@nordbyte/nordrelay 0.6.0 → 0.8.0

package/dist/telegram-preference-commands.js

@@ -1,8 +1,5 @@
-import { formatQuietHours, isQuietNow, parseMirrorMode, parseNotifyMode, parseQuietHours, parseVoiceBackendPreference, } from "./bot-preferences.js";
-import { capabilitiesOf, idOf, labelOf, parseToggle, } from "./bot-rendering.js";
-import { friendlyErrorText } from "./error-messages.js";
+import { capabilitiesOf, labelOf, } from "./bot-rendering.js";
 import { escapeHTML } from "./format.js";
-import { getAvailableBackends } from "./voice.js";
 import { evaluateWorkspacePolicy, filterAllowedWorkspaces, renderWorkspacePolicyLine, } from "./workspace-policy.js";
 import { safeReply } from "./telegram-output.js";
 export function registerTelegramPreferenceCommands(options) {
@@ -18,28 +15,15 @@ export function registerTelegramPreferenceCommands(options) {
             return;
         }
         const argument = (ctx.message?.text ?? "").replace(/^\/mirror(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const mode = parseMirrorMode(argument, options.getEffectiveMirrorMode(contextKey));
-            if (!["off", "status", "final", "full"].includes(argument.toLowerCase())) {
-                await safeReply(ctx, escapeHTML("Usage: /mirror [off|status|final|full]"), {
-                    fallbackText: "Usage: /mirror [off|status|final|full]",
-                });
-                return;
-            }
-            options.preferencesStore.update(contextKey, { mirrorMode: mode });
-        }
-        const mode = options.getEffectiveMirrorMode(contextKey);
-        const plain = [
-            `CLI mirroring: ${mode}`,
-            `Minimum update interval: ${options.config.telegramMirrorMinUpdateMs} ms`,
-            "Modes: off, status, final, full",
-        ].join("\n");
-        const html = [
-            `<b>CLI mirroring:</b> <code>${escapeHTML(mode)}</code>`,
-            `<b>Minimum update interval:</b> <code>${options.config.telegramMirrorMinUpdateMs} ms</code>`,
-            "<b>Modes:</b> <code>off</code>, <code>status</code>, <code>final</code>, <code>full</code>",
-        ].join("\n");
-        await safeReply(ctx, html, { fallbackText: plain });
+        const response = options.commandService.renderMirrorPreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
+            cliMirrorSupported: capabilitiesOf(session.getInfo()).cliMirror,
+            agentLabel: labelOf(session.getInfo()),
+        });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
     options.bot.command("notify", async (ctx) => {
         const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
@@ -48,45 +32,13 @@ export function registerTelegramPreferenceCommands(options) {
         }
         const { contextKey } = contextSession;
         const argument = (ctx.message?.text ?? "").replace(/^\/notify(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const quietMatch = argument.match(/^quiet\s+(.+)$/i);
-            if (quietMatch) {
-                let quietHours;
-                try {
-                    quietHours = quietMatch[1].toLowerCase() === "off" ? null : parseQuietHours(quietMatch[1]);
-                }
-                catch (error) {
-                    await safeReply(ctx, escapeHTML(`Invalid quiet hours: ${friendlyErrorText(error)}`), {
-                        fallbackText: `Invalid quiet hours: ${friendlyErrorText(error)}`,
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { quietHours });
-            }
-            else {
-                const mode = parseNotifyMode(argument, options.getEffectiveNotifyMode(contextKey));
-                if (!["off", "minimal", "all"].includes(argument.toLowerCase())) {
-                    await safeReply(ctx, escapeHTML("Usage: /notify [off|minimal|all] or /notify quiet HH-HH"), {
-                        fallbackText: "Usage: /notify [off|minimal|all] or /notify quiet HH-HH",
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { notifyMode: mode });
-            }
-        }
-        const mode = options.getEffectiveNotifyMode(contextKey);
-        const quietHours = options.getEffectiveQuietHours(contextKey);
-        const plain = [
-            `Notifications: ${mode}`,
-            `Quiet hours: ${formatQuietHours(quietHours)}`,
-            `Currently quiet: ${isQuietNow(quietHours) ? "yes" : "no"}`,
-        ].join("\n");
-        const html = [
