@nordbyte/nordrelay 0.7.0 → 0.8.1

package/dist/slack-channel-runtime.js

@@ -0,0 +1,147 @@
+import { createReadStream } from "node:fs";
+import { SlackChannelAdapter, } from "./channel-adapter.js";
+import { redactText } from "./redaction.js";
+import { slackRateLimiter } from "./slack-rate-limit.js";
+const SLACK_TEXT_LIMIT = 40000;
+const SLACK_SAFE_TEXT_LIMIT = 3500;
+export const SLACK_ACTION_PREFIX = "nr:";
+export class SlackBotChannelRuntime {
+    client;
+    id = "slack";
+    label = "Slack";
+    capabilities = new SlackChannelAdapter().capabilities;
+    constructor(client) {
+        this.client = client;
+    }
+    describe() {
+        return new SlackChannelAdapter().describe();
+    }
+    async sendMessage(context, message) {
+        const chunks = splitSlackMessage(slackMessageText(message));
+        let firstTs = "";
+        for (const [index, chunk] of chunks.entries()) {
+            const result = await slackRateLimiter.run(slackBucket(context), "sendMessage", () => this.client.chat.postMessage({
+                channel: context.chatId,
+                thread_ts: message.threadId ?? context.topicId,
+                text: chunk,
+                mrkdwn: true,
+                blocks: slackBlocks({ ...message, fallbackText: chunk, text: chunk }, index === chunks.length - 1),
+                unfurl_links: false,
+                unfurl_media: false,
+            }));
+            firstTs ||= result.ts ?? "";
+        }
+        return { messageId: firstTs };
+    }
+    async editMessage(context, messageId, message) {
+        const text = trimSlackMessage(slackMessageText(message));
+        await slackRateLimiter.run(slackBucket(context), "editMessage", () => this.client.chat.update({
+            channel: context.chatId,
+            ts: messageId,
+            text,
+            blocks: slackBlocks({ ...message, fallbackText: text, text }, true),
+            unfurl_links: false,
+            unfurl_media: false,
+        })).catch(async () => {
+            await this.sendMessage(context, message);
+        });
+    }
+    async sendTyping(context) {
+        await slackRateLimiter.run(slackBucket(context), "typing", async () => {
+            await this.client.assistant?.threads?.setStatus?.({
+                channel_id: context.chatId,
+                thread_ts: context.topicId,
+                status: "Working...",
+            });
+        }).catch(() => { });
+    }
+    async sendFile(context, file) {
+        const result = await slackRateLimiter.run(slackBucket(context), "sendFile", () => this.client.files.uploadV2({
+            channel_id: context.chatId,
+            thread_ts: file.threadId ?? context.topicId,
+            file: createReadStream(file.localPath),
+            filename: file.name,
+            title: file.name,
+            initial_comment: file.caption ? trimSlackMessage(redactText(file.caption)) : undefined,
+        }));
+        return { messageId: result.files?.[0]?.id ?? "" };
+    }
+}
+export function slackMessageText(message) {
+    const text = message.fallbackText?.trim() || stripHtml(message.text).trim() || ".";
+    return text.length <= SLACK_TEXT_LIMIT ? text : `${text.slice(0, SLACK_TEXT_LIMIT - 1)}…`;
+}
+export function slackActionId(action) {
+    const raw = `${SLACK_ACTION_PREFIX}${action}`;
+    return raw.length <= 255 ? raw : `${SLACK_ACTION_PREFIX}${action.slice(0, 255 - SLACK_ACTION_PREFIX.length)}`;
+}
+export function actionFromSlackActionId(actionId) {
+    return actionId.startsWith(SLACK_ACTION_PREFIX) ? actionId.slice(SLACK_ACTION_PREFIX.length) : null;
+}
+export function splitSlackMessage(text) {
+    const normalized = text || ".";
+    if (normalized.length <= SLACK_SAFE_TEXT_LIMIT) {
+        return [normalized];
+    }
+    const chunks = [];
+    let remaining = normalized;
+    while (remaining.length > 0) {
+        const slice = remaining.slice(0, SLACK_SAFE_TEXT_LIMIT);
+        const breakAt = Math.max(slice.lastIndexOf("\n"), slice.lastIndexOf(" "));
+        const length = breakAt > 400 ? breakAt : SLACK_SAFE_TEXT_LIMIT;
+        chunks.push(remaining.slice(0, length).trimEnd() || ".");
+        remaining = remaining.slice(length).trimStart();
+    }
+    return chunks;
+}
+export function trimSlackMessage(text) {
+    return text.length <= SLACK_SAFE_TEXT_LIMIT ? text : `${text.slice(0, SLACK_SAFE_TEXT_LIMIT - 1)}…`;
+}
+export function slackBlocks(message, includeButtons = true) {
+    const blocks = [
+        {
+            type: "section",
+            text: {
+                type: "mrkdwn",
+                text: trimSlackMessage(slackMessageText(message)),
+            },
+        },
+    ];
+    if (includeButtons && message.buttons?.length) {
+        blocks.push(...message.buttons.slice(0, 5).map((row) => ({
+            type: "actions",
+            elements: row.slice(0, 5).map((button) => slackButton(button)),
+        })));
+    }
+    return blocks;
+}
+function slackButton(button) {
+    return {
+        type: "button",
+        text: {
+            type: "plain_text",
+            text: trimButtonLabel(button.label),
+            emoji: true,
+        },
+        action_id: slackActionId(button.action),
+        value: button.action.slice(0, 2000),
+    };
+}
+function slackBucket(context) {
+    return context.topicId ?? context.chatId;
+}
+function stripHtml(text) {
+    return text
+        .replace(/<br\s*\/?>/gi, "\n")
+        .replace(/<\/(p|div|li|pre)>/gi, "\n")
+        .replace(/<[^>]+>/g, "")
+        .replace(/&lt;/g, "<")
+        .replace(/&gt;/g, ">")
+        .replace(/&amp;/g, "&")
+        .replace(/&quot;/g, "\"")
+        .replace(/&#39;/g, "'");
+}
+function trimButtonLabel(label) {
+    const trimmed = label.trim() || "Action";
+    return trimmed.length <= 75 ? trimmed : trimmed.slice(0, 75);
+}

