talon-agent 1.0.0

package/src/frontend/teams/graph.ts

@@ -0,0 +1,297 @@
+/**
+ * Microsoft Graph API integration — device code auth + chat message polling.
+ *
+ * Uses the Microsoft Graph PowerShell well-known client ID (no app registration needed).
+ * Authenticates via device code flow, then polls a Teams GROUP CHAT for new messages.
+ *
+ * Key: Chat.Read scope does NOT require admin consent (unlike ChannelMessage.Read.All).
+ * Tokens are persisted to disk so re-auth is only needed when refresh tokens expire.
+ */
+
+import { existsSync, readFileSync, mkdirSync } from "node:fs";
+import { resolve } from "node:path";
+import writeFileAtomic from "write-file-atomic";
+import { log, logError, logWarn } from "../../util/log.js";
+import { proxyFetch } from "./proxy-fetch.js";
+import { dirs } from "../../util/paths.js";
+import { stripHtml } from "./formatting.js";
+
+// ── Constants ────────────────────────────────────────────────────────────────
+
+/** Microsoft Graph PowerShell — supports arbitrary delegated scopes, no app registration. */
+const CLIENT_ID = "14d82eec-204b-4c2f-b7e8-296a70dab67e";
+const TENANT = "organizations";
+const AUTH_BASE = `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0`;
+const GRAPH_BASE = "https://graph.microsoft.com/v1.0";
+const SCOPES = "Chat.Read Chat.ReadBasic User.Read offline_access";
+
+const TOKEN_FILE = resolve(dirs.data, "teams-tokens.json");
+
+// ── Types ────────────────────────────────────────────────────────────────────
+
+type StoredTokens = {
+  accessToken: string;
+  refreshToken: string;
+  expiresAt: number; // epoch ms
+  chatId?: string;
+  chatTopic?: string;
+  userId?: string;
+};
+
+type DeviceCodeResponse = {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  expires_in: number;
+  interval: number;
+  message: string;
+};
+
+type TokenResponse = {
+  access_token: string;
+  refresh_token?: string;
+  expires_in: number;
+  scope?: string;
+  error?: string;
+  error_description?: string;
+};
+
+export type ChatMessage = {
+  id: string;
+  text: string;
+  senderName: string;
+  senderId: string;
+  chatId: string;
+  createdDateTime: string;
+  messageType: string;
+  edited: boolean;
+};
+
+// ── Token storage ────────────────────────────────────────────────────────────
+
+function loadTokens(): StoredTokens | null {
+  try {
+    if (existsSync(TOKEN_FILE)) {
+      return JSON.parse(readFileSync(TOKEN_FILE, "utf-8"));
+    }
+  } catch { /* corrupt */ }
+  return null;
+}
+
+function saveTokens(tokens: StoredTokens): void {
+  if (!existsSync(dirs.data)) mkdirSync(dirs.data, { recursive: true });
+  writeFileAtomic.sync(TOKEN_FILE, JSON.stringify(tokens, null, 2) + "\n");
+}
+
+// ── OAuth helpers ────────────────────────────────────────────────────────────
+
+async function postForm(url: string, params: Record<string, string>): Promise<Record<string, unknown>> {
+  const body = new URLSearchParams(params).toString();
+  const resp = await proxyFetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body,
+    signal: AbortSignal.timeout(15_000),
+  });
+  return (await resp.json()) as Record<string, unknown>;
+}
+
+async function refreshAccessToken(refreshToken: string): Promise<StoredTokens | null> {
+  const data = (await postForm(`${AUTH_BASE}/token`, {
+    grant_type: "refresh_token",
+    client_id: CLIENT_ID,
+    refresh_token: refreshToken,
+    scope: SCOPES,
+  })) as TokenResponse;
+
+  if (data.error) {
