npm - slackhive - Versions diffs - 0.1.37 → 0.1.39 - Mend

slackhive 0.1.37 → 0.1.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (542) hide show

package/apps/web/src/lib/__tests__/skill-templates.test.ts ADDED Viewed

@@ -0,0 +1,237 @@
+/**
+ * @fileoverview Unit tests for skill-templates.ts — SKILL_TEMPLATES.
+ *
+ * Verifies each template generates the correct skill files with expected
+ * content, structure, and agent name/persona interpolation.
+ *
+ * No database or network required.
+ *
+ * @module web/lib/__tests__/skill-templates.test
+ */
+import { describe, it, expect } from 'vitest';
+import { SKILL_TEMPLATES } from '@/lib/skill-templates';
+import type { Agent } from '@slackhive/shared';
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function makeAgent(overrides: Partial<Agent> = {}): Agent {
+  return {
+    id: 'agent-1',
+    slug: 'test-bot',
+    name: 'TestBot',
+    persona: undefined,
+    description: undefined,
+    slackBotToken: 'xoxb-fake',
+    slackAppToken: 'xapp-fake',
+    slackSigningSecret: 'secret',
+    slackBotUserId: undefined,
+    model: 'claude-opus-4-5',
+    status: 'stopped',
+    enabled: true,
+    isBoss: false,
+    reportsTo: [],
+    claudeMd: '',
+    createdBy: 'system',
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    ...overrides,
+  };
+}
+// ─── Common assertions ────────────────────────────────────────────────────────
+function expectValidSkills(skills: ReturnType<typeof SKILL_TEMPLATES['blank']>) {
+  expect(skills.length).toBeGreaterThan(0);
+  for (const skill of skills) {
+    expect(skill.category).toBeTruthy();
+    expect(skill.filename).toMatch(/\.md$/);
+    expect(skill.content.trim()).toBeTruthy();
+    expect(typeof skill.sortOrder).toBe('number');
+  }
+}
+function expectUniqueSortOrders(skills: ReturnType<typeof SKILL_TEMPLATES['blank']>) {
+  const orders = skills.map(s => s.sortOrder);
+  expect(new Set(orders).size).toBe(orders.length);
+}
+// ─── blank template ───────────────────────────────────────────────────────────
+describe('SKILL_TEMPLATES.blank', () => {
+  it('returns exactly one skill file', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent());
+    expect(skills).toHaveLength(1);
+  });
+  it('interpolates agent name into the skill heading', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent({ name: 'MyBot' }));
+    expect(skills[0].content).toContain('# MyBot');
+  });
+  it('uses agent persona when provided', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent({ persona: 'A grumpy assistant.' }));
+    expect(skills[0].content).toContain('A grumpy assistant.');
+  });
+  it('generates default persona when persona is undefined', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent({ name: 'MyBot', persona: undefined }));
+    expect(skills[0].content).toContain('You are MyBot');
+  });
+  it('includes description when provided', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent({ description: 'Handles billing queries.' }));
+    expect(skills[0].content).toContain('Handles billing queries.');
+  });
+  it('omits description section when description is undefined', () => {
+    const skills = SKILL_TEMPLATES.blank(makeAgent({ description: undefined }));
+    expect(skills[0].content).not.toContain('## What you do');
+  });
+  it('produces a valid skill structure', () => {
+    expectValidSkills(SKILL_TEMPLATES.blank(makeAgent()));
+  });
+});
+// ─── data-analyst template ────────────────────────────────────────────────────
+describe('SKILL_TEMPLATES.data-analyst', () => {
+  it('returns 3 skill files', () => {
+    expect(SKILL_TEMPLATES['data-analyst'](makeAgent())).toHaveLength(3);
+  });
+  it('interpolates agent name in identity skill', () => {
+    const skills = SKILL_TEMPLATES['data-analyst'](makeAgent({ name: 'DataBot' }));
+    const identity = skills.find(s => s.filename === 'identity.md')!;
+    expect(identity.content).toContain('# DataBot');
+  });
+  it('uses agent persona when provided', () => {
+    const skills = SKILL_TEMPLATES['data-analyst'](makeAgent({ persona: 'Expert SQL analyst.' }));
+    const identity = skills.find(s => s.filename === 'identity.md')!;
+    expect(identity.content).toContain('Expert SQL analyst.');
+  });
+  it('includes workflow.md with query execution steps', () => {
