@ouro.bot/cli 0.1.0-alpha.469 → 0.1.0-alpha.470

package/dist/mailroom/outbound.js

@@ -33,15 +33,20 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseAcsEmailDeliveryReportEvent = void 0;
+exports.createAcsEmailProviderClient = createAcsEmailProviderClient;
 exports.resolveOutboundTransport = resolveOutboundTransport;
 exports.createMailDraft = createMailDraft;
 exports.confirmMailDraftSend = confirmMailDraftSend;
 exports.listMailOutboundRecords = listMailOutboundRecords;
+exports.reconcileOutboundDeliveryEvent = reconcileOutboundDeliveryEvent;
 const crypto = __importStar(require("node:crypto"));
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const runtime_1 = require("../nerves/runtime");
+const autonomy_1 = require("./autonomy");
 const core_1 = require("./core");
+Object.defineProperty(exports, "parseAcsEmailDeliveryReportEvent", { enumerable: true, get: function () { return core_1.parseAcsEmailDeliveryReportEvent; } });
 function isRecord(value) {
     return !!value && typeof value === "object" && !Array.isArray(value);
 }
@@ -49,12 +54,100 @@ function textField(value, key) {
     const raw = value[key];
     return typeof raw === "string" ? raw.trim() : "";
 }
+function credentialFields(value) {
+    if (!isRecord(value))
+        return undefined;
+    const accessKey = textField(value, "accessKey");
+    const connectionString = textField(value, "connectionString");
+    const fields = {
+        ...(accessKey ? { accessKey } : {}),
+        ...(connectionString ? { connectionString } : {}),
+    };
+    return Object.keys(fields).length > 0 ? fields : undefined;
+}
 function normalizeList(values) {
     return values
         .map((value) => value.trim())
         .filter(Boolean)
         .map(core_1.normalizeMailAddress);
 }
+function contentHash(body) {
+    return crypto.createHash("sha256").update(body, "utf-8").digest("base64");
+}
+function hmacSignature(input) {
+    const stringToSign = `${input.method}\n${input.pathAndQuery}\n${input.date};${input.host};${input.contentHash}`;
+    return crypto.createHmac("sha256", Buffer.from(input.accessKey, "base64")).update(stringToSign, "utf-8").digest("base64");
+}
+function recipientObjects(addresses) {
+    return addresses.map((address) => ({ address }));
+}
+function providerMessageIdFromOperationLocation(operationLocation) {
+    const match = operationLocation.match(/\/operations\/([^?/#]+)/);
+    return match?.[1] ?? "";
+}
+function createAcsEmailProviderClient(input) {
+    const endpoint = input.endpoint.replace(/\/+$/, "");
+    const fetchImpl = input.fetch ?? fetch;
+    return {
+        async submit(submitInput) {
+            const url = new URL(`${endpoint}/emails:send?api-version=2025-09-01`);
+            const senderAddress = submitInput.transport.senderAddress ?? submitInput.draft.from;
+            const body = JSON.stringify({
+                senderAddress,
+                recipients: {
+                    to: recipientObjects(submitInput.draft.to),
+                    cc: recipientObjects(submitInput.draft.cc),
+                    bcc: recipientObjects(submitInput.draft.bcc),
+                },
+                content: {
+                    subject: submitInput.draft.subject,
+                    plainText: submitInput.draft.text,
+                },
+            });
+            const date = (input.now ?? (() => new Date()))().toUTCString();
+            const hash = contentHash(body);
+            const signature = hmacSignature({
+                method: "POST",
+                pathAndQuery: `${url.pathname}${url.search}`,
+                date,
+                host: url.host,
+                contentHash: hash,
+                accessKey: input.accessKey,
+            });
+            const response = await fetchImpl(url.toString(), {
+                method: "POST",
+                headers: {
+                    "content-type": "application/json",
+                    "x-ms-date": date,
+                    "x-ms-content-sha256": hash,
+                    authorization: `HMAC-SHA256 SignedHeaders=x-ms-date;host;x-ms-content-sha256&Signature=${signature}`,
+                },
+                body,
+            });
+            const operationLocation = response.headers.get("operation-location") ?? undefined;
+            const providerRequestId = response.headers.get("x-ms-request-id") ?? undefined;
+            const payload = await response.json().catch(() => ({}));
+            if (!response.ok) {
