hippo-memory 0.38.0 → 0.40.0

package/dist/connectors/slack/deletion.d.ts

@@ -10,5 +10,15 @@ export interface DeletionResult {
     status: DeletionStatus;
     memoryId: string | null;
 }
+/**
+ * Handle Slack `message_deleted`. v0.39 commit 3 closes the prior race where
+ * the archive committed but `markEventSeen` ran on a second db handle — a
+ * crash between them left the deletion event un-acked, and the next retry
+ * hit a now-archived row and returned `not_found` instead of `duplicate`.
+ *
+ * Fix: pass `afterArchive` to `archiveRaw`, which runs inside the same
+ * SAVEPOINT as the archive itself. The slack_event_log row commits with the
+ * archive or not at all.
+ */
 export declare function handleMessageDeleted(ctx: Context, input: DeletionInput): DeletionResult;
 //# sourceMappingURL=deletion.d.ts.map

package/dist/connectors/slack/deletion.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deletion.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/deletion.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAIxD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,WAAW,GAAG,WAAW,CAAC;AAEpE,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,GAAG,cAAc,CAgCvF"}
+{"version":3,"file":"deletion.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/deletion.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAIxD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,WAAW,GAAG,WAAW,CAAC;AAEpE,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,GAAG,cAAc,CA0CvF"}

package/dist/connectors/slack/deletion.js

@@ -1,6 +1,16 @@
 import { archiveRaw } from '../../api.js';
 import { openHippoDb, closeHippoDb } from '../../db.js';
 import { markEventSeen, hasSeenEvent } from './idempotency.js';
+/**
+ * Handle Slack `message_deleted`. v0.39 commit 3 closes the prior race where
+ * the archive committed but `markEventSeen` ran on a second db handle — a
+ * crash between them left the deletion event un-acked, and the next retry
+ * hit a now-archived row and returned `not_found` instead of `duplicate`.
+ *
+ * Fix: pass `afterArchive` to `archiveRaw`, which runs inside the same
+ * SAVEPOINT as the archive itself. The slack_event_log row commits with the
+ * archive or not at all.
+ */
 export function handleMessageDeleted(ctx, input) {
     const db = openHippoDb(ctx.hippoRoot);
     let memoryId = null;
@@ -22,6 +32,9 @@ export function handleMessageDeleted(ctx, input) {
         closeHippoDb(db);
     }
     if (!memoryId) {
+        // No row to archive — still mark the deletion event seen so a retry returns
+        // 'duplicate'. There is nothing to roll back here, so the second-handle
+        // pattern is fine for this branch.
         const db2 = openHippoDb(ctx.hippoRoot);
         try {
             markEventSeen(db2, input.eventId, null);
@@ -31,16 +44,14 @@ export function handleMessageDeleted(ctx, input) {
         }
         return { status: 'not_found', memoryId: null };
     }
-    // api.archiveRaw now handles legacy mirror cleanup centrally so every caller
-    // (CLI, REST route, MCP tool, this connector) gets the GDPR-correct archive.
-    archiveRaw(ctx, memoryId, `source_deleted:slack:${input.teamId}:${input.channelId}:${input.deletedTs}`);
-    const db3 = openHippoDb(ctx.hippoRoot);
-    try {
-        markEventSeen(db3, input.eventId, memoryId);
-    }
-    finally {
-        closeHippoDb(db3);
-    }
+    // Archive + event-log mark commit together via afterArchive. The hook
+    // receives the same db handle the archive is using, so the INSERT lives
+    // inside the SAVEPOINT.
+    archiveRaw(ctx, memoryId, `source_deleted:slack:${input.teamId}:${input.channelId}:${input.deletedTs}`, {
+        afterArchive: (sameDb, archivedId) => {
+            markEventSeen(sameDb, input.eventId, archivedId);
+        },
+    });
     return { status: 'archived', memoryId };
 }
 //# sourceMappingURL=deletion.js.map

