npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd - Mend

@open-mercato/core 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (533) hide show

package/dist/modules/communication_channels/lib/gmail-pubsub-jwt.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/gmail-pubsub-jwt.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\n\n/**\n * Spec C \u00A7 Phase C2 \u2014 Verify a Gmail Pub/Sub push request.\n *\n * Pub/Sub push subscriptions authenticate with a Google-signed RS256 JWT\n * passed in the `Authorization: Bearer \u2026` header. The token's claims contain\n *   - `iss`: `https://accounts.google.com`\n *   - `aud`: the configured audience (typically the webhook URL)\n *   - `email`: the publishing service-account address (e.g.\n *     `gmail-api-push@system.gserviceaccount.com` for Gmail watch)\n *   - `email_verified: true`\n *\n * The default verifier downloads Google's public x509 certs and caches them\n * for an hour. Tests inject a mock verifier via `setGmailPubSubVerifier(...)`.\n */\n\nconst GOOGLE_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs'\nconst CERT_CACHE_TTL_MS = 60 * 60 * 1000\nconst CERT_FETCH_TIMEOUT_MS = 5000\n// Google mints OIDC tokens with one of these two issuer strings.\nconst GOOGLE_ACCEPTED_ISSUERS = new Set(['https://accounts.google.com', 'accounts.google.com'])\n\nexport interface GmailPubSubJwtClaims {\n  iss: string\n  aud: string | string[]\n  email?: string\n  emailVerified?: boolean\n  exp: number\n  iat: number\n  sub?: string\n}\n\nexport interface GmailPubSubVerifyInput {\n  authorizationHeader: string | null | undefined\n  expectedAudience: string\n  expectedEmail: string\n}\n\nexport interface GmailPubSubVerifier {\n  verify(input: GmailPubSubVerifyInput): Promise<GmailPubSubJwtClaims>\n}\n\nexport class GmailPubSubJwtError extends Error {\n  readonly code: 'missing_token' | 'invalid_format' | 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'wrong_email' | 'fetch_certs_failed'\n  constructor(message: string, code: GmailPubSubJwtError['code']) {\n    super(message)\n    this.name = 'GmailPubSubJwtError'\n    this.code = code\n  }\n}\n\ninterface CertCacheEntry {\n  certs: Record<string, string>\n  fetchedAt: number\n}\n\nclass FetchGmailPubSubVerifier implements GmailPubSubVerifier {\n  private certCache: CertCacheEntry | null = null\n\n  async verify(input: GmailPubSubVerifyInput): Promise<GmailPubSubJwtClaims> {\n    const token = extractBearer(input.authorizationHeader)\n    if (!token) throw new GmailPubSubJwtError('Missing Authorization bearer token', 'missing_token')\n\n    const parts = token.split('.')\n    if (parts.length !== 3) {\n      throw new GmailPubSubJwtError('JWT must have three dot-separated parts', 'invalid_format')\n    }\n    const [headerB64, payloadB64, signatureB64] = parts\n    let header: Record<string, unknown>\n    let claims: GmailPubSubJwtClaims\n    try {\n      header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf-8')) as Record<string, unknown>\n      claims = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf-8')) as GmailPubSubJwtClaims\n    } catch {\n      throw new GmailPubSubJwtError('JWT header/payload not parseable', 'invalid_format')\n    }\n    const kid = typeof header.kid === 'string' ? header.kid : null\n    const alg = typeof header.alg === 'string' ? header.alg : null\n    if (!kid || alg !== 'RS256') {\n      throw new GmailPubSubJwtError(`Unsupported JWT alg/kid: alg=${alg ?? '?'} kid=${kid ?? '?'}`, 'invalid_format')\n    }\n\n    const certs = await this.getCerts()\n    const cert = certs[kid]\n    if (!cert) {\n      // Cert rotated; refetch once and retry.\n      this.certCache = null\n      const refreshed = await this.getCerts()\n      const fresh = refreshed[kid]\n      if (!fresh) throw new GmailPubSubJwtError(`No cert for kid=${kid}`, 'invalid_signature')\n      verifySignature(`${headerB64}.${payloadB64}`, signatureB64, fresh)\n    } else {\n      verifySignature(`${headerB64}.${payloadB64}`, signatureB64, cert)\n    }\n\n    validateClaims(claims, input)\n    return claims\n  }\n\n  private async getCerts(): Promise<Record<string, string>> {\n    if (this.certCache && Date.now() - this.certCache.fetchedAt < CERT_CACHE_TTL_MS) {\n      return this.certCache.certs\n    }\n    let res: Response\n    const controller = new AbortController()\n    const timer = setTimeout(() => controller.abort(), CERT_FETCH_TIMEOUT_MS)\n    try {\n      res = await fetch(GOOGLE_CERTS_URL, { signal: controller.signal })\n    } catch (err) {\n      throw new GmailPubSubJwtError(\n        `Failed to fetch Google certs: ${err instanceof Error ? err.message : String(err)}`,\n        'fetch_certs_failed',\n      )\n    } finally {\n      clearTimeout(timer)\n    }\n    if (!res.ok) {\n      throw new GmailPubSubJwtError(`Google certs endpoint returned ${res.status}`, 'fetch_certs_failed')\n    }\n    let parsed: unknown\n    try {\n      parsed = await res.json()\n    } catch (err) {\n      throw new GmailPubSubJwtError(\n        `Google certs endpoint returned invalid JSON: ${err instanceof Error ? err.message : String(err)}`,\n        'fetch_certs_failed',\n      )\n    }\n    const certs = toCertMap(parsed)\n    if (!certs) {\n      // Never cache an empty/malformed payload \u2014 a single bad 200 would otherwise\n      // disable Gmail push verification for the whole CERT_CACHE_TTL_MS window.\n      throw new GmailPubSubJwtError('Google certs endpoint returned an unexpected shape', 'fetch_certs_failed')\n    }\n    this.certCache = { certs, fetchedAt: Date.now() }\n    return certs\n  }\n}\n\n/**\n * Validates that a parsed Google certs response is a non-empty `kid \u2192 PEM` map.\n * Returns the typed map on success, or `null` when the shape is unusable so the\n * caller can fail closed instead of caching garbage.\n */\nfunction toCertMap(value: unknown): Record<string, string> | null {\n  if (value == null || typeof value !== 'object' || Array.isArray(value)) return null\n  const entries = Object.entries(value as Record<string, unknown>)\n  if (entries.length === 0) return null\n  const certs: Record<string, string> = {}\n  for (const [kid, pem] of entries) {\n    if (typeof pem !== 'string' || pem.length === 0) return null\n    certs[kid] = pem\n  }\n  return certs\n}\n\nfunction extractBearer(header: string | null | undefined): string | null {\n  if (!header) return null\n  const match = /^Bearer\\s+(.+)$/i.exec(header.trim())\n  return match ? match[1].trim() : null\n}\n\nfunction verifySignature(input: string, signatureB64: string, cert: string): void {\n  const verifier = crypto.createVerify('RSA-SHA256')\n  verifier.update(input)\n  verifier.end()\n  const signature = Buffer.from(signatureB64, 'base64url')\n  const ok = verifier.verify(cert, signature)\n  if (!ok) {\n    throw new GmailPubSubJwtError('JWT signature verification failed', 'invalid_signature')\n  }\n}\n\nfunction validateClaims(claims: GmailPubSubJwtClaims, input: GmailPubSubVerifyInput): void {\n  const now = Math.floor(Date.now() / 1000)\n  // Fail closed: a token without a numeric `exp` has no expiry, so a captured\n  // push JWT could otherwise be replayed indefinitely. Require `exp` and reject\n  // anything already past it (with a small clock-skew allowance).\n  if (typeof claims.exp !== 'number' || claims.exp < now - 5) {\n    throw new GmailPubSubJwtError('JWT expired or missing exp', 'expired')\n  }\n  // Reject a future-dated `iat` beyond the clock-skew allowance: a token\n  // \"issued\" in the future signals a forged token or a badly-skewed clock.\n  // Reuses the `expired` code (both are temporal-validity failures \u2192 401).\n  if (typeof claims.iat === 'number' && claims.iat > now + 5) {\n    throw new GmailPubSubJwtError('JWT issued in the future', 'expired')\n  }\n  // Verify the issuer is Google (defense-in-depth alongside the signature +\n  // service-account email checks; the file header documents this requirement).\n  if (typeof claims.iss !== 'string' || !GOOGLE_ACCEPTED_ISSUERS.has(claims.iss)) {\n    throw new GmailPubSubJwtError(\n      `JWT issuer not accepted (got ${typeof claims.iss === 'string' ? claims.iss : 'none'})`,\n      'wrong_issuer',\n    )\n  }\n  const audOk = Array.isArray(claims.aud)\n    ? claims.aud.includes(input.expectedAudience)\n    : claims.aud === input.expectedAudience\n  if (!audOk) {\n    throw new GmailPubSubJwtError(\n      `JWT audience mismatch (expected ${input.expectedAudience})`,\n      'wrong_audience',\n    )\n  }\n  // Google uses `email_verified` in the wire format; our type uses camelCase.\n  // Accept either to be defensive.\n  const emailVerified =\n    claims.emailVerified === true ||\n    (claims as unknown as { email_verified?: boolean }).email_verified === true\n  if (!emailVerified || claims.email !== input.expectedEmail) {\n    throw new GmailPubSubJwtError(\n      `JWT email mismatch (expected ${input.expectedEmail})`,\n      'wrong_email',\n    )\n  }\n}\n\nlet cachedVerifier: GmailPubSubVerifier | null = null\n\nexport function getGmailPubSubVerifier(): GmailPubSubVerifier {\n  if (!cachedVerifier) cachedVerifier = new FetchGmailPubSubVerifier()\n  return cachedVerifier\n}\n\nexport function setGmailPubSubVerifier(verifier: GmailPubSubVerifier | null): void {\n  cachedVerifier = verifier\n}\n\n/**\n * Decode a Pub/Sub envelope from the webhook body.\n *\n * Shape: `{ message: { data: base64<JSON>, messageId, publishTime, attributes }, subscription }`.\n *\n * Gmail's payload (`data` field) decodes to `{ emailAddress, historyId }`.\n */\nexport interface PubSubEnvelope {\n  message: {\n    data: string\n    messageId: string\n    publishTime?: string\n    attributes?: Record<string, string>\n  }\n  subscription?: string\n}\n\nexport interface GmailPushPayload {\n  emailAddress: string\n  historyId: string | number\n}\n\nexport function decodeGmailPubSubBody(rawBody: string): GmailPushPayload {\n  let envelope: PubSubEnvelope\n  try {\n    envelope = JSON.parse(rawBody) as PubSubEnvelope\n  } catch {\n    throw new GmailPubSubJwtError('Body is not valid JSON', 'invalid_format')\n  }\n  if (!envelope.message?.data) {\n    throw new GmailPubSubJwtError('Envelope missing message.data', 'invalid_format')\n  }\n  let payloadText: string\n  try {\n    payloadText = Buffer.from(envelope.message.data, 'base64').toString('utf-8')\n  } catch {\n    throw new GmailPubSubJwtError('message.data not base64 decodable', 'invalid_format')\n  }\n  let payload: GmailPushPayload\n  try {\n    payload = JSON.parse(payloadText) as GmailPushPayload\n  } catch {\n    throw new GmailPubSubJwtError('message.data JSON not parseable', 'invalid_format')\n  }\n  if (!payload.emailAddress || payload.historyId === undefined) {\n    throw new GmailPubSubJwtError('message.data missing emailAddress or historyId', 'invalid_format')\n  }\n  return payload\n}\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAiBnB,MAAM,mBAAmB;AACzB,MAAM,oBAAoB,KAAK,KAAK;AACpC,MAAM,wBAAwB;AAE9B,MAAM,0BAA0B,oBAAI,IAAI,CAAC,+BAA+B,qBAAqB,CAAC;AAsBvF,MAAM,4BAA4B,MAAM;AAAA,EAE7C,YAAY,SAAiB,MAAmC;AAC9D,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAOA,MAAM,yBAAwD;AAAA,EAA9D;AACE,SAAQ,YAAmC;AAAA;AAAA,EAE3C,MAAM,OAAO,OAA8D;AACzE,UAAM,QAAQ,cAAc,MAAM,mBAAmB;AACrD,QAAI,CAAC,MAAO,OAAM,IAAI,oBAAoB,sCAAsC,eAAe;AAE/F,UAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,QAAI,MAAM,WAAW,GAAG;AACtB,YAAM,IAAI,oBAAoB,2CAA2C,gBAAgB;AAAA,IAC3F;AACA,UAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAC9C,QAAI;AACJ,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,OAAO,KAAK,WAAW,WAAW,EAAE,SAAS,OAAO,CAAC;AACzE,eAAS,KAAK,MAAM,OAAO,KAAK,YAAY,WAAW,EAAE,SAAS,OAAO,CAAC;AAAA,IAC5E,QAAQ;AACN,YAAM,IAAI,oBAAoB,oCAAoC,gBAAgB;AAAA,IACpF;AACA,UAAM,MAAM,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM;AAC1D,UAAM,MAAM,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM;AAC1D,QAAI,CAAC,OAAO,QAAQ,SAAS;AAC3B,YAAM,IAAI,oBAAoB,gCAAgC,OAAO,GAAG,QAAQ,OAAO,GAAG,IAAI,gBAAgB;AAAA,IAChH;AAEA,UAAM,QAAQ,MAAM,KAAK,SAAS;AAClC,UAAM,OAAO,MAAM,GAAG;AACtB,QAAI,CAAC,MAAM;AAET,WAAK,YAAY;AACjB,YAAM,YAAY,MAAM,KAAK,SAAS;AACtC,YAAM,QAAQ,UAAU,GAAG;AAC3B,UAAI,CAAC,MAAO,OAAM,IAAI,oBAAoB,mBAAmB,GAAG,IAAI,mBAAmB;AACvF,sBAAgB,GAAG,SAAS,IAAI,UAAU,IAAI,cAAc,KAAK;AAAA,IACnE,OAAO;AACL,sBAAgB,GAAG,SAAS,IAAI,UAAU,IAAI,cAAc,IAAI;AAAA,IAClE;AAEA,mBAAe,QAAQ,KAAK;AAC5B,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,WAA4C;AACxD,QAAI,KAAK,aAAa,KAAK,IAAI,IAAI,KAAK,UAAU,YAAY,mBAAmB;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AACA,QAAI;AACJ,UAAM,aAAa,IAAI,gBAAgB;AACvC,UAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,qBAAqB;AACxE,QAAI;AACF,YAAM,MAAM,MAAM,kBAAkB,EAAE,QAAQ,WAAW,OAAO,CAAC;AAAA,IACnE,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,iCAAiC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AACA,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,oBAAoB,kCAAkC,IAAI,MAAM,IAAI,oBAAoB;AAAA,IACpG;AACA,QAAI;AACJ,QAAI;AACF,eAAS,MAAM,IAAI,KAAK;AAAA,IAC1B,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,gDAAgD,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AACA,UAAM,QAAQ,UAAU,MAAM;AAC9B,QAAI,CAAC,OAAO;AAGV,YAAM,IAAI,oBAAoB,sDAAsD,oBAAoB;AAAA,IAC1G;AACA,SAAK,YAAY,EAAE,OAAO,WAAW,KAAK,IAAI,EAAE;AAChD,WAAO;AAAA,EACT;AACF;AAOA,SAAS,UAAU,OAA+C;AAChE,MAAI,SAAS,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,EAAG,QAAO;AAC/E,QAAM,UAAU,OAAO,QAAQ,KAAgC;AAC/D,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,QAAM,QAAgC,CAAC;AACvC,aAAW,CAAC,KAAK,GAAG,KAAK,SAAS;AAChC,QAAI,OAAO,QAAQ,YAAY,IAAI,WAAW,EAAG,QAAO;AACxD,UAAM,GAAG,IAAI;AAAA,EACf;AACA,SAAO;AACT;AAEA,SAAS,cAAc,QAAkD;AACvE,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,QAAQ,mBAAmB,KAAK,OAAO,KAAK,CAAC;AACnD,SAAO,QAAQ,MAAM,CAAC,EAAE,KAAK,IAAI;AACnC;AAEA,SAAS,gBAAgB,OAAe,cAAsB,MAAoB;AAChF,QAAM,WAAW,OAAO,aAAa,YAAY;AACjD,WAAS,OAAO,KAAK;AACrB,WAAS,IAAI;AACb,QAAM,YAAY,OAAO,KAAK,cAAc,WAAW;AACvD,QAAM,KAAK,SAAS,OAAO,MAAM,SAAS;AAC1C,MAAI,CAAC,IAAI;AACP,UAAM,IAAI,oBAAoB,qCAAqC,mBAAmB;AAAA,EACxF;AACF;AAEA,SAAS,eAAe,QAA8B,OAAqC;AACzF,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAIxC,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,MAAM,MAAM,GAAG;AAC1D,UAAM,IAAI,oBAAoB,8BAA8B,SAAS;AAAA,EACvE;AAIA,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,MAAM,MAAM,GAAG;AAC1D,UAAM,IAAI,oBAAoB,4BAA4B,SAAS;AAAA,EACrE;AAGA,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,wBAAwB,IAAI,OAAO,GAAG,GAAG;AAC9E,UAAM,IAAI;AAAA,MACR,gCAAgC,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM,MAAM;AAAA,MACpF;AAAA,IACF;AAAA,EACF;AACA,QAAM,QAAQ,MAAM,QAAQ,OAAO,GAAG,IAClC,OAAO,IAAI,SAAS,MAAM,gBAAgB,IAC1C,OAAO,QAAQ,MAAM;AACzB,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR,mCAAmC,MAAM,gBAAgB;AAAA,MACzD;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBACJ,OAAO,kBAAkB,QACxB,OAAmD,mBAAmB;AACzE,MAAI,CAAC,iBAAiB,OAAO,UAAU,MAAM,eAAe;AAC1D,UAAM,IAAI;AAAA,MACR,gCAAgC,MAAM,aAAa;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAI,iBAA6C;AAE1C,SAAS,yBAA8C;AAC5D,MAAI,CAAC,eAAgB,kBAAiB,IAAI,yBAAyB;AACnE,SAAO;AACT;AAEO,SAAS,uBAAuB,UAA4C;AACjF,mBAAiB;AACnB;AAwBO,SAAS,sBAAsB,SAAmC;AACvE,MAAI;AACJ,MAAI;AACF,eAAW,KAAK,MAAM,OAAO;AAAA,EAC/B,QAAQ;AACN,UAAM,IAAI,oBAAoB,0BAA0B,gBAAgB;AAAA,EAC1E;AACA,MAAI,CAAC,SAAS,SAAS,MAAM;AAC3B,UAAM,IAAI,oBAAoB,iCAAiC,gBAAgB;AAAA,EACjF;AACA,MAAI;AACJ,MAAI;AACF,kBAAc,OAAO,KAAK,SAAS,QAAQ,MAAM,QAAQ,EAAE,SAAS,OAAO;AAAA,EAC7E,QAAQ;AACN,UAAM,IAAI,oBAAoB,qCAAqC,gBAAgB;AAAA,EACrF;AACA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,WAAW;AAAA,EAClC,QAAQ;AACN,UAAM,IAAI,oBAAoB,mCAAmC,gBAAgB;AAAA,EACnF;AACA,MAAI,CAAC,QAAQ,gBAAgB,QAAQ,cAAc,QAAW;AAC5D,UAAM,IAAI,oBAAoB,kDAAkD,gBAAgB;AAAA,EAClG;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/mutation-guards.js ADDED Viewed