+    logError("teams", `Token refresh failed: ${data.error_description || data.error}`);
+    return null;
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token || refreshToken,
+    expiresAt: Date.now() + data.expires_in * 1000 - 60_000, // 1 min buffer
+  };
+}
+
+// ── Device code flow ─────────────────────────────────────────────────────────
+
+export async function deviceCodeAuth(): Promise<StoredTokens> {
+  const dcResp = (await postForm(`${AUTH_BASE}/devicecode`, {
+    client_id: CLIENT_ID,
+    scope: SCOPES,
+  })) as unknown as DeviceCodeResponse;
+
+  // Print instructions for the user
+  console.log();
+  console.log(`  To sign in, open: ${dcResp.verification_uri}`);
+  console.log(`  Enter code: ${dcResp.user_code}`);
+  console.log();
+  log("teams", `Device code auth: go to ${dcResp.verification_uri} and enter ${dcResp.user_code}`);
+
+  // Poll for token
+  const pollInterval = (dcResp.interval || 5) * 1000;
+  const deadline = Date.now() + dcResp.expires_in * 1000;
+
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, pollInterval));
+
+    const tokenResp = (await postForm(`${AUTH_BASE}/token`, {
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      client_id: CLIENT_ID,
+      device_code: dcResp.device_code,
+    })) as TokenResponse;
+
+    if (tokenResp.access_token) {
+      log("teams", "Device code auth successful");
+      const tokens: StoredTokens = {
+        accessToken: tokenResp.access_token,
+        refreshToken: tokenResp.refresh_token || "",
+        expiresAt: Date.now() + tokenResp.expires_in * 1000 - 60_000,
+      };
+      saveTokens(tokens);
+      return tokens;
+    }
+
+    if (tokenResp.error === "authorization_pending") continue;
+    if (tokenResp.error === "slow_down") {
+      await new Promise((r) => setTimeout(r, 5000));
+      continue;
+    }
+
+    throw new Error(`Auth failed: ${tokenResp.error_description || tokenResp.error}`);
+  }
+
+  throw new Error("Device code auth timed out (15 minutes)");
+}
+
+// ── Graph API client ─────────────────────────────────────────────────────────
+
+export class GraphClient {
+  private tokens: StoredTokens;
+
+  constructor(tokens: StoredTokens) {
+    this.tokens = tokens;
+  }
+
+  private async ensureValidToken(): Promise<string> {
+    if (Date.now() < this.tokens.expiresAt) {
+      return this.tokens.accessToken;
+    }
+
+    log("teams", "Refreshing access token...");
+    const refreshed = await refreshAccessToken(this.tokens.refreshToken);
+    if (!refreshed) throw new Error("Token refresh failed — re-authentication needed");
+
+    this.tokens = { ...this.tokens, ...refreshed };
+    saveTokens(this.tokens);
+    return this.tokens.accessToken;
+  }
+
+  private async graphGet(path: string): Promise<Record<string, unknown>> {
+    const token = await this.ensureValidToken();
+    const resp = await proxyFetch(`${GRAPH_BASE}${path}`, {
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(15_000),
+    });
+
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`Graph API ${path} failed: ${resp.status} ${body}`);
+    }
+
+    return (await resp.json()) as Record<string, unknown>;
+  }
+
+  // ── User info ──────────────────────────────────────────────────────────
+
+  async getMe(): Promise<{ id: string; displayName: string }> {
+    const data = await this.graphGet("/me?$select=id,displayName");
+    return { id: data.id as string, displayName: data.displayName as string };