package/dist/slack-command-surface.js

@@ -0,0 +1,46 @@
+import { permissionForCommand } from "./access-control.js";
+import { normalizeChannelCommandName, parseChannelCommand } from "./channel-runtime.js";
+export function parseSlackMessageCommand(text) {
+    return parseChannelCommand(text, { allowBotMention: false });
+}
+export function parseSlackSlashCommand(text) {
+    const trimmed = text.trim();
+    const parsed = parseSlackMessageCommand(trimmed);
+    if (parsed) {
+        return parsed;
+    }
+    const [command = "prompt", ...rest] = trimmed.split(/\s+/);
+    if (!trimmed) {
+        return { command: "help", argument: "" };
+    }
+    return {
+        command: normalizeChannelCommandName(command),
+        argument: rest.join(" ").trim(),
+    };
+}
+export function requiredPermissionForSlackCommand(command, argument) {
+    const normalized = normalizeChannelCommandName(command);
+    if (normalized === "prompt")
+        return "prompt.send";
+    if (normalized === "queue")
+        return argument.trim() ? "queue.write" : "queue.read";
+    return permissionForCommand(normalized);
+}
+export function isUnauthenticatedSlackCommandAllowed(command) {
+    return normalizeChannelCommandName(command) === "link";
+}
+export function permissionForSlackAction(action) {
+    if (action.startsWith("slack_queue_") || action.startsWith("slack_peer_queue_"))
+        return "queue.write";
+    if (action.startsWith("slack_abort:"))
+        return "prompt.abort";
+    if (action.startsWith("slack_pick:"))
+        return "sessions.write";
+    if (action.startsWith("slack_artifact_delete:"))
+        return "files.write";
+    if (action.startsWith("slack_artifact_"))
+        return "files.read";
+    if (action.startsWith("agent-update:"))
+        return "updates.run";
+    return null;
+}