@@ -0,0 +1,114 @@
+import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import {
+  CommunicationChannel,
+  ExternalConversation,
+  MessageChannelLink
+} from "../data/entities.js";
+class ChannelMutationBlockedError extends Error {
+  constructor(reason, channelId, message) {
+    super(message);
+    this.name = "ChannelMutationBlockedError";
+    this.reason = reason;
+    this.channelId = channelId;
+    this.errors = { channelId: message };
+  }
+}
+async function guardChannelDelete(em, input) {
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      id: input.channelId,
+      tenantId: input.scope.tenantId,
+      organizationId: input.scope.organizationId ?? null,
+      deletedAt: null
+    },
+    void 0,
+    input.scope
+  );
+  if (!channel) {
+    throw new ChannelMutationBlockedError(
+      "channel_not_found",
+      input.channelId,
+      "Channel not found in this tenant scope."
+    );
+  }
+  if (input.force) return;
+  const inboundCount = await countInboundLinksForChannel(em, input.channelId, input.scope);
+  if (inboundCount > 0) {
+    throw new ChannelMutationBlockedError(
+      "channel_has_inbound_history",
+      input.channelId,
+      `Channel has ${inboundCount} inbound message${inboundCount === 1 ? "" : "s"} in history. Pass force=true to delete anyway.`
+    );
+  }
+}
+async function guardOutboundCreate(em, input) {
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      id: input.channelId,
+      tenantId: input.scope.tenantId,
+      organizationId: input.scope.organizationId ?? null,
+      deletedAt: null
+    },
+    void 0,
+    input.scope
+  );
+  if (!channel) {
+    throw new ChannelMutationBlockedError(
+      "channel_not_found",
+      input.channelId,
+      "Channel not found in this tenant scope."
+    );
+  }
+  if (channel.status === "requires_reauth") {
+    throw new ChannelMutationBlockedError(
+      "channel_requires_reauth",
+      input.channelId,
+      "This channel needs reconnection before it can send messages. Open Profile -> Communication channels to reconnect."
+    );
+  }
+  if (channel.status === "disconnected") {
+    throw new ChannelMutationBlockedError(
+      "channel_disconnected",
+      input.channelId,
+      "This channel is disconnected and cannot send messages."
+    );
+  }
+}
+async function countInboundLinksForChannel(em, channelId, scope) {
+  const conversations = await findWithDecryption(
+    em,
+    ExternalConversation,
+    {
+      channelId,
+      tenantId: scope.tenantId,
+      organizationId: scope.organizationId ?? null
+    },
+    { fields: ["id"] },
+    scope
+  );
+  if (conversations.length === 0) return 0;
+  const conversationIds = conversations.map((c) => c.id);
+  const count = await em.count(
+    MessageChannelLink,
+    {
+      externalConversationId: { $in: conversationIds },
+      direction: "inbound",
+      tenantId: scope.tenantId,
+      organizationId: scope.organizationId ?? null
+    }
+  );
+  return typeof count === "number" ? count : 0;
+}
+const countUnreadInboundForChannel = countInboundLinksForChannel;
+export {
+  ChannelMutationBlockedError,
+  countInboundLinksForChannel,
+  countUnreadInboundForChannel,
+  guardChannelDelete,
+  guardOutboundCreate
+};
+//# sourceMappingURL=mutation-guards.js.map

