agent-messenger 2.0.0 → 2.1.0

package/src/platforms/webex/credential-manager.ts

@@ -0,0 +1,197 @@
+import { existsSync } from 'node:fs'
+import { mkdir, readFile, rename, rm, writeFile } from 'node:fs/promises'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+
+import { getWebexAppCredentials } from './app-config'
+import type { WebexConfig } from './types'
+import { WebexConfigSchema } from './types'
+
+const OAUTH_DEVICE_AUTHORIZE_URL = 'https://webexapis.com/v1/device/authorize'
+const OAUTH_DEVICE_TOKEN_URL = 'https://webexapis.com/v1/device/token'
+const OAUTH_TOKEN_URL = 'https://webexapis.com/v1/access_token'
+const OAUTH_SCOPES = 'spark:all'
+
+export { OAUTH_SCOPES }
+
+export class WebexCredentialManager {
+  private configDir: string
+  private credentialsPath: string
+
+  constructor(configDir?: string) {
+    this.configDir = configDir ?? join(homedir(), '.config', 'agent-messenger')
+    this.credentialsPath = join(this.configDir, 'webex-credentials.json')
+  }
+
+  async loadConfig(): Promise<WebexConfig | null> {
+    if (!existsSync(this.credentialsPath)) return null
+    const content = await readFile(this.credentialsPath, 'utf-8')
+    const result = WebexConfigSchema.safeParse(JSON.parse(content))
+    if (!result.success) return null
+    return result.data
+  }
+
+  async saveConfig(config: WebexConfig): Promise<void> {
+    await mkdir(this.configDir, { recursive: true })
+    const tmpPath = `${this.credentialsPath}.tmp`
+    await writeFile(tmpPath, JSON.stringify(config, null, 2), {
+      encoding: 'utf-8',
+      mode: 0o600,
+    })
+    await rename(tmpPath, this.credentialsPath)
+  }
+
+  async getToken(clientId?: string, clientSecret?: string): Promise<string | null> {
+    const config = await this.loadConfig()
+    if (!config) return null
+
+    if (config.tokenType === 'manual') {
+      return config.accessToken
+    }
+
+    if (config.expiresAt < Date.now() + 5 * 60 * 1000) {
+      const builtinCreds = getWebexAppCredentials()
+      const resolvedClientId = clientId ?? config.clientId ?? builtinCreds.clientId
+      const resolvedClientSecret = clientSecret ?? config.clientSecret ?? builtinCreds.clientSecret
+      const refreshed = await this.refreshToken(config.refreshToken, resolvedClientId, resolvedClientSecret)
+      if (refreshed) return refreshed.accessToken
+      return null
+    }
+
+    return config.accessToken
+  }
+
+  async refreshToken(refreshToken: string, clientId: string, clientSecret: string): Promise<WebexConfig | null> {
+    try {
+      const response = await fetch(OAUTH_TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'refresh_token',
+          client_id: clientId,
+          client_secret: clientSecret,
+          refresh_token: refreshToken,
+        }),
+      })
+
+      if (!response.ok) return null
+
+      const data = (await response.json()) as {
+        access_token: string
+        refresh_token: string
+        expires_in: number
+      }
+
