agent-messenger 2.9.0 → 2.10.0

package/src/platforms/webex/client.ts

@@ -21,12 +21,14 @@ export class WebexClient {
   private globalRateLimitUntil: number = 0
   private encryption: WebexEncryptionService | null = null
 
-  async login(credentials?: { token: string }): Promise<this> {
+  async login(credentials?: { token: string; deviceUrl?: string; tokenType?: string }): Promise<this> {
     if (credentials) {
       if (!credentials.token) {
         throw new WebexError('Token is required', 'missing_token')
       }
       this.token = credentials.token
+      if (credentials.deviceUrl !== undefined) this.deviceUrl = credentials.deviceUrl
+      if (credentials.tokenType !== undefined) this.tokenType = credentials.tokenType
       return this
     }
 
@@ -161,9 +163,28 @@ export class WebexClient {
   }
 
   async testAuth(): Promise<WebexPerson> {
+    if (this.useInternalAPI) {
+      try {
+        return await this.request<WebexPerson>('GET', '/people/me')
+      } catch (err) {
+        const isAuthError = err instanceof WebexError && (err.code === 'http_401' || err.code === 'http_403')
+        if (!isAuthError) throw err
+        await this.testAuthInternal()
+        return { id: '', emails: [], displayName: '', orgId: '', type: 'person', created: '' } as WebexPerson
+      }
+    }
     return this.request<WebexPerson>('GET', '/people/me')
   }
 
+  private async testAuthInternal(): Promise<void> {
+    if (!this.deviceUrl) {
+      throw new WebexError('No device URL available for internal API validation', 'no_device_url')
+    }
+    await this.internalRequest<InternalConversation>(
+      '/conversations?participantsLimit=0&activitiesLimit=0&conversationsLimit=1',
+    )
+  }
+
   async listSpaces(options?: { type?: string; max?: number }): Promise<WebexSpace[]> {
     const params = new URLSearchParams()
     if (options?.type) params.set('type', options.type)
@@ -248,10 +269,15 @@ export class WebexClient {
   private async buildEncryptedObject(
     convUuid: string,
     text: string,
-    options?: { markdown?: boolean },
+    options?: { markdown?: boolean; forEdit?: boolean },
   ): Promise<{ object: Record<string, string>; encryptionKeyUrl?: string }> {
     const displayName = options?.markdown ? stripMarkdown(text) : text
-    const content = options?.markdown ? markdownToHtml(text) : text
+    let content: string | undefined
+    if (options?.markdown) {
+      content = markdownToHtml(text)
+    } else if (options?.forEdit) {
+      content = text
+    }
 
     if (this.encryption) {
       const conv = await this.internalRequest<InternalConversation>(
@@ -260,21 +286,25 @@ export class WebexClient {
       const keyUri = conv.defaultActivityEncryptionKeyUrl
       if (keyUri) {
         const encryptedDisplayName = await this.encryption.encryptText(keyUri, displayName)
-        const encryptedContent = await this.encryption.encryptText(keyUri, content)
-        if (encryptedDisplayName && encryptedContent) {
-          return {
-            object: {
-              objectType: 'comment',
-              displayName: encryptedDisplayName,
-              content: encryptedContent,
-            },
-            encryptionKeyUrl: keyUri,
+        const encryptedContent = content ? await this.encryption.encryptText(keyUri, content) : undefined
+        if (encryptedDisplayName) {
+          const object: Record<string, string> = {
+            objectType: 'comment',
+            displayName: encryptedDisplayName,
+          }
+          if (encryptedContent) {
+            object.content = encryptedContent
           }
+          return { object, encryptionKeyUrl: keyUri }
         }
       }
     }
 
