@nordbyte/nordrelay 0.7.0 → 0.8.0

package/dist/user-management.js

@@ -1,12 +1,12 @@
-import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
 import { closeSync, mkdirSync, openSync, rmSync, statSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { ADMIN_GROUP_ID, BUILTIN_GROUPS, READONLY_GROUP_ID, USER_GROUP_ID, isPermission, } from "./access-control.js";
+import { ADMIN_GROUP_ID, USER_GROUP_ID, } from "./access-control.js";
 import { readJsonFileWithBackup, writeJsonFileAtomic } from "./persistence.js";
+import { allPermissionsSafe as ALL_PERMISSIONS_SAFE, assertActiveAdminExists, isPathInside, normalizeDiscordId, normalizeEmail, normalizeGroupIds, normalizeNumberList, normalizePayload, normalizePermissions, normalizeSlackId, normalizeStringList, normalizeWorkspacePath, slugify, } from "./user-management-normalize.js";
+import { constantTimeStringEqual, hashPassword, hashToken, randomId, randomLinkCode, randomSessionToken, sleepSync, verifyPasswordHash, } from "./user-management-crypto.js";
 const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000;
 const LINK_CODE_TTL_MS = 15 * 60 * 1000;
-const PASSWORD_KEYLEN = 64;
 const WRITE_LOCK_TIMEOUT_MS = 5_000;
 const STALE_LOCK_MS = 30_000;
 export class UserStore {
@@ -26,6 +26,7 @@ export class UserStore {
                 groups: this.groupsForUser(payload, user.id),
                 telegramIdentities: payload.telegramIdentities.filter((identity) => identity.userId === user.id),
                 discordIdentities: payload.discordIdentities.filter((identity) => identity.userId === user.id),
+                slackIdentities: payload.slackIdentities.filter((identity) => identity.userId === user.id),
                 webSessions: payload.webSessions
                     .filter((session) => session.userId === user.id)
                     .map(publicWebSession),
@@ -33,6 +34,7 @@ export class UserStore {
             groups: payload.groups,
             telegramChats: payload.telegramChats,
             discordChannels: payload.discordChannels,
+            slackChannels: payload.slackChannels,
             adminConfigured: payload.users.some((user) => user.active && this.groupIdsForUser(payload, user.id).includes(ADMIN_GROUP_ID)),
         };
     }
@@ -90,6 +92,12 @@ export class UserStore {
                     discordUserId: input.discordUserId,
                 });
             }
+            if (input.slackUserId !== undefined) {
+                this.upsertSlackIdentityInPayload(payload, user.id, {
+                    slackUserId: input.slackUserId,
+                    teamId: input.slackTeamId,
+                });
+            }
             return this.authenticatedUser(payload, user);
         });
     }
@@ -166,7 +174,7 @@ export class UserStore {
             if (!user) {
                 throw new Error("Active user not found.");
             }
-            const token = randomBytes(32).toString("hex");
+            const token = randomSessionToken();
             const now = new Date();
             const session = {
                 id: randomId(),
@@ -249,6 +257,22 @@ export class UserStore {
         const user = payload.users.find((candidate) => candidate.id === identity.userId && candidate.active);
         return user ? this.authenticatedUser(payload, user) : null;
     }
+    resolveSlackUser(input) {
+        const slackUserId = normalizeSlackId(input.slackUserId);
+        if (!slackUserId) {
+            return null;
+        }
+        const teamId = normalizeSlackId(input.teamId);
+        const payload = this.readPayload();
+        const identity = payload.slackIdentities.find((candidate) => candidate.slackUserId === slackUserId &&
+            candidate.active &&
+            (!teamId || !candidate.teamId || candidate.teamId === teamId));
+        if (!identity) {
+            return null;
+        }
+        const user = payload.users.find((candidate) => candidate.id === identity.userId && candidate.active);
+        return user ? this.authenticatedUser(payload, user) : null;
+    }
     linkTelegramUser(userId, input) {
         return this.mutatePayload((payload) => {
             const user = payload.users.find((candidate) => candidate.id === userId);
@@ -281,6 +305,22 @@ export class UserStore {
             return payload.discordIdentities.length !== before;
         });
     }
+    linkSlackUser(userId, input) {
+        return this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.id === userId);
+            if (!user) {
+                throw new Error("User not found.");
+            }
+            return this.upsertSlackIdentityInPayload(payload, userId, input);
+        });
+    }
+    unlinkSlackIdentity(identityId) {
+        return this.mutatePayload((payload) => {
+            const before = payload.slackIdentities.length;
+            payload.slackIdentities = payload.slackIdentities.filter((identity) => identity.id !== identityId);
