import type { BlockStreamingCoalesceConfig, ContextVisibilityMode, DmPolicy, GroupPolicy, MarkdownConfig, } from "./types.base.js"; import type { ChannelHealthMonitorConfig, ChannelHeartbeatVisibilityConfig, } from "./types.channels.js"; import type { DmConfig } from "./types.messages.js"; import type { SecretInput } from "./types.secrets.js"; import type { GroupToolPolicyBySenderConfig, GroupToolPolicyConfig } from "./types.tools.js"; export type MSTeamsWebhookConfig = { /** Port for the webhook server. Default: 3978. */ port?: number; /** Path for the messages endpoint. Default: /api/messages. */ path?: string; }; /** * Bot Framework OAuth SSO configuration for Microsoft Teams. * * When enabled, the plugin handles the `signin/tokenExchange` and * `signin/verifyState` invoke activities that Teams sends after an * `oauthCard` is presented to the user. The exchanged user token is * persisted via the Bot Framework User Token service so downstream * tools can call Microsoft Graph with delegated permissions. * * Prerequisites (Azure portal): * - The bot's Azure AD (Entra) app is configured with an exposed API * scope (for example `access_as_user`) and lists the Teams client * IDs in `knownClientApplications`. * - The Bot Framework channel registration has an OAuth Connection * Setting whose name matches `connectionName` below, pointing at * the same Azure AD app. */ export type MSTeamsSsoConfig = { /** If true, handle signin/tokenExchange + signin/verifyState invokes. Default: false. */ enabled?: boolean; /** * Name of the OAuth connection configured on the Bot Framework channel * registration (Azure Bot resource). Required when `enabled` is true. */ connectionName?: string; }; /** Reply style for MS Teams messages. */ export type MSTeamsReplyStyle = "thread" | "top-level"; /** Channel-level config for MS Teams. */ export type MSTeamsChannelConfig = { /** Require @mention to respond. Default: true. */ requireMention?: boolean; /** Optional tool policy overrides for this channel. */ tools?: GroupToolPolicyConfig; toolsBySender?: GroupToolPolicyBySenderConfig; /** Reply style: "thread" replies to the message, "top-level" posts a new message. */ replyStyle?: MSTeamsReplyStyle; }; /** Team-level config for MS Teams. */ export type MSTeamsTeamConfig = { /** Default requireMention for channels in this team. */ requireMention?: boolean; /** Default tool policy for channels in this team. */ tools?: GroupToolPolicyConfig; toolsBySender?: GroupToolPolicyBySenderConfig; /** Default reply style for channels in this team. */ replyStyle?: MSTeamsReplyStyle; /** Per-channel overrides. Key is conversation ID (e.g., "19:...@thread.tacv2"). */ channels?: Record; }; export type MSTeamsConfig = { /** If false, do not start the MS Teams provider. Default: true. */ enabled?: boolean; /** Optional provider capability tags used for agent/runtime guidance. */ capabilities?: string[]; /** * Break-glass override: allow mutable identity matching (display names/UPNs) in allowlists. * Default behavior is ID-only matching. */ dangerouslyAllowNameMatching?: boolean; /** Markdown formatting overrides (tables). */ markdown?: MarkdownConfig; /** Allow channel-initiated config writes (default: true). */ configWrites?: boolean; /** Azure Bot App ID (from Azure Bot registration). */ appId?: string; /** Azure Bot App Password / Client Secret. */ appPassword?: SecretInput; /** Azure AD Tenant ID (for single-tenant bots). */ tenantId?: string; /** * Authentication type. * - `"secret"` (default): uses `appPassword` (client secret). * - `"federated"`: uses workload identity / managed identity / certificate. */ authType?: "secret" | "federated"; /** Path to a PEM certificate file for certificate-based auth. Used when `authType` is `"federated"`. */ certificatePath?: string; /** Certificate thumbprint (hex SHA-1) for certificate-based auth. */ certificateThumbprint?: string; /** If `true`, use Azure Managed Identity (system- or user-assigned) instead of a certificate. */ useManagedIdentity?: boolean; /** User-assigned managed-identity client ID. When