-    return { object: { objectType: 'comment', displayName, content } }
+    const object: Record<string, string> = { objectType: 'comment', displayName }
+    if (content) {
+      object.content = content
+    }
+    return { object }
   }
 
   private async sendMessageInternal(
@@ -349,6 +379,11 @@ export class WebexClient {
     if (this.useInternalAPI) {
       const activity = await this.internalRequest<InternalActivity>(`/activities/${messageId}`)
       const convId = activity.target?.id ?? ''
+      // Internal API responses don't carry the cluster shard (e.g. `us-west-2_r`) the
+      // public roomId encoding requires. The `unknown` placeholder is a sentinel — it
+      // round-trips through other internal API calls because they decode only the
+      // conversation UUID suffix. Callers that need a public-API-safe roomId should
+      // obtain it from `listSpaces()` or pass it through from a prior `sendMessage`.
       const roomId = convId ? Buffer.from(`ciscospark://urn:TEAM:unknown/ROOM/${convId}`).toString('base64') : ''
       return this.activityToMessage(activity, roomId)
     }
@@ -381,14 +416,17 @@ export class WebexClient {
   ): Promise<WebexMessage> {
     if (this.useInternalAPI) {
       const convUuid = this.decodeConvUuid(roomId)
-      const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, options)
+      const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, {
+        ...options,
+        forEdit: true,
+      })
 
       const activity: Record<string, unknown> = {
         verb: 'post',
         object,
         target: { id: convUuid, objectType: 'conversation' },
         parent: { id: messageId, type: 'edit' },
-        clientTempId: `tmp-${Date.now()}`,
+        clientTempId: `tmp-${Date.now()}-edit`,
       }
 
       if (encryptionKeyUrl) {
@@ -399,6 +437,16 @@ export class WebexClient {
         method: 'POST',
         body: JSON.stringify(activity),
       })
+
+      // Tolerate responses that omit `parent` (server may return minimal shape) —
+      // only fail on an explicit mismatch between the echoed parent and the edited id.
+      if (result.parent && result.parent.id !== messageId) {
+        throw new WebexError(
+          `Edit rejected: server linked the new activity ${result.id} to ${result.parent.id} instead of ${messageId}.`,
+          'edit_failed',
+        )
+      }
+
       return this.activityToMessage(result, roomId)
     }
     const body = options?.markdown ? { roomId, markdown: text } : { roomId, text }
@@ -443,6 +491,7 @@ interface InternalActivity {
     encryptionKeyUrl?: string
   }
   target?: { id: string; encryptionKeyUrl?: string }
+  parent?: { id: string; type: string }
   published: string
   encryptionKeyUrl?: string
 }

package/src/platforms/webex/commands/auth.test.ts

@@ -3,7 +3,9 @@ import * as childProcess from 'node:child_process'
 
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
-import { loginAction, logoutAction, statusAction } from './auth'
+import { WebexTokenExtractor } from '../token-extractor'
+import { WebexError } from '../types'
+import { extractAction, loginAction, logoutAction, statusAction } from './auth'
 
 describe('auth commands', () => {
   let consoleSpy: ReturnType<typeof spyOn>
@@ -208,6 +210,125 @@ describe('auth commands', () => {
     })
   })
 
