@ouro.bot/cli 0.1.0-alpha.38 → 0.1.0-alpha.39

package/dist/senses/pipeline.js

@@ -0,0 +1,124 @@
+"use strict";
+// Shared per-turn pipeline for all senses.
+// Senses are thin transport adapters; this module owns the common lifecycle:
+//   resolve friend -> trust gate -> load session -> drain pending -> runAgent -> postTurn -> token accumulation.
+//
+// Transport-level concerns (BB API calls, Teams cards, readline) stay in sense adapters.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleInboundTurn = handleInboundTurn;
+const runtime_1 = require("../nerves/runtime");
+// ── Pipeline ──────────────────────────────────────────────────────
+async function handleInboundTurn(input) {
+    // Step 1: Resolve friend
+    const resolvedContext = await input.friendResolver.resolve();
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.pipeline_start",
+        message: "inbound turn pipeline started",
+        meta: {
+            channel: input.channel,
+            friendId: resolvedContext.friend.id,
+            senseType: input.capabilities.senseType,
+        },
+    });
+    // Step 2: Trust gate
+    const gateInput = {
+        friend: resolvedContext.friend,
+        provider: input.provider ?? "local",
+        externalId: input.externalId ?? "",
+        tenantId: input.tenantId,
+        channel: input.channel,
+        senseType: input.capabilities.senseType,
+        isGroupChat: input.isGroupChat ?? false,
+        groupHasFamilyMember: input.groupHasFamilyMember ?? false,
+        hasExistingGroupWithFamily: input.hasExistingGroupWithFamily ?? false,
+    };
+    const gateResult = input.enforceTrustGate(gateInput);
+    // Gate rejection: return early, no agent turn
+    if (!gateResult.allowed) {
+        (0, runtime_1.emitNervesEvent)({
+            component: "senses",
+            event: "senses.pipeline_gate_reject",
+            message: "trust gate rejected inbound turn",
+            meta: {
+                channel: input.channel,
+                friendId: resolvedContext.friend.id,
+                reason: gateResult.reason,
+            },
+        });
+        return {
+            resolvedContext,
+            gateResult,
+        };
+    }
+    // Step 3: Load/create session
+    const session = await input.sessionLoader.loadOrCreate();
+    const sessionMessages = session.messages;
+    // Step 4: Drain pending messages
+    const pending = input.drainPending(input.pendingDir);
+    // Assemble messages: session messages + pending (formatted) + inbound user messages
+    if (pending.length > 0) {
+        // Format pending messages and prepend to the user content
+        const pendingSection = pending
+            .map((msg) => `[pending from ${msg.from}]: ${msg.content}`)
+            .join("\n");
+        // If there are inbound user messages, prepend pending to the first one
+        if (input.messages.length > 0) {
+            const firstMsg = input.messages[0];
+            if (firstMsg.role === "user") {
+                if (typeof firstMsg.content === "string") {
+                    input.messages[0] = {
+                        ...firstMsg,
+                        content: `## pending messages\n${pendingSection}\n\n${firstMsg.content}`,
+                    };
+                }
+                else {
+                    input.messages[0] = {
+                        ...firstMsg,
+                        content: [
+                            { type: "text", text: `## pending messages\n${pendingSection}\n\n` },
+                            ...firstMsg.content,
+                        ],
+                    };
+                }
+            }
+        }
+    }
+    // Append user messages from the inbound turn
+    for (const msg of input.messages) {
+        sessionMessages.push(msg);
+    }
+    // Step 5: runAgent
+    const existingToolContext = input.runAgentOptions?.toolContext;
+    const runAgentOptions = {
+        ...input.runAgentOptions,
+        toolContext: {
+            /* v8 ignore next -- default no-op signin satisfies interface; real signin injected by sense adapter @preserve */
+            signin: async () => undefined,
+            ...existingToolContext,
+            context: resolvedContext,
+            friendStore: input.friendStore,
+        },
+    };
+    const result = await input.runAgent(sessionMessages, input.callbacks, input.channel, input.signal, runAgentOptions);
+    // Step 6: postTurn
+    input.postTurn(sessionMessages, session.sessionPath, result.usage);
+    // Step 7: Token accumulation
+    await input.accumulateFriendTokens(input.friendStore, resolvedContext.friend.id, result.usage);
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.pipeline_end",
+        message: "inbound turn pipeline completed",
+        meta: {
+            channel: input.channel,
+            friendId: resolvedContext.friend.id,
+        },
+    });
+    return {
+        resolvedContext,
+        gateResult,
+        usage: result.usage,
+        sessionPath: session.sessionPath,
+        messages: sessionMessages,
+    };
+}

package/dist/senses/teams.js

@@ -58,6 +58,7 @@ const commands_1 = require("./commands");
 const nerves_1 = require("../nerves");
 const runtime_1 = require("../nerves/runtime");
 const store_file_1 = require("../mind/friends/store-file");
+const types_1 = require("../mind/friends/types");
 const resolver_1 = require("../mind/friends/resolver");
 const tokens_1 = require("../mind/friends/tokens");
 const turn_coordinator_1 = require("../heart/turn-coordinator");
@@ -65,6 +66,8 @@ const identity_1 = require("../heart/identity");
 const http = __importStar(require("http"));
 const path = __importStar(require("path"));
 const trust_gate_1 = require("./trust-gate");
+const pipeline_1 = require("./pipeline");
+const pending_1 = require("../mind/pending");
 // Strip @mention markup from incoming messages.
