@kodelyth/msteams 2026.5.39 → 2026.5.42

package/src/pending-uploads-fs.test.ts

@@ -0,0 +1,261 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { prepareFileConsentActivityFs } from "./file-consent-helpers.js";
+import {
+  getPendingUploadFs,
+  removePendingUploadFs,
+  setPendingUploadActivityIdFs,
+  storePendingUploadFs,
+} from "./pending-uploads-fs.js";
+import { clearPendingUploads } from "./pending-uploads.js";
+import { setMSTeamsRuntime } from "./runtime.js";
+import { msteamsRuntimeStub } from "./test-runtime.js";
+
+// Track temp dirs created by each test so afterEach can clean them up.
+const createdTempDirs: string[] = [];
+
+async function makeTempStateDir(): Promise<string> {
+  const dir = await fs.promises.mkdtemp(path.join(os.tmpdir(), "klaw-msteams-pending-"));
+  createdTempDirs.push(dir);
+  return dir;
+}
+
+function makeEnv(stateDir: string): NodeJS.ProcessEnv {
+  return { ...process.env, KLAW_STATE_DIR: stateDir };
+}
+
+async function requirePendingUpload(id: string, env: NodeJS.ProcessEnv) {
+  const upload = await getPendingUploadFs(id, { env });
+  if (!upload) {
+    throw new Error(`expected pending upload ${id}`);
+  }
+  return upload;
+}
+
+async function cleanupTempDirs(): Promise<void> {
+  while (createdTempDirs.length > 0) {
+    const dir = createdTempDirs.pop();
+    if (!dir) {
+      continue;
+    }
+    try {
+      await fs.promises.rm(dir, { recursive: true, force: true });
+    } catch {
+      // tmp dir may already be gone
+    }
+  }
+}
+
+describe("msteams pending uploads (fs-backed)", () => {
+  beforeEach(() => {
+    setMSTeamsRuntime(msteamsRuntimeStub);
+    clearPendingUploads();
+  });
+
+  afterEach(async () => {
+    await cleanupTempDirs();
+    vi.useRealTimers();
+  });
+
+  it("stores and retrieves a pending upload by id", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    await storePendingUploadFs(
+      {
+        id: "upload-1",
+        buffer: Buffer.from("hello world"),
+        filename: "greeting.txt",
+        contentType: "text/plain",
+        conversationId: "19:conv@thread.v2",
+      },
+      { env },
+    );
+
+    const loaded = await requirePendingUpload("upload-1", env);
+    expect(loaded.id).toBe("upload-1");
+    expect(loaded.filename).toBe("greeting.txt");
+    expect(loaded.contentType).toBe("text/plain");
+    expect(loaded.conversationId).toBe("19:conv@thread.v2");
+    expect(loaded.buffer.toString("utf8")).toBe("hello world");
+  });
+
+  it("returns undefined for missing and undefined ids", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    expect(await getPendingUploadFs(undefined, { env })).toBeUndefined();
+    expect(await getPendingUploadFs("does-not-exist", { env })).toBeUndefined();
+  });
+
+  it("persists so another reader finds the entry (simulates cross-process)", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    // First "process": writer
+    await storePendingUploadFs(
+      {
+        id: "upload-x",
+        buffer: Buffer.from("top secret"),
+        filename: "secret.bin",
+        conversationId: "19:conv@thread.v2",
+      },
+      { env },
+    );
+
+    // Confirm the backing file actually exists on disk with expected shape
+    const storePath = path.join(stateDir, "msteams-pending-uploads.json");
+    const raw = await fs.promises.readFile(storePath, "utf-8");
+    const parsed = JSON.parse(raw) as {
+      version: number;
+      uploads: Record<string, { bufferBase64: string; filename: string }>;
+    };
+    expect(parsed.version).toBe(1);
+    expect(parsed.uploads["upload-x"]?.filename).toBe("secret.bin");
+    expect(Buffer.from(parsed.uploads["upload-x"].bufferBase64, "base64").toString("utf8")).toBe(
+      "top secret",
+    );
+
+    // Second "process": reader using the same state dir
+    const reader = await getPendingUploadFs("upload-x", { env });
+    expect(reader?.buffer.toString("utf8")).toBe("top secret");
+    expect(reader?.filename).toBe("secret.bin");
+  });
+
+  it("removes persisted entries", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    await storePendingUploadFs(
+      {
+        id: "upload-rm",
+        buffer: Buffer.from("x"),
+        filename: "rm.bin",
+        conversationId: "19:conv@thread.v2",
+      },
+      { env },
+    );
+    const loaded = await requirePendingUpload("upload-rm", env);
+    expect(loaded.id).toBe("upload-rm");
