sanook-cli 0.5.1 → 0.5.2

package/dist/gateway/email.js

@@ -0,0 +1,472 @@
+import { randomUUID } from 'node:crypto';
+import net from 'node:net';
+import tls from 'node:tls';
+import { hostname } from 'node:os';
+import { redactKey } from '../providers/keys.js';
+import { runGatewayAgent } from './session.js';
+export function normalizeEmailAddress(address) {
+    const trimmed = address.trim();
+    if (!/^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/.test(trimmed)) {
+        throw new Error(`email address ไม่ถูกต้อง: ${address}`);
+    }
+    return trimmed;
+}
+function encodeHeader(raw) {
+    const clean = raw.replace(/[\r\n]+/g, ' ').trim();
+    return /^[\x20-\x7e]*$/.test(clean) ? clean : `=?UTF-8?B?${Buffer.from(clean, 'utf8').toString('base64')}?=`;
+}
+function dotStuff(body) {
+    return body.replace(/\r?\n/g, '\r\n').replace(/^\./gm, '..');
+}
+function messageDomain(address) {
+    return address.split('@')[1] || hostname() || 'localhost';
+}
+export function buildEmailMessage(config, to, text, subject = 'Sanook') {
+    return buildEmailMessageWithHeaders(config, to, text, { subject });
+}
+export function buildEmailMessageWithHeaders(config, to, text, options = {}) {
+    const from = normalizeEmailAddress(config.address);
+    const recipient = normalizeEmailAddress(to);
+    const messageId = `<${randomUUID()}@${messageDomain(from)}>`;
+    const fromHeader = config.fromName ? `${encodeHeader(config.fromName)} <${from}>` : from;
+    const refs = [options.references, options.inReplyTo].filter(Boolean).join(' ').trim();
+    const headers = [
+        `From: ${fromHeader}`,
+        `To: ${recipient}`,
+        `Subject: ${encodeHeader(options.subject ?? 'Sanook')}`,
+        `Date: ${new Date().toUTCString()}`,
+        `Message-ID: ${messageId}`,
+        ...(options.inReplyTo ? [`In-Reply-To: ${options.inReplyTo}`] : []),
+        ...(refs ? [`References: ${refs}`] : []),
+        'MIME-Version: 1.0',
+        'Content-Type: text/plain; charset=UTF-8',
+        'Content-Transfer-Encoding: 8bit',
+    ];
+    return {
+        messageId,
+        raw: `${headers.join('\r\n')}\r\n\r\n${dotStuff(text)}\r\n`,
+    };
+}
+function connectSocket(host, port, secure) {
+    return new Promise((resolve, reject) => {
+        const socket = secure
+            ? tls.connect({ host, port, servername: host }, () => resolve(socket))
+            : net.connect({ host, port }, () => resolve(socket));
+        socket.once('error', reject);
+    });
+}
+function readResponse(socket, timeoutMs = 20_000) {
+    return new Promise((resolve, reject) => {
+        let buffer = '';
+        const timer = setTimeout(() => cleanup(new Error('SMTP timeout')), timeoutMs);
+        const onData = (chunk) => {
+            buffer += chunk.toString();
+            const lines = buffer.split(/\r?\n/).filter(Boolean);
+            const last = lines[lines.length - 1];
+            const done = last?.match(/^(\d{3}) /);
+            if (done)
+                cleanup(undefined, { code: Number(done[1]), text: lines.join('\n') });
+        };
+        const onError = (e) => cleanup(e);
+        const cleanup = (err, value) => {
+            clearTimeout(timer);
+            socket.off('data', onData);
+            socket.off('error', onError);
+            if (err)
+                reject(err);
+            else
+                resolve(value);
+        };
+        socket.on('data', onData);
+        socket.once('error', onError);
+    });
+}
+async function command(socket, line, ok) {
+    socket.write(`${line}\r\n`);
+    const response = await readResponse(socket);
+    const accepted = Array.isArray(ok) ? ok : [ok];
+    if (!accepted.includes(response.code))
+        throw new Error(`SMTP ${line.split(/\s+/)[0]} failed: ${response.text}`);
+    return response;
+}
+async function wrapStartTls(socket, host) {
+    return new Promise((resolve, reject) => {
+        const secured = tls.connect({ socket: socket, servername: host }, () => resolve(secured));
+        secured.once('error', reject);