+  describe('extractAction', () => {
+    test('passes deviceUrl and tokenType to client.login', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'extracted-token-at-least-twenty-chars',
+        refreshToken: 'refresh-token',
+        expiresAt: Date.now() + 3600000,
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device-id',
+        userId: 'user-1',
+      })
+      const loginSpy = protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await extractAction({ pretty: false })
+
+      expect(loginSpy).toHaveBeenCalledWith({
+        token: 'extracted-token-at-least-twenty-chars',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/test-device-id',
+        tokenType: 'extracted',
+      })
+    })
+
+    test('attempts refresh when token is expired', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'valid-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      const refreshSpy = protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue({
+        accessToken: 'refreshed-token-at-least-twenty-ch',
+        refreshToken: 'new-refresh',
+        expiresAt: Date.now() + 3600000,
+      })
+      const loginSpy = protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockResolvedValue(mockPerson)
+      protoSpy(WebexCredentialManager.prototype, 'saveConfig').mockResolvedValue(undefined)
+
+      await extractAction({ pretty: false })
+
+      expect(refreshSpy).toHaveBeenCalled()
+      expect(loginSpy).toHaveBeenCalledWith(expect.objectContaining({ token: 'refreshed-token-at-least-twenty-ch' }))
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.authenticated).toBe(true)
+      expect(output.refreshed).toBe(true)
+    })
+
+    test('reports expired token with actionable hint when refresh fails', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'bad-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue(null)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new WebexError('Unauthorized', 'http_401'))
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('expired')
+      expect(output.hint).toContain('web.webex.com')
+      expect(output.hint).toContain('not webex.com')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+
+    test('rethrows non-auth errors even when token is expired', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'expired-token-at-least-twenty-chars-',
+        refreshToken: 'bad-refresh-token',
+        expiresAt: Date.now() - 7200000,
+      })
+      protoSpy(WebexCredentialManager.prototype, 'refreshToken').mockResolvedValue(null)
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new Error('Network error'))
+      protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleErrorSpy.mock.calls[consoleErrorSpy.mock.calls.length - 1]?.[0] as string | undefined
+      if (lastCall) {
+        const output = JSON.parse(lastCall)
+        expect(output.error).toContain('Network error')
+      }
+    })
+
+    test('rethrows non-expiry auth errors', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue({
+        accessToken: 'valid-token-at-least-twenty-chars-xx',
+        expiresAt: Date.now() + 3600000,
+      })
+      protoSpy(WebexClient.prototype, 'login').mockResolvedValue(new WebexClient())
+      protoSpy(WebexClient.prototype, 'testAuth').mockRejectedValue(new Error('Network error'))
+      protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleErrorSpy.mock.calls[consoleErrorSpy.mock.calls.length - 1]?.[0] as string | undefined
+      if (lastCall) {
+        const output = JSON.parse(lastCall)
+        expect(output.error).toContain('Network error')
+      }
+    })
+
+    test('outputs no token found when extract returns null', async () => {
+      protoSpy(WebexTokenExtractor.prototype, 'extract').mockResolvedValue(null)
+      const exitSpy = protoSpy(process, 'exit').mockImplementation(() => undefined as never)
+
+      await extractAction({ pretty: false })
+
+      const lastCall = consoleSpy.mock.calls[consoleSpy.mock.calls.length - 1][0] as string
+      const output = JSON.parse(lastCall)
+      expect(output.error).toContain('No Webex token found')
+      expect(exitSpy).toHaveBeenCalledWith(1)
+    })
+  })
+
   describe('logoutAction', () => {
     test('clears credentials when authenticated', async () => {
       protoSpy(WebexCredentialManager.prototype, 'loadConfig').mockResolvedValue({

package/src/platforms/webex/commands/auth.ts

@@ -8,6 +8,7 @@ import { getWebexAppCredentials } from '../app-config'
 import { WebexClient } from '../client'
 import { WebexCredentialManager } from '../credential-manager'
 import { WebexTokenExtractor } from '../token-extractor'
+import { WebexError } from '../types'
 
 interface ResolvedCredentials {
   clientId: string
@@ -142,7 +143,8 @@ export async function statusAction(options: { pretty?: boolean }): Promise<void>
 
 export async function extractAction(options: { pretty?: boolean; debug?: boolean }): Promise<void> {
   try {
-    const extractor = new WebexTokenExtractor(undefined, options.debug ? (msg) => debug(`[debug] ${msg}`) : undefined)
+    const debugLog = options.debug ? (msg: string) => debug(`[debug] ${msg}`) : undefined
+    const extractor = new WebexTokenExtractor(undefined, debugLog)
 
     if (options.debug) {
       debug('[debug] Searching browser profiles for Webex tokens...')
@@ -155,7 +157,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
         formatOutput(
           {
             error:
-              'No Webex token found in any browser. Make sure you are logged in to web.webex.com in Chrome, Edge, Arc, or Brave.',
+              'No Webex token found in any browser. Make sure you are logged in at https://web.webex.com (not webex.com) in Chrome, Edge, Arc, or Brave.',
             hint: 'Run "auth login" for OAuth Device Grant flow, or --debug for more info.',
           },
           options.pretty,
@@ -165,30 +167,83 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
       return
     }
 