package/dist/connectors/slack/deletion.js.map

@@ -1 +1 @@
-{"version":3,"file":"deletion.js","sourceRoot":"","sources":["../../../src/connectors/slack/deletion.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAgB/D,MAAM,UAAU,oBAAoB,CAAC,GAAY,EAAE,KAAoB;IACrE,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,IAAI,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QACjD,CAAC;QACD,MAAM,GAAG,GAAG,WAAW,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAC5E,yEAAyE;QACzE,kEAAkE;QAClE,0EAA0E;QAC1E,kBAAkB;QAClB,MAAM,GAAG,GAAG,EAAE;aACX,OAAO,CAAC,mFAAmF,CAAC;aAC5F,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAgC,CAAC;QACzD,QAAQ,GAAG,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC;IAC7B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC;YAAC,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAAC,CAAC;gBACxC,CAAC;YAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAC9B,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjD,CAAC;IACD,6EAA6E;IAC7E,6EAA6E;IAC7E,UAAU,CAAC,GAAG,EAAE,QAAQ,EAAE,wBAAwB,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IACxG,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,CAAC;QAAC,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAAC,CAAC;YAC5C,CAAC;QAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAC1C,CAAC"}
+{"version":3,"file":"deletion.js","sourceRoot":"","sources":["../../../src/connectors/slack/deletion.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAgB,MAAM,cAAc,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAgB/D;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAY,EAAE,KAAoB;IACrE,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,IAAI,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QACjD,CAAC;QACD,MAAM,GAAG,GAAG,WAAW,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAC5E,yEAAyE;QACzE,kEAAkE;QAClE,0EAA0E;QAC1E,kBAAkB;QAClB,MAAM,GAAG,GAAG,EAAE;aACX,OAAO,CAAC,mFAAmF,CAAC;aAC5F,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAgC,CAAC;QACzD,QAAQ,GAAG,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC;IAC7B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,4EAA4E;QAC5E,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC;YAAC,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAAC,CAAC;gBACxC,CAAC;YAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAC9B,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjD,CAAC;IACD,sEAAsE;IACtE,wEAAwE;IACxE,wBAAwB;IACxB,UAAU,CACR,GAAG,EACH,QAAQ,EACR,wBAAwB,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,EAAE,EAC5E;QACE,YAAY,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE;YACnC,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACnD,CAAC;KACF,CACF,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAC1C,CAAC"}

package/dist/connectors/slack/dlq.d.ts

@@ -1,21 +1,79 @@
 import type { DatabaseSyncLike } from '../../db.js';
+import type { Context } from '../../api.js';
+export type DlqBucket = 'parse_error' | 'unroutable' | 'signature_fail';
 export interface DlqItem {
     id: number;
     tenantId: string;
+    teamId: string | null;
     rawPayload: string;
     error: string;
     receivedAt: string;
     retriedAt: string | null;
+    bucket: DlqBucket | string;
+    retryCount: number;
+    signature: string | null;
+    slackTimestamp: string | null;
 }
+/**
+ * v0.39 commit 3: writeToDlq is now bucket-aware. `bucket` defaults to
+ * 'parse_error' to preserve the legacy single-arg call sites while letting
+ * new callers tag rows for `hippo slack dlq replay` triage.
+ *
+ * `tenantId: null` means "no tenant resolved" (unroutable team). Stored as
+ * the sentinel '__unroutable__' so the column stays NOT NULL — a mismatch
+ * the listing CLI surfaces explicitly.
+ */
 export interface WriteDlqOpts {
-    tenantId: string;
+    tenantId: string | null;
     rawPayload: string;
     error: string;
+    bucket?: DlqBucket;
+    teamId?: string | null;
+    signature?: string | null;
+    slackTimestamp?: string | null;
 }
 export declare function writeToDlq(db: DatabaseSyncLike, opts: WriteDlqOpts): number;
 export declare function listDlq(db: DatabaseSyncLike, opts: {
     tenantId: string;
     limit?: number;
 }): DlqItem[];
+export declare function getDlqEntry(db: DatabaseSyncLike, id: number): DlqItem | null;
 export declare function markDlqRetried(db: DatabaseSyncLike, id: number): void;
+export interface ReplayDlqOpts {
+    /** Skip signature verification when the row's signature/timestamp are missing or stale. */
+    force?: boolean;
+    /** Current signing secret. If omitted, signature check is skipped (force-only path). */
+    signingSecret?: string;
+    /** Now (unix seconds) override for tests. */
+    now?: number;
+    /** Skew window override for tests. */
+    skewSeconds?: number;
+}
+export interface ReplayDlqResult {
+    ok: boolean;
+    status: string;
+    memoryId: string | null;
+    retryCount: number;
+    reason?: string;
+}
+/**
+ * Replay a DLQ row through the normal ingest path. Used by `hippo slack dlq
+ * replay <id> [--force]`.
+ *
+ * Behavior:
+ *   1. SELECT the row.
+ *   2. If signature + slack_timestamp are present and `signingSecret` is set,
+ *      re-verify with the CURRENT secret (not previous). Failure → bail unless
+ *      --force. Legacy rows from before v19 may have NULL signature; those
+ *      require --force to replay safely.
+ *   3. Re-parse the raw_payload and dispatch to ingestMessage / handleMessageDeleted.
+ *   4. On success: mark retried_at, increment retry_count.
+ *   5. On failure: increment retry_count only, leave the row.
+ *
+ * The replay always uses the routing the deployment has NOW (current
+ * slack_workspaces table + env), not whatever was in effect when the original
+ * envelope was DLQed. That is intentional: the DLQ exists to be drained after
+ * the operator fixed the routing.
+ */
+export declare function replayDlqEntry(ctx: Pick<Context, 'hippoRoot'>, id: number, opts?: ReplayDlqOpts): ReplayDlqResult;
 //# sourceMappingURL=dlq.d.ts.map