+    });
+}
+async function sendViaSmtp(email) {
+    const port = email.config.smtpPort ?? 587;
+    const implicitTls = port === 465;
+    let socket = await connectSocket(email.config.smtpHost, port, implicitTls);
+    try {
+        const greeting = await readResponse(socket);
+        if (greeting.code !== 220)
+            throw new Error(`SMTP greeting failed: ${greeting.text}`);
+        let ehlo = await command(socket, `EHLO ${hostname() || 'localhost'}`, 250);
+        if (!implicitTls && /STARTTLS/im.test(ehlo.text)) {
+            await command(socket, 'STARTTLS', 220);
+            socket = await wrapStartTls(socket, email.config.smtpHost);
+            ehlo = await command(socket, `EHLO ${hostname() || 'localhost'}`, 250);
+        }
+        if (!implicitTls && port !== 25 && !/AUTH/im.test(ehlo.text)) {
+            throw new Error('SMTP server did not advertise AUTH after EHLO');
+        }
+        const auth = Buffer.from(`\0${email.config.address}\0${email.config.password}`, 'utf8').toString('base64');
+        await command(socket, `AUTH PLAIN ${auth}`, 235);
+        await command(socket, `MAIL FROM:<${normalizeEmailAddress(email.config.address)}>`, 250);
+        await command(socket, `RCPT TO:<${normalizeEmailAddress(email.to)}>`, [250, 251]);
+        await command(socket, 'DATA', 354);
+        socket.write(`${email.raw}\r\n.\r\n`);
+        const sent = await readResponse(socket);
+        if (sent.code !== 250)
+            throw new Error(`SMTP DATA failed: ${sent.text}`);
+        await command(socket, 'QUIT', 221).catch(() => { });
+    }
+    finally {
+        socket.end();
+    }
+}
+export async function sendEmailMessage(config, to, text, options = {}) {
+    if (!config.address || !config.password || !config.smtpHost) {
+        throw new Error('Email ต้องมี address, password และ smtpHost');
+    }
+    const recipient = normalizeEmailAddress(to);
+    const { raw, messageId } = buildEmailMessageWithHeaders(config, recipient, text, options);
+    await (options.transport ?? sendViaSmtp)({ config, to: recipient, raw });
+    return { to: recipient, messageId };
+}
+function headerValue(raw, name) {
+    const lines = raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);
+    const prefix = `${name.toLowerCase()}:`;
+    const found = lines.find((line) => line.toLowerCase().startsWith(prefix));
+    return found?.slice(prefix.length).trim();
+}
+function splitHeaderBody(raw) {
+    const match = raw.match(/\r?\n\r?\n/);
+    if (!match || match.index == null)
+        return { headers: raw, body: '' };
+    return { headers: raw.slice(0, match.index), body: raw.slice(match.index + match[0].length) };
+}
+function decodeQuotedPrintableHeader(raw) {
+    const bytes = [];
+    for (let i = 0; i < raw.length; i += 1) {
+        const char = raw[i];
+        if (char === '_') {
+            bytes.push(0x20);
+            continue;
+        }
+        if (char === '=' && /^[0-9A-Fa-f]{2}$/.test(raw.slice(i + 1, i + 3))) {
+            bytes.push(Number.parseInt(raw.slice(i + 1, i + 3), 16));
+            i += 2;
+            continue;
+        }
+        bytes.push(...Buffer.from(char, 'utf8'));
+    }
+    return Buffer.from(bytes).toString('utf8');
+}
+function decodeHeader(raw) {
+    if (!raw)
+        return '';
+    return raw.replace(/=\?utf-8\?([bq])\?([^?]+)\?=/gi, (_m, encoding, value) => encoding.toLowerCase() === 'b' ? Buffer.from(value, 'base64').toString('utf8') : decodeQuotedPrintableHeader(value));
+}
+export function extractEmailAddress(raw) {
+    const match = raw.match(/<([^<>@\s]+@[^<>@\s]+)>/);
+    return (match?.[1] ?? raw).replace(/^mailto:/i, '').trim().toLowerCase();
+}
+function stripHtml(raw) {
+    return raw
+        .replace(/<style[\s\S]*?<\/style>/gi, '')
+        .replace(/<script[\s\S]*?<\/script>/gi, '')
+        .replace(/<br\s*\/?>/gi, '\n')
+        .replace(/<\/p>/gi, '\n')
+        .replace(/<[^>]+>/g, '')
+        .replace(/&nbsp;/g, ' ')
+        .replace(/&lt;/g, '<')
+        .replace(/&gt;/g, '>')
