nemoris 0.1.0 → 0.1.2

package/src/runtime/slack-inbound.js

@@ -1,249 +1,249 @@
-import crypto from "node:crypto";
-
-/**
- * Slack Inbound Handler — validates signatures, deduplicates, and enqueues
- * incoming Slack events and slash commands as interactive jobs.
- */
-
-const MAX_TURNS = 10;
-
-export class SlackInboundHandler {
-  constructor({ stateStore, slackConfig, availablePeers = [], agentHealthCheck = null, logger = console }) {
-    this.store = stateStore;
-    this.config = slackConfig;
-    this.availablePeers = availablePeers;
-    this.agentHealthCheck = agentHealthCheck;
-    this.logger = logger;
-
-    this.botToken = this.config.botToken;
-    this.signingSecret = this.config.signingSecret;
-
-    // Rate limiter: Map<userId, { count, windowStart }>
-    this._rateLimitMax = Number(process.env.NEMORIS_RATE_LIMIT_MAX ?? 10);
-    this._rateLimitWindowMs = Number(process.env.NEMORIS_RATE_LIMIT_WINDOW_MS ?? 60_000);
-    this._rateBuckets = new Map();
-  }
-
-  _checkRateLimit(userId) {
-    const now = Date.now();
-    const bucket = this._rateBuckets.get(userId);
-    if (!bucket || now - bucket.windowStart >= this._rateLimitWindowMs) {
-      this._rateBuckets.set(userId, { count: 1, windowStart: now });
-      return true;
-    }
-    if (bucket.count >= this._rateLimitMax) {
-      return false;
-    }
-    bucket.count += 1;
-    return true;
-  }
-
-  /**
-   * Verify Slack request signature using HMAC-SHA256.
-   * Signature base string: v0:<timestamp>:<body>
-   */
-  verifySignature(headers, rawBody) {
-    const timestamp = headers["x-slack-request-timestamp"];
-    const signature = headers["x-slack-signature"];
-
-    if (!timestamp || !signature || !this.signingSecret) {
-      return false;
-    }
-
-    // Protect against replay attacks (5 minute window)
-    const now = Math.floor(Date.now() / 1000);
-    if (Math.abs(now - Number(timestamp)) > 300) {
-      return false;
-    }
-
-    const baseString = `v0:${timestamp}:${rawBody}`;
-    const hmac = crypto.createHmac("sha256", this.signingSecret);
-    const mySignature = "v0=" + hmac.update(baseString).digest("hex");
-
-    try {
-      return crypto.timingSafeEqual(Buffer.from(mySignature), Buffer.from(signature));
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Process inbound Slack event payload.
-   */
-  handleEvent(payload) {
-    if (payload.type === "url_verification") {
-      return { action: "challenge", challenge: payload.challenge };
-    }
-
-    const event = payload.event;
-    if (!event) {
-      return { action: "ignored", reason: "no_event" };
-    }
-
-    // Ignore bot messages
-    if (event.bot_id || event.subtype === "bot_message") {
-      return { action: "ignored", reason: "bot_message" };
-    }
-
-    if (!event.text || !event.channel || !event.user) {
-      return { action: "ignored", reason: "incomplete_event" };
-    }
-
-    const { channel, user, text, ts, team } = event;
-    const teamId = team || event.team_id;
-    const sessionKey = `slack:${teamId}:${channel}`;
-    const jobId = `slack-${channel}-${ts}`;
-
-    // Deduplicate by ts
-    if (this.store.interactiveJobExists(jobId)) {
-      return { action: "deduplicated", jobId };
-    }
-
-    // Look up or create session
-    let session = this.store.getChatSession(sessionKey);
-
-    // Auto-bind (Slack doesn't have a simple operatorChatId check in instructions, 
-    // but mirroring Telegram pattern for consistency)
-    if (!session) {
-      // For Slack MVP, we might want to auto-bind if enabled or authorized.
-      // Instructions say "mirroring Telegram pattern exactly".
-      // Telegram has _isAuthorized(chatId). 
-      // Slack config doesn't have authorized ids in instructions, 
-      // but let's assume we allow if authorized or it's the operator.