+            return payload.slackIdentities.length !== before;
+        });
+    }
     createTelegramLinkCode(userId) {
         return this.mutatePayload((payload) => {
             if (!payload.users.some((user) => user.id === userId && user.active)) {
@@ -315,6 +355,23 @@ export class UserStore {
             return code;
         });
     }
+    createSlackLinkCode(userId) {
+        return this.mutatePayload((payload) => {
+            if (!payload.users.some((user) => user.id === userId && user.active)) {
+                throw new Error("Active user not found.");
+            }
+            const now = Date.now();
+            payload.slackLinkCodes = payload.slackLinkCodes.filter((code) => new Date(code.expiresAt).getTime() > now);
+            const code = {
+                code: randomLinkCode(),
+                userId,
+                createdAt: new Date(now).toISOString(),
+                expiresAt: new Date(now + LINK_CODE_TTL_MS).toISOString(),
+            };
+            payload.slackLinkCodes.push(code);
+            return code;
+        });
+    }
     consumeTelegramLinkCode(code, input) {
         return this.mutatePayload((payload) => {
             const normalized = code.trim().toUpperCase();
@@ -349,6 +406,23 @@ export class UserStore {
             return this.authenticatedUser(payload, user);
         });
     }
+    consumeSlackLinkCode(code, input) {
+        return this.mutatePayload((payload) => {
+            const normalized = code.trim().toUpperCase();
+            const now = Date.now();
+            const link = payload.slackLinkCodes.find((candidate) => candidate.code === normalized && new Date(candidate.expiresAt).getTime() > now);
+            if (!link) {
+                throw new Error("Invalid or expired link code.");
+            }
+            const user = payload.users.find((candidate) => candidate.id === link.userId && candidate.active);
+            if (!user) {
+                throw new Error("Linked user is not active.");
+            }
+            this.upsertSlackIdentityInPayload(payload, user.id, input);
+            payload.slackLinkCodes = payload.slackLinkCodes.filter((candidate) => candidate.code !== normalized);
+            return this.authenticatedUser(payload, user);
+        });
+    }
     registerTelegramChat(input) {
         return this.mutatePayload((payload) => {
             const now = new Date().toISOString();
@@ -441,6 +515,55 @@ export class UserStore {
             return channel;
         });
     }
+    registerSlackChannel(input) {
+        return this.mutatePayload((payload) => {
+            const now = new Date().toISOString();
+            const channelId = normalizeSlackId(input.channelId);
+            if (!channelId) {
+                throw new Error("Slack channel id is required.");
+            }
+            const teamId = normalizeSlackId(input.teamId);
+            const existing = payload.slackChannels.find((channel) => channel.channelId === channelId && channel.teamId === teamId);
+            const allowedGroupIds = normalizeGroupIds(payload, input.allowedGroupIds ?? [], null);
+            if (existing) {
+                existing.title = input.title ?? existing.title;
+                existing.type = input.type ?? existing.type;
+                existing.enabled = input.enabled ?? existing.enabled;
+                existing.allowedGroupIds = allowedGroupIds;
+                existing.updatedAt = now;
+                return existing;
+            }
+            const channel = {
+                id: randomId(),
+                teamId,
+                channelId,
+                title: input.title,
+                type: input.type,
+                enabled: input.enabled ?? true,
+                allowedGroupIds,
+                createdAt: now,
+                updatedAt: now,
+            };
+            payload.slackChannels.push(channel);
+            return channel;
+        });
+    }
+    updateSlackChannel(id, patch) {
+        return this.mutatePayload((payload) => {
+            const channel = payload.slackChannels.find((candidate) => candidate.id === id);
+            if (!channel) {
+                throw new Error("Slack channel not found.");
+            }
+            if (patch.enabled !== undefined)
+                channel.enabled = patch.enabled;
+            if (patch.title !== undefined)
+                channel.title = patch.title;
+            if (patch.allowedGroupIds !== undefined)
+                channel.allowedGroupIds = normalizeGroupIds(payload, patch.allowedGroupIds, null);
+            channel.updatedAt = new Date().toISOString();
+            return channel;
+        });
+    }
     isTelegramChatAllowed(chatId, chatType, user) {
         if (chatId === undefined) {
             return false;
@@ -479,6 +602,26 @@ export class UserStore {