package/dist/connectors/slack/dlq.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dlq.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/dlq.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,wBAAgB,UAAU,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,YAAY,GAAG,MAAM,CAK3E;AAED,wBAAgB,OAAO,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,EAAE,CAYnG;AAED,wBAAgB,cAAc,CAAC,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,GAAG,IAAI,CAErE"}
+{"version":3,"file":"dlq.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/dlq.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAQ5C,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,gBAAgB,CAAC;AAExE,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,SAAS,GAAG,MAAM,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED,wBAAgB,UAAU,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,YAAY,GAAG,MAAM,CAkB3E;AAED,wBAAgB,OAAO,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,EAAE,CAYnG;AAED,wBAAgB,WAAW,CAAC,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAW5E;AAkBD,wBAAgB,cAAc,CAAC,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,GAAG,IAAI,CAGrE;AAED,MAAM,WAAW,aAAa;IAC5B,2FAA2F;IAC3F,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,cAAc,CAC5B,GAAG,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAC/B,EAAE,EAAE,MAAM,EACV,IAAI,GAAE,aAAkB,GACvB,eAAe,CAmIjB"}

package/dist/connectors/slack/dlq.js

@@ -1,23 +1,221 @@
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { ingestMessage } from './ingest.js';
+import { resolveTenantForTeam } from './tenant-routing.js';
+import { verifySlackSignature } from './signature.js';
+import { isSlackEventEnvelope, isSlackMessageEvent } from './types.js';
+import { handleMessageDeleted } from './deletion.js';
 export function writeToDlq(db, opts) {
     const result = db
-        .prepare(`INSERT INTO slack_dlq (tenant_id, raw_payload, error, received_at) VALUES (?, ?, ?, ?)`)
-        .run(opts.tenantId, opts.rawPayload, opts.error, new Date().toISOString());
+        .prepare(`INSERT INTO slack_dlq
+        (tenant_id, team_id, raw_payload, error, received_at, bucket, signature, slack_timestamp)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`)
+        .run(opts.tenantId ?? '__unroutable__', opts.teamId ?? null, opts.rawPayload, opts.error, new Date().toISOString(), opts.bucket ?? 'parse_error', opts.signature ?? null, opts.slackTimestamp ?? null);
     return Number(result.lastInsertRowid);
 }
 export function listDlq(db, opts) {
     const rows = db
-        .prepare(`SELECT id, tenant_id, raw_payload, error, received_at, retried_at FROM slack_dlq WHERE tenant_id = ? ORDER BY received_at ASC LIMIT ?`)
+        .prepare(`SELECT id, tenant_id, team_id, raw_payload, error, received_at, retried_at,
+              bucket, retry_count, signature, slack_timestamp
+         FROM slack_dlq
+        WHERE tenant_id = ?
+        ORDER BY received_at ASC
+        LIMIT ?`)
         .all(opts.tenantId, opts.limit ?? 100);
-    return rows.map((r) => ({
+    return rows.map(rowToItem);
+}
+export function getDlqEntry(db, id) {
+    const row = db
+        .prepare(`SELECT id, tenant_id, team_id, raw_payload, error, received_at, retried_at,
+              bucket, retry_count, signature, slack_timestamp
+         FROM slack_dlq
+        WHERE id = ?`)
+        .get(id);
+    if (!row)
+        return null;
+    return rowToItem(row);
+}
+function rowToItem(r) {
+    return {
         id: Number(r.id),
         tenantId: String(r.tenant_id),
+        teamId: r.team_id == null ? null : String(r.team_id),
         rawPayload: String(r.raw_payload),
         error: String(r.error),
         receivedAt: String(r.received_at),
         retriedAt: r.retried_at == null ? null : String(r.retried_at),
-    }));
+        bucket: r.bucket == null ? 'parse_error' : String(r.bucket),
+        retryCount: Number(r.retry_count ?? 0),
+        signature: r.signature == null ? null : String(r.signature),
+        slackTimestamp: r.slack_timestamp == null ? null : String(r.slack_timestamp),
+    };
 }
 export function markDlqRetried(db, id) {
-    db.prepare(`UPDATE slack_dlq SET retried_at = ? WHERE id = ?`).run(new Date().toISOString(), id);
+    db.prepare(`UPDATE slack_dlq SET retried_at = ?, retry_count = retry_count + 1 WHERE id = ?`)
+        .run(new Date().toISOString(), id);
+}
+/**
+ * Replay a DLQ row through the normal ingest path. Used by `hippo slack dlq
+ * replay <id> [--force]`.
+ *
+ * Behavior:
+ *   1. SELECT the row.
+ *   2. If signature + slack_timestamp are present and `signingSecret` is set,
+ *      re-verify with the CURRENT secret (not previous). Failure → bail unless
+ *      --force. Legacy rows from before v19 may have NULL signature; those
+ *      require --force to replay safely.
+ *   3. Re-parse the raw_payload and dispatch to ingestMessage / handleMessageDeleted.
