agent-slack 0.5.5 → 0.6.1

package/dist/index.js

@@ -229,10 +229,11 @@ async function copySqliteForRead(dbPath) {
 
 // src/auth/chromium-cookie.ts
 import { pbkdf2Sync, createDecipheriv } from "node:crypto";
-function decryptChromiumCookieValue(data, password, iterations) {
+function decryptChromiumCookieValue(data, options) {
   if (!data || data.length === 0) {
     return "";
   }
+  const { password, iterations } = options;
   if (iterations < 1) {
     throw new RangeError(`iterations must be >= 1, got ${iterations}`);
   }
@@ -373,7 +374,7 @@ async function extractCookieDFromBrave() {
   const passwords = getSafeStoragePasswords();
   for (const password of passwords) {
     try {
-      const decrypted = decryptChromiumCookieValue(data, password, 1003);
+      const decrypted = decryptChromiumCookieValue(data, { password, iterations: 1003 });
       const match = decrypted.match(/xoxd-[A-Za-z0-9%/+_=.-]+/);
       if (match) {
         return match[0];
@@ -529,18 +530,10 @@ function parseSlackCurlCommand(curlInput) {
 
 // src/auth/desktop.ts
 import { cp, mkdir, rm as rm2, unlink } from "node:fs/promises";
-import {
-  existsSync as existsSync4,
-  readFileSync as readFileSync2,
-  readdirSync,
-  copyFileSync,
-  writeFileSync,
-  unlinkSync
-} from "node:fs";
-import { execFileSync as execFileSync2 } from "node:child_process";
-import { createDecipheriv as createDecipheriv2, randomUUID } from "node:crypto";
-import { homedir as homedir3, platform as platform4, tmpdir as tmpdir2 } from "node:os";
-import { join as join5 } from "node:path";
+import { existsSync as existsSync5, readdirSync, copyFileSync, unlinkSync as unlinkSync2 } from "node:fs";
+import { execFileSync as execFileSync3 } from "node:child_process";
+import { homedir as homedir3, platform as platform4, tmpdir as tmpdir3 } from "node:os";
+import { join as join6 } from "node:path";
 
 // src/lib/leveldb-reader.ts
 import { readdir as readdir2, readFile as readFile2 } from "node:fs/promises";
@@ -801,32 +794,152 @@ async function findKeysContaining(dir, substring) {
   return allEntries.filter((entry) => entry.key.includes(substring));
 }
 
