* msteams: add reaction support (inbound handlers + outbound Graph API)
* msteams: address PR #51646 review feedback
* msteams: remove react from advertised actions (requires Delegated auth)
* msteams: address PR #51646 remaining review feedback (dmPolicy, groupPolicy, reactions auth)
- Fix 1: DM reaction authorization now uses resolveDmGroupAccessWithLists to enforce
dmPolicy modes (open/disabled/allowlist/pairing), matching the message handler.
- Fix 2: Group policy in reaction handler already uses resolveDefaultGroupPolicy
for global defaults; moved declaration earlier to share with DM path.
- Fix 3: Restore read-only "reactions" (list) action with listReactionsMSTeams,
which uses GET and works with Application auth. Keep "react" (write) gated
behind delegated-auth.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* msteams: add shared Graph pagination helper (fetchAllGraphPages)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* msteams: add OAuth2 delegated auth flow (PKCE + authorization code)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* msteams: integrate delegated auth (config, token storage, react enablement)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* msteams: fix critical bugs found in architect review
- Fix fetchGraphJson→postGraphJson for setReaction/unsetReaction (was sending GET instead of POST)
- Fix CSRF bypass in OAuth parseCallbackInput (missing state no longer falls back silently)
- Remove stale delegated-auth warning logs (delegated auth is now implemented)
- Add CSRF test case for parseCallbackInput
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* msteams: fix 6 PR #51646 review blockers (PKCE/state separation, CSRF, imports, routing, delegated auth bootstrap)
* msteams: fix channel.runtime.ts duplicate imports + graph.ts test mock compat
* msteams: fix lint/boundary blockers revealed by CI after rebase
- token.ts/graph.test.ts: add curly braces around single-statement ifs
(eslint/curly).
- oauth.flow.ts: rename unused parseCallbackInput param to _expectedState.
- reaction-handler.test.ts: rename unused buildDeps param to _runtime.
- send.reactions.ts: drop unnecessary non-null assertions on tuple entries.
- setup-surface.ts: drop empty-object spread fallback flagged by
unicorn/no-useless-fallback-in-spread.
- graph.ts: move GraphPagedResponse/PaginatedResult type defs below
requestGraph so the raw fetch() stays on line 47 to match the existing
no-raw-channel-fetch allowlist entry.
- oauth.token.ts: route the Azure AD token exchange and refresh calls
through fetchWithSsrFGuard (matches the pattern in sdk.ts), removing
the unguarded raw fetch() callsites flagged by
lint:tmp:no-raw-channel-fetch.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(msteams): restore absolute Graph pagination helper
* fix(msteams): satisfy reaction handler lint
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Brad Groux <3053586+BradGroux@users.noreply.github.com>
When pinDns=false was set to avoid undici dispatcher corruption of
FormData bodies, resolvePinnedHostnameWithPolicy was skipped entirely,
removing SSRF hostname/private-IP validation.
Now the pinDns=false path runs hostname validation as a preflight
before creating the non-pinned dispatcher, preserving defense-in-depth.
Also renames a stale test description per Greptile review feedback.
The SSRF guard's pinned DNS dispatcher (undici) corrupts FormData
multipart bodies, causing audio transcription to fail with HTTP 400
on OpenAI-compatible providers. Always set pinDns: false in
postTranscriptionRequest so native fetch handles FormData correctly.
SSRF hostname validation is preserved via resolvePinnedHostnameWithPolicy.
