@vellumai/assistant 0.5.11 → 0.5.13

package/src/messaging/providers/slack/adapter.ts

@@ -32,8 +32,30 @@ import type {
 // Cache user display names to avoid repeated API calls within a session
 const userNameCache = new Map<string, string>();
 
+/**
+ * Cached auth resolved during resolveConnection().
+ *
+ * For Socket Mode this holds a raw bot token string; for OAuth it holds the
+ * OAuthConnection. The Slack client functions accept both via their own
+ * OAuthConnection | string union, so we can pass this value through directly.
+ */
+let _cachedSlackAuth: OAuthConnection | string | null = null;
+
+/**
+ * Get the Slack auth value to pass to Slack client functions.
+ * Prefers the explicit connection from the caller; falls back to the cached
+ * value set during resolveConnection().
+ */
+function getSlackAuth(connection?: OAuthConnection): OAuthConnection | string {
+  if (connection) return connection;
+  if (_cachedSlackAuth) return _cachedSlackAuth;
+  throw new Error(
+    "Slack: no connection or cached token available. Was resolveConnection() called?",
+  );
+}
+
 async function resolveUserName(
-  connectionOrToken: OAuthConnection | string,
+  auth: OAuthConnection | string,
   userId: string,
 ): Promise<string> {
   if (!userId) return "unknown";
@@ -41,7 +63,7 @@ async function resolveUserName(
   if (cached) return cached;
 
   try {
-    const resp = await slack.userInfo(connectionOrToken, userId);
+    const resp = await slack.userInfo(auth, userId);
     const name =
       resp.user.profile?.display_name ||
       resp.user.profile?.real_name ||
@@ -113,7 +135,7 @@ function mapSearchMatch(match: SlackSearchMatch): Message {
 export const slackProvider: MessagingProvider = {
   id: "slack",
   displayName: "Slack",
-  credentialService: "integration:slack",
+  credentialService: "slack",
   capabilities: new Set(["reactions", "threads", "leave_channel"]),
 
   async isConnected(): Promise<boolean> {
@@ -124,25 +146,31 @@ export const slackProvider: MessagingProvider = {
       credentialKey("slack_channel", "bot_token"),
     );
     if (botToken) return true;
-    // Preserve existing OAuth path (integration:slack) for backwards compat.
-    return isProviderConnected("integration:slack");
+    // Preserve existing OAuth path for backwards compat.
+    return isProviderConnected("slack");
   },
 
-  async resolveConnection(account?: string): Promise<OAuthConnection | string> {
-    // Socket Mode: return raw bot token if available.
+  async resolveConnection(
+    account?: string,
+  ): Promise<OAuthConnection | undefined> {
+    // Socket Mode: cache the raw bot token for use in adapter methods.
     // Token presence is sufficient — no connection row required.
     const botToken = await getSecureKeyAsync(
       credentialKey("slack_channel", "bot_token"),
     );
-    if (botToken) return botToken;
-    // Preserve existing OAuth path (integration:slack) for backwards compat.
-    return resolveOAuthConnection("integration:slack", { account });
+    if (botToken) {
+      _cachedSlackAuth = botToken;
+      return undefined;
+    }
+    // Preserve existing OAuth path for backwards compat.
+    const conn = await resolveOAuthConnection("slack", { account });
+    _cachedSlackAuth = conn;
+    return conn;
   },
 
-  async testConnection(
-    connectionOrToken: OAuthConnection | string,
-  ): Promise<ConnectionInfo> {
-    const resp = await slack.authTest(connectionOrToken);
+  async testConnection(connection?: OAuthConnection): Promise<ConnectionInfo> {
+    const auth = getSlackAuth(connection);
+    const resp = await slack.authTest(auth);
     return {
       connected: true,
       user: resp.user,
@@ -152,9 +180,10 @@ export const slackProvider: MessagingProvider = {
   },
 
   async listConversations(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     options?: ListOptions,
   ): Promise<Conversation[]> {
+    const auth = getSlackAuth(connection);
     const typeMap: Record<string, string> = {
       channel: "public_channel,private_channel",
       dm: "im",
@@ -174,7 +203,7 @@ export const slackProvider: MessagingProvider = {
     // Paginate through all results
     do {
       const resp = await slack.listConversations(
-        connectionOrToken,
+        auth,
         types,
         options?.excludeArchived ?? true,
         options?.limit ?? 200,
@@ -191,7 +220,7 @@ export const slackProvider: MessagingProvider = {
     for (const conv of conversations) {
       if (conv.type === "dm" && conv.metadata?.dmUserId) {
         conv.name = await resolveUserName(
-          connectionOrToken,
+          auth,
           conv.metadata.dmUserId as string,
         );
       }
@@ -201,12 +230,13 @@ export const slackProvider: MessagingProvider = {
   },
 
   async getHistory(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     conversationId: string,
     options?: HistoryOptions,
   ): Promise<Message[]> {
+    const auth = getSlackAuth(connection);
     const resp = await slack.conversationHistory(
-      connectionOrToken,
+      auth,
       conversationId,
       options?.limit ?? 50,
       options?.before,
@@ -215,7 +245,7 @@ export const slackProvider: MessagingProvider = {
 
     const messages: Message[] = [];
     for (const msg of resp.messages) {
-      const name = await resolveUserName(connectionOrToken, msg.user ?? "");
+      const name = await resolveUserName(auth, msg.user ?? "");
       messages.push(mapMessage(msg, conversationId, name));
     }
 
