botinabox 1.3.0 → 1.4.0

package/dist/channels/slack/index.js

@@ -4,7 +4,7 @@ import {
   extractVoiceTranscript,
   parseSlackEvent,
   transcribeAudio
-} from "../../chunk-GS2JFL6I.js";
+} from "../../chunk-NNPCKR6G.js";
 
 // src/channels/slack/outbound.ts
 function formatForSlack(text) {
@@ -67,8 +67,8 @@ var SlackAdapter = class {
   /** Simulate receiving an inbound message (for testing/webhooks). */
   async receive(event) {
     if (this.onMessage) {
-      const { parseSlackEvent: parseSlackEvent2 } = await import("../../inbound-AFBUPSPG.js");
-      const { enrichVoiceMessage: enrichVoiceMessage2 } = await import("../../inbound-AFBUPSPG.js");
+      const { parseSlackEvent: parseSlackEvent2 } = await import("../../inbound-ZJHAYVMF.js");
+      const { enrichVoiceMessage: enrichVoiceMessage2 } = await import("../../inbound-ZJHAYVMF.js");
       let msg = parseSlackEvent2(event);
       if (msg.body.includes("[Voice message") && this.config?.botToken) {
         msg = await enrichVoiceMessage2(msg, this.config.botToken);

package/dist/channels/webhook/index.js

@@ -87,8 +87,9 @@ var WebhookServer = class {
       res.writeHead(200, { "Content-Type": "application/json" });
       res.end(JSON.stringify({ ok: true }));
     } catch (err) {
+      console.error("[webhook] Error:", err);
       res.writeHead(500, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: String(err) }));
+      res.end(JSON.stringify({ error: "Internal server error" }));
     }
   }
 };

package/dist/chunk-J6S6QMUY.js

@@ -0,0 +1,144 @@
+// src/channels/slack/transcribe.ts
+import { execFileSync } from "child_process";
+import { writeFileSync, unlinkSync, mkdirSync } from "fs";
+import { join } from "path";
+import { randomUUID } from "crypto";
+import os from "os";
+import { createRequire } from "module";
+var TEMP_DIR = join(os.tmpdir(), "botinabox-audio");
+async function transcribeAudio(audioBuffer, filename, opts) {
+  let whisper;
+  try {
+    const require2 = createRequire(import.meta.url);
+    const mod = require2("whisper-node");
+    whisper = mod.whisper ?? mod.default ?? mod;
+  } catch {
+    console.warn("[botinabox] whisper-node not installed \u2014 voice transcription unavailable. Run: npm install whisper-node && npx whisper-node download");
+    return null;
+  }
+  try {
+    execSync("ffmpeg -version", { stdio: "ignore" });
+  } catch {
+    console.warn("[botinabox] ffmpeg not found \u2014 required for audio conversion. Install: brew install ffmpeg");
+    return null;
+  }
+  const id = randomUUID().slice(0, 8);
+  const ext = filename.split(".").pop() ?? "aac";
+  mkdirSync(TEMP_DIR, { recursive: true });
+  const inputPath = join(TEMP_DIR, `${id}.${ext}`);
+  const wavPath = join(TEMP_DIR, `${id}.wav`);
+  try {
+    writeFileSync(inputPath, audioBuffer);
+    execFileSync("ffmpeg", ["-y", "-i", inputPath, "-ar", "16000", "-ac", "1", "-c:a", "pcm_s16le", wavPath], {
+      stdio: "ignore",
+      timeout: 3e4
+    });
+    const segments = await whisper(wavPath, {
+      modelName: opts?.modelName ?? "base.en",
+      whisperOptions: {
+        language: opts?.language ?? "auto"
+      }
+    });
+    if (!segments || segments.length === 0) return null;
+    return segments.map((s) => s.speech).join(" ").trim();
+  } catch (err) {
+    console.error("[botinabox] Transcription failed:", err);
+    return null;
+  } finally {
+    try {
+      unlinkSync(inputPath);
+    } catch {
+    }
+    try {
+      unlinkSync(wavPath);
+    } catch {
+    }
+  }
+}
+async function downloadAudio(url, token) {
+  try {
+    const resp = await fetch(url, {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!resp.ok) {
+      console.error(`[botinabox] Audio download failed: ${resp.status} ${resp.statusText}`);
+      return null;
+    }
+    return Buffer.from(await resp.arrayBuffer());
+  } catch (err) {
+    console.error("[botinabox] Audio download error:", err);
+    return null;
+  }
+}
+
+// src/channels/slack/inbound.ts
+var AUDIO_TYPES = /* @__PURE__ */ new Set(["aac", "mp4", "m4a", "ogg", "webm", "mp3", "wav"]);
+function extractVoiceTranscript(file) {
+  const isAudio = file.subtype === "slack_audio" || AUDIO_TYPES.has(file.filetype ?? "");
+  if (!isAudio) return null;
+  const transcript = file.transcription?.preview?.content ?? (typeof file.preview === "string" ? file.preview : null);
+  return transcript ?? null;
+}
+function parseSlackEvent(event) {
+  const id = event.client_msg_id ?? event.ts ?? event.event_ts ?? `slack-${Date.now()}`;
+  const channel = event.channel ?? "unknown";
+  const from = event.user ?? "unknown";
+  const threadId = event.thread_ts !== void 0 ? event.thread_ts : void 0;
+  const receivedAt = event.ts ? new Date(parseFloat(event.ts) * 1e3).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
+  let body = event.text ?? "";
+  if (event.subtype === "file_share" && event.files?.length) {
+    for (const file of event.files) {
+      const transcript = extractVoiceTranscript(file);
+      if (transcript) {
+        body = body ? `${body}
+
+[Voice message] ${transcript}` : `[Voice message] ${transcript}`;
+        break;
+      }
+    }
+  }
+  if (event.subtype === "file_share" && event.files?.length && !body) {
+    const hasAudio = event.files.some(
+      (f) => f.subtype === "slack_audio" || AUDIO_TYPES.has(f.filetype ?? "")
+    );
+    if (hasAudio) {
+      body = "[Voice message \u2014 no transcript available]";
+    }
+  }
+  return {
+    id,
+    channel,
+    from,
+    body,
+    threadId,
+    receivedAt,
+    raw: event
+  };
+}
+async function enrichVoiceMessage(msg, botToken) {
+  if (!msg.body.includes("[Voice message \u2014 no transcript available]")) return msg;
+  const raw = msg.raw;
+  const files = raw?.files;
+  if (!files?.length) return msg;
+  const audioFile = files.find(
+    (f) => f.subtype === "slack_audio" || AUDIO_TYPES.has(f.filetype ?? "")
+  );
+  if (!audioFile?.url_private) return msg;
+  const buffer = await downloadAudio(audioFile.url_private, botToken);
+  if (!buffer) return msg;
+  const filename = audioFile.name ?? `voice.${audioFile.filetype ?? "aac"}`;
+  const transcript = await transcribeAudio(buffer, filename);
+  if (!transcript) return msg;
+  return {
+    ...msg,
+    body: `[Voice message] ${transcript}`
+  };
+}
+
+export {
+  transcribeAudio,
+  downloadAudio,
+  extractVoiceTranscript,
+  parseSlackEvent,
+  enrichVoiceMessage
+};

