npm - @sena-ai/platform-core - Versions diffs - 1.4.0 - Mend

@sena-ai/platform-core 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (158) hide show

package/dist/app.d.ts +9 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +147 -0
package/dist/app.js.map +1 -0
package/dist/auth/handler.d.ts +19 -0
package/dist/auth/handler.d.ts.map +1 -0
package/dist/auth/handler.js +213 -0
package/dist/auth/handler.js.map +1 -0
package/dist/auth/session.d.ts +16 -0
package/dist/auth/session.d.ts.map +1 -0
package/dist/auth/session.js +54 -0
package/dist/auth/session.js.map +1 -0
package/dist/db/d1/index.d.ts +14 -0
package/dist/db/d1/index.d.ts.map +1 -0
package/dist/db/d1/index.js +252 -0
package/dist/db/d1/index.js.map +1 -0
package/dist/db/d1/schema.d.ts +610 -0
package/dist/db/d1/schema.d.ts.map +1 -0
package/dist/db/d1/schema.js +58 -0
package/dist/db/d1/schema.js.map +1 -0
package/dist/db/mysql/index.d.ts +14 -0
package/dist/db/mysql/index.d.ts.map +1 -0
package/dist/db/mysql/index.js +248 -0
package/dist/db/mysql/index.js.map +1 -0
package/dist/db/mysql/schema.d.ts +562 -0
package/dist/db/mysql/schema.d.ts.map +1 -0
package/dist/db/mysql/schema.js +61 -0
package/dist/db/mysql/schema.js.map +1 -0
package/dist/db/postgresql/index.d.ts +14 -0
package/dist/db/postgresql/index.d.ts.map +1 -0
package/dist/db/postgresql/index.js +246 -0
package/dist/db/postgresql/index.js.map +1 -0
package/dist/db/postgresql/schema.d.ts +591 -0
package/dist/db/postgresql/schema.d.ts.map +1 -0
package/dist/db/postgresql/schema.js +64 -0
package/dist/db/postgresql/schema.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +3 -0
package/dist/index.js.map +1 -0
package/dist/relay/api-proxy.d.ts +10 -0
package/dist/relay/api-proxy.d.ts.map +1 -0
package/dist/relay/api-proxy.js +40 -0
package/dist/relay/api-proxy.js.map +1 -0
package/dist/runtime/cf/crypto.d.ts +7 -0
package/dist/runtime/cf/crypto.d.ts.map +1 -0
package/dist/runtime/cf/crypto.js +48 -0
package/dist/runtime/cf/crypto.js.map +1 -0
package/dist/runtime/cf/index.d.ts +20 -0
package/dist/runtime/cf/index.d.ts.map +1 -0
package/dist/runtime/cf/index.js +14 -0
package/dist/runtime/cf/index.js.map +1 -0
package/dist/runtime/cf/relay.d.ts +11 -0
package/dist/runtime/cf/relay.d.ts.map +1 -0
package/dist/runtime/cf/relay.js +57 -0
package/dist/runtime/cf/relay.js.map +1 -0
package/dist/runtime/cf/vault.d.ts +7 -0
package/dist/runtime/cf/vault.d.ts.map +1 -0
package/dist/runtime/cf/vault.js +68 -0
package/dist/runtime/cf/vault.js.map +1 -0
package/dist/runtime/node/crypto.d.ts +6 -0
package/dist/runtime/node/crypto.d.ts.map +1 -0
package/dist/runtime/node/crypto.js +26 -0
package/dist/runtime/node/crypto.js.map +1 -0
package/dist/runtime/node/index.d.ts +17 -0
package/dist/runtime/node/index.d.ts.map +1 -0
package/dist/runtime/node/index.js +14 -0
package/dist/runtime/node/index.js.map +1 -0
package/dist/runtime/node/relay.d.ts +6 -0
package/dist/runtime/node/relay.d.ts.map +1 -0
package/dist/runtime/node/relay.js +73 -0
package/dist/runtime/node/relay.js.map +1 -0
package/dist/runtime/node/vault.d.ts +7 -0
package/dist/runtime/node/vault.d.ts.map +1 -0