@@ -223,15 +253,12 @@ export const slackProvider: MessagingProvider = {
   },
 
   async search(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     query: string,
     options?: SearchOptions,
   ): Promise<SearchResult> {
-    const resp = await slack.searchMessages(
-      connectionOrToken,
-      query,
-      options?.count ?? 20,
-    );
+    const auth = getSlackAuth(connection);
+    const resp = await slack.searchMessages(auth, query, options?.count ?? 20);
     return {
       total: resp.messages.total,
       messages: resp.messages.matches.map(mapSearchMatch),
@@ -240,13 +267,14 @@ export const slackProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     conversationId: string,
     text: string,
     options?: SendOptions,
   ): Promise<SendResult> {
+    const auth = getSlackAuth(connection);
     const resp = await slack.postMessage(
-      connectionOrToken,
+      auth,
       conversationId,
       text,
       options?.threadId,
@@ -259,32 +287,34 @@ export const slackProvider: MessagingProvider = {
   },
 
   async getThreadReplies(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     conversationId: string,
     threadId: string,
     options?: HistoryOptions,
   ): Promise<Message[]> {
+    const auth = getSlackAuth(connection);
     const resp = await slack.conversationReplies(
-      connectionOrToken,
+      auth,
       conversationId,
       threadId,
       options?.limit ?? 50,
     );
     const messages: Message[] = [];
     for (const msg of resp.messages) {
-      const name = await resolveUserName(connectionOrToken, msg.user ?? "");
+      const name = await resolveUserName(auth, msg.user ?? "");
       messages.push(mapMessage(msg, conversationId, name));
     }
     return messages;
   },
 
   async markRead(
-    connectionOrToken: OAuthConnection | string,
+    connection: OAuthConnection | undefined,
     conversationId: string,
     messageId?: string,
   ): Promise<void> {
+    const auth = getSlackAuth(connection);
     // Slack's conversations.mark requires a timestamp — use the provided one or "now"
     const ts = messageId ?? String(Date.now() / 1000);
-    await slack.conversationMark(connectionOrToken, conversationId, ts);
+    await slack.conversationMark(auth, conversationId, ts);
   },
 };

package/src/messaging/providers/telegram-bot/adapter.ts

@@ -6,7 +6,7 @@
  * with OAuth tokens, Telegram delivery is proxied through the gateway which
  * owns the bot token and handles Telegram API retries.
  *
- * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * The `connection` parameter in MessagingProvider methods is unused
  * for Telegram because delivery is authenticated via the gateway's bearer
  * token, not a per-user OAuth token.
  */
@@ -76,9 +76,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
     return !!webhookSecret;
   },
 
-  async testConnection(
-    _connectionOrToken: OAuthConnection | string,
-  ): Promise<ConnectionInfo> {
+  async testConnection(_connection?: OAuthConnection): Promise<ConnectionInfo> {
     const botToken = await getBotToken();
     if (!botToken) {
       return {
@@ -123,7 +121,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     conversationId: string,
     text: string,
     _options?: SendOptions,
@@ -161,7 +159,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
   // interact with chats where users have initiated contact or the bot
   // has been added to a group.
   async listConversations(
-    _connectionOrToken: OAuthConnection | string,
+    _connection?: OAuthConnection,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -169,7 +167,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not provide message history retrieval.
   async getHistory(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -178,7 +176,7 @@ export const telegramBotMessagingProvider: MessagingProvider = {
 
   // Telegram Bot API does not support message search.
   async search(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {

package/src/messaging/providers/whatsapp/adapter.ts

@@ -5,7 +5,7 @@
  * endpoint. Delivery is proxied through the gateway which owns the Meta Cloud API
  * credentials (phone_number_id + access_token).
  *
- * The `connectionOrToken` parameter in MessagingProvider methods is unused
+ * The `connection` parameter in MessagingProvider methods is unused
  * for WhatsApp because delivery is authenticated via the gateway's bearer
  * token, not a per-user OAuth token.
  */
@@ -66,9 +66,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
     return hasWhatsAppCredentials();
   },
 