         const userGroupIds = new Set(user.groups.map((group) => group.id));
         return access.allowedGroupIds.some((groupId) => userGroupIds.has(groupId)) && this.canUseDiscordChannel(user, channelId);
     }
+    isSlackChannelAllowed(input, user) {
+        const channelId = normalizeSlackId(input.channelId);
+        if (!channelId) {
+            return false;
+        }
+        if (input.isDirectMessage) {
+            return this.canUseSlackChannel(user, channelId);
+        }
+        const teamId = normalizeSlackId(input.teamId);
+        const payload = this.readPayload();
+        const access = payload.slackChannels.find((channel) => channel.channelId === channelId && channel.teamId === teamId);
+        if (!access?.enabled) {
+            return false;
+        }
+        if (access.allowedGroupIds.length === 0) {
+            return this.canUseSlackChannel(user, channelId);
+        }
+        const userGroupIds = new Set(user.groups.map((group) => group.id));
+        return access.allowedGroupIds.some((groupId) => userGroupIds.has(groupId)) && this.canUseSlackChannel(user, channelId);
+    }
     hasPermission(user, permission) {
         return Boolean(permission && user?.permissions.includes(permission));
     }
@@ -509,6 +652,13 @@ export class UserStore {
         }
         return user.groups.some((group) => group.discordChannelIds.length === 0 || group.discordChannelIds.includes(normalized));
     }
+    canUseSlackChannel(user, channelId) {
+        const normalized = normalizeSlackId(channelId);
+        if (!user || !normalized) {
+            return true;
+        }
+        return user.groups.some((group) => group.slackChannelIds.length === 0 || group.slackChannelIds.includes(normalized));
+    }
     createGroup(input) {
         return this.mutatePayload((payload) => {
             const now = new Date().toISOString();
@@ -529,6 +679,7 @@ export class UserStore {
                 workspaceRoots: normalizeStringList(input.workspaceRoots ?? []),
                 telegramChatIds: normalizeNumberList(input.telegramChatIds ?? []),
                 discordChannelIds: normalizeStringList(input.discordChannelIds ?? []),
+                slackChannelIds: normalizeStringList(input.slackChannelIds ?? []),
                 createdAt: now,
                 updatedAt: now,
             };
@@ -560,6 +711,8 @@ export class UserStore {
                 group.telegramChatIds = normalizeNumberList(patch.telegramChatIds);
             if (patch.discordChannelIds !== undefined)
                 group.discordChannelIds = normalizeStringList(patch.discordChannelIds);
+            if (patch.slackChannelIds !== undefined)
+                group.slackChannelIds = normalizeStringList(patch.slackChannelIds);
             group.updatedAt = new Date().toISOString();
             return group;
         });
@@ -641,6 +794,42 @@ export class UserStore {
         payload.discordIdentities.push(identity);
         return identity;
     }
+    upsertSlackIdentityInPayload(payload, userId, input) {
+        const slackUserId = normalizeSlackId(input.slackUserId);
+        if (!slackUserId) {
+            throw new Error("Slack user id is required.");
+        }
+        const teamId = normalizeSlackId(input.teamId);
+        const now = new Date().toISOString();
+        for (const identity of payload.slackIdentities) {
+            if (identity.slackUserId === slackUserId && (identity.teamId ?? "") === (teamId ?? "") && identity.userId !== userId) {
+                identity.active = false;
+            }
+        }
+        const existing = payload.slackIdentities.find((identity) => identity.userId === userId &&
+            identity.slackUserId === slackUserId &&
+            (identity.teamId ?? "") === (teamId ?? ""));
+        if (existing) {
+            existing.username = input.username ?? existing.username;
+            existing.realName = input.realName ?? existing.realName;
+            existing.active = true;
+            existing.updatedAt = now;
+            return existing;
+        }
+        const identity = {
+            id: randomId(),
+            userId,
+            slackUserId,
+            teamId,
+            username: input.username,
+            realName: input.realName,
+            active: true,
+            linkedAt: now,
+            updatedAt: now,
+        };
+        payload.slackIdentities.push(identity);
+        return identity;
+    }
     pruneExpiredSessionsInPayload(payload) {
         const now = Date.now();
         payload.webSessions = payload.webSessions.filter((session) => new Date(session.expiresAt).getTime() > now);
@@ -722,195 +911,3 @@ export function publicUserSnapshot(snapshot) {
         }),
     };
 }
-function normalizePayload(payload) {
-    const now = new Date().toISOString();
-    const groupsById = new Map();