-            `<b>Notifications:</b> <code>${escapeHTML(mode)}</code>`,
-            `<b>Quiet hours:</b> <code>${escapeHTML(formatQuietHours(quietHours))}</code>`,
-            `<b>Currently quiet:</b> <code>${isQuietNow(quietHours) ? "yes" : "no"}</code>`,
-        ].join("\n");
-        await safeReply(ctx, html, { fallbackText: plain });
+        const response = options.commandService.renderNotifyPreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
+        });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
     options.bot.command("workspaces", async (ctx) => {
         const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
@@ -131,68 +83,12 @@ export function registerTelegramPreferenceCommands(options) {
         }
         const { contextKey } = contextSession;
         const argument = (ctx.message?.text ?? "").replace(/^\/voice(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const parts = argument.split(/\s+/);
-            const key = parts[0]?.toLowerCase();
-            const value = parts.slice(1).join(" ").trim();
-            if (key === "backend" && value) {
-                options.preferencesStore.update(contextKey, { voiceBackend: parseVoiceBackendPreference(value) });
-            }
-            else if (key === "language") {
-                options.preferencesStore.update(contextKey, { voiceLanguage: value && value.toLowerCase() !== "auto" ? value : null });
-            }
-            else if (key === "transcribe_only" || key === "transcribe-only") {
-                const enabled = parseToggle(value);
-                if (enabled === undefined) {
-                    await safeReply(ctx, escapeHTML("Usage: /voice transcribe_only on|off"), {
-                        fallbackText: "Usage: /voice transcribe_only on|off",
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { voiceTranscribeOnly: enabled });
-            }
-            else {
-                await safeReply(ctx, escapeHTML("Usage: /voice, /voice backend auto|parakeet|faster-whisper|openai, /voice language auto|<code>, /voice transcribe_only on|off"), {
-                    fallbackText: "Usage: /voice, /voice backend auto|parakeet|faster-whisper|openai, /voice language auto|<code>, /voice transcribe_only on|off",
-                });
-                return;
-            }
-        }
-        const backends = await getAvailableBackends().catch(() => []);
-        if (backends.length === 0) {
-            await safeReply(ctx, [
-                "<b>Voice transcription is not available.</b>",
-                "",
-                "Install <code>faster-whisper</code> + ffmpeg, install <code>parakeet-coreml</code> on macOS Apple Silicon, or set <code>OPENAI_API_KEY</code>.",
-                "<i>Cloud transcription uses OPENAI_API_KEY, not CODEX_API_KEY.</i>",
-            ].join("\n"), {
-                fallbackText: [
-                    "Voice transcription is not available.",
-                    "",
-                    "Install faster-whisper + ffmpeg, install parakeet-coreml on macOS Apple Silicon, or set OPENAI_API_KEY.",
-                    "Cloud transcription uses OPENAI_API_KEY, not CODEX_API_KEY.",
-                ].join("\n"),
-            });
-            return;
-        }
-        const joined = backends.join(" + ");
-        const backendPreference = options.getEffectiveVoiceBackend(contextKey);
-        const language = options.getEffectiveVoiceLanguage(contextKey);
-        const transcribeOnly = options.isVoiceTranscribeOnly(contextKey);
-        const plain = [
-            `Voice backends: ${joined}`,
-            `Preferred backend: ${backendPreference}`,
-            `Language: ${language ?? "auto"}`,
-            `Transcribe only: ${transcribeOnly ? "on" : "off"}`,
-        ].join("\n");
-        const html = [
-            `<b>Voice backends:</b> <code>${escapeHTML(joined)}</code>`,
-            `<b>Preferred backend:</b> <code>${escapeHTML(backendPreference)}</code>`,
-            `<b>Language:</b> <code>${escapeHTML(language ?? "auto")}</code>`,
-            `<b>Transcribe only:</b> <code>${transcribeOnly ? "on" : "off"}</code>`,
-        ].join("\n");
-        await safeReply(ctx, html, {
-            fallbackText: plain,
+        const response = await options.commandService.renderVoicePreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
         });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
 }