 // Removes <at>...</at> tags and trims extra whitespace.
 // Fallback safety net -- the SDK's activity.mentions.stripText should handle
@@ -446,49 +449,24 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
     // before sync I/O (session load, trim) blocks the event loop.
     stream.update((0, phrases_1.pickPhrase)((0, phrases_1.getPhrases)().thinking) + "...");
     await new Promise(r => setImmediate(r));
-    // Resolve context kernel (identity + channel) early so we can use the friend UUID for session path
+    // Resolve identity provider early for friend resolution + slash command session path
     const store = getFriendStore();
     const provider = teamsContext?.aadObjectId ? "aad" : "teams-conversation";
     const externalId = teamsContext?.aadObjectId || conversationId;
-    const toolContext = teamsContext ? {
-        graphToken: teamsContext.graphToken,
-        adoToken: teamsContext.adoToken,
-        githubToken: teamsContext.githubToken,
-        signin: teamsContext.signin,
-        friendStore: store,
-        summarize: (0, core_1.createSummarize)(),
-        tenantId: teamsContext.tenantId,
-        botApi: teamsContext.botApi,
-    } : undefined;
-    if (toolContext) {
-        const resolver = new resolver_1.FriendResolver(store, {
-            provider,
-            externalId,
-            tenantId: teamsContext?.tenantId,
-            displayName: teamsContext?.displayName || "Unknown",
-            channel: "teams",
-        });
-        toolContext.context = await resolver.resolve();
-    }
-    const friendId = toolContext?.context?.friend?.id || "default";
-    if (toolContext?.context?.friend) {
-        const trustGate = (0, trust_gate_1.enforceTrustGate)({
-            friend: toolContext.context.friend,
-            provider,
-            externalId,
-            tenantId: teamsContext?.tenantId,
-            channel: "teams",
-        });
-        if (!trustGate.allowed) {
-            if (trustGate.reason === "stranger_first_reply") {
-                stream.emit(trustGate.autoReply);
-            }
-            return;
-        }
-    }
+    // Build FriendResolver for the pipeline
+    const resolver = new resolver_1.FriendResolver(store, {
+        provider,
+        externalId,
+        tenantId: teamsContext?.tenantId,
+        displayName: teamsContext?.displayName || "Unknown",
+        channel: "teams",
+    });
+    // Pre-resolve friend for session path + slash commands (pipeline will re-use the cached result)
+    const resolvedContext = await resolver.resolve();
+    const friendId = resolvedContext.friend.id;
     const registry = (0, commands_1.createCommandRegistry)();
     (0, commands_1.registerDefaultCommands)(registry);
-    // Check for slash commands
+    // Check for slash commands (before pipeline -- these are transport-level concerns)
     const parsed = (0, commands_1.parseSlashCommand)(text);
     if (parsed) {
         const dispatchResult = registry.dispatch(parsed.command, { channel: "teams" });
@@ -505,35 +483,86 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
             }
         }
     }
-    // Load or create session
-    const sessPath = (0, config_2.sessionPath)(friendId, "teams", conversationId);
-    const existing = (0, context_1.loadSession)(sessPath);
-    const messages = existing?.messages && existing.messages.length > 0
-        ? existing.messages
-        : [{ role: "system", content: await (0, prompt_1.buildSystem)("teams", undefined, toolContext?.context) }];
-    // Repair any orphaned tool calls from a previous aborted turn
-    (0, core_1.repairOrphanedToolCalls)(messages);
-    // Push user message
-    messages.push({ role: "user", content: text });
-    // Run agent
+    // ── Teams adapter concerns: controller, callbacks, session path ──────────
     const controller = new AbortController();
     const channelConfig = (0, config_2.getTeamsChannelConfig)();