+                const reason = typeof payload.error?.message === "string" ? payload.error.message : `HTTP ${response.status}`;
+                throw new Error(`ACS outbound send failed: ${reason}`);
+            }
+            const providerMessageId = typeof payload.id === "string"
+                ? payload.id
+                : operationLocation
+                    ? providerMessageIdFromOperationLocation(operationLocation)
+                    : "";
+            if (!providerMessageId)
+                throw new Error("ACS outbound send did not return an operation id");
+            return {
+                provider: "azure-communication-services",
+                providerMessageId,
+                ...(operationLocation ? { operationLocation } : {}),
+                ...(providerRequestId ? { providerRequestId } : {}),
+                submittedAt: submitInput.submittedAt,
+            };
+        },
+    };
+}
 function draftId() {
     return `draft_${crypto.randomBytes(12).toString("hex")}`;
 }
@@ -75,14 +168,21 @@ function resolveOutboundTransport(config) {
         return { kind: "local-sink", sinkPath };
     }
     if (transport === "azure-communication-services") {
+        if ("credentialItemNoteQuery" in outbound || "noteQuery" in outbound || "notes" in outbound) {
+            throw new Error("outbound provider binding must not infer credentials from vault notes");
+        }
         const endpoint = textField(outbound, "endpoint");
         if (!endpoint)
             throw new Error("outbound Azure Communication Services transport is missing endpoint");
         const senderAddress = textField(outbound, "senderAddress");
+        const credentialItem = textField(outbound, "credentialItem");
+        const fields = credentialFields(outbound.credentialFields);
         return {
             kind: "azure-communication-services",
             endpoint,
             ...(senderAddress ? { senderAddress } : {}),
+            ...(credentialItem ? { credentialItem } : {}),
+            ...(fields ? { credentialFields: fields } : {}),
         };
     }
     throw new Error("outbound mail transport is not configured; human-required: choose local-sink or azure-communication-services");
@@ -134,36 +234,94 @@ function appendLocalSink(transport, record, sentAt) {
         bcc: record.bcc,
         subject: record.subject,
         text: record.text,
+        sendMode: record.sendMode,
+        policyId: record.policyDecision?.policyId ?? null,
         sentAt,
     })}\n`, "utf-8");
     return transportMessageId;
 }
 function transportSend(transport, record, sentAt) {
-    if (transport.kind === "local-sink")
-        return appendLocalSink(transport, record, sentAt);
-    throw new Error("Azure Communication Services outbound send is configured but not enabled on this machine; human-required setup is still needed");
+    return appendLocalSink(transport, record, sentAt);
 }
 async function confirmMailDraftSend(input) {
-    if (input.autonomous) {
-        throw new Error("Autonomous mail sending is disabled; create a draft and require explicit confirmation instead");
-    }
-    if (input.confirmation !== "CONFIRM_SEND") {
-        throw new Error("mail_send requires confirmation=CONFIRM_SEND before any outbound mail leaves the agent");
-    }
     const draft = await input.store.getMailOutbound(input.draftId);
     if (!draft || draft.agentId !== input.agentId)
         throw new Error(`No draft found for ${input.draftId}`);
     if (draft.status !== "draft")
         throw new Error(`Draft ${input.draftId} is already ${draft.status}`);
     const sentAt = (input.now ?? (() => new Date()))().toISOString();
-    const transportMessageId = transportSend(input.transport, draft, sentAt);
-    const sent = {
+    const recentOutbound = await input.store.listMailOutbound(input.agentId);
+    const policyDecision = input.autonomous
+        ? (() => {
+            if (!input.autonomyPolicy) {
+                throw new Error("Autonomous mail sending requires an enabled native-agent policy");
+            }
+            const decision = (0, autonomy_1.evaluateNativeMailSendPolicy)({
+                policy: input.autonomyPolicy,
+                draft,
+                recentOutbound,
+                now: new Date(sentAt),
+            });
+            if (!decision.allowed) {
+                if (decision.mode === "confirmation-required") {
+                    throw new Error(`Autonomous mail send ${decision.code} requires confirmation=CONFIRM_SEND: ${decision.reason}`);
+                }
