@nordbyte/nordrelay 0.7.0 → 0.8.1

package/dist/peer-client.js

@@ -4,6 +4,73 @@ import { createPairingSignaturePayload, signPeerPayload, fingerprintForPublicKey
 import { signPeerRequest } from "./peer-auth.js";
 import { PeerStore } from "./peer-store.js";
 import { PEER_PROTOCOL_VERSION, } from "./peer-types.js";
+export async function checkPeerEndpoint(url, options = {}) {
+    const target = joinPeerUrl(url, "/peer/healthz");
+    const startedAt = Date.now();
+    try {
+        const result = await requestJson({
+            url: target,
+            method: "GET",
+            expectedTlsFingerprint: options.expectedTlsFingerprint,
+            allowSelfSigned: true,
+            timeoutMs: options.timeoutMs ?? 4_000,
+        });
+        return {
+            ok: true,
+            status: "reachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            statusCode: result.statusCode,
+            tlsFingerprint: result.tlsFingerprint,
+            detail: result.data?.ok === true ? "Peer health endpoint is reachable." : "Endpoint responded, but did not return the expected peer health payload.",
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            status: "unreachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            detail: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+export async function checkPeerIdentityEndpoint(url, options = {}) {
+    const target = joinPeerUrl(url, "/peer/identity");
+    const startedAt = Date.now();
+    try {
+        const result = await requestJson({
+            url: target,
+            method: "GET",
+            expectedTlsFingerprint: options.expectedTlsFingerprint,
+            allowSelfSigned: true,
+            timeoutMs: options.timeoutMs ?? 4_000,
+        });
+        const identity = parsePeerIdentity(result.data?.identity);
+        const protocolVersion = result.data?.protocolVersion;
+        return {
+            ok: Boolean(identity) && protocolVersion === PEER_PROTOCOL_VERSION,
+            status: "reachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            statusCode: result.statusCode,
+            tlsFingerprint: result.tlsFingerprint,
+            identity,
+            detail: identity && protocolVersion === PEER_PROTOCOL_VERSION
+                ? "Peer identity endpoint is reachable."
+                : "Endpoint responded, but did not return the expected peer identity payload.",
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            status: "unreachable",
+            url: target,
+            latencyMs: Date.now() - startedAt,
+            detail: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
 export async function pairPeer(options, identity, store = new PeerStore()) {
     const timestamp = new Date().toISOString();
     const payload = createPairingSignaturePayload(identity.public.nodeId, timestamp, options.code);
@@ -34,7 +101,7 @@ export async function pairPeer(options, identity, store = new PeerStore()) {
         nodeId: result.data.identity.nodeId,
         publicKey: result.data.identity.publicKey,
         fingerprint: result.data.identity.fingerprint,
-        tlsFingerprint: result.tlsFingerprint,
+        tlsFingerprint: result.tlsFingerprint ?? null,
         secret: result.data.secret,
         enabled: true,
         direction: "outbound",
@@ -209,10 +276,11 @@ async function requestJson(options) {
                     reject(new Error(message));
                     return;
                 }
-                resolve({ data: data, tlsFingerprint });
+                resolve({ data: data, statusCode: res.statusCode, tlsFingerprint });
             });
         });
         req.on("error", reject);
+        req.setTimeout(options.timeoutMs ?? 15_000, () => req.destroy(new Error(`Peer request timed out after ${options.timeoutMs ?? 15_000}ms.`)));
         if (bodyText)
             req.write(bodyText);
         req.end();
@@ -254,3 +322,23 @@ function normalizePeerUrl(value) {
 function normalizeFingerprint(value) {
     return value?.trim().toLowerCase();
 }
+function parsePeerIdentity(value) {
+    if (!value || typeof value !== "object") {
+        return undefined;
+    }
+    const record = value;
+    if (typeof record.nodeId !== "string" ||
+        typeof record.name !== "string" ||
+        typeof record.publicKey !== "string" ||
+        typeof record.fingerprint !== "string" ||
+        typeof record.createdAt !== "string") {
+        return undefined;
+    }
+    return {
+        nodeId: record.nodeId,
+        name: record.name,
+        publicKey: record.publicKey,
+        fingerprint: record.fingerprint,
+        createdAt: record.createdAt,
+    };
+}