-    for (const group of BUILTIN_GROUPS) {
-        groupsById.set(group.id, {
-            ...group,
-            permissions: group.id === ADMIN_GROUP_ID ? ALL_PERMISSIONS_SAFE() : group.permissions,
-            agentIds: [],
-            workspaceRoots: [],
-            telegramChatIds: [],
-            discordChannelIds: [],
-            createdAt: now,
-            updatedAt: now,
-        });
-    }
-    for (const group of payload?.groups ?? []) {
-        if (!isGroupRecord(group))
-            continue;
-        groupsById.set(group.id, {
-            ...group,
-            permissions: group.id === ADMIN_GROUP_ID ? ALL_PERMISSIONS_SAFE() : normalizePermissions(group.permissions),
-            system: BUILTIN_GROUPS.some((builtin) => builtin.id === group.id) || group.system,
-            agentIds: normalizeStringList(group.agentIds),
-            workspaceRoots: normalizeStringList(group.workspaceRoots),
-            telegramChatIds: normalizeNumberList(group.telegramChatIds),
-            discordChannelIds: normalizeStringList(group.discordChannelIds),
-        });
-    }
-    const groups = Array.from(groupsById.values());
-    const groupIds = new Set(groups.map((group) => group.id));
-    const users = (payload?.users ?? []).filter(isUserRecord);
-    const userIds = new Set(users.map((user) => user.id));
-    return {
-        version: 1,
-        users,
-        groups,
-        userGroups: (payload?.userGroups ?? []).filter((item) => isUserGroupRecord(item) && userIds.has(item.userId) && groupIds.has(item.groupId)),
-        telegramIdentities: (payload?.telegramIdentities ?? []).filter((item) => isTelegramIdentityRecord(item) && userIds.has(item.userId)),
-        telegramChats: (payload?.telegramChats ?? []).filter(isTelegramChatAccessRecord).map((chat) => ({
-            ...chat,
-            allowedGroupIds: chat.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
-        })),
-        discordIdentities: (payload?.discordIdentities ?? []).filter((item) => isDiscordIdentityRecord(item) && userIds.has(item.userId)),
-        discordChannels: (payload?.discordChannels ?? []).filter(isDiscordChannelAccessRecord).map((channel) => ({
-            ...channel,
-            allowedGroupIds: channel.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
-        })),
-        webSessions: (payload?.webSessions ?? []).filter((item) => isWebSessionRecord(item) && userIds.has(item.userId)),
-        telegramLinkCodes: (payload?.telegramLinkCodes ?? []).filter((item) => isTelegramLinkCodeRecord(item) && userIds.has(item.userId)),
-        discordLinkCodes: (payload?.discordLinkCodes ?? []).filter((item) => isDiscordLinkCodeRecord(item) && userIds.has(item.userId)),
-    };
-}
-function normalizeEmail(email) {
-    return email.trim().toLowerCase();
-}
-function normalizeGroupIds(payload, values, emptyFallback = READONLY_GROUP_ID) {
-    const available = new Set(payload.groups.map((group) => group.id));
-    const groupIds = Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
-    for (const groupId of groupIds) {
-        if (!available.has(groupId)) {
-            throw new Error(`Unknown group: ${groupId}`);
-        }
-    }
-    return groupIds.length > 0 ? groupIds : (emptyFallback ? [emptyFallback] : []);
-}
-function normalizePermissions(values, strict = false) {
-    const permissions = [];
-    for (const value of values ?? []) {
-        if (isPermission(value)) {
-            if (!permissions.includes(value)) {
-                permissions.push(value);
-            }
-            continue;
-        }
-        if (strict && value.trim()) {
-            throw new Error(`Unknown permission: ${value}`);
-        }
-    }
-    return permissions;
-}
-function normalizeStringList(values) {
-    return Array.from(new Set((values ?? []).map((value) => value.trim()).filter(Boolean)));
-}
-function normalizeNumberList(values) {
-    return Array.from(new Set((values ?? []).filter((value) => Number.isInteger(value))));
-}
-function normalizeDiscordId(value) {
-    const normalized = String(value ?? "").trim();
-    return normalized || undefined;
-}
-function assertActiveAdminExists(payload) {
-    const hasAdmin = payload.users.some((user) => user.active && payload.userGroups.some((item) => item.userId === user.id && item.groupId === ADMIN_GROUP_ID));
-    if (!hasAdmin) {
-        throw new Error("Cannot remove or disable the last active admin user.");
-    }
-}
-function normalizeWorkspacePath(value) {
-    return path.resolve(value);
-}
-function isPathInside(candidate, root) {
-    const relative = path.relative(root, candidate);
-    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
-}
-function sleepSync(ms) {
-    const end = Date.now() + ms;
-    while (Date.now() < end) {
-        // The lock is only held around tiny JSON mutations; a short spin keeps the implementation dependency-free.