package/dist/slack-diagnostics.js

@@ -0,0 +1,116 @@
+import { WebClient } from "@slack/web-api";
+import { friendlyErrorText } from "./error-messages.js";
+import { UserStore } from "./user-management.js";
+export async function collectSlackDiagnostics(input) {
+    const { config } = input;
+    const checks = [];
+    const userStore = input.userStore ?? new UserStore();
+    const registeredChannels = userStore.snapshot().slackChannels;
+    const mode = config.slackSocketMode ? "socket" : "http";
+    const configured = Boolean(config.slackBotToken) &&
+        (config.slackSocketMode ? Boolean(config.slackAppToken) : Boolean(config.slackSigningSecret));
+    checks.push(check(Boolean(config.slackBotToken), "Bot token", "SLACK_BOT_TOKEN is configured.", "SLACK_BOT_TOKEN is missing."));
+    checks.push(check(config.slackSocketMode ? Boolean(config.slackAppToken) : Boolean(config.slackSigningSecret), "Transport secret", config.slackSocketMode ? "Socket Mode app token is configured." : "HTTP signing secret is configured.", config.slackSocketMode ? "SLACK_APP_TOKEN is required for Socket Mode." : "SLACK_SIGNING_SECRET is required for HTTP Events mode."));
+    checks.push({
+        status: registeredChannels.length > 0 ? "ok" : "warn",
+        label: "Registered channels",
+        detail: registeredChannels.length > 0
+            ? `${registeredChannels.length} Slack channel access record(s) configured.`
+            : "No Slack channels are registered yet. Admins can use /register_channel or the WebUI Access page.",
+    });
+    checks.push({
+        status: config.slackAllowedTeamIds.length > 0 || config.slackAllowedChannelIds.length > 0 ? "ok" : "warn",
+        label: "Environment allow-list",
+        detail: config.slackAllowedTeamIds.length > 0 || config.slackAllowedChannelIds.length > 0
+            ? `Team allow-list: ${config.slackAllowedTeamIds.length}; channel allow-list: ${config.slackAllowedChannelIds.length}.`
+            : "No SLACK_ALLOWED_TEAM_IDS or SLACK_ALLOWED_CHANNEL_IDS are set. User/group permissions still apply.",
+    });
+    checks.push({
+        status: "ok",
+        label: "File upload smoke",
+        detail: "Slack file upload uses files.uploadV2; real upload probes are intentionally not sent without a target channel.",
+    });
+    let auth;
+    const channelChecks = [];
+    if (config.slackEnabled && config.slackBotToken) {
+        const client = new WebClient(config.slackBotToken);
+        const timeoutMs = input.timeoutMs ?? 4_000;
+        try {
+            const authResult = await withTimeout(client.auth.test(), timeoutMs);
+            auth = {
+                ok: Boolean(authResult.ok),
+                teamId: authResult.team_id,
+                userId: authResult.user_id,
+                botId: authResult.bot_id,
+                url: authResult.url,
+                detail: authResult.ok ? "Slack auth.test succeeded." : "Slack auth.test returned ok=false.",
+            };
+            checks.push({ status: auth.ok ? "ok" : "error", label: "Slack auth.test", detail: auth.detail });
+        }
+        catch (error) {
+            auth = { ok: false, detail: friendlyErrorText(error) };
+            checks.push({ status: "error", label: "Slack auth.test", detail: auth.detail });
+        }
+        for (const channel of registeredChannels.slice(0, input.channelProbeLimit ?? 5)) {
+            try {
+                const result = await withTimeout(client.conversations.info({ channel: channel.channelId }), timeoutMs);
+                channelChecks.push({
+                    channelId: channel.channelId,
+                    teamId: channel.teamId,
+                    title: channel.title,
+                    status: result.ok ? "ok" : "warn",
+                    detail: result.ok ? "Slack conversations.info succeeded." : "Slack conversations.info returned ok=false.",
+                });
+            }
+            catch (error) {
+                channelChecks.push({
+                    channelId: channel.channelId,
+                    teamId: channel.teamId,
+                    title: channel.title,
+                    status: "error",
+                    detail: friendlyErrorText(error),
+                });
+            }
+        }
+    }
+    else if (config.slackEnabled) {
+        checks.push({ status: "error", label: "Slack API probes", detail: "Cannot run Slack API probes without SLACK_BOT_TOKEN." });
+    }
+    else {
+        checks.push({ status: "skipped", label: "Slack API probes", detail: "Slack adapter is disabled." });
+    }
+    return {
+        enabled: config.slackEnabled,
+        mode,
+        configured,
+        generatedAt: new Date().toISOString(),
+        checks,
+        auth,
+        registeredChannels: registeredChannels.length,
+        channelChecks,
+        rateLimit: input.rateLimit,
+    };
+}
+function check(condition, label, okDetail, errorDetail) {
+    return {
+        status: condition ? "ok" : "error",
+        label,
+        detail: condition ? okDetail : errorDetail,
+    };
+}
+async function withTimeout(promise, timeoutMs) {
+    let timer;
+    try {
+        return await Promise.race([
+            promise,
+            new Promise((_, reject) => {
+                timer = setTimeout(() => reject(new Error(`Slack API probe timed out after ${timeoutMs}ms`)), timeoutMs);
+                timer.unref?.();
+            }),
+        ]);
+    }
+    finally {
+        if (timer)
+            clearTimeout(timer);
+    }
+}

