChatMessage,
+}));
+function createCore() {
+  return {
+    channel: {
+      commands: {
+        shouldComputeCommandAuthorized: vi.fn(() => false),
+        resolveCommandAuthorizedFromAuthorizers: vi.fn(() => false),
+        shouldHandleTextCommands: vi.fn(() => false),
+        isControlCommandMessage: vi.fn(() => false),
+      },
+      text: {
+        hasControlCommand: vi.fn(() => false),
+      },
+    },
+  };
+}
+function primeCommonDefaults() {
+  isDangerousNameMatchingEnabled.mockReturnValue(false);
+  resolveDefaultGroupPolicy.mockReturnValue("allowlist");
+  resolveAllowlistProviderRuntimeGroupPolicy.mockReturnValue({
+    groupPolicy: "allowlist",
+    providerMissingFallbackApplied: false,
+  });
+  warnMissingProviderGroupPolicyFallbackOnce.mockReturnValue(undefined);
+}
+const baseAccessConfig = {
+  channels: { googlechat: {} },
+  commands: { useAccessGroups: true },
+} as const;
+const defaultSender = {
+  senderId: "users/alice",
+  senderName: "Alice",
+  senderEmail: "alice@example.com",
+} as const;
+let applyGoogleChatInboundAccessPolicy: typeof import("./monitor-access.js").applyGoogleChatInboundAccessPolicy;
+function allowInboundGroupTraffic() {
+  createChannelPairingController.mockReturnValue({
+    readAllowFromStore: vi.fn(async () => []),
+    issueChallenge: vi.fn(),
+  });
+}
+async function applyInboundAccessPolicy(
+  overrides: Partial<Parameters<typeof applyGoogleChatInboundAccessPolicy>[0]>,
+) {
+  return applyGoogleChatInboundAccessPolicy({
+    account: {
+      accountId: "default",
+      config: {},
+    } as never,
+    config: baseAccessConfig as never,
+    core: createCore() as never,
+    space: { name: "spaces/AAA", displayName: "Team Room" } as never,
+    message: { annotations: [] } as never,
+    isGroup: true,
+    rawBody: "hello team",
+    logVerbose: vi.fn(),
+    ...defaultSender,
+    ...overrides,
+  } as never);
+}
+describe("googlechat inbound access policy", () => {
+  beforeAll(async () => {
+    ({ applyGoogleChatInboundAccessPolicy } = await import("./monitor-access.js"));
+  });
+  afterAll(() => {
+    vi.doUnmock("../runtime-api.js");
+    vi.doUnmock("./api.js");
+    vi.resetModules();
+  });
+  it.each([
+    {
+      name: "blocks raw email entries when dangerous name matching is disabled",
+      allowNameMatching: false,
+      allowFrom: ["jane@example.com"],
+      senderId: "users/123",
+      ok: false,
+    },
+    {
+      name: "matches raw email entries when dangerous name matching is enabled",
+      allowNameMatching: true,
+      allowFrom: ["jane@example.com"],
+      senderId: "users/123",
+      ok: true,
+    },
+    {
+      name: "does not treat users/<email> entries as email allowlist entries",
+      allowNameMatching: true,
+      allowFrom: ["users/jane@example.com"],
+      senderId: "users/123",
+      ok: false,
+    },
+    {
+      name: "matches user id entries",
+      allowNameMatching: false,
+      allowFrom: ["users/abc"],
+      senderId: "users/abc",
+      ok: true,
+    },
+  ])("$name", async ({ allowNameMatching, allowFrom, senderId, ok }) => {
+    primeCommonDefaults();
+    isDangerousNameMatchingEnabled.mockReturnValue(allowNameMatching);
+    createChannelPairingController.mockReturnValue({
+      readAllowFromStore: vi.fn(async () => []),
+      issueChallenge: vi.fn(),
+    });
+    const result = await applyInboundAccessPolicy({
+      isGroup: false,
+      account: {
+        accountId: "default",
+        config: {
+          dm: {
+            policy: "allowlist",
+            allowFrom,
+          },
+        },
+      } as never,
+      senderId,
+      senderEmail: "Jane@Example.com",
+    });
+    expect(result.ok).toBe(ok);
+  });
+  it("issues a pairing challenge for unauthorized DMs in pairing mode", async () => {
+    primeCommonDefaults();
+    const now = new Date("2026-05-09T06:35:00.000Z").getTime();
+    const issueChallenge = vi.fn(async ({ onCreated, sendPairingReply }) => {
+      onCreated?.();
+      await sendPairingReply("pairing text");
+    });
+    createChannelPairingController.mockReturnValue({
+      readAllowFromStore: vi.fn(async () => []),
+      issueChallenge,
+    });
+    sendGoogleChatMessage.mockResolvedValue({ ok: true });
+    const statusSink = vi.fn();
+    const logVerbose = vi.fn();
+    const account = {
+      accountId: "default",
+      config: {
+        dm: { policy: "pairing" },
+      },
+    };
+    vi.useFakeTimers();
+    vi.setSystemTime(now);
+    try {
+      await expect(
+        applyGoogleChatInboundAccessPolicy({