+    expect(loaded.filename).toBe("rm.bin");
+    expect(loaded.contentType).toBeUndefined();
+    expect(loaded.conversationId).toBe("19:conv@thread.v2");
+    expect(loaded.consentCardActivityId).toBeUndefined();
+    expect(loaded.buffer.toString("utf8")).toBe("x");
+    expect(Number.isFinite(loaded.createdAt)).toBe(true);
+
+    await removePendingUploadFs("upload-rm", { env });
+    expect(await getPendingUploadFs("upload-rm", { env })).toBeUndefined();
+  });
+
+  it("remove is a no-op for unknown ids", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    await expect(removePendingUploadFs("never-existed", { env })).resolves.toBeUndefined();
+    await expect(removePendingUploadFs(undefined, { env })).resolves.toBeUndefined();
+  });
+
+  it("expires entries past their ttl on read", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+    const now = new Date("2026-05-08T00:00:00.000Z");
+    vi.useFakeTimers({ now });
+
+    await storePendingUploadFs(
+      {
+        id: "upload-old",
+        buffer: Buffer.from("stale"),
+        filename: "stale.txt",
+        conversationId: "19:conv@thread.v2",
+      },
+      { env, ttlMs: 1 },
+    );
+    vi.setSystemTime(now.getTime() + 2);
+    expect(await getPendingUploadFs("upload-old", { env, ttlMs: 1 })).toBeUndefined();
+  });
+
+  it("updates consent card activity id on an existing entry", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+
+    await storePendingUploadFs(
+      {
+        id: "upload-a",
+        buffer: Buffer.from("payload"),
+        filename: "f.txt",
+        conversationId: "19:conv@thread.v2",
+      },
+      { env },
+    );
+
+    await setPendingUploadActivityIdFs("upload-a", "activity-xyz", { env });
+    const loaded = await getPendingUploadFs("upload-a", { env });
+    expect(loaded?.consentCardActivityId).toBe("activity-xyz");
+  });
+
+  it("ignores malformed or empty store files and returns undefined", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+    const storePath = path.join(stateDir, "msteams-pending-uploads.json");
+    await fs.promises.writeFile(storePath, "not valid json", "utf-8");
+
+    // Should not throw and should treat as empty
+    expect(await getPendingUploadFs("anything", { env })).toBeUndefined();
+
+    await fs.promises.writeFile(storePath, JSON.stringify({ version: 2, uploads: {} }), "utf-8");
+    expect(await getPendingUploadFs("anything", { env })).toBeUndefined();
+  });
+});
+
+describe("prepareFileConsentActivityFs end-to-end", () => {
+  beforeEach(() => {
+    setMSTeamsRuntime(msteamsRuntimeStub);
+    clearPendingUploads();
+  });
+
+  afterEach(async () => {
+    await cleanupTempDirs();
+  });
+
+  it("writes the pending upload to the fs store with the same id as the card", async () => {
+    const stateDir = await makeTempStateDir();
+    const env = makeEnv(stateDir);
+    // Redirect state dir via env so the helper's FS writes land under our tmp
+    const originalEnv = process.env.KLAW_STATE_DIR;
+    process.env.KLAW_STATE_DIR = stateDir;
+
+    try {
+      const result = await prepareFileConsentActivityFs({
+        media: {
+          buffer: Buffer.from("cli file"),
+          filename: "cli.bin",
+          contentType: "application/octet-stream",
+        },
+        conversationId: "19:victim@thread.v2",
+        description: "Sent via CLI",
+      });
+
+      expect(result.uploadId).toMatch(/[0-9a-f-]/);
+      const attachments = result.activity.attachments as Array<Record<string, unknown>>;
+      expect(attachments).toHaveLength(1);
+      const content = attachments[0]?.content as { acceptContext: { uploadId: string } };
+      expect(content.acceptContext.uploadId).toBe(result.uploadId);
+
+      // Reader in (simulated) other process finds the entry under the same key
+      const loaded = await requirePendingUpload(result.uploadId, env);
+      expect(loaded.filename).toBe("cli.bin");
+      expect(loaded.contentType).toBe("application/octet-stream");
+      expect(loaded.conversationId).toBe("19:victim@thread.v2");
+      expect(loaded.buffer.toString("utf8")).toBe("cli file");
+    } finally {
+      if (originalEnv === undefined) {
+        delete process.env.KLAW_STATE_DIR;
+      } else {
+        process.env.KLAW_STATE_DIR = originalEnv;
+      }
+    }
+  });
+});

package/src/pending-uploads-fs.ts

@@ -0,0 +1,235 @@
+/**
+ * Filesystem-backed pending upload store for the FileConsentCard flow.
