@kodelyth/twitch 2026.5.42 → 2026.6.2

package/src/access-control.test.ts

@@ -1,373 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { checkTwitchAccessControl } from "./access-control.js";
-import type { TwitchAccountConfig, TwitchChatMessage } from "./types.js";
-
-describe("checkTwitchAccessControl", () => {
-  const mockAccount: TwitchAccountConfig = {
-    username: "testbot",
-    accessToken: "test",
-    clientId: "test-client-id",
-    channel: "testchannel",
-  };
-
-  const mockMessage: TwitchChatMessage = {
-    username: "testuser",
-    userId: "123456",
-    message: "hello bot",
-    channel: "testchannel",
-  };
-
-  function runAccessCheck(params: {
-    account?: Partial<TwitchAccountConfig>;
-    message?: Partial<TwitchChatMessage>;
-  }) {
-    return checkTwitchAccessControl({
-      message: {
-        ...mockMessage,
-        ...params.message,
-      },
-      account: {
-        ...mockAccount,
-        ...params.account,
-      },
-      botUsername: "testbot",
-    });
-  }
-
-  async function expectSingleRoleAllowed(params: {
-    role: NonNullable<TwitchAccountConfig["allowedRoles"]>[number];
-    message: Partial<TwitchChatMessage>;
-  }) {
-    const result = await runAccessCheck({
-      account: { allowedRoles: [params.role] },
-      message: {
-        message: "@testbot hello",
-        ...params.message,
-      },
-    });
-    expect(result.allowed).toBe(true);
-    return result;
-  }
-
-  async function expectAllowedAccessCheck(params: {
-    account?: Partial<TwitchAccountConfig>;
-    message?: Partial<TwitchChatMessage>;
-  }) {
-    const result = await runAccessCheck({
-      account: params.account,
-      message: {
-        message: "@testbot hello",
-        ...params.message,
-      },
-    });
-    expect(result.allowed).toBe(true);
-    return result;
-  }
-
-  async function expectAllowFromBlocked(params: {
-    allowFrom: string[];
-    allowedRoles?: NonNullable<TwitchAccountConfig["allowedRoles"]>;
-    message?: Partial<TwitchChatMessage>;
-    reason: string;
-  }) {
-    const result = await runAccessCheck({
-      account: {
-        allowFrom: params.allowFrom,
-        allowedRoles: params.allowedRoles,
-      },
-      message: {
-        message: "@testbot hello",
-        ...params.message,
-      },
-    });
-    expect(result.allowed).toBe(false);
-    expect(result.reason).toContain(params.reason);
-  }
-
-  describe("when no restrictions are configured", () => {
-    it("allows messages that mention the bot (default requireMention)", async () => {
-      const result = await runAccessCheck({
-        message: {
-          message: "@testbot hello",
-        },
-      });
-      expect(result.allowed).toBe(true);
-    });
-  });
-
-  describe("requireMention default", () => {
-    it("defaults to true when undefined", async () => {
-      const result = await runAccessCheck({
-        message: {
-          message: "hello bot",
-        },
-      });
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not mention the bot");
-    });
-
-    it("allows mention when requireMention is undefined", async () => {
-      const result = await runAccessCheck({
-        message: {
-          message: "@testbot hello",
-        },
-      });
-      expect(result.allowed).toBe(true);
-    });
-  });
-
-  describe("requireMention", () => {
-    it("allows messages that mention the bot", async () => {
-      const result = await runAccessCheck({
-        account: { requireMention: true },
-        message: { message: "@testbot hello" },
-      });
-      expect(result.allowed).toBe(true);
-    });
-
-    it("blocks messages that don't mention the bot", async () => {
-      const result = await runAccessCheck({
-        account: { requireMention: true },
-      });
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not mention the bot");
-    });
-
-    it("is case-insensitive for bot username", async () => {
-      const result = await runAccessCheck({
-        account: { requireMention: true },
-        message: { message: "@TestBot hello" },
-      });
-      expect(result.allowed).toBe(true);
-    });
-  });
-
-  describe("allowFrom allowlist", () => {
-    it("allows users in the allowlist", async () => {
-      const result = await expectAllowedAccessCheck({
-        account: {
-          allowFrom: ["123456", "789012"],
-        },
-      });
-      expect(result.matchKey).toBe("123456");
-      expect(result.matchSource).toBe("allowlist");
-    });
-
-    it("blocks users not in allowlist when allowFrom is set", async () => {
-      await expectAllowFromBlocked({