package/dist/peer-readiness.js

@@ -0,0 +1,77 @@
+import net from "node:net";
+export async function buildPeerReadiness(config) {
+    const listenUrl = peerListenUrl(config);
+    const localListening = await checkLocalPort(config.peerHost, config.peerPort);
+    const loopbackOnly = isLoopbackUrl(listenUrl);
+    const bindLoopbackOnly = isLoopbackHost(config.peerHost);
+    const warnings = [];
+    if (!config.peerEnabled) {
+        warnings.push("Peer server is disabled. Invites can be created, but pairing will fail until NORDRELAY_PEER_ENABLED=true and NordRelay is restarted.");
+    }
+    if (config.peerEnabled && !localListening) {
+        warnings.push(`Peer server is enabled, but no listener was detected on ${connectHostForBindHost(config.peerHost)}:${config.peerPort}.`);
+    }
+    if (loopbackOnly) {
+        warnings.push("Listen URL uses a loopback host. Other machines cannot reach this URL unless they run on the same host.");
+    }
+    if (bindLoopbackOnly && !loopbackOnly) {
+        warnings.push("Peer server is bound to loopback. Remote access requires a local tunnel, reverse proxy, or port forward to this host.");
+    }
+    if (!config.peerTlsEnabled && (!loopbackOnly || !bindLoopbackOnly)) {
+        warnings.push("Peer TLS is disabled. Use TLS for non-loopback or internet-reachable peer endpoints.");
+    }
+    return {
+        enabled: config.peerEnabled,
+        listenUrl,
+        bindHost: config.peerHost,
+        port: config.peerPort,
+        tlsEnabled: config.peerTlsEnabled,
+        requireTls: config.peerRequireTls,
+        localListening,
+        loopbackOnly,
+        bindLoopbackOnly,
+        manualCheckCommand: `nordrelay peer check ${listenUrl}`,
+        warnings,
+    };
+}
+export function peerListenUrl(config) {
+    if (config.peerPublicUrl)
+        return config.peerPublicUrl;
+    const scheme = config.peerTlsEnabled ? "https" : "http";
+    const host = config.peerHost === "0.0.0.0" || config.peerHost === "::" ? "127.0.0.1" : config.peerHost;
+    const displayHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+    return `${scheme}://${displayHost}:${config.peerPort}`;
+}
+function checkLocalPort(host, port) {
+    return new Promise((resolve) => {
+        const socket = net.createConnection({ host: connectHostForBindHost(host), port });
+        const finish = (ok) => {
+            socket.removeAllListeners();
+            socket.destroy();
+            resolve(ok);
+        };
+        socket.setTimeout(1_500);
+        socket.once("connect", () => finish(true));
+        socket.once("timeout", () => finish(false));
+        socket.once("error", () => finish(false));
+    });
+}
+function connectHostForBindHost(host) {
+    if (!host || host === "0.0.0.0")
+        return "127.0.0.1";
+    if (host === "::")
+        return "::1";
+    return host;
+}
+function isLoopbackUrl(value) {
+    try {
+        return isLoopbackHost(new URL(value).hostname);
+    }
+    catch {
+        return false;
+    }
+}
+function isLoopbackHost(host) {
+    const normalized = host.replace(/^\[|\]$/g, "").toLowerCase();
+    return normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1" || normalized.startsWith("127.");
+}