+// src/auth/desktop-crypto.ts
+import { existsSync as existsSync4, readFileSync as readFileSync2, writeFileSync, unlinkSync } from "node:fs";
+import { execFileSync as execFileSync2 } from "node:child_process";
+import { createDecipheriv as createDecipheriv2, randomUUID } from "node:crypto";
+import { tmpdir as tmpdir2 } from "node:os";
+import { join as join5 } from "node:path";
+var IS_MACOS4 = process.platform === "darwin";
+var IS_LINUX2 = process.platform === "linux";
+function getSafeStoragePasswords2(prefix) {
+  if (IS_MACOS4) {
+    const keychainQueries = [
+      { service: "Slack Safe Storage", account: "Slack Key" },
+      { service: "Slack Safe Storage", account: "Slack App Store Key" },
+      { service: "Slack Safe Storage" },
+      { service: "Chrome Safe Storage" },
+      { service: "Chromium Safe Storage" }
+    ];
+    const passwords = [];
+    for (const q of keychainQueries) {
+      try {
+        const args = ["-w", "-s", q.service];
+        if (q.account) {
+          args.push("-a", q.account);
+        }
+        const out = execFileSync2("security", ["find-generic-password", ...args], {
+          encoding: "utf8",
+          stdio: ["ignore", "pipe", "ignore"]
+        }).trim();
+        if (out) {
+          passwords.push(out);
+        }
+      } catch {}
+    }
+    if (passwords.length > 0) {
+      return [...new Set(passwords)];
+    }
+  }
+  if (IS_LINUX2) {
+    const attributes = [
+      ["application", "com.slack.Slack"],
+      ["application", "Slack"],
+      ["application", "slack"],
+      ["service", "Slack Safe Storage"]
+    ];
+    const passwords = [];
+    for (const pair of attributes) {
+      try {
+        const out = execFileSync2("secret-tool", ["lookup", ...pair], {
+          encoding: "utf8",
+          stdio: ["ignore", "pipe", "ignore"]
+        }).trim();
+        if (out) {
+          passwords.push(out);
+        }
+      } catch {}
+    }
+    if (prefix === "v11") {
+      passwords.push("");
+    }
+    passwords.push("peanuts");
+    return [...new Set(passwords)];
+  }
+  throw new Error("Could not read Safe Storage password from desktop keychain.");
+}
+function decryptCookieWindows(encrypted, slackDataDir) {
+  const localStatePath = join5(slackDataDir, "Local State");
+  if (!existsSync4(localStatePath)) {
+    throw new Error(`Local State file not found: ${localStatePath}`);
+  }
+  let localState;
+  try {
+    localState = JSON.parse(readFileSync2(localStatePath, "utf8"));
+  } catch (error) {
+    throw new Error(`Failed to parse Local State file: ${localStatePath}`, { cause: error });
+  }
+  const osCrypt = isRecord(localState) ? localState.os_crypt : undefined;
+  if (!isRecord(osCrypt) || typeof osCrypt.encrypted_key !== "string") {
+    throw new Error("No os_crypt.encrypted_key in Local State");
+  }
+  const encKeyFull = Buffer.from(osCrypt.encrypted_key, "base64");
+  const encKeyBlob = encKeyFull.subarray(5);
+  const id = randomUUID();
+  const encKeyFile = join5(tmpdir2(), `as-key-enc-${id}.bin`);
+  const decKeyFile = join5(tmpdir2(), `as-key-dec-${id}.bin`);
+  writeFileSync(encKeyFile, encKeyBlob, { mode: 384 });
+  try {
+    const psEncKeyFile = encKeyFile.replaceAll("'", "''");
+    const psDecKeyFile = decKeyFile.replaceAll("'", "''");
+    const psCmd = [
+      "Add-Type -AssemblyName System.Security",
+      `$e=[System.IO.File]::ReadAllBytes('${psEncKeyFile}')`,
+      "$d=[System.Security.Cryptography.ProtectedData]::Unprotect($e,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
+      `[System.IO.File]::WriteAllBytes('${psDecKeyFile}',$d)`
+    ].join("; ");
+    execFileSync2("powershell", ["-ExecutionPolicy", "Bypass", "-Command", psCmd], {
+      stdio: "pipe"
+    });
+    if (!existsSync4(decKeyFile)) {
+      throw new Error("DPAPI decryption failed: PowerShell did not produce the decrypted key file");
+    }
+    const aesKey = readFileSync2(decKeyFile);
+    const nonce = encrypted.subarray(3, 15);
+    const ciphertextWithTag = encrypted.subarray(15);
+    const tag = ciphertextWithTag.subarray(-16);
+    const ciphertext = ciphertextWithTag.subarray(0, -16);
+    const decipher = createDecipheriv2("aes-256-gcm", aesKey, nonce);
+    decipher.setAuthTag(tag);
+    let decrypted = decipher.update(ciphertext, undefined, "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } finally {
+    try {
+      unlinkSync(encKeyFile);
+    } catch {}
+    try {
+      unlinkSync(decKeyFile);
+    } catch {}
+  }
+}
+
 // src/auth/desktop.ts
 var PLATFORM2 = platform4();
-var IS_MACOS4 = PLATFORM2 === "darwin";
-var IS_LINUX2 = PLATFORM2 === "linux";
+var IS_MACOS5 = PLATFORM2 === "darwin";
+var IS_LINUX3 = PLATFORM2 === "linux";
 var IS_WIN32 = PLATFORM2 === "win32";
-var SLACK_SUPPORT_DIR_ELECTRON = join5(homedir3(), "Library", "Application Support", "Slack");
-var SLACK_SUPPORT_DIR_APPSTORE = join5(homedir3(), "Library", "Containers", "com.tinyspeck.slackmacgap", "Data", "Library", "Application Support", "Slack");