-        allowFrom: ["789012"],
-        reason: "allowFrom",
-      });
-    });
-
-    it("blocks everyone when allowFrom is explicitly empty", async () => {
-      await expectAllowFromBlocked({
-        allowFrom: [],
-        reason: "allowFrom",
-      });
-    });
-
-    it("blocks messages without userId", async () => {
-      await expectAllowFromBlocked({
-        allowFrom: ["123456"],
-        message: { userId: undefined },
-        reason: "user ID not available",
-      });
-    });
-
-    it("bypasses role checks when user is in allowlist", async () => {
-      const account: TwitchAccountConfig = {
-        ...mockAccount,
-        allowFrom: ["123456"],
-        allowedRoles: ["owner"],
-      };
-      const message: TwitchChatMessage = {
-        ...mockMessage,
-        message: "@testbot hello",
-        isOwner: false,
-      };
-
-      const result = await checkTwitchAccessControl({
-        message,
-        account,
-        botUsername: "testbot",
-      });
-      expect(result.allowed).toBe(true);
-    });
-
-    it("blocks user with role when not in allowlist", async () => {
-      await expectAllowFromBlocked({
-        allowFrom: ["789012"],
-        allowedRoles: ["moderator"],
-        message: { userId: "123456", isMod: true },
-        reason: "allowFrom",
-      });
-    });
-
-    it("blocks user not in allowlist even when roles configured", async () => {
-      await expectAllowFromBlocked({
-        allowFrom: ["789012"],
-        allowedRoles: ["moderator"],
-        message: { userId: "123456", isMod: false },
-        reason: "allowFrom",
-      });
-    });
-  });
-
-  describe("allowedRoles", () => {
-    it("allows users with matching role", async () => {
-      const result = await expectSingleRoleAllowed({
-        role: "moderator",
-        message: { isMod: true },
-      });
-      expect(result.matchSource).toBe("role");
-    });
-
-    it("allows users with any of multiple roles", async () => {
-      const account: TwitchAccountConfig = {
-        ...mockAccount,
-        allowedRoles: ["moderator", "vip", "subscriber"],
-      };
-      const message: TwitchChatMessage = {
-        ...mockMessage,
-        message: "@testbot hello",
-        isVip: true,
-        isMod: false,
-        isSub: false,
-      };
-
-      const result = await checkTwitchAccessControl({
-        message,
-        account,
-        botUsername: "testbot",
-      });
-      expect(result.allowed).toBe(true);
-    });
-
-    it("blocks users without matching role", async () => {
-      const account: TwitchAccountConfig = {
-        ...mockAccount,
-        allowedRoles: ["moderator"],
-      };
-      const message: TwitchChatMessage = {
-        ...mockMessage,
-        message: "@testbot hello",
-        isMod: false,
-      };
-
-      const result = await checkTwitchAccessControl({
-        message,
-        account,
-        botUsername: "testbot",
-      });
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not have any of the required roles");
-    });
-
-    it("allows all users when role is 'all'", async () => {
-      const result = await expectAllowedAccessCheck({
-        account: {
-          allowedRoles: ["all"],
-        },
-      });
-      expect(result.matchKey).toBe("all");
-    });
-
-    it("handles moderator role", async () => {
-      await expectSingleRoleAllowed({
-        role: "moderator",
-        message: { isMod: true },
-      });
-    });
-
-    it("handles subscriber role", async () => {
-      await expectSingleRoleAllowed({
-        role: "subscriber",
-        message: { isSub: true },
-      });
-    });
-
-    it("handles owner role", async () => {
-      await expectSingleRoleAllowed({
-        role: "owner",
-        message: { isOwner: true },
-      });
-    });
-
-    it("handles vip role", async () => {
-      await expectSingleRoleAllowed({
-        role: "vip",
-        message: { isVip: true },
-      });
-    });
-  });
-
-  describe("combined restrictions", () => {
-    it("checks requireMention before allowlist", async () => {
-      const account: TwitchAccountConfig = {
-        ...mockAccount,
-        requireMention: true,
-        allowFrom: ["123456"],
-      };
-      const message: TwitchChatMessage = {
-        ...mockMessage,
-        message: "hello", // No mention
-      };
-
-      const result = await checkTwitchAccessControl({
-        message,
-        account,
-        botUsername: "testbot",
-      });
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not mention the bot");
-    });
-