package/dist/peer-runtime-service.js

@@ -6,6 +6,7 @@ import { permissionForWebRequest } from "./access-control.js";
 import { listChannelDescriptors } from "./channel-adapter.js";
 import { friendlyErrorText } from "./error-messages.js";
 import { getPackageVersion } from "./operations.js";
+import { checkPeerEndpoint } from "./peer-client.js";
 export class PeerRuntimeService {
     config;
     runtime;
@@ -26,6 +27,10 @@ export class PeerRuntimeService {
             this.assertScope(peer, "inspect");
             return { ok: true, status: "online", version: await getPackageVersion(), at: new Date().toISOString() };
         }
+        if (request.type === "peer.probe") {
+            this.assertScope(peer, "inspect");
+            return await this.handlePeerProbe(peer, request.payload);
+        }
         throw new Error(`Unsupported peer RPC type: ${request.type}`);
     }
     subscribe(peer, sourceContextKey, send) {
@@ -333,6 +338,16 @@ export class PeerRuntimeService {
             return runtime.restartConnector(remoteActor);
         throw new Error(`Remote endpoint is not implemented: ${method} ${path}`);
     }
+    async handlePeerProbe(peer, payload) {
+        const requestedUrl = stringValue(objectRecord(payload).url);
+        if (!peer.url) {
+            throw new Error("Remote probe refused because this peer has no registered URL. Pair with --public-url or set the peer URL first.");
+        }
+        if (requestedUrl && normalizePeerUrl(requestedUrl) !== normalizePeerUrl(peer.url)) {
+            throw new Error("Remote probe refused because the requested URL does not match this peer's registered URL.");
+        }
+        return await checkPeerEndpoint(peer.url, { expectedTlsFingerprint: peer.tlsFingerprint });
+    }
     assertScope(peer, permission) {
         if (!peer.scopes.includes(permission)) {
             throw new Error(`Peer permission denied: ${permission}`);
@@ -545,6 +560,13 @@ function normalizePath(value) {
     }
     return path;
 }
+function normalizePeerUrl(value) {
+    const url = new URL(value);
+    url.pathname = "";
+    url.search = "";
+    url.hash = "";
+    return url.toString().replace(/\/$/, "");
+}
 function objectRecord(value) {
     return value && typeof value === "object" && !Array.isArray(value) ? value : {};
 }