-      if (this._isAuthorized(user)) {
-        this.store.bindChatSession({
-          chatId: sessionKey,
-          agentId: this.config.defaultAgent || "nemo",
-          boundBy: "default",
-        });
-        session = this.store.getChatSession(sessionKey);
-      }
-    }
-
-    if (!session) {
-      this.logger.warn(`[slack-inbound] Unauthorized user: ${user} in channel: ${channel}`);
-      return { action: "rejected", reason: "unauthorized" };
-    }
-
-    const agentId = session.agent_id;
-
-    // Check agent availability
-    if (this.agentHealthCheck) {
-      const health = this.agentHealthCheck(agentId);
-      if (!health.available) {
-        return {
-          action: "agent_unavailable",
-          agentId,
-          reason: health.reason,
-          reply: `Agent ${agentId} is no longer available.`,
-        };
-      }
-    }
-
-    // Rate limit check
-    if (!this._checkRateLimit(user)) {
-      this.logger.warn(`[slack-inbound] Rate limit exceeded for user: ${user}`);
-      return {
-        action: "rate_limited",
-        userId: user,
-        reply: "Slow down — max 10 messages per minute.",
-      };
-    }
-
-    // Enqueue job
-    this.store.enqueueInteractiveJob({
-      jobId, 
-      agentId, 
-      input: text, 
-      source: "slack", 
-      chatId: sessionKey,
-    });
-
-    return { action: "enqueued", jobId, agentId, chatId: sessionKey };
-  }
-
-  /**
-   * Process slash commands.
-   */
-  handleSlashCommand(payload) {
-    const { command, text, channel_id, user_id, team_id } = payload;
-    const sessionKey = `slack:${team_id}:${channel_id}`;
-    
-    // Commands require an existing session
-    const session = this.store.getChatSession(sessionKey);
-    if (!session) {
-      return "Unauthorized. Start a conversation first.";
-    }
-
-    const cmd = command.toLowerCase();
-    const parts = text ? text.trim().split(/\s+/) : [];
-
-    switch (cmd) {
-      case "/status": {
-        return `Agent: ${session.agent_id}\nBound by: ${session.bound_by}\nSlack inbound: ACTIVE`;
-      }
-      case "/agents": {
-        const list = this.availablePeers.length > 0 ? this.availablePeers.join(", ") : "No agents configured";
-        return `Available agents: ${list}`;
-      }
-      case "/who": {
-        return `Current agent: ${session.agent_id}`;
-      }
-      case "/switch": {
-        const targetAgent = parts[0];
-        if (!targetAgent) return "Usage: /switch <agent-name>";
-        if (!this.availablePeers.includes(targetAgent)) {
-          return `Unknown agent "${targetAgent}". Use /agents to see available agents.`;
-        }
-        this.store.bindChatSession({ chatId: sessionKey, agentId: targetAgent, boundBy: "user" });
-        return `Switched to ${targetAgent}.`;
-      }
-      case "/help": {
-        return [
-          "/status — Show agent and session status",
-          "/agents — List available agents",
-          "/who — Show current agent",
-          "/switch <agent> — Switch active agent",
-          "/help — Show this message",
-        ].join("\n");
-      }
-      default:
-        return `Unknown command: ${command}`;
-    }
-  }
-
-  /**
-   * POST to Slack chat.postMessage API.
-   */
-  async postMessage(channel, text) {
-    if (!this.botToken) {
-      this.logger.error("[slack-inbound] Missing botToken for postMessage");
-      return { ok: false, error: "missing_token" };
-    }
-
-    try {
-      const res = await fetch("https://slack.com/api/chat.postMessage", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "Authorization": `Bearer ${this.botToken}`,
-        },
-        body: JSON.stringify({ channel, text }),
-      });
-      const body = await res.json();
-      if (!body.ok) {
-        this.logger.error(`[slack-inbound] chat.postMessage failed: ${body.error}`);
-      }
-      return body;
-    } catch (error) {
-      this.logger.error(`[slack-inbound] postMessage error: ${error.message}`);
-      return { ok: false, error: error.message };
-    }
-  }
-
-  _isAuthorized(_user) {
-    // Instructions don't specify authorization rules for Slack beyond "mirroring Telegram".