+      const config: WebexConfig = {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt: Date.now() + data.expires_in * 1000,
+      }
+
+      await this.saveConfig(config)
+      return config
+    } catch {
+      return null
+    }
+  }
+
+  async requestDeviceCode(clientId: string, scopes?: string): Promise<{
+    deviceCode: string
+    userCode: string
+    verificationUri: string
+    verificationUriComplete: string
+    expiresIn: number
+    interval: number
+  }> {
+    const response = await fetch(OAUTH_DEVICE_AUTHORIZE_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: clientId,
+        scope: scopes ?? OAUTH_SCOPES,
+      }),
+    })
+
+    if (!response.ok) {
+      const errorBody = await response.text()
+      throw new Error(`Device authorization failed: ${response.status} ${errorBody}`)
+    }
+
+    const data = (await response.json()) as {
+      device_code: string
+      user_code: string
+      verification_uri: string
+      verification_uri_complete: string
+      expires_in: number
+      interval: number
+    }
+
+    return {
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUri: data.verification_uri,
+      verificationUriComplete: data.verification_uri_complete,
+      expiresIn: data.expires_in,
+      interval: data.interval,
+    }
+  }
+
+  async pollDeviceToken(deviceCode: string, interval: number, expiresIn: number, clientId: string, clientSecret?: string): Promise<WebexConfig> {
+    const basicAuth = btoa(`${clientId}:${clientSecret ?? ''}`)
+    const deadline = Date.now() + expiresIn * 1000
+
+    while (Date.now() < deadline) {
+      await new Promise((resolve) => setTimeout(resolve, interval * 1000))
+
+      const response = await fetch(OAUTH_DEVICE_TOKEN_URL, {
+        method: 'POST',
+        headers: {
+          Authorization: `Basic ${basicAuth}`,
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+          device_code: deviceCode,
+          client_id: clientId,
+        }),
+      })
+
+      if (response.ok) {
+        const data = (await response.json()) as {
+          access_token: string
+          refresh_token: string
+          expires_in: number
+        }
+
+        const config: WebexConfig = {
+          accessToken: data.access_token,
+          refreshToken: data.refresh_token,
+          expiresAt: Date.now() + data.expires_in * 1000,
+        }
+
+        return config
+      }
+
+      if (response.status === 428) continue
+
+      const errorBody = (await response.json().catch(() => null)) as {
+        errors?: Array<{ description: string }>
+      } | null
+      const errorDesc = errorBody?.errors?.[0]?.description ?? ''
+
+      if (errorDesc.includes('authorization_pending') || errorDesc.includes('slow_down')) {
+        continue
+      }
+
+      throw new Error(`Device token exchange failed: ${response.status} ${errorDesc}`)
+    }
+
+    throw new Error('Device authorization timed out')
+  }
+
+  async clearCredentials(): Promise<void> {
+    if (existsSync(this.credentialsPath)) {
+      await rm(this.credentialsPath)
+    }
+  }
+}