package/dist/user-management-crypto.js

@@ -0,0 +1,38 @@
+import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
+const PASSWORD_KEYLEN = 64;
+export function sleepSync(ms) {
+    const end = Date.now() + ms;
+    while (Date.now() < end) {
+        // The lock is only held around tiny JSON mutations; a short spin keeps the implementation dependency-free.
+    }
+}
+export function hashPassword(password) {
+    if (password.length < 8) {
+        throw new Error("Password must be at least 8 characters.");
+    }
+    const salt = randomBytes(16).toString("hex");
+    const hash = scryptSync(password, salt, PASSWORD_KEYLEN).toString("hex");
+    return { salt, hash };
+}
+export function verifyPasswordHash(password, salt, expectedHash) {
+    const actual = scryptSync(password, salt, PASSWORD_KEYLEN);
+    const expected = Buffer.from(expectedHash, "hex");
+    return actual.length === expected.length && timingSafeEqual(actual, expected);
+}
+export function hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+export function constantTimeStringEqual(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+export function randomId() {
+    return randomUUID().replace(/-/g, "").slice(0, 12);
+}
+export function randomLinkCode() {
+    return `NR-${randomBytes(4).toString("hex").toUpperCase()}`;
+}
+export function randomSessionToken() {
+    return randomBytes(32).toString("hex");
+}