-    // For MVP, we'll allow all if not explicitly restricted.
-    return true; 
-  }
-}
+import crypto from "node:crypto";
+
+/**
+ * Slack Inbound Handler — validates signatures, deduplicates, and enqueues
+ * incoming Slack events and slash commands as interactive jobs.
+ */
+
+const MAX_TURNS = 10;
+
+export class SlackInboundHandler {
+  constructor({ stateStore, slackConfig, availablePeers = [], agentHealthCheck = null, logger = console }) {
+    this.store = stateStore;
+    this.config = slackConfig;
+    this.availablePeers = availablePeers;
+    this.agentHealthCheck = agentHealthCheck;
+    this.logger = logger;
+
+    this.botToken = this.config.botToken;
+    this.signingSecret = this.config.signingSecret;
+
+    // Rate limiter: Map<userId, { count, windowStart }>
+    this._rateLimitMax = Number(process.env.NEMORIS_RATE_LIMIT_MAX ?? 10);
+    this._rateLimitWindowMs = Number(process.env.NEMORIS_RATE_LIMIT_WINDOW_MS ?? 60_000);
+    this._rateBuckets = new Map();
+  }
+
+  _checkRateLimit(userId) {
+    const now = Date.now();
+    const bucket = this._rateBuckets.get(userId);
+    if (!bucket || now - bucket.windowStart >= this._rateLimitWindowMs) {
+      this._rateBuckets.set(userId, { count: 1, windowStart: now });
+      return true;
+    }
+    if (bucket.count >= this._rateLimitMax) {
+      return false;
+    }
+    bucket.count += 1;
+    return true;
+  }
+
+  /**
+   * Verify Slack request signature using HMAC-SHA256.
+   * Signature base string: v0:<timestamp>:<body>
+   */
+  verifySignature(headers, rawBody) {
+    const timestamp = headers["x-slack-request-timestamp"];
+    const signature = headers["x-slack-signature"];
+
+    if (!timestamp || !signature || !this.signingSecret) {
+      return false;
+    }
+
+    // Protect against replay attacks (5 minute window)
+    const now = Math.floor(Date.now() / 1000);
+    if (Math.abs(now - Number(timestamp)) > 300) {
+      return false;
+    }
+
+    const baseString = `v0:${timestamp}:${rawBody}`;
+    const hmac = crypto.createHmac("sha256", this.signingSecret);
+    const mySignature = "v0=" + hmac.update(baseString).digest("hex");
+
+    try {
+      return crypto.timingSafeEqual(Buffer.from(mySignature), Buffer.from(signature));
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Process inbound Slack event payload.
+   */
+  handleEvent(payload) {
+    if (payload.type === "url_verification") {
+      return { action: "challenge", challenge: payload.challenge };
+    }
+
+    const event = payload.event;
+    if (!event) {
+      return { action: "ignored", reason: "no_event" };
+    }
+
+    // Ignore bot messages
+    if (event.bot_id || event.subtype === "bot_message") {
+      return { action: "ignored", reason: "bot_message" };
+    }
+
+    if (!event.text || !event.channel || !event.user) {
+      return { action: "ignored", reason: "incomplete_event" };
+    }
+
+    const { channel, user, text, ts, team } = event;
+    const teamId = team || event.team_id;
+    const sessionKey = `slack:${teamId}:${channel}`;
+    const jobId = `slack-${channel}-${ts}`;
+
+    // Deduplicate by ts
+    if (this.store.interactiveJobExists(jobId)) {
+      return { action: "deduplicated", jobId };
+    }
+
+    // Look up or create session
+    let session = this.store.getChatSession(sessionKey);
+
+    // Auto-bind (Slack doesn't have a simple operatorChatId check in instructions, 
+    // but mirroring Telegram pattern for consistency)
+    if (!session) {
+      // For Slack MVP, we might want to auto-bind if enabled or authorized.
+      // Instructions say "mirroring Telegram pattern exactly".
+      // Telegram has _isAuthorized(chatId). 
+      // Slack config doesn't have authorized ids in instructions, 
+      // but let's assume we allow if authorized or it's the operator.