package/dist/runtime/node/vault.js +41 -0
package/dist/runtime/node/vault.js.map +1 -0
package/dist/slack/events.d.ts +15 -0
package/dist/slack/events.d.ts.map +1 -0
package/dist/slack/events.js +63 -0
package/dist/slack/events.js.map +1 -0
package/dist/slack/oauth.d.ts +13 -0
package/dist/slack/oauth.d.ts.map +1 -0
package/dist/slack/oauth.js +90 -0
package/dist/slack/oauth.js.map +1 -0
package/dist/slack/provisioner.d.ts +60 -0
package/dist/slack/provisioner.d.ts.map +1 -0
package/dist/slack/provisioner.js +156 -0
package/dist/slack/provisioner.js.map +1 -0
package/dist/types/crypto.d.ts +15 -0
package/dist/types/crypto.d.ts.map +1 -0
package/dist/types/crypto.js +2 -0
package/dist/types/crypto.js.map +1 -0
package/dist/types/index.d.ts +6 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +2 -0
package/dist/types/index.js.map +1 -0
package/dist/types/platform.d.ts +25 -0
package/dist/types/platform.d.ts.map +1 -0
package/dist/types/platform.js +2 -0
package/dist/types/platform.js.map +1 -0
package/dist/types/relay.d.ts +16 -0
package/dist/types/relay.d.ts.map +1 -0
package/dist/types/relay.js +2 -0
package/dist/types/relay.js.map +1 -0
package/dist/types/repository.d.ts +78 -0
package/dist/types/repository.d.ts.map +1 -0
package/dist/types/repository.js +6 -0
package/dist/types/repository.js.map +1 -0
package/dist/types/vault.d.ts +9 -0
package/dist/types/vault.d.ts.map +1 -0
package/dist/types/vault.js +2 -0
package/dist/types/vault.js.map +1 -0
package/dist/web/api.d.ts +9 -0
package/dist/web/api.d.ts.map +1 -0
package/dist/web/api.js +144 -0
package/dist/web/api.js.map +1 -0
package/dist/web/pages.d.ts +4 -0
package/dist/web/pages.d.ts.map +1 -0
package/dist/web/pages.js +401 -0
package/dist/web/pages.js.map +1 -0
package/dist/web/setup.d.ts +5 -0
package/dist/web/setup.d.ts.map +1 -0
package/dist/web/setup.js +208 -0
package/dist/web/setup.js.map +1 -0
package/package.json +46 -0
package/src/app.ts +221 -0
package/src/auth/handler.ts +343 -0
package/src/auth/session.ts +89 -0
package/src/db/d1/index.ts +304 -0
package/src/db/d1/schema.ts +62 -0
package/src/db/mysql/index.ts +301 -0
package/src/db/mysql/schema.ts +78 -0
package/src/db/postgresql/index.ts +311 -0
package/src/db/postgresql/schema.ts +82 -0
package/src/index.ts +21 -0
package/src/relay/api-proxy.ts +61 -0
package/src/runtime/cf/crypto.ts +74 -0
package/src/runtime/cf/index.ts +31 -0
package/src/runtime/cf/relay.ts +74 -0
package/src/runtime/cf/vault.ts +99 -0
package/src/runtime/node/crypto.ts +33 -0
package/src/runtime/node/index.ts +28 -0
package/src/runtime/node/relay.ts +98 -0
package/src/runtime/node/vault.ts +50 -0
package/src/slack/events.ts +92 -0
package/src/slack/oauth.ts +127 -0
package/src/slack/provisioner.ts +256 -0
package/src/types/crypto.ts +14 -0
package/src/types/index.ts +14 -0
package/src/types/platform.ts +31 -0
package/src/types/relay.ts +16 -0
package/src/types/repository.ts +93 -0
package/src/types/vault.ts +8 -0
package/src/web/api.ts +204 -0
package/src/web/pages.ts +458 -0
package/src/web/setup.ts +270 -0
package/tsconfig.json +19 -0
package/tsconfig.tsbuildinfo +1 -0