package/dist/modules/communication_channels/lib/mutation-guards.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/mutation-guards.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport {\n  CommunicationChannel,\n  ExternalConversation,\n  ExternalMessage,\n  MessageChannelLink,\n} from '../data/entities'\n\n/**\n * Hub-side mutation guards (Phase 4 of the email integration spec).\n *\n * These guards are plain functions that any caller (CRUD route, command,\n * subscriber) can invoke to enforce hub invariants before mutating state.\n * They throw `ChannelMutationBlockedError` on violations so the caller can\n * map the error to an HTTP 4xx (typically 422) without leaking internals.\n *\n * Why functions, not the generic `validateCrudMutationGuard`:\n *   The hub's writes are channel-shaped rather than entity-shaped \u2014 \"deleting a\n *   channel with unread inbound\" is not a per-entity invariant the generic\n *   CRUD guard layer can express. These functions encode hub semantics directly\n *   and stay invocation-site agnostic.\n */\n\nexport type ChannelMutationGuardReason =\n  | 'channel_has_inbound_history'\n  | 'channel_requires_reauth'\n  | 'channel_disconnected'\n  | 'channel_not_found'\n  /**\n   * @deprecated Use `channel_has_inbound_history`. Kept for one minor release\n   * so external callers/tests catch a transition window. Round-2 F8 rename.\n   */\n  | 'channel_has_unread_inbound'\n\nexport class ChannelMutationBlockedError extends Error {\n  readonly reason: ChannelMutationGuardReason\n  readonly channelId: string\n  /** Field-level error message keyed by `channelId` \u2014 for `createCrudFormError`. */\n  readonly errors: Record<string, string>\n\n  constructor(reason: ChannelMutationGuardReason, channelId: string, message: string) {\n    super(message)\n    this.name = 'ChannelMutationBlockedError'\n    this.reason = reason\n    this.channelId = channelId\n    this.errors = { channelId: message }\n  }\n}\n\nexport interface ChannelScope {\n  tenantId: string\n  organizationId?: string | null\n}\n\nexport interface GuardChannelDeleteInput {\n  channelId: string\n  scope: ChannelScope\n  /** Bypass the unread-inbound check; used by admin \"force delete\" actions. */\n  force?: boolean\n}\n\n/**\n * Guard `channel.delete`.\n *\n * Blocks when the channel still has ANY inbound `MessageChannelLink` rows.\n * Implementation note: the hub doesn't track per-message read state \u2014 that\n * lives on the messages module's `MessageRecipient.read_at`. Counting unread\n * across the module boundary would require either raw cross-module SQL\n * (forbidden by AGENTS.md) or a QueryEngine round-trip per delete. We pick\n * the simpler safety contract: block delete when ANY inbound link exists,\n * with `force: true` as the escape hatch.\n *\n * Pass `force: true` to bypass \u2014 exposed to admins so they can hard-delete a\n * channel whose mailbox they no longer care about (e.g. ex-employee\n * offboarding).\n */\nexport async function guardChannelDelete(\n  em: EntityManager,\n  input: GuardChannelDeleteInput,\n): Promise<void> {\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      id: input.channelId,\n      tenantId: input.scope.tenantId,\n      organizationId: input.scope.organizationId ?? null,\n      deletedAt: null,\n    },\n    undefined,\n    input.scope,\n  )\n  if (!channel) {\n    throw new ChannelMutationBlockedError(\n      'channel_not_found',\n      input.channelId,\n      'Channel not found in this tenant scope.',\n    )\n  }\n  if (input.force) return\n\n  const inboundCount = await countInboundLinksForChannel(em, input.channelId, input.scope)\n  if (inboundCount > 0) {\n    throw new ChannelMutationBlockedError(\n      'channel_has_inbound_history',\n      input.channelId,\n      `Channel has ${inboundCount} inbound message${inboundCount === 1 ? '' : 's'} in history. Pass force=true to delete anyway.`,\n    )\n  }\n}\n\nexport interface GuardOutboundCreateInput {\n  channelId: string\n  scope: ChannelScope\n}\n\n/**\n * Guard `message.create` for outbound sends.\n *\n * Blocks when the target channel is in `requires_reauth` or `disconnected` \u2014\n * outbound sends through a re-auth-needed channel will fail at the provider\n * anyway, and blocking here gives a deterministic 422 with a field-level error\n * instead of an opaque 500. The hub's `mark_channel_requires_reauth` command\n * sets the status when refresh fails (slice 3b).\n */\nexport async function guardOutboundCreate(\n  em: EntityManager,\n  input: GuardOutboundCreateInput,\n): Promise<void> {\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      id: input.channelId,\n      tenantId: input.scope.tenantId,\n      organizationId: input.scope.organizationId ?? null,\n      deletedAt: null,\n    },\n    undefined,\n    input.scope,\n  )\n  if (!channel) {\n    throw new ChannelMutationBlockedError(\n      'channel_not_found',\n      input.channelId,\n      'Channel not found in this tenant scope.',\n    )\n  }\n  if (channel.status === 'requires_reauth') {\n    throw new ChannelMutationBlockedError(\n      'channel_requires_reauth',\n      input.channelId,\n      'This channel needs reconnection before it can send messages. Open Profile -> Communication channels to reconnect.',\n    )\n  }\n  if (channel.status === 'disconnected') {\n    throw new ChannelMutationBlockedError(\n      'channel_disconnected',\n      input.channelId,\n      'This channel is disconnected and cannot send messages.',\n    )\n  }\n}\n\n/**\n * Returns the count of inbound `MessageChannelLink` rows the bridge created for\n * this channel. Used as the safety check before allowing a channel delete.\n *\n * Path: `external_conversations` (by channelId) \u2192 `message_channel_links` (by\n * externalConversationId, direction='inbound'). Both tables are hub-owned, so\n * we stay on the right side of the cross-module isolation rule. No raw SQL.\n *\n * Round-2 F8 rename (2026-05-26): was `countUnreadInboundForChannel`, but the\n * function never counted \"unread\" \u2014 it always counted all inbound links. The\n * old name is preserved as a `@deprecated` alias for one minor version.\n */\nexport async function countInboundLinksForChannel(\n  em: EntityManager,\n  channelId: string,\n  scope: ChannelScope,\n): Promise<number> {\n  const conversations = await findWithDecryption(\n    em,\n    ExternalConversation,\n    {\n      channelId,\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId ?? null,\n    },\n    { fields: ['id'] },\n    scope,\n  )\n  if (conversations.length === 0) return 0\n  const conversationIds = (conversations as Array<{ id: string }>).map((c) => c.id)\n  const count = await em.count(\n    MessageChannelLink,\n    {\n      externalConversationId: { $in: conversationIds },\n      direction: 'inbound',\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId ?? null,\n    },\n  )\n  return typeof count === 'number' ? count : 0\n}\n\n/**\n * @deprecated Use `countInboundLinksForChannel`. Kept for one minor release so\n * external callers catch the rename window. Removed in the next minor.\n */\nexport const countUnreadInboundForChannel = countInboundLinksForChannel\n\n// Re-export entity types so callers can keep their typing tight.\nexport type { CommunicationChannel, ExternalMessage, MessageChannelLink }\n"],
+  "mappings": "AACA,SAAS,uBAAuB,0BAA0B;AAC1D;AAAA,EACE;AAAA,EACA;AAAA,EAEA;AAAA,OACK;AA4BA,MAAM,oCAAoC,MAAM;AAAA,EAMrD,YAAY,QAAoC,WAAmB,SAAiB;AAClF,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,YAAY;AACjB,SAAK,SAAS,EAAE,WAAW,QAAQ;AAAA,EACrC;AACF;AA6BA,eAAsB,mBACpB,IACA,OACe;AACf,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,IAAI,MAAM;AAAA,MACV,UAAU,MAAM,MAAM;AAAA,MACtB,gBAAgB,MAAM,MAAM,kBAAkB;AAAA,MAC9C,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR;AACA,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACA,MAAI,MAAM,MAAO;AAEjB,QAAM,eAAe,MAAM,4BAA4B,IAAI,MAAM,WAAW,MAAM,KAAK;AACvF,MAAI,eAAe,GAAG;AACpB,UAAM,IAAI;AAAA,MACR;AAAA,MACA,MAAM;AAAA,MACN,eAAe,YAAY,mBAAmB,iBAAiB,IAAI,KAAK,GAAG;AAAA,IAC7E;AAAA,EACF;AACF;AAgBA,eAAsB,oBACpB,IACA,OACe;AACf,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,IAAI,MAAM;AAAA,MACV,UAAU,MAAM,MAAM;AAAA,MACtB,gBAAgB,MAAM,MAAM,kBAAkB;AAAA,MAC9C,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR;AACA,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR;AAAA,MACA,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACA,MAAI,QAAQ,WAAW,mBAAmB;AACxC,UAAM,IAAI;AAAA,MACR;AAAA,MACA,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACA,MAAI,QAAQ,WAAW,gBAAgB;AACrC,UAAM,IAAI;AAAA,MACR;AAAA,MACA,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACF;AAcA,eAAsB,4BACpB,IACA,WACA,OACiB;AACjB,QAAM,gBAAgB,MAAM;AAAA,IAC1B;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM,kBAAkB;AAAA,IAC1C;AAAA,IACA,EAAE,QAAQ,CAAC,IAAI,EAAE;AAAA,IACjB;AAAA,EACF;AACA,MAAI,cAAc,WAAW,EAAG,QAAO;AACvC,QAAM,kBAAmB,cAAwC,IAAI,CAAC,MAAM,EAAE,EAAE;AAChF,QAAM,QAAQ,MAAM,GAAG;AAAA,IACrB;AAAA,IACA;AAAA,MACE,wBAAwB,EAAE,KAAK,gBAAgB;AAAA,MAC/C,WAAW;AAAA,MACX,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM,kBAAkB;AAAA,IAC1C;AAAA,EACF;AACA,SAAO,OAAO,UAAU,WAAW,QAAQ;AAC7C;AAMO,MAAM,+BAA+B;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/oauth-client-config.js ADDED Viewed