+ *   4. On success: mark retried_at, increment retry_count.
+ *   5. On failure: increment retry_count only, leave the row.
+ *
+ * The replay always uses the routing the deployment has NOW (current
+ * slack_workspaces table + env), not whatever was in effect when the original
+ * envelope was DLQed. That is intentional: the DLQ exists to be drained after
+ * the operator fixed the routing.
+ */
+export function replayDlqEntry(ctx, id, opts = {}) {
+    const db = openHippoDb(ctx.hippoRoot);
+    let row;
+    try {
+        row = getDlqEntry(db, id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+    if (!row) {
+        return { ok: false, status: 'not_found', memoryId: null, retryCount: 0, reason: `dlq id ${id} not found` };
+    }
+    // Signature verification (current secret, not previous).
+    if (!opts.force) {
+        if (!row.signature || !row.slackTimestamp) {
+            return {
+                ok: false,
+                status: 'sig_missing',
+                memoryId: null,
+                retryCount: row.retryCount,
+                reason: 'legacy row without signature/timestamp; pass --force to replay',
+            };
+        }
+        if (opts.signingSecret) {
+            const ok = verifySlackSignature({
+                rawBody: row.rawPayload,
+                signature: row.signature,
+                timestamp: row.slackTimestamp,
+                signingSecret: opts.signingSecret,
+                now: opts.now,
+                // Replays happen long after the fact — give them a wider skew unless overridden.
+                skewSeconds: opts.skewSeconds ?? 60 * 60 * 24 * 365,
+            });
+            if (!ok) {
+                return {
+                    ok: false,
+                    status: 'sig_fail',
+                    memoryId: null,
+                    retryCount: row.retryCount,
+                    reason: 'signature did not verify against current SLACK_SIGNING_SECRET; pass --force to replay anyway',
+                };
+            }
+        }
+    }
+    // Parse + dispatch.
+    let parsed;
+    try {
+        parsed = JSON.parse(row.rawPayload);
+    }
+    catch (e) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'parse_error',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: `still unparseable: ${e.message}`,
+        };
+    }
+    if (!isSlackEventEnvelope(parsed)) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'unhandled',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: 'not an event_callback envelope',
+        };
+    }
+    // Resolve tenant against current state. If still unroutable, bail.
+    const db2 = openHippoDb(ctx.hippoRoot);
+    let tenant;
+    try {
+        tenant = resolveTenantForTeam(db2, parsed.team_id);
+    }
+    finally {
+        closeHippoDb(db2);
+    }
+    if (!tenant) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'unroutable',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: `team_id ${parsed.team_id} still unroutable`,
+        };
+    }
+    const replayCtx = {
+        hippoRoot: ctx.hippoRoot,
+        tenantId: tenant,
+        actor: 'connector:slack:replay',
+    };
+    const inner = parsed.event;
+    if (!isSlackMessageEvent(inner)) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'unhandled',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: `unhandled inner event type`,
+        };
+    }
+    if (inner.subtype === 'message_deleted' && inner.deleted_ts) {
+        const r = handleMessageDeleted(replayCtx, {
+            teamId: parsed.team_id,
+            channelId: inner.channel,
+            deletedTs: inner.deleted_ts,
+            eventId: parsed.event_id,
+        });
+        markRetried(ctx.hippoRoot, id);
+        return { ok: true, status: r.status, memoryId: r.memoryId, retryCount: row.retryCount + 1 };
+    }
+    const result = ingestMessage(replayCtx, {
+        teamId: parsed.team_id,
+        channel: {
+            id: inner.channel,
+            is_private: inner.channel_type !== 'channel',
+            is_im: inner.channel_type === 'im',
+            is_mpim: inner.channel_type === 'mpim',
+        },
+        message: inner,
+        eventId: parsed.event_id,
+    });
+    markRetried(ctx.hippoRoot, id);
+    return { ok: true, status: result.status, memoryId: result.memoryId, retryCount: row.retryCount + 1 };
+}
+function markRetried(hippoRoot, id) {
+    const db = openHippoDb(hippoRoot);
+    try {
+        markDlqRetried(db, id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+}
+function bumpRetryCount(hippoRoot, id) {
+    const db = openHippoDb(hippoRoot);
+    try {
+        db.prepare(`UPDATE slack_dlq SET retry_count = retry_count + 1 WHERE id = ?`).run(id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
 }
 //# sourceMappingURL=dlq.js.map