+      if (this._isAuthorized(user)) {
+        this.store.bindChatSession({
+          chatId: sessionKey,
+          agentId: this.config.defaultAgent || "nemo",
+          boundBy: "default",
+        });
+        session = this.store.getChatSession(sessionKey);
+      }
+    }
+
+    if (!session) {
+      this.logger.warn(`[slack-inbound] Unauthorized user: ${user} in channel: ${channel}`);
+      return { action: "rejected", reason: "unauthorized" };
+    }
+
+    const agentId = session.agent_id;
+
+    // Check agent availability
+    if (this.agentHealthCheck) {
+      const health = this.agentHealthCheck(agentId);
+      if (!health.available) {
+        return {
+          action: "agent_unavailable",
+          agentId,
+          reason: health.reason,
+          reply: `Agent ${agentId} is no longer available.`,
+        };
+      }
+    }
+
+    // Rate limit check
+    if (!this._checkRateLimit(user)) {
+      this.logger.warn(`[slack-inbound] Rate limit exceeded for user: ${user}`);
+      return {
+        action: "rate_limited",
+        userId: user,
+        reply: "Slow down — max 10 messages per minute.",
+      };
+    }
+
+    // Enqueue job
+    this.store.enqueueInteractiveJob({
+      jobId, 
+      agentId, 
+      input: text, 
+      source: "slack", 
+      chatId: sessionKey,
+    });
+
+    return { action: "enqueued", jobId, agentId, chatId: sessionKey };
+  }
+
+  /**
+   * Process slash commands.
+   */
+  handleSlashCommand(payload) {
+    const { command, text, channel_id, user_id, team_id } = payload;
+    const sessionKey = `slack:${team_id}:${channel_id}`;
+    
+    // Commands require an existing session
+    const session = this.store.getChatSession(sessionKey);
+    if (!session) {
+      return "Unauthorized. Start a conversation first.";
+    }
+
+    const cmd = command.toLowerCase();
+    const parts = text ? text.trim().split(/\s+/) : [];
+
+    switch (cmd) {
+      case "/status": {
+        return `Agent: ${session.agent_id}\nBound by: ${session.bound_by}\nSlack inbound: ACTIVE`;
+      }
+      case "/agents": {
+        const list = this.availablePeers.length > 0 ? this.availablePeers.join(", ") : "No agents configured";
+        return `Available agents: ${list}`;
+      }
+      case "/who": {
+        return `Current agent: ${session.agent_id}`;
+      }
+      case "/switch": {
+        const targetAgent = parts[0];
+        if (!targetAgent) return "Usage: /switch <agent-name>";
+        if (!this.availablePeers.includes(targetAgent)) {
+          return `Unknown agent "${targetAgent}". Use /agents to see available agents.`;
+        }
+        this.store.bindChatSession({ chatId: sessionKey, agentId: targetAgent, boundBy: "user" });
+        return `Switched to ${targetAgent}.`;
+      }
+      case "/help": {
+        return [
+          "/status — Show agent and session status",
+          "/agents — List available agents",
+          "/who — Show current agent",
+          "/switch <agent> — Switch active agent",
+          "/help — Show this message",
+        ].join("\n");
+      }
+      default:
+        return `Unknown command: ${command}`;
+    }
+  }
+
+  /**
+   * POST to Slack chat.postMessage API.
+   */
+  async postMessage(channel, text) {
+    if (!this.botToken) {
+      this.logger.error("[slack-inbound] Missing botToken for postMessage");
+      return { ok: false, error: "missing_token" };
+    }
+
+    try {
+      const res = await fetch("https://slack.com/api/chat.postMessage", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${this.botToken}`,
+        },
+        body: JSON.stringify({ channel, text }),
+      });
+      const body = await res.json();
+      if (!body.ok) {
+        this.logger.error(`[slack-inbound] chat.postMessage failed: ${body.error}`);
+      }
+      return body;
+    } catch (error) {
+      this.logger.error(`[slack-inbound] postMessage error: ${error.message}`);
+      return { ok: false, error: error.message };
+    }
+  }
+
+  _isAuthorized(_user) {
+    // Instructions don't specify authorization rules for Slack beyond "mirroring Telegram".
+    // For MVP, we'll allow all if not explicitly restricted.
+    return true; 
+  }
+}