+    const skills = SKILL_TEMPLATES['data-analyst'](makeAgent());
+    const workflow = skills.find(s => s.filename === 'workflow.md')!;
+    expect(workflow).toBeDefined();
+    expect(workflow.content).toContain('Understand');
+    expect(workflow.content).toContain('Execute');
+  });
+  it('includes response-format.md', () => {
+    const skills = SKILL_TEMPLATES['data-analyst'](makeAgent());
+    expect(skills.find(s => s.filename === 'response-format.md')).toBeDefined();
+  });
+  it('skills are in ascending sortOrder', () => {
+    const skills = SKILL_TEMPLATES['data-analyst'](makeAgent());
+    const orders = skills.map(s => s.sortOrder);
+    expect(orders).toEqual([...orders].sort((a, b) => a - b));
+  });
+  it('has unique sort orders', () => {
+    expectUniqueSortOrders(SKILL_TEMPLATES['data-analyst'](makeAgent()));
+  });
+  it('produces valid skill structures', () => {
+    expectValidSkills(SKILL_TEMPLATES['data-analyst'](makeAgent()));
+  });
+});
+// ─── writer template ──────────────────────────────────────────────────────────
+describe('SKILL_TEMPLATES.writer', () => {
+  it('returns 2 skill files', () => {
+    expect(SKILL_TEMPLATES.writer(makeAgent())).toHaveLength(2);
+  });
+  it('interpolates agent name in identity skill', () => {
+    const skills = SKILL_TEMPLATES.writer(makeAgent({ name: 'WriterBot' }));
+    const identity = skills.find(s => s.filename === 'identity.md')!;
+    expect(identity.content).toContain('# WriterBot');
+  });
+  it('includes style-guide.md with writing guidelines', () => {
+    const skills = SKILL_TEMPLATES.writer(makeAgent());
+    const guide = skills.find(s => s.filename === 'style-guide.md')!;
+    expect(guide).toBeDefined();
+    expect(guide.content).toContain('Active voice');
+  });
+  it('has unique sort orders', () => {
+    expectUniqueSortOrders(SKILL_TEMPLATES.writer(makeAgent()));
+  });
+  it('produces valid skill structures', () => {
+    expectValidSkills(SKILL_TEMPLATES.writer(makeAgent()));
+  });
+});
+// ─── developer template ───────────────────────────────────────────────────────
+describe('SKILL_TEMPLATES.developer', () => {
+  it('returns 2 skill files', () => {
+    expect(SKILL_TEMPLATES.developer(makeAgent())).toHaveLength(2);
+  });
+  it('interpolates agent name in identity skill', () => {
+    const skills = SKILL_TEMPLATES.developer(makeAgent({ name: 'DevBot' }));
+    const identity = skills.find(s => s.filename === 'identity.md')!;
+    expect(identity.content).toContain('# DevBot');
+  });
+  it('includes code-standards.md with security mention', () => {
+    const skills = SKILL_TEMPLATES.developer(makeAgent());
+    const standards = skills.find(s => s.filename === 'code-standards.md')!;
+    expect(standards).toBeDefined();
+    expect(standards.content).toContain('security');
+  });
+  it('has unique sort orders', () => {
+    expectUniqueSortOrders(SKILL_TEMPLATES.developer(makeAgent()));
+  });
+  it('produces valid skill structures', () => {
+    expectValidSkills(SKILL_TEMPLATES.developer(makeAgent()));
+  });
+});
+// ─── All templates ────────────────────────────────────────────────────────────
+describe('SKILL_TEMPLATES (all)', () => {
+  const templateNames = ['blank', 'data-analyst', 'writer', 'developer'] as const;
+  it('all templates are defined', () => {
+    for (const name of templateNames) {
+      expect(SKILL_TEMPLATES[name]).toBeTypeOf('function');
+    }
+  });
+  it('all templates produce skills in 00-core category', () => {
+    const agent = makeAgent();
+    for (const name of templateNames) {
+      const skills = SKILL_TEMPLATES[name](agent);
+      expect(skills.every(s => s.category === '00-core')).toBe(true);
+    }
+  });
+  it('all templates include an identity.md file', () => {
+    const agent = makeAgent();
+    for (const name of templateNames) {
+      const skills = SKILL_TEMPLATES[name](agent);
+      expect(skills.find(s => s.filename === 'identity.md')).toBeDefined();
+    }
+  });
+  it('all identity.md files start with the agent name as heading', () => {
+    const agent = makeAgent({ name: 'SpecialAgent' });
+    for (const name of templateNames) {
+      const skills = SKILL_TEMPLATES[name](agent);
+      const identity = skills.find(s => s.filename === 'identity.md')!;
+      expect(identity.content).toContain('# SpecialAgent');
+    }
+  });
+});