package/src/slack/provisioner.ts ADDED Viewed

@@ -0,0 +1,256 @@
+import type { Vault } from '../types/vault.js'
+import type {
+  BotRepository,
+  ConfigTokenRepository,
+} from '../types/repository.js'
+const SLACK_MANIFEST_TEMPLATE = (opts: {
+  botName: string
+  botUsername: string
+  eventUrl: string
+  redirectUrl: string
+}) => ({
+  display_information: {
+    name: opts.botName,
+    description: `${opts.botName} -- powered by sena-ai`,
+    background_color: '#1a1a2e',
+  },
+  features: {
+    bot_user: {
+      display_name: opts.botUsername,
+      always_online: true,
+    },
+  },
+  oauth_config: {
+    redirect_urls: [opts.redirectUrl],
+    scopes: {
+      bot: [
+        'app_mentions:read',
+        'chat:write',
+        'chat:write.public',
+        'channels:history',
+        'channels:read',
+        'channels:join',
+        'groups:history',
+        'groups:read',
+        'im:history',
+        'im:read',
+        'im:write',
+        'reactions:read',
+        'reactions:write',
+        'files:read',
+        'files:write',
+        'users:read',
+      ],
+    },
+  },
+  settings: {
+    event_subscriptions: {
+      request_url: opts.eventUrl,
+      bot_events: [
+        'app_mention',
+        'message.channels',
+        'message.groups',
+        'message.im',
+        'reaction_added',
+      ],
+    },
+    interactivity: {
+      is_enabled: false,
+    },
+    org_deploy_enabled: false,
+    socket_mode_enabled: false,
+  },
+})
+type ManifestCreateResponse = {
+  ok: boolean
+  app_id?: string
+  credentials?: {
+    client_id?: string
+    client_secret?: string
+    signing_secret?: string
+  }
+  error?: string
+}
+type TokenRotateResponse = {
+  ok: boolean
+  token?: string
+  refresh_token?: string
+  exp?: number
+  error?: string
+}
+export interface Provisioner {
+  rotateConfigToken(workspaceId: string): Promise<boolean>
+  createApp(
+    workspaceId: string,
+    botId: string,
+    botName: string,
+    botUsername: string,
+  ): Promise<{
+    ok: boolean
+    appId?: string
+    clientId?: string
+    clientSecret?: string
+    signingSecret?: string
+    error?: string
+  }>
+  deleteApp(
+    workspaceId: string,
+    appId: string,
+  ): Promise<{ ok: boolean; error?: string }>
+  SLACK_MANIFEST_TEMPLATE: typeof SLACK_MANIFEST_TEMPLATE
+}
+/**
+ * Slack App Configuration Token management.
+ * One Config Token per workspace manages multiple apps.
+ */
+export function createProvisioner(
+  botRepo: BotRepository,
+  configTokenRepo: ConfigTokenRepository,
+  vault: Vault,
+  platformBaseUrl: string,
+): Provisioner {
+  async function rotateConfigToken(workspaceId: string): Promise<boolean> {
+    const row = await configTokenRepo.findByWorkspaceId(workspaceId)
+    if (!row) return false
+    const refreshToken = await vault.decrypt(row.refreshTokenEnc)
+    const res = await fetch('https://slack.com/api/tooling.tokens.rotate', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({ refresh_token: refreshToken }),
+    })
+    const data = (await res.json()) as TokenRotateResponse
+    if (!data.ok || !data.token || !data.refresh_token) {
+      console.error(
+        `[provisioner] rotate failed for ${workspaceId}:`,