-    const client = await new WebexClient().login({ token: extracted.accessToken })
-    const person = await client.testAuth()
+    const isExpired = extracted.expiresAt != null && extracted.expiresAt > 0 && extracted.expiresAt < Date.now()
+    if (isExpired && options.debug) {
+      const agoMs = Date.now() - extracted.expiresAt!
+      const agoHours = Math.round(agoMs / 3_600_000)
+      debugLog?.(`Token expired ${agoHours > 0 ? `${agoHours}h ago` : 'recently'}.`)
+    }
+
+    let activeToken = extracted.accessToken
+    let refreshedConfig: { accessToken: string; refreshToken: string; expiresAt: number } | null = null
+
+    if (isExpired && extracted.refreshToken) {
+      debugLog?.('Attempting token refresh...')
+      const credManager = new WebexCredentialManager()
+      const { clientId, clientSecret } = getWebexAppCredentials()
+      refreshedConfig = await credManager.refreshToken(extracted.refreshToken, clientId, clientSecret)
+      if (refreshedConfig) {
+        debugLog?.('Token refreshed successfully.')
+        activeToken = refreshedConfig.accessToken
+      } else {
+        debugLog?.('Token refresh failed. Will attempt validation with expired token.')
+      }
+    }
+
+    const client = await new WebexClient().login({
+      token: activeToken,
+      deviceUrl: extracted.deviceUrl,
+      tokenType: 'extracted',
+    })
+
+    let person: { id: string; displayName: string; emails: string[] } | null = null
+    try {
+      const result = await client.testAuth()
+      if (result.id) {
+        person = { id: result.id, displayName: result.displayName, emails: result.emails }
+      }
+    } catch (authError) {
+      const isAuthFailure =
+        authError instanceof WebexError && (authError.code === 'http_401' || authError.code === 'http_403')
+      if (isExpired && isAuthFailure) {
+        console.log(
+          formatOutput(
+            {
+              error: 'Extracted browser token is expired and could not be refreshed.',
+              hint: 'Log in at https://web.webex.com (not webex.com) in your browser, then run "auth extract" again. Or use "auth login" for OAuth Device Grant flow.',
+            },
+            options.pretty,
+          ),
+        )
+        process.exit(1)
+        return
+      }
+      throw authError
+    }
 
     const credManager = new WebexCredentialManager()
     await credManager.saveConfig({
-      accessToken: extracted.accessToken,
-      refreshToken: extracted.refreshToken ?? '',
-      expiresAt: extracted.expiresAt ?? 0,
+      accessToken: activeToken,
+      refreshToken: refreshedConfig?.refreshToken ?? extracted.refreshToken ?? '',
+      expiresAt: refreshedConfig?.expiresAt ?? extracted.expiresAt ?? 0,
       tokenType: 'extracted',
       deviceUrl: extracted.deviceUrl,
       userId: extracted.userId,
       encryptionKeys: extracted.encryptionKeys ? Object.fromEntries(extracted.encryptionKeys) : undefined,
     })
 
-    console.log(
-      formatOutput(
-        {
-          user: { id: person.id, displayName: person.displayName, emails: person.emails },
-          authenticated: true,
-          tokenType: 'extracted',
-        },
-        options.pretty,
-      ),
-    )
+    const output: Record<string, unknown> = {
+      authenticated: true,
+      tokenType: 'extracted',
+    }
+    if (refreshedConfig) {
+      output['refreshed'] = true
+    }
+    if (person) {
+      output['user'] = person
+    }
+
+    console.log(formatOutput(output, options.pretty))
   } catch (error) {
     handleError(error as Error)
   }

package/src/platforms/webex/credential-manager.test.ts

@@ -291,6 +291,69 @@ describe('WebexCredentialManager', () => {
     expect(loaded?.clientSecret).toBe('my-client-secret')
   })
 