package/dist/chunk-NNPCKR6G.js

@@ -0,0 +1,144 @@
+// src/channels/slack/transcribe.ts
+import { execFileSync } from "child_process";
+import { writeFileSync, unlinkSync, mkdirSync } from "fs";
+import { join } from "path";
+import { randomUUID } from "crypto";
+import os from "os";
+import { createRequire } from "module";
+var TEMP_DIR = join(os.tmpdir(), "botinabox-audio");
+async function transcribeAudio(audioBuffer, filename, opts) {
+  let whisper;
+  try {
+    const require2 = createRequire(import.meta.url);
+    const mod = require2("whisper-node");
+    whisper = mod.whisper ?? mod.default ?? mod;
+  } catch {
+    console.warn("[botinabox] whisper-node not installed \u2014 voice transcription unavailable. Run: npm install whisper-node && npx whisper-node download");
+    return null;
+  }
+  try {
+    execFileSync("ffmpeg", ["-version"], { stdio: "ignore" });
+  } catch {
+    console.warn("[botinabox] ffmpeg not found \u2014 required for audio conversion. Install: brew install ffmpeg");
+    return null;
+  }
+  const id = randomUUID().slice(0, 8);
+  const ext = filename.split(".").pop() ?? "aac";
+  mkdirSync(TEMP_DIR, { recursive: true });
+  const inputPath = join(TEMP_DIR, `${id}.${ext}`);
+  const wavPath = join(TEMP_DIR, `${id}.wav`);
+  try {
+    writeFileSync(inputPath, audioBuffer);
+    execFileSync("ffmpeg", ["-y", "-i", inputPath, "-ar", "16000", "-ac", "1", "-c:a", "pcm_s16le", wavPath], {
+      stdio: "ignore",
+      timeout: 3e4
+    });
+    const segments = await whisper(wavPath, {
+      modelName: opts?.modelName ?? "base.en",
+      whisperOptions: {
+        language: opts?.language ?? "auto"
+      }
+    });
+    if (!segments || segments.length === 0) return null;
+    return segments.map((s) => s.speech).join(" ").trim();
+  } catch (err) {
+    console.error("[botinabox] Transcription failed:", err);
+    return null;
+  } finally {
+    try {
+      unlinkSync(inputPath);
+    } catch {
+    }
+    try {
+      unlinkSync(wavPath);
+    } catch {
+    }
+  }
+}
+async function downloadAudio(url, token) {
+  try {
+    const resp = await fetch(url, {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!resp.ok) {
+      console.error(`[botinabox] Audio download failed: ${resp.status} ${resp.statusText}`);
+      return null;
+    }
+    return Buffer.from(await resp.arrayBuffer());
+  } catch (err) {
+    console.error("[botinabox] Audio download error:", err);
+    return null;
+  }
+}
+
+// src/channels/slack/inbound.ts
+var AUDIO_TYPES = /* @__PURE__ */ new Set(["aac", "mp4", "m4a", "ogg", "webm", "mp3", "wav"]);
+function extractVoiceTranscript(file) {
+  const isAudio = file.subtype === "slack_audio" || AUDIO_TYPES.has(file.filetype ?? "");
+  if (!isAudio) return null;
+  const transcript = file.transcription?.preview?.content ?? (typeof file.preview === "string" ? file.preview : null);
+  return transcript ?? null;
+}
+function parseSlackEvent(event) {
+  const id = event.client_msg_id ?? event.ts ?? event.event_ts ?? `slack-${Date.now()}`;
+  const channel = event.channel ?? "unknown";
+  const from = event.user ?? "unknown";
+  const threadId = event.thread_ts !== void 0 ? event.thread_ts : void 0;
+  const receivedAt = event.ts ? new Date(parseFloat(event.ts) * 1e3).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
+  let body = event.text ?? "";
+  if (event.subtype === "file_share" && event.files?.length) {
+    for (const file of event.files) {
+      const transcript = extractVoiceTranscript(file);
+      if (transcript) {
+        body = body ? `${body}
+
+[Voice message] ${transcript}` : `[Voice message] ${transcript}`;
+        break;
+      }
+    }
+  }
+  if (event.subtype === "file_share" && event.files?.length && !body) {
+    const hasAudio = event.files.some(
+      (f) => f.subtype === "slack_audio" || AUDIO_TYPES.has(f.filetype ?? "")
+    );
+    if (hasAudio) {
+      body = "[Voice message \u2014 no transcript available]";
+    }
+  }
+  return {
+    id,
+    channel,
+    from,
+    body,
+    threadId,
+    receivedAt,
+    raw: event
+  };
+}
+async function enrichVoiceMessage(msg, botToken) {
+  if (!msg.body.includes("[Voice message \u2014 no transcript available]")) return msg;
+  const raw = msg.raw;
+  const files = raw?.files;
+  if (!files?.length) return msg;
+  const audioFile = files.find(
+    (f) => f.subtype === "slack_audio" || AUDIO_TYPES.has(f.filetype ?? "")
+  );
+  if (!audioFile?.url_private) return msg;
+  const buffer = await downloadAudio(audioFile.url_private, botToken);
+  if (!buffer) return msg;
+  const filename = audioFile.name ?? `voice.${audioFile.filetype ?? "aac"}`;
+  const transcript = await transcribeAudio(buffer, filename);
+  if (!transcript) return msg;
+  return {
+    ...msg,
+    body: `[Voice message] ${transcript}`
+  };
+}
+
+export {
+  transcribeAudio,
+  downloadAudio,
+  extractVoiceTranscript,
+  parseSlackEvent,
+  enrichVoiceMessage
+};

