agent-messenger 2.9.0 → 2.10.0

package/src/platforms/teams/credential-manager.test.ts

@@ -88,6 +88,31 @@ describe('TeamsCredentialManager', () => {
     expect(team).toBeNull()
   })
 
+  test('getTokenWithExpiry includes region', async () => {
+    const manager = setup()
+    await manager.saveConfig({
+      current_account: 'work',
+      accounts: {
+        work: {
+          token: 'test-token',
+          token_expires_at: '2025-12-31T23:59:59Z',
+          region: 'emea',
+          account_type: 'work',
+          current_team: null,
+          teams: {},
+        },
+      },
+    })
+
+    const token = await manager.getTokenWithExpiry()
+    expect(token).toEqual({
+      token: 'test-token',
+      tokenExpiresAt: '2025-12-31T23:59:59Z',
+      accountType: 'work',
+      region: 'emea',
+    })
+  })
+
   test('getCurrentTeam returns null when current_team is set but team not in teams record', async () => {
     const manager = setup()
     await manager.setToken('test-token', 'work')

package/src/platforms/teams/credential-manager.ts

@@ -3,7 +3,7 @@ import { mkdir, readFile, rm, writeFile } from 'node:fs/promises'
 import { homedir } from 'node:os'
 import { join } from 'node:path'
 
-import type { TeamsAccount, TeamsAccountType, TeamsConfig, TeamsConfigLegacy } from './types'
+import type { TeamsAccount, TeamsAccountType, TeamsConfig, TeamsConfigLegacy, TeamsRegion } from './types'
 
 export class TeamsCredentialManager {
   static accountOverride?: TeamsAccountType
@@ -78,12 +78,22 @@ export class TeamsCredentialManager {
     return this.resolveCurrentAccount(config)?.token ?? null
   }
 
-  async getTokenWithExpiry(): Promise<{ token: string; tokenExpiresAt?: string } | null> {
+  async getTokenWithExpiry(): Promise<{
+    token: string
+    tokenExpiresAt?: string
+    accountType?: TeamsAccountType
+    region?: TeamsRegion
+  } | null> {
     const config = await this.loadConfig()
     if (!config) return null
     const account = this.resolveCurrentAccount(config)
     if (!account?.token) return null
-    return { token: account.token, tokenExpiresAt: account.token_expires_at }
+    return {
+      token: account.token,
+      tokenExpiresAt: account.token_expires_at,
+      accountType: account.account_type,
+      region: account.region,
+    }
   }
 
   async setToken(token: string, accountType: TeamsAccountType, expiresAt?: string): Promise<void> {

package/src/platforms/teams/ensure-auth.test.ts

@@ -10,6 +10,7 @@ let extractSpy: ReturnType<typeof spyOn>
 let testAuthSpy: ReturnType<typeof spyOn>
 let listTeamsSpy: ReturnType<typeof spyOn>
 let saveConfigSpy: ReturnType<typeof spyOn>
+let getRegionSpy: ReturnType<typeof spyOn>
 
 beforeEach(() => {
   loadConfigSpy = spyOn(TeamsCredentialManager.prototype, 'loadConfig').mockResolvedValue(null)
@@ -28,6 +29,8 @@ beforeEach(() => {
     { id: 'team-2', name: 'Team Two' },
   ])
 
+  getRegionSpy = spyOn(TeamsClient.prototype, 'getRegion').mockReturnValue('emea')
+
   saveConfigSpy = spyOn(TeamsCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
 })
 