+          account: account as never,
+          config: {
+            channels: { googlechat: {} },
+          } as never,
+          core: createCore() as never,
+          space: { name: "spaces/AAA", displayName: "DM" } as never,
+          message: { annotations: [] } as never,
+          isGroup: false,
+          senderId: "users/abc",
+          senderName: "Alice",
+          senderEmail: "alice@example.com",
+          rawBody: "hello",
+          statusSink,
+          logVerbose,
+        }),
+      ).resolves.toEqual({ ok: false });
+      expect(issueChallenge).toHaveBeenCalledTimes(1);
+      expect(sendGoogleChatMessage).toHaveBeenCalledWith({
+        account,
+        space: "spaces/AAA",
+        text: "pairing text",
+      });
+      expect(statusSink).toHaveBeenCalledWith({
+        lastOutboundAt: now,
+      });
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+  it("allows group traffic when sender and mention gates pass", async () => {
+    primeCommonDefaults();
+    allowInboundGroupTraffic();
+    const core = createCore();
+    core.channel.commands.shouldComputeCommandAuthorized.mockReturnValue(true);
+    core.channel.commands.resolveCommandAuthorizedFromAuthorizers.mockReturnValue(true);
+    await expect(
+      applyInboundAccessPolicy({
+        account: {
+          accountId: "default",
+          config: {
+            botUser: "users/app-bot",
+            groups: {
+              "spaces/AAA": {
+                users: ["users/alice"],
+                requireMention: true,
+                systemPrompt: " group prompt ",
+              },
+            },
+          },
+        } as never,
+        core: core as never,
+        message: {
+          annotations: [
+            {
+              type: "USER_MENTION",
+              userMention: { user: { name: "users/app-bot" } },
+            },
+          ],
+        } as never,
+      }),
+    ).resolves.toEqual({
+      ok: true,
+      commandAuthorized: true,
+      effectiveWasMentioned: true,
+      groupSystemPrompt: "group prompt",
+    });
+  });
+  it("allows group traffic from generic message sender access groups", async () => {
+    primeCommonDefaults();
+    allowInboundGroupTraffic();
+    const result = await applyInboundAccessPolicy({
+      config: {
+        ...baseAccessConfig,
+        accessGroups: {
+          operators: {
+            type: "message.senders",
+            members: {
+              googlechat: ["users/alice"],
+            },
+          },
+        },
+      } as never,
+      account: {
+        accountId: "default",
+        config: {
+          groups: {
+            "spaces/AAA": {
+              users: ["accessGroup:operators"],
+              requireMention: false,
+            },
+          },
+        },
+      } as never,
+    });
+    expect(result.ok).toBe(true);
+  });
+  it("expands generic message sender access groups before DM access checks", async () => {
+    primeCommonDefaults();
+    const readAllowFromStore = vi.fn(async () => []);
+    createChannelPairingController.mockReturnValue({
+      readAllowFromStore,
+      issueChallenge: vi.fn(),
+    });
+    const result = await applyInboundAccessPolicy({
+      isGroup: false,
+      config: {
+        ...baseAccessConfig,
+        accessGroups: {
+          operators: {
+            type: "message.senders",
+            members: {
+              googlechat: ["users/alice"],
+            },
+          },
+        },
+      } as never,
+      account: {
+        accountId: "default",
+        config: {
+          dm: {
+            policy: "allowlist",
+            allowFrom: ["accessGroup:operators"],
+          },
+        },
+      } as never,
+    });
+    expect(result.ok).toBe(true);
+    expect(readAllowFromStore).not.toHaveBeenCalled();
+  });
+  it("preserves allowlist group policy when a routed space has no sender allowlist", async () => {
+    primeCommonDefaults();
+    allowInboundGroupTraffic();
+    const logVerbose = vi.fn();
+    await expect(
+      applyInboundAccessPolicy({
+        account: {
+          accountId: "default",
+          config: {
+            dm: {
+              policy: "allowlist",
+              allowFrom: ["users/alice"],
+            },
+            groups: {
+              "spaces/AAA": {
+                enabled: true,
+              },
+            },
+          },
+        } as never,
+        logVerbose,
+      }),
+    ).resolves.toEqual({ ok: false });
+    expect(logVerbose).toHaveBeenCalledWith(