@@ -0,0 +1,32 @@
+async function resolveOAuthClientCredentials(credentialsService, providerKey, scope) {
+  if (!credentialsService) return null;
+  const integrationId = `channel_${providerKey}`;
+  const organizations = [scope.organizationId, null];
+  const tried = /* @__PURE__ */ new Set();
+  for (const organizationId of organizations) {
+    if (tried.has(organizationId)) continue;
+    tried.add(organizationId);
+    let row = null;
+    try {
+      row = await credentialsService.resolve(integrationId, {
+        tenantId: scope.tenantId,
+        organizationId,
+        userId: null
+      });
+    } catch (resolveErr) {
+      console.warn(
+        "[internal] [communication_channels] resolveOAuthClientCredentials: credential resolve failed for an org scope:",
+        resolveErr instanceof Error ? resolveErr.message : resolveErr
+      );
+      row = null;
+    }
+    if (row && typeof row.clientId === "string" && row.clientId.length > 0) {
+      return row;
+    }
+  }
+  return null;
+}
+export {
+  resolveOAuthClientCredentials
+};
+//# sourceMappingURL=oauth-client-config.js.map

package/dist/modules/communication_channels/lib/oauth-client-config.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/oauth-client-config.ts"],
+  "sourcesContent": ["/**\n * Minimal shape of the integrations credentials service `resolve` we depend on.\n * Declared locally so this helper compiles even when the integrations module is\n * disabled in a downstream app.\n */\ntype CredentialsResolver = {\n  resolve: (\n    integrationId: string,\n    scope: { tenantId: string; organizationId: string; userId?: string | null },\n  ) => Promise<Record<string, unknown> | null>\n}\n\nexport type OAuthClientCredentialsScope = {\n  tenantId: string\n  organizationId: string | null\n}\n\n/**\n * Resolve a provider's tenant-level OAuth *client application* credentials\n * (clientId / clientSecret / scopes) configured by an admin under the\n * `channel_<provider>` integration in the Integrations UI.\n *\n * Why `channel_<provider>` and NOT `oauth_<provider>`: each provider package\n * registers its OAuth client-credential fields on the `channel_<provider>`\n * integration \u2014 that is the row the admin edits and the health check reads.\n * Earlier code resolved a phantom `oauth_<provider>` id that nothing ever\n * writes, so every connect / code-exchange / refresh failed with\n * \"Invalid \u2026 OAuth client credentials: expected string, received undefined\"\n * even while the integration showed as configured and healthy.\n *\n * Scoping: the client app config is stored at TENANT scope (`userId = null`),\n * distinct from the per-user OAuth *tokens* that live under the SAME\n * `channel_<provider>` id at USER scope. We therefore always resolve at\n * `userId: null`, trying the caller's organization first and then the\n * organization-agnostic (`organizationId: null`) row, so a single platform /\n * tenant OAuth app can serve every organization (and so a config saved while\n * the admin had no active organization is still found).\n *\n * Returns `null` when no usable client row exists \u2014 callers MUST surface an\n * actionable \"provider not configured\" error instead of handing an empty\n * object to the adapter.\n */\nexport async function resolveOAuthClientCredentials(\n  credentialsService: CredentialsResolver | null | undefined,\n  providerKey: string,\n  scope: OAuthClientCredentialsScope,\n): Promise<Record<string, unknown> | null> {\n  if (!credentialsService) return null\n  const integrationId = `channel_${providerKey}`\n  const organizations: Array<string | null> = [scope.organizationId, null]\n  const tried = new Set<string | null>()\n  for (const organizationId of organizations) {\n    if (tried.has(organizationId)) continue\n    tried.add(organizationId)\n    let row: Record<string, unknown> | null = null\n    try {\n      // `organizationId` may be `null` to match the organization-agnostic row;\n      // the credentials filter translates `null` into a SQL `IS NULL` match.\n      row = await credentialsService.resolve(integrationId, {\n        tenantId: scope.tenantId,\n        organizationId: organizationId as unknown as string,\n        userId: null,\n      })\n    } catch (resolveErr) {\n      // A resolve error (e.g. a transient DB issue) for this org scope shouldn't\n      // abort the lookup \u2014 fall through to the next scope \u2014 but surface it so a\n      // real misconfiguration isn't silently swallowed.\n      console.warn(\n        '[internal] [communication_channels] resolveOAuthClientCredentials: credential resolve failed for an org scope:',\n        resolveErr instanceof Error ? resolveErr.message : resolveErr,\n      )\n      row = null\n    }\n    if (row && typeof row.clientId === 'string' && row.clientId.length > 0) {\n      return row\n    }\n  }\n  return null\n}\n"],
+  "mappings": "AA0CA,eAAsB,8BACpB,oBACA,aACA,OACyC;AACzC,MAAI,CAAC,mBAAoB,QAAO;AAChC,QAAM,gBAAgB,WAAW,WAAW;AAC5C,QAAM,gBAAsC,CAAC,MAAM,gBAAgB,IAAI;AACvE,QAAM,QAAQ,oBAAI,IAAmB;AACrC,aAAW,kBAAkB,eAAe;AAC1C,QAAI,MAAM,IAAI,cAAc,EAAG;AAC/B,UAAM,IAAI,cAAc;AACxB,QAAI,MAAsC;AAC1C,QAAI;AAGF,YAAM,MAAM,mBAAmB,QAAQ,eAAe;AAAA,QACpD,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,SAAS,YAAY;AAInB,cAAQ;AAAA,QACN;AAAA,QACA,sBAAsB,QAAQ,WAAW,UAAU;AAAA,MACrD;AACA,YAAM;AAAA,IACR;AACA,QAAI,OAAO,OAAO,IAAI,aAAa,YAAY,IAAI,SAAS,SAAS,GAAG;AACtE,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/oauth-state.js ADDED Viewed

@@ -0,0 +1,128 @@
+import crypto from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+const COMMUNICATION_CHANNELS_OAUTH_STATE_TTL_MS = 5 * 60 * 1e3;
+const HKDF_SALT = Buffer.from("open-mercato-channels-oauth-state-v1");
+const HKDF_INFO = Buffer.from("communication_channels-oauth-state-cookie");
+const COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME = "om_cc_oauth_state";
+const DEFAULT_OAUTH_RETURN_URL = "/backend/profile/communication-channels";
+class OAuthStateError extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "OAuthStateError";
+  }
+}
+function isSafeOAuthReturnUrl(value) {
+  if (typeof value !== "string") return false;
+  if (value.length === 0 || value.length > 2048) return false;
+  if (!value.startsWith("/") || value.startsWith("//")) return false;
+  if (value.includes("\\")) return false;
+  try {
+    const base = new URL("https://open-mercato.local");
+    const parsed = new URL(value, base);
+    return parsed.origin === base.origin && parsed.pathname.startsWith("/");
+  } catch {
+    return false;
+  }
+}
+function normalizeOAuthReturnUrl(value, fallback = DEFAULT_OAUTH_RETURN_URL) {
+  return isSafeOAuthReturnUrl(value) ? value : fallback;
+}
+function deriveKey(secret) {
+  return Buffer.from(crypto.hkdfSync("sha256", secret, HKDF_SALT, HKDF_INFO, 32));
+}
+function getSecret() {
+  const dedicated = process.env.OM_HUB_OAUTH_STATE_KEY ?? process.env.KMS_MASTER_KEY;
+  if (dedicated) return dedicated;
+  if (process.env.NODE_ENV === "production") {
+    throw new Error("[internal] OM_HUB_OAUTH_STATE_KEY or KMS_MASTER_KEY required in production");
+  }
+  const fallback = process.env.JWT_SECRET;
+  if (!fallback) {
+    throw new OAuthStateError(
+      "OM_HUB_OAUTH_STATE_KEY (or fallback KMS_MASTER_KEY / JWT_SECRET) must be set",
+      "missing_secret"
+    );
+  }
+  return fallback;
+}
+function encryptOAuthState(payload) {
+  const key = deriveKey(getSecret());
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const json = JSON.stringify(payload);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const ciphertext = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ciphertext]).toString("base64url");
+}
+function decryptOAuthState(cookie) {
+  try {
+    const key = deriveKey(getSecret());
+    const combined = Buffer.from(cookie, "base64url");
+    if (combined.length < IV_LENGTH + TAG_LENGTH) return null;
+    const iv = combined.subarray(0, IV_LENGTH);
+    const tag = combined.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+    const ciphertext = combined.subarray(IV_LENGTH + TAG_LENGTH);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+    return JSON.parse(decrypted);
+  } catch {
+    return null;
+  }
+}
+function verifyOAuthState(input) {
+  if (!input.cookie) {
+    throw new OAuthStateError("Missing state cookie", "invalid_cookie");
+  }
+  const payload = decryptOAuthState(input.cookie);
+  if (!payload) {
+    throw new OAuthStateError("Invalid state cookie", "decrypt_failed");
+  }
+  const now = input.now ?? Date.now();
+  if (payload.expiresAt < now) {
+    throw new OAuthStateError("State cookie expired", "expired");
+  }
+  if (payload.userId !== input.expectedUserId) {
+    throw new OAuthStateError("State cookie userId mismatch", "user_mismatch");
+  }
+  if (input.expectedProviderKey && payload.providerKey !== input.expectedProviderKey) {
+    throw new OAuthStateError("State cookie providerKey mismatch", "invalid_cookie");
+  }
+  if (input.expectedState && payload.state !== input.expectedState) {
+    throw new OAuthStateError("State cookie state nonce mismatch", "invalid_cookie");
+  }
+  return payload;
+}
+function createOAuthState(params) {
+  const state = crypto.randomBytes(32).toString("base64url");
+  const nonce = crypto.randomBytes(16).toString("base64url");
+  const payload = {
+    state,
+    nonce,
+    userId: params.userId,
+    tenantId: params.tenantId,
+    organizationId: params.organizationId ?? null,
+    providerKey: params.providerKey,
+    returnUrl: params.returnUrl,
+    extra: params.extra,
+    expiresAt: Date.now() + COMMUNICATION_CHANNELS_OAUTH_STATE_TTL_MS
+  };
+  const cookie = encryptOAuthState(payload);
+  return { payload, cookie, stateParam: state };
+}
+export {
+  COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME,
+  COMMUNICATION_CHANNELS_OAUTH_STATE_TTL_MS,
+  DEFAULT_OAUTH_RETURN_URL,
+  OAuthStateError,
+  createOAuthState,
+  decryptOAuthState,
+  encryptOAuthState,
+  isSafeOAuthReturnUrl,
+  normalizeOAuthReturnUrl,
+  verifyOAuthState
+};
+//# sourceMappingURL=oauth-state.js.map