package/dist/chunk-XYF5PSB2.js

@@ -0,0 +1,389 @@
+// src/connectors/google/oauth.ts
+var _google;
+async function getGoogle() {
+  if (!_google) {
+    try {
+      const mod = await import("googleapis");
+      _google = mod.google;
+    } catch {
+      throw new Error(
+        "googleapis is required for Google connectors. Install it: npm install googleapis"
+      );
+    }
+  }
+  return _google;
+}
+async function createOAuth2Client(config) {
+  const google = await getGoogle();
+  return new google.auth.OAuth2(
+    config.clientId,
+    config.clientSecret,
+    config.redirectUri
+  );
+}
+function getAuthUrl(client, scopes) {
+  return client.generateAuthUrl({
+    access_type: "offline",
+    prompt: "consent",
+    scope: scopes
+  });
+}
+async function exchangeCode(client, code) {
+  const { tokens } = await client.getToken(code);
+  return tokens;
+}
+async function createServiceAccountClient(config, scopes) {
+  const google = await getGoogle();
+  const auth = new google.auth.GoogleAuth({
+    ...config.keyFile ? { keyFile: config.keyFile } : {},
+    ...config.credentials ? { credentials: config.credentials } : {},
+    scopes,
+    clientOptions: { subject: config.subject }
+  });
+  return auth.getClient();
+}
+async function loadTokens(getter, accountKey) {
+  const raw = await getter(`google_tokens:${accountKey}`);
+  if (!raw) return null;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function saveTokens(setter, accountKey, tokens) {
+  await setter(`google_tokens:${accountKey}`, JSON.stringify(tokens));
+}
+async function refreshIfNeeded(client, tokens, saver) {
+  const buffer = 6e4;
+  const isExpired = tokens.expiry_date != null && Date.now() >= tokens.expiry_date - buffer;
+  if (!isExpired) return tokens;
+  client.setCredentials(tokens);
+  const { credentials } = await client.refreshAccessToken();
+  const refreshed = {
+    access_token: credentials.access_token,
+    refresh_token: credentials.refresh_token ?? tokens.refresh_token,
+    expiry_date: credentials.expiry_date ?? void 0,
+    token_type: credentials.token_type ?? "Bearer"
+  };
+  if (saver) {
+    await saver(refreshed);
+  }
+  return refreshed;
+}
+
+// src/connectors/google/gmail-connector.ts
+var GoogleGmailConnector = class {
+  id = "google-gmail";
+  meta = {
+    displayName: "Google Gmail",
+    provider: "google",
+    dataType: "email"
+  };
+  tokenLoader;
+  tokenSaver;
+  client = null;
+  config = null;
+  tokens = null;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  gmail = null;
+  constructor(opts = {}) {
+    this.tokenLoader = opts.tokenLoader;
+    this.tokenSaver = opts.tokenSaver;
+  }
+  // ── Lifecycle ──────────────────────────────────────────────────
+  async connect(config) {
+    this.config = config;
+    const scopes = config.scopes ?? [
+      "https://www.googleapis.com/auth/gmail.readonly"
+    ];
+    if (config.serviceAccount) {
+      this.client = await createServiceAccountClient(config.serviceAccount, scopes);
+    } else if (config.oauth) {
+      this.client = await createOAuth2Client(config.oauth);
+      if (!this.tokenLoader) {
+        throw new Error("tokenLoader required for OAuth2 flow");
+      }
+      this.tokens = await loadTokens(this.tokenLoader, config.account);
+      if (!this.tokens) {
+        throw new Error(
+          `No stored tokens for account ${config.account}. Complete the OAuth flow first.`
+        );
+      }
+      this.tokens = await refreshIfNeeded(
+        this.client,
+        this.tokens,
+        this.tokenSaver ? async (t) => saveTokens(this.tokenSaver, config.account, t) : void 0
+      );
+      this.client.setCredentials(this.tokens);
+    } else {
+      throw new Error("Either serviceAccount or oauth config is required");
+    }
+    const { google } = await import("googleapis");
+    this.gmail = google.gmail({ version: "v1", auth: this.client });
+  }
+  async disconnect() {
+    this.client = null;
+    this.gmail = null;
+    this.tokens = null;
+    this.config = null;
+  }
+  async healthCheck() {
+    try {
+      this.ensureConnected();
+      const res = await this.gmail.users.getProfile({ userId: "me" });
+      return { ok: true, account: res.data.emailAddress };
+    } catch (err) {
+      return { ok: false, error: errorMessage(err) };