+  test('getToken tries refresh for expired extracted tokens', async () => {
+    const originalFetch = globalThis.fetch
+    globalThis.fetch = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: 'refreshed-extracted-token',
+            refresh_token: 'new-refresh',
+            expires_in: 3600,
+          }),
+          { status: 200 },
+        ),
+      ),
+    ) as typeof fetch
+
+    await credManager.saveConfig({
+      accessToken: 'expired-extracted-token',
+      refreshToken: 'extracted-refresh',
+      expiresAt: Date.now() - 1000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('refreshed-extracted-token')
+
+    const config = await credManager.loadConfig()
+    expect(config?.tokenType).toBe('extracted')
+    expect(config?.accessToken).toBe('refreshed-extracted-token')
+
+    globalThis.fetch = originalFetch
+  })
+
+  test('getToken returns expired extracted token when refresh fails', async () => {
+    const originalFetch = globalThis.fetch
+    globalThis.fetch = mock(() =>
+      Promise.resolve(new Response('{"error":"invalid_grant"}', { status: 400 })),
+    ) as typeof fetch
+
+    await credManager.saveConfig({
+      accessToken: 'expired-extracted-token',
+      refreshToken: 'bad-refresh',
+      expiresAt: Date.now() - 1000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('expired-extracted-token')
+
+    globalThis.fetch = originalFetch
+  })
+
+  test('getToken returns non-expired extracted token without refresh', async () => {
+    await credManager.saveConfig({
+      accessToken: 'valid-extracted-token',
+      refreshToken: 'refresh',
+      expiresAt: Date.now() + 3600000,
+      tokenType: 'extracted',
+    })
+
+    const token = await credManager.getToken()
+    expect(token).toBe('valid-extracted-token')
+  })
+
   test('loadConfig backward compat — old config without clientId/clientSecret', async () => {
     // Write raw JSON without clientId/clientSecret fields
     const credPath = join(tempDir, 'webex-credentials.json')

package/src/platforms/webex/credential-manager.ts

@@ -45,16 +45,33 @@ export class WebexCredentialManager {
     const config = await this.loadConfig()
     if (!config) return null
 
-    if (config.tokenType === 'manual' || config.tokenType === 'extracted') {
+    if (config.tokenType === 'manual') {
       return config.accessToken
     }
 
-    if (config.expiresAt < Date.now() + 5 * 60 * 1000) {
+    const isExpired = config.expiresAt > 0 && config.expiresAt < Date.now() + 5 * 60 * 1000
+
+    if (config.tokenType === 'extracted') {
+      if (isExpired && config.refreshToken) {
+        const builtinCreds = getWebexAppCredentials()
+        const refreshed = await this.refreshToken(config.refreshToken, builtinCreds.clientId, builtinCreds.clientSecret)
+        if (refreshed) {
+          await this.saveConfig({ ...config, ...refreshed, tokenType: 'extracted' })
+          return refreshed.accessToken
+        }
+      }
+      return config.accessToken
+    }
+
+    if (isExpired) {
       const builtinCreds = getWebexAppCredentials()
       const resolvedClientId = clientId ?? config.clientId ?? builtinCreds.clientId
       const resolvedClientSecret = clientSecret ?? config.clientSecret ?? builtinCreds.clientSecret
       const refreshed = await this.refreshToken(config.refreshToken, resolvedClientId, resolvedClientSecret)
-      if (refreshed) return refreshed.accessToken
+      if (refreshed) {
+        await this.saveConfig({ ...config, ...refreshed })
+        return refreshed.accessToken
+      }
       return null
     }
 