-    }
-}
-function hashPassword(password) {
-    if (password.length < 8) {
-        throw new Error("Password must be at least 8 characters.");
-    }
-    const salt = randomBytes(16).toString("hex");
-    const hash = scryptSync(password, salt, PASSWORD_KEYLEN).toString("hex");
-    return { salt, hash };
-}
-function verifyPasswordHash(password, salt, expectedHash) {
-    const actual = scryptSync(password, salt, PASSWORD_KEYLEN);
-    const expected = Buffer.from(expectedHash, "hex");
-    return actual.length === expected.length && timingSafeEqual(actual, expected);
-}
-function hashToken(token) {
-    return createHash("sha256").update(token).digest("hex");
-}
-function constantTimeStringEqual(left, right) {
-    const leftBuffer = Buffer.from(left);
-    const rightBuffer = Buffer.from(right);
-    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
-}
-function randomId() {
-    return randomUUID().replace(/-/g, "").slice(0, 12);
-}
-function randomLinkCode() {
-    return `NR-${randomBytes(4).toString("hex").toUpperCase()}`;
-}
-function slugify(value) {
-    return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
-}
-function ALL_PERMISSIONS_SAFE() {
-    return [...BUILTIN_GROUPS.find((group) => group.id === ADMIN_GROUP_ID).permissions];
-}
-function isUserRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.email === "string" &&
-        typeof candidate.displayName === "string" && typeof candidate.passwordHash === "string" &&
-        typeof candidate.passwordSalt === "string" && typeof candidate.active === "boolean";
-}
-function isGroupRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.name === "string" &&
-        Array.isArray(candidate.permissions);
-}
-function isUserGroupRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.userId === "string" && typeof candidate.groupId === "string";
-}
-function isTelegramIdentityRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
-        Number.isInteger(candidate.telegramUserId) && typeof candidate.active === "boolean";
-}
-function isTelegramChatAccessRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && Number.isInteger(candidate.chatId) &&
-        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
-}
-function isDiscordIdentityRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
-        typeof candidate.discordUserId === "string" && typeof candidate.active === "boolean";
-}
-function isDiscordChannelAccessRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.channelId === "string" &&
-        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
-}
-function isWebSessionRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
-        typeof candidate.tokenHash === "string" && typeof candidate.expiresAt === "string";
-}
-function isTelegramLinkCodeRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
-        typeof candidate.expiresAt === "string";
-}
-function isDiscordLinkCodeRecord(value) {
-    const candidate = value;
-    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
-        typeof candidate.expiresAt === "string";
-}

package/dist/web-api-contract.js

@@ -20,10 +20,13 @@ export const WEB_API_ROUTE_DEFINITIONS = [
     dynamic("/api/agent-update/:id/input", "^/api/agent-update/[^/]+/input$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/input`),
     dynamic("/api/agent-update/:id/cancel", "^/api/agent-update/[^/]+/cancel$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/cancel`),
     exact("/api/adapters/health", ["GET"], "inspect"),
+    exact("/api/adapters/conformance", ["GET"], "inspect"),
     exact("/api/peers", ["GET", "POST"], readWrite("peers.read", "peers.write")),
     exact("/api/peers/invite", ["POST"], "peers.write"),
     exact("/api/peers/pair", ["POST"], "peers.write"),
+    exact("/api/peers/probe", ["POST"], "peers.connect"),
     exact("/api/peers/global-sessions", ["GET"], "sessions.read"),
+    dynamic("/api/peers/invitations/:id", "^/api/peers/invitations/[^/]+$", ["DELETE"], "peers.write", `/api/peers/invitations/${stringToken}`),