+  }
+
+  // ── Chat discovery ─────────────────────────────────────────────────────
+
+  async listChats(): Promise<Array<{ id: string; topic: string | null; chatType: string }>> {
+    const data = await this.graphGet("/me/chats?$top=50");
+    const chats = data.value as Array<Record<string, unknown>>;
+    return chats.map((c) => ({
+      id: c.id as string,
+      topic: (c.topic as string) || null,
+      chatType: c.chatType as string,
+    }));
+  }
+
+  // ── Message reading ────────────────────────────────────────────────────
+
+  async getChatMessages(chatId: string, top = 20): Promise<ChatMessage[]> {
+    const data = await this.graphGet(
+      `/me/chats/${chatId}/messages?$top=${top}`,
+    );
+
+    const raw = data.value as Array<Record<string, unknown>>;
+    return raw
+      .filter((m) => (m.messageType as string) === "message")
+      .map((m) => {
+        const from = m.from as Record<string, unknown> | null;
+        const user = from?.user as Record<string, unknown> | null;
+        const body = m.body as { contentType: string; content: string } | null;
+
+        let text = body?.content || "";
+        if (body?.contentType === "html") {
+          text = stripHtml(text);
+        }
+
+        return {
+          id: m.id as string,
+          text,
+          senderName: (user?.displayName as string) || "Unknown",
+          senderId: (user?.id as string) || "",
+          chatId,
+          createdDateTime: m.createdDateTime as string,
+          messageType: m.messageType as string,
+          edited: m.lastEditedDateTime != null,
+        };
+      });
+  }
+
+  // ── Stored config ──────────────────────────────────────────────────────
+
+  getStoredChatId(): string | undefined { return this.tokens.chatId; }
+  getStoredChatTopic(): string | undefined { return this.tokens.chatTopic; }
+  getStoredUserId(): string | undefined { return this.tokens.userId; }
+
+  saveChatConfig(chatId: string, chatTopic: string, userId: string): void {
+    this.tokens.chatId = chatId;
+    this.tokens.chatTopic = chatTopic;
+    this.tokens.userId = userId;
+    saveTokens(this.tokens);
+  }
+}
+
+// ── Init helper ──────────────────────────────────────────────────────────────
+
+/**
+ * Initialize the Graph client — loads stored tokens or runs device code flow.
+ */
+export async function initGraphClient(): Promise<GraphClient> {
+  // Clear old tokens that used channel scopes
+  const stored = loadTokens();
+
+  if (stored && stored.refreshToken) {
+    log("teams", "Found stored tokens, validating...");
+    const refreshed = await refreshAccessToken(stored.refreshToken);
+    if (refreshed) {
+      const tokens = { ...stored, ...refreshed };
+      saveTokens(tokens);
+      log("teams", "Tokens refreshed successfully");
+      return new GraphClient(tokens);
+    }
+    logWarn("teams", "Stored tokens expired, re-authenticating...");
+  }
+
+  const tokens = await deviceCodeAuth();
+  return new GraphClient(tokens);
+}

package/src/frontend/teams/index.ts

@@ -0,0 +1,308 @@
+/**
+ * Teams frontend — bidirectional messaging via Power Automate + Graph API.
+ *
+ * SEND (Talon → Teams):  POST Adaptive Cards to a Power Automate workflow webhook URL.
+ * RECEIVE (Teams → Talon): Poll group chat messages via Microsoft Graph API
+ *                          using Chat.Read scope (no admin consent needed).
+ *
+ * No Azure AD app registration, no Bot Framework, no admin consent.