package/dist/modules/communication_channels/lib/oauth-state.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/oauth-state.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\n\n/**\n * OAuth state-cookie helper for the communication_channels hub.\n *\n * **Ported (re-implemented locally), NOT imported, from `packages/enterprise/src/modules/sso/lib/state-cookie.ts`.**\n * Root `AGENTS.md` rule: `@open-mercato/core` MUST NOT import from `@open-mercato/enterprise`.\n *\n * Design (per email integration spec \u00A7 OSS Independence + \u00A7 Hub Deltas \u2192 Delta 7):\n *   - AES-256-GCM payload encryption.\n *   - HKDF (SHA-256) key derivation from `OM_HUB_OAUTH_STATE_KEY` (falling back to\n *     `KMS_MASTER_KEY`). In production those dedicated keys are required; only in\n *     dev/test do we fall back to `JWT_SECRET` so envs that configure one secret\n *     still work. Production refuses the `JWT_SECRET` fallback so a session-secret\n *     leak cannot also forge OAuth-state cookies.\n *   - 5-minute TTL \u2014 short window to bound replay surface.\n *   - Payload binds the initiating `userId` so the callback rejects state cookies\n *     used by a different session.\n *\n * The output is a base64url string that we set on an HttpOnly + SameSite=Lax cookie.\n * Forgery requires the encryption key (KMS-managed in production).\n */\n\nconst ALGORITHM = 'aes-256-gcm'\nconst IV_LENGTH = 12\nconst TAG_LENGTH = 16\nexport const COMMUNICATION_CHANNELS_OAUTH_STATE_TTL_MS = 5 * 60 * 1000\nconst HKDF_SALT = Buffer.from('open-mercato-channels-oauth-state-v1')\nconst HKDF_INFO = Buffer.from('communication_channels-oauth-state-cookie')\n\nexport const COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME =\n  'om_cc_oauth_state'\n\nexport const DEFAULT_OAUTH_RETURN_URL = '/backend/profile/communication-channels'\n\n/** Errors thrown by the helpers. Stable for tests + route mapping. */\nexport class OAuthStateError extends Error {\n  override name = 'OAuthStateError'\n  constructor(\n    message: string,\n    readonly code:\n      | 'missing_secret'\n      | 'invalid_cookie'\n      | 'expired'\n      | 'user_mismatch'\n      | 'decrypt_failed',\n  ) {\n    super(message)\n  }\n}\n\n/**\n * Canonical state-cookie payload \u2014 provider-agnostic. Each OAuth provider\n * adapter (Gmail, \u2026) packs its own per-flow nonce / verifier into\n * the `extra` field rather than extending this shape.\n */\nexport interface OAuthStatePayload {\n  /** Nonce-like opaque value mirrored into the OAuth `state` query parameter. */\n  state: string\n  /** Per-flow CSRF nonce, returned alongside the OAuth response. */\n  nonce: string\n  /** Tenant-scoped user that initiated the flow. Validated on callback. */\n  userId: string\n  /** Tenant scope so the callback can pin the channel to the same tenant. */\n  tenantId: string\n  /** Optional organization id for multi-org tenants. */\n  organizationId?: string | null\n  /** Provider key (e.g. `gmail`) \u2014 routes the callback. */\n  providerKey: string\n  /** Where to redirect on success. Defaults to the profile page in the route. */\n  returnUrl?: string\n  /** Wall-clock expiry (ms since epoch). */\n  expiresAt: number\n  /** Provider-specific extras (PKCE code_verifier, scopes, login_hint, \u2026). */\n  extra?: Record<string, unknown>\n}\n\nexport function isSafeOAuthReturnUrl(value: string | null | undefined): value is string {\n  if (typeof value !== 'string') return false\n  if (value.length === 0 || value.length > 2048) return false\n  if (!value.startsWith('/') || value.startsWith('//')) return false\n  if (value.includes('\\\\')) return false\n  try {\n    const base = new URL('https://open-mercato.local')\n    const parsed = new URL(value, base)\n    return parsed.origin === base.origin && parsed.pathname.startsWith('/')\n  } catch {\n    return false\n  }\n}\n\nexport function normalizeOAuthReturnUrl(\n  value: string | null | undefined,\n  fallback: string = DEFAULT_OAUTH_RETURN_URL,\n): string {\n  return isSafeOAuthReturnUrl(value) ? value : fallback\n}\n\nfunction deriveKey(secret: string): Buffer {\n  return Buffer.from(crypto.hkdfSync('sha256', secret, HKDF_SALT, HKDF_INFO, 32))\n}\n\nfunction getSecret(): string {\n  const dedicated = process.env.OM_HUB_OAUTH_STATE_KEY ?? process.env.KMS_MASTER_KEY\n  if (dedicated) return dedicated\n  // No dedicated key configured. Fail closed in production rather than deriving\n  // the state-cookie key from JWT_SECRET (the platform session-signing secret) \u2014\n  // sharing that key means a JWT_SECRET leak also lets an attacker forge OAuth\n  // state cookies, bypassing the userId/tenant binding. In non-production we fall\n  // back to JWT_SECRET so dev/test envs that only configure one secret still work.\n  if (process.env.NODE_ENV === 'production') {\n    throw new Error('[internal] OM_HUB_OAUTH_STATE_KEY or KMS_MASTER_KEY required in production')\n  }\n  const fallback = process.env.JWT_SECRET\n  if (!fallback) {\n    throw new OAuthStateError(\n      'OM_HUB_OAUTH_STATE_KEY (or fallback KMS_MASTER_KEY / JWT_SECRET) must be set',\n      'missing_secret',\n    )\n  }\n  return fallback\n}\n\n/** Encrypt + sign a state payload. Output is a base64url string suitable for a cookie. */\nexport function encryptOAuthState(payload: OAuthStatePayload): string {\n  const key = deriveKey(getSecret())\n  const iv = crypto.randomBytes(IV_LENGTH)\n  const json = JSON.stringify(payload)\n\n  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)\n  const ciphertext = Buffer.concat([cipher.update(json, 'utf8'), cipher.final()])\n  const tag = cipher.getAuthTag()\n\n  return Buffer.concat([iv, tag, ciphertext]).toString('base64url')\n}\n\n/**\n * Decrypt + verify a state cookie. Returns the payload or `null` if the cookie\n * is malformed / tampered. Returns the payload (NOT null) when the cookie has\n * expired \u2014 callers should check `expiresAt` themselves with the verification\n * helper below for stable status codes.\n */\nexport function decryptOAuthState(cookie: string): OAuthStatePayload | null {\n  try {\n    const key = deriveKey(getSecret())\n    const combined = Buffer.from(cookie, 'base64url')\n    if (combined.length < IV_LENGTH + TAG_LENGTH) return null\n\n    const iv = combined.subarray(0, IV_LENGTH)\n    const tag = combined.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH)\n    const ciphertext = combined.subarray(IV_LENGTH + TAG_LENGTH)\n\n    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv)\n    decipher.setAuthTag(tag)\n    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8')\n\n    return JSON.parse(decrypted) as OAuthStatePayload\n  } catch {\n    return null\n  }\n}\n\n/**\n * Verify a state cookie against the current session.\n *\n * Throws an {@link OAuthStateError} with a stable `code` field on any check\n * failure so route handlers can map to consistent HTTP responses + redirect\n * flash codes.\n */\nexport function verifyOAuthState(input: {\n  cookie: string | null | undefined\n  expectedUserId: string\n  expectedProviderKey?: string\n  expectedState?: string\n  now?: number\n}): OAuthStatePayload {\n  if (!input.cookie) {\n    throw new OAuthStateError('Missing state cookie', 'invalid_cookie')\n  }\n  const payload = decryptOAuthState(input.cookie)\n  if (!payload) {\n    throw new OAuthStateError('Invalid state cookie', 'decrypt_failed')\n  }\n  const now = input.now ?? Date.now()\n  if (payload.expiresAt < now) {\n    throw new OAuthStateError('State cookie expired', 'expired')\n  }\n  if (payload.userId !== input.expectedUserId) {\n    throw new OAuthStateError('State cookie userId mismatch', 'user_mismatch')\n  }\n  if (input.expectedProviderKey && payload.providerKey !== input.expectedProviderKey) {\n    throw new OAuthStateError('State cookie providerKey mismatch', 'invalid_cookie')\n  }\n  if (input.expectedState && payload.state !== input.expectedState) {\n    throw new OAuthStateError('State cookie state nonce mismatch', 'invalid_cookie')\n  }\n  return payload\n}\n\n/**\n * Create a fresh state payload + matching `state` query parameter. PKCE\n * verifiers are NOT generated here \u2014 the provider adapter decides whether it\n * needs PKCE and packs the verifier into `extra` itself.\n */\nexport function createOAuthState(params: {\n  userId: string\n  tenantId: string\n  organizationId?: string | null\n  providerKey: string\n  returnUrl?: string\n  extra?: Record<string, unknown>\n}): { payload: OAuthStatePayload; cookie: string; stateParam: string } {\n  const state = crypto.randomBytes(32).toString('base64url')\n  const nonce = crypto.randomBytes(16).toString('base64url')\n  const payload: OAuthStatePayload = {\n    state,\n    nonce,\n    userId: params.userId,\n    tenantId: params.tenantId,\n    organizationId: params.organizationId ?? null,\n    providerKey: params.providerKey,\n    returnUrl: params.returnUrl,\n    extra: params.extra,\n    expiresAt: Date.now() + COMMUNICATION_CHANNELS_OAUTH_STATE_TTL_MS,\n  }\n  const cookie = encryptOAuthState(payload)\n  return { payload, cookie, stateParam: state }\n}\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAuBnB,MAAM,YAAY;AAClB,MAAM,YAAY;AAClB,MAAM,aAAa;AACZ,MAAM,4CAA4C,IAAI,KAAK;AAClE,MAAM,YAAY,OAAO,KAAK,sCAAsC;AACpE,MAAM,YAAY,OAAO,KAAK,2CAA2C;AAElE,MAAM,iDACX;AAEK,MAAM,2BAA2B;AAGjC,MAAM,wBAAwB,MAAM;AAAA,EAEzC,YACE,SACS,MAMT;AACA,UAAM,OAAO;AAPJ;AAHX,SAAS,OAAO;AAAA,EAWhB;AACF;AA4BO,SAAS,qBAAqB,OAAmD;AACtF,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,MAAM,WAAW,KAAK,MAAM,SAAS,KAAM,QAAO;AACtD,MAAI,CAAC,MAAM,WAAW,GAAG,KAAK,MAAM,WAAW,IAAI,EAAG,QAAO;AAC7D,MAAI,MAAM,SAAS,IAAI,EAAG,QAAO;AACjC,MAAI;AACF,UAAM,OAAO,IAAI,IAAI,4BAA4B;AACjD,UAAM,SAAS,IAAI,IAAI,OAAO,IAAI;AAClC,WAAO,OAAO,WAAW,KAAK,UAAU,OAAO,SAAS,WAAW,GAAG;AAAA,EACxE,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,wBACd,OACA,WAAmB,0BACX;AACR,SAAO,qBAAqB,KAAK,IAAI,QAAQ;AAC/C;AAEA,SAAS,UAAU,QAAwB;AACzC,SAAO,OAAO,KAAK,OAAO,SAAS,UAAU,QAAQ,WAAW,WAAW,EAAE,CAAC;AAChF;AAEA,SAAS,YAAoB;AAC3B,QAAM,YAAY,QAAQ,IAAI,0BAA0B,QAAQ,IAAI;AACpE,MAAI,UAAW,QAAO;AAMtB,MAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,UAAM,IAAI,MAAM,4EAA4E;AAAA,EAC9F;AACA,QAAM,WAAW,QAAQ,IAAI;AAC7B,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,kBAAkB,SAAoC;AACpE,QAAM,MAAM,UAAU,UAAU,CAAC;AACjC,QAAM,KAAK,OAAO,YAAY,SAAS;AACvC,QAAM,OAAO,KAAK,UAAU,OAAO;AAEnC,QAAM,SAAS,OAAO,eAAe,WAAW,KAAK,EAAE;AACvD,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC9E,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,EAAE,SAAS,WAAW;AAClE;AAQO,SAAS,kBAAkB,QAA0C;AAC1E,MAAI;AACF,UAAM,MAAM,UAAU,UAAU,CAAC;AACjC,UAAM,WAAW,OAAO,KAAK,QAAQ,WAAW;AAChD,QAAI,SAAS,SAAS,YAAY,WAAY,QAAO;AAErD,UAAM,KAAK,SAAS,SAAS,GAAG,SAAS;AACzC,UAAM,MAAM,SAAS,SAAS,WAAW,YAAY,UAAU;AAC/D,UAAM,aAAa,SAAS,SAAS,YAAY,UAAU;AAE3D,UAAM,WAAW,OAAO,iBAAiB,WAAW,KAAK,EAAE;AAC3D,aAAS,WAAW,GAAG;AACvB,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC,EAAE,SAAS,MAAM;AAEhG,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AASO,SAAS,iBAAiB,OAMX;AACpB,MAAI,CAAC,MAAM,QAAQ;AACjB,UAAM,IAAI,gBAAgB,wBAAwB,gBAAgB;AAAA,EACpE;AACA,QAAM,UAAU,kBAAkB,MAAM,MAAM;AAC9C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,gBAAgB,wBAAwB,gBAAgB;AAAA,EACpE;AACA,QAAM,MAAM,MAAM,OAAO,KAAK,IAAI;AAClC,MAAI,QAAQ,YAAY,KAAK;AAC3B,UAAM,IAAI,gBAAgB,wBAAwB,SAAS;AAAA,EAC7D;AACA,MAAI,QAAQ,WAAW,MAAM,gBAAgB;AAC3C,UAAM,IAAI,gBAAgB,gCAAgC,eAAe;AAAA,EAC3E;AACA,MAAI,MAAM,uBAAuB,QAAQ,gBAAgB,MAAM,qBAAqB;AAClF,UAAM,IAAI,gBAAgB,qCAAqC,gBAAgB;AAAA,EACjF;AACA,MAAI,MAAM,iBAAiB,QAAQ,UAAU,MAAM,eAAe;AAChE,UAAM,IAAI,gBAAgB,qCAAqC,gBAAgB;AAAA,EACjF;AACA,SAAO;AACT;AAOO,SAAS,iBAAiB,QAOsC;AACrE,QAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,QAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,QAAM,UAA6B;AAAA,IACjC;AAAA,IACA;AAAA,IACA,QAAQ,OAAO;AAAA,IACf,UAAU,OAAO;AAAA,IACjB,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO;AAAA,IAClB,OAAO,OAAO;AAAA,IACd,WAAW,KAAK,IAAI,IAAI;AAAA,EAC1B;AACA,QAAM,SAAS,kBAAkB,OAAO;AACxC,SAAO,EAAE,SAAS,QAAQ,YAAY,MAAM;AAC9C;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/oauth-token.js ADDED Viewed