+        .replace(/&amp;/g, '&');
+}
+function decodeTransfer(raw, encoding) {
+    if (/base64/i.test(encoding ?? ''))
+        return Buffer.from(raw.replace(/\s+/g, ''), 'base64').toString('utf8');
+    if (/quoted-printable/i.test(encoding ?? '')) {
+        return raw
+            .replace(/=\r?\n/g, '')
+            .replace(/=([0-9A-F]{2})/gi, (_m, hex) => String.fromCharCode(Number.parseInt(hex, 16)));
+    }
+    return raw;
+}
+function messageBody(raw) {
+    const { headers, body } = splitHeaderBody(raw);
+    if (!body)
+        return '';
+    const contentType = headerValue(headers, 'Content-Type') ?? '';
+    const encoding = headerValue(headers, 'Content-Transfer-Encoding');
+    const boundary = contentType.match(/boundary="?([^";]+)"?/i)?.[1];
+    if (boundary) {
+        const parts = body.split(`--${boundary}`);
+        const textPart = parts.find((part) => /content-type:\s*text\/plain/i.test(part));
+        const htmlPart = parts.find((part) => /content-type:\s*text\/html/i.test(part));
+        const chosen = textPart ?? htmlPart ?? '';
+        const { headers: partHeaders, body: partBody } = splitHeaderBody(chosen);
+        if (partBody) {
+            const decoded = decodeTransfer(partBody, headerValue(partHeaders, 'Content-Transfer-Encoding'));
+            return /content-type:\s*text\/html/i.test(partHeaders) ? stripHtml(decoded).trim() : decoded.trim();
+        }
+    }
+    const decoded = decodeTransfer(body, encoding);
+    return /text\/html/i.test(contentType) ? stripHtml(decoded).trim() : decoded.trim();
+}
+export function parseRawEmail(uid, raw) {
+    const { headers } = splitHeaderBody(raw);
+    return {
+        uid,
+        from: extractEmailAddress(headerValue(headers, 'From') ?? ''),
+        subject: decodeHeader(headerValue(headers, 'Subject')) || '(no subject)',
+        text: messageBody(raw),
+        messageId: headerValue(headers, 'Message-ID'),
+        references: headerValue(headers, 'References'),
+        autoSubmitted: headerValue(headers, 'Auto-Submitted'),
+        precedence: headerValue(headers, 'Precedence'),
+        listUnsubscribe: headerValue(headers, 'List-Unsubscribe'),
+    };
+}
+export function shouldProcessEmail(email, config) {
+    const from = extractEmailAddress(email.from);
+    const self = extractEmailAddress(config.address);
+    if (!from || from === self)
+        return false;
+    if (/^(no-?reply|mailer-daemon|postmaster|bounce)@/i.test(from))
+        return false;
+    if (email.autoSubmitted && !/^no$/i.test(email.autoSubmitted))
+        return false;
+    if (/bulk|junk|list/i.test(email.precedence ?? ''))
+        return false;
+    if (email.listUnsubscribe)
+        return false;
+    if (config.allowAllUsers)
+        return true;
+    const allowed = new Set((config.allowedUsers ?? []).map((s) => s.toLowerCase()));
+    return allowed.has(from);
+}
+function imapQuote(raw) {
+    return `"${raw.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+}
+function escapeRegExp(raw) {
+    return raw.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function readImapGreeting(socket, timeoutMs = 30_000) {
+    return new Promise((resolve, reject) => {
+        let buffer = '';
+        const timer = setTimeout(() => cleanup(new Error('IMAP greeting timeout')), timeoutMs);
+        const onData = (chunk) => {
+            buffer += chunk.toString('utf8');
+            if (/^\* (OK|PREAUTH|BYE|BAD)/m.test(buffer))
+                cleanup(undefined, buffer);
+        };
+        const onError = (e) => cleanup(e);
+        const cleanup = (err, value) => {
+            clearTimeout(timer);
+            socket.off('data', onData);
+            socket.off('error', onError);
+            if (err)
+                reject(err);
+            else
+                resolve(value ?? buffer);
+        };
+        socket.on('data', onData);
+        socket.once('error', onError);
+    });
+}
+function readImapResponse(socket, tag, timeoutMs = 30_000) {
+    return new Promise((resolve, reject) => {