@@ -37,6 +40,7 @@ afterEach(() => {
   testAuthSpy?.mockRestore()
   listTeamsSpy?.mockRestore()
   saveConfigSpy?.mockRestore()
+  getRegionSpy?.mockRestore()
 })
 
 describe('ensureTeamsAuth', () => {
@@ -78,6 +82,7 @@ describe('ensureTeamsAuth', () => {
         accounts: expect.objectContaining({
           work: expect.objectContaining({
             token: 'test-teams-token',
+            region: 'emea',
             current_team: 'team-1',
             teams: {
               'team-1': { team_id: 'team-1', team_name: 'Team One' },
@@ -215,7 +220,7 @@ describe('ensureTeamsAuth', () => {
         current_account: 'work',
         accounts: expect.objectContaining({
           work: expect.objectContaining({ token: 'work-token', current_team: 'team-w' }),
-          personal: expect.objectContaining({ token: 'personal-token', current_team: 'team-p' }),
+          personal: expect.objectContaining({ token: 'personal-token', region: 'emea', current_team: 'team-p' }),
         }),
       }),
     )

package/src/platforms/teams/ensure-auth.ts

@@ -23,11 +23,15 @@ export async function ensureTeamsAuth(): Promise<void> {
 
     for (const { token, accountType } of extracted) {
       try {
-        const client = await new TeamsClient().login({ token })
+        const client = await new TeamsClient().login({
+          token,
+          accountType,
+          region: config?.accounts[accountType]?.region,
+        })
         await client.testAuth()
 
         const teams = await client.listTeams()
-        if (teams.length === 0) continue
+        if (accountType !== 'personal' && teams.length === 0) continue
 
         const teamMap: Record<string, { team_id: string; team_name: string }> = {}
         for (const team of teams) {
@@ -38,6 +42,7 @@ export async function ensureTeamsAuth(): Promise<void> {
         const account: TeamsAccount = {
           token,
           token_expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          region: client.getRegion(),
           account_type: accountType,
           user_name: existing?.user_name,
           current_team: existing?.current_team ?? teams[0].id,

package/src/platforms/teams/token-extractor.ts

@@ -55,9 +55,11 @@ export class TeamsTokenExtractor {
   private platform: NodeJS.Platform
   private decryptor: ChromiumCookieDecryptor
   private cookieReader: ChromiumCookieReader
+  private debugLog: ((message: string) => void) | null
 
-  constructor(platform?: NodeJS.Platform, keyCache?: DerivedKeyCache) {
+  constructor(platform?: NodeJS.Platform, keyCache?: DerivedKeyCache, debugLog?: (message: string) => void) {
     this.platform = platform ?? process.platform
+    this.debugLog = debugLog ?? null
 
     const resolvedKeyCache = keyCache ?? new DerivedKeyCache()
     this.decryptor = new ChromiumCookieDecryptor({
@@ -69,6 +71,10 @@ export class TeamsTokenExtractor {
     this.cookieReader = new ChromiumCookieReader()
   }
 
+  private debug(message: string): void {
+    this.debugLog?.(message)
+  }
+
   getDesktopCookiesPaths(): TeamsCookiePath[] {
     switch (this.platform) {
       case 'darwin': {
@@ -197,17 +203,38 @@ export class TeamsTokenExtractor {
   private async extractFromCookiesDB(): Promise<ExtractedTeamsToken[]> {
     const results: ExtractedTeamsToken[] = []
     const seenAccountTypes = new Set<TeamsAccountType>()
+    const allPaths = this.getTeamsCookiesPaths()
+
+    this.debug(`Scanning ${allPaths.length} candidate cookie path(s)`)
+
+    for (const { path: dbPath, accountType } of allPaths) {
+      if (!dbPath) continue
+
+      if (!existsSync(dbPath)) {
+        this.debug(`  [skip] ${dbPath} (not found)`)
+        continue
+      }
+
+      if (seenAccountTypes.has(accountType)) {
+        this.debug(`  [skip] ${dbPath} (already have ${accountType} account)`)
+        continue
+      }
 
-    for (const { path: dbPath, accountType } of this.getTeamsCookiesPaths()) {
-      if (!dbPath || !existsSync(dbPath) || seenAccountTypes.has(accountType)) continue
+      this.debug(`  [try]  ${dbPath} (${accountType})`)
 
       const token = await this.copyAndExtract(dbPath)
       if (token && this.isValidSkypeToken(token)) {
+        this.debug(`  [ok]   Extracted valid token (${token.length} chars)`)
         results.push({ token, accountType })
         seenAccountTypes.add(accountType)
+      } else if (token) {
+        this.debug(`  [fail] Token too short (${token.length} chars, need >=50)`)
+      } else {
+        this.debug(`  [fail] No token extracted`)
       }
     }
 