package/apps/web/src/lib/__tests__/slack-manifest.test.ts ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * @fileoverview Unit tests for slack-manifest.ts — generateSlackManifest.
+ *
+ * Verifies manifest structure, scope assignment, deduplication, and defaults
+ * for both regular and boss agents.
+ *
+ * No database or network required.
+ *
+ * @module web/lib/__tests__/slack-manifest.test
+ */
+import { describe, it, expect } from 'vitest';
+import { generateSlackManifest } from '@/lib/slack-manifest';
+import { DEFAULT_SLACK_BOT_SCOPES, BOSS_ADDITIONAL_SCOPES } from '@slackhive/shared';
+// ─── generateSlackManifest ────────────────────────────────────────────────────
+describe('generateSlackManifest', () => {
+  it('sets display name from opts.name', () => {
+    const m = generateSlackManifest({ name: 'DataBot' });
+    expect(m.display_information.name).toBe('DataBot');
+    expect(m.features.bot_user.display_name).toBe('DataBot');
+  });
+  it('uses provided description in display_information', () => {
+    const m = generateSlackManifest({ name: 'Bot', description: 'My custom description' });
+    expect(m.display_information.description).toBe('My custom description');
+  });
+  it('generates default description from name when description is omitted', () => {
+    const m = generateSlackManifest({ name: 'DataBot' });
+    expect(m.display_information.description).toBe('DataBot — Claude Code AI agent');
+  });
+  it('includes all DEFAULT_SLACK_BOT_SCOPES for a non-boss agent', () => {
+    const m = generateSlackManifest({ name: 'Bot', isBoss: false });
+    for (const scope of DEFAULT_SLACK_BOT_SCOPES) {
+      expect(m.oauth_config.scopes.bot).toContain(scope);
+    }
+  });
+  it('includes boss scopes in addition to default scopes for boss agent', () => {
+    const m = generateSlackManifest({ name: 'Boss', isBoss: true });
+    const allExpected = [...new Set([...DEFAULT_SLACK_BOT_SCOPES, ...BOSS_ADDITIONAL_SCOPES])];
+    for (const scope of allExpected) {
+      expect(m.oauth_config.scopes.bot).toContain(scope);
+    }
+  });
+  it('does not include boss scopes for non-boss agent', () => {
+    const bossOnlyScopes = BOSS_ADDITIONAL_SCOPES.filter(s => !DEFAULT_SLACK_BOT_SCOPES.includes(s));
+    const m = generateSlackManifest({ name: 'Bot', isBoss: false });
+    for (const scope of bossOnlyScopes) {
+      expect(m.oauth_config.scopes.bot).not.toContain(scope);
+    }
+  });
+  it('deduplicates scopes — no scope appears twice', () => {
+    const m = generateSlackManifest({ name: 'Boss', isBoss: true });
+    const scopes = m.oauth_config.scopes.bot;
+    const unique = [...new Set(scopes)];
+    expect(scopes.length).toBe(unique.length);
+  });
+  it('enables socket_mode', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    expect(m.settings.socket_mode_enabled).toBe(true);
+  });
+  it('subscribes to all required bot events', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    const events = m.settings.event_subscriptions.bot_events;
+    expect(events).toContain('app_mention');
+    expect(events).toContain('message.im');
+    expect(events).toContain('message.channels');
+    expect(events).toContain('message.groups');
+    expect(events).toContain('member_joined_channel');
+  });
+  it('sets bot always_online to true', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    expect(m.features.bot_user.always_online).toBe(true);
+  });
+  it('disables interactivity', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    expect(m.settings.interactivity.is_enabled).toBe(false);
+  });
+  it('disables token rotation', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    expect(m.settings.token_rotation_enabled).toBe(false);
+  });
+  it('treats isBoss=undefined the same as isBoss=false (no extra scopes)', () => {
+    const withFalse = generateSlackManifest({ name: 'Bot', isBoss: false });
+    const withUndefined = generateSlackManifest({ name: 'Bot' });
+    expect(withFalse.oauth_config.scopes.bot).toEqual(withUndefined.oauth_config.scopes.bot);
+  });
+  it('sets background_color to #1a1a1a', () => {
+    const m = generateSlackManifest({ name: 'Bot' });
+    expect(m.display_information.background_color).toBe('#1a1a1a');
+  });
+});