package/dist/slack-rate-limit.js

@@ -0,0 +1,139 @@
+const DEFAULT_OPTIONS = {
+    minIntervalMs: 250,
+    editMinIntervalMs: 1_500,
+    typingMinIntervalMs: 4_500,
+    maxRetries: 5,
+};
+export class SlackRateLimiter {
+    options;
+    buckets = new Map();
+    queued = 0;
+    running = 0;
+    completed = 0;
+    failed = 0;
+    retries = 0;
+    rateLimitHits = 0;
+    lastRateLimitAt;
+    lastRetryAfterSeconds;
+    constructor(options = DEFAULT_OPTIONS) {
+        this.options = options;
+    }
+    configure(options) {
+        this.options = { ...this.options, ...options };
+    }
+    async run(bucket, method, operation) {
+        const normalizedBucket = `${method}:${bucket}`;
+        const state = this.getBucket(normalizedBucket);
+        this.queued += 1;
+        let releasePrevious;
+        const previous = state.chain;
+        state.chain = new Promise((resolve) => {
+            releasePrevious = resolve;
+        });
+        await previous.catch(() => { });
+        this.queued = Math.max(0, this.queued - 1);
+        this.running += 1;
+        try {
+            await this.waitForBucket(state, method);
+            const result = await this.runWithRetries(operation);
+            this.completed += 1;
+            state.lastRunAtMs = Date.now();
+            state.queuedUntilMs = Math.max(state.queuedUntilMs, state.lastRunAtMs + this.intervalForMethod(method));
+            return result;
+        }
+        catch (error) {
+            this.failed += 1;
+            throw error;
+        }
+        finally {
+            this.running = Math.max(0, this.running - 1);
+            releasePrevious();
+        }
+    }
+    getMetrics() {
+        return {
+            queued: this.queued,
+            running: this.running,
+            completed: this.completed,
+            failed: this.failed,
+            retries: this.retries,
+            rateLimitHits: this.rateLimitHits,
+            lastRateLimitAt: this.lastRateLimitAt,
+            lastRetryAfterSeconds: this.lastRetryAfterSeconds,
+            buckets: [...this.buckets.entries()]
+                .filter(([, state]) => state.queuedUntilMs > Date.now() || state.lastRunAtMs > 0)
+                .slice(0, 12)
+                .map(([bucket, state]) => ({
+                bucket,
+                queuedUntilMs: state.queuedUntilMs,
+                lastRunAtMs: state.lastRunAtMs,
+            })),
+        };
+    }
+    getBucket(bucket) {
+        let state = this.buckets.get(bucket);
+        if (!state) {
+            state = { chain: Promise.resolve(), queuedUntilMs: 0, lastRunAtMs: 0 };
+            this.buckets.set(bucket, state);
+        }
+        return state;
+    }
+    async waitForBucket(state, method) {
+        const interval = this.intervalForMethod(method);
+        const now = Date.now();
+        const earliest = Math.max(state.queuedUntilMs, state.lastRunAtMs + interval);
+        if (earliest > now) {
+            await delay(earliest - now);
+        }
+    }
+    async runWithRetries(operation) {
+        let attempt = 0;
+        while (true) {
+            try {
+                return await operation();
+            }
+            catch (error) {
+                const retryAfterSeconds = getRetryAfterSeconds(error);
+                if (retryAfterSeconds === undefined || attempt >= this.options.maxRetries) {
+                    throw error;
+                }
+                attempt += 1;
+                this.retries += 1;
+                this.rateLimitHits += 1;
+                this.lastRateLimitAt = new Date().toISOString();
+                this.lastRetryAfterSeconds = retryAfterSeconds;
+                await delay((retryAfterSeconds * 1000) + 250);
+            }
+        }
+    }
+    intervalForMethod(method) {
+        if (method.startsWith("edit"))
+            return this.options.editMinIntervalMs;
+        if (method.startsWith("typing"))
+            return this.options.typingMinIntervalMs;
+        return this.options.minIntervalMs;
+    }
+}
+export const slackRateLimiter = new SlackRateLimiter();
+export function getSlackRateLimitMetrics() {
+    return slackRateLimiter.getMetrics();
+}
+function getRetryAfterSeconds(error) {
+    if (!error || typeof error !== "object") {
+        return undefined;
+    }
+    const candidate = error;
+    if (typeof candidate.retryAfter === "number") {
+        return candidate.retryAfter;
+    }
+    if (typeof candidate.data?.retryAfter === "number") {
+        return candidate.data.retryAfter;
+    }
+    const header = candidate.headers?.["retry-after"];
+    const raw = Array.isArray(header) ? header[0] : header;
+    const parsed = Number(raw);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : undefined;
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist/user-management-crypto.js