package/dist/connectors/slack/dlq.js.map

@@ -1 +1 @@
-{"version":3,"file":"dlq.js","sourceRoot":"","sources":["../../../src/connectors/slack/dlq.ts"],"names":[],"mappings":"AAiBA,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,IAAkB;IACjE,MAAM,MAAM,GAAG,EAAE;SACd,OAAO,CAAC,wFAAwF,CAAC;SACjG,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7E,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,EAAoB,EAAE,IAA0C;IACtF,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CAAC,uIAAuI,CAAC;SAChJ,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,GAAG,CAAmC,CAAC;IAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtB,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;KAC9D,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,EAAoB,EAAE,EAAU;IAC7D,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;AACnG,CAAC"}
+{"version":3,"file":"dlq.js","sourceRoot":"","sources":["../../../src/connectors/slack/dlq.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAqCrD,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,IAAkB;IACjE,MAAM,MAAM,GAAG,EAAE;SACd,OAAO,CACN;;uCAEiC,CAClC;SACA,GAAG,CACF,IAAI,CAAC,QAAQ,IAAI,gBAAgB,EACjC,IAAI,CAAC,MAAM,IAAI,IAAI,EACnB,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,KAAK,EACV,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACxB,IAAI,CAAC,MAAM,IAAI,aAAa,EAC5B,IAAI,CAAC,SAAS,IAAI,IAAI,EACtB,IAAI,CAAC,cAAc,IAAI,IAAI,CAC5B,CAAC;IACJ,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,EAAoB,EAAE,IAA0C;IACtF,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN;;;;;gBAKU,CACX;SACA,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,GAAG,CAAmC,CAAC;IAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,EAAU;IAC1D,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CACN;;;qBAGe,CAChB;SACA,GAAG,CAAC,EAAE,CAAwC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,SAAS,CAAC,CAA0B;IAC3C,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7B,MAAM,EAAE,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QACpD,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QAC3D,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC;QACtC,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3D,cAAc,EAAE,CAAC,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC;KAC7E,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,EAAoB,EAAE,EAAU;IAC7D,EAAE,CAAC,OAAO,CAAC,iFAAiF,CAAC;SAC1F,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;AACvC,CAAC;AAqBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,cAAc,CAC5B,GAA+B,EAC/B,EAAU,EACV,OAAsB,EAAE;IAExB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,GAAmB,CAAC;IACxB,IAAI,CAAC;QACH,GAAG,GAAG,WAAW,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IAC7G,CAAC;IAED,yDAAyD;IACzD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YAC1C,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,MAAM,EAAE,gEAAgE;aACzE,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,oBAAoB,CAAC;gBAC9B,OAAO,EAAE,GAAG,CAAC,UAAU;gBACvB,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,SAAS,EAAE,GAAG,CAAC,cAAc;gBAC7B,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,iFAAiF;gBACjF,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG;aACpD,CAAC,CAAC;YACH,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,UAAU;oBAClB,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,MAAM,EAAE,8FAA8F;iBACvG,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,sBAAuB,CAAW,CAAC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,gCAAgC;SACzC,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvC,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,WAAW,MAAM,CAAC,OAAO,mBAAmB;SACrD,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAY;QACzB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;KAChC,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC3B,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,4BAA4B;SACrC,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,KAAK,iBAAiB,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QAC5D,MAAM,CAAC,GAAG,oBAAoB,CAAC,SAAS,EAAE;YACxC,MAAM,EAAE,MAAM,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,OAAO;YACxB,SAAS,EAAE,KAAK,CAAC,UAAU;YAC3B,OAAO,EAAE,MAAM,CAAC,QAAQ;SACzB,CAAC,CAAC;QACH,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;IAC9F,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,EAAE;QACtC,MAAM,EAAE,MAAM,CAAC,OAAO;QACtB,OAAO,EAAE;YACP,EAAE,EAAE,KAAK,CAAC,OAAO;YACjB,UAAU,EAAE,KAAK,CAAC,YAAY,KAAK,SAAS;YAC5C,KAAK,EAAE,KAAK,CAAC,YAAY,KAAK,IAAI;YAClC,OAAO,EAAE,KAAK,CAAC,YAAY,KAAK,MAAM;SACvC;QACD,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,MAAM,CAAC,QAAQ;KACzB,CAAC,CAAC;IACH,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;AACxG,CAAC;AAED,SAAS,WAAW,CAAC,SAAiB,EAAE,EAAU;IAChD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC;QAAC,cAAc,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAAC,CAAC;YACvB,CAAC;QAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC;AAC/B,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,EAAU;IACnD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,EAAE,CAAC,OAAO,CAAC,iEAAiE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/connectors/slack/idempotency.d.ts