package/apps/web/src/lib/api-guard.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * @fileoverview API route guards — role-based access control for mutations.
+ *
+ * guardEditor: allows editor, admin, superadmin (blocks viewer)
+ * guardAdmin: allows admin, superadmin only (blocks viewer + editor)
+ *
+ * @module web/lib/api-guard
+ */
+import { NextResponse } from 'next/server';
+import { getSessionFromRequest, type Role } from './auth';
+import { userCanWriteAgent } from './db';
+const ROLE_LEVEL: Record<Role, number> = { viewer: 0, editor: 1, admin: 2, superadmin: 3 };
+/**
+ * Returns 403 if the user lacks editor role or above.
+ * Allows: editor, admin, superadmin. Blocks: viewer.
+ *
+ * @param {Request} req - Incoming request.
+ * @returns {NextResponse | null} 403 response or null if authorized.
+ */
+export function guardAdmin(req: Request): NextResponse | null {
+  const session = getSessionFromRequest(req);
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
+  }
+  if ((ROLE_LEVEL[session.role] ?? -1) < ROLE_LEVEL.editor) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
+  return null;
+}
+/**
+ * Returns 403 if the user cannot write to the specified agent.
+ * Admins/superadmins always pass. Editors pass only if they created the agent
+ * or have been explicitly granted write access.
+ *
+ * @param {Request} req - Incoming request.
+ * @param {string} agentId - Agent UUID to check write access for.
+ * @returns {Promise<NextResponse | null>} 403 response or null if authorized.
+ */
+export async function guardAgentWrite(req: Request, agentId: string): Promise<NextResponse | null> {
+  const session = getSessionFromRequest(req);
+  if (!session) return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
+  const allowed = await userCanWriteAgent(agentId, session.username, session.role);
+  if (!allowed) return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  return null;
+}
+/**
+ * Returns 403 if the user lacks admin role or above.
+ * Allows: admin, superadmin. Blocks: viewer, editor.
+ * Use this for user management endpoints only.
+ *
+ * @param {Request} req - Incoming request.
+ * @returns {NextResponse | null} 403 response or null if authorized.
+ */
+export function guardUserAdmin(req: Request): NextResponse | null {
+  const session = getSessionFromRequest(req);
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
+  }
+  if ((ROLE_LEVEL[session.role] ?? -1) < ROLE_LEVEL.admin) {
+    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
+  }
+  return null;
+}

package/apps/web/src/lib/auth-context.tsx ADDED Viewed

@@ -0,0 +1,71 @@
+'use client';
+/**
+ * @fileoverview Client-side auth context — provides role info to components.
+ *
+ * Roles: superadmin > admin > editor > viewer
+ * - canEdit: editor, admin, superadmin (can create/edit agents, jobs, settings)
+ * - canManageUsers: admin, superadmin only (can create/delete users)
+ *
+ * @module web/lib/auth-context
+ */
+import { createContext, useContext, useEffect, useState } from 'react';
+interface AuthState {
+  username: string;
+  role: 'superadmin' | 'admin' | 'editor' | 'viewer' | null;
+  loading: boolean;
+  /** Can create/edit/delete agents, jobs, settings, MCPs. */
+  canEdit: boolean;
+  /** Can create/delete users (admin + superadmin only). */
+  canManageUsers: boolean;
+  logout: () => Promise<void>;
+}
+const AuthContext = createContext<AuthState>({
+  username: '', role: null, loading: true, canEdit: false, canManageUsers: false, logout: async () => {},
+});
+/**
+ * Provides auth state to the component tree.
+ *
+ * @param {{ children: React.ReactNode }} props
+ * @returns {JSX.Element}
+ */
+export function AuthProvider({ children }: { children: React.ReactNode }) {
+  const [username, setUsername] = useState('');
+  const [role, setRole] = useState<AuthState['role']>(null);
+  const [loading, setLoading] = useState(true);
+  useEffect(() => {
+    fetch('/api/auth/me')
+      .then(r => { if (!r.ok) throw new Error(); return r.json(); })
+      .then(data => { setUsername(data.username); setRole(data.role); })
+      .catch(() => {})
+      .finally(() => setLoading(false));
+  }, []);
+  const canEdit = role === 'superadmin' || role === 'admin' || role === 'editor';
+  const canManageUsers = role === 'superadmin' || role === 'admin';
+  const logout = async () => {
+    await fetch('/api/auth/logout', { method: 'POST' });
+    window.location.href = '/login';
+  };
+  return (
+    <AuthContext.Provider value={{ username, role, loading, canEdit, canManageUsers, logout }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+/**
+ * Hook to access the current auth state.
+ *
+ * @returns {AuthState} Current auth state.
+ */
+export function useAuth(): AuthState {
+  return useContext(AuthContext);
+}