+        let buffer = '';
+        const tagPattern = escapeRegExp(tag);
+        const timer = setTimeout(() => cleanup(new Error('IMAP timeout')), timeoutMs);
+        const onData = (chunk) => {
+            buffer += chunk.toString('utf8');
+            if (new RegExp(`^${tagPattern} (OK|NO|BAD)`, 'm').test(buffer))
+                cleanup(undefined, buffer);
+        };
+        const onError = (e) => cleanup(e);
+        const cleanup = (err, value) => {
+            clearTimeout(timer);
+            socket.off('data', onData);
+            socket.off('error', onError);
+            if (err)
+                reject(err);
+            else
+                resolve(value ?? buffer);
+        };
+        socket.on('data', onData);
+        socket.once('error', onError);
+    });
+}
+async function imapCommand(socket, tag, commandText) {
+    socket.write(`${tag} ${commandText}\r\n`);
+    const response = await readImapResponse(socket, tag);
+    if (!new RegExp(`^${escapeRegExp(tag)} OK`, 'm').test(response))
+        throw new Error(`IMAP ${commandText.split(/\s+/)[0]} failed: ${response}`);
+    return response;
+}
+export function parseImapSearchResponse(response) {
+    const line = response.split(/\r?\n/).find((l) => l.startsWith('* SEARCH'));
+    if (!line)
+        return [];
+    return line
+        .slice('* SEARCH'.length)
+        .trim()
+        .split(/\s+/)
+        .filter(Boolean)
+        .map(Number)
+        .filter((n) => Number.isSafeInteger(n));
+}
+export function parseImapFetchResponse(response) {
+    const out = [];
+    const marker = /UID\s+(\d+)[\s\S]*?BODY(?:\.PEEK)?\[\]\s+\{(\d+)\}\r?\n/gim;
+    let match;
+    while ((match = marker.exec(response))) {
+        const uid = Number(match[1]);
+        const len = Number(match[2]);
+        const bodyStart = marker.lastIndex;
+        const raw = response.slice(bodyStart, bodyStart + len);
+        if (Number.isSafeInteger(uid) && raw)
+            out.push(parseRawEmail(uid, raw));
+        marker.lastIndex = bodyStart + len;
+    }
+    return out;
+}
+async function connectImap(config) {
+    const port = config.imapPort ?? 993;
+    return connectSocket(config.imapHost, port, port === 993);
+}
+export async function fetchUnseenEmails(config) {
+    if (!config.address || !config.password || !config.imapHost)
+        throw new Error('Email ต้องมี address, password และ imapHost');
+    const socket = await connectImap(config);
+    try {
+        const greeting = await readImapGreeting(socket).catch(() => '');
+        if (greeting && /^(\* )?BAD/im.test(greeting))
+            throw new Error(`IMAP greeting failed: ${greeting}`);
+        await imapCommand(socket, 'A1', `LOGIN ${imapQuote(config.address)} ${imapQuote(config.password)}`);
+        await imapCommand(socket, 'A2', 'SELECT INBOX');
+        const search = await imapCommand(socket, 'A3', 'UID SEARCH UNSEEN');
+        const uids = parseImapSearchResponse(search);
+        if (!uids.length)
+            return [];
+        const fetch = await imapCommand(socket, 'A4', `UID FETCH ${uids.join(',')} (UID BODY.PEEK[])`);
+        return parseImapFetchResponse(fetch);
+    }
+    finally {
+        await imapCommand(socket, 'ZZ', 'LOGOUT').catch(() => { });
+        socket.end();
+    }
+}
+export async function markEmailSeen(config, uid) {
+    if (!config.address || !config.password || !config.imapHost)
+        throw new Error('Email ต้องมี address, password และ imapHost');
+    const socket = await connectImap(config);
+    try {
+        await readImapGreeting(socket).catch(() => '');
+        await imapCommand(socket, 'A1', `LOGIN ${imapQuote(config.address)} ${imapQuote(config.password)}`);
+        await imapCommand(socket, 'A2', 'SELECT INBOX');
+        await imapCommand(socket, 'A3', `UID STORE ${uid} +FLAGS.SILENT (\\Seen)`);
+    }
+    finally {
+        await imapCommand(socket, 'ZZ', 'LOGOUT').catch(() => { });
+        socket.end();
+    }
+}
+function replySubject(subject) {