-    it("checks requireMention before sender allowlists for unauthorized chat", async () => {
-      const result = await runAccessCheck({
-        account: {
-          requireMention: true,
-          allowFrom: ["789012"],
-        },
-        message: {
-          message: "ordinary chat",
-          userId: "123456",
-        },
-      });
-
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not mention the bot");
-    });
-
-    it("checks requireMention before role gates for unauthorized chat", async () => {
-      const result = await runAccessCheck({
-        account: {
-          requireMention: true,
-          allowedRoles: ["moderator"],
-        },
-        message: {
-          message: "ordinary chat",
-          isMod: false,
-        },
-      });
-
-      expect(result.allowed).toBe(false);
-      expect(result.reason).toContain("does not mention the bot");
-    });
-
-    it("checks allowlist before allowedRoles", async () => {
-      const result = await runAccessCheck({
-        account: {
-          allowFrom: ["123456"],
-          allowedRoles: ["owner"],
-        },
-        message: {
-          message: "@testbot hello",
-          isOwner: false,
-        },
-      });
-      expect(result.allowed).toBe(true);
-      expect(result.matchSource).toBe("allowlist");
-    });
-  });
-});

package/src/access-control.ts

@@ -1,195 +0,0 @@
-import {
-  createChannelIngressResolver,
-  defineStableChannelIngressIdentity,
-  type ChannelIngressIdentitySubjectInput,
-  type IngressReasonCode,
-} from "klaw/plugin-sdk/channel-ingress-runtime";
-import { normalizeLowercaseStringOrEmpty } from "klaw/plugin-sdk/string-coerce-runtime";
-import type { TwitchAccountConfig, TwitchChatMessage } from "./types.js";
-
-type TwitchAccessControlResult = {
-  allowed: boolean;
-  reason?: string;
-  matchKey?: string;
-  matchSource?: string;
-};
-
-type TwitchPolicyKind = "open" | "allowFrom" | "role";
-
-const twitchUserIdentity = defineStableChannelIngressIdentity({
-  key: "sender-id",
-  entryIdPrefix: "twitch-user-entry",
-});
-
-const twitchRoleIdentity = defineStableChannelIngressIdentity({
-  key: "role-moderator",
-  kind: "role",
-  normalizeEntry: normalizeTwitchRole,
-  normalizeSubject: normalizeTwitchRole,
-  aliases: ["owner", "vip", "subscriber"].map((role) => ({
-    key: `role-${role}`,
-    kind: "role",
-    normalizeEntry: () => null,
-    normalizeSubject: normalizeTwitchRole,
-  })),
-  isWildcardEntry: (entry) => normalizeTwitchRole(entry) === "all",
-  resolveEntryId: ({ entryIndex }) => `twitch-role-entry-${entryIndex + 1}`,
-});
-
-export async function checkTwitchAccessControl(params: {
-  message: TwitchChatMessage;
-  account: TwitchAccountConfig;
-  botUsername: string;
-}): Promise<TwitchAccessControlResult> {
-  const { message, account, botUsername } = params;
-  const policyKind = resolveTwitchPolicyKind(account);
-  const resolved = await createChannelIngressResolver({
-    channelId: "twitch",
-    accountId: "default",
-    identity: policyKind === "role" ? twitchRoleIdentity : twitchUserIdentity,
-  }).message({
-    subject:
-      policyKind === "role"
-        ? twitchRoleSubject(message)
-        : ({ stableId: message.userId } satisfies ChannelIngressIdentitySubjectInput),
-    conversation: {
-      kind: "group",
-      id: message.channel,
-    },
-    event: { mayPair: false },
-    mentionFacts: {
-      canDetectMention: true,
-      wasMentioned: mentionsBot(message.message, botUsername),
-    },
-    dmPolicy: "open",
-    groupPolicy: policyKind === "open" ? "open" : "allowlist",
-    policy: {
-      activation: {
-        requireMention: account.requireMention ?? true,
-        allowTextCommands: false,
-        order: "before-sender",
-      },
-    },
-    groupAllowFrom:
-      policyKind === "allowFrom"
-        ? account.allowFrom
-        : policyKind === "role"
-          ? account.allowedRoles
-          : undefined,
-  });
-  const decision = resolved.ingress;
-
-  if (decision.decisiveGateId === "activation" && decision.admission !== "dispatch") {
-    return {
-      allowed: false,
-      reason: "message does not mention the bot (requireMention is enabled)",
-    };
-  }
-
-  if (decision.admission === "dispatch") {
-    if (policyKind === "allowFrom") {
-      return {
-        allowed: true,
-        matchKey: params.message.userId,
-        matchSource: "allowlist",
-      };
-    }
-    if (policyKind === "role") {
-      return {
-        allowed: true,
-        matchKey: params.account.allowedRoles?.join(","),
-        matchSource: "role",
-      };
-    }
-    return {
-      allowed: true,
