@nordbyte/nordrelay 0.8.1 → 0.8.2

package/dist/{web-dashboard.js → web/web-dashboard.js}

@@ -1,47 +1,68 @@
 import { createServer } from "node:http";
-import { randomBytes } from "node:crypto";
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import os from "node:os";
 import path from "node:path";
 import { URL } from "node:url";
-import { enabledAgents } from "./agent-factory.js";
-import { buildAdapterConformanceMatrix } from "./adapter-conformance.js";
-import { listAgentAdapterDescriptors } from "./agent-adapter.js";
-import { isAgentId } from "./agent.js";
-import { AuditLogStore } from "./audit-log.js";
-import { listChannelDescriptors } from "./channel-adapter.js";
-import { permissionForWebRequest } from "./access-control.js";
-import { loadConfig } from "./config.js";
-import { friendlyErrorText } from "./error-messages.js";
-import { RelayRuntime } from "./relay-runtime.js";
-import { resolveDashboardEnvPath, SettingsService } from "./settings-service.js";
-import { mergeSettingsWizardTestSettings, runSettingsWizardTest } from "./settings-wizard-test.js";
-import { UserStore, publicUser } from "./user-management.js";
+import { enabledAgents } from "../agents/shared/agent-factory.js";
+import { buildAdapterConformanceMatrix } from "../agents/shared/adapter-conformance.js";
+import { listAgentAdapterDescriptors } from "../agents/shared/agent-adapter.js";
+import { isAgentId } from "../agents/shared/agent.js";
+import { AuditLogStore } from "../access/audit-log.js";
+import { listChannelDescriptors } from "../channels/shared/channel-adapter.js";
+import { permissionForWebRequest } from "../access/access-control.js";
+import { loadConfig } from "../core/config.js";
+import { friendlyErrorText } from "../core/error-messages.js";
+import { RelayRuntime } from "../runtime/relay-runtime.js";
+import { resolveDashboardEnvPath, SettingsService } from "../core/settings-service.js";
+import { mergeSettingsWizardTestSettings, runSettingsWizardTest } from "../core/settings-wizard-test.js";
+import { UserStore, publicUser } from "../access/user-management.js";
 import { handleDashboardAccessRoute } from "./web-dashboard-access-routes.js";
 import { handleDashboardArtifactRoute } from "./web-dashboard-artifact-routes.js";
-import { dashboardCss, dashboardJs } from "./web-dashboard-assets.js";
-import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, } from "./web-dashboard-http.js";
+import { dashboardCss, dashboardJs, dashboardStaticAsset } from "./web-dashboard-assets.js";
+import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, sendStaticFile, isRequestBodyTooLargeError, } from "./web-dashboard-http.js";
 import { renderDashboardApp, renderFirstRunSetupPage, renderLoginPage } from "./web-dashboard-pages.js";
 import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
 import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
 import { handleDashboardPeerRoute } from "./web-dashboard-peer-routes.js";
+import { PeerDiscoveryJobManager } from "../peers/peer-discovery-jobs.js";
+import { recordWebApiMetric } from "./web-performance.js";
+import { createCspNonce, isMutatingWebApiRequest, requiresWebCsrf } from "./web-dashboard-security.js";
+import { consumeRateLimit, resetRateLimit } from "./web-rate-limit.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
+const WEB_API_MUTATION_LIMIT = 240;
+const WEB_API_MUTATION_WINDOW_MS = 60_000;
+const WEB_API_MUTATION_BLOCK_MS = 60_000;
 const options = parseOptions(process.argv.slice(2));
 const config = loadConfig();
 const runtime = new RelayRuntime(config);
 const settings = new SettingsService(resolveDashboardEnvPath(options.home));
 const users = new UserStore(options.home);
 const auditLog = new AuditLogStore(config.workspace, config.stateBackend, config.auditMaxEvents);
+const peerDiscoveryJobs = new PeerDiscoveryJobManager(config, options.home);
 const loginAttempts = new Map();
+const apiMutationAttempts = new Map();