+    return /^re:/i.test(subject) ? subject : `Re: ${subject}`;
+}
+export async function sendEmailReply(config, email, text) {
+    await sendEmailMessage(config, email.from, text || '(ไม่มีผลลัพธ์)', {
+        subject: replySubject(email.subject),
+        inReplyTo: email.messageId,
+        references: email.references,
+    });
+}
+function emailPrompt(email) {
+    return [
+        `Email from: ${email.from}`,
+        `Subject: ${email.subject}`,
+        '',
+        'Message:',
+        email.text || '(empty)',
+    ].join('\n');
+}
+export function startEmail(opts) {
+    if (!opts.address || !opts.password || !opts.imapHost || !opts.smtpHost) {
+        opts.onLog?.('Email ไม่เริ่ม: ต้องตั้ง address/password/imapHost/smtpHost');
+        return () => { };
+    }
+    if (!opts.allowAllUsers && !opts.allowedUsers?.length) {
+        opts.onLog?.('⛔ Email ไม่เริ่ม: ต้องตั้ง allowedUsers หรือ allowAllUsers — remote surface นี้รัน agent ได้');
+        return () => { };
+    }
+    const pollMs = Math.max(5, opts.pollIntervalSeconds ?? 15) * 1000;
+    const poller = opts.poller ?? fetchUnseenEmails;
+    const markSeen = opts.markSeen ?? markEmailSeen;
+    const sendReply = opts.sendReply ?? sendEmailReply;
+    const running = new Set();
+    let stopped = false;
+    let busy = false;
+    opts.onLog?.(`Email: IMAP polling เริ่มแล้ว (${opts.address}, ทุก ${pollMs / 1000}s)`);
+    async function handle(email) {
+        if (running.has(email.uid))
+            return;
+        running.add(email.uid);
+        try {
+            if (!shouldProcessEmail(email, opts)) {
+                opts.onLog?.(`Email: ข้าม ${email.uid} จาก ${email.from} (ไม่ผ่าน policy)`);
+                return;
+            }
+            opts.onLog?.(`Email ${email.uid} จาก ${email.from}: ${email.subject.slice(0, 60)}`);
+            try {
+                const result = await runGatewayAgent({
+                    platform: 'email',
+                    target: email.from,
+                    model: opts.model,
+                    prompt: emailPrompt(email),
+                    userText: email.text,
+                    budgetUsd: opts.budgetUsd,
+                    permissionMode: opts.allowWrite === true ? 'auto' : 'ask',
+                });
+                if (!result.suppressDelivery)
+                    await sendReply(opts, email, result.text || '(ไม่มีผลลัพธ์)');
+            }
+            catch (e) {
+                opts.onLog?.(`Email run error (${email.uid}): ${redactKey(e.message)}`);
+                await sendReply(opts, email, 'เกิดข้อผิดพลาดภายใน').catch((err) => opts.onLog?.(`Email reply error (${email.uid}): ${redactKey(err.message)}`));
+            }
+        }
+        finally {
+            await markSeen(opts, email.uid).catch((e) => opts.onLog?.(`Email mark-seen error (${email.uid}): ${redactKey(e.message)}`));
+            running.delete(email.uid);
+        }
+    }
+    async function tick() {
+        if (stopped || busy)
+            return;
+        busy = true;
+        try {
+            const emails = await poller(opts);
+            for (const email of emails)
+                await handle(email);
+        }
+        catch (e) {
+            if (!stopped)
+                opts.onLog?.(`Email poll error: ${redactKey(e.message)}`);
+        }
+        finally {
+            busy = false;
+        }
+    }
+    void tick();
+    const timer = setInterval(() => void tick(), pollMs);
+    return () => {
+        stopped = true;
+        clearInterval(timer);
+    };
+}

package/dist/gateway/googlechat.js

@@ -0,0 +1,207 @@
+import { createSign } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+import { redactKey } from '../providers/keys.js';
+const GOOGLE_CHAT_API_BASE_URL = 'https://chat.googleapis.com';
+const GOOGLE_OAUTH_TOKEN_URI = 'https://oauth2.googleapis.com/token';
+const GOOGLE_CHAT_SCOPE = 'https://www.googleapis.com/auth/chat.bot';
+const GOOGLE_CHAT_TEXT_LIMIT = 4_000;
+function redactGoogleChatDetail(raw, secrets) {
+    let safe = redactKey(raw);