+ */
+
+import type { TalonConfig } from "../../util/config.js";
+import type { ContextManager } from "../../core/types.js";
+import type { Gateway } from "../../core/gateway.js";
+import { log, logError } from "../../util/log.js";
+import { deriveNumericChatId } from "../../util/chat-id.js";
+import { createTeamsActionHandler } from "./actions.js";
+import { splitTeamsMessage, buildAdaptiveCard } from "./formatting.js";
+import { initGraphClient, type GraphClient, type ChatMessage } from "./graph.js";
+import { proxyFetch } from "./proxy-fetch.js";
+
+// ── Types ────────────────────────────────────────────────────────────────────
+
+export type TeamsFrontend = {
+  context: ContextManager;
+  sendTyping: (chatId: number) => Promise<void>;
+  sendMessage: (chatId: number, text: string) => Promise<void>;
+  getBridgePort: () => number;
+  init: () => Promise<void>;
+  start: () => Promise<void>;
+  stop: () => Promise<void>;
+};
+
+// ── Frontend factory ─────────────────────────────────────────────────────────
+
+export function createTeamsFrontend(
+  config: TalonConfig,
+  gateway: Gateway,
+): TeamsFrontend {
+  const webhookUrl = (config as Record<string, unknown>).teamsWebhookUrl as string;
+  const botDisplayName = ((config as Record<string, unknown>).teamsBotDisplayName as string) || "";
+  const pollIntervalMs = ((config as Record<string, unknown>).teamsGraphPollMs as number) || 10_000;
+  const configChatTopic = ((config as Record<string, unknown>).teamsChatTopic as string) || "";
+
+  let graphClient: GraphClient | null = null;
+  let pollTimer: ReturnType<typeof setInterval> | null = null;
+  let lastSeenMessageId: string | null = null;
+  let myUserId: string | null = null;
+  let polling = false;
+
+  const context: ContextManager = {
+    acquire: (chatId: number, stringId?: string) => gateway.setContext(chatId, stringId),
+    release: (chatId: number) => gateway.clearContext(chatId),
+    getMessageCount: (chatId: number) => gateway.getMessageCount(chatId),
+  };
+
+  return {
+    context,
+
+    // Teams has no typing indicator via webhooks
+    sendTyping: async () => {},
+
+    sendMessage: async (_chatId: number, text: string) => {
+      if (!text.trim()) return;
+      try {
+        const chunks = splitTeamsMessage(text);
+        for (const chunk of chunks) {
+          const card = buildAdaptiveCard(chunk);
+          await proxyFetch(webhookUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(card),
+            signal: AbortSignal.timeout(15_000),
+          });
+        }
+      } catch (err) {
+        logError("teams", `sendMessage failed: ${err instanceof Error ? err.message : err}`);
+      }
+    },
+
+    getBridgePort: () => gateway.getPort(),
+
+    async init() {
+      // Register action handler with the gateway
+      gateway.setFrontendHandler(createTeamsActionHandler(webhookUrl, gateway));
+      const port = await gateway.start(19876);
+      log("teams", `Gateway on port ${port}`);
+
+      // Authenticate with Microsoft Graph
+      log("teams", "Initializing Microsoft Graph client...");
+      graphClient = await initGraphClient();
+
+      // Get our own user ID (to filter out our own messages)
+      const me = await graphClient.getMe();
+      myUserId = me.id;
+      log("teams", `Authenticated as: ${me.displayName} (${me.id})`);
+
+      // Discover or load chat
+      let chatId = graphClient.getStoredChatId();
+
+      if (!chatId) {
+        log("teams", "No chat configured, discovering...");
+        const chats = await graphClient.listChats();
+
+        if (chats.length === 0) throw new Error("No chats found");
+
+        // Try to match by topic name if configured
+        let selectedChat = chats[0];
+        if (configChatTopic) {
+          const match = chats.find((c) =>
+            c.topic?.toLowerCase().includes(configChatTopic.toLowerCase()),
+          );
+          if (match) selectedChat = match;
+          else log("teams", `No chat matching topic "${configChatTopic}", using most recent`);
+        }
+
+        chatId = selectedChat.id;
+        const topic = selectedChat.topic || "(unnamed chat)";
+
+        graphClient.saveChatConfig(chatId, topic, myUserId);
+        log("teams", `Configured chat: ${topic} [${selectedChat.chatType}]`);
+      } else {
+        log("teams", `Using chat: ${graphClient.getStoredChatTopic() || chatId}`);
+      }
+
+      // Seed lastSeenMessageId from current messages (don't process old messages)