 const firstRunSetupToken = users.hasAdminUser() ? undefined : randomBytes(18).toString("base64url");
 const firstRunSetupRequiresToken = !isLoopbackHost(options.host);
+const csrfSecret = randomBytes(32).toString("base64url");
 if (firstRunSetupToken) {
     console.log(`NordRelay first-run setup token: ${firstRunSetupToken}`);
 }
 class AccessDeniedError extends Error {
 }
 const server = createServer((req, res) => {
+    const startedAt = Date.now();
+    const pathName = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`).pathname;
+    res.on("finish", () => {
+        recordWebApiMetric({
+            method: req.method ?? "GET",
+            path: pathName,
+            statusCode: res.statusCode,
+            durationMs: Date.now() - startedAt,
+        });
+    });
     void handleRequest(req, res).catch((error) => {
-        sendJson(res, error instanceof AccessDeniedError ? 403 : 500, { error: friendlyErrorText(error) });
+        const status = error instanceof AccessDeniedError ? 403 : isRequestBodyTooLargeError(error) ? 413 : 500;
+        sendJson(res, status, { error: friendlyErrorText(error) });
     });
 });
 await new Promise((resolve) => server.listen(options.port, options.host, resolve));
@@ -62,27 +83,52 @@ async function handleRequest(req, res) {
         handleLogout(req, res);
         return;
     }
+    if (servePublicDashboardAsset(url.pathname, res)) {
+        return;
+    }
     const authenticated = authenticateRequest(req);
     if (url.pathname === "/api/auth/me" && req.method === "GET") {
         if (!authenticated) {
             sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
             return;
         }
-        sendJson(res, 200, currentUserDto(authenticated));
+        sendJson(res, 200, currentUserDto(authenticated, req));
         return;
     }
     if (!authenticated) {
         if (url.pathname === "/" || url.pathname === "/index.html") {
+            const cspNonce = createCspNonce();
             if (!users.hasAdminUser()) {
-                sendText(res, 200, renderFirstRunSetupPage({ tokenRequired: firstRunSetupRequiresToken || !isLoopbackRequest(req) }), "text/html; charset=utf-8");
+                sendText(res, 200, renderFirstRunSetupPage({ tokenRequired: firstRunSetupRequiresToken || !isLoopbackRequest(req), cspNonce }), "text/html; charset=utf-8", { cspNonce });
                 return;
             }
-            sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser() }), "text/html; charset=utf-8");
+            sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser(), cspNonce }), "text/html; charset=utf-8", { cspNonce });
             return;
         }
         sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
         return;
     }
+    if (isMutatingWebApiRequest(req.method, url.pathname)) {
+        const limited = consumeRateLimit(apiMutationAttempts, `${req.socket.remoteAddress ?? "unknown"}:${authenticated.user.id}`, WEB_API_MUTATION_LIMIT, WEB_API_MUTATION_WINDOW_MS, WEB_API_MUTATION_BLOCK_MS);
+        if (limited.limited) {
+            sendJson(res, 429, { error: "Too many API changes. Try again later.", retryAfterMs: limited.retryAfterMs });
+            return;
+        }
+    }
+    if (requiresCsrf(req, url) && !verifyCsrf(req)) {
+        audit({
+            action: "permission_denied",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            actor: webActivityActor(authenticated),
+            actorId: authenticated.user.id,
+            actorRole: authenticated.groups.map((group) => group.name).join(", "),
+            description: `Invalid CSRF token for ${req.method ?? "GET"} ${url.pathname}`,
+        });
+        sendJson(res, 403, { error: "Invalid CSRF token." });
+        return;
+    }
     if (url.pathname === "/healthz") {
         if (!users.hasPermission(authenticated, "inspect")) {
             sendText(res, 403, "access denied\n", "text/plain; charset=utf-8");
@@ -92,7 +138,8 @@ async function handleRequest(req, res) {
         return;
     }