+                throw new Error(`${decision.code}: ${decision.reason}`);
+            }
+            return decision;
+        })()
+        : (() => {
+            if (input.confirmation !== "CONFIRM_SEND") {
+                throw new Error("mail_send requires confirmation=CONFIRM_SEND before any outbound mail leaves the agent");
+            }
+            return (0, autonomy_1.buildConfirmedMailSendDecision)({
+                draft,
+                policy: input.autonomyPolicy,
+                now: new Date(sentAt),
+            });
+        })();
+    const pendingSent = {
         ...draft,
-        status: "sent",
+        status: input.transport.kind === "local-sink" ? "sent" : "submitted",
         actor: input.actor,
         reason: input.reason,
         updatedAt: sentAt,
+        sendMode: input.autonomous ? "autonomous" : "confirmed",
+        policyDecision,
         sentAt,
+    };
+    if (input.transport.kind === "azure-communication-services") {
+        if (!input.providerClient) {
+            throw new Error("Azure Communication Services outbound send is configured but not enabled on this machine; human-required setup is still needed");
+        }
+        const submission = await input.providerClient.submit({
+            draft: pendingSent,
+            transport: input.transport,
+            submittedAt: sentAt,
+        });
+        const submitted = {
+            ...(0, core_1.buildMailProviderSubmission)({
+                draft: pendingSent,
+                provider: submission.provider,
+                providerMessageId: submission.providerMessageId,
+                submittedAt: submission.submittedAt ?? sentAt,
+                ...(submission.operationLocation ? { operationLocation: submission.operationLocation } : {}),
+                ...(submission.providerRequestId ? { providerRequestId: submission.providerRequestId } : {}),
+            }),
+            transport: input.transport.kind,
+        };
+        await input.store.upsertMailOutbound(submitted);
+        (0, runtime_1.emitNervesEvent)({
+            component: "senses",
+            event: "senses.mail_draft_submitted",
+            message: "mail draft submitted to outbound provider",
+            meta: { agentId: submitted.agentId, id: submitted.id, provider: submitted.provider, providerMessageId: submitted.providerMessageId },
+        });
+        return submitted;
+    }
+    const transportMessageId = transportSend(input.transport, pendingSent, sentAt);
+    const sent = {
+        ...pendingSent,
         transport: input.transport.kind,
         transportMessageId,
     };
@@ -179,3 +337,24 @@ async function confirmMailDraftSend(input) {
 function listMailOutboundRecords(store, agentId) {
     return store.listMailOutbound(agentId);
 }
+async function reconcileOutboundDeliveryEvent(input) {
+    const records = await input.store.listMailOutbound(input.agentId);
+    const outbound = records.find((record) => record.providerMessageId === input.event.providerMessageId);
+    if (!outbound)
+        throw new Error(`No outbound record found for provider message ${input.event.providerMessageId}`);
+    const updated = (0, core_1.reconcileMailDeliveryEvent)({ outbound, event: input.event });
+    await input.store.upsertMailOutbound(updated);
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_delivery_event_reconciled",
+        message: "mail delivery event reconciled",
+        meta: {
+            agentId: updated.agentId,
+            id: updated.id,
+            provider: input.event.provider,
+            providerEventId: input.event.providerEventId,
+            outcome: input.event.outcome,
+        },
+    });
+    return updated;
+}

package/dist/mailroom/reader.js

@@ -77,6 +77,9 @@ function parseMailroomConfig(value) {
     const host = textField(value, "host");
     const attentionIntervalMs = numberField(value, "attentionIntervalMs");
     const outbound = isRecord(value.outbound) ? { ...value.outbound } : undefined;
+    const autonomousSendPolicy = isRecord(value.autonomousSendPolicy)
+        ? { ...value.autonomousSendPolicy }
+        : undefined;
     return {
         mailboxAddress,
         ...(registryPath ? { registryPath } : {}),
@@ -89,6 +92,7 @@ function parseMailroomConfig(value) {
         ...(host ? { host } : {}),
         ...(attentionIntervalMs !== undefined ? { attentionIntervalMs } : {}),
         ...(outbound ? { outbound } : {}),
+        ...(autonomousSendPolicy ? { autonomousSendPolicy } : {}),
         privateKeys,
     };
 }