+    this.debug(`Extraction complete: ${results.length} token(s) found`)
     return results
   }
 
@@ -216,11 +243,26 @@ export class TeamsTokenExtractor {
 
     try {
       tempPath = this.copyDatabaseToTemp(dbPath, dbPath)
-      const localStatePath =
-        this.platform === 'win32' ? (findLocalStatePath(dbPath) ?? this.getLocalStatePath()) : undefined
+
+      let localStatePath: string | undefined
+      if (this.platform === 'win32') {
+        localStatePath = findLocalStatePath(dbPath) ?? undefined
+        if (localStatePath) {
+          this.debug(`    Local State (from cookie path): ${localStatePath}`)
+        } else {
+          localStatePath = this.getLocalStatePath()
+          if (existsSync(localStatePath)) {
+            this.debug(`    Local State (fallback): ${localStatePath}`)
+          } else {
+            this.debug(`    Local State not found (tried fallback: ${localStatePath})`)
+            localStatePath = undefined
+          }
+        }
+      }
 
       return await this.extractFromSQLite(tempPath, localStatePath)
-    } catch {
+    } catch (error) {
+      this.debug(`    Copy/extract error: ${(error as Error).message}`)
       return null
     } finally {
       this.cleanupTempFile(tempPath)
@@ -231,27 +273,50 @@ export class TeamsTokenExtractor {
     try {
       for (const hostPattern of TEAMS_HOST_PATTERNS) {
         const sql = `
-          SELECT encrypted_value 
+          SELECT value, encrypted_value 
           FROM cookies 
           WHERE name = '${SKYPETOKEN_COOKIE_NAME}' 
           AND host_key LIKE '%${hostPattern}%'
           LIMIT 1
         `
 
-        type CookieRow = { encrypted_value?: Uint8Array | Buffer } | null
+        type CookieRow = { value?: string; encrypted_value?: Uint8Array | Buffer } | null
 
         const row = await this.cookieReader.queryFirst<CookieRow>(dbPath, sql)
-        if (!row?.encrypted_value) continue
+        if (!row) continue
+
+        if (row.value && row.value.length >= 50) {
+          this.debug(`    Found plaintext cookie for ${hostPattern} (${row.value.length} chars)`)
+          return row.value
+        }
+
+        if (!row.encrypted_value || row.encrypted_value.length === 0) {
+          this.debug(`    No cookie data for ${hostPattern}`)
+          continue
+        }
+
+        const encBuf = Buffer.from(row.encrypted_value)
+        const isEncrypted = this.isEncryptedValue(encBuf)
+        this.debug(
+          `    Found cookie for ${hostPattern}: ${encBuf.length} bytes, encrypted=${isEncrypted}, prefix=${encBuf.subarray(0, 3).toString('utf8')}`,
+        )
 
-        const decryptedBuf = this.decryptor.decryptCookieRaw(Buffer.from(row.encrypted_value), localStatePath)
-        if (!decryptedBuf) continue
+        const decryptedBuf = this.decryptor.decryptCookieRaw(encBuf, localStatePath)
+        if (!decryptedBuf) {
+          this.debug(`    Decryption failed`)
+          continue
+        }
 
+        this.debug(`    Decrypted: ${decryptedBuf.length} bytes`)
         const token = this.postProcessDecrypted(decryptedBuf)
         if (this.isValidSkypeToken(token)) return token
+
+        this.debug(`    Post-process result not a valid token (${token.length} chars)`)
       }
 
       return null
-    } catch {
+    } catch (error) {
+      this.debug(`    SQLite query error: ${(error as Error).message}`)
       return null
     }
   }

package/src/platforms/teams/types.test.ts

@@ -203,6 +203,7 @@ test('TeamsConfigSchema validates config with multiple accounts', () => {
       work: {
         token: 'work_token',
         token_expires_at: '2024-01-01T00:00:00.000Z',
+        region: 'emea',
         account_type: 'work',
         user_name: 'Work User',
         current_team: '19:abc123@thread.tacv2',
@@ -224,6 +225,22 @@ test('TeamsConfigSchema validates config with multiple accounts', () => {
   expect(result.success).toBe(true)
 })
 