     dynamic("/api/peers/:id/health", "^/api/peers/[^/]+/health$", ["GET"], "peers.connect", `/api/peers/${stringToken}/health`),
     dynamic("/api/peers/:id", "^/api/peers/[^/]+$", ["PATCH", "DELETE"], "peers.write", `/api/peers/${stringToken}`),
     dynamic("/api/peers/:id/proxy", "^/api/peers/[^/]+/proxy$", ["POST"], "peers.connect", `/api/peers/${stringToken}/proxy`),
@@ -38,18 +41,23 @@ export const WEB_API_ROUTE_DEFINITIONS = [
     dynamic("/api/users/:id/telegram/:identityId", "^/api/users/[^/]+/telegram/[^/]+$", ["DELETE"], "users.write", `/api/users/${stringToken}/telegram/${stringToken}`),
     dynamic("/api/users/:id/discord", "^/api/users/[^/]+/discord$", ["POST"], "users.write", `/api/users/${stringToken}/discord`),
     dynamic("/api/users/:id/discord/:identityId", "^/api/users/[^/]+/discord/[^/]+$", ["DELETE"], "users.write", `/api/users/${stringToken}/discord/${stringToken}`),
+    dynamic("/api/users/:id/slack", "^/api/users/[^/]+/slack$", ["POST"], "users.write", `/api/users/${stringToken}/slack`),
+    dynamic("/api/users/:id/slack/:identityId", "^/api/users/[^/]+/slack/[^/]+$", ["DELETE"], "users.write", `/api/users/${stringToken}/slack/${stringToken}`),
     exact("/api/groups", ["GET", "POST"], readWrite("users.read", "users.write")),
     dynamic("/api/groups/:id", "^/api/groups/[^/]+$", ["PATCH"], "users.write", `/api/groups/${stringToken}`),
     exact("/api/telegram-chats", ["GET", "POST"], readWrite("users.read", "users.write")),
     dynamic("/api/telegram-chats/:id", "^/api/telegram-chats/[^/]+$", ["PATCH"], "users.write", `/api/telegram-chats/${stringToken}`),
     exact("/api/discord-channels", ["GET", "POST"], readWrite("users.read", "users.write")),
     dynamic("/api/discord-channels/:id", "^/api/discord-channels/[^/]+$", ["PATCH"], "users.write", `/api/discord-channels/${stringToken}`),
+    exact("/api/slack-channels", ["GET", "POST"], readWrite("users.read", "users.write")),
+    dynamic("/api/slack-channels/:id", "^/api/slack-channels/[^/]+$", ["PATCH"], "users.write", `/api/slack-channels/${stringToken}`),
     exact("/api/audit", ["GET"], "audit.read"),
     exact("/api/locks", ["GET", "POST", "DELETE"], readWrite("sessions.read", "sessions.write")),
     exact("/api/auth/status", ["GET"], "inspect"),
     exact("/api/auth/login", ["POST"], "auth.manage"),
     exact("/api/auth/logout", ["POST"], "auth.manage"),
     exact("/api/settings", ["GET", "PATCH"], readWrite("settings.read", "settings.write")),
+    exact("/api/settings/wizard/test", ["POST"], "settings.write"),
     exact("/api/control-options", ["GET"], "settings.read"),
     exact("/api/sessions", ["GET"], "sessions.read"),
     exact("/api/sessions/new", ["POST"], "sessions.write"),

package/dist/web-dashboard-access-routes.js

@@ -21,6 +21,8 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             active: optionalBooleanField(body, "active") ?? true,
             telegramUserId: optionalNumberField(body, "telegramUserId"),
             discordUserId: optionalStringField(body, "discordUserId"),
+            slackUserId: optionalStringField(body, "slackUserId"),
+            slackTeamId: optionalStringField(body, "slackTeamId"),
         });
         options.auditUserAction(authUser, "user_created", user.user.email);
         sendJson(res, 201, { user: publicUser(user.user), groups: user.groups });
@@ -121,6 +123,34 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
         sendJson(res, 200, { removed });
         return true;
     }
+    const slackLinkMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/slack$/);
+    if (slackLinkMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        if (body.createCode === true) {
+            const userId = decodeURIComponent(slackLinkMatch[1]);
+            const linkCode = users.createSlackLinkCode(userId);
+            options.auditUserAction(authUser, "slack_link_created", userId);
+            sendJson(res, 201, { linkCode });
+            return true;
+        }
+        const identity = users.linkSlackUser(decodeURIComponent(slackLinkMatch[1]), {