package/dist/peer-server.js

@@ -4,6 +4,7 @@ import { URL } from "node:url";
 import { friendlyErrorText } from "./error-messages.js";
 import { createPairingSignaturePayload, createSharedSecret, ensurePeerTlsFiles, fingerprintForPublicKey, loadOrCreatePeerIdentity, verifyPeerPayload, } from "./peer-identity.js";
 import { header, PeerNonceCache, verifyPeerRequest } from "./peer-auth.js";
+import { checkPeerIdentityEndpoint } from "./peer-client.js";
 import { peerRuntimeContextKey } from "./peer-context.js";
 import { PeerStore } from "./peer-store.js";
 import { PeerRuntimeService, peerError } from "./peer-runtime-service.js";
@@ -78,7 +79,7 @@ export async function startPeerServer(options) {
             if (req.method === "POST" && url.pathname === "/peer/pair") {
                 const bodyText = await readBody(req, 128 * 1024);
                 const body = parseJson(bodyText);
-                const response = handlePair(body);
+                const response = await handlePair(body);
                 sendJson(res, 201, response);
                 return;
             }
@@ -123,7 +124,7 @@ export async function startPeerServer(options) {
             sendJson(res, status, { error: friendlyErrorText(error) });
         }
     }
-    function handlePair(body) {
+    async function handlePair(body) {
         if (!body?.identity?.nodeId || !body.identity.publicKey || !body.code || !body.signature || !body.timestamp) {
             throw new Error("Invalid peer pairing request.");
         }
@@ -140,17 +141,20 @@ export async function startPeerServer(options) {
         if (!verifyPeerPayload(body.identity.publicKey, signaturePayload, body.signature)) {
             throw new Error("Invalid peer pairing signature.");
         }
+        const publicUrl = body.publicUrl?.trim() || undefined;
+        const publicUrlTlsFingerprint = publicUrl ? await verifyPairingPublicUrl(publicUrl, body.identity) : undefined;
         const invitation = store.consumeInvitation(body.code, body.identity.nodeId);
         const secret = createSharedSecret();
         const peer = store.upsertPeer({
             name: body.name?.trim() || body.identity.name || invitation.name,
-            url: body.publicUrl,
+            url: publicUrl,
             nodeId: body.identity.nodeId,
             publicKey: body.identity.publicKey,
             fingerprint: body.identity.fingerprint,
+            tlsFingerprint: publicUrl ? publicUrlTlsFingerprint ?? null : undefined,
             secret,
             enabled: true,
-            direction: body.publicUrl ? "bidirectional" : "inbound",
+            direction: publicUrl ? "bidirectional" : "inbound",
             scopes: invitation.scopes,
             allowedAgents: invitation.allowedAgents,
             allowedWorkspaceRoots: invitation.allowedWorkspaceRoots,
@@ -167,6 +171,18 @@ export async function startPeerServer(options) {
             workspaceAliases: peer.workspaceAliases,
         };
     }
+    async function verifyPairingPublicUrl(publicUrl, expectedIdentity) {
+        const probe = await checkPeerIdentityEndpoint(publicUrl, { timeoutMs: 4_000 });
+        if (!probe.ok || !probe.identity) {
+            throw new Error(`Peer public URL is not reachable or does not expose a valid NordRelay identity: ${probe.detail}`);
+        }
+        if (probe.identity.nodeId !== expectedIdentity.nodeId ||
+            probe.identity.publicKey !== expectedIdentity.publicKey ||
+            probe.identity.fingerprint !== expectedIdentity.fingerprint) {
+            throw new Error("Peer public URL identity does not match the pairing identity.");
+        }
+        return probe.tlsFingerprint;
+    }
     function authenticate(req, method, pathname, body) {
         const peerId = header(req, "x-nordrelay-peer-id");
         const peer = peerId ? store.get(peerId) : null;

package/dist/peer-store.js

@@ -21,6 +21,7 @@ export class PeerStore {
             enabled: options.enabled,
             listenUrl: options.listenUrl,
             requireTls: options.requireTls,
+            readiness: options.readiness,
             peers: payload.peers.map(publicPeer),
             invitations: payload.invitations.map(publicInvitation),
         };
@@ -90,7 +91,9 @@ export class PeerStore {
                 existing.url = input.url ?? existing.url;
                 existing.publicKey = input.publicKey;
                 existing.fingerprint = input.fingerprint;
-                existing.tlsFingerprint = input.tlsFingerprint ?? existing.tlsFingerprint;
+                if (input.tlsFingerprint !== undefined) {
+                    existing.tlsFingerprint = input.tlsFingerprint || undefined;
+                }
                 existing.secret = input.secret;
                 existing.enabled = input.enabled ?? existing.enabled;
                 existing.direction = mergeDirection(existing.direction, input.direction ?? existing.direction);
@@ -110,7 +113,7 @@ export class PeerStore {
                 nodeId: input.nodeId,
                 publicKey: input.publicKey,
                 fingerprint: input.fingerprint,
-                tlsFingerprint: input.tlsFingerprint,
+                tlsFingerprint: input.tlsFingerprint || undefined,
                 secret: input.secret,
                 enabled: input.enabled ?? true,
                 direction: input.direction ?? "outbound",
@@ -180,6 +183,18 @@ export class PeerStore {
         });
         return removed;
     }
+    deleteInvitation(id) {
+        let removed = null;
+        this.mutatePayload((payload) => {
+            const index = payload.invitations.findIndex((invitation) => invitation.id === id);
+            if (index < 0) {
+                return;
+            }
+            const [invitation] = payload.invitations.splice(index, 1);
+            removed = invitation;
+        });
+        return removed ? publicInvitation(removed) : null;
+    }
     patchPeer(id, patch) {
         this.mutatePayload((payload) => {
             const peer = payload.peers.find((candidate) => candidate.id === id || candidate.nodeId === id);