-var SLACK_SUPPORT_DIR_LINUX = join5(homedir3(), ".config", "Slack");
-var SLACK_SUPPORT_DIR_LINUX_FLATPAK = join5(homedir3(), ".var", "app", "com.slack.Slack", "config", "Slack");
-var SLACK_SUPPORT_DIR_WIN_APPDATA = join5(process.env.APPDATA || join5(homedir3(), "AppData", "Roaming"), "Slack");
+var SLACK_SUPPORT_DIR_ELECTRON = join6(homedir3(), "Library", "Application Support", "Slack");
+var SLACK_SUPPORT_DIR_APPSTORE = join6(homedir3(), "Library", "Containers", "com.tinyspeck.slackmacgap", "Data", "Library", "Application Support", "Slack");
+var SLACK_SUPPORT_DIR_LINUX = join6(homedir3(), ".config", "Slack");
+var SLACK_SUPPORT_DIR_LINUX_FLATPAK = join6(homedir3(), ".var", "app", "com.slack.Slack", "config", "Slack");
+var SLACK_SUPPORT_DIR_WIN_APPDATA = join6(process.env.APPDATA || join6(homedir3(), "AppData", "Roaming"), "Slack");
 function getWindowsStoreSlackPath() {
-  const pkgBase = join5(process.env.LOCALAPPDATA || join5(homedir3(), "AppData", "Local"), "Packages");
+  const pkgBase = join6(process.env.LOCALAPPDATA || join6(homedir3(), "AppData", "Local"), "Packages");
   try {
     const entries = readdirSync(pkgBase);
     const slackPkg = entries.find((e) => e.startsWith("com.tinyspeck.slackdesktop_"));
     if (slackPkg) {
-      return join5(pkgBase, slackPkg, "LocalCache", "Roaming", "Slack");
+      return join6(pkgBase, slackPkg, "LocalCache", "Roaming", "Slack");
     }
   } catch {}
   return null;
 }
 function getAllSlackPaths() {
   let candidates;
-  if (IS_MACOS4) {
+  if (IS_MACOS5) {
     candidates = [SLACK_SUPPORT_DIR_ELECTRON, SLACK_SUPPORT_DIR_APPSTORE];
-  } else if (IS_LINUX2) {
+  } else if (IS_LINUX3) {
     candidates = [SLACK_SUPPORT_DIR_LINUX_FLATPAK, SLACK_SUPPORT_DIR_LINUX];
   } else if (IS_WIN32) {
     candidates = [SLACK_SUPPORT_DIR_WIN_APPDATA];
@@ -842,16 +955,16 @@ function getAllSlackPaths() {
   }
   const results = [];
   for (const dir of candidates) {
-    const leveldbDir = join5(dir, "Local Storage", "leveldb");
-    if (existsSync4(leveldbDir)) {
-      const cookiesDbCandidates = [join5(dir, "Network", "Cookies"), join5(dir, "Cookies")];
-      const cookiesDb = cookiesDbCandidates.find((candidate) => existsSync4(candidate)) || cookiesDbCandidates[0];
+    const leveldbDir = join6(dir, "Local Storage", "leveldb");
+    if (existsSync5(leveldbDir)) {
+      const cookiesDbCandidates = [join6(dir, "Network", "Cookies"), join6(dir, "Cookies")];
+      const cookiesDb = cookiesDbCandidates.find((candidate) => existsSync5(candidate)) || cookiesDbCandidates[0];
       results.push({ leveldbDir, cookiesDb, baseDir: dir });
     }
   }
   if (results.length === 0) {
     throw new Error(`Slack Desktop data not found. Checked:
-  - ${candidates.map((d) => join5(d, "Local Storage", "leveldb")).join(`
+  - ${candidates.map((d) => join6(d, "Local Storage", "leveldb")).join(`
   - `)}`);
   }
   return results;
@@ -869,13 +982,13 @@ function toDesktopTeam(value) {
   return { url, name, token };
 }
 async function snapshotLevelDb(srcDir) {
-  const base = join5(homedir3(), ".config", "agent-slack", "cache", "leveldb-snapshots");
-  const dest = join5(base, `${Date.now()}`);
+  const base = join6(homedir3(), ".config", "agent-slack", "cache", "leveldb-snapshots");
+  const dest = join6(base, `${Date.now()}`);
   await mkdir(base, { recursive: true });
-  let useNodeCopy = !IS_MACOS4;
-  if (IS_MACOS4) {
+  let useNodeCopy = !IS_MACOS5;
+  if (IS_MACOS5) {
     try {
-      execFileSync2("cp", ["-cR", srcDir, dest], {
+      execFileSync3("cp", ["-cR", srcDir, dest], {
         stdio: ["ignore", "ignore", "ignore"]
       });
     } catch {
@@ -886,7 +999,7 @@ async function snapshotLevelDb(srcDir) {
     await cp(srcDir, dest, { recursive: true, force: true });
   }
   try {
-    await unlink(join5(dest, "LOCK"));
+    await unlink(join6(dest, "LOCK"));
   } catch {}
   return dest;
 }
@@ -928,7 +1041,7 @@ function parseLocalConfig(raw) {
   throw lastErr || new Error("localConfig not parseable");
 }
 async function extractTeamsFromSlackLevelDb(leveldbDir) {
-  if (!existsSync4(leveldbDir)) {
+  if (!existsSync5(leveldbDir)) {
     throw new Error(`Slack LevelDB not found: ${leveldbDir}`);
   }
   const snap = await snapshotLevelDb(leveldbDir);
@@ -969,124 +1082,13 @@ async function extractTeamsFromSlackLevelDb(leveldbDir) {
     } catch {}
   }
 }
-function getSafeStoragePasswords2(prefix) {
-  if (IS_MACOS4) {
-    const keychainQueries = [
-      { service: "Slack Safe Storage", account: "Slack Key" },
-      { service: "Slack Safe Storage", account: "Slack App Store Key" },
-      { service: "Slack Safe Storage" },
-      { service: "Chrome Safe Storage" },
-      { service: "Chromium Safe Storage" }
-    ];
-    const passwords = [];
-    for (const q of keychainQueries) {
-      try {
-        const args = ["-w", "-s", q.service];