     if (url.pathname === "/" || url.pathname === "/index.html") {
-        sendText(res, 200, renderDashboardApp(), "text/html; charset=utf-8");
+        const cspNonce = createCspNonce();
+        sendText(res, 200, renderDashboardApp({ cspNonce }), "text/html; charset=utf-8", { cspNonce });
         return;
     }
     if (url.pathname === "/assets/dashboard.css") {
@@ -113,6 +160,25 @@ async function handleRequest(req, res) {
     }
     await handleApi(req, res, url, authenticated);
 }
+function servePublicDashboardAsset(pathname, res) {
+    const assetName = pathname === "/favicon.ico"
+        ? "favicon.ico"
+        : pathname === "/assets/favicon.png"
+            ? "favicon.png"
+            : pathname === "/assets/logo.png"
+                ? "logo.png"
+                : null;
+    if (!assetName) {
+        return false;
+    }
+    const asset = dashboardStaticAsset(assetName);
+    if (!asset) {
+        sendText(res, 404, "not found\n", "text/plain; charset=utf-8");
+        return true;
+    }
+    sendStaticFile(res, asset.filePath, asset.contentType);
+    return true;
+}
 async function handleApi(req, res, url, authUser) {
     const permission = permissionForWebRequest(req.method, url.pathname);
     if (!permission) {
@@ -160,7 +226,7 @@ async function handleApi(req, res, url, authUser) {
     if (req.method === "GET" && url.pathname === "/api/bootstrap") {
         await assertCurrentSessionScope(authUser);
         sendJson(res, 200, {
-            auth: currentUserDto(authUser),
+            auth: currentUserDto(authUser, req),
             channels: listChannelDescriptors(),
             agentAdapters: listAgentAdapterDescriptors().filter((adapter) => users.canUseAgent(authUser, adapter.id)),
             adapterConformance: scopedAdapterConformance(authUser),
@@ -192,6 +258,7 @@ async function handleApi(req, res, url, authUser) {
         config,
         home: options.home,
         runtime,
+        discoveryJobs: peerDiscoveryJobs,
         activityActor: webActivityActor(authUser),
         auditPeerAction: (action, description) => auditUserAction(authUser, action, description),
     })) {
@@ -330,8 +397,8 @@ async function handleFirstRunSetup(req, res) {
         actor: webActivityActor(authUser),
         detail: authUser.user.email,
     });
-    setSessionCookie(res, session.token);
-    sendJson(res, 201, currentUserDto(authUser));
+    setSessionCookie(res, session.token, req);
+    sendJson(res, 201, currentUserDto(authUser, undefined, session.token));
 }
 async function handleLogin(req, res) {
     const body = await readJsonBody(req);
@@ -387,8 +454,8 @@ async function handleLogin(req, res) {
         actor: webActivityActor(authUser),
         detail: authUser.user.email,
     });
-    setSessionCookie(res, session.token);
-    sendJson(res, 200, currentUserDto(authUser));
+    setSessionCookie(res, session.token, req);
+    sendJson(res, 200, currentUserDto(authUser, undefined, session.token));
 }
 function isLoopbackRequest(req) {
     const address = req.socket.remoteAddress ?? "";
@@ -402,6 +469,10 @@ function isLoopbackHost(host) {
 }
 function handleLogout(req, res) {
     const authUser = authenticateRequest(req);
+    if (authUser && !verifyCsrf(req)) {
+        sendJson(res, 403, { error: "Invalid CSRF token." });
+        return;
+    }
     users.destroyWebSession(parseCookies(req.headers.cookie ?? "").nr_session);
     if (authUser) {
         auditUserAction(authUser, "auth_logout", authUser.user.email);
@@ -431,19 +502,49 @@ function authenticateRequest(req) {
     const cookies = parseCookies(req.headers.cookie ?? "");
     return users.resolveWebSession(cookies.nr_session);
 }
-function setSessionCookie(res, token) {
-    res.setHeader("set-cookie", `nr_session=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/`);
+function setSessionCookie(res, token, req) {
+    const secure = req && isHttpsRequest(req) ? "; Secure" : "";
