@snf/qa-bot-core 0.2.30-rc.1 → 0.2.30-rc.11

package/dist/types/components/TurnstileWidget.d.ts

@@ -0,0 +1,12 @@
+import React from 'react';
+interface TurnstileWidgetProps {
+    siteKey: string;
+    onVerify: (token: string) => void;
+    onError?: () => void;
+}
+/**
+ * Renders a Cloudflare Turnstile widget inline in the chat.
+ * Used as a `component` on a flow step (same pattern as LoginButton).
+ */
+declare const TurnstileWidget: React.FC<TurnstileWidgetProps>;
+export default TurnstileWidget;

package/dist/types/config.d.ts

@@ -2,7 +2,7 @@ import type { Settings, Flow } from 'react-chatbotify';
 /**
  * Analytics event types fired by qa-bot-core
  */
-export type QABotAnalyticsEventType = 'chatbot_open' | 'chatbot_close' | 'chatbot_new_chat' | 'chatbot_question_sent' | 'chatbot_answer_received' | 'chatbot_answer_error' | 'chatbot_rating_sent' | 'chatbot_login_prompt_shown' | 'chatbot_login_clicked' | 'chatbot_link_clicked';
+export type QABotAnalyticsEventType = 'chatbot_open' | 'chatbot_close' | 'chatbot_new_chat' | 'chatbot_question_sent' | 'chatbot_answer_received' | 'chatbot_answer_error' | 'chatbot_rating_sent' | 'chatbot_login_prompt_shown' | 'chatbot_login_clicked' | 'chatbot_link_clicked' | 'chatbot_turnstile_shown' | 'chatbot_turnstile_completed' | 'chatbot_turnstile_error';
 /**
  * Analytics event payload
  *
@@ -83,6 +83,16 @@ export interface QABotProps {
      * - Optional: if not provided, requests will be anonymous
      */
     actingUser?: string;
+    /**
+     * Cloudflare Turnstile site key for bot protection.
+     * When provided, an invisible Turnstile widget is rendered on mount
+     * to silently verify the user.  The token is attached to every query
+     * automatically.  If silent verification fails, the backend's
+     * visible-challenge flow kicks in as a fallback.
+     *
+     * Omit or pass empty string to disable Turnstile entirely on the frontend.
+     */
+    turnstileSiteKey?: string;
     /**
      * Custom flow steps to merge with the built-in Q&A flow.
      * Use this to add ticket creation flows, feedback flows, etc.

package/dist/types/hooks/useTurnstile.d.ts

@@ -0,0 +1,27 @@
+/**
+ * useTurnstile — silent background Turnstile verification.
+ *
+ * Renders an invisible Cloudflare Turnstile widget on mount.  Most legitimate
+ * users get a token automatically (no UI).  The token is exposed so the
+ * qa-flow can attach it to every request.
+ *
+ * If silent verification fails (Cloudflare deems the visitor suspicious),
+ * `status` becomes 'failed' and the qa-flow falls back to the existing
+ * visible-challenge path (backend returns requires_turnstile, widget shown
+ * in chat).
+ *
+ * Turnstile tokens expire after ~300 s.  The widget's built-in
+ * `refresh-expired: auto` handles re-issuing before expiry.
+ */
+export type TurnstileStatus = 'idle' | 'loading' | 'verified' | 'failed';
+export interface UseTurnstileResult {
+    /** Current Turnstile token, or null if not yet verified / failed. */
+    token: string | null;
+    /** Lifecycle status of the silent verification. */
+    status: TurnstileStatus;
+}
+/**
+ * @param siteKey  Cloudflare Turnstile site key.  Pass `undefined` or empty
+ *                 string to disable (hook becomes a no-op).
+ */
+export declare function useTurnstile(siteKey: string | undefined): UseTurnstileResult;

package/dist/types/lib.d.ts

@@ -26,6 +26,7 @@ interface QABotConfig {
     embedded?: boolean;
     isLoggedIn: boolean;
     allowAnonAccess?: boolean;
+    turnstileSiteKey?: string;
     welcomeMessage: string;
     primaryColor?: string;
     secondaryColor?: string;