-        if (q.account) {
-          args.push("-a", q.account);
-        }
-        const out = execFileSync2("security", ["find-generic-password", ...args], {
-          encoding: "utf8",
-          stdio: ["ignore", "pipe", "ignore"]
-        }).trim();
-        if (out) {
-          passwords.push(out);
-        }
-      } catch {}
-    }
-    if (passwords.length > 0) {
-      return [...new Set(passwords)];
-    }
-  }
-  if (IS_LINUX2) {
-    const attributes = [
-      ["application", "com.slack.Slack"],
-      ["application", "Slack"],
-      ["application", "slack"],
-      ["service", "Slack Safe Storage"]
-    ];
-    const passwords = [];
-    for (const pair of attributes) {
-      try {
-        const out = execFileSync2("secret-tool", ["lookup", ...pair], {
-          encoding: "utf8",
-          stdio: ["ignore", "pipe", "ignore"]
-        }).trim();
-        if (out) {
-          passwords.push(out);
-        }
-      } catch {}
-    }
-    if (prefix === "v11") {
-      passwords.push("");
-    }
-    passwords.push("peanuts");
-    return [...new Set(passwords)];
-  }
-  throw new Error("Could not read Safe Storage password from desktop keychain.");
-}
-function decryptCookieWindows(encrypted, slackDataDir) {
-  const localStatePath = join5(slackDataDir, "Local State");
-  if (!existsSync4(localStatePath)) {
-    throw new Error(`Local State file not found: ${localStatePath}`);
-  }
-  let localState;
-  try {
-    localState = JSON.parse(readFileSync2(localStatePath, "utf8"));
-  } catch (error) {
-    throw new Error(`Failed to parse Local State file: ${localStatePath}`, { cause: error });
-  }
-  const osCrypt = isRecord(localState) ? localState.os_crypt : undefined;
-  if (!isRecord(osCrypt) || typeof osCrypt.encrypted_key !== "string") {
-    throw new Error("No os_crypt.encrypted_key in Local State");
-  }
-  const encKeyFull = Buffer.from(osCrypt.encrypted_key, "base64");
-  const encKeyBlob = encKeyFull.subarray(5);
-  const id = randomUUID();
-  const encKeyFile = join5(tmpdir2(), `as-key-enc-${id}.bin`);
-  const decKeyFile = join5(tmpdir2(), `as-key-dec-${id}.bin`);
-  writeFileSync(encKeyFile, encKeyBlob, { mode: 384 });
-  try {
-    const psEncKeyFile = encKeyFile.replaceAll("'", "''");
-    const psDecKeyFile = decKeyFile.replaceAll("'", "''");
-    const psCmd = [
-      "Add-Type -AssemblyName System.Security",
-      `$e=[System.IO.File]::ReadAllBytes('${psEncKeyFile}')`,
-      "$d=[System.Security.Cryptography.ProtectedData]::Unprotect($e,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
-      `[System.IO.File]::WriteAllBytes('${psDecKeyFile}',$d)`
-    ].join("; ");
-    execFileSync2("powershell", ["-ExecutionPolicy", "Bypass", "-Command", psCmd], {
-      stdio: "pipe"
-    });
-    if (!existsSync4(decKeyFile)) {
-      throw new Error("DPAPI decryption failed: PowerShell did not produce the decrypted key file");
-    }
-    const aesKey = readFileSync2(decKeyFile);
-    const nonce = encrypted.subarray(3, 15);
-    const ciphertextWithTag = encrypted.subarray(15);
-    const tag = ciphertextWithTag.subarray(-16);
-    const ciphertext = ciphertextWithTag.subarray(0, -16);
-    const decipher = createDecipheriv2("aes-256-gcm", aesKey, nonce);
-    decipher.setAuthTag(tag);
-    let decrypted = decipher.update(ciphertext, undefined, "utf8");
-    decrypted += decipher.final("utf8");
-    return decrypted;
-  } finally {
-    try {
-      unlinkSync(encKeyFile);
-    } catch {}
-    try {
-      unlinkSync(decKeyFile);
-    } catch {}
-  }
-}
 async function extractCookieDFromSlackCookiesDb(cookiesPath, slackDataDir) {
-  if (!existsSync4(cookiesPath)) {
+  if (!existsSync5(cookiesPath)) {
     throw new Error(`Slack Cookies DB not found: ${cookiesPath}`);
   }
   let dbPathToQuery = cookiesPath;
   if (IS_WIN32) {
-    const tmpCopy = join5(tmpdir2(), `agent-slack-cookies-${Date.now()}`);
+    const tmpCopy = join6(tmpdir3(), `agent-slack-cookies-${Date.now()}`);
     copyFileSync(cookiesPath, tmpCopy);
     dbPathToQuery = tmpCopy;
   }
@@ -1096,7 +1098,7 @@ async function extractCookieDFromSlackCookiesDb(cookiesPath, slackDataDir) {
   } finally {
     if (IS_WIN32 && dbPathToQuery !== cookiesPath) {
       try {
-        unlinkSync(dbPathToQuery);
+        unlinkSync2(dbPathToQuery);
       } catch {}
     }
   }
@@ -1128,7 +1130,10 @@ async function extractCookieDFromSlackCookiesDb(cookiesPath, slackDataDir) {
   const passwords = getSafeStoragePasswords2(prefix);
   for (const password of passwords) {
     try {
-      const decrypted = decryptChromiumCookieValue(data, password, IS_LINUX2 ? 1 : 1003);
+      const decrypted = decryptChromiumCookieValue(data, {
+        password,
+        iterations: IS_LINUX3 ? 1 : 1003
+      });
       const match = decrypted.match(/xoxd-[A-Za-z0-9%/+_=.-]+/);
       if (match) {
         return match[0];
@@ -1159,8 +1164,8 @@ async function extractFromSlackDesktop() {
 }
 