+      try {
+        const existing = await graphClient.getChatMessages(chatId, 5);
+        if (existing.length > 0) {
+          lastSeenMessageId = existing[0].id;
+          log("teams", `Seeded last message ID: ${lastSeenMessageId}`);
+        }
+      } catch (err) {
+        logError("teams", `Failed to seed messages: ${err instanceof Error ? err.message : err}`);
+      }
+    },
+
+    async start() {
+      if (!graphClient) throw new Error("Graph client not initialized");
+
+      const chatId = graphClient.getStoredChatId()!;
+      const { execute } = await import("../../core/dispatcher.js");
+
+      log("teams", "Teams frontend running");
+      log("teams", `Send: Power Automate webhook`);
+      log("teams", `Receive: Graph API chat polling every ${pollIntervalMs / 1000}s`);
+
+      // ── Poll loop ──────────────────────────────────────────────────────
+      async function poll(): Promise<void> {
+        if (polling) return;
+        polling = true;
+
+        try {
+          if (!graphClient) return;
+          const messages = await graphClient.getChatMessages(chatId, 20);
+
+          // Find new messages — messages are returned newest first
+          // IDs are opaque strings, so compare by createdDateTime
+          const newMessages: ChatMessage[] = [];
+          for (const msg of messages) {
+            if (lastSeenMessageId && msg.id === lastSeenMessageId) break;
+            newMessages.push(msg);
+          }
+
+          if (newMessages.length > 0) {
+            lastSeenMessageId = newMessages[0].id;
+          }
+
+          // Process in chronological order (oldest first)
+          for (const msg of newMessages.reverse()) {
+            if (!msg.text.trim()) continue;
+            if (msg.edited) continue;
+
+            // Skip bot/workflow messages by display name (echo loop prevention).
+            // We do NOT filter by user ID — the authenticated user also sends
+            // real messages that Talon should respond to.
+            if (botDisplayName && msg.senderName.toLowerCase() === botDisplayName.toLowerCase()) {
+              continue;
+            }
+
+            const numericChatId = deriveNumericChatId(msg.chatId);
+            const talonChatId = `teams_chat_${msg.chatId}`;
+
+            // ── Slash commands ──
+            const trimmed = msg.text.trim().toLowerCase();
+            if (trimmed === "/reset") {
+              const { resetSession } = await import("../../storage/sessions.js");
+              const { clearHistory } = await import("../../storage/history.js");
+              resetSession(talonChatId);
+              clearHistory(talonChatId);
+              log("teams", `Session reset by ${msg.senderName}`);
+              const card = buildAdaptiveCard("Session cleared.");
+              await proxyFetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(card),
+                signal: AbortSignal.timeout(15_000),
+              }).catch(() => {});
+              continue;
+            }
+            if (trimmed === "/status") {
+              const { getSessionInfo } = await import("../../storage/sessions.js");
+              const info = getSessionInfo(talonChatId);
+              const u = info.usage;
+              const cacheHit = (u.totalInputTokens + u.totalCacheRead) > 0
+                ? Math.round((u.totalCacheRead / (u.totalInputTokens + u.totalCacheRead)) * 100) : 0;
+              const { getChatSettings } = await import("../../storage/chat-settings.js");
+              const model = (getChatSettings(talonChatId).model ?? config.model as string).replace("claude-", "");
+              const avgMs = info.turns > 0 ? Math.round(u.totalResponseMs / info.turns) : 0;
+              const contextUsed = u.lastPromptTokens;
+              const contextMax = model.includes("opus") ? 1_000_000 : model.includes("sonnet") ? 1_000_000 : 200_000;
+              const contextPct = contextMax > 0 ? Math.round((contextUsed / contextMax) * 100) : 0;
+              const card = {
+                type: "message",
+                attachments: [{
+                  contentType: "application/vnd.microsoft.card.adaptive",
+                  contentUrl: null,
+                  content: {
+                    type: "AdaptiveCard",
+                    $schema: "http://adaptivecards.io/schemas/adaptive-card.json",
+                    version: "1.4",
+                    body: [