+    }
+  }
+  // ── Auth ───────────────────────────────────────────────────────
+  async authenticate(codeProvider) {
+    if (!this.config) {
+      return { success: false, error: "Call connect() first to set config, or pass config and call authenticate() before connect()." };
+    }
+    try {
+      if (!this.config.oauth) {
+        return { success: false, error: "OAuth config required for browser-based authenticate(). Use serviceAccount for headless auth." };
+      }
+      if (!this.tokenSaver) {
+        return { success: false, error: "tokenSaver required for authenticate() flow." };
+      }
+      const client = await createOAuth2Client(this.config.oauth);
+      const scopes = this.config.scopes ?? [
+        "https://www.googleapis.com/auth/gmail.readonly",
+        "https://www.googleapis.com/auth/gmail.send"
+      ];
+      const authUrl = getAuthUrl(client, scopes);
+      const code = await codeProvider(authUrl);
+      const tokens = await exchangeCode(client, code);
+      await saveTokens(this.tokenSaver, this.config.account, tokens);
+      this.tokens = tokens;
+      this.client = client;
+      this.client.setCredentials(tokens);
+      const { google } = await import("googleapis");
+      this.gmail = google.gmail({ version: "v1", auth: this.client });
+      return { success: true, account: this.config.account };
+    } catch (err) {
+      return { success: false, error: errorMessage(err) };
+    }
+  }
+  // ── Sync ───────────────────────────────────────────────────────
+  async sync(options) {
+    this.ensureConnected();
+    if (options?.cursor) {
+      return this.syncIncremental(options.cursor, options.limit);
+    }
+    return this.syncFull(options);
+  }
+  /** Incremental sync using Gmail history API. */
+  async syncIncremental(startHistoryId, limit) {
+    const records = [];
+    const errors = [];
+    const seenIds = /* @__PURE__ */ new Set();
+    let pageToken;
+    let latestHistoryId = startHistoryId;
+    do {
+      const res = await this.gmail.users.history.list({
+        userId: "me",
+        startHistoryId,
+        historyTypes: ["messageAdded"],
+        ...pageToken ? { pageToken } : {}
+      });
+      latestHistoryId = res.data.historyId ?? latestHistoryId;
+      const histories = res.data.history ?? [];
+      for (const h of histories) {
+        for (const added of h.messagesAdded ?? []) {
+          const msgId = added.message?.id;
+          if (!msgId || seenIds.has(msgId)) continue;
+          seenIds.add(msgId);
+          try {
+            const record = await this.fetchMessage(msgId);
+            records.push(record);
+          } catch (err) {
+            errors.push({ id: msgId, error: errorMessage(err) });
+          }
+          if (limit && records.length >= limit) {
+            return { records, cursor: latestHistoryId, hasMore: true, errors };
+          }
+        }
+      }
+      pageToken = res.data.nextPageToken ?? void 0;
+    } while (pageToken);
+    return { records, cursor: latestHistoryId, hasMore: false, errors };
+  }
+  /** Full sync — list messages and fetch each one. */
+  async syncFull(options) {
+    const records = [];
+    const errors = [];
+    const maxResults = options?.limit ?? 100;
+    let query = "";
+    if (options?.since) {
+      const epoch = Math.floor(new Date(options.since).getTime() / 1e3);
+      query = `after:${epoch}`;
+    }
+    if (options?.filters?.q) {
+      query = query ? `${query} ${options.filters.q}` : String(options.filters.q);
+    }
+    let pageToken;
+    let collected = 0;
+    do {
+      const res = await this.gmail.users.messages.list({
+        userId: "me",
+        maxResults: Math.min(maxResults - collected, 100),
+        ...query ? { q: query } : {},
+        ...pageToken ? { pageToken } : {}
+      });
+      const messages = res.data.messages ?? [];
+      for (const msg of messages) {
+        try {
+          const record = await this.fetchMessage(msg.id);
+          records.push(record);
+        } catch (err) {
+          errors.push({ id: msg.id, error: errorMessage(err) });
+        }
+        collected++;
+        if (collected >= maxResults) break;
+      }
+      pageToken = res.data.nextPageToken ?? void 0;
+    } while (pageToken && collected < maxResults);