@@ -0,0 +1,45 @@
+function tokenResponseToExpiresAt(token, nowMs = Date.now()) {
+  if (typeof token.expires_in !== "number") return void 0;
+  return new Date(nowMs + token.expires_in * 1e3);
+}
+const DEFAULT_OAUTH_TOKEN_TIMEOUT_MS = 1e4;
+function resolveTokenTimeoutMs() {
+  const fromEnv = Number.parseInt(process.env.OM_OAUTH_TOKEN_TIMEOUT_MS ?? "", 10);
+  return Number.isFinite(fromEnv) && fromEnv > 0 ? fromEnv : DEFAULT_OAUTH_TOKEN_TIMEOUT_MS;
+}
+async function requestOAuthToken(tokenUrl, params, options) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), resolveTokenTimeoutMs());
+  let res;
+  try {
+    res = await fetch(tokenUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString(),
+      signal: controller.signal
+    });
+  } catch (err) {
+    if (err instanceof Error && err.name === "AbortError") {
+      throw new Error(`${options.errorLabel}: token endpoint timed out`);
+    }
+    throw new Error(`${options.errorLabel}: ${err instanceof Error ? err.message : String(err)}`);
+  } finally {
+    clearTimeout(timeout);
+  }
+  const raw = await res.text();
+  let body;
+  try {
+    body = JSON.parse(raw);
+  } catch {
+    throw new Error(`${options.errorLabel}: non-JSON response (status ${res.status})`);
+  }
+  if (!res.ok || body.error) {
+    throw new Error(`${options.errorLabel}: ${body.error_description ?? body.error ?? res.statusText}`);
+  }
+  return body;
+}
+export {
+  requestOAuthToken,
+  tokenResponseToExpiresAt
+};
+//# sourceMappingURL=oauth-token.js.map