+                      { type: "TextBlock", text: "**Session**", wrap: true, size: "Medium", weight: "Bolder" },
+                      { type: "FactSet", facts: [
+                        { title: "Model", value: model },
+                        { title: "Turns", value: String(info.turns) },
+                        { title: "Context", value: `${(contextUsed / 1000).toFixed(0)}K / ${(contextMax / 1000).toFixed(0)}K (${contextPct}%)` },
+                        { title: "Cache", value: `${cacheHit}% hit` },
+                        { title: "Input", value: `${u.totalInputTokens.toLocaleString()} tokens` },
+                        { title: "Output", value: `${u.totalOutputTokens.toLocaleString()} tokens` },
+                        { title: "Avg response", value: avgMs > 0 ? `${(avgMs / 1000).toFixed(1)}s` : "—" },
+                      ]},
+                    ],
+                  },
+                }],
+              };
+              await proxyFetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(card),
+                signal: AbortSignal.timeout(15_000),
+              }).catch(() => {});
+              continue;
+            }
+            if (trimmed === "/help") {
+              const helpText = "**Commands:**\n- `/reset` — clear session & history\n- `/status` — session stats\n- `/help` — this message";
+              const card = buildAdaptiveCard(helpText);
+              await proxyFetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(card),
+                signal: AbortSignal.timeout(15_000),
+              }).catch(() => {});
+              continue;
+            }
+
+            log("teams", `[${msg.senderName}]: ${msg.text.slice(0, 80)}${msg.text.length > 80 ? "..." : ""}`);
+
+            execute({
+              chatId: talonChatId,
+              numericChatId,
+              prompt: `[${msg.senderName}]: ${msg.text}`,
+              senderName: msg.senderName,
+              isGroup: true,
+              source: "message",
+              onStreamDelta: (_accumulated, phase) => {
+                if (phase) log("teams", `  phase: ${phase}`);
+              },
+              onToolUse: (toolName, input) => {
+                const detail = (input.description ?? input.command ?? input.action ?? input.query ?? input.url ?? input.name ?? "") as string;
+                log("teams", `  tool: ${toolName}${detail ? ` — ${String(detail).slice(0, 100)}` : ""}`);
+              },
+            }).then(async (result) => {
+              // Only deliver messages sent via the send_message tool.
+              // Do NOT send fallback text — if Claude chose not to use send_message,
+              // it's either choosing not to respond or outputting internal reasoning
+              // that shouldn't be shown to users.
+              if (result.bridgeMessageCount === 0 && result.text?.trim()) {
+                log("teams", `Suppressed fallback text (${result.text.length} chars) — no send_message tool used`);
+              }
+            }).catch((err) => {
+              logError("teams", `execute failed: ${err instanceof Error ? err.message : err}`);
+            });
+          }
+        } catch (err) {
+          logError("teams", `Poll error: ${err instanceof Error ? err.message : err}`);
+        } finally {
+          polling = false;
+        }
+      }
+
+      // Initial poll, then interval
+      await poll();
+      pollTimer = setInterval(poll, pollIntervalMs);
+
+      // Hold process open
+      await new Promise(() => {});
+    },
+
+    async stop() {
+      if (pollTimer) {
+        clearInterval(pollTimer);
+        pollTimer = null;
+      }
+      await gateway.stop();
+      log("teams", "Teams frontend stopped");
+    },
+  };
+}

package/src/frontend/teams/proxy-fetch.ts

@@ -0,0 +1,28 @@
+/**
+ * Proxy-aware fetch — uses HTTP_PROXY/HTTPS_PROXY env vars if set.
+ * Node's built-in fetch() does NOT respect proxy env vars by default.
+ */
+
+import { ProxyAgent } from "undici";
+
+const proxyUrl =
+  process.env.https_proxy ||
+  process.env.HTTPS_PROXY ||
+  process.env.http_proxy ||
+  process.env.HTTP_PROXY ||
+  "";
+
+const dispatcher = proxyUrl ? new ProxyAgent(proxyUrl) : undefined;
+
+/**
+ * Drop-in replacement for global fetch() that routes through the system proxy.
+ */
+export async function proxyFetch(
+  url: string | URL,
+  init?: RequestInit & { dispatcher?: unknown },
+): Promise<Response> {
+  return fetch(url, {
+    ...init,
+    ...(dispatcher ? { dispatcher } : {}),
+  } as RequestInit);
+}