+    const profile = await this.gmail.users.getProfile({ userId: "me" });
+    const cursor = profile.data.historyId ?? void 0;
+    return {
+      records,
+      cursor,
+      hasMore: !!pageToken,
+      errors
+    };
+  }
+  // ── Push (send email) ─────────────────────────────────────────
+  async push(payload) {
+    this.ensureConnected();
+    try {
+      const toHeader = payload.to.map(formatAddress).join(", ");
+      const ccHeader = payload.cc.length ? `Cc: ${payload.cc.map(formatAddress).join(", ")}\r
+` : "";
+      const bccHeader = payload.bcc.length ? `Bcc: ${payload.bcc.map(formatAddress).join(", ")}\r
+` : "";
+      const mime = [
+        `To: ${toHeader}\r
+`,
+        ccHeader,
+        bccHeader,
+        `Subject: ${payload.subject}\r
+`,
+        `Content-Type: text/plain; charset="UTF-8"\r
+`,
+        `\r
+`,
+        payload.body ?? ""
+      ].join("");
+      const encoded = Buffer.from(mime).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+      const res = await this.gmail.users.messages.send({
+        userId: "me",
+        requestBody: { raw: encoded }
+      });
+      return { success: true, externalId: res.data.id };
+    } catch (err) {
+      return { success: false, error: errorMessage(err) };
+    }
+  }
+  // ── Internals ─────────────────────────────────────────────────
+  ensureConnected() {
+    if (!this.gmail || !this.config) {
+      throw new Error("GoogleGmailConnector is not connected. Call connect() first.");
+    }
+  }
+  /** Fetch a single message by ID and parse into an EmailRecord. */
+  async fetchMessage(messageId) {
+    const res = await this.gmail.users.messages.get({
+      userId: "me",
+      id: messageId,
+      format: "full"
+    });
+    const msg = res.data;
+    const headers = msg.payload?.headers ?? [];
+    const getHeader = (name) => headers.find((h) => h.name.toLowerCase() === name.toLowerCase())?.value ?? "";
+    return {
+      gmailId: msg.id,
+      threadId: msg.threadId,
+      account: this.config.account,
+      subject: getHeader("Subject"),
+      from: parseAddress(getHeader("From")),
+      to: parseAddressList(getHeader("To")),
+      cc: parseAddressList(getHeader("Cc")),
+      bcc: parseAddressList(getHeader("Bcc")),
+      date: new Date(getHeader("Date")).toISOString(),
+      snippet: msg.snippet ?? "",
+      body: extractPlainTextBody(msg.payload),
+      labels: msg.labelIds ?? [],
+      isRead: !(msg.labelIds ?? []).includes("UNREAD")
+    };
+  }
+};
+function extractPlainTextBody(payload) {
+  if (!payload) return void 0;
+  if (payload.mimeType === "text/plain" && payload.body?.data) {
+    return decodeBase64Url(payload.body.data);
+  }
+  if (payload.parts) {
+    for (const part of payload.parts) {
+      if (part.mimeType === "text/plain" && part.body?.data) {
+        return decodeBase64Url(part.body.data);
+      }
+    }
+    for (const part of payload.parts) {
+      if (part.mimeType?.startsWith("multipart/")) {
+        const result = extractPlainTextBody(part);
+        if (result) return result;
+      }
+    }
+  }
+  return void 0;
+}
+function decodeBase64Url(data) {
+  const base64 = data.replace(/-/g, "+").replace(/_/g, "/");
+  return Buffer.from(base64, "base64").toString("utf-8");
+}
+function parseAddress(raw) {
+  const match = raw.match(/^(.+?)\s*<([^>]+)>$/);
+  if (match) {
+    return { name: match[1].replace(/^["']|["']$/g, "").trim(), email: match[2] };
+  }
+  return { email: raw.trim() };
+}
+function parseAddressList(raw) {
+  if (!raw.trim()) return [];
+  const results = [];
+  let current = "";
+  let depth = 0;
+  for (const ch of raw) {
+    if (ch === "<") depth++;
+    else if (ch === ">") depth--;
+    else if (ch === "," && depth === 0) {
+      if (current.trim()) results.push(parseAddress(current.trim()));
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  if (current.trim()) results.push(parseAddress(current.trim()));
+  return results;
+}
+function formatAddress(addr) {
+  return addr.name ? `${addr.name} <${addr.email}>` : addr.email;
+}
+function errorMessage(err) {
+  return err instanceof Error ? err.message : String(err);
+}
+
+export {
+  createOAuth2Client,
+  getAuthUrl,
+  exchangeCode,
+  createServiceAccountClient,
+  loadTokens,
+  saveTokens,
+  refreshIfNeeded,
+  GoogleGmailConnector
+};