+        data.error,
+      )
+      return false
+    }
+    await configTokenRepo.upsert({
+      workspaceId,
+      accessTokenEnc: await vault.encrypt(data.token),
+      refreshTokenEnc: await vault.encrypt(data.refresh_token),
+      expiresAt: new Date((data.exp ?? 0) * 1000),
+    })
+    return true
+  }
+  async function createApp(
+    workspaceId: string,
+    botId: string,
+    botName: string,
+    botUsername: string,
+  ): Promise<{
+    ok: boolean
+    appId?: string
+    clientId?: string
+    clientSecret?: string
+    signingSecret?: string
+    error?: string
+  }> {
+    const tokenRow = await configTokenRepo.findByWorkspaceId(workspaceId)
+    if (!tokenRow) {
+      return { ok: false, error: 'no config token for workspace' }
+    }
+    const configToken = await vault.decrypt(tokenRow.accessTokenEnc)
+    const eventUrl = `${platformBaseUrl}/slack/events/${botId}`
+    const redirectUrl = `${platformBaseUrl}/oauth/callback`
+    const manifest = SLACK_MANIFEST_TEMPLATE({
+      botName,
+      botUsername,
+      eventUrl,
+      redirectUrl,
+    })
+    const res = await fetch('https://slack.com/api/apps.manifest.create', {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${configToken}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ manifest }),
+    })
+    const data = (await res.json()) as ManifestCreateResponse
+    if (!data.ok) {
+      console.error(
+        `[provisioner] Slack API error detail:`,
+        JSON.stringify(data),
+      )
+      return { ok: false, error: data.error }
+    }
+    await botRepo.update(botId, {
+      slackAppId: data.app_id ?? null,
+      clientId: data.credentials?.client_id ?? null,
+      clientSecretEnc: data.credentials?.client_secret
+        ? await vault.encrypt(data.credentials.client_secret)
+        : null,
+      signingSecretEnc: data.credentials?.signing_secret
+        ? await vault.encrypt(data.credentials.signing_secret)
+        : null,
+      manifestJson: JSON.stringify(manifest),
+    })
+    return {
+      ok: true,
+      appId: data.app_id,
+      clientId: data.credentials?.client_id,
+      clientSecret: data.credentials?.client_secret,
+      signingSecret: data.credentials?.signing_secret,
+    }
+  }
+  async function deleteApp(
+    workspaceId: string,
+    appId: string,
+  ): Promise<{ ok: boolean; error?: string }> {
+    const tokenRow = await configTokenRepo.findByWorkspaceId(workspaceId)
+    if (!tokenRow) {
+      return { ok: false, error: 'no config token for workspace' }
+    }
+    const configToken = await vault.decrypt(tokenRow.accessTokenEnc)
+    const res = await fetch('https://slack.com/api/apps.manifest.delete', {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${configToken}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ app_id: appId }),
+    })
+    const data = (await res.json()) as { ok: boolean; error?: string }
+    if (!data.ok) {
+      console.error(
+        `[provisioner] Slack app delete failed for ${appId}:`,
+        JSON.stringify(data),
+      )
+      return { ok: false, error: data.error }
+    }
+    return { ok: true }
+  }
+  return {
+    rotateConfigToken,
+    createApp,
+    deleteApp,
+    SLACK_MANIFEST_TEMPLATE,
+  }
+}

