paperclip-plugin-google-chat 0.1.2 → 0.1.3

package/dist/config.d.ts

@@ -1,13 +1,23 @@
 /**
  * Instance configuration for the Google Chat plugin.
  *
- * Secret values (Google Chat incoming-webhook URLs, an optional service-account
- * key) are NEVER stored here in plaintext. The config holds **secret references**
- * — opaque UUIDs minted by Paperclip's secret store — which the worker resolves at
- * runtime via `ctx.secrets.resolve(ref)`. This mirrors the Telegram plugin's
- * `telegramBotTokenRef` pattern and keeps credentials out of config exports/logs.
+ * Webhook URLs can be supplied two ways:
+ *  - **Secret reference** (`*WebhookUrlRef`, a UUID) → resolved at runtime via
+ *    `ctx.secrets.resolve(ref)`. The most secure option, BUT plugin secret-ref
+ *    resolution is gated on the host: some Paperclip builds disable it ("Plugin
+ *    secret references are disabled until company-scoped plugin config lands").
+ *  - **Raw URL** (`*WebhookUrl`) → the incoming-webhook URL stored directly in
+ *    config. Works on every build, but the URL (a credential) lives in the
+ *    instance config in plaintext. The worker **prefers the raw URL** and falls
+ *    back to the ref, so you can switch to refs once your host supports them.
  */
 export interface GoogleChatConfig {
+    /** Raw Google Chat *incoming webhook* URL for the default space. */
+    defaultWebhookUrl?: string;
+    /** Optional per-category raw webhook URLs. */
+    approvalsWebhookUrl?: string;
+    errorsWebhookUrl?: string;
+    digestWebhookUrl?: string;
     /** Secret ref → a Google Chat *incoming webhook* URL for the default space. */
     defaultWebhookUrlRef?: string;
     /** Optional per-category routing. Each is a secret ref to a space webhook URL. */
@@ -29,10 +39,12 @@ export interface GoogleChatConfig {
     /** Master switch for inbound slash commands. */
     enableCommands?: boolean;
     /**
-     * Shared verification token. Google Chat includes a bearer/verification token on
-     * each request; we compare it to reject forged webhook deliveries. Stored as a
-     * secret ref. (For production, prefer verifying the Google-signed bearer JWT.)
+     * Shared verification token Google Chat includes on each request; we compare it
+     * to reject forged webhook deliveries. Provide EITHER the raw token
+     * (`verificationToken`) or a secret ref (`verificationTokenRef`); the worker
+     * prefers the raw value. (For production, prefer the Google-signed bearer JWT.)
      */
+    verificationToken?: string;
     verificationTokenRef?: string;
     /** Allowlist of Google Chat space IDs permitted to issue commands. Empty = all. */
     allowedSpaceIds?: string[];
@@ -47,10 +59,27 @@ export declare const DEFAULT_CONFIG: GoogleChatConfig;
 export declare const INSTANCE_CONFIG_SCHEMA: {
     readonly type: "object";
     readonly properties: {
+        readonly defaultWebhookUrl: {
+            readonly type: "string";
+            readonly title: "Default space webhook URL";
+            readonly description: "Raw Google Chat incoming-webhook URL for the default space. Use this if your Paperclip build disables plugin secret references; otherwise prefer the secret-ref field below.";
+        };
+        readonly approvalsWebhookUrl: {
+            readonly type: "string";
+            readonly title: "Approvals space webhook URL";
+        };
+        readonly errorsWebhookUrl: {
+            readonly type: "string";
+            readonly title: "Errors space webhook URL";
+        };
+        readonly digestWebhookUrl: {
+            readonly type: "string";
+            readonly title: "Digest space webhook URL";
+        };
         readonly defaultWebhookUrlRef: {
             readonly type: "string";
             readonly title: "Default space webhook (secret ref)";
-            readonly description: "Secret reference to a Google Chat incoming-webhook URL. Create the secret in Paperclip, paste the returned UUID here.";
+            readonly description: "Secret reference (UUID) to a Google Chat incoming-webhook URL. Requires host support for plugin secret references; the raw URL field above takes precedence.";
         };
         readonly approvalsWebhookUrlRef: {
             readonly type: "string";
@@ -99,6 +128,10 @@ export declare const INSTANCE_CONFIG_SCHEMA: {
             readonly title: "Enable inbound slash commands";
             readonly default: true;
         };
+        readonly verificationToken: {
+            readonly type: "string";
+            readonly title: "Verification token (raw)";
+        };
         readonly verificationTokenRef: {
             readonly type: "string";
             readonly title: "Verification token (secret ref)";