package/dist/relay-runtime-helpers.js

@@ -131,7 +131,9 @@ export function promptActivityToUnifiedJob(event) {
             ? "Telegram"
             : event.source === "discord"
                 ? "Discord"
-                : "CLI";
+                : event.source === "slack"
+                    ? "Slack"
+                    : "CLI";
     const promptKey = event.threadId ?? event.contextKey ?? event.id;
     return {
         id: `prompt:${event.source}:${promptKey}:${event.id}`,

package/dist/relay-runtime.js

@@ -29,6 +29,8 @@ import { activeSessionPriority, activityToUnifiedJob, agentUpdateStatusToUnified
 import { renderSessionInfoPlain, renderSessionUsageRows } from "./session-format.js";
 import { SessionLockStore } from "./session-locks.js";
 import { SessionRegistry } from "./session-registry.js";
+import { collectSlackDiagnostics } from "./slack-diagnostics.js";
+import { getSlackRateLimitMetrics } from "./slack-rate-limit.js";
 import { createSupportBundle } from "./support-bundle.js";
 import { transcribeAudio } from "./voice.js";
 import { WebActivityStore, WebChatStore, } from "./web-state.js";
@@ -330,6 +332,11 @@ export class RelayRuntime {
                     queuePaused: this.queueService.isPaused(),
                     externalMirror: this.externalActivityMonitor.snapshot(),
                     agentDiagnostics: getAgentDiagnostics(session, this.config),
+                    slackDiagnostics: await collectSlackDiagnostics({
+                        config: this.config,
+                        timeoutMs: 2_500,
+                        rateLimit: getSlackRateLimitMetrics(),
+                    }),
                 },
             };
         });