 // src/auth/firefox.ts
-import { existsSync as existsSync5 } from "node:fs";
-import { join as join6 } from "node:path";
+import { existsSync as existsSync6 } from "node:fs";
+import { join as join7 } from "node:path";
 var CONTROL_CHAR_RE = /[\u0000-\u001F]/g;
 function toStringValue(value) {
   if (typeof value === "string") {
@@ -1267,21 +1272,21 @@ function extractTeamsFromRawText(raw) {
   return teams;
 }
 function getLocalStorageDirs(profilePath) {
-  const roots = [join6(profilePath, "storage", "default")];
+  const roots = [join7(profilePath, "storage", "default")];
   const candidates = [];
   for (const root of roots) {
-    if (!existsSync5(root)) {
+    if (!existsSync6(root)) {
       continue;
     }
-    candidates.push(join6(root, "https+++app.slack.com", "ls"));
+    candidates.push(join7(root, "https+++app.slack.com", "ls"));
   }
   return candidates;
 }
 async function extractTeamsFromProfile(profilePath) {
   const lsDirs = getLocalStorageDirs(profilePath);
   for (const lsDir of lsDirs) {
-    const dbPath = join6(lsDir, "data.sqlite");
-    if (!existsSync5(dbPath)) {
+    const dbPath = join7(lsDir, "data.sqlite");
+    if (!existsSync6(dbPath)) {
       continue;
     }
     const copied = await copySqliteForRead(dbPath);
@@ -1306,8 +1311,8 @@ async function extractTeamsFromProfile(profilePath) {
   return null;
 }
 async function extractCookieDFromProfile(profilePath) {
-  const dbPath = join6(profilePath, "cookies.sqlite");
-  if (!existsSync5(dbPath)) {
+  const dbPath = join7(profilePath, "cookies.sqlite");
+  if (!existsSync6(dbPath)) {
     return null;
   }
   const copied = await copySqliteForRead(dbPath);
@@ -1368,9 +1373,9 @@ async function extractFromFirefox(input) {
 