+    for (const secret of secrets) {
+        const value = secret?.trim();
+        if (value)
+            safe = safe.split(value).join('<secret>');
+    }
+    return safe;
+}
+function base64Url(input) {
+    return Buffer.from(input).toString('base64url');
+}
+export function normalizeGoogleChatApiBaseUrl(raw) {
+    const value = raw?.trim() || GOOGLE_CHAT_API_BASE_URL;
+    try {
+        const url = new URL(value);
+        if (url.protocol !== 'https:')
+            return undefined;
+        return url.toString().replace(/\/+$/, '');
+    }
+    catch {
+        return undefined;
+    }
+}
+export function normalizeGoogleChatWebhookUrl(raw) {
+    const value = raw?.trim();
+    if (!value)
+        return undefined;
+    try {
+        const url = new URL(value);
+        if (url.protocol !== 'https:')
+            return undefined;
+        return url.toString();
+    }
+    catch {
+        return undefined;
+    }
+}
+export function chunkGoogleChatText(raw, limit = GOOGLE_CHAT_TEXT_LIMIT) {
+    const text = raw.trim() || '(ไม่มีผลลัพธ์)';
+    if (text.length <= limit)
+        return [text];
+    const chunks = [];
+    for (let index = 0; index < text.length; index += limit) {
+        chunks.push(text.slice(index, index + limit));
+    }
+    return chunks;
+}
+export function parseGoogleChatTarget(config, explicitTarget) {
+    const target = explicitTarget?.trim() || config.homeChannel?.trim();
+    if (!target) {
+        const webhook = normalizeGoogleChatWebhookUrl(config.incomingWebhookUrl);
+        if (webhook)
+            return { type: 'webhook', value: webhook };
+        throw new Error('ต้องระบุ Google Chat space/webhook target หรือ home channel ใน gateway config');
+    }
+    if (/^https:\/\//i.test(target)) {
+        const webhookUrl = normalizeGoogleChatWebhookUrl(target);
+        if (!webhookUrl)
+            throw new Error('Google Chat incoming webhook target ต้องเป็น HTTPS URL ที่ถูกต้อง');
+        return { type: 'webhook', value: webhookUrl };
+    }
+    if (target.toLowerCase() === 'webhook') {
+        const webhookUrl = normalizeGoogleChatWebhookUrl(config.incomingWebhookUrl);
+        if (!webhookUrl)
+            throw new Error('ยังไม่ได้ตั้ง Google Chat incoming webhook URL');
+        return { type: 'webhook', value: webhookUrl };
+    }
+    const cleaned = target.replace(/^space[:/](?:spaces\/)?/i, 'spaces/').trim();
+    const match = /^(spaces\/[^/\s]+)(?:\/threads\/(.+))?$/.exec(cleaned);
+    if (!match)
+        throw new Error('Google Chat target ต้องเป็น spaces/<space-id> หรือ spaces/<space-id>/threads/<thread-id>');
+    const space = match[1];
+    const thread = match[2] ? `${space}/threads/${match[2]}` : undefined;
+    return { type: 'space', value: thread ?? space, space, thread };
+}
+export function googleChatApiUrl(config, path) {
+    const baseUrl = normalizeGoogleChatApiBaseUrl(config.apiBaseUrl);
+    if (!baseUrl)
+        throw new Error('Google Chat API base URL ต้องเป็น https:// URL');
+    return new URL(path, `${baseUrl}/`).toString();
+}
+export async function readGoogleServiceAccount(path) {
+    const parsed = JSON.parse(await readFile(path, 'utf8'));
+    if (!parsed || typeof parsed !== 'object')
+        throw new Error('Google Chat service account JSON ไม่ถูกต้อง');
+    return parsed;
+}
+export function googleServiceAccountJwt(serviceAccount, now = Math.floor(Date.now() / 1000)) {
+    const issuer = serviceAccount.client_email?.trim();
+    const privateKey = serviceAccount.private_key;
+    const audience = serviceAccount.token_uri?.trim() || GOOGLE_OAUTH_TOKEN_URI;
+    if (!issuer || !privateKey)
+        throw new Error('Google Chat service account JSON ต้องมี client_email และ private_key');
+    const header = base64Url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
+    const payload = base64Url(JSON.stringify({
+        iss: issuer,
+        scope: GOOGLE_CHAT_SCOPE,
+        aud: audience,
+        iat: now,
+        exp: now + 3600,
+    }));
+    const unsigned = `${header}.${payload}`;