+      "drop group message (sender policy blocked, reason=groupPolicy=allowlist (empty allowlist), space=spaces/AAA)",
+    );
+  });
+  it("keeps configured space users sender-scoped when group policy is open", async () => {
+    primeCommonDefaults();
+    resolveAllowlistProviderRuntimeGroupPolicy.mockReturnValue({
+      groupPolicy: "open",
+      providerMissingFallbackApplied: false,
+    });
+    allowInboundGroupTraffic();
+    const logVerbose = vi.fn();
+    await expect(
+      applyInboundAccessPolicy({
+        account: {
+          accountId: "default",
+          config: {
+            groupPolicy: "open",
+            groups: {
+              "spaces/AAA": {
+                users: ["users/bob"],
+                requireMention: false,
+              },
+            },
+          },
+        } as never,
+        logVerbose,
+      }),
+    ).resolves.toEqual({ ok: false });
+    expect(logVerbose).toHaveBeenCalledWith("drop group message (sender not allowed, users/alice)");
+  });
+  it("drops unauthorized group control commands", async () => {
+    primeCommonDefaults();
+    allowInboundGroupTraffic();
+    resolveAllowlistProviderRuntimeGroupPolicy.mockReturnValue({
+      groupPolicy: "open",
+      providerMissingFallbackApplied: false,
+    });
+    const core = createCore();
+    core.channel.commands.shouldComputeCommandAuthorized.mockReturnValue(true);
+    core.channel.commands.isControlCommandMessage.mockReturnValue(true);
+    const logVerbose = vi.fn();
+    await expect(
+      applyInboundAccessPolicy({
+        core: core as never,
+        account: {
+          accountId: "default",
+          config: {
+            groups: {
+              "spaces/AAA": {
+                requireMention: false,
+              },
+            },
+          },
+        } as never,
+        rawBody: "/admin",
+        logVerbose,
+      }),
+    ).resolves.toEqual({ ok: false });
+    expect(logVerbose).toHaveBeenCalledWith("googlechat: drop control command from users/alice");
+  });
+  it("does not match group policy by mutable space displayName when the stable id differs", async () => {
+    primeCommonDefaults();
+    allowInboundGroupTraffic();
+    const logVerbose = vi.fn();
+    await expect(
+      applyInboundAccessPolicy({
+        account: {
+          accountId: "default",
+          config: {
+            groups: {
+              "Finance Ops": {
+                users: ["users/alice"],
+                requireMention: true,
+                systemPrompt: "finance-only prompt",
+              },
+            },
+          },
+        } as never,
+        core: createCore() as never,
+        space: { name: "spaces/BBB", displayName: "Finance Ops" } as never,
+        message: {
+          annotations: [
+            {
+              type: "USER_MENTION",
+              userMention: { user: { name: "users/app" } },
+            },
+          ],
+        } as never,
+        rawBody: "show quarter close status",
+        logVerbose,
+      }),
+    ).resolves.toEqual({ ok: false });
+    expect(logVerbose).toHaveBeenCalledWith(
+      "Deprecated Google Chat group key detected: group routing now requires stable space ids (spaces/<spaceId>). Update channels.googlechat.groups keys: Finance Ops",
+    );
+    expect(logVerbose).toHaveBeenCalledWith(
+      "drop group message (deprecated mutable group key matched, space=spaces/BBB)",
+    );
+  });
+  it("fails closed instead of falling back to wildcard when a deprecated room key matches", async () => {
+    primeCommonDefaults();
+    resolveAllowlistProviderRuntimeGroupPolicy.mockReturnValue({
+      groupPolicy: "open",
+      providerMissingFallbackApplied: false,
+    });
+    allowInboundGroupTraffic();
+    const logVerbose = vi.fn();
+    await expect(
+      applyInboundAccessPolicy({
+        account: {
+          accountId: "default",
+          config: {
+            groupPolicy: "open",
+            groups: {
+              "*": {
+                users: ["users/alice"],
+              },
+              "Finance Ops": {
+                enabled: false,
+                users: ["users/bob"],
+              },
+            },
+          },
+        } as never,
+        core: createCore() as never,
+        space: { name: "spaces/BBB", displayName: "Finance Ops" } as never,
+        rawBody: "show quarter close status",
+        logVerbose,
+      }),
+    ).resolves.toEqual({ ok: false });
+    expect(logVerbose).toHaveBeenCalledWith(
+      "drop group message (deprecated mutable group key matched, space=spaces/BBB)",
+    );
+  });
+});