     const callbacks = createTeamsCallbacks(stream, controller, sendMessage, { conversationId, flushIntervalMs: channelConfig.flushIntervalMs });
     const traceId = (0, nerves_1.createTraceId)();
-    const agentOptions = {};
-    agentOptions.traceId = traceId;
-    if (toolContext)
-        agentOptions.toolContext = toolContext;
+    const sessPath = (0, config_2.sessionPath)(friendId, "teams", conversationId);
+    const teamsCapabilities = (0, channel_1.getChannelCapabilities)("teams");
+    const pendingDir = (0, pending_1.getPendingDir)((0, identity_1.getAgentName)(), friendId, "teams", conversationId);
+    // Build Teams-specific toolContext fields for injection into the pipeline
+    const teamsToolContext = teamsContext ? {
+        graphToken: teamsContext.graphToken,
+        adoToken: teamsContext.adoToken,
+        githubToken: teamsContext.githubToken,
+        signin: teamsContext.signin,
+        summarize: (0, core_1.createSummarize)(),
+        tenantId: teamsContext.tenantId,
+        botApi: teamsContext.botApi,
+    } : {};
+    // Build runAgentOptions with Teams-specific fields
+    const agentOptions = {
+        traceId,
+        toolContext: teamsToolContext,
+        drainSteeringFollowUps: () => _turnCoordinator.drainFollowUps(turnKey).map((m) => ({ text: m.text })),
+    };
     if (channelConfig.skipConfirmation)
         agentOptions.skipConfirmation = true;
-    agentOptions.drainSteeringFollowUps = () => _turnCoordinator.drainFollowUps(turnKey).map((m) => ({ text: m.text }));
-    const result = await (0, core_1.runAgent)(messages, callbacks, "teams", controller.signal, agentOptions);
+    // ── Call shared pipeline ──────────────────────────────────────────
+    const result = await (0, pipeline_1.handleInboundTurn)({
+        channel: "teams",
+        capabilities: teamsCapabilities,
+        messages: [{ role: "user", content: text }],
+        callbacks,
+        friendResolver: { resolve: () => Promise.resolve(resolvedContext) },
+        sessionLoader: {
+            loadOrCreate: async () => {
+                const existing = (0, context_1.loadSession)(sessPath);
+                const messages = existing?.messages && existing.messages.length > 0
+                    ? existing.messages
+                    : [{ role: "system", content: await (0, prompt_1.buildSystem)("teams", undefined, resolvedContext) }];
+                (0, core_1.repairOrphanedToolCalls)(messages);
+                return { messages, sessionPath: sessPath };
+            },
+        },
+        pendingDir,
+        friendStore: store,
+        provider,
+        externalId,
+        tenantId: teamsContext?.tenantId,
+        isGroupChat: false,
+        groupHasFamilyMember: false,
+        hasExistingGroupWithFamily: false,
+        enforceTrustGate: trust_gate_1.enforceTrustGate,
+        drainPending: pending_1.drainPending,
+        runAgent: (msgs, cb, channel, sig, opts) => (0, core_1.runAgent)(msgs, cb, channel, sig, {
+            ...opts,
+            toolContext: {
+                /* v8 ignore next -- default no-op signin; pipeline provides the real one @preserve */
+                signin: async () => undefined,
+                ...opts?.toolContext,
+                summarize: teamsToolContext.summarize,
+            },
+        }),
+        postTurn: context_1.postTurn,
+        accumulateFriendTokens: tokens_1.accumulateFriendTokens,
+        signal: controller.signal,
+        runAgentOptions: agentOptions,
+    });
+    // ── Handle gate result ────────────────────────────────────────
+    if (!result.gateResult.allowed) {
+        if ("autoReply" in result.gateResult && result.gateResult.autoReply) {
+            stream.emit(result.gateResult.autoReply);
+        }
+        return;
+    }
     // Flush any remaining accumulated text at end of turn
     await callbacks.flush();
     // After the agent loop, check if any tool returned AUTH_REQUIRED and trigger signin.