 // src/auth/paths.ts
 import { homedir as homedir4 } from "node:os";
-import { join as join7 } from "node:path";
-var AGENT_SLACK_DIR = join7(homedir4(), ".config", "agent-slack");
-var CREDENTIALS_FILE = join7(AGENT_SLACK_DIR, "credentials.json");
+import { join as join8 } from "node:path";
+var AGENT_SLACK_DIR = join8(homedir4(), ".config", "agent-slack");
+var CREDENTIALS_FILE = join8(AGENT_SLACK_DIR, "credentials.json");
 var KEYCHAIN_SERVICE = "agent-slack";
 
 // src/lib/fs.ts
@@ -1425,31 +1430,31 @@ var CredentialsSchema = z.object({
 
 // src/auth/keychain.ts
 import { platform as platform5 } from "node:os";
-import { execFileSync as execFileSync3 } from "node:child_process";
-var IS_MACOS5 = platform5() === "darwin";
+import { execFileSync as execFileSync4 } from "node:child_process";
+var IS_MACOS6 = platform5() === "darwin";
 function keychainGet(account, service) {
-  if (!IS_MACOS5) {
+  if (!IS_MACOS6) {
     return null;
   }
   try {
-    const result = execFileSync3("security", ["find-generic-password", "-s", service, "-a", account, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "ignore"] });
+    const result = execFileSync4("security", ["find-generic-password", "-s", service, "-a", account, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "ignore"] });
     return result.trim() || null;
   } catch {
     return null;
   }
 }
 function keychainSet(input) {
-  if (!IS_MACOS5) {
+  if (!IS_MACOS6) {
     return false;
   }
   const { account, value, service } = input;
   try {
     try {
-      execFileSync3("security", ["delete-generic-password", "-s", service, "-a", account], {
+      execFileSync4("security", ["delete-generic-password", "-s", service, "-a", account], {
         stdio: ["pipe", "pipe", "ignore"]
       });
     } catch {}
-    execFileSync3("security", ["add-generic-password", "-s", service, "-a", account, "-w", value], {
+    execFileSync4("security", ["add-generic-password", "-s", service, "-a", account, "-w", value], {
       stdio: "pipe"
     });
     return true;
@@ -1461,7 +1466,7 @@ function keychainSet(input) {
 // src/auth/store.ts
 import { platform as platform6 } from "node:os";
 var KEYCHAIN_PLACEHOLDER = "__KEYCHAIN__";
-var IS_MACOS6 = platform6() === "darwin";
+var IS_MACOS7 = platform6() === "darwin";
 function normalizeWorkspaceUrl(workspaceUrl) {
   const u = new URL(workspaceUrl);
   return `${u.protocol}//${u.host}`;
@@ -1515,7 +1520,7 @@ async function saveCredentials(credentials) {
     }))
   };
   const filePayload = structuredClone(payload);
-  if (IS_MACOS6) {
+  if (IS_MACOS7) {
     const firstBrowser = payload.workspaces.find((w) => w.auth.auth_type === "browser");
     let xoxdStored = false;
     if (firstBrowser?.auth.auth_type === "browser" && !isPlaceholderSecret(firstBrowser.auth.xoxd_cookie)) {
@@ -1752,6 +1757,10 @@ function normalizeConversationsPage(resp) {
 function normalizeConversationsLimit(value) {
   return Math.min(Math.max(value ?? 100, 1), 1000);
 }
+async function markConversation(client, options) {
+  const { channelId, ts } = options;
+  await client.api("conversations.mark", { channel: channelId, ts });
+}
 
 // src/cli/workspace-selector.ts
 function normalizeUrl(u) {
@@ -2406,15 +2415,23 @@ function registerAuthCommand(input) {
 