package/dist/cli.js

@@ -3,7 +3,7 @@
 // src/cli.ts
 import * as readline from "readline";
 import * as fs from "fs";
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 
 // src/update-check.ts
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
@@ -104,7 +104,7 @@ async function runUpdate(currentVersion) {
   }
   console.log(`Updating to ${latest}...`);
   try {
-    execSync("npm install -g botinabox@latest", { stdio: "inherit" });
+    execFileSync("npm", ["install", "-g", "botinabox@latest"], { stdio: "inherit" });
     console.log(`Updated botinabox ${currentVersion} \u2192 ${latest}`);
   } catch {
     console.error("Update failed. Try running manually: npm install -g botinabox@latest");
@@ -178,7 +178,7 @@ async function authGoogle(args) {
       });
     }
   };
-  const { GoogleGmailConnector } = await import("./gmail-connector-PS2VLGNE.js");
+  const { GoogleGmailConnector } = await import("./gmail-connector-ULSMN6X2.js");
   const connector = new GoogleGmailConnector({ tokenLoader, tokenSaver });
   connector.config = {
     account,

package/dist/connectors/google/index.js

@@ -7,7 +7,7 @@ import {
   loadTokens,
   refreshIfNeeded,
   saveTokens
-} from "../../chunk-UACT2WXX.js";
+} from "../../chunk-XYF5PSB2.js";
 
 // src/connectors/google/calendar-connector.ts
 var GoogleCalendarConnector = class {

package/dist/gmail-connector-ULSMN6X2.js

@@ -0,0 +1,6 @@
+import {
+  GoogleGmailConnector
+} from "./chunk-XYF5PSB2.js";
+export {
+  GoogleGmailConnector
+};

package/dist/inbound-MCOLRH6U.js

@@ -0,0 +1,10 @@
+import {
+  enrichVoiceMessage,
+  extractVoiceTranscript,
+  parseSlackEvent
+} from "./chunk-J6S6QMUY.js";
+export {
+  enrichVoiceMessage,
+  extractVoiceTranscript,
+  parseSlackEvent
+};

package/dist/inbound-ZJHAYVMF.js

@@ -0,0 +1,10 @@
+import {
+  enrichVoiceMessage,
+  extractVoiceTranscript,
+  parseSlackEvent
+} from "./chunk-NNPCKR6G.js";
+export {
+  enrichVoiceMessage,
+  extractVoiceTranscript,
+  parseSlackEvent
+};