omitted with `useManagedIdentity: true`, system-assigned identity is used. */ managedIdentityClientId?: string; /** Webhook server configuration. */ webhook?: MSTeamsWebhookConfig; /** Direct message access policy (default: pairing). */ dmPolicy?: DmPolicy; /** Allowlist for DM senders (AAD object IDs or UPNs). */ allowFrom?: Array; /** Default delivery target for CLI --deliver when no explicit --reply-to is provided. */ defaultTo?: string; /** Optional allowlist for group/channel senders (AAD object IDs or UPNs). */ groupAllowFrom?: Array; /** * Controls how group/channel messages are handled: * - "open": groups bypass allowFrom; mention-gating applies * - "disabled": block all group messages * - "allowlist": only allow group messages from senders in groupAllowFrom/allowFrom */ groupPolicy?: GroupPolicy; /** Supplemental context visibility policy (all|allowlist|allowlist_quote). */ contextVisibility?: ContextVisibilityMode; /** Outbound text chunk size (chars). Default: 4000. */ textChunkLimit?: number; /** Chunking mode: "length" (default) splits by size; "newline" splits on every newline. */ chunkMode?: "length" | "newline"; /** Send native Teams typing indicator before replies. Default: true for groups/channels; DMs use informative stream status. */ typingIndicator?: boolean; /** Enable progressive block-by-block message delivery instead of a single reply. */ blockStreaming?: boolean; /** Merge streamed block replies before sending. */ blockStreamingCoalesce?: BlockStreamingCoalesceConfig; /** * Allowed host suffixes for inbound attachment downloads. * Use ["*"] to allow any host (not recommended). */ mediaAllowHosts?: Array; /** * Allowed host suffixes for attaching Authorization headers to inbound media retries. * Use specific hosts only; avoid multi-tenant suffixes. */ mediaAuthAllowHosts?: Array; /** Default: require @mention to respond in channels/groups. */ requireMention?: boolean; /** Max group/channel messages to keep as history context (0 disables). */ historyLimit?: number; /** Max DM turns to keep as history context. */ dmHistoryLimit?: number; /** Per-DM config overrides keyed by user ID. */ dms?: Record; /** Default reply style: "thread" replies to the message, "top-level" posts a new message. */ replyStyle?: MSTeamsReplyStyle; /** Per-team config. Key is team ID (from the /team/ URL path segment). */ teams?: Record; /** Max media size in MB (default: 100MB for OneDrive upload support). */ mediaMaxMb?: number; /** SharePoint site ID for file uploads in group chats/channels (e.g., "contoso.sharepoint.com,guid1,guid2"). */ sharePointSiteId?: string; /** Heartbeat visibility settings for this channel. */ heartbeat?: ChannelHeartbeatVisibilityConfig; /** Channel health monitor overrides for this channel. */ healthMonitor?: ChannelHealthMonitorConfig; /** Outbound response prefix override for this channel/account. */ responsePrefix?: string; /** Show a welcome Adaptive Card when the bot is added to a 1:1 chat. Default: true. */ welcomeCard?: boolean; /** Custom prompt starter labels shown on the welcome card. */ promptStarters?: string[]; /** Show a welcome message when the bot is added to a group chat. Default: false. */ groupWelcomeCard?: boolean; /** Enable the Teams feedback loop (thumbs up/down) on AI-generated messages. Default: true. */ feedbackEnabled?: boolean; /** Enable background reflection when a user gives negative feedback. Default: true. */ feedbackReflection?: boolean; /** Minimum interval (ms) between reflections per session. Default: 300000 (5 min). */ feedbackReflectionCooldownMs?: number; /** Delegated auth settings for user-scoped Graph API actions (e.g., reactions). */ delegatedAuth?: { /** Enable delegated auth (user sign-in for Graph actions that need user scope). */ enabled?: boolean; /** Additional scopes to request during OAuth consent. */ scopes?: string[]; }; /** Bot Framework OAuth SSO (signin/tokenExchange + signin/verifyState) settings. */ sso?: MSTeamsSsoConfig; }; declare module "./types.channels.js" { interface ChannelsConfig { msteams?: MSTeamsConfig; } }