 // src/slack/files.ts
 import { mkdir as mkdir3, writeFile as writeFile2 } from "node:fs/promises";
-import { basename, join as join8, resolve } from "node:path";
-import { existsSync as existsSync6 } from "node:fs";
+import { basename, join as join9, resolve } from "node:path";
+import { existsSync as existsSync7 } from "node:fs";
+class SlackDownloadError extends Error {
+  httpStatus;
+  constructor(message, httpStatus) {
+    super(message);
+    this.httpStatus = httpStatus;
+    this.name = "SlackDownloadError";
+  }
+}
 async function downloadSlackFile(input) {
   const { auth, url, destDir, preferredName, options } = input;
   const absDir = resolve(destDir);
   await mkdir3(absDir, { recursive: true });
   const name = sanitizeFilename(preferredName || basename(new URL(url).pathname) || "file");
-  const path = join8(absDir, name);
-  if (existsSync6(path)) {
+  const path = join9(absDir, name);
+  if (existsSync7(path)) {
     return path;
   }
   const headers = {};
@@ -2426,19 +2443,54 @@ async function downloadSlackFile(input) {
     headers.Referer = "https://app.slack.com/";
     headers["User-Agent"] = getUserAgent();
   }
-  const resp = await fetch(url, { headers });
+  let resp;
+  try {
+    resp = await fetch(url, { headers });
+  } catch (err) {
+    throw new SlackDownloadError(`Network error: ${err instanceof Error ? err.message : String(err)}`);
+  }
   if (!resp.ok) {
-    throw new Error(`Failed to download file (${resp.status})`);
+    throw new SlackDownloadError(`Failed to download file (${resp.status})`, resp.status);
   }
   const contentType = resp.headers.get("content-type") || "";
   if (!options?.allowHtml && contentType.includes("text/html")) {
-    const text = await resp.text();
-    throw new Error(`Downloaded HTML instead of file (auth likely failed). First bytes: ${JSON.stringify(text.slice(0, 120))}`);
+    let text;
+    try {
+      text = await resp.text();
+    } catch (err) {
+      throw new SlackDownloadError(`Failed to read download response body: ${err instanceof Error ? err.message : String(err)}`, resp.status);
+    }
+    throw new SlackDownloadError(`Downloaded HTML instead of file (auth likely failed). First bytes: ${JSON.stringify(text.slice(0, 120))}`, resp.status);
   }
-  const buf = Buffer.from(await resp.arrayBuffer());
+  let arrayBuffer;
+  try {
+    arrayBuffer = await resp.arrayBuffer();
+  } catch (err) {
+    throw new SlackDownloadError(`Failed to read download response body: ${err instanceof Error ? err.message : String(err)}`, resp.status);
+  }
+  const buf = Buffer.from(arrayBuffer);
   await writeFile2(path, buf);
   return path;
 }
+async function tryDownloadSlackFile(input) {
+  try {
+    const path = await downloadSlackFile(input);
+    return { ok: true, path };
+  } catch (err) {
+    if (err instanceof SlackDownloadError) {
+      return { ok: false, error: err.message, httpStatus: err.httpStatus };
+    }
+    throw err;
+  }
+}
+async function writeDownloadErrorFile(input) {
+  const absDir = resolve(input.destDir);
+  await mkdir3(absDir, { recursive: true });
+  const path = join9(absDir, sanitizeFilename(`${input.fileId}.download-error.txt`));
+  await writeFile2(path, `${input.error}
+`, "utf8");
+  return path;
+}
 function sanitizeFilename(name) {
   return name.replace(/[\\/<>:"|?*]/g, "_");
 }
@@ -2469,27 +2521,27 @@ function extractTag(html, tag) {
 }
 
 // src/lib/tmp-paths.ts
-import { join as join10, resolve as resolve2 } from "node:path";
+import { join as join11, resolve as resolve2 } from "node:path";
 import { mkdir as mkdir4 } from "node:fs/promises";
 
 // src/lib/app-dir.ts
-import { homedir as homedir5, tmpdir as tmpdir3 } from "node:os";
-import { join as join9 } from "node:path";
+import { homedir as homedir5, tmpdir as tmpdir4 } from "node:os";
+import { join as join10 } from "node:path";
 function getAppDir() {
   const xdg = process.env.XDG_RUNTIME_DIR?.trim();
   if (xdg) {
-    return join9(xdg, "agent-slack");
+    return join10(xdg, "agent-slack");
   }
   const home = homedir5();
   if (home) {
-    return join9(home, ".agent-slack");
+    return join10(home, ".agent-slack");
   }
-  return join9(tmpdir3(), "agent-slack");
+  return join10(tmpdir4(), "agent-slack");
 }
 