package/dist/config.js

@@ -1,11 +1,15 @@
 /**
  * Instance configuration for the Google Chat plugin.
  *
- * Secret values (Google Chat incoming-webhook URLs, an optional service-account
- * key) are NEVER stored here in plaintext. The config holds **secret references**
- * — opaque UUIDs minted by Paperclip's secret store — which the worker resolves at
- * runtime via `ctx.secrets.resolve(ref)`. This mirrors the Telegram plugin's
- * `telegramBotTokenRef` pattern and keeps credentials out of config exports/logs.
+ * Webhook URLs can be supplied two ways:
+ *  - **Secret reference** (`*WebhookUrlRef`, a UUID) → resolved at runtime via
+ *    `ctx.secrets.resolve(ref)`. The most secure option, BUT plugin secret-ref
+ *    resolution is gated on the host: some Paperclip builds disable it ("Plugin
+ *    secret references are disabled until company-scoped plugin config lands").
+ *  - **Raw URL** (`*WebhookUrl`) → the incoming-webhook URL stored directly in
+ *    config. Works on every build, but the URL (a credential) lives in the
+ *    instance config in plaintext. The worker **prefers the raw URL** and falls
+ *    back to the ref, so you can switch to refs once your host supports them.
  */
 export const DEFAULT_CONFIG = {
     notifyOnIssueCreated: false,
@@ -23,10 +27,18 @@ export const DEFAULT_CONFIG = {
 export const INSTANCE_CONFIG_SCHEMA = {
     type: "object",
     properties: {
+        defaultWebhookUrl: {
+            type: "string",
+            title: "Default space webhook URL",
+            description: "Raw Google Chat incoming-webhook URL for the default space. Use this if your Paperclip build disables plugin secret references; otherwise prefer the secret-ref field below.",
+        },
+        approvalsWebhookUrl: { type: "string", title: "Approvals space webhook URL" },
+        errorsWebhookUrl: { type: "string", title: "Errors space webhook URL" },
+        digestWebhookUrl: { type: "string", title: "Digest space webhook URL" },
         defaultWebhookUrlRef: {
             type: "string",
             title: "Default space webhook (secret ref)",
-            description: "Secret reference to a Google Chat incoming-webhook URL. Create the secret in Paperclip, paste the returned UUID here.",
+            description: "Secret reference (UUID) to a Google Chat incoming-webhook URL. Requires host support for plugin secret references; the raw URL field above takes precedence.",
         },
         approvalsWebhookUrlRef: { type: "string", title: "Approvals space webhook (secret ref)" },
         errorsWebhookUrlRef: { type: "string", title: "Errors space webhook (secret ref)" },
@@ -42,6 +54,7 @@ export const INSTANCE_CONFIG_SCHEMA = {
         notifyOnAgentRunFailed: { type: "boolean", title: "Notify on agent run failed", default: true },
         useCards: { type: "boolean", title: "Use Cards v2 formatting", default: false },
         enableCommands: { type: "boolean", title: "Enable inbound slash commands", default: true },
+        verificationToken: { type: "string", title: "Verification token (raw)" },
         verificationTokenRef: { type: "string", title: "Verification token (secret ref)" },
         allowedSpaceIds: { type: "array", title: "Allowed space IDs", items: { type: "string" } },
         allowedUserEmails: { type: "array", title: "Allowed user emails", items: { type: "string" } },
@@ -56,15 +69,17 @@ export function validateConfig(config) {
     if (config.dailyDigestTime && !/^([01]\d|2[0-3]):[0-5]\d$/.test(config.dailyDigestTime)) {
         errors.push("dailyDigestTime must be 24h HH:MM, e.g. 08:00");
     }
-    if (config.digestMode && !config.digestWebhookUrlRef && !config.defaultWebhookUrlRef) {
-        errors.push("digestMode is on but no digest/default webhook secret ref is set");
+    const hasDefault = Boolean(config.defaultWebhookUrl || config.defaultWebhookUrlRef);
+    const hasDigest = Boolean(config.digestWebhookUrl || config.digestWebhookUrlRef);
+    if (config.digestMode && !hasDigest && !hasDefault) {
+        errors.push("digestMode is on but no digest/default webhook (URL or secret ref) is set");
     }
     const anyNotify = config.notifyOnIssueCreated ||
         config.notifyOnIssueCompleted ||
         config.notifyOnApprovalRequested ||
         config.notifyOnAgentRunFailed;
-    if (anyNotify && !config.defaultWebhookUrlRef) {
-        warnings.push("Notifications are enabled but no defaultWebhookUrlRef is set — category routing only.");
+    if (anyNotify && !hasDefault) {
+        warnings.push("Notifications are enabled but no default webhook (URL or secret ref) is set — category routing only.");
     }
     if (config.serviceAccountKeyRef === "") {
         warnings.push("serviceAccountKeyRef is an empty string; leave it unset for webhook-only mode.");