-  async testConnection(
-    _connectionOrToken: OAuthConnection | string,
-  ): Promise<ConnectionInfo> {
+  async testConnection(_connection?: OAuthConnection): Promise<ConnectionInfo> {
     if (!(await hasWhatsAppCredentials())) {
       return {
         connected: false,
@@ -96,7 +94,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
   },
 
   async sendMessage(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     conversationId: string,
     text: string,
     options?: SendOptions,
@@ -140,7 +138,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support listing conversations via this provider.
   async listConversations(
-    _connectionOrToken: OAuthConnection | string,
+    _connection?: OAuthConnection,
     _options?: ListOptions,
   ): Promise<Conversation[]> {
     return [];
@@ -148,7 +146,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not provide message history retrieval via the gateway.
   async getHistory(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     _conversationId: string,
     _options?: HistoryOptions,
   ): Promise<Message[]> {
@@ -157,7 +155,7 @@ export const whatsappMessagingProvider: MessagingProvider = {
 
   // WhatsApp does not support message search.
   async search(
-    _connectionOrToken: OAuthConnection | string,
+    _connection: OAuthConnection | undefined,
     _query: string,
     _options?: SearchOptions,
   ): Promise<SearchResult> {

package/src/notifications/adapters/telegram.ts

@@ -5,14 +5,20 @@
  * Follows the same delivery pattern used by guardian-dispatch: POST to
  * the gateway's `/deliver/telegram` endpoint with a chat ID and text
  * payload. The gateway forwards the message to the Telegram Bot API.
+ *
+ * For access request notifications, inline keyboard buttons ("Approve once",
+ * "Reject") are attached via the approval payload so the guardian can act
+ * without typing a command. If the rich delivery fails, the adapter falls
+ * back to plain text with typed-command instructions.
  */
 
 import { getGatewayInternalBaseUrl } from "../../config/env.js";
 import { mintDaemonDeliveryToken } from "../../runtime/auth/token-service.js";
+import type { ApprovalUIMetadata } from "../../runtime/channel-approval-types.js";
 import { deliverChannelReply } from "../../runtime/gateway-client.js";
 import { getLogger } from "../../util/logger.js";
 import { isConversationSeedSane } from "../conversation-seed-composer.js";
-import { nonEmpty } from "../copy-composer.js";
+import { buildAccessRequestContractText, nonEmpty } from "../copy-composer.js";
 import type {
   ChannelAdapter,
   ChannelDeliveryPayload,
@@ -40,6 +46,34 @@ function resolveTelegramMessageText(payload: ChannelDeliveryPayload): string {
   return payload.sourceEventName.replace(/[._]/g, " ");
 }
 
+/**
+ * Build an {@link ApprovalUIMetadata} for an access request so the gateway
+ * renders inline keyboard buttons in the Telegram message.
+ *
+ * Returns `undefined` when the context payload is missing the required
+ * `requestId`, in which case the caller should fall back to plain text.
+ */
+function buildAccessRequestApproval(
+  contextPayload: Record<string, unknown>,
+): ApprovalUIMetadata | undefined {
+  const requestId =
+    typeof contextPayload.requestId === "string"
+      ? contextPayload.requestId
+      : undefined;
+  if (!requestId) return undefined;
+
+  const plainTextFallback = buildAccessRequestContractText(contextPayload);
+
+  return {
+    requestId,
+    actions: [
+      { id: "approve_once", label: "Approve once" },
+      { id: "reject", label: "Reject" },
+    ],
+    plainTextFallback,
+  };
+}
+
 export class TelegramAdapter implements ChannelAdapter {
   readonly channel: NotificationChannel = "telegram";
 
@@ -66,10 +100,52 @@ export class TelegramAdapter implements ChannelAdapter {
     // delivery copy when available and avoid deterministic label prefixes.
     const messageText = resolveTelegramMessageText(payload);
 
+    // For access requests, attach inline keyboard buttons so the guardian
+    // can approve/reject with a single tap.
+    const isAccessRequest =
+      payload.sourceEventName === "ingress.access_request" &&
+      payload.contextPayload != null;
+
+    const approval = isAccessRequest
+      ? buildAccessRequestApproval(payload.contextPayload!)
+      : undefined;
+
     try {
+      if (approval) {
+        // Attempt rich delivery with inline keyboard buttons.
+        // On failure, fall back to plain text below.
+        try {
+          await deliverChannelReply(
+            deliverUrl,
+            { chatId, text: messageText, approval },
+            mintDaemonDeliveryToken(),
+          );
+
+          log.info(
+            { sourceEventName: payload.sourceEventName, chatId },
+            "Telegram access request notification delivered with inline buttons",
+          );
+
+          return { success: true };
+        } catch (richErr) {
+          log.warn(
+            { err: richErr, sourceEventName: payload.sourceEventName, chatId },
+            "Rich Telegram delivery failed — falling back to plain text",
+          );
+        }
+      }
+
+      // When falling back from rich delivery, append the plain-text
+      // instructions so the guardian still knows how to approve/reject.
+      const fallbackText =
+        approval?.plainTextFallback &&
+        !messageText.includes(approval.plainTextFallback)
+          ? `${messageText}\n\n${approval.plainTextFallback}`
+          : messageText;
+
       await deliverChannelReply(
         deliverUrl,
-        { chatId, text: messageText },
+        { chatId, text: fallbackText },
         mintDaemonDeliveryToken(),
       );