 // src/lib/tmp-paths.ts
 function getDownloadsDir() {
-  return resolve2(join10(getAppDir(), "tmp", "downloads"));
+  return resolve2(join11(getAppDir(), "tmp", "downloads"));
 }
 async function ensureDownloadsDir() {
   const dir = getDownloadsDir();
@@ -3120,14 +3172,16 @@ function toCompactMessage(msg, input) {
   const content = maxBodyChars >= 0 && rendered.length > maxBodyChars ? `${rendered.slice(0, maxBodyChars)}
 …` : rendered;
   const files = msg.files?.map((f) => {
-    const path = input?.downloadedPaths?.[f.id];
-    if (!path) {
+    const entry = input?.downloadedPaths?.[f.id];
+    if (!entry) {
       return null;
     }
-    return {
+    return entry.ok ? { name: f.name, mimetype: f.mimetype, mode: f.mode, path: entry.path } : {
+      name: f.name,
       mimetype: f.mimetype,
       mode: f.mode,
-      path
+      path: entry.path,
+      error: entry.error
     };
   }).filter((f) => Boolean(f));
   return {
@@ -3691,7 +3745,7 @@ async function uploadLocalFileToSlack(input) {
 
 // src/cli/message-file-downloads.ts
 import { readFile as readFile6, writeFile as writeFile3 } from "node:fs/promises";
-import { join as join11 } from "node:path";
+import { join as join12 } from "node:path";
 function inferFileExtension(file) {
   const mt = (file.mimetype || "").toLowerCase();
   const ft = (file.filetype || "").toLowerCase();
@@ -3734,11 +3788,11 @@ async function downloadCanvasAsMarkdown(input) {
   });
   const html = await readFile6(htmlPath, "utf8");
   if (looksLikeAuthPage(html)) {
-    throw new Error("Downloaded auth/login page instead of canvas content (token may be expired)");
+    throw new SlackDownloadError("Downloaded auth/login page instead of canvas content (token may be expired)");
   }
   const markdown = htmlToMarkdown(html).trim();
   const safeName = `${input.fileId.replace(/[\\/<>"|?*]/g, "_")}.md`;
-  const markdownPath = join11(input.destDir, safeName);
+  const markdownPath = join12(input.destDir, safeName);
   await writeFile3(markdownPath, markdown, "utf8");
   return markdownPath;
 }
@@ -3755,25 +3809,53 @@ async function downloadMessageFiles(input) {
       if (!url) {
         continue;
       }
-      try {
-        if (isCanvas) {
-          downloadedPaths[file.id] = await downloadCanvasAsMarkdown({
+      if (isCanvas) {
+        try {
+          const path = await downloadCanvasAsMarkdown({
             auth: input.auth,
             fileId: file.id,
             url,
             destDir: downloadsDir
           });
-        } else {
-          const ext = inferFileExtension(file);
-          downloadedPaths[file.id] = await downloadSlackFile({
-            auth: input.auth,
-            url,
+          downloadedPaths[file.id] = { ok: true, path };
+        } catch (err) {
+          if (!(err instanceof SlackDownloadError)) {
+            throw err;
+          }
+          const path = await writeDownloadErrorFile({
             destDir: downloadsDir,
-            preferredName: `${file.id}${ext ? `.${ext}` : ""}`
+            fileId: file.id,
+            error: err.message
           });
+          downloadedPaths[file.id] = {
+            ok: false,
+            error: err.message,
+            httpStatus: err.httpStatus,
+            path
+          };
+          console.error(`Warning: skipping file ${file.id}: ${err.message}`);
+        }
+      } else {
+        const ext = inferFileExtension(file);
+        const result = await tryDownloadSlackFile({
+          auth: input.auth,
+          url,
+          destDir: downloadsDir,
+          preferredName: `${file.id}${ext ? `.${ext}` : ""}`
+        });
+        if (!result.ok) {
+          downloadedPaths[file.id] = {
+            ...result,
+            path: await writeDownloadErrorFile({
+              destDir: downloadsDir,
+              fileId: file.id,
+              error: result.error
+            })
+          };
+          console.error(`Warning: skipping file ${file.id}: ${result.error}`);
+        } else {
+          downloadedPaths[file.id] = result;
         }
-      } catch (err) {
-        console.error(`Warning: skipping file ${file.id}: ${err instanceof Error ? err.message : String(err)}`);
       }
     }
   }
@@ -6605,18 +6687,22 @@ async function searchFilesViaSearchApi(client, input) {
     if (!id) {
       continue;
     }
-    const path = await downloadSlackFile({
+    const result = await tryDownloadSlackFile({
       auth: input.auth,
       url,
       destDir: downloadsDir,
       preferredName: `${id}${ext ? `.${ext}` : ""}`
     });
+    if (!result.ok) {
+      console.warn(`Warning: skipping file ${id}: ${result.error}`);
+      continue;
+    }
     const title = (getString(f.title) || getString(f.name) || "").trim();
     out.push({
       title: title || undefined,
       mimetype,
       mode,
-      path
+      path: result.path
     });
     if (out.length >= input.limit) {
       break;
@@ -6671,17 +6757,21 @@ async function searchFilesInChannelsFallback(client, input) {
         if (!id) {
           continue;
         }
-        const path = await downloadSlackFile({
+        const result = await tryDownloadSlackFile({
           auth: input.auth,
           url,
           destDir: downloadsDir,
           preferredName: `${id}${ext ? `.${ext}` : ""}`
         });
+        if (!result.ok) {
+          console.warn(`Warning: skipping file ${id}: ${result.error}`);
+          continue;
+        }
         out.push({
           title: title || undefined,
           mimetype,
           mode,
-          path
+          path: result.path
         });
         if (out.length >= input.limit) {
           return out;
@@ -6897,13 +6987,25 @@ async function downloadFilesForMessage(input) {
       continue;
     }
     const ext = inferExt(f);
-    const path = await downloadSlackFile({
+    const result = await tryDownloadSlackFile({
       auth: input.auth,
       url,
       destDir: input.downloadsDir,
       preferredName: `${f.id}${ext ? `.${ext}` : ""}`
     });
-    input.downloadedPaths[f.id] = path;
+    if (!result.ok) {
+      input.downloadedPaths[f.id] = {
+        ...result,
+        path: await writeDownloadErrorFile({
+          destDir: input.downloadsDir,
+          fileId: f.id,
+          error: result.error
+        })
+      };
+      console.warn(`Warning: file ${f.id}: ${result.error}`);
+    } else {
+      input.downloadedPaths[f.id] = result;
+    }
   }
 }
 function messageSummaryFromApiMessage(channelId, msg) {
@@ -7073,12 +7175,12 @@ function registerSearchCommand(input) {
 import { execSync as execSync2 } from "node:child_process";
 import { createHash } from "node:crypto";
 import { chmod, copyFile as copyFile2, mkdir as mkdir5, readFile as readFile7, rename, rm as rm3, writeFile as writeFile4 } from "node:fs/promises";
-import { tmpdir as tmpdir4 } from "node:os";
-import { basename as basename3, join as join12 } from "node:path";
+import { tmpdir as tmpdir5 } from "node:os";
+import { basename as basename3, join as join13 } from "node:path";
 var REPO = "stablyai/agent-slack";
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
 function getCachePath() {
-  return join12(getAppDir(), "update-check.json");
+  return join13(getAppDir(), "update-check.json");
 }
 function compareSemver(a, b) {
   const pa = a.replace(/^v/, "").split(".").map(Number);
@@ -7180,10 +7282,10 @@ async function performUpdate(latest) {
   const asset = detectPlatformAsset();
   const tag = `v${latest}`;
   const baseUrl = `https://github.com/${REPO}/releases/download/${tag}`;
-  const tmp = join12(tmpdir4(), `agent-slack-update-${Date.now()}`);
+  const tmp = join13(tmpdir5(), `agent-slack-update-${Date.now()}`);
   await mkdir5(tmp, { recursive: true });
-  const binTmp = join12(tmp, asset);
-  const sumsTmp = join12(tmp, "checksums-sha256.txt");
+  const binTmp = join13(tmp, asset);
+  const sumsTmp = join13(tmp, "checksums-sha256.txt");
   try {
     const [binResp, sumsResp] = await Promise.all([
       fetch(`${baseUrl}/${asset}`, { signal: AbortSignal.timeout(120000) }),
@@ -7774,6 +7876,49 @@ function registerChannelCommand(input) {
       process.exitCode = 1;
     }
   });
+  channelCmd.command("mark").description("Mark a channel/DM as read up to a given message").argument("<target>", "Slack message URL, #channel, or channel ID").option("--ts <ts>", "Message ts to mark as read (required when target is a channel name/ID)").option("--workspace <url>", "Workspace selector (full URL or unique substring; required if you have multiple workspaces)").action(async (...args) => {
+    const [targetArg, options] = args;
+    try {
+      const target = parseMsgTarget(targetArg);
+      let channelId;
+      let ts;
+      let workspaceUrl;
+      if (target.kind === "url") {
+        if (options.workspace) {
+          throw new Error("--workspace cannot be used with a URL target; the workspace is derived from the URL");
+        }
+        channelId = target.ref.channel_id;
+        ts = options.ts ?? target.ref.message_ts;
+        workspaceUrl = input.ctx.effectiveWorkspaceUrl(target.ref.workspace_url);
+      } else if (target.kind === "channel") {
+        if (!options.ts) {
+          throw new Error("--ts is required when target is a channel name or ID");
+        }
+        ({ ts } = options);
+        workspaceUrl = input.ctx.effectiveWorkspaceUrl(options.workspace);
+        channelId = target.channel;
+      } else {
+        throw new Error("User targets are not supported for channel mark");
+      }
+      await input.ctx.assertWorkspaceSpecifiedForChannelNames({
+        workspaceUrl,
+        channels: [channelId]
+      });
+      const resolvedId = await input.ctx.withAutoRefresh({
+        workspaceUrl,
+        work: async () => {
+          const { client } = await input.ctx.getClientForWorkspace(workspaceUrl);
+          const resolved = await resolveChannelId(client, channelId);
+          await markConversation(client, { channelId: resolved, ts });
+          return resolved;
+        }
+      });
+      console.log(JSON.stringify({ ok: true, channel: resolvedId, ts }, null, 2));
+    } catch (err) {
+      console.error(input.ctx.errorMessage(err));
+      process.exitCode = 1;
+    }
+  });
 }
 
 // src/index.ts
@@ -7796,5 +7941,5 @@ if (subcommand && subcommand !== "update") {
   backgroundUpdateCheck();
 }
 
-//# debugId=0E45A4F2F731E07C64756E2164756E21
+//# debugId=3EBC31FAC3ADA2FD64756E2164756E21
 //# sourceMappingURL=index.js.map