package/dist/constants.d.ts

@@ -4,7 +4,7 @@
  * the same convention).
  */
 export declare const PLUGIN_ID = "google-chat";
-export declare const PLUGIN_VERSION = "0.1.2";
+export declare const PLUGIN_VERSION = "0.1.3";
 /** Webhook endpoint keys declared in the manifest and matched in `onWebhook`. */
 export declare const WEBHOOK_KEYS: {
     /** Google Chat app events (MESSAGE, ADDED_TO_SPACE, CARD_CLICKED, …) POST here. */

package/dist/constants.js

@@ -4,7 +4,7 @@
  * the same convention).
  */
 export const PLUGIN_ID = "google-chat";
-export const PLUGIN_VERSION = "0.1.2";
+export const PLUGIN_VERSION = "0.1.3";
 /** Webhook endpoint keys declared in the manifest and matched in `onWebhook`. */
 export const WEBHOOK_KEYS = {
     /** Google Chat app events (MESSAGE, ADDED_TO_SPACE, CARD_CLICKED, …) POST here. */

package/dist/worker.js

@@ -22,7 +22,20 @@ async function getConfig(ctx) {
     const raw = (await ctx.config.get());
     return { ...DEFAULT_CONFIG, ...raw };
 }
-/** Pick the secret ref for a route, falling back to the default webhook. */
+/** Raw webhook URL for a route, falling back to the default. */
+function rawUrlForRoute(config, route) {
+    switch (route) {
+        case "approvals":
+            return config.approvalsWebhookUrl ?? config.defaultWebhookUrl;
+        case "errors":
+            return config.errorsWebhookUrl ?? config.defaultWebhookUrl;
+        case "digest":
+            return config.digestWebhookUrl ?? config.defaultWebhookUrl;
+        default:
+            return config.defaultWebhookUrl;
+    }
+}
+/** Secret ref for a route, falling back to the default. */
 function refForRoute(config, route) {
     switch (route) {
         case "approvals":
@@ -35,15 +48,36 @@ function refForRoute(config, route) {
             return config.defaultWebhookUrlRef;
     }
 }
-/** Resolve a route's webhook URL (from a secret ref) and POST a message. */
+/**
+ * Resolve a route's webhook URL — preferring a raw URL (works on every host),
+ * falling back to a secret ref (only where the host enables plugin secret-ref
+ * resolution; some builds disable it). Returns null if neither yields a URL.
+ */
+async function resolveWebhookUrl(ctx, config, route) {
+    const raw = rawUrlForRoute(config, route);
+    if (raw)
+        return raw;
+    const ref = refForRoute(config, route);
+    if (!ref)
+        return null;
+    try {
+        return await ctx.secrets.resolve(ref);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        ctx.logger?.warn?.(`Could not resolve secret ref for route "${route}" (${msg}). ` +
+            `If your Paperclip build disables plugin secret references, set the raw "${route}WebhookUrl" field instead.`);
+        return null;
+    }
+}
+/** Resolve a route's webhook URL and POST a message. */
 async function post(ctx, route, message) {
     const config = await getConfig(ctx);
-    const ref = refForRoute(config, route);
-    if (!ref) {
-        ctx.logger?.warn?.(`No webhook secret ref configured for route "${route}"`);
+    const url = await resolveWebhookUrl(ctx, config, route);
+    if (!url) {
+        ctx.logger?.warn?.(`No webhook URL available for route "${route}"`);
         return { ok: false, status: 0, body: `no webhook configured for route ${route}` };
     }
-    const url = await ctx.secrets.resolve(ref);
     return postToWebhook((u, init) => ctx.http.fetch(u, init), url, message);
 }
 /** Build the inbound command dependencies against the SDK domain APIs. */
@@ -117,10 +151,10 @@ const plugin = definePlugin({
     async onHealth() {
         const ctx = currentCtx;
         const config = ctx ? await getConfig(ctx) : DEFAULT_CONFIG;
-        const configured = Boolean(config.defaultWebhookUrlRef);
+        const configured = Boolean(config.defaultWebhookUrl || config.defaultWebhookUrlRef);
         return {
             status: configured ? "ok" : "degraded",
-            message: configured ? "google-chat plugin ready" : "no defaultWebhookUrlRef configured",
+            message: configured ? "google-chat plugin ready" : "no default webhook URL or secret ref configured",
             details: { commandsEnabled: config.enableCommands !== false, digestMode: config.digestMode === true },
         };
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "paperclip-plugin-google-chat",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Bidirectional Google Chat integration for Paperclip — post agent/issue notifications to spaces and drive Paperclip from Chat slash commands.",
   "type": "module",
   "license": "MIT",