+test('TeamsConfigSchema rejects invalid region', () => {
+  const result = TeamsConfigSchema.safeParse({
+    current_account: 'work',
+    accounts: {
+      work: {
+        token: 'token_value',
+        region: 'invalid',
+        account_type: 'work',
+        current_team: null,
+        teams: {},
+      },
+    },
+  })
+  expect(result.success).toBe(false)
+})
+
 test('TeamsConfigSchema rejects missing required fields', () => {
   const result = TeamsConfigSchema.safeParse({
     current_account: null,

package/src/platforms/teams/types.ts

@@ -55,9 +55,12 @@ export interface TeamsCredentials {
 
 export type TeamsAccountType = 'work' | 'personal'
 
+export type TeamsRegion = 'amer' | 'emea' | 'apac'
+
 export interface TeamsAccount {
   token: string
   token_expires_at?: string
+  region?: TeamsRegion
   account_type: TeamsAccountType
   user_name?: string
   current_team: string | null
@@ -141,9 +144,12 @@ export const TeamsCredentialsSchema = z.object({
 
 export const TeamsAccountTypeSchema = z.enum(['work', 'personal'])
 
+export const TeamsRegionSchema = z.enum(['amer', 'emea', 'apac'])
+
 export const TeamsAccountSchema = z.object({
   token: z.string(),
   token_expires_at: z.string().optional(),
+  region: TeamsRegionSchema.optional(),
   account_type: TeamsAccountTypeSchema,
   user_name: z.string().optional(),
   current_team: z.string().nullable(),

package/src/platforms/webex/client.test.ts

@@ -1,6 +1,9 @@
 import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
 
+import * as jose from 'node-jose'
+
 import { WebexClient } from './client'
+import { WebexEncryptionService } from './encryption'
 import { WebexError } from './types'
 
 describe('WebexClient', () => {
@@ -56,6 +59,17 @@ describe('WebexClient', () => {
       await expect(new WebexClient().login({ token: '' })).rejects.toThrow(WebexError)
       await expect(new WebexClient().login({ token: '' })).rejects.toThrow('Token is required')
     })
+
+    test('accepts deviceUrl and tokenType', async () => {
+      const client = await new WebexClient().login({
+        token: 'test-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+      expect(client).toBeInstanceOf(WebexClient)
+      expect((client as any).deviceUrl).toBe('https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1')
+      expect((client as any).tokenType).toBe('extracted')
+    })
   })
 
   describe('testAuth', () => {
@@ -84,6 +98,59 @@ describe('WebexClient', () => {
       const client = await new WebexClient().login({ token: 'bad-token' })
       await expect(client.testAuth()).rejects.toThrow(WebexError)
     })
+
+    test('falls back to internal API when public API fails for extracted tokens', async () => {
+      // given - public API rejects, internal API succeeds
+      mockResponse({ message: 'Unauthorized' }, 401)
+      fetchResponses.push(
+        new Response(JSON.stringify({ id: 'conv-1', activities: { items: [] } }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        }),
+      )
+
+      const client = await new WebexClient().login({
+        token: 'extracted-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+
+      // when
+      const person = await client.testAuth()
+
+      // then - succeeds via internal API
+      expect(fetchCalls.length).toBe(2)
+      expect(fetchCalls[0].url).toBe('https://webexapis.com/v1/people/me')
+      expect(fetchCalls[1].url).toContain('conv-r.wbx2.com/conversation/api/v1/conversations')
+      expect(person).toBeTruthy()
+    })
+
+    test('throws when both public and internal APIs fail for extracted tokens', async () => {
+      // given - both APIs reject
+      mockResponse({ message: 'Unauthorized' }, 401)
+      fetchResponses.push(
+        new Response(JSON.stringify({ message: 'Unauthorized' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json' },
+        }),
+      )
+
+      const client = await new WebexClient().login({
+        token: 'bad-extracted-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+
+      await expect(client.testAuth()).rejects.toThrow(WebexError)
+    })
+
+    test('does not use internal API fallback for non-extracted tokens', async () => {
+      mockResponse({ message: 'Unauthorized' }, 401)
+
+      const client = await new WebexClient().login({ token: 'bad-token' })
+      await expect(client.testAuth()).rejects.toThrow(WebexError)
+      expect(fetchCalls.length).toBe(1)
+    })
   })
 