+    res.setHeader("set-cookie", `nr_session=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/${secure}`);
 }
 function clearSessionCookie(res) {
     res.setHeader("set-cookie", "nr_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0");
 }
-function currentUserDto(authUser) {
+function isHttpsRequest(req) {
+    return Boolean(req.socket.encrypted) ||
+        String(req.headers["x-forwarded-proto"] ?? "").split(",")[0]?.trim().toLowerCase() === "https";
+}
+function currentUserDto(authUser, req, sessionToken) {
+    const token = sessionToken ?? (req ? parseCookies(req.headers.cookie ?? "").nr_session : undefined);
     return {
         user: publicUser(authUser.user),
         groups: authUser.groups,
         permissions: authUser.permissions,
+        csrfToken: token ? csrfTokenForSession(token) : undefined,
     };
 }
+function requiresCsrf(req, url) {
+    return requiresWebCsrf(req.method, url.pathname);
+}
+function verifyCsrf(req) {
+    const sessionToken = parseCookies(req.headers.cookie ?? "").nr_session;
+    const supplied = headerValue(req, "x-nordrelay-csrf");
+    if (!sessionToken || !supplied) {
+        return false;
+    }
+    return safeEqualString(supplied, csrfTokenForSession(sessionToken));
+}
+function csrfTokenForSession(sessionToken) {
+    return createHmac("sha256", csrfSecret).update(sessionToken).digest("base64url");
+}
+function headerValue(req, name) {
+    const value = req.headers[name.toLowerCase()];
+    return Array.isArray(value) ? value[0] ?? "" : value ?? "";
+}
+function safeEqualString(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
 function audit(event) {
     try {
         auditLog.append(event);
@@ -612,25 +713,6 @@ async function assertCurrentSessionScope(authUser) {
 function objectValue(value) {
     return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-function consumeRateLimit(buckets, key, limit, windowMs, blockMs) {
-    const now = Date.now();
-    const existing = buckets.get(key);
-    if (existing?.blockedUntil && existing.blockedUntil > now) {
-        return { limited: true, retryAfterMs: existing.blockedUntil - now };
-    }
-    const bucket = !existing || existing.resetAt <= now ? { count: 0, resetAt: now + windowMs } : existing;
-    bucket.count += 1;
-    if (bucket.count > limit) {
-        bucket.blockedUntil = now + blockMs;
-        buckets.set(key, bucket);
-        return { limited: true, retryAfterMs: blockMs };
-    }
-    buckets.set(key, bucket);
-    return { limited: false };
-}
-function resetRateLimit(buckets, key) {
-    buckets.delete(key);
-}
 function parseAgentId(value) {
     if (!value) {
         return undefined;
@@ -742,6 +824,8 @@ function activeSettingsValues(current) {
         TELEGRAM_EDIT_MIN_INTERVAL_MS: String(current.telegramEditMinIntervalMs),
         NORDRELAY_CLI_MIRROR_MODE: current.mirrorMode,
         NORDRELAY_CLI_MIRROR_MIN_UPDATE_MS: String(current.mirrorMinUpdateMs),
+        NORDRELAY_WEB_CLI_MIRROR_MODE: current.webMirrorMode === current.mirrorMode ? "" : current.webMirrorMode,
+        NORDRELAY_WEB_CLI_MIRROR_MIN_UPDATE_MS: current.webMirrorMinUpdateMs === current.mirrorMinUpdateMs ? "" : String(current.webMirrorMinUpdateMs),
         NORDRELAY_NOTIFY_MODE: current.notifyMode,
         NORDRELAY_QUIET_HOURS: quietValue(current.quietHours),
         NORDRELAY_AUTO_SEND_ARTIFACTS: boolValue(current.autoSendArtifacts),

package/dist/web/web-performance.js

@@ -0,0 +1,60 @@
+const recent = [];
+const routeMetrics = new Map();
+const MAX_RECENT = 200;
+export function recordWebApiMetric(sample) {
+    const next = {
+        ...sample,
+        durationMs: Math.max(0, Math.round(sample.durationMs)),
+        at: sample.at ?? new Date().toISOString(),
+    };
+    recent.push(next);
+    if (recent.length > MAX_RECENT) {
+        recent.splice(0, recent.length - MAX_RECENT);
+    }
+    const key = `${next.method} ${routeKey(next.path)}`;
+    const existing = routeMetrics.get(key);
+    if (!existing) {
+        routeMetrics.set(key, {