package/src/platforms/webex/ensure-auth.test.ts

@@ -0,0 +1,85 @@
+import { afterEach, beforeEach, describe, expect, spyOn, test } from 'bun:test'
+
+import { WebexClient } from './client'
+import { WebexCredentialManager } from './credential-manager'
+import { ensureWebexAuth } from './ensure-auth'
+
+let loadConfigSpy: ReturnType<typeof spyOn>
+let getTokenSpy: ReturnType<typeof spyOn>
+let loginSpy: ReturnType<typeof spyOn>
+let testAuthSpy: ReturnType<typeof spyOn>
+
+beforeEach(() => {
+  loadConfigSpy = spyOn(WebexCredentialManager.prototype, 'loadConfig').mockResolvedValue(null)
+  getTokenSpy = spyOn(WebexCredentialManager.prototype, 'getToken').mockResolvedValue(null)
+  loginSpy = spyOn(WebexClient.prototype, 'login').mockResolvedValue({} as WebexClient)
+  testAuthSpy = spyOn(WebexClient.prototype, 'testAuth').mockResolvedValue({
+    id: 'user-123',
+    displayName: 'Test User',
+    emails: ['test@example.com'],
+    type: 'person',
+  })
+})
+
+afterEach(() => {
+  loadConfigSpy?.mockRestore()
+  getTokenSpy?.mockRestore()
+  loginSpy?.mockRestore()
+  testAuthSpy?.mockRestore()
+})
+
+describe('ensureWebexAuth', () => {
+  test('does nothing when no config stored', async () => {
+    // given
+    loadConfigSpy.mockResolvedValue(null)
+
+    // when
+    await ensureWebexAuth()
+
+    // then
+    expect(getTokenSpy).not.toHaveBeenCalled()
+    expect(testAuthSpy).not.toHaveBeenCalled()
+  })
+
+  test('validates token when stored', async () => {
+    // given
+    loadConfigSpy.mockResolvedValue({
+      accessToken: 'test-webex-token',
+      refreshToken: 'refresh',
+      expiresAt: Date.now() + 3600000,
+      clientId: 'stored-id',
+      clientSecret: 'stored-secret',
+    })
+    getTokenSpy.mockResolvedValue('test-webex-token')
+
+    // when
+    await ensureWebexAuth()
+
+    // then
+    expect(getTokenSpy).toHaveBeenCalledWith('stored-id', 'stored-secret')
+    expect(loginSpy).toHaveBeenCalledWith({ token: 'test-webex-token' })
+    expect(testAuthSpy).toHaveBeenCalled()
+  })
+
+  test('does not throw when token validation fails', async () => {
+    // given
+    loadConfigSpy.mockResolvedValue({
+      accessToken: 'invalid-token',
+      refreshToken: 'refresh',
+      expiresAt: Date.now() + 3600000,
+    })
+    getTokenSpy.mockResolvedValue('invalid-token')
+    testAuthSpy.mockRejectedValue(new Error('401 Unauthorized'))
+
+    // when / then
+    await expect(ensureWebexAuth()).resolves.toBeUndefined()
+  })
+
+  test('does not throw when credential manager fails', async () => {
+    // given
+    getTokenSpy.mockRejectedValue(new Error('Disk read error'))
+
+    // when / then
+    await expect(ensureWebexAuth()).resolves.toBeUndefined()
+  })
+})

package/src/platforms/webex/ensure-auth.ts

@@ -0,0 +1,19 @@
+import { WebexClient } from './client'
+import { WebexCredentialManager } from './credential-manager'
+
+export async function ensureWebexAuth(): Promise<void> {
+  try {
+    const credManager = new WebexCredentialManager()
+    const config = await credManager.loadConfig()
+    if (!config) return
+
+    const token = await credManager.getToken(config.clientId, config.clientSecret)
+    if (!token) return
+
+    const client = new WebexClient()
+    await client.login({ token })
+    await client.testAuth()
+  } catch {
+    // Intentionally silent — best-effort preflight that should not block commands
+  }
+}

package/src/platforms/webex/index.test.ts

@@ -0,0 +1,25 @@
+import { describe, expect, test } from 'bun:test'
+
+import * as webex from './index'
+
+describe('webex barrel exports', () => {
+  test('exports WebexClient', () => {
+    expect(webex.WebexClient).toBeDefined()
+  })
+
+  test('exports WebexCredentialManager', () => {
+    expect(webex.WebexCredentialManager).toBeDefined()
+  })
+
+  test('exports WebexError', () => {
+    expect(webex.WebexError).toBeDefined()
+  })
+
+  test('exports Zod schemas', () => {
+    expect(webex.WebexSpaceSchema).toBeDefined()
+    expect(webex.WebexMessageSchema).toBeDefined()
+    expect(webex.WebexPersonSchema).toBeDefined()
+    expect(webex.WebexMembershipSchema).toBeDefined()
+    expect(webex.WebexConfigSchema).toBeDefined()
+  })
+})

package/src/platforms/webex/index.ts

@@ -0,0 +1,17 @@
+export { WebexClient } from './client'
+export { WebexCredentialManager } from './credential-manager'
+export { WebexError } from './types'
+export type {
+  WebexConfig,
+  WebexMembership,
+  WebexMessage,
+  WebexPerson,
+  WebexSpace,
+} from './types'
+export {
+  WebexConfigSchema,
+  WebexMembershipSchema,
+  WebexMessageSchema,
+  WebexPersonSchema,
+  WebexSpaceSchema,
+} from './types'