+    const signature = createSign('RSA-SHA256').update(unsigned).sign(privateKey);
+    return `${unsigned}.${base64Url(signature)}`;
+}
+async function readGoogleChatJsonOrThrow(response, label, secrets = []) {
+    const text = await response.text().catch(() => '');
+    if (!response.ok)
+        throw new Error(`${label} ${response.status}${text ? `: ${redactGoogleChatDetail(text, secrets).slice(0, 240)}` : ''}`);
+    let json;
+    try {
+        json = (text ? JSON.parse(text) : {});
+    }
+    catch {
+        throw new Error(`${label} ${response.status}: response ไม่ใช่ JSON: ${redactGoogleChatDetail(text, secrets).slice(0, 240)}`);
+    }
+    const maybe = json;
+    const error = maybe.error;
+    if (error) {
+        const detail = typeof error === 'string'
+            ? maybe.error_description || error
+            : error.message || error.status || String(error.code ?? 'unknown');
+        throw new Error(`${label}: ${redactGoogleChatDetail(detail, secrets).slice(0, 200)}`);
+    }
+    return json;
+}
+export async function googleChatAccessToken(config) {
+    const serviceAccountPath = config.serviceAccountJson?.trim();
+    if (!serviceAccountPath)
+        throw new Error('ยังไม่ได้ตั้ง Google Chat service account JSON');
+    const serviceAccount = await readGoogleServiceAccount(serviceAccountPath);
+    const tokenUri = serviceAccount.token_uri?.trim() || GOOGLE_OAUTH_TOKEN_URI;
+    const assertion = googleServiceAccountJwt(serviceAccount);
+    const body = new URLSearchParams({
+        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+        assertion,
+    });
+    const r = await fetch(tokenUri, {
+        method: 'POST',
+        headers: { 'content-type': 'application/x-www-form-urlencoded' },
+        body,
+    });
+    const json = await readGoogleChatJsonOrThrow(r, 'Google Chat OAuth token', [
+        serviceAccount.private_key,
+        assertion,
+    ]);
+    const token = json.access_token?.trim();
+    if (!token)
+        throw new Error('Google Chat OAuth token response ไม่มี access_token');
+    return token;
+}
+async function sendGoogleChatWebhook(webhookUrl, text) {
+    const messageIds = [];
+    for (const chunk of chunkGoogleChatText(text)) {
+        const r = await fetch(webhookUrl, {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ text: chunk }),
+        });
+        const json = await readGoogleChatJsonOrThrow(r, 'Google Chat incoming webhook', [webhookUrl]);
+        if (json.name)
+            messageIds.push(json.name);
+    }
+    return { mode: 'incoming_webhook', target: 'webhook', messageIds, messageCount: messageIds.length || chunkGoogleChatText(text).length };
+}
+async function sendGoogleChatApi(config, target, text) {
+    if (!target.space)
+        throw new Error('Google Chat API target ต้องเป็น space');
+    const token = await googleChatAccessToken(config);
+    const messageIds = [];
+    for (const chunk of chunkGoogleChatText(text)) {
+        const r = await fetch(googleChatApiUrl(config, `/v1/${target.space}/messages`), {
+            method: 'POST',
+            headers: {
+                authorization: `Bearer ${token}`,
+                'content-type': 'application/json',
+            },
+            body: JSON.stringify({
+                text: chunk,
+                ...(target.thread ? { thread: { name: target.thread } } : {}),
+            }),
+        });
+        const json = await readGoogleChatJsonOrThrow(r, 'Google Chat API message', [token]);
+        if (json.name)
+            messageIds.push(json.name);
+    }
+    return {
+        mode: 'chat_api',
+        target: target.value,
+        messageIds,
+        messageCount: messageIds.length || chunkGoogleChatText(text).length,
+    };
+}
+export async function sendGoogleChatMessage(config, text, explicitTarget) {
+    const target = parseGoogleChatTarget(config, explicitTarget);
+    if (target.type === 'webhook')
+        return sendGoogleChatWebhook(target.value, text);
+    return sendGoogleChatApi(config, target, text);
+}