package/dist/settings-wizard-test.js

@@ -0,0 +1,216 @@
+export async function runSettingsWizardTest(channel, settings) {
+    const parsedChannel = parseSettingsWizardChannel(channel);
+    const checks = parsedChannel === "telegram"
+        ? await testTelegram(settings)
+        : parsedChannel === "discord"
+            ? await testDiscord(settings)
+            : await testSlack(settings);
+    return { channel: parsedChannel, checkedAt: new Date().toISOString(), checks };
+}
+export function mergeSettingsWizardTestSettings(activeSettings, submittedSettings) {
+    const merged = {};
+    for (const [key, value] of Object.entries(activeSettings)) {
+        if (value !== undefined) {
+            merged[key] = value;
+        }
+    }
+    for (const [key, value] of Object.entries(submittedSettings)) {
+        if (typeof value !== "string" || isMaskedSecret(value)) {
+            continue;
+        }
+        merged[key] = value;
+    }
+    return merged;
+}
+function parseSettingsWizardChannel(value) {
+    if (value === "telegram" || value === "discord" || value === "slack") {
+        return value;
+    }
+    throw new Error("Invalid settings wizard channel.");
+}
+async function testTelegram(settings) {
+    const token = settings.TELEGRAM_BOT_TOKEN ?? "";
+    const transport = settings.TELEGRAM_TRANSPORT || "polling";
+    const checks = [
+        tokenCheck("Telegram bot token", token, /^[0-9]{5,}:[A-Za-z0-9_-]{20,}$/),
+        {
+            label: "Telegram transport",
+            status: transport === "polling" || transport === "webhook" ? "ok" : "error",
+            detail: transport === "webhook" ? "Webhook mode selected." : "Polling mode selected.",
+        },
+    ];
+    if (transport === "webhook") {
+        checks.push({
+            label: "Webhook public URL",
+            status: /^https:\/\//.test(settings.TELEGRAM_WEBHOOK_URL ?? "") ? "ok" : "error",
+            detail: settings.TELEGRAM_WEBHOOK_URL ? "HTTPS URL configured." : "Webhook mode requires a public HTTPS URL.",
+        }, {
+            label: "Webhook bind endpoint",
+            status: settings.TELEGRAM_WEBHOOK_HOST && Number.isFinite(Number(settings.TELEGRAM_WEBHOOK_PORT)) && String(settings.TELEGRAM_WEBHOOK_PATH ?? "").startsWith("/") ? "ok" : "error",
+            detail: "Host, port, and path must describe the local webhook listener.",
+        });
+    }
+    if (isUsableSecret(token, /^[0-9]{5,}:[A-Za-z0-9_-]{20,}$/)) {
+        checks.push(await fetchTelegramIdentity(token));
+    }
+    return checks;
+}
+async function testDiscord(settings) {
+    const token = settings.DISCORD_BOT_TOKEN ?? "";
+    const clientId = settings.DISCORD_CLIENT_ID ?? "";
+    const commandMode = settings.DISCORD_COMMAND_MODE || "both";
+    const checks = [
+        tokenCheck("Discord bot token", token, /^.{20,}$/),
+        {
+            label: "Discord client ID",
+            status: isSnowflake(clientId) ? "ok" : "error",
+            detail: isSnowflake(clientId) ? "Application ID looks valid." : "Copy Application ID from Discord Developer Portal > General Information.",
+        },
+        listCheck("Discord guild IDs", settings.DISCORD_GUILD_IDS, isSnowflake),
+        listCheck("Allowed Discord guilds", settings.DISCORD_ALLOWED_GUILD_IDS, isSnowflake),
+        listCheck("Allowed Discord channels", settings.DISCORD_ALLOWED_CHANNEL_IDS, isSnowflake),
+        {
+            label: "Discord command mode",
+            status: commandMode === "slash" || commandMode === "message" || commandMode === "both" ? "ok" : "error",
+            detail: "Supported values are slash, message, or both.",
+        },
+    ];
+    if ((commandMode === "message" || commandMode === "both") && !truthy(settings.DISCORD_MESSAGE_CONTENT_ENABLED)) {
+        checks.push({
+            label: "Message Content Intent",
+            status: "warn",
+            detail: "Message command mode needs Message Content Intent enabled in the Discord Developer Portal.",
+        });
+    }
+    if (isUsableSecret(token, /^.{20,}$/)) {
+        checks.push(await fetchDiscordIdentity(token));
+    }
+    return checks;
+}
+async function testSlack(settings) {
+    const botToken = settings.SLACK_BOT_TOKEN ?? "";
+    const appToken = settings.SLACK_APP_TOKEN ?? "";
+    const socketMode = truthy(settings.SLACK_SOCKET_MODE);
+    const checks = [
+        tokenCheck("Slack bot token", botToken, /^xoxb-/),
+        {
+            label: "Slack command",
+            status: !settings.SLACK_COMMAND || settings.SLACK_COMMAND.startsWith("/") ? "ok" : "error",
+            detail: settings.SLACK_COMMAND || "/nordrelay",
+        },
+        listCheck("Allowed Slack teams", settings.SLACK_ALLOWED_TEAM_IDS, isSlackId),
