publish-kit sync 2026-05-16

Author: publish-kit

CHANGELOG.md

@@ -1,19 +1,52 @@
-## 2026-04-16
+## 2026-05-16
 
-+ added    personas/flo-rivers.md
-+ added    personas/holly-helpdesk.md
-+ added    personas/paige-turner.md
-+ added    personas/stan-dardson.md
-+ added    personas/stella-fullstack.md
-+ added    runbooks/_template.md
-+ added    runbooks/anthropic-api.md
-+ added    runbooks/apollo-api.md
-+ added    runbooks/clickup-api.md
-+ added    runbooks/credential-vault.md
-+ added    runbooks/github-api.md
-+ added    runbooks/helpjuice-api.md
-+ added    runbooks/salesforce-cli.md
-+ added    skills/build-tool/SKILL.md
-+ added    skills/catalog/SKILL.md
-+ added    skills/changelog-polish/SKILL.md
-+ added    skills/toolreview/SKILL.md
++ added    examples/teams-dm-bot/README.md
++ added    examples/teams-dm-bot/bin/fetch-conv-ref.sh
++ added    examples/teams-dm-bot/bin/send-dm.sh
++ added    examples/teams-dm-bot/functions/function_app.py
++ added    examples/teams-dm-bot/functions/host.json
++ added    examples/teams-dm-bot/functions/requirements.txt
++ added    examples/teams-dm-bot/manifest/color.png
++ added    examples/teams-dm-bot/manifest/make-zip.sh
++ added    examples/teams-dm-bot/manifest/manifest.json
++ added    examples/teams-dm-bot/manifest/outline.png
++ added    examples/teams-dm-bot/worker/index.js
++ added    examples/teams-dm-bot/worker/wrangler.toml
++ added    runbooks/_start-task-gotchas.md
++ added    runbooks/azure-container-apps.md
++ added    runbooks/browser-harness.md
++ added    runbooks/browser-use-api.md
++ added    runbooks/case-email-cc-preservation.md
++ added    runbooks/claude-code-bash.md
++ added    runbooks/claude-workflow.md
++ added    runbooks/cloudflare.md
++ added    runbooks/firecrawl.md
++ added    runbooks/fireflies-api.md
++ added    runbooks/github-actions-oidc.md
++ added    runbooks/google-workspace.md
++ added    runbooks/iterm-tmux.md
++ added    runbooks/macos-shell.md
++ added    runbooks/maestro-local-dispatch.md
++ added    runbooks/netsapiens-api.md
++ added    runbooks/notion-api.md
++ added    runbooks/playwright-cli.md
++ added    runbooks/postmark.md
++ added    runbooks/publish-kit.md
++ added    runbooks/simplesat-api.md
++ added    runbooks/slack-api.md
++ added    runbooks/subagent-dispatch.md
++ added    runbooks/talentlms.md
++ added    runbooks/teams-bot-dm.md
++ added    runbooks/unifi-network.md
+~ modified personas/flo-rivers.md
+~ modified personas/holly-helpdesk.md
+~ modified personas/paige-turner.md
+~ modified personas/stan-dardson.md
+~ modified personas/stella-fullstack.md
+~ modified runbooks/_template.md
+~ modified runbooks/clickup-api.md
+~ modified runbooks/credential-vault.md
+~ modified runbooks/github-api.md
+~ modified runbooks/helpjuice-api.md
+~ modified runbooks/salesforce-cli.md
+~ modified skills/toolreview/SKILL.md

examples/teams-dm-bot/README.md

@@ -0,0 +1,64 @@
+# teams-dm-bot — Claude DMs you in Microsoft Teams
+
+A working skeleton: deploy → sideload → say "hi" → run a command → your message lands in Teams.
+
+**Full guide:** `runbooks/teams-bot-dm.md` (read this first).
+
+## What's here
+
+| Path | Purpose |
+|---|---|
+| `manifest/` | Teams app manifest + icons + zip helper |
+| `worker/` | Cloudflare Workers receiver (primary) |
+| `functions/` | Azure Functions Python alternative (use one or the other) |
+| `bin/fetch-conv-ref.sh` | One-shot: pull the cached conversation reference into `~/.config/teams-dm/` |
+| `bin/send-dm.sh` | Send a DM from anywhere on your machine |
+
+## 60-second quickstart
+
+1. Read the runbook. Seriously — it explains *why* the bootstrap dance exists.
+2. Create an Azure Bot resource (F0, free) + AAD app registration. Capture the App ID, tenant ID, and a client secret.
+3. Deploy the Worker:
+   ```bash
+   cd worker
+   wrangler kv:namespace create CONV_REF       # paste the id into wrangler.toml
+   wrangler secret put BOT_APP_ID
+   wrangler secret put BOT_APP_SECRET
+   wrangler secret put <credential-env>
+   wrangler secret put SETUP_SECRET            # any random string
+   wrangler deploy
+   ```
+4. Point Bot Service messaging endpoint → `https://<your-worker>.workers.dev/api/messages`.
+5. Edit `manifest/manifest.json` (`{{BOT_APP_ID}}`, `{{BOT_NAME}}`) → `manifest/make-zip.sh` → sideload in Teams (Apps → Manage your apps → Upload an app).
+