   describe('listSpaces', () => {
@@ -402,10 +469,11 @@ describe('WebexClient', () => {
     })
 
     const createExtractedClient = async () => {
-      const client = await new WebexClient().login({ token: 'extracted-token' })
-      ;(client as any).deviceUrl = TEST_DEVICE_URL
-      ;(client as any).tokenType = 'extracted'
-      return client
+      return new WebexClient().login({
+        token: 'extracted-token',
+        deviceUrl: TEST_DEVICE_URL,
+        tokenType: 'extracted',
+      })
     }
 
     describe('sendMessage', () => {
@@ -419,7 +487,7 @@ describe('WebexClient', () => {
         expect(fetchCalls[0].options?.method).toBe('POST')
       })
 
-      test('body has verb, object type, displayName, and content', async () => {
+      test('body has verb, object type, and displayName (no content for plain text)', async () => {
         mockResponse(mockActivity('Hello world'))
 
         const client = await createExtractedClient()
@@ -429,7 +497,7 @@ describe('WebexClient', () => {
         expect(body.verb).toBe('post')
         expect(body.object.objectType).toBe('comment')
         expect(body.object.displayName).toBe('Hello world')
-        expect(body.object.content).toBe('Hello world')
+        expect(body.object.content).toBeUndefined()
       })
 
       test('body has target with decoded conv UUID and conversation type', async () => {
@@ -488,7 +556,7 @@ describe('WebexClient', () => {
         expect(body.object.markdown).toBeUndefined()
       })
 
-      test('markdown option does not affect plain text messages', async () => {
+      test('plain text messages omit content field', async () => {
         mockResponse(mockActivity('Hello world'))
 
         const client = await createExtractedClient()
@@ -496,7 +564,7 @@ describe('WebexClient', () => {
 
         const body = JSON.parse(fetchCalls[0].options?.body as string)
         expect(body.object.displayName).toBe('Hello world')
-        expect(body.object.content).toBe('Hello world')
+        expect(body.object.content).toBeUndefined()
       })
     })
 
@@ -620,8 +688,11 @@ describe('WebexClient', () => {
     })
 
     describe('editMessage', () => {
+      const mockEditActivity = (text: string, parentId = 'activity-123') =>
+        mockActivity(text, { parent: { id: parentId, type: 'edit' } })
+
       test('posts activity with verb post and parent edit reference', async () => {
-        mockResponse(mockActivity('Edited text'))
+        mockResponse(mockEditActivity('Edited text'))
 
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -631,8 +702,8 @@ describe('WebexClient', () => {
         expect(body.parent).toEqual({ id: 'activity-123', type: 'edit' })
       })
 
-      test('body has object with comment type and new text', async () => {
-        mockResponse(mockActivity('Edited text'))
+      test('plain text edit populates both displayName and content to avoid auto-tombstone', async () => {
+        mockResponse(mockEditActivity('Edited text'))
 
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -643,8 +714,18 @@ describe('WebexClient', () => {
         expect(body.object.content).toBe('Edited text')
       })
 