@@ -1,4 +1,16 @@
 import type { DatabaseSyncLike } from '../../db.js';
+/**
+ * Thrown by the ingest afterWrite hook when a concurrent worker has already
+ * inserted slack_event_log for the same event_id. The throw propagates out of
+ * writeEntry's SAVEPOINT, rolling back the duplicate memory write so exactly
+ * one memory row exists per Slack event_id even under two-worker races.
+ *
+ * Caller maps to `{status: 'skipped_duplicate'}` at the public API boundary.
+ */
+export declare class DuplicateEventError extends Error {
+    readonly eventId: string;
+    constructor(eventId: string);
+}
 export declare function hasSeenEvent(db: DatabaseSyncLike, eventId: string): boolean;
 export declare function markEventSeen(db: DatabaseSyncLike, eventId: string, memoryId: string | null): void;
 export declare function lookupMemoryByEvent(db: DatabaseSyncLike, eventId: string): string | null;

package/dist/connectors/slack/idempotency.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"idempotency.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/idempotency.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,wBAAgB,YAAY,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAG3E;AAED,wBAAgB,aAAa,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAGlG;AAED,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKxF"}
+{"version":3,"file":"idempotency.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/idempotency.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD;;;;;;;GAOG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBACb,OAAO,EAAE,MAAM;CAK5B;AAED,wBAAgB,YAAY,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAG3E;AAED,wBAAgB,aAAa,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAGlG;AAED,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKxF"}

package/dist/connectors/slack/idempotency.js

@@ -1,3 +1,19 @@
+/**
+ * Thrown by the ingest afterWrite hook when a concurrent worker has already
+ * inserted slack_event_log for the same event_id. The throw propagates out of
+ * writeEntry's SAVEPOINT, rolling back the duplicate memory write so exactly
+ * one memory row exists per Slack event_id even under two-worker races.
+ *
+ * Caller maps to `{status: 'skipped_duplicate'}` at the public API boundary.
+ */
+export class DuplicateEventError extends Error {
+    eventId;
+    constructor(eventId) {
+        super(`duplicate slack event_id: ${eventId}`);
+        this.name = 'DuplicateEventError';
+        this.eventId = eventId;
+    }
+}
 export function hasSeenEvent(db, eventId) {
     const row = db.prepare(`SELECT 1 FROM slack_event_log WHERE event_id = ?`).get(eventId);
     return !!row;

package/dist/connectors/slack/idempotency.js.map

@@ -1 +1 @@
-{"version":3,"file":"idempotency.js","sourceRoot":"","sources":["../../../src/connectors/slack/idempotency.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,OAAe;IAChE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxF,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,EAAoB,EAAE,OAAe,EAAE,QAAuB;IAC1F,EAAE,CAAC,OAAO,CAAC,2FAA2F,CAAC;SACpG,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,EAAoB,EAAE,OAAe;IACvE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC,GAAG,CAAC,OAAO,CAEjF,CAAC;IACd,OAAO,GAAG,EAAE,SAAS,IAAI,IAAI,CAAC;AAChC,CAAC"}
+{"version":3,"file":"idempotency.js","sourceRoot":"","sources":["../../../src/connectors/slack/idempotency.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,OAAO,CAAS;IACzB,YAAY,OAAe;QACzB,KAAK,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;CACF;AAED,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,OAAe;IAChE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxF,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,EAAoB,EAAE,OAAe,EAAE,QAAuB;IAC1F,EAAE,CAAC,OAAO,CAAC,2FAA2F,CAAC;SACpG,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,EAAoB,EAAE,OAAe;IACvE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC,GAAG,CAAC,OAAO,CAEjF,CAAC;IACd,OAAO,GAAG,EAAE,SAAS,IAAI,IAAI,CAAC;AAChC,CAAC"}