package/src/platforms/webex/types.test.ts

@@ -0,0 +1,307 @@
+import { expect, test } from 'bun:test'
+
+import {
+  WebexConfigSchema,
+  WebexError,
+  WebexMembershipSchema,
+  WebexMessageSchema,
+  WebexPersonSchema,
+  WebexSpaceSchema,
+} from './types'
+
+test('WebexSpaceSchema validates valid space', () => {
+  const result = WebexSpaceSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    title: 'Project Alpha',
+    type: 'group',
+    isLocked: false,
+    lastActivity: '2024-01-15T10:30:00.000Z',
+    created: '2024-01-01T00:00:00.000Z',
+    creatorId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexSpaceSchema validates space with optional teamId', () => {
+  const result = WebexSpaceSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    title: 'Project Alpha',
+    type: 'group',
+    isLocked: true,
+    teamId: 'Y2lzY29zcGFyazovL3VzL1RFQU0vdGVhbQ',
+    lastActivity: '2024-01-15T10:30:00.000Z',
+    created: '2024-01-01T00:00:00.000Z',
+    creatorId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexSpaceSchema validates direct space type', () => {
+  const result = WebexSpaceSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1JPT00vZGlyZWN0',
+    title: 'Direct Message',
+    type: 'direct',
+    isLocked: false,
+    lastActivity: '2024-01-15T10:30:00.000Z',
+    created: '2024-01-01T00:00:00.000Z',
+    creatorId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexSpaceSchema rejects missing required fields', () => {
+  const result = WebexSpaceSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    title: 'Project Alpha',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexSpaceSchema rejects invalid type', () => {
+  const result = WebexSpaceSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    title: 'Project Alpha',
+    type: 'channel',
+    isLocked: false,
+    lastActivity: '2024-01-15T10:30:00.000Z',
+    created: '2024-01-01T00:00:00.000Z',
+    creatorId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexMessageSchema validates valid message', () => {
+  const result = WebexMessageSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FU1NBR0UvbXNn',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    roomType: 'group',
+    text: 'Hello world',
+    personId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    personEmail: 'user@example.com',
+    created: '2024-01-15T10:30:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexMessageSchema validates message with optional fields', () => {
+  const result = WebexMessageSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FU1NBR0UvbXNn',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    roomType: 'group',
+    text: 'Hello world',
+    markdown: '**Hello world**',
+    html: '<strong>Hello world</strong>',
+    files: ['https://webexapis.com/v1/contents/file1'],
+    personId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    personEmail: 'user@example.com',
+    created: '2024-01-15T10:30:00.000Z',
+    parentId: 'Y2lzY29zcGFyazovL3VzL01FU1NBR0UvcGFyZW50',
+    mentionedPeople: ['Y2lzY29zcGFyazovL3VzL1BFT1BMRS9tZW50aW9u'],
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexMessageSchema rejects missing required fields', () => {
+  const result = WebexMessageSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FU1NBR0UvbXNn',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    text: 'Hello world',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexMessageSchema rejects invalid roomType', () => {
+  const result = WebexMessageSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FU1NBR0UvbXNn',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    roomType: 'team',
+    personId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    personEmail: 'user@example.com',
+    created: '2024-01-15T10:30:00.000Z',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexPersonSchema validates valid person', () => {
+  const result = WebexPersonSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    emails: ['user@example.com'],
+    displayName: 'Test User',
+    orgId: 'Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi9vcmc',
+    type: 'person',
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexPersonSchema validates person with optional fields', () => {
+  const result = WebexPersonSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    emails: ['user@example.com', 'user@work.com'],
+    displayName: 'Test User',
+    nickName: 'Tester',
+    firstName: 'Test',
+    lastName: 'User',
+    avatar: 'https://example.com/avatar.jpg',