+ *
+ * The CLI `message send --media` path runs in a different process from the
+ * gateway's bot monitor that receives the `fileConsent/invoke` callback.
+ * An in-memory `pending-uploads.ts` store cannot bridge those processes, so
+ * when the user clicks "Allow" the monitor handler's lookup misses and the
+ * user sees "card action not supported".
+ *
+ * This FS store persists pending uploads to a JSON file (with the file buffer
+ * base64-encoded) so any process that shares the Klaw state dir can read
+ * them back. The in-memory store in `pending-uploads.ts` is still the fast
+ * path for same-process flows (for example the messenger reply path); this FS
+ * store is a cross-process fallback.
+ */
+
+import { resolveMSTeamsStorePath } from "./storage.js";
+import { readJsonFile, withFileLock, writeJsonFile } from "./store-fs.js";
+
+/** TTL for persisted pending uploads (matches in-memory store). */
+const PENDING_UPLOAD_TTL_MS = 5 * 60 * 1000;
+
+/** Cap to avoid unbounded growth if a process crashes mid-flow. */
+const MAX_PENDING_UPLOADS = 100;
+
+const STORE_FILENAME = "msteams-pending-uploads.json";
+
+type PendingUploadFsRecord = {
+  id: string;
+  bufferBase64: string;
+  filename: string;
+  contentType?: string;
+  conversationId: string;
+  /** Activity ID of the original FileConsentCard, used to replace it after upload */
+  consentCardActivityId?: string;
+  createdAt: number;
+};
+
+type PendingUploadFs = {
+  id: string;
+  buffer: Buffer;
+  filename: string;
+  contentType?: string;
+  conversationId: string;
+  consentCardActivityId?: string;
+  createdAt: number;
+};
+
+type PendingUploadStoreData = {
+  version: 1;
+  uploads: Record<string, PendingUploadFsRecord>;
+};
+
+const empty: PendingUploadStoreData = { version: 1, uploads: {} };
+
+type PendingUploadsFsOptions = {
+  env?: NodeJS.ProcessEnv;
+  homedir?: () => string;
+  stateDir?: string;
+  storePath?: string;
+  ttlMs?: number;
+};
+
+function resolveFilePath(options: PendingUploadsFsOptions | undefined): string {
+  return resolveMSTeamsStorePath({
+    filename: STORE_FILENAME,
+    env: options?.env,
+    homedir: options?.homedir,
+    stateDir: options?.stateDir,
+    storePath: options?.storePath,
+  });
+}
+
+function pruneExpired(
+  uploads: Record<string, PendingUploadFsRecord>,
+  nowMs: number,
+  ttlMs: number,
+): Record<string, PendingUploadFsRecord> {
+  const kept: Record<string, PendingUploadFsRecord> = {};
+  for (const [id, record] of Object.entries(uploads)) {
+    if (nowMs - record.createdAt <= ttlMs) {
+      kept[id] = record;
+    }
+  }
+  return kept;
+}
+
+function pruneToLimit(
+  uploads: Record<string, PendingUploadFsRecord>,
+): Record<string, PendingUploadFsRecord> {
+  const entries = Object.entries(uploads);
+  if (entries.length <= MAX_PENDING_UPLOADS) {
+    return uploads;
+  }
+  // Oldest createdAt first; drop the oldest until we fit.
+  entries.sort((a, b) => a[1].createdAt - b[1].createdAt);
+  const keep = entries.slice(entries.length - MAX_PENDING_UPLOADS);
+  return Object.fromEntries(keep);
+}
+
+function recordToUpload(record: PendingUploadFsRecord): PendingUploadFs {
+  return {
+    id: record.id,
+    buffer: Buffer.from(record.bufferBase64, "base64"),
+    filename: record.filename,
+    contentType: record.contentType,
+    conversationId: record.conversationId,
+    consentCardActivityId: record.consentCardActivityId,
+    createdAt: record.createdAt,
+  };
+}
+
+function isValidStore(value: unknown): value is PendingUploadStoreData {
+  if (!value || typeof value !== "object") {
+    return false;
+  }
+  const candidate = value as Partial<PendingUploadStoreData>;
+  return (
+    candidate.version === 1 &&
+    typeof candidate.uploads === "object" &&
+    candidate.uploads !== null &&
+    !Array.isArray(candidate.uploads)
+  );
+}
+
+async function readStore(filePath: string, ttlMs: number): Promise<PendingUploadStoreData> {
+  const { value } = await readJsonFile<unknown>(filePath, empty);
+  if (!isValidStore(value)) {
+    return { version: 1, uploads: {} };
+  }
+  const uploads = pruneToLimit(pruneExpired(value.uploads, Date.now(), ttlMs));
+  return { version: 1, uploads };
+}
+
+/**
+ * Persist a pending upload record so another process can read it back.