package/src/types/crypto.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * CryptoProvider interface: platform-agnostic crypto operations.
+ * Node.js uses node:crypto, CF Workers uses Web Crypto API.
+ */
+export interface CryptoProvider {
+  /** Generate a random hex string of the given byte length. */
+  randomHex(byteLength: number): Promise<string>
+  /** Generate a UUID v4. */
+  uuid(): string
+  /** Compute HMAC-SHA256 and return hex digest. */
+  hmacSha256(key: string, data: string): Promise<string>
+  /** Constant-time string comparison. */
+  timingSafeEqual(a: string, b: string): Promise<boolean>
+}

package/src/types/index.ts ADDED Viewed

@@ -0,0 +1,14 @@
+export type { Vault } from './vault.js'
+export type { RelayHub } from './relay.js'
+export type { CryptoProvider } from './crypto.js'
+export type {
+  BotRow,
+  ConfigTokenRow,
+  OAuthStateRow,
+  WorkspaceAdminConfigRow,
+  BotRepository,
+  ConfigTokenRepository,
+  OAuthStateRepository,
+  WorkspaceAdminConfigRepository,
+} from './repository.js'
+export type { Platform, AppConfig } from './platform.js'

package/src/types/platform.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { Vault } from './vault.js'
+import type { RelayHub } from './relay.js'
+import type { CryptoProvider } from './crypto.js'
+import type {
+  BotRepository,
+  ConfigTokenRepository,
+  OAuthStateRepository,
+  WorkspaceAdminConfigRepository,
+} from './repository.js'
+/**
+ * Main Platform interface composing all platform-specific services.
+ * Implemented by platform-node and platform-cf.
+ */
+export interface Platform {
+  vault: Vault
+  relay: RelayHub
+  crypto: CryptoProvider
+  bots: BotRepository
+  configTokens: ConfigTokenRepository
+  oauthStates: OAuthStateRepository
+  workspaceAdminConfig: WorkspaceAdminConfigRepository
+}
+/**
+ * Application configuration shared across runtimes.
+ */
+export interface AppConfig {
+  platformBaseUrl: string
+  workspaceId: string
+}

package/src/types/relay.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { Context } from 'hono'
+/**
+ * RelayHub interface: manages connections between the platform and local bot runtimes.
+ * Node.js uses SSE, CF Workers uses WebSocket via Durable Objects.
+ */
+export interface RelayHub {
+  /** Handle a new streaming connection from a bot runtime. */
+  handleStream(c: Context, botId: string, connectKey: string): Promise<Response>
+  /** Dispatch a Slack event to the connected bot runtime. */
+  dispatch(botId: string, event: unknown): boolean
+  /** Check if a specific bot is connected. */
+  isConnected(botId: string): boolean
+  /** List all connected bot IDs. */
+  connectedBots(): string[]
+}

package/src/types/repository.ts ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Database row types and repository interfaces.
+ * These abstract away the underlying DB (MySQL, PostgreSQL, D1/SQLite) and ORM (Drizzle).
+ */
+export interface BotRow {
+  id: string
+  name: string
+  botUsername: string
+  profileImageUrl: string | null
+  connectKey: string
+  slackAppId: string | null
+  slackTeamId: string | null
+  botTokenEnc: string | null
+  signingSecretEnc: string | null
+  clientId: string | null
+  clientSecretEnc: string | null
+  manifestJson: string | null
+  status: 'pending' | 'active' | 'disabled'
+  createdAt: Date
+  updatedAt: Date
+}
+export interface ConfigTokenRow {
+  workspaceId: string
+  accessTokenEnc: string
+  refreshTokenEnc: string
+  expiresAt: Date
+  updatedAt: Date
+}
+export interface OAuthStateRow {
+  state: string
+  botId: string
+  expiresAt: Date
+}
+export interface WorkspaceAdminConfigRow {
+  workspaceId: string
+  slackClientId: string | null
+  slackClientSecretEnc: string | null
+  dCookieEnc: string | null
+  xoxcTokenEnc: string | null
+  workspaceDomain: string | null
+  updatedAt: Date
+  updatedByUserId: string | null
+}
+export interface BotRepository {
+  findById(id: string): Promise<BotRow | null>
+  findByConnectKey(connectKey: string): Promise<BotRow | null>
+  findByConnectKeyAndStatus(
+    connectKey: string,
+    status: BotRow['status'],
+  ): Promise<BotRow | null>
+  findByIdAndStatus(
+    id: string,
+    status: BotRow['status'],
+  ): Promise<BotRow | null>
+  findAll(): Promise<BotRow[]>
+  findAllSummary(): Promise<
+    Array<{
+      id: string
+      name: string
+      profileImageUrl: string | null
+      slackAppId: string | null
+      slackTeamId: string | null
+      status: BotRow['status']
+      createdAt: Date
+    }>
+  >
+  create(bot: Omit<BotRow, 'createdAt' | 'updatedAt'>): Promise<void>
+  update(id: string, data: Partial<Omit<BotRow, 'id'>>): Promise<void>
+  delete(id: string): Promise<void>
+}
+export interface ConfigTokenRepository {
+  findByWorkspaceId(id: string): Promise<ConfigTokenRow | null>
+  findAll(): Promise<ConfigTokenRow[]>
+  upsert(row: Omit<ConfigTokenRow, 'updatedAt'>): Promise<void>
+}
+export interface OAuthStateRepository {
+  create(row: OAuthStateRow): Promise<void>
+  consume(state: string): Promise<OAuthStateRow | null>
+  deleteExpired(): Promise<void>
+}
+export interface WorkspaceAdminConfigRepository {
+  findByWorkspaceId(workspaceId: string): Promise<WorkspaceAdminConfigRow | null>
+  findAll(): Promise<WorkspaceAdminConfigRow[]>
+  upsert(config: Omit<WorkspaceAdminConfigRow, 'updatedAt'>): Promise<void>
+}