package/apps/web/src/lib/auth.ts ADDED Viewed

@@ -0,0 +1,128 @@
+/**
+ * @fileoverview Authentication utilities — cookie signing, user verification, role checks.
+ *
+ * Superadmin is checked against env vars (ADMIN_USERNAME/ADMIN_PASSWORD).
+ * DB users are checked with bcrypt. Sessions are HMAC-signed cookies.
+ *
+ * @module web/lib/auth
+ */
+import * as crypto from 'crypto';
+import bcrypt from 'bcryptjs';
+import { getUserByUsername } from './db';
+if (process.env.NODE_ENV === 'production' && !process.env.CI && (!process.env.AUTH_SECRET || !process.env.ADMIN_PASSWORD)) {
+  throw new Error('AUTH_SECRET and ADMIN_PASSWORD must be set in production. See .env.example.');
+}
+const AUTH_SECRET = process.env.AUTH_SECRET || 'change-this-secret-in-production';
+const ADMIN_USERNAME = process.env.ADMIN_USERNAME || 'admin';
+const ADMIN_PASSWORD = process.env.ADMIN_PASSWORD || 'changeme';
+const COOKIE_NAME = 'auth_session';
+export type Role = 'superadmin' | 'admin' | 'editor' | 'viewer';
+export interface SessionPayload {
+  username: string;
+  role: Role;
+}
+/**
+ * Signs a session payload into an HMAC cookie value.
+ *
+ * @param {SessionPayload} payload - The session data to sign.
+ * @returns {string} Signed cookie value (base64payload.base64sig).
+ */
+export function signSession(payload: SessionPayload): string {
+  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const sig = crypto.createHmac('sha256', AUTH_SECRET).update(data).digest('base64url');
+  return `${data}.${sig}`;
+}
+/**
+ * Verifies an HMAC-signed session cookie and returns the payload.
+ *
+ * @param {string} cookie - The signed cookie value.
+ * @returns {SessionPayload | null} Decoded payload or null if invalid.
+ */
+export function verifySession(cookie: string): SessionPayload | null {
+  const parts = cookie.split('.');
+  if (parts.length !== 2) return null;
+  const [data, sig] = parts;
+  const expected = crypto.createHmac('sha256', AUTH_SECRET).update(data).digest('base64url');
+  if (sig !== expected) return null;
+  try {
+    return JSON.parse(Buffer.from(data, 'base64url').toString()) as SessionPayload;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Authenticates a user by username and password.
+ * Checks superadmin env vars first, then DB users.
+ *
+ * @param {string} username - The username to authenticate.
+ * @param {string} password - The plaintext password.
+ * @returns {Promise<SessionPayload | null>} Session payload or null if auth fails.
+ */
+export async function authenticateUser(username: string, password: string): Promise<SessionPayload | null> {
+  // Check superadmin
+  if (username === ADMIN_USERNAME && password === ADMIN_PASSWORD) {
+    return { username, role: 'superadmin' };
+  }
+  // Check DB users
+  const user = await getUserByUsername(username);
+  if (!user) return null;
+  const valid = await bcrypt.compare(password, user.passwordHash);
+  if (!valid) return null;
+  return { username: user.username, role: user.role as Role };
+}
+/**
+ * Hashes a plaintext password with bcrypt.
+ *
+ * @param {string} password - Plaintext password.
+ * @returns {Promise<string>} Bcrypt hash.
+ */
+export async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, 10);
+}
+/**
+ * Extracts session from a Request's cookies.
+ *
+ * @param {Request} req - Incoming request.
+ * @returns {SessionPayload | null} Session payload or null.
+ */
+export function getSessionFromRequest(req: Request): SessionPayload | null {
+  const cookieHeader = req.headers.get('cookie') || '';
+  const match = cookieHeader.match(new RegExp(`${COOKIE_NAME}=([^;]+)`));
+  if (!match) return null;
+  return verifySession(decodeURIComponent(match[1]));
+}
+/**
+ * Requires at least the given role. Returns the session or throws.
+ *
+ * @param {Request} req - Incoming request.
+ * @param {'viewer' | 'admin'} minRole - Minimum required role.
+ * @returns {SessionPayload} Verified session.
+ * @throws {Error} If not authenticated or insufficient role.
+ */
+export function requireRole(req: Request, minRole: 'viewer' | 'editor' | 'admin'): SessionPayload {
+  const session = getSessionFromRequest(req);
+  if (!session) throw new Error('Not authenticated');
+  const roleLevel: Record<Role, number> = { viewer: 0, editor: 1, admin: 2, superadmin: 3 };
+  if ((roleLevel[session.role] ?? -1) < (roleLevel[minRole] ?? 0)) {
+    throw new Error('Insufficient permissions');
+  }
+  return session;
+}
+/** The cookie name used for auth sessions. */
+export { COOKIE_NAME };