package/dist/types/utils/flows/qa-flow.d.ts

@@ -28,12 +28,19 @@ export interface CreateQAFlowParams {
     actingUser?: string;
     /** Enriched analytics tracker (adds common fields automatically) */
     trackEvent?: (event: AnalyticsEventInput) => void;
+    /**
+     * Returns the current silent Turnstile token (from useTurnstile hook).
+     * When available, attached to every request so the backend can verify
+     * without prompting.  When null, the backend's free-query allowance
+     * applies, and the visible challenge is the fallback.
+     */
+    getTurnstileToken?: () => string | null;
 }
 /**
  * Creates the basic Q&A conversation flow
  * Handles questions, responses, and optional ratings
  */
-export declare const createQAFlow: ({ endpoint, ratingEndpoint, apiKey, sessionId: getSessionId, isResetting, isLoggedIn, allowAnonAccess, loginUrl, actingUser, trackEvent }: CreateQAFlowParams) => {
+export declare const createQAFlow: ({ endpoint, ratingEndpoint, apiKey, sessionId: getSessionId, isResetting, isLoggedIn, allowAnonAccess, loginUrl, actingUser, trackEvent, getTurnstileToken, }: CreateQAFlowParams) => {
     qa_loop: {
         message: string;
         component: React.JSX.Element;
@@ -44,11 +51,11 @@ export declare const createQAFlow: ({ endpoint, ratingEndpoint, apiKey, sessionI
     };
 } | {
     qa_loop: {
-        message: (chatState: any) => Promise<"Thanks for the feedback! Feel free to ask another question." | "I wasn't able to verify you're human. Please try your question again." | "I apologize, but I'm having trouble processing your question. Please try again later.">;
+        message: (chatState: any) => Promise<"Thanks for the feedback! Feel free to ask another question." | "Verification failed. Please try your question again." | "I had trouble processing your question after verification. Please try again." | "Please verify you're human to continue." | "I apologize, but I'm having trouble processing your question. Please try again later.">;
         options: (chatState: any) => string[];
         renderMarkdown: string[];
         chatDisabled: boolean;
+        component: React.JSX.Element;
         path: string;
-        component?: undefined;
     };
 };

package/dist/types/utils/logger.d.ts

@@ -7,12 +7,13 @@
  * Usage for consumers:
  *   localStorage.setItem('QA_BOT_DEBUG', 'true');  // Enable debug logs + version
  */
-export declare const LIB_VERSION = "0.2.19";
+export declare const LIB_VERSION = "0.2.30-rc.11";
 export declare const logger: {
     version: () => void;
     session: (action: string, ...args: unknown[]) => void;
     history: (action: string, ...args: unknown[]) => void;
     message: (action: string, data: Record<string, unknown>) => void;
+    turnstile: (action: string, ...args: unknown[]) => void;
     warn: (...args: unknown[]) => void;
     error: (...args: unknown[]) => void;
 };

package/dist/types/utils/turnstile.d.ts

@@ -11,14 +11,14 @@
  */
 export declare function loadTurnstileScript(): Promise<void>;
 /**
- * Render the Turnstile widget into a container and return the token.
+ * Render the Turnstile widget by appending it to the last bot message bubble.
  *
- * Waits for the container element to appear in the DOM (since injectMessage
- * may not have flushed yet), then calls turnstile.render() and resolves
- * when the user completes the challenge.
+ * react-chatbotify's injectMessage() escapes HTML, so we can't inject a
+ * container div via message content. Instead, we wait for the text message
+ * to render, find the last bot message bubble in the DOM, and append the
+ * Turnstile widget container directly.
  *
  * @param siteKey - Cloudflare Turnstile site key (from the agent response)
- * @param containerId - DOM id of the container to render into
  * @returns The verification token string
  */
-export declare function renderTurnstileWidget(siteKey: string, containerId?: string): Promise<string>;
+export declare function renderTurnstileWidget(siteKey: string): Promise<string>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@snf/qa-bot-core",
-  "version": "0.2.30-rc.1",
+  "version": "0.2.30-rc.11",
   "description": "A configurable chatbot setup for quick integration of RAG-powered Q&A and rating system",
   "main": "./dist/qa-bot-core.umd.cjs",
   "module": "./dist/qa-bot-core.js",