package/dist/index.d.ts

@@ -1537,7 +1537,15 @@ interface SecretMeta {
 declare class SecretStore {
     private readonly db;
     private readonly hooks;
-    constructor(db: DataStore, hooks: HookBus);
+    private readonly encKey;
+    /**
+     * @param db - DataStore instance
+     * @param hooks - HookBus instance
+     * @param encryptionKey - Optional master key for encrypting secrets at rest.
+     *   When provided, all new secrets are encrypted with AES-256-GCM.
+     *   Existing plaintext secrets are read transparently (passthrough on decrypt).
+     */
+    constructor(db: DataStore, hooks: HookBus, encryptionKey?: string);
     set(input: SecretInput): Promise<SecretMeta>;
     get(name: string, environment?: string): Promise<string | null>;
     getMeta(name: string, environment?: string): Promise<SecretMeta | null>;

package/dist/index.js

@@ -1124,6 +1124,9 @@ var DataStore = class {
     for (const stmt of def.tableConstraints ?? []) {
       const upper = stmt.trimStart().toUpperCase();
       if (upper.startsWith("CREATE ") || upper.startsWith("DROP ") || upper.startsWith("ALTER ")) {
+        if (stmt.includes(";")) {
+          throw new DataStoreError(`Deferred DDL statement must not contain semicolons: ${stmt}`);
+        }
         this.deferredStatements.push(stmt);
       } else {
         inlineConstraints.push(stmt);
@@ -1146,8 +1149,11 @@ var DataStore = class {
     this.lattice.defineEntityContext(name, {
       slug: (row) => {
         const val = row[def.slugColumn];
-        if (val == null) return String(row.id ?? row.name ?? "unknown");
-        return String(val);
+        const raw = val == null ? String(row.id ?? row.name ?? "unknown") : String(val);
+        if (raw.includes("/") || raw.includes("\\") || raw.includes("..")) {
+          throw new Error(`Invalid slug "${raw}": contains path traversal characters`);
+        }
+        return raw;
       },
       directoryRoot: def.directory,
       files: def.files,
@@ -2728,9 +2734,10 @@ async function runPackageMigrations(db, migrations) {
 }
 
 // src/core/update/auto-update.ts
-import { execSync as execSync2 } from "child_process";
+import { execFileSync } from "child_process";
 import { readFileSync as readFileSync3 } from "fs";
 import { join as join5 } from "path";
+var SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
 function getInstalledVersion(pkgName) {
   try {
     const pkgPath = join5(process.cwd(), "node_modules", pkgName, "package.json");
@@ -2773,6 +2780,10 @@ async function autoUpdate(packages = ["botinabox", "latticesql"], opts) {
     const latest = await getLatestVersion(pkg);
     if (!latest) continue;
     if (isNewer(latest, installed)) {
+      if (!SEMVER_RE.test(latest)) {
+        console.error(`[autoUpdate] Rejecting invalid version "${latest}" for ${pkg}`);
+        continue;
+      }
       toInstall.push(`${pkg}@${latest}`);
       result.packages.push({ name: pkg, from: installed, to: latest });
     }
@@ -2780,7 +2791,7 @@ async function autoUpdate(packages = ["botinabox", "latticesql"], opts) {
   if (toInstall.length === 0) return result;
   log(`[autoUpdate] Updating: ${toInstall.join(", ")}`);
   try {
-    execSync2(`npm install ${toInstall.join(" ")}`, {
+    execFileSync("npm", ["install", ...toInstall], {
       cwd: process.cwd(),
       stdio: opts?.quiet ? "ignore" : "inherit",
       timeout: 6e4
@@ -3613,10 +3624,14 @@ var Scheduler = class {
     for (const schedule of schedules) {
       try {
         const config = JSON.parse(schedule.action_config || "{}");
+        const safeConfig = {};
+        for (const [k, v] of Object.entries(config)) {
+          if (!k.startsWith("__")) safeConfig[k] = v;
+        }
         await this.hooks.emit(schedule.action, {
           schedule_id: schedule.id,
           schedule_name: schedule.name,
-          ...config
+          ...safeConfig
         });
         await this.hooks.emit("schedule.fired", {
           schedule_id: schedule.id,
@@ -4136,19 +4151,57 @@ var UserRegistry = class {
 