package/dist/user-management-normalize.js

@@ -0,0 +1,188 @@
+import path from "node:path";
+import { ADMIN_GROUP_ID, BUILTIN_GROUPS, READONLY_GROUP_ID, isPermission, } from "./access-control.js";
+export function normalizePayload(payload) {
+    const now = new Date().toISOString();
+    const groupsById = new Map();
+    for (const group of BUILTIN_GROUPS) {
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? allPermissionsSafe() : group.permissions,
+            agentIds: [],
+            workspaceRoots: [],
+            telegramChatIds: [],
+            discordChannelIds: [],
+            slackChannelIds: [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+    for (const group of payload?.groups ?? []) {
+        if (!isGroupRecord(group))
+            continue;
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? allPermissionsSafe() : normalizePermissions(group.permissions),
+            system: BUILTIN_GROUPS.some((builtin) => builtin.id === group.id) || group.system,
+            agentIds: normalizeStringList(group.agentIds),
+            workspaceRoots: normalizeStringList(group.workspaceRoots),
+            telegramChatIds: normalizeNumberList(group.telegramChatIds),
+            discordChannelIds: normalizeStringList(group.discordChannelIds),
+            slackChannelIds: normalizeStringList(group.slackChannelIds),
+        });
+    }
+    const groups = Array.from(groupsById.values());
+    const groupIds = new Set(groups.map((group) => group.id));
+    const users = (payload?.users ?? []).filter(isUserRecord);
+    const userIds = new Set(users.map((user) => user.id));
+    return {
+        version: 1,
+        users,
+        groups,
+        userGroups: (payload?.userGroups ?? []).filter((item) => isUserGroupRecord(item) && userIds.has(item.userId) && groupIds.has(item.groupId)),
+        telegramIdentities: (payload?.telegramIdentities ?? []).filter((item) => isTelegramIdentityRecord(item) && userIds.has(item.userId)),
+        telegramChats: (payload?.telegramChats ?? []).filter(isTelegramChatAccessRecord).map((chat) => ({
+            ...chat,
+            allowedGroupIds: chat.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        discordIdentities: (payload?.discordIdentities ?? []).filter((item) => isDiscordIdentityRecord(item) && userIds.has(item.userId)),
+        discordChannels: (payload?.discordChannels ?? []).filter(isDiscordChannelAccessRecord).map((channel) => ({
+            ...channel,
+            allowedGroupIds: channel.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        slackIdentities: (payload?.slackIdentities ?? []).filter((item) => isSlackIdentityRecord(item) && userIds.has(item.userId)),
+        slackChannels: (payload?.slackChannels ?? []).filter(isSlackChannelAccessRecord).map((channel) => ({
+            ...channel,
+            allowedGroupIds: channel.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        webSessions: (payload?.webSessions ?? []).filter((item) => isWebSessionRecord(item) && userIds.has(item.userId)),
+        telegramLinkCodes: (payload?.telegramLinkCodes ?? []).filter((item) => isTelegramLinkCodeRecord(item) && userIds.has(item.userId)),
+        discordLinkCodes: (payload?.discordLinkCodes ?? []).filter((item) => isDiscordLinkCodeRecord(item) && userIds.has(item.userId)),
+        slackLinkCodes: (payload?.slackLinkCodes ?? []).filter((item) => isSlackLinkCodeRecord(item) && userIds.has(item.userId)),
+    };
+}
+export function normalizeEmail(email) {
+    return email.trim().toLowerCase();
+}
+export function normalizeGroupIds(payload, values, emptyFallback = READONLY_GROUP_ID) {
+    const available = new Set(payload.groups.map((group) => group.id));
+    const groupIds = Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
+    for (const groupId of groupIds) {
+        if (!available.has(groupId)) {
+            throw new Error(`Unknown group: ${groupId}`);
+        }
+    }
+    return groupIds.length > 0 ? groupIds : (emptyFallback ? [emptyFallback] : []);
+}
+export function normalizePermissions(values, strict = false) {
+    const permissions = [];
+    for (const value of values ?? []) {
+        if (isPermission(value)) {
+            if (!permissions.includes(value)) {
+                permissions.push(value);
+            }
+            continue;
+        }
+        if (strict && value.trim()) {
+            throw new Error(`Unknown permission: ${value}`);
+        }
+    }
+    return permissions;
+}
+export function normalizeStringList(values) {
+    return Array.from(new Set((values ?? []).map((value) => value.trim()).filter(Boolean)));
+}
+export function normalizeNumberList(values) {
+    return Array.from(new Set((values ?? []).filter((value) => Number.isInteger(value))));
+}
+export function normalizeDiscordId(value) {
+    const normalized = String(value ?? "").trim();
+    return normalized || undefined;
+}
+export function normalizeSlackId(value) {
+    const normalized = String(value ?? "").trim();
+    return normalized || undefined;
+}
+export function assertActiveAdminExists(payload) {
+    const hasAdmin = payload.users.some((user) => user.active && payload.userGroups.some((item) => item.userId === user.id && item.groupId === ADMIN_GROUP_ID));
+    if (!hasAdmin) {
+        throw new Error("Cannot remove or disable the last active admin user.");
+    }
+}
+export function normalizeWorkspacePath(value) {
+    return path.resolve(value);
+}
+export function isPathInside(candidate, root) {
+    const relative = path.relative(root, candidate);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+export function slugify(value) {
+    return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+export function allPermissionsSafe() {
+    return [...BUILTIN_GROUPS.find((group) => group.id === ADMIN_GROUP_ID).permissions];
+}
+function isUserRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.email === "string" &&
+        typeof candidate.displayName === "string" && typeof candidate.passwordHash === "string" &&
+        typeof candidate.passwordSalt === "string" && typeof candidate.active === "boolean";
+}
+function isGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.name === "string" &&
+        Array.isArray(candidate.permissions);
+}
+function isUserGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.userId === "string" && typeof candidate.groupId === "string";
+}
+function isTelegramIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        Number.isInteger(candidate.telegramUserId) && typeof candidate.active === "boolean";
+}
+function isTelegramChatAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && Number.isInteger(candidate.chatId) &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isDiscordIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.discordUserId === "string" && typeof candidate.active === "boolean";
+}
+function isDiscordChannelAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.channelId === "string" &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isSlackIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.slackUserId === "string" && typeof candidate.active === "boolean";
+}
+function isSlackChannelAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.channelId === "string" &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isWebSessionRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.tokenHash === "string" && typeof candidate.expiresAt === "string";
+}
+function isTelegramLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}
+function isDiscordLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}
+function isSlackLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}

package/dist/user-management-types.js

@@ -0,0 +1 @@
+export {};