+            method: next.method,
+            path: routeKey(next.path),
+            count: 1,
+            averageMs: next.durationMs,
+            maxMs: next.durationMs,
+            lastMs: next.durationMs,
+            lastStatusCode: next.statusCode,
+            lastAt: next.at,
+            totalMs: next.durationMs,
+        });
+        return;
+    }
+    existing.count += 1;
+    existing.totalMs += next.durationMs;
+    existing.averageMs = Math.round(existing.totalMs / existing.count);
+    existing.maxMs = Math.max(existing.maxMs, next.durationMs);
+    existing.lastMs = next.durationMs;
+    existing.lastStatusCode = next.statusCode;
+    existing.lastAt = next.at;
+}
+export function getWebApiPerformanceMetrics() {
+    return {
+        recent: [...recent].reverse().slice(0, 25),
+        slowest: [...recent].sort((left, right) => right.durationMs - left.durationMs).slice(0, 10),
+        routes: [...routeMetrics.values()]
+            .map(({ totalMs: _totalMs, ...metric }) => ({ ...metric }))
+            .sort((left, right) => right.averageMs - left.averageMs)
+            .slice(0, 25),
+    };
+}
+function routeKey(path) {
+    return path
+        .replace(/\/api\/peers\/[^/]+\/proxy$/, "/api/peers/:id/proxy")
+        .replace(/\/api\/peers\/[^/]+\/events$/, "/api/peers/:id/events")
+        .replace(/\/api\/peers\/[^/]+\/health$/, "/api/peers/:id/health")
+        .replace(/\/api\/peers\/[^/]+\/repin$/, "/api/peers/:id/repin")
+        .replace(/\/api\/agent-update\/[^/]+\/(log|input|cancel)$/, "/api/agent-update/:id/$1")
+        .replace(/\/api\/jobs\/[^/]+\/(log|action)$/, "/api/jobs/:id/$1")
+        .replace(/\/api\/users\/[^/]+\/sessions\/[^/]+$/, "/api/users/:id/sessions/:sessionId")
+        .replace(/\/api\/users\/[^/]+\/(password|telegram|discord|slack|sessions)$/, "/api/users/:id/$1")
+        .replace(/\/api\/peers\/discovery-jobs\/[^/]+\/(cancel|log)$/, "/api/peers/discovery-jobs/:id/$1")
+        .replace(/\/api\/peers\/discovery-jobs\/[^/]+$/, "/api/peers/discovery-jobs/:id");
+}

package/dist/web/web-rate-limit.js

@@ -0,0 +1,19 @@
+export function consumeRateLimit(buckets, key, maxAttempts, windowMs, blockMs, now = Date.now()) {
+    const existing = buckets.get(key);
+    if (existing?.blockedUntil && existing.blockedUntil > now) {
+        return { limited: true, retryAfterMs: existing.blockedUntil - now };
+    }
+    if (!existing || existing.resetAt <= now) {
+        buckets.set(key, { count: 1, resetAt: now + windowMs });
+        return { limited: false };
+    }
+    existing.count += 1;
+    if (existing.count > maxAttempts) {
+        existing.blockedUntil = now + blockMs;
+        return { limited: true, retryAfterMs: blockMs };
+    }
+    return { limited: false };
+}
+export function resetRateLimit(buckets, key) {
+    buckets.delete(key);
+}

package/dist/{web-state.js → web/web-state.js}

@@ -1,6 +1,6 @@
 import { randomUUID } from "node:crypto";
-import { activityActorLabel, activityCategoryForType, } from "./activity-events.js";
-import { createDocumentStore } from "./state-backend.js";
+import { activityActorLabel, activityCategoryForType, } from "../core/activity-events.js";
+import { createDocumentStore } from "../state/state-backend.js";
 const DEFAULT_CHAT_LIMIT = 300;
 const DEFAULT_ACTIVITY_LIMIT = 1000;
 export class WebChatStore {
@@ -16,9 +16,16 @@ export class WebChatStore {
         this.maxMessages = maxMessages;
     }
     append(input) {
+        return this.appendWithResult(input).message;
+    }
+    appendWithResult(input) {
         const payload = this.readPayload();
         const threadId = input.threadId || "pending";
         const messages = payload.messagesByThread[threadId] ?? [];
+        const duplicate = findDuplicateWebChatMessage(messages, { ...input, threadId });
+        if (duplicate) {
+            return { message: duplicate, inserted: false };
+        }
         const message = {
             id: randomId(),