     // This must happen after the stream is done so the OAuth card renders properly.
-    if (teamsContext) {
-        const allContent = messages.map(m => typeof m.content === "string" ? m.content : "").join("\n");
+    if (teamsContext && result.messages) {
+        const allContent = result.messages.map(m => typeof m.content === "string" ? m.content : "").join("\n");
         if (allContent.includes("AUTH_REQUIRED:graph") && teamsContext.graphConnectionName)
             await teamsContext.signin(teamsContext.graphConnectionName);
         if (allContent.includes("AUTH_REQUIRED:ado") && teamsContext.adoConnectionName)
@@ -541,12 +570,6 @@ async function handleTeamsMessage(text, stream, conversationId, teamsContext, se
         if (allContent.includes("AUTH_REQUIRED:github") && teamsContext.githubConnectionName)
             await teamsContext.signin(teamsContext.githubConnectionName);
     }
-    // Trim context and save session
-    (0, context_1.postTurn)(messages, sessPath, result.usage);
-    // Accumulate token usage on friend record
-    if (toolContext?.context?.friend?.id) {
-        await (0, tokens_1.accumulateFriendTokens)(store, toolContext.context.friend.id, result.usage);
-    }
     // SDK auto-closes the stream after our handler returns (app.process.js)
 }
 // Internal port for the secondary bot App (not exposed externally).
@@ -739,7 +762,6 @@ function registerBotHandlers(app, label) {
         (0, runtime_1.emitNervesEvent)({ level: "error", event: "channel.app_error", component: "channels", message: `[${label}] ${msg}`, meta: {} });
     });
 }
-const TEAMS_PROACTIVE_ALLOWED_TRUST = new Set(["family", "friend"]);
 function findAadObjectId(friend) {
     for (const ext of friend.externalIds) {
         if (ext.provider === "aad" && !ext.externalId.startsWith("group:")) {
@@ -838,7 +860,7 @@ async function drainAndSendPendingTeams(store, botApi, pendingRoot) {
             });
             continue;
         }
-        if (!TEAMS_PROACTIVE_ALLOWED_TRUST.has(friend.trustLevel ?? "stranger")) {
+        if (!types_1.TRUSTED_LEVELS.has(friend.trustLevel ?? "stranger")) {
             result.skipped++;
             try {
                 fs.unlinkSync(filePath);

package/dist/senses/trust-gate.js

@@ -39,6 +39,10 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const identity_1 = require("../heart/identity");
 const runtime_1 = require("../nerves/runtime");
+const types_1 = require("../mind/friends/types");
+const pending_1 = require("../mind/pending");
+// TODO: agent should pre-configure auto-reply voice
+// This is a canned reply; in future the agent should compose their own first-contact message
 exports.STRANGER_AUTO_REPLY = "I'm sorry, I'm not allowed to talk to strangers";
 function buildExternalKey(provider, externalId, tenantId) {
     return `${provider}:${tenantId ?? ""}:${externalId}`;
@@ -77,16 +81,107 @@ function appendPrimaryNotification(bundleRoot, provider, externalId, tenantId, n
     fs.mkdirSync(inboxDir, { recursive: true });
     fs.appendFileSync(notificationsPath, `${JSON.stringify(payload)}\n`, "utf8");
 }
+function writeInnerPendingNotice(bundleRoot, noticeContent, nowIso) {
+    const innerPendingDir = path.join(bundleRoot, "state", "pending", pending_1.INNER_DIALOG_PENDING.friendId, pending_1.INNER_DIALOG_PENDING.channel, pending_1.INNER_DIALOG_PENDING.key);
+    const fileName = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`;
+    const filePath = path.join(innerPendingDir, fileName);
+    const payload = {
+        from: "instinct",
+        content: noticeContent,
+        timestamp: Date.now(),
+        at: nowIso,
+    };
+    fs.mkdirSync(innerPendingDir, { recursive: true });
+    fs.writeFileSync(filePath, JSON.stringify(payload), "utf-8");
+}
 function enforceTrustGate(input) {
+    const { senseType } = input;
+    // Local (CLI) and internal (inner dialog) — always allow
+    if (senseType === "local" || senseType === "internal") {
+        return { allowed: true };
+    }
+    // Closed senses (Teams) — org already gates access, allow all trust levels
+    if (senseType === "closed") {
+        return { allowed: true };
+    }
+    // Open senses (BlueBubbles/iMessage) — enforce trust rules
     const trustLevel = input.friend.trustLevel ?? "friend";