package/src/types/vault.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Vault interface for encrypting/decrypting secrets.
+ * All methods return Promises to support Web Crypto (async) implementations.
+ */
+export interface Vault {
+  encrypt(plaintext: string): Promise<string>
+  decrypt(encoded: string): Promise<string>
+}

package/src/web/api.ts ADDED Viewed

@@ -0,0 +1,204 @@
+import { Hono } from 'hono'
+import type { BotRepository } from '../types/repository.js'
+import type { CryptoProvider } from '../types/crypto.js'
+import type { Provisioner } from '../slack/provisioner.js'
+/**
+ * Web API endpoints for bot management.
+ */
+export function createWebApi(
+  botRepo: BotRepository,
+  provisioner: Provisioner,
+  crypto: CryptoProvider,
+  workspaceId: string,
+) {
+  const app = new Hono()
+  // POST /api/bots - Create a new bot
+  app.post('/api/bots', async (c) => {
+    const body = await c.req.json<{
+      name: string
+      botUsername: string
+      profileImage?: string | null
+    }>()
+    if (
+      !body.name ||
+      typeof body.name !== 'string' ||
+      body.name.trim().length === 0
+    ) {
+      return c.json({ error: '봇 이름을 입력해주세요.' }, 400)
+    }
+    const botUsername = (body.botUsername ?? '').trim()
+    if (
+      !botUsername ||
+      botUsername.length < 2 ||
+      botUsername.length > 80 ||
+      !/^[a-z0-9][a-z0-9-]*$/.test(botUsername)
+    ) {
+      return c.json(
+        { error: '봇 유저네임은 영문 소문자, 숫자, 하이픈만 사용 가능하며 2-80자여야 합니다.' },
+        400,
+      )
+    }
+    const botId = crypto.uuid()
+    const connectKey = `cpk_${await crypto.randomHex(20)}`
+    const name = body.name.trim()
+    const profileImageUrl =
+      typeof body.profileImage === 'string' &&
+      body.profileImage.startsWith('data:image/')
+        ? body.profileImage
+        : null
+    // Insert bot record
+    await botRepo.create({
+      id: botId,
+      name,
+      botUsername,
+      profileImageUrl,
+      connectKey,
+      slackAppId: null,
+      slackTeamId: null,
+      botTokenEnc: null,
+      signingSecretEnc: null,
+      clientId: null,
+      clientSecretEnc: null,
+      manifestJson: null,
+      status: 'pending',
+    })
+    // Provision Slack app asynchronously (CF Workers needs waitUntil to keep alive)
+    const provisionPromise = provisionSlackApp(
+      botId,
+      name,
+      botUsername,
+    ).catch((err: unknown) => {
+      console.error(
+        `[api] failed to provision Slack app for bot ${botId}:`,
+        err,
+      )
+    })
+    if (c.executionCtx?.waitUntil) {
+      c.executionCtx.waitUntil(provisionPromise)
+    }
+    return c.json({ ok: true, botId, connectKey })
+  })
+  // GET /api/bots/:botId - Get bot status
+  app.get('/api/bots/:botId', async (c) => {
+    const botId = c.req.param('botId')
+    const bot = await botRepo.findById(botId)
+    if (!bot) {
+      return c.json({ error: 'bot not found' }, 404)
+    }
+    return c.json({
+      bot: {
+        id: bot.id,
+        name: bot.name,
+        profileImageUrl: bot.profileImageUrl,
+        slackAppId: bot.slackAppId,
+        slackTeamId: bot.slackTeamId,