+        listCheck("Allowed Slack channels", settings.SLACK_ALLOWED_CHANNEL_IDS, isSlackId),
+    ];
+    if (socketMode) {
+        checks.push(tokenCheck("Slack app token", appToken, /^xapp-/));
+    }
+    else {
+        checks.push({
+            label: "Slack signing secret",
+            status: settings.SLACK_SIGNING_SECRET ? "ok" : "error",
+            detail: settings.SLACK_SIGNING_SECRET ? "Signing secret configured." : "HTTP Events mode requires the Slack signing secret.",
+        }, {
+            label: "Slack HTTP port",
+            status: Number.isFinite(Number(settings.SLACK_PORT)) ? "ok" : "error",
+            detail: settings.SLACK_PORT || "Not configured.",
+        });
+    }
+    if (isUsableSecret(botToken, /^xoxb-/)) {
+        checks.push(await fetchSlackIdentity(botToken));
+    }
+    return checks;
+}
+function tokenCheck(label, value, pattern) {
+    if (!value) {
+        return { label, status: "error", detail: "Required value is missing." };
+    }
+    if (isMaskedSecret(value)) {
+        return { label, status: "warn", detail: "Secret is already configured. Paste the real value to run a live API test." };
+    }
+    return pattern.test(value)
+        ? { label, status: "ok", detail: "Format looks valid." }
+        : { label, status: "error", detail: "Value does not match the expected format." };
+}
+function listCheck(label, value, predicate) {
+    const items = parseList(value);
+    const invalid = items.filter((item) => !predicate(item));
+    if (invalid.length > 0) {
+        return { label, status: "error", detail: `Invalid values: ${invalid.join(", ")}` };
+    }
+    return { label, status: "ok", detail: items.length ? `${items.length} value(s) configured.` : "No allow-list configured." };
+}
+async function fetchTelegramIdentity(token) {
+    try {
+        const data = await fetchJson(`https://api.telegram.org/bot${token}/getMe`);
+        if (data.ok === true) {
+            const result = data.result;
+            return { label: "Telegram API", status: "ok", detail: `Bot reachable: ${result?.username ?? result?.first_name ?? "configured bot"}.` };
+        }
+        return { label: "Telegram API", status: "error", detail: String(data.description ?? "Telegram rejected the token.") };
+    }
+    catch (error) {
+        return { label: "Telegram API", status: "warn", detail: `Live check failed: ${errorText(error)}` };
+    }
+}
+async function fetchDiscordIdentity(token) {
+    try {
+        const data = await fetchJson("https://discord.com/api/v10/users/@me", {
+            headers: { authorization: `Bot ${token}` },
+        });
+        if (typeof data.id === "string") {
+            return { label: "Discord API", status: "ok", detail: `Bot reachable: ${data.username ?? data.id}.` };
+        }
+        return { label: "Discord API", status: "error", detail: String(data.message ?? "Discord rejected the bot token.") };
+    }
+    catch (error) {
+        return { label: "Discord API", status: "warn", detail: `Live check failed: ${errorText(error)}` };
+    }
+}
+async function fetchSlackIdentity(token) {
+    try {
+        const data = await fetchJson("https://slack.com/api/auth.test", {
+            headers: { authorization: `Bearer ${token}` },
+        });
+        if (data.ok === true) {
+            return { label: "Slack API", status: "ok", detail: `Bot reachable in ${data.team ?? "workspace"} as ${data.user ?? data.bot_id ?? "bot"}.` };
+        }
+        return { label: "Slack API", status: "error", detail: String(data.error ?? "Slack rejected the bot token.") };
+    }
+    catch (error) {
+        return { label: "Slack API", status: "warn", detail: `Live check failed: ${errorText(error)}` };
+    }
+}
+async function fetchJson(url, init = {}) {
+    const response = await fetch(url, {
+        ...init,
+        signal: AbortSignal.timeout(5_000),
+    });
+    const text = await response.text();
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { ok: response.ok, status: response.status, description: text.slice(0, 200) };
+    }
+}
+function isUsableSecret(value, pattern) {
+    return Boolean(value) && !isMaskedSecret(value) && pattern.test(value);
+}
+function isMaskedSecret(value) {
+    return /^\*+$/.test(value) || value.includes("...");
+}
+function parseList(value) {
+    return String(value ?? "").split(",").map((item) => item.trim()).filter(Boolean);
+}
+function isSnowflake(value) {
+    return /^[0-9]{5,32}$/.test(value);
+}
+function isSlackId(value) {
+    return /^[A-Z0-9]{2,64}$/.test(value);
+}
+function truthy(value) {
+    return ["true", "1", "yes", "on"].includes(String(value ?? "").toLowerCase());
+}
+function errorText(error) {
+    return error instanceof Error ? error.message : String(error);
+}