package/dist/modules/communication_channels/lib/oauth-token.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/oauth-token.ts"],
+  "sourcesContent": ["/**\n * Shared OAuth2 token primitives for email channel providers. The authorize-URL\n * shape, PKCE usage, and userinfo handling differ per provider (e.g. Gmail)\n * and stay in each package \u2014 but the token response shape, the\n * form-urlencoded token POST, and the expiry computation are identical, so they\n * live here.\n */\n\nexport interface OAuthTokenResponse {\n  access_token: string\n  refresh_token?: string\n  expires_in?: number\n  scope?: string\n  token_type?: string\n  id_token?: string\n  error?: string\n  error_description?: string\n}\n\n/** Compute the absolute access-token expiry from `expires_in`, or `undefined` when absent. */\nexport function tokenResponseToExpiresAt(\n  token: OAuthTokenResponse,\n  nowMs: number = Date.now(),\n): Date | undefined {\n  if (typeof token.expires_in !== 'number') return undefined\n  return new Date(nowMs + token.expires_in * 1000)\n}\n\n/** Hard timeout for a token endpoint round-trip (ms). Overridable via env. */\nconst DEFAULT_OAUTH_TOKEN_TIMEOUT_MS = 10_000\n\nfunction resolveTokenTimeoutMs(): number {\n  const fromEnv = Number.parseInt(process.env.OM_OAUTH_TOKEN_TIMEOUT_MS ?? '', 10)\n  return Number.isFinite(fromEnv) && fromEnv > 0 ? fromEnv : DEFAULT_OAUTH_TOKEN_TIMEOUT_MS\n}\n\n/**\n * POST a form-urlencoded body to an OAuth token endpoint and return the parsed\n * token response. Throws `${errorLabel}: <reason>` when the endpoint returns a\n * non-2xx status, an `error` field, a non-JSON body, or does not respond within\n * the timeout. Bounding the request matters because token refresh sits on the\n * critical path of every poll/send \u2014 a hung token endpoint must fail fast, not\n * block the worker, and a proxy HTML error page must surface the real status\n * rather than a confusing JSON `SyntaxError`.\n */\nexport async function requestOAuthToken(\n  tokenUrl: string,\n  params: URLSearchParams,\n  options: { errorLabel: string },\n): Promise<OAuthTokenResponse> {\n  const controller = new AbortController()\n  const timeout = setTimeout(() => controller.abort(), resolveTokenTimeoutMs())\n  let res: Response\n  try {\n    res = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: params.toString(),\n      signal: controller.signal,\n    })\n  } catch (err) {\n    if (err instanceof Error && err.name === 'AbortError') {\n      throw new Error(`${options.errorLabel}: token endpoint timed out`)\n    }\n    throw new Error(`${options.errorLabel}: ${err instanceof Error ? err.message : String(err)}`)\n  } finally {\n    clearTimeout(timeout)\n  }\n\n  const raw = await res.text()\n  let body: OAuthTokenResponse\n  try {\n    body = JSON.parse(raw) as OAuthTokenResponse\n  } catch {\n    throw new Error(`${options.errorLabel}: non-JSON response (status ${res.status})`)\n  }\n  if (!res.ok || body.error) {\n    throw new Error(`${options.errorLabel}: ${body.error_description ?? body.error ?? res.statusText}`)\n  }\n  return body\n}\n"],
+  "mappings": "AAoBO,SAAS,yBACd,OACA,QAAgB,KAAK,IAAI,GACP;AAClB,MAAI,OAAO,MAAM,eAAe,SAAU,QAAO;AACjD,SAAO,IAAI,KAAK,QAAQ,MAAM,aAAa,GAAI;AACjD;AAGA,MAAM,iCAAiC;AAEvC,SAAS,wBAAgC;AACvC,QAAM,UAAU,OAAO,SAAS,QAAQ,IAAI,6BAA6B,IAAI,EAAE;AAC/E,SAAO,OAAO,SAAS,OAAO,KAAK,UAAU,IAAI,UAAU;AAC7D;AAWA,eAAsB,kBACpB,UACA,QACA,SAC6B;AAC7B,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,UAAU,WAAW,MAAM,WAAW,MAAM,GAAG,sBAAsB,CAAC;AAC5E,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,UAAU;AAAA,MAC1B,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,OAAO,SAAS;AAAA,MACtB,QAAQ,WAAW;AAAA,IACrB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,cAAc;AACrD,YAAM,IAAI,MAAM,GAAG,QAAQ,UAAU,4BAA4B;AAAA,IACnE;AACA,UAAM,IAAI,MAAM,GAAG,QAAQ,UAAU,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,EAC9F,UAAE;AACA,iBAAa,OAAO;AAAA,EACtB;AAEA,QAAM,MAAM,MAAM,IAAI,KAAK;AAC3B,MAAI;AACJ,MAAI;AACF,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AACN,UAAM,IAAI,MAAM,GAAG,QAAQ,UAAU,+BAA+B,IAAI,MAAM,GAAG;AAAA,EACnF;AACA,MAAI,CAAC,IAAI,MAAM,KAAK,OAAO;AACzB,UAAM,IAAI,MAAM,GAAG,QAAQ,UAAU,KAAK,KAAK,qBAAqB,KAAK,SAAS,IAAI,UAAU,EAAE;AAAA,EACpG;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/pg-errors.js ADDED Viewed

@@ -0,0 +1,11 @@
+function isUniqueViolation(err) {
+  if (!err || typeof err !== "object") return false;
+  const code = err.code;
+  if (code === "23505") return true;
+  const message = err.message;
+  return typeof message === "string" && /duplicate key value|unique constraint/i.test(message);
+}
+export {
+  isUniqueViolation
+};
+//# sourceMappingURL=pg-errors.js.map

package/dist/modules/communication_channels/lib/pg-errors.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/pg-errors.ts"],
+  "sourcesContent": ["/**\n * Detect a Postgres unique-constraint violation (SQLSTATE 23505) regardless of\n * the ORM/driver layer that surfaces it. Shared across the hub's commands and\n * lib helpers so duplicate-insert handling stays consistent module-wide.\n */\nexport function isUniqueViolation(err: unknown): boolean {\n  if (!err || typeof err !== 'object') return false\n  const code = (err as { code?: string }).code\n  if (code === '23505') return true // Postgres unique_violation\n  const message = (err as { message?: string }).message\n  return typeof message === 'string' && /duplicate key value|unique constraint/i.test(message)\n}\n"],
+  "mappings": "AAKO,SAAS,kBAAkB,KAAuB;AACvD,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,QAAM,OAAQ,IAA0B;AACxC,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,UAAW,IAA6B;AAC9C,SAAO,OAAO,YAAY,YAAY,yCAAyC,KAAK,OAAO;AAC7F;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/provider-health.js ADDED Viewed

@@ -0,0 +1,24 @@
+function makeClientConfigHealthCheck(options) {
+  return {
+    async check(credentials) {
+      const parsed = options.schema.safeParse(credentials ?? {});
+      if (!parsed.success) {
+        const first = parsed.error.issues[0];
+        return {
+          status: "unhealthy",
+          message: `${options.providerLabel} OAuth client config invalid: ${first?.message ?? "unknown validation error"}`,
+          details: { reason: "invalid_oauth_client" }
+        };
+      }
+      return {
+        status: "healthy",
+        message: `${options.providerLabel} OAuth client configured`,
+        details: { clientIdConfigured: true, ...options.healthyDetails?.(parsed.data) ?? {} }
+      };
+    }
+  };
+}
+export {
+  makeClientConfigHealthCheck
+};
+//# sourceMappingURL=provider-health.js.map

package/dist/modules/communication_channels/lib/provider-health.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/provider-health.ts"],
+  "sourcesContent": ["import type { ZodType } from 'zod'\nimport type { IntegrationScope } from '@open-mercato/shared/modules/integrations/types'\n\nexport type EmailHealthStatus = 'healthy' | 'degraded' | 'unhealthy'\n\nexport interface EmailHealthCheckResult {\n  status: EmailHealthStatus\n  message?: string\n  details?: Record<string, unknown>\n}\n\nexport interface EmailHealthCheck {\n  check: (credentials: Record<string, unknown> | null, scope: IntegrationScope) => Promise<EmailHealthCheckResult>\n}\n\n/**\n * Build a liveness probe for an OAuth-client-config integration. There is no\n * access token at this layer (the hub passes the tenant-scoped OAuth client\n * config, not per-user channel tokens), so a network call would always 401. The\n * cheap, deterministic probe is: confirm the client config is present and\n * well-formed. Per-user token validity is exercised on the channel itself\n * (send / poll surface `requires_reauth`).\n */\nexport function makeClientConfigHealthCheck<T>(options: {\n  schema: ZodType<T>\n  providerLabel: string\n  healthyDetails?: (parsed: T) => Record<string, unknown>\n}): EmailHealthCheck {\n  return {\n    async check(credentials) {\n      const parsed = options.schema.safeParse(credentials ?? {})\n      if (!parsed.success) {\n        const first = parsed.error.issues[0]\n        return {\n          status: 'unhealthy',\n          message: `${options.providerLabel} OAuth client config invalid: ${first?.message ?? 'unknown validation error'}`,\n          details: { reason: 'invalid_oauth_client' },\n        }\n      }\n      return {\n        status: 'healthy',\n        message: `${options.providerLabel} OAuth client configured`,\n        details: { clientIdConfigured: true, ...(options.healthyDetails?.(parsed.data) ?? {}) },\n      }\n    },\n  }\n}\n"],
+  "mappings": "AAuBO,SAAS,4BAA+B,SAI1B;AACnB,SAAO;AAAA,IACL,MAAM,MAAM,aAAa;AACvB,YAAM,SAAS,QAAQ,OAAO,UAAU,eAAe,CAAC,CAAC;AACzD,UAAI,CAAC,OAAO,SAAS;AACnB,cAAM,QAAQ,OAAO,MAAM,OAAO,CAAC;AACnC,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,SAAS,GAAG,QAAQ,aAAa,iCAAiC,OAAO,WAAW,0BAA0B;AAAA,UAC9G,SAAS,EAAE,QAAQ,uBAAuB;AAAA,QAC5C;AAAA,MACF;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,QAAQ,aAAa;AAAA,QACjC,SAAS,EAAE,oBAAoB,MAAM,GAAI,QAAQ,iBAAiB,OAAO,IAAI,KAAK,CAAC,EAAG;AAAA,MACxF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/push-state.js ADDED Viewed