@@ -0,0 +1,38 @@
+import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
+const PASSWORD_KEYLEN = 64;
+export function sleepSync(ms) {
+    const end = Date.now() + ms;
+    while (Date.now() < end) {
+        // The lock is only held around tiny JSON mutations; a short spin keeps the implementation dependency-free.
+    }
+}
+export function hashPassword(password) {
+    if (password.length < 8) {
+        throw new Error("Password must be at least 8 characters.");
+    }
+    const salt = randomBytes(16).toString("hex");
+    const hash = scryptSync(password, salt, PASSWORD_KEYLEN).toString("hex");
+    return { salt, hash };
+}
+export function verifyPasswordHash(password, salt, expectedHash) {
+    const actual = scryptSync(password, salt, PASSWORD_KEYLEN);
+    const expected = Buffer.from(expectedHash, "hex");
+    return actual.length === expected.length && timingSafeEqual(actual, expected);
+}
+export function hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+export function constantTimeStringEqual(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+export function randomId() {
+    return randomUUID().replace(/-/g, "").slice(0, 12);
+}
+export function randomLinkCode() {
+    return `NR-${randomBytes(4).toString("hex").toUpperCase()}`;
+}
+export function randomSessionToken() {
+    return randomBytes(32).toString("hex");
+}

package/dist/user-management-normalize.js

@@ -0,0 +1,188 @@
+import path from "node:path";
+import { ADMIN_GROUP_ID, BUILTIN_GROUPS, READONLY_GROUP_ID, isPermission, } from "./access-control.js";
+export function normalizePayload(payload) {
+    const now = new Date().toISOString();
+    const groupsById = new Map();
+    for (const group of BUILTIN_GROUPS) {
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? allPermissionsSafe() : group.permissions,
+            agentIds: [],
+            workspaceRoots: [],
+            telegramChatIds: [],
+            discordChannelIds: [],
+            slackChannelIds: [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+    for (const group of payload?.groups ?? []) {
+        if (!isGroupRecord(group))
+            continue;
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? allPermissionsSafe() : normalizePermissions(group.permissions),
+            system: BUILTIN_GROUPS.some((builtin) => builtin.id === group.id) || group.system,
+            agentIds: normalizeStringList(group.agentIds),
+            workspaceRoots: normalizeStringList(group.workspaceRoots),
+            telegramChatIds: normalizeNumberList(group.telegramChatIds),
+            discordChannelIds: normalizeStringList(group.discordChannelIds),
+            slackChannelIds: normalizeStringList(group.slackChannelIds),
+        });
+    }
+    const groups = Array.from(groupsById.values());
+    const groupIds = new Set(groups.map((group) => group.id));
+    const users = (payload?.users ?? []).filter(isUserRecord);
+    const userIds = new Set(users.map((user) => user.id));
+    return {
+        version: 1,
+        users,
+        groups,
+        userGroups: (payload?.userGroups ?? []).filter((item) => isUserGroupRecord(item) && userIds.has(item.userId) && groupIds.has(item.groupId)),
+        telegramIdentities: (payload?.telegramIdentities ?? []).filter((item) => isTelegramIdentityRecord(item) && userIds.has(item.userId)),
+        telegramChats: (payload?.telegramChats ?? []).filter(isTelegramChatAccessRecord).map((chat) => ({
+            ...chat,
+            allowedGroupIds: chat.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        discordIdentities: (payload?.discordIdentities ?? []).filter((item) => isDiscordIdentityRecord(item) && userIds.has(item.userId)),
+        discordChannels: (payload?.discordChannels ?? []).filter(isDiscordChannelAccessRecord).map((channel) => ({
+            ...channel,
+            allowedGroupIds: channel.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        slackIdentities: (payload?.slackIdentities ?? []).filter((item) => isSlackIdentityRecord(item) && userIds.has(item.userId)),
+        slackChannels: (payload?.slackChannels ?? []).filter(isSlackChannelAccessRecord).map((channel) => ({
+            ...channel,
+            allowedGroupIds: channel.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        webSessions: (payload?.webSessions ?? []).filter((item) => isWebSessionRecord(item) && userIds.has(item.userId)),
+        telegramLinkCodes: (payload?.telegramLinkCodes ?? []).filter((item) => isTelegramLinkCodeRecord(item) && userIds.has(item.userId)),