+ * Pass in the pre-generated id (same as the one placed in the consent card
+ * context) so the in-memory and FS stores share the same key.
+ */
+export async function storePendingUploadFs(
+  upload: {
+    id: string;
+    buffer: Buffer;
+    filename: string;
+    contentType?: string;
+    conversationId: string;
+    consentCardActivityId?: string;
+  },
+  options?: PendingUploadsFsOptions,
+): Promise<void> {
+  const ttlMs = options?.ttlMs ?? PENDING_UPLOAD_TTL_MS;
+  const filePath = resolveFilePath(options);
+  await withFileLock(filePath, empty, async () => {
+    const store = await readStore(filePath, ttlMs);
+    store.uploads[upload.id] = {
+      id: upload.id,
+      bufferBase64: upload.buffer.toString("base64"),
+      filename: upload.filename,
+      contentType: upload.contentType,
+      conversationId: upload.conversationId,
+      consentCardActivityId: upload.consentCardActivityId,
+      createdAt: Date.now(),
+    };
+    store.uploads = pruneToLimit(pruneExpired(store.uploads, Date.now(), ttlMs));
+    await writeJsonFile(filePath, store);
+  });
+}
+
+/**
+ * Retrieve a persisted pending upload. Expired entries are treated as absent.
+ */
+export async function getPendingUploadFs(
+  id: string | undefined,
+  options?: PendingUploadsFsOptions,
+): Promise<PendingUploadFs | undefined> {
+  if (!id) {
+    return undefined;
+  }
+  const ttlMs = options?.ttlMs ?? PENDING_UPLOAD_TTL_MS;
+  const filePath = resolveFilePath(options);
+  const store = await readStore(filePath, ttlMs);
+  const record = store.uploads[id];
+  if (!record) {
+    return undefined;
+  }
+  if (Date.now() - record.createdAt > ttlMs) {
+    return undefined;
+  }
+  return recordToUpload(record);
+}
+
+/**
+ * Remove a persisted pending upload (after successful upload or decline).
+ * No-op if the entry is already gone.
+ */
+export async function removePendingUploadFs(
+  id: string | undefined,
+  options?: PendingUploadsFsOptions,
+): Promise<void> {
+  if (!id) {
+    return;
+  }
+  const ttlMs = options?.ttlMs ?? PENDING_UPLOAD_TTL_MS;
+  const filePath = resolveFilePath(options);
+  await withFileLock(filePath, empty, async () => {
+    const store = await readStore(filePath, ttlMs);
+    if (!(id in store.uploads)) {
+      return;
+    }
+    delete store.uploads[id];
+    await writeJsonFile(filePath, store);
+  });
+}
+
+/**
+ * Set the consent card activity ID on a persisted entry. Called after the
+ * FileConsentCard activity is sent and we know its message id.