             timestamp: input.timestamp ?? new Date().toISOString(),
@@ -31,7 +38,37 @@ export class WebChatStore {
         }
         payload.messagesByThread[threadId] = messages;
         this.store.write(payload);
-        return message;
+        return { message, inserted: true };
+    }
+    upsertByKey(input) {
+        const payload = this.readPayload();
+        const threadId = input.threadId || "pending";
+        const messages = payload.messagesByThread[threadId] ?? [];
+        const now = new Date().toISOString();
+        const existing = messages.find((message) => message.key === input.key);
+        if (existing) {
+            existing.role = input.role;
+            existing.text = input.text;
+            existing.source = input.source;
+            existing.turnId = input.turnId;
+            existing.timestamp = input.timestamp ?? now;
+            existing.key = input.key;
+            this.store.write(payload);
+            return { message: existing, inserted: false, updated: true };
+        }
+        const message = {
+            id: randomId(),
+            timestamp: input.timestamp ?? now,
+            ...input,
+            threadId,
+        };
+        messages.push(message);
+        if (messages.length > this.maxMessages) {
+            messages.splice(0, messages.length - this.maxMessages);
+        }
+        payload.messagesByThread[threadId] = messages;
+        this.store.write(payload);
+        return { message, inserted: true, updated: false };
     }
     list(threadId, limit = 200) {
         const messages = this.readPayload().messagesByThread[threadId || "pending"] ?? [];
@@ -53,7 +90,7 @@ export class WebChatStore {
         const messagesByThread = {};
         for (const [threadId, messages] of Object.entries(payload.messagesByThread)) {
             if (Array.isArray(messages)) {
-                messagesByThread[threadId] = messages.filter(isWebChatMessage).slice(-this.maxMessages);
+                messagesByThread[threadId] = dedupeWebChatMessages(messages.filter(isWebChatMessage)).slice(-this.maxMessages);
             }
         }
         return { version: 1, messagesByThread };
@@ -122,6 +159,7 @@ function isWebChatMessage(value) {
         typeof candidate.threadId === "string" &&
         typeof candidate.text === "string" &&
         typeof candidate.timestamp === "string" &&
+        (candidate.key === undefined || typeof candidate.key === "string") &&
         ["user", "agent", "system", "tool"].includes(candidate.role) &&
         ["web", "telegram", "discord", "slack", "cli"].includes(candidate.source);
 }
@@ -159,4 +197,35 @@ function activityActorMatches(actor, query) {
 function randomId() {
     return randomUUID().replace(/-/g, "").slice(0, 12);
 }
-export { activityActorLabel, activityCategoryForType, auditCategoryForAction, } from "./activity-events.js";
+function dedupeWebChatMessages(messages) {
+    const seen = new Set();
+    return messages.filter((message) => {
+        const key = webChatDedupKey(message);
+        if (!key) {
+            return true;
+        }
+        if (seen.has(key)) {
+            return false;
+        }
+        seen.add(key);
+        return true;
+    });
+}
+function findDuplicateWebChatMessage(messages, input) {
+    const key = webChatDedupKey(input);
+    return key ? messages.find((message) => webChatDedupKey(message) === key) : undefined;
+}
+function webChatDedupKey(message) {
+    const threadId = message.threadId || "pending";
+    if (message.key) {
+        return [threadId, message.key].join("\0");
+    }
+    if (message.turnId) {
+        return [threadId, message.role, message.source, message.turnId, message.text].join("\0");
+    }
+    if (message.timestamp) {
+        return [threadId, message.role, message.source, message.timestamp, message.text].join("\0");
+    }
+    return null;
+}
+export { activityActorLabel, activityCategoryForType, auditCategoryForAction, } from "../core/activity-events.js";