package/dist/connectors/slack/ingest.d.ts

@@ -8,7 +8,7 @@ export interface IngestInput {
     /** Slack event_id for the envelope (or for backfill, a synthesized stable id). */
     eventId: string;
 }
-export type IngestStatus = 'ingested' | 'duplicate' | 'skipped';
+export type IngestStatus = 'ingested' | 'duplicate' | 'skipped' | 'skipped_duplicate';
 export interface IngestResult {
     status: IngestStatus;
     memoryId: string | null;
@@ -20,6 +20,12 @@ export interface IngestResult {
  * - The memory write and the slack_event_log mark commit atomically through
  *   `api.remember`'s `afterWrite` hook — a crash between the two cannot
  *   produce a duplicate on the next retry.
+ * - The afterWrite hook uses an explicit `INSERT OR IGNORE` + changes-check:
+ *   if a concurrent worker beat us to slack_event_log between the pre-check
+ *   and the SAVEPOINT, we throw `DuplicateEventError` to roll back the memory
+ *   write. The pre-check `hasSeenEvent` stays as a fast path for the common
+ *   already-seen case, but the afterWrite throw is what makes idempotency
+ *   correct under two-worker concurrency (v0.39 commit 3 fix).
  * - Empty-body messages return 'skipped' but still mark seen so a replay
  *   returns 'duplicate' rather than re-running the transform.
  */

package/dist/connectors/slack/ingest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ingest.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/ingest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAItD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,CAAC;AAEhE,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,YAAY,CAmC5E"}
+{"version":3,"file":"ingest.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/ingest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAStD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,kFAAkF;IAClF,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,GAAG,mBAAmB,CAAC;AAEtF,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,YAAY,CA+D5E"}

package/dist/connectors/slack/ingest.js

@@ -1,6 +1,6 @@
 import { remember } from '../../api.js';
 import { openHippoDb, closeHippoDb } from '../../db.js';
-import { hasSeenEvent, markEventSeen, lookupMemoryByEvent } from './idempotency.js';
+import { hasSeenEvent, markEventSeen, lookupMemoryByEvent, DuplicateEventError, } from './idempotency.js';
 import { messageToRememberOpts } from './transform.js';
 /**
  * Ingest a Slack message into hippo as a kind='raw' memory.
@@ -9,6 +9,12 @@ import { messageToRememberOpts } from './transform.js';
  * - The memory write and the slack_event_log mark commit atomically through
  *   `api.remember`'s `afterWrite` hook — a crash between the two cannot
  *   produce a duplicate on the next retry.
+ * - The afterWrite hook uses an explicit `INSERT OR IGNORE` + changes-check:
+ *   if a concurrent worker beat us to slack_event_log between the pre-check
+ *   and the SAVEPOINT, we throw `DuplicateEventError` to roll back the memory
+ *   write. The pre-check `hasSeenEvent` stays as a fast path for the common
+ *   already-seen case, but the afterWrite throw is what makes idempotency
+ *   correct under two-worker concurrency (v0.39 commit 3 fix).
  * - Empty-body messages return 'skipped' but still mark seen so a replay
  *   returns 'duplicate' rather than re-running the transform.
  */
@@ -39,10 +45,38 @@ export function ingestMessage(ctx, input) {
     // so the memory row and the slack_event_log row commit (or roll back)
     // together. Slack's 1-minute retry window can no longer produce a duplicate
     // via the crash-between-handles race.
-    const result = remember({ ...ctx, actor: ctx.actor || 'connector:slack' }, {
-        ...opts,
-        afterWrite: (db, memoryId) => markEventSeen(db, input.eventId, memoryId),
-    });
-    return { status: 'ingested', memoryId: result.id };
+    try {
+        const result = remember({ ...ctx, actor: ctx.actor || 'connector:slack' }, {
+            ...opts,
+            afterWrite: (innerDb, memoryId) => {
+                const inserted = innerDb
+                    .prepare(`INSERT OR IGNORE INTO slack_event_log (event_id, ingested_at, memory_id) VALUES (?, ?, ?)`)
+                    .run(input.eventId, new Date().toISOString(), memoryId);
+                if ((Number(inserted.changes ?? 0)) === 0) {
+                    // Two-worker race: another writer reserved this event_id between
+                    // the pre-check and the write. Throw to roll back the SAVEPOINT
+                    // in writeEntry — the memory row gets discarded, idempotency
+                    // holds, exactly one memory exists for this event_id.
+                    throw new DuplicateEventError(input.eventId);
+                }
+            },
+        });
+        return { status: 'ingested', memoryId: result.id };
+    }
+    catch (e) {
+        if (e instanceof DuplicateEventError) {
+            // The other worker's memory row is already committed. Return its id
+            // so the caller behaves identically to the fast-path 'duplicate' branch.
+            const db3 = openHippoDb(ctx.hippoRoot);
+            try {
+                const cachedId = lookupMemoryByEvent(db3, input.eventId);
+                return { status: 'skipped_duplicate', memoryId: cachedId };
+            }
+            finally {
+                closeHippoDb(db3);
+            }
+        }
+        throw e;
+    }
 }
 //# sourceMappingURL=ingest.js.map