@@ -0,0 +1,19 @@
+const PUSH_STATE_KEYS = [
+  "pushStatus",
+  "watchExpirationMs",
+  "pubsubTopic",
+  "lastPushError"
+];
+function preservePushState(previous, next) {
+  const prev = previous && typeof previous === "object" && !Array.isArray(previous) ? previous : {};
+  const merged = { ...next };
+  for (const key of PUSH_STATE_KEYS) {
+    if (!(key in merged) && key in prev) merged[key] = prev[key];
+  }
+  return merged;
+}
+export {
+  PUSH_STATE_KEYS,
+  preservePushState
+};
+//# sourceMappingURL=push-state.js.map

package/dist/modules/communication_channels/lib/push-state.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/push-state.ts"],
+  "sourcesContent": ["/**\n * Channel-state keys owned by the push-delivery lifecycle (Spec C), written by the\n * push register/renew commands rather than the sync cursor. They must survive a\n * sync-cursor replacement so watch/subscription renewal keeps working.\n */\nexport const PUSH_STATE_KEYS = [\n  'pushStatus',\n  'watchExpirationMs',\n  'pubsubTopic',\n  'lastPushError',\n] as const\n\n/**\n * Replace the channel sync-cursor state with the adapter's freshly decoded cursor\n * while carrying forward the hub-owned push keys the cursor does not manage.\n *\n * This MUST be a full replace, never a `{ ...previous, ...next }` spread: adapters\n * signal \"drain finished\" by OMITTING the mid-drain resumption tokens\n * (`pendingHistoryPageToken`, `pendingMessagesPageToken`) from\n * `next` (they are set to `undefined`, which `JSON.stringify` drops from the encoded\n * cursor). A spread would retain a stale token from `previous` and mis-route the\n * next push/poll cycle, so the poll worker and both push-sync workers share this\n * helper to stay consistent.\n */\nexport function preservePushState(\n  previous: unknown,\n  next: Record<string, unknown>,\n): Record<string, unknown> {\n  const prev =\n    previous && typeof previous === 'object' && !Array.isArray(previous)\n      ? (previous as Record<string, unknown>)\n      : {}\n  const merged: Record<string, unknown> = { ...next }\n  for (const key of PUSH_STATE_KEYS) {\n    if (!(key in merged) && key in prev) merged[key] = prev[key]\n  }\n  return merged\n}\n"],
+  "mappings": "AAKO,MAAM,kBAAkB;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAcO,SAAS,kBACd,UACA,MACyB;AACzB,QAAM,OACJ,YAAY,OAAO,aAAa,YAAY,CAAC,MAAM,QAAQ,QAAQ,IAC9D,WACD,CAAC;AACP,QAAM,SAAkC,EAAE,GAAG,KAAK;AAClD,aAAW,OAAO,iBAAiB;AACjC,QAAI,EAAE,OAAO,WAAW,OAAO,KAAM,QAAO,GAAG,IAAI,KAAK,GAAG;AAAA,EAC7D;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/queue.js ADDED Viewed

@@ -0,0 +1,54 @@
+import { createModuleQueue } from "@open-mercato/queue";
+const queues = /* @__PURE__ */ new Map();
+function getCommunicationChannelsQueue(queueName) {
+  const existing = queues.get(queueName);
+  if (existing) return existing;
+  const concurrency = Math.min(
+    20,
+    Math.max(
+      1,
+      Number.parseInt(process.env.COMMUNICATION_CHANNELS_QUEUE_CONCURRENCY ?? "10", 10) || 10
+    )
+  );
+  const created = createModuleQueue(queueName, { concurrency });
+  queues.set(queueName, created);
+  return created;
+}
+const COMMUNICATION_CHANNELS_QUEUES = {
+  inbound: "communication-channels-inbound",
+  outbound: "communication-channels-outbound",
+  reactions: "communication-channels-reactions",
+  /**
+   * Per-channel polling queue (email integration spec — Phase 0 Delta 6).
+   * Populated by `poll-tick` every scheduler tick; one entry per due channel.
+   * Processed by `workers/poll-channel.ts`.
+   */
+  poll: "communication-channels-poll",
+  /**
+   * Hub-internal tick queue (email integration spec — Phase 0 Delta 6).
+   * One job per scheduler tick (60s default); worker enumerates due channels
+   * and fans out to the `poll` queue.
+   */
+  pollTick: "communication-channels-poll-tick",
+  /**
+   * Operator-triggered channel-history import queue (Spec B § Phase B6).
+   * One job per `/import-history` call; worker `channel-import-history` runs
+   * with concurrency 1 to avoid hammering the provider with parallel scans.
+   */
+  importHistory: "communication-channels-import-history",
+  /**
+   * Spec C § Phase C2 — Gmail Pub/Sub push delivery. The webhook enqueues
+   * one job per verified notification; the worker calls
+   * `adapter.applyPushNotification` (which delegates to `history.list`).
+   */
+  gmailHistorySync: "communication-channels-gmail-history-sync",
+  /**
+   * Spec C § Phase C4 — Renewal cron queues (daily / 2h cadence).
+   */
+  gmailRenewWatch: "communication-channels-gmail-renew-watch"
+};
+export {
+  COMMUNICATION_CHANNELS_QUEUES,
+  getCommunicationChannelsQueue
+};
+//# sourceMappingURL=queue.js.map

package/dist/modules/communication_channels/lib/queue.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/queue.ts"],
+  "sourcesContent": ["import { createModuleQueue, type Queue } from '@open-mercato/queue'\n\n/**\n * Queue helper for the communication_channels hub. Mirrors the\n * shipping_carriers pattern (`getShippingCarrierQueue`) so the route\n * and the worker share the same queue instance.\n *\n * Worker concurrency is also tunable via env (`COMMUNICATION_CHANNELS_QUEUE_CONCURRENCY`)\n * with a sensible default of 10 (per SPEC-045d \u00A76 inbound flow) and a hard ceiling of\n * 20 (ARCHITECTURE \u00A719 caps queue/worker concurrency at 20).\n */\nconst queues = new Map<string, Queue<Record<string, unknown>>>()\n\nexport function getCommunicationChannelsQueue(queueName: string): Queue<Record<string, unknown>> {\n  const existing = queues.get(queueName)\n  if (existing) return existing\n\n  const concurrency = Math.min(\n    20,\n    Math.max(\n      1,\n      Number.parseInt(process.env.COMMUNICATION_CHANNELS_QUEUE_CONCURRENCY ?? '10', 10) || 10,\n    ),\n  )\n  const created = createModuleQueue<Record<string, unknown>>(queueName, { concurrency })\n  queues.set(queueName, created)\n  return created\n}\n\n/** Canonical queue names exposed by the hub. */\nexport const COMMUNICATION_CHANNELS_QUEUES = {\n  inbound: 'communication-channels-inbound',\n  outbound: 'communication-channels-outbound',\n  reactions: 'communication-channels-reactions',\n  /**\n   * Per-channel polling queue (email integration spec \u2014 Phase 0 Delta 6).\n   * Populated by `poll-tick` every scheduler tick; one entry per due channel.\n   * Processed by `workers/poll-channel.ts`.\n   */\n  poll: 'communication-channels-poll',\n  /**\n   * Hub-internal tick queue (email integration spec \u2014 Phase 0 Delta 6).\n   * One job per scheduler tick (60s default); worker enumerates due channels\n   * and fans out to the `poll` queue.\n   */\n  pollTick: 'communication-channels-poll-tick',\n  /**\n   * Operator-triggered channel-history import queue (Spec B \u00A7 Phase B6).\n   * One job per `/import-history` call; worker `channel-import-history` runs\n   * with concurrency 1 to avoid hammering the provider with parallel scans.\n   */\n  importHistory: 'communication-channels-import-history',\n  /**\n   * Spec C \u00A7 Phase C2 \u2014 Gmail Pub/Sub push delivery. The webhook enqueues\n   * one job per verified notification; the worker calls\n   * `adapter.applyPushNotification` (which delegates to `history.list`).\n   */\n  gmailHistorySync: 'communication-channels-gmail-history-sync',\n  /**\n   * Spec C \u00A7 Phase C4 \u2014 Renewal cron queues (daily / 2h cadence).\n   */\n  gmailRenewWatch: 'communication-channels-gmail-renew-watch',\n} as const\n\nexport type CommunicationChannelsQueueName =\n  (typeof COMMUNICATION_CHANNELS_QUEUES)[keyof typeof COMMUNICATION_CHANNELS_QUEUES]\n"],
+  "mappings": "AAAA,SAAS,yBAAqC;AAW9C,MAAM,SAAS,oBAAI,IAA4C;AAExD,SAAS,8BAA8B,WAAmD;AAC/F,QAAM,WAAW,OAAO,IAAI,SAAS;AACrC,MAAI,SAAU,QAAO;AAErB,QAAM,cAAc,KAAK;AAAA,IACvB;AAAA,IACA,KAAK;AAAA,MACH;AAAA,MACA,OAAO,SAAS,QAAQ,IAAI,4CAA4C,MAAM,EAAE,KAAK;AAAA,IACvF;AAAA,EACF;AACA,QAAM,UAAU,kBAA2C,WAAW,EAAE,YAAY,CAAC;AACrF,SAAO,IAAI,WAAW,OAAO;AAC7B,SAAO;AACT;AAGO,MAAM,gCAAgC;AAAA,EAC3C,SAAS;AAAA,EACT,UAAU;AAAA,EACV,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMX,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMN,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMV,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMf,kBAAkB;AAAA;AAAA;AAAA;AAAA,EAIlB,iBAAiB;AACnB;",
+  "names": []
+}

package/dist/modules/communication_channels/lib/reaction-processor-types.js ADDED Viewed

@@ -0,0 +1,5 @@
+const REACTION_PROCESSOR_MAX_ATTEMPTS = 3;
+export {
+  REACTION_PROCESSOR_MAX_ATTEMPTS
+};
+//# sourceMappingURL=reaction-processor-types.js.map

package/dist/modules/communication_channels/lib/reaction-processor-types.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/communication_channels/lib/reaction-processor-types.ts"],
+  "sourcesContent": ["import type { InboundReactionEvent } from './adapter'\n\n/**\n * Discriminated union of reaction-queue job payloads.\n *\n * Split into its own file so command modules can reference these types without\n * forming a circular import with the worker module (which references commands).\n */\n\nexport type ReactionScope = {\n  tenantId: string\n  organizationId: string | null\n}\n\nexport type ReactionJobBase = {\n  providerKey: string\n  channelId: string\n  scope: ReactionScope\n  /** Attempt number, 1-based. */\n  attempt?: number\n}\n\nexport type ReactionInboundJob = ReactionJobBase & {\n  kind: 'inbound'\n  channelType: string\n  event: InboundReactionEvent\n}\n\nexport type ReactionOutboundSendJob = ReactionJobBase & {\n  kind: 'outbound_send'\n  messageId: string\n  reactionId: string\n  emoji: string\n  /** External conversation reference for the provider call (e.g. Slack thread_ts). */\n  conversationId?: string\n}\n\nexport type ReactionOutboundRemoveJob = ReactionJobBase & {\n  kind: 'outbound_remove'\n  messageId: string\n  emoji: string\n  externalReactionId: string | null\n  conversationId?: string\n}\n\nexport type ReactionProcessorPayload =\n  | ReactionInboundJob\n  | ReactionOutboundSendJob\n  | ReactionOutboundRemoveJob\n\nexport const REACTION_PROCESSOR_MAX_ATTEMPTS = 3\n"],
+  "mappings": "AAkDO,MAAM,kCAAkC;",
+  "names": []
+}