-    if (trustLevel !== "stranger") {
+    // Family and friend — always allow on open
+    if ((0, types_1.isTrustedLevel)(trustLevel)) {
         return { allowed: true };
     }
     const bundleRoot = input.bundleRoot ?? (0, identity_1.getAgentRoot)();
-    const repliesPath = path.join(bundleRoot, "stranger-replies.json");
     const nowIso = (input.now ?? (() => new Date()))().toISOString();
+    // Acquaintance rules
+    if (trustLevel === "acquaintance") {
+        return handleAcquaintance(input, bundleRoot, nowIso);
+    }
+    // Stranger rules (trustLevel === "stranger")
+    return handleStranger(input, bundleRoot, nowIso);
+}
+function handleAcquaintance(input, bundleRoot, nowIso) {
+    const { isGroupChat, groupHasFamilyMember, hasExistingGroupWithFamily } = input;
+    // Group chat with family member present — allow
+    if (isGroupChat && groupHasFamilyMember) {
+        return { allowed: true };
+    }
+    let result;
+    let noticeDetail;
+    if (isGroupChat) {
+        // Group chat without family member — reject silently
+        result = { allowed: false, reason: "acquaintance_group_no_family" };
+        noticeDetail = `acquaintance "${input.friend.name}" messaged in a group chat without a family member present`;
+    }
+    else if (hasExistingGroupWithFamily) {
+        // 1:1 but shares a group with family — redirect
+        result = {
+            allowed: false,
+            reason: "acquaintance_1on1_has_group",
+            autoReply: "Hey! Reach me in our group chat instead.",
+        };
+        noticeDetail = `acquaintance "${input.friend.name}" DMed me directly — redirected to our group chat`;
+    }
+    else {
+        // 1:1, no shared group with family — redirect to any group
+        result = {
+            allowed: false,
+            reason: "acquaintance_1on1_no_group",
+            autoReply: "Hey! Reach me in a group chat instead.",
+        };
+        noticeDetail = `acquaintance "${input.friend.name}" DMed me directly — asked to reach me in a group chat`;
+    }
+    (0, runtime_1.emitNervesEvent)({
+        level: "warn",
+        component: "senses",
+        event: "senses.trust_gate",
+        message: "acquaintance message blocked",
+        meta: {
+            channel: input.channel,
+            provider: input.provider,
+            reason: result.reason,
+        },
+    });
+    try {
+        writeInnerPendingNotice(bundleRoot, noticeDetail, nowIso);
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "senses",
+            event: "senses.trust_gate_error",
+            message: "failed to write inner pending notice",
+            meta: {
+                reason: error instanceof Error ? error.message : String(error),
+            },
+        });
+    }
+    return result;
+}
+function handleStranger(input, bundleRoot, nowIso) {
+    const repliesPath = path.join(bundleRoot, "stranger-replies.json");
     const externalKey = buildExternalKey(input.provider, input.externalId, input.tenantId);
     const state = loadRepliesState(repliesPath);
+    // Subsequent contact — silent drop
     if (state[externalKey]) {
         (0, runtime_1.emitNervesEvent)({
             level: "warn",
@@ -103,6 +198,7 @@ function enforceTrustGate(input) {
             reason: "stranger_silent_drop",
         };
     }
+    // First contact — auto-reply, persist state, notify agent
     state[externalKey] = nowIso;
     try {
         persistRepliesState(repliesPath, state);
@@ -132,6 +228,21 @@ function enforceTrustGate(input) {
             },
         });
     }
+    const noticeDetail = `stranger "${input.friend.name}" tried to reach me via ${input.channel}. Auto-replied once.`;
+    try {
+        writeInnerPendingNotice(bundleRoot, noticeDetail, nowIso);
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "senses",
+            event: "senses.trust_gate_error",
+            message: "failed to write inner pending notice",
+            meta: {
+                reason: error instanceof Error ? error.message : String(error),
+            },
+        });
+    }
     (0, runtime_1.emitNervesEvent)({
         level: "warn",
         component: "senses",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.38",
+  "version": "0.1.0-alpha.39",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",