package/dist/connectors/slack/ingest.js.map

@@ -1 +1 @@
-{"version":3,"file":"ingest.js","sourceRoot":"","sources":["../../../src/connectors/slack/ingest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAgB,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAmBvD;;;;;;;;;GASG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY,EAAE,KAAkB;IAC5D,0EAA0E;IAC1E,oDAAoD;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,IAAI,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,mBAAmB,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACnF,CAAC;IACH,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC;YACH,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC/C,CAAC;IAED,4EAA4E;IAC5E,sEAAsE;IACtE,4EAA4E;IAC5E,sCAAsC;IACtC,MAAM,MAAM,GAAG,QAAQ,CACrB,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,iBAAiB,EAAE,EACjD;QACE,GAAG,IAAI;QACP,UAAU,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;KACzE,CACF,CAAC;IACF,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;AACrD,CAAC"}
+{"version":3,"file":"ingest.js","sourceRoot":"","sources":["../../../src/connectors/slack/ingest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAgB,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAmBvD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY,EAAE,KAAkB;IAC5D,0EAA0E;IAC1E,oDAAoD;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,IAAI,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YACpC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,mBAAmB,CAAC,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACnF,CAAC;IACH,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC;YACH,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC/C,CAAC;IAED,4EAA4E;IAC5E,sEAAsE;IACtE,4EAA4E;IAC5E,sCAAsC;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CACrB,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,iBAAiB,EAAE,EACjD;YACE,GAAG,IAAI;YACP,UAAU,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;gBAChC,MAAM,QAAQ,GAAG,OAAO;qBACrB,OAAO,CACN,2FAA2F,CAC5F;qBACA,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1C,iEAAiE;oBACjE,gEAAgE;oBAChE,6DAA6D;oBAC7D,sDAAsD;oBACtD,MAAM,IAAI,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;SACF,CACF,CAAC;QACF,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;IACrD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,mBAAmB,EAAE,CAAC;YACrC,oEAAoE;YACpE,yEAAyE;YACzE,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBACzD,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;YAC7D,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC"}

package/dist/connectors/slack/signature.d.ts

@@ -3,6 +3,13 @@ export interface VerifyOpts {
     timestamp: string;
     signature: string;
     signingSecret: string;
+    /**
+     * Previous signing secret during a rotation. v0.39 commit 3: deploy with
+     * both `SLACK_SIGNING_SECRET` (new) and `SLACK_SIGNING_SECRET_PREVIOUS` (old)
+     * set, verify both work, drop previous after rollover. The verifier tries
+     * `signingSecret` first, then `previousSecret` if that fails.
+     */
+    previousSecret?: string;
     /** Current unix seconds. Injectable for tests. */
     now?: number;
     /** Max allowed skew in seconds. Default 5 minutes (Slack's recommendation). */

package/dist/connectors/slack/signature.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signature.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/signature.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+EAA+E;IAC/E,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAa9D"}
+{"version":3,"file":"signature.d.ts","sourceRoot":"","sources":["../../../src/connectors/slack/signature.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kDAAkD;IAClD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+EAA+E;IAC/E,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAgBD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAU9D"}

package/dist/connectors/slack/signature.js

@@ -1,6 +1,16 @@
 import { createHmac, timingSafeEqual } from 'crypto';
+function verifyOne(rawBody, signature, timestamp, secret) {
+    if (!signature.startsWith('v0='))
+        return false;
+    const expected = `v0=${createHmac('sha256', secret).update(`v0:${timestamp}:${rawBody}`).digest('hex')}`;
+    const a = Buffer.from(signature, 'utf8');
+    const b = Buffer.from(expected, 'utf8');
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+}
 export function verifySlackSignature(opts) {
-    const { rawBody, timestamp, signature, signingSecret } = opts;
+    const { rawBody, timestamp, signature, signingSecret, previousSecret } = opts;
     const now = opts.now ?? Math.floor(Date.now() / 1000);
     const skew = opts.skewSeconds ?? 5 * 60;
     const ts = Number(timestamp);
@@ -8,13 +18,10 @@ export function verifySlackSignature(opts) {
         return false;
     if (Math.abs(now - ts) > skew)
         return false;
-    if (!signature.startsWith('v0='))
-        return false;
-    const expected = `v0=${createHmac('sha256', signingSecret).update(`v0:${timestamp}:${rawBody}`).digest('hex')}`;
-    const a = Buffer.from(signature, 'utf8');
-    const b = Buffer.from(expected, 'utf8');
-    if (a.length !== b.length)
-        return false;
-    return timingSafeEqual(a, b);
+    if (verifyOne(rawBody, signature, timestamp, signingSecret))
+        return true;
+    if (previousSecret && verifyOne(rawBody, signature, timestamp, previousSecret))
+        return true;
+    return false;
 }
 //# sourceMappingURL=signature.js.map