+            slackUserId: stringField(body, "slackUserId"),
+            teamId: optionalStringField(body, "teamId"),
+            username: optionalStringField(body, "username"),
+            realName: optionalStringField(body, "realName"),
+        });
+        options.auditUserAction(authUser, "slack_linked", identity.slackUserId);
+        sendJson(res, 201, { identity });
+        return true;
+    }
+    const slackUnlinkMatch = url.pathname.match(/^\/api\/users\/[^/]+\/slack\/([^/]+)$/);
+    if (slackUnlinkMatch?.[1] && req.method === "DELETE") {
+        const identityId = decodeURIComponent(slackUnlinkMatch[1]);
+        const removed = users.unlinkSlackIdentity(identityId);
+        options.auditUserAction(authUser, "slack_unlinked", identityId);
+        sendJson(res, 200, { removed });
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/groups") {
         sendJson(res, 200, { groups: users.listGroups() });
         return true;
@@ -135,6 +165,7 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             workspaceRoots: arrayStringField(body, "workspaceRoots"),
             telegramChatIds: arrayNumberField(body, "telegramChatIds"),
             discordChannelIds: arrayStringField(body, "discordChannelIds"),
+            slackChannelIds: arrayStringField(body, "slackChannelIds"),
         });
         options.auditUserAction(authUser, "group_created", group.id);
         sendJson(res, 201, { group });
@@ -151,6 +182,7 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             workspaceRoots: body.workspaceRoots === undefined ? undefined : arrayStringField(body, "workspaceRoots"),
             telegramChatIds: body.telegramChatIds === undefined ? undefined : arrayNumberField(body, "telegramChatIds"),
             discordChannelIds: body.discordChannelIds === undefined ? undefined : arrayStringField(body, "discordChannelIds"),
+            slackChannelIds: body.slackChannelIds === undefined ? undefined : arrayStringField(body, "slackChannelIds"),
         });
         options.auditUserAction(authUser, "group_updated", group.id);
         sendJson(res, 200, { group });
@@ -215,6 +247,36 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
         sendJson(res, 200, { channel });
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/slack-channels") {
+        sendJson(res, 200, { channels: users.snapshot().slackChannels });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/slack-channels") {
+        const body = await readJsonBody(req);
+        const channel = users.registerSlackChannel({
+            teamId: optionalStringField(body, "teamId"),
+            channelId: stringField(body, "channelId"),
+            title: optionalStringField(body, "title"),
+            type: optionalStringField(body, "type"),
+            enabled: optionalBooleanField(body, "enabled") ?? true,
+            allowedGroupIds: arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "slack_channel_updated", channel.channelId);
+        sendJson(res, 201, { channel });
+        return true;
+    }
+    const slackChannelMatch = url.pathname.match(/^\/api\/slack-channels\/([^/]+)$/);
+    if (slackChannelMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const channel = users.updateSlackChannel(decodeURIComponent(slackChannelMatch[1]), {
+            enabled: optionalBooleanField(body, "enabled"),
+            title: optionalStringField(body, "title"),
+            allowedGroupIds: body.allowedGroupIds === undefined ? undefined : arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "slack_channel_updated", channel.channelId);
+        sendJson(res, 200, { channel });
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/audit") {
         sendJson(res, 200, {
             events: runtime.audit({

package/dist/web-dashboard-assets.js

@@ -12,6 +12,7 @@ const clientSources = [
     "client/jobs.js",
     "client/metrics.js",
     "client/admin.js",
+    "client/settings-wizard.js",
 ];
 const styleSources = [
     "styles/theme.css",