-    };
-  }
-
-  if (policyKind === "allowFrom") {
-    if (!params.message.userId) {
-      return {
-        allowed: false,
-        reason: "sender user ID not available for allowlist check",
-      };
-    }
-    return {
-      allowed: false,
-      reason: "sender is not in allowFrom allowlist",
-    };
-  }
-
-  if (policyKind === "role") {
-    return {
-      allowed: false,
-      reason: `sender does not have any of the required roles: ${params.account.allowedRoles?.join(", ") ?? ""}`,
-    };
-  }
-
-  return {
-    allowed: false,
-    reason: reasonForTwitchIngressDecision(decision),
-  };
-}
-
-function resolveTwitchPolicyKind(account: TwitchAccountConfig): TwitchPolicyKind {
-  if (account.allowFrom !== undefined) {
-    return "allowFrom";
-  }
-  if (account.allowedRoles && account.allowedRoles.length > 0) {
-    return "role";
-  }
-  return "open";
-}
-
-function twitchRoleSubject(message: TwitchChatMessage): ChannelIngressIdentitySubjectInput {
-  return {
-    stableId: message.isMod ? "moderator" : undefined,
-    aliases: {
-      "role-owner": message.isOwner ? "owner" : undefined,
-      "role-vip": message.isVip ? "vip" : undefined,
-      "role-subscriber": message.isSub ? "subscriber" : undefined,
-    },
-  };
-}
-
-function normalizeTwitchRole(value: string): string | null {
-  const role = normalizeLowercaseStringOrEmpty(value);
-  if (role === "*") {
-    return "all";
-  }
-  return role === "moderator" ||
-    role === "owner" ||
-    role === "vip" ||
-    role === "subscriber" ||
-    role === "all"
-    ? role
-    : null;
-}
-
-function reasonForTwitchIngressDecision(decision: { reasonCode: IngressReasonCode }): string {
-  switch (decision.reasonCode) {
-    case "activation_skipped":
-      return "message does not mention the bot (requireMention is enabled)";
-    case "group_policy_empty_allowlist":
-    case "group_policy_not_allowlisted":
-      return "sender is not in allowFrom allowlist";
-    default:
-      return decision.reasonCode;
-  }
-}
-
-function mentionsBot(message: string, botUsername: string): boolean {
-  const expected = normalizeLowercaseStringOrEmpty(botUsername);
-  const mentionRegex = /@(\w+)/g;
-  let match: RegExpExecArray | null;
-
-  while ((match = mentionRegex.exec(message)) !== null) {
-    const username = match[1] ? normalizeLowercaseStringOrEmpty(match[1]) : "";
-    if (username === expected) {
-      return true;
-    }
-  }
-
-  return false;
-}

package/src/actions.test.ts

@@ -1,75 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { twitchMessageActions } from "./actions.js";
-import type { ResolvedTwitchAccountContext } from "./config.js";
-import { resolveTwitchAccountContext } from "./config.js";
-import { twitchOutbound } from "./outbound.js";
-
-vi.mock("./config.js", () => ({
-  DEFAULT_ACCOUNT_ID: "default",
-  resolveTwitchAccountContext: vi.fn(),
-}));
-
-vi.mock("./outbound.js", () => ({
-  twitchOutbound: {
-    sendText: vi.fn(),
-  },
-}));
-
-function createSecondaryAccountContext(accountId = "secondary"): ResolvedTwitchAccountContext {
-  return {
-    accountId,
-    account: {
-      channel: "secondary-channel",
-      username: "secondary",
-      accessToken: "oauth:secondary-token",
-      clientId: "secondary-client",
-      enabled: true,
-    },
-    tokenResolution: { source: "config", token: "oauth:secondary-token" },
-    configured: true,
-    availableAccountIds: ["default", "secondary"],
-  };
-}
-
-describe("twitchMessageActions", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("uses configured defaultAccount when action accountId is omitted", async () => {
-    vi.mocked(resolveTwitchAccountContext)
-      .mockImplementationOnce(() => createSecondaryAccountContext())
-      .mockImplementation((_cfg, accountId) =>
-        createSecondaryAccountContext(accountId?.trim() || "secondary"),
-      );
-    const sendText = twitchOutbound.sendText;
-    if (!sendText) {
-      throw new Error("twitchOutbound.sendText is unavailable");
-    }
-    vi.mocked(sendText).mockResolvedValue({
-      channel: "twitch",
-      messageId: "msg-1",
-      timestamp: 1,
-    });
-    const cfg = {
-      channels: {
-        twitch: {
-          defaultAccount: "secondary",
-        },
-      },
-    };
-
-    await twitchMessageActions.handleAction!({
-      action: "send",
-      params: { message: "Hello!" },
-      cfg,
-    } as never);
-
-    expect(twitchOutbound.sendText).toHaveBeenCalledWith({
-      cfg,
-      to: "secondary-channel",
-      text: "Hello!",
-      accountId: "secondary",
-    });
-  });
-});