+    orgId: 'Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi9vcmc',
+    type: 'person',
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexPersonSchema validates bot type', () => {
+  const result = WebexPersonSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9ib3Q',
+    emails: ['bot@webex.bot'],
+    displayName: 'My Bot',
+    orgId: 'Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi9vcmc',
+    type: 'bot',
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexPersonSchema rejects missing required fields', () => {
+  const result = WebexPersonSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    displayName: 'Test User',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexPersonSchema rejects invalid type', () => {
+  const result = WebexPersonSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    emails: ['user@example.com'],
+    displayName: 'Test User',
+    orgId: 'Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi9vcmc',
+    type: 'admin',
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexMembershipSchema validates valid membership', () => {
+  const result = WebexMembershipSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FTUJFUlNISVAvbWVt',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    personId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    personEmail: 'user@example.com',
+    personDisplayName: 'Test User',
+    isModerator: false,
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexMembershipSchema validates moderator membership', () => {
+  const result = WebexMembershipSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FTUJFUlNISVAvbWVt',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+    personId: 'Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hYmM',
+    personEmail: 'moderator@example.com',
+    personDisplayName: 'Moderator User',
+    isModerator: true,
+    created: '2024-01-01T00:00:00.000Z',
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexMembershipSchema rejects missing required fields', () => {
+  const result = WebexMembershipSchema.safeParse({
+    id: 'Y2lzY29zcGFyazovL3VzL01FTUJFUlNISVAvbWVt',
+    roomId: 'Y2lzY29zcGFyazovL3VzL1JPT00vYWJj',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexConfigSchema validates valid OAuth config', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: 'test',
+    expiresAt: 1234567890,
+  })
+  expect(result.success).toBe(true)
+})
+
+test('WebexConfigSchema validates config with clientId and clientSecret', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: 'test',
+    expiresAt: 1234567890,
+    clientId: 'C123abc',
+    clientSecret: 'secret456',
+  })
+  expect(result.success).toBe(true)
+  if (result.success) {
+    expect(result.data.clientId).toBe('C123abc')
+    expect(result.data.clientSecret).toBe('secret456')
+  }
+})
+
+test('WebexConfigSchema validates config with tokenType oauth', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: 'test',
+    expiresAt: 1234567890,
+    tokenType: 'oauth',
+  })
+  expect(result.success).toBe(true)
+  if (result.success) {
+    expect(result.data.tokenType).toBe('oauth')
+  }
+})
+
+test('WebexConfigSchema validates config with tokenType manual', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: '',
+    expiresAt: 0,
+    tokenType: 'manual',
+  })
+  expect(result.success).toBe(true)
+  if (result.success) {
+    expect(result.data.tokenType).toBe('manual')
+  }
+})
+
+test('WebexConfigSchema rejects invalid tokenType', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: 'test',
+    expiresAt: 1234567890,
+    tokenType: 'invalid',
+  })
+  expect(result.success).toBe(false)
+})
+
+test('WebexConfigSchema accepts config without clientId/clientSecret (backward compat)', () => {
+  const result = WebexConfigSchema.safeParse({
+    accessToken: 'test',
+    refreshToken: 'test',
+    expiresAt: 1234567890,
+  })
+  expect(result.success).toBe(true)
+  if (result.success) {
+    expect(result.data.clientId).toBeUndefined()
+    expect(result.data.clientSecret).toBeUndefined()
+  }
+})
+
+test('WebexConfigSchema rejects missing fields', () => {
+  const result = WebexConfigSchema.safeParse({})
+  expect(result.success).toBe(false)
+})
+
+test('WebexError has correct name and code', () => {
+  const error = new WebexError('Not found', 'NOT_FOUND')
+  expect(error.name).toBe('WebexError')
+  expect(error.message).toBe('Not found')
+  expect(error.code).toBe('NOT_FOUND')
+})
+
+test('WebexError is instance of Error', () => {
+  const error = new WebexError('Unauthorized', 'UNAUTHORIZED')
+  expect(error instanceof Error).toBe(true)
+})