+ */
+export async function setPendingUploadActivityIdFs(
+  id: string,
+  activityId: string,
+  options?: PendingUploadsFsOptions,
+): Promise<void> {
+  const ttlMs = options?.ttlMs ?? PENDING_UPLOAD_TTL_MS;
+  const filePath = resolveFilePath(options);
+  await withFileLock(filePath, empty, async () => {
+    const store = await readStore(filePath, ttlMs);
+    const record = store.uploads[id];
+    if (!record) {
+      return;
+    }
+    record.consentCardActivityId = activityId;
+    await writeJsonFile(filePath, store);
+  });
+}

package/src/pending-uploads.test.ts

@@ -0,0 +1,186 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  clearPendingUploads,
+  getPendingUpload,
+  getPendingUploadCount,
+  removePendingUpload,
+  setPendingUploadActivityId,
+  storePendingUpload,
+} from "./pending-uploads.js";
+
+function requirePendingUpload(id: string) {
+  const upload = getPendingUpload(id);
+  if (!upload) {
+    throw new Error(`expected pending upload ${id}`);
+  }
+  return upload;
+}
+
+describe("pending-uploads", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    clearPendingUploads();
+  });
+
+  afterEach(() => {
+    clearPendingUploads();
+    vi.useRealTimers();
+  });
+
+  describe("storePendingUpload", () => {
+    it("stores and retrieves a pending upload", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        contentType: "text/plain",
+        conversationId: "conv-1",
+      });
+
+      const upload = requirePendingUpload(id);
+      expect(upload.id).toBe(id);
+      expect(upload.buffer.toString()).toBe("data");
+      expect(upload.filename).toBe("file.txt");
+      expect(upload.contentType).toBe("text/plain");
+      expect(upload.conversationId).toBe("conv-1");
+      expect(upload.createdAt).toBe(Date.now());
+    });
+
+    it("stores consentCardActivityId when provided", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+        consentCardActivityId: "activity-abc",
+      });
+
+      const upload = getPendingUpload(id);
+      expect(upload?.consentCardActivityId).toBe("activity-abc");
+    });
+
+    it("stores without consentCardActivityId when not provided", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      const upload = getPendingUpload(id);
+      expect(upload?.consentCardActivityId).toBeUndefined();
+    });
+
+    it("auto-removes entry after TTL expires", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      expect(requirePendingUpload(id).filename).toBe("file.txt");
+      vi.advanceTimersByTime(5 * 60 * 1000 + 1);
+      // After TTL the in-memory check also gates access
+      expect(getPendingUpload(id)).toBeUndefined();
+    });
+  });
+
+  describe("removePendingUpload", () => {
+    it("removes the entry immediately", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      removePendingUpload(id);
+      expect(getPendingUpload(id)).toBeUndefined();
+    });
+
+    it("clears the TTL timer so it does not fire after explicit removal", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      expect(getPendingUploadCount()).toBe(1);
+      removePendingUpload(id);
+      expect(getPendingUploadCount()).toBe(0);
+
+      // Advance past TTL — timer should have been cleared and count stays 0
+      vi.advanceTimersByTime(5 * 60 * 1000 + 1);
+      expect(getPendingUploadCount()).toBe(0);
+    });
+
+    it("leaves existing uploads untouched for undefined id", () => {
+      storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      removePendingUpload(undefined);
+      expect(getPendingUploadCount()).toBe(1);
+    });
+
+    it("leaves the store empty for unknown ids", () => {
+      removePendingUpload("non-existent-id");
+      expect(getPendingUploadCount()).toBe(0);
+    });
+  });
+
+  describe("clearPendingUploads", () => {
+    it("removes all entries and cancels timers", () => {
+      storePendingUpload({ buffer: Buffer.from("a"), filename: "a.txt", conversationId: "c1" });
+      storePendingUpload({ buffer: Buffer.from("b"), filename: "b.txt", conversationId: "c2" });
+      expect(getPendingUploadCount()).toBe(2);
+
+      clearPendingUploads();
+      expect(getPendingUploadCount()).toBe(0);
+
+      // TTL timers should have been cleared — no side-effects after advance
+      vi.advanceTimersByTime(5 * 60 * 1000 + 1);
+      expect(getPendingUploadCount()).toBe(0);
+    });
+  });
+
+  describe("setPendingUploadActivityId", () => {
+    it("sets the consentCardActivityId on an existing upload", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      expect(getPendingUpload(id)?.consentCardActivityId).toBeUndefined();
+
+      setPendingUploadActivityId(id, "activity-xyz");
+      expect(getPendingUpload(id)?.consentCardActivityId).toBe("activity-xyz");
+    });
+
+    it("leaves the store empty for unknown upload ids", () => {
+      setPendingUploadActivityId("non-existent", "activity-xyz");
+      expect(getPendingUploadCount()).toBe(0);
+    });
+  });
+
+  describe("getPendingUpload", () => {
+    it("returns undefined for undefined id", () => {
+      expect(getPendingUpload(undefined)).toBeUndefined();
+    });
+
+    it("returns undefined for unknown id", () => {
+      expect(getPendingUpload("no-such-id")).toBeUndefined();
+    });
+
+    it("returns undefined when entry is past TTL but timer has not yet fired", () => {
+      const id = storePendingUpload({
+        buffer: Buffer.from("data"),
+        filename: "file.txt",
+        conversationId: "conv-1",
+      });
+
+      // Manually advance time without firing timers to simulate stale entry
+      vi.setSystemTime(Date.now() + 5 * 60 * 1000 + 1);
+      expect(getPendingUpload(id)).toBeUndefined();
+    });
+  });
+});