+      test('clientTempId uses -edit suffix to match Webex web client format', async () => {
+        mockResponse(mockEditActivity('Edited text'))
+
+        const client = await createExtractedClient()
+        await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+
+        const body = JSON.parse(fetchCalls[0].options?.body as string)
+        expect(body.clientTempId).toMatch(/^tmp-\d+-edit$/)
+      })
+
       test('target has decoded conv UUID', async () => {
-        mockResponse(mockActivity('Edited text'))
+        mockResponse(mockEditActivity('Edited text'))
 
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -654,7 +735,7 @@ describe('WebexClient', () => {
       })
 
       test('markdown option converts content to HTML and strips displayName', async () => {
-        mockResponse(mockActivity('italic text'))
+        mockResponse(mockEditActivity('italic text'))
 
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, '_italic text_', { markdown: true })
@@ -664,6 +745,69 @@ describe('WebexClient', () => {
         expect(body.object.content).toBe('<em>italic text</em>')
         expect(body.object.markdown).toBeUndefined()
       })
+
+      test('tolerates responses that omit parent (minimal success shape)', async () => {
+        mockResponse(mockActivity('Edited text'))
+
+        const client = await createExtractedClient()
+        const message = await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+        expect(message.id).toBe('activity-123')
+      })
+
+      test('throws when server returns activity linked to a different parent', async () => {
+        mockResponse(mockEditActivity('Edited text', 'activity-999'))
+
+        const client = await createExtractedClient()
+        await expect(client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')).rejects.toThrow(/Edit rejected/)
+      })
+    })
+
+    describe('encrypted send and edit', () => {
+      const TEST_KEY_URI = 'kms://kms-aore.wbx2.com/keys/test-key-id'
+
+      const decodeJweHeader = (jwe: string): Record<string, unknown> => {
+        const [header = ''] = jwe.split('.')
+        const padded = header + '='.repeat((4 - (header.length % 4)) % 4)
+        return JSON.parse(Buffer.from(padded, 'base64url').toString('utf8')) as Record<string, unknown>
+      }
+
+      const createEncryptedClient = async () => {
+        const keystore = jose.JWK.createKeyStore()
+        const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
+        const rawKeys = new Map<string, string>([[TEST_KEY_URI, JSON.stringify({ jwk: key.toJSON(true) })]])
+        const service = new WebexEncryptionService(rawKeys)
+        const client = await createExtractedClient()
+        ;(client as unknown as { encryption: WebexEncryptionService }).encryption = service
+        return client
+      }
+
+      test('plain text send omits content field on encrypted path (preserves prior fix)', async () => {
+        mockResponse({ id: TEST_CONV_UUID, defaultActivityEncryptionKeyUrl: TEST_KEY_URI })
+        mockResponse(mockActivity('Hello world'))
+
+        const client = await createEncryptedClient()
+        await client.sendMessage(TEST_ROOM_ID, 'Hello world')
+
+        const body = JSON.parse(fetchCalls[1].options?.body as string)
+        expect(body.object.content).toBeUndefined()
+        expect(body.object.displayName.startsWith('eyJ')).toBe(true)
+        expect(body.encryptionKeyUrl).toBe(TEST_KEY_URI)
+      })
+
+      test('plain text edit encrypts both displayName and content with kid in JWE header', async () => {
+        mockResponse({ id: TEST_CONV_UUID, defaultActivityEncryptionKeyUrl: TEST_KEY_URI })
+        mockResponse(mockActivity('Edited text', { parent: { id: 'activity-123', type: 'edit' } }))
+
+        const client = await createEncryptedClient()
+        await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+
+        const body = JSON.parse(fetchCalls[1].options?.body as string)
+        expect(body.object.displayName.startsWith('eyJ')).toBe(true)
+        expect(body.object.content.startsWith('eyJ')).toBe(true)
+        expect(body.encryptionKeyUrl).toBe(TEST_KEY_URI)
+        expect(decodeJweHeader(body.object.displayName).kid).toBe(TEST_KEY_URI)
+        expect(decodeJweHeader(body.object.content).kid).toBe(TEST_KEY_URI)
+      })
     })
 
     describe('sendDirectMessage', () => {