@@ -82,14 +99,11 @@ export class WebexCredentialManager {
         expires_in: number
       }
 
-      const config: WebexConfig = {
+      return {
         accessToken: data.access_token,
         refreshToken: data.refresh_token,
         expiresAt: Date.now() + data.expires_in * 1000,
-      }
-
-      await this.saveConfig(config)
-      return config
+      } satisfies Pick<WebexConfig, 'accessToken' | 'refreshToken' | 'expiresAt'>
     } catch {
       return null
     }

package/src/platforms/webex/encryption.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, test } from 'bun:test'
+
+import * as jose from 'node-jose'
+
+import { WebexEncryptionService } from './encryption'
+
+const decodeJweHeader = (jwe: string): Record<string, unknown> => {
+  const [header = ''] = jwe.split('.')
+  const padded = header + '='.repeat((4 - (header.length % 4)) % 4)
+  const json = Buffer.from(padded, 'base64url').toString('utf8')
+  return JSON.parse(json) as Record<string, unknown>
+}
+
+const createKeyring = async (keyUri: string) => {
+  const keystore = jose.JWK.createKeyStore()
+  const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
+  const jwk = key.toJSON(true)
+  const rawKeys = new Map<string, string>()
+  rawKeys.set(keyUri, JSON.stringify({ jwk }))
+  return new WebexEncryptionService(rawKeys)
+}
+
+describe('WebexEncryptionService', () => {
+  const keyUri = 'kms://kms-aore.wbx2.com/keys/7819829b-5e0d-4139-9cad-1b6fe7aee533'
+
+  test('encryptText emits JWE with alg, enc, and kid JOSE headers', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText(keyUri, 'hello world')
+
+    expect(jwe).not.toBeNull()
+    const header = decodeJweHeader(jwe as string)
+    expect(header.alg).toBe('dir')
+    expect(header.enc).toBe('A256GCM')
+    expect(header.kid).toBe(keyUri)
+  })
+
+  test('encryptText returns null when key is unknown', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText('kms://other/keys/missing', 'hello')
+
+    expect(jwe).toBeNull()
+  })
+
+  test('decryptText round-trips plaintext encrypted by encryptText', async () => {
+    const service = await createKeyring(keyUri)
+
+    const jwe = await service.encryptText(keyUri, 'round trip')
+    const plaintext = await service.decryptText(keyUri, jwe as string)
+
+    expect(plaintext).toBe('round trip')
+  })
+})

package/src/platforms/webex/encryption.ts

@@ -30,9 +30,11 @@ export class WebexEncryptionService {
     if (!key) return null
 
     try {
+      // Webex desktop/web clients auto-tombstone edit activities whose JWE is missing
+      // `kid` — they can't resolve the KMS key and treat the activity as malformed.
       return await jose.JWE.createEncrypt(
         { format: 'compact', contentAlg: 'A256GCM' },
-        { key, header: { alg: 'dir' }, reference: null },
+        { key, header: { alg: 'dir', kid: keyUri }, reference: null },
       ).final(plaintext, 'utf8')
     } catch {
       return null

package/src/platforms/webex/ensure-auth.ts

@@ -11,7 +11,11 @@ export async function ensureWebexAuth(): Promise<void> {
       const token = await credManager.getToken(config.clientId, config.clientSecret)
       if (token) {
         const client = new WebexClient()
-        await client.login({ token })
+        await client.login({
+          token,
+          deviceUrl: config.deviceUrl,
+          tokenType: config.tokenType,
+        })
         await client.testAuth()
         return
       }
@@ -22,7 +26,11 @@ export async function ensureWebexAuth(): Promise<void> {
     if (!extracted) return
 
     const client = new WebexClient()
-    await client.login({ token: extracted.accessToken })
+    await client.login({
+      token: extracted.accessToken,
+      deviceUrl: extracted.deviceUrl,
+      tokenType: 'extracted',
+    })
     await client.testAuth()
 
     await credManager.saveConfig({