+        discordLinkCodes: (payload?.discordLinkCodes ?? []).filter((item) => isDiscordLinkCodeRecord(item) && userIds.has(item.userId)),
+        slackLinkCodes: (payload?.slackLinkCodes ?? []).filter((item) => isSlackLinkCodeRecord(item) && userIds.has(item.userId)),
+    };
+}
+export function normalizeEmail(email) {
+    return email.trim().toLowerCase();
+}
+export function normalizeGroupIds(payload, values, emptyFallback = READONLY_GROUP_ID) {
+    const available = new Set(payload.groups.map((group) => group.id));
+    const groupIds = Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
+    for (const groupId of groupIds) {
+        if (!available.has(groupId)) {
+            throw new Error(`Unknown group: ${groupId}`);
+        }
+    }
+    return groupIds.length > 0 ? groupIds : (emptyFallback ? [emptyFallback] : []);
+}
+export function normalizePermissions(values, strict = false) {
+    const permissions = [];
+    for (const value of values ?? []) {
+        if (isPermission(value)) {
+            if (!permissions.includes(value)) {
+                permissions.push(value);
+            }
+            continue;
+        }
+        if (strict && value.trim()) {
+            throw new Error(`Unknown permission: ${value}`);
+        }
+    }
+    return permissions;
+}
+export function normalizeStringList(values) {
+    return Array.from(new Set((values ?? []).map((value) => value.trim()).filter(Boolean)));
+}
+export function normalizeNumberList(values) {
+    return Array.from(new Set((values ?? []).filter((value) => Number.isInteger(value))));
+}
+export function normalizeDiscordId(value) {
+    const normalized = String(value ?? "").trim();
+    return normalized || undefined;
+}
+export function normalizeSlackId(value) {
+    const normalized = String(value ?? "").trim();
+    return normalized || undefined;
+}
+export function assertActiveAdminExists(payload) {
+    const hasAdmin = payload.users.some((user) => user.active && payload.userGroups.some((item) => item.userId === user.id && item.groupId === ADMIN_GROUP_ID));
+    if (!hasAdmin) {
+        throw new Error("Cannot remove or disable the last active admin user.");
+    }
+}
+export function normalizeWorkspacePath(value) {
+    return path.resolve(value);
+}
+export function isPathInside(candidate, root) {
+    const relative = path.relative(root, candidate);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+export function slugify(value) {
+    return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+export function allPermissionsSafe() {
+    return [...BUILTIN_GROUPS.find((group) => group.id === ADMIN_GROUP_ID).permissions];
+}
+function isUserRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.email === "string" &&
+        typeof candidate.displayName === "string" && typeof candidate.passwordHash === "string" &&
+        typeof candidate.passwordSalt === "string" && typeof candidate.active === "boolean";
+}
+function isGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.name === "string" &&
+        Array.isArray(candidate.permissions);
+}
+function isUserGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.userId === "string" && typeof candidate.groupId === "string";
+}
+function isTelegramIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        Number.isInteger(candidate.telegramUserId) && typeof candidate.active === "boolean";
+}
+function isTelegramChatAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && Number.isInteger(candidate.chatId) &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isDiscordIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.discordUserId === "string" && typeof candidate.active === "boolean";
+}
+function isDiscordChannelAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.channelId === "string" &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isSlackIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.slackUserId === "string" && typeof candidate.active === "boolean";
+}
+function isSlackChannelAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.channelId === "string" &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isWebSessionRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.tokenHash === "string" && typeof candidate.expiresAt === "string";
+}
+function isTelegramLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}
+function isDiscordLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}
+function isSlackLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}

package/dist/user-management-types.js

@@ -0,0 +1 @@
+export {};