 // src/core/orchestrator/secret-store.ts
 import { v4 as uuidv42 } from "uuid";
+import { scryptSync, createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var ENC_PREFIX = "enc:";
+var ALGORITHM = "aes-256-gcm";
+var IV_LEN = 12;
+var TAG_LEN = 16;
+function deriveEncKey(masterKey) {
+  return scryptSync(masterKey, "botinabox-secrets-v1", 32);
+}
+function encryptValue(plaintext, key) {
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return ENC_PREFIX + Buffer.concat([iv, tag, encrypted]).toString("base64");
+}
+function decryptValue(ciphertext, key) {
+  if (!ciphertext.startsWith(ENC_PREFIX)) return ciphertext;
+  const buf = Buffer.from(ciphertext.slice(ENC_PREFIX.length), "base64");
+  const iv = buf.subarray(0, IV_LEN);
+  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
+  const data = buf.subarray(IV_LEN + TAG_LEN);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(data).toString("utf8") + decipher.final("utf8");
+}
 var SecretStore = class {
   db;
   hooks;
-  constructor(db, hooks) {
+  encKey;
+  /**
+   * @param db - DataStore instance
+   * @param hooks - HookBus instance
+   * @param encryptionKey - Optional master key for encrypting secrets at rest.
+   *   When provided, all new secrets are encrypted with AES-256-GCM.
+   *   Existing plaintext secrets are read transparently (passthrough on decrypt).
+   */
+  constructor(db, hooks, encryptionKey) {
     this.db = db;
     this.hooks = hooks;
+    this.encKey = encryptionKey ? deriveEncKey(encryptionKey) : null;
   }
   async set(input) {
     const id = uuidv42();
-    await this.db.insert("secrets", { ...input, id });
+    const data = { ...input, id };
+    if (this.encKey && data.value) {
+      data.value = encryptValue(data.value, this.encKey);
+    }
+    await this.db.insert("secrets", data);
     await this.hooks.emit("secret.created", { name: input.name });
-    const row = await this.db.get("secrets", id);
-    return this._toMeta(row);
+    const inserted = await this.db.get("secrets", id);
+    return this._toMeta(inserted);
   }
   async get(name, environment = "production") {
     const rows = await this.db.query("secrets", {
@@ -4158,7 +4211,9 @@ var SecretStore = class {
     });
     if (rows.length === 0) return null;
     await this.hooks.emit("secret.accessed", { name, environment });
-    return rows[0].value ?? null;
+    const raw = rows[0].value ?? null;
+    if (raw && this.encKey) return decryptValue(raw, this.encKey);
+    return raw;
   }
   async getMeta(name, environment = "production") {
     const rows = await this.db.query("secrets", {
@@ -4182,8 +4237,9 @@ var SecretStore = class {
       limit: 1
     });
     if (rows.length === 0) throw new Error(`Secret "${name}" not found`);
+    const storedValue = this.encKey ? encryptValue(newValue, this.encKey) : newValue;
     await this.db.update("secrets", rows[0].id, {
-      value: newValue,
+      value: storedValue,
       updated_at: (/* @__PURE__ */ new Date()).toISOString()
     });
     await this.hooks.emit("secret.rotated", { name, environment });
@@ -4212,13 +4268,16 @@ var SecretStore = class {
       filters: [{ col: "deleted_at", op: "isNull" }],
       limit: 1
     });
-    return rows[0]?.value ?? void 0;
+    const raw = rows[0]?.value ?? void 0;
+    if (raw && this.encKey) return decryptValue(raw, this.encKey);
+    return raw;
   }
   /**
    * Persist a sync cursor by key. Creates or updates the secret.
    */
   async saveCursor(key, value) {
     const name = `sync-cursor:${key}`;
+    const storedValue = this.encKey ? encryptValue(value, this.encKey) : value;
     const rows = await this.db.query("secrets", {
       where: { name },
       filters: [{ col: "deleted_at", op: "isNull" }],
@@ -4226,7 +4285,7 @@ var SecretStore = class {
     });
     if (rows.length > 0) {
       await this.db.update("secrets", rows[0].id, {
-        value,
+        value: storedValue,
         updated_at: (/* @__PURE__ */ new Date()).toISOString()
       });
     } else {
@@ -4234,7 +4293,7 @@ var SecretStore = class {
         id: uuidv42(),
         name,
         type: "sync_cursor",
-        value
+        value: storedValue
       });
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botinabox",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Bot in a Box — framework for building multi-agent bots",
   "type": "module",
   "main": "./dist/index.js",
@@ -59,7 +59,7 @@
     "@types/uuid": "^10.0.0",
     "ajv": "^8.17.1",
     "cron-parser": "^4.9.0",
-    "latticesql": "^1.1.1",
+    "latticesql": "^1.2.0",
     "uuid": "^13.0.0",
     "yaml": "^2.7.0"
   },
@@ -68,7 +68,7 @@
   },
   "peerDependencies": {
     "@anthropic-ai/sdk": "^0.52.0",
-    "googleapis": ">=140.0.0",
+    "googleapis": ">=140.0.0 <200.0.0",
     "openai": "^4.104.0"
   },
   "peerDependenciesMeta": {