+        clientId: bot.clientId,
+        status: bot.status,
+        connectKey: bot.connectKey,
+        createdAt: bot.createdAt,
+        updatedAt: bot.updatedAt,
+      },
+    })
+  })
+  // POST /api/bots/:botId/provision - Retry provisioning
+  app.post('/api/bots/:botId/provision', async (c) => {
+    const botId = c.req.param('botId')
+    const bot = await botRepo.findById(botId)
+    if (!bot) return c.json({ error: 'bot not found' }, 404)
+    if (bot.slackAppId) return c.json({ ok: true, appId: bot.slackAppId })
+    const provisionPromise = provisionSlackApp(botId, bot.name, bot.botUsername).catch(
+      (err: unknown) => {
+        console.error(`[api] retry provision failed for ${botId}:`, err)
+      },
+    )
+    if (c.executionCtx?.waitUntil) {
+      c.executionCtx.waitUntil(provisionPromise)
+    }
+    return c.json({ ok: true, message: 'provisioning started' })
+  })
+  // DELETE /api/bots/:botId - Delete a bot and its Slack app
+  app.delete('/api/bots/:botId', async (c) => {
+    const botId = c.req.param('botId')
+    const bot = await botRepo.findById(botId)
+    if (!bot) return c.json({ error: 'bot not found' }, 404)
+    // Delete Slack app if it exists
+    if (bot.slackAppId) {
+      const result = await provisioner.deleteApp(workspaceId, bot.slackAppId)
+      if (!result.ok) {
+        console.error(`[api] failed to delete Slack app ${bot.slackAppId}: ${result.error}`)
+        // Continue to delete from DB even if Slack deletion fails
+      }
+    }
+    await botRepo.delete(botId)
+    return c.json({ ok: true, deleted: botId })
+  })
+  // POST /api/bots/:botId/icon - Update bot profile image (DB only, Slack 아이콘은 수동 설정 필요)
+  app.post('/api/bots/:botId/icon', async (c) => {
+    const botId = c.req.param('botId')
+    const bot = await botRepo.findById(botId)
+    if (!bot) return c.json({ error: 'bot not found' }, 404)
+    const formData = await c.req.formData()
+    const file = formData.get('image')
+    if (!file || typeof file === 'string' || !('arrayBuffer' in file)) {
+      return c.json({ error: 'image file is required' }, 400)
+    }
+    const imageBuffer = await (file as Blob).arrayBuffer()
+    const bytes = new Uint8Array(imageBuffer)
+    let binaryStr = ''
+    for (let i = 0; i < bytes.length; i++) {
+      binaryStr += String.fromCharCode(bytes[i])
+    }
+    const base64 = btoa(binaryStr)
+    const blob = file as Blob
+    const mimeType = blob.type || 'image/png'
+    await botRepo.update(botId, {
+      profileImageUrl: `data:${mimeType};base64,${base64}`,
+    })
+    return c.json({ ok: true })
+  })
+  async function provisionSlackApp(
+    botId: string,
+    botName: string,
+    botUsername: string,
+  ) {
+    const result = await provisioner.createApp(
+      workspaceId,
+      botId,
+      botName,
+      botUsername,
+    )
+    if (!result.ok) {
+      console.error(
+        `[provisioner] failed to create Slack app: ${result.error}`,
+      )
+      return
+    }
+    console.log(
+      `[provisioner] Slack app created for bot ${botId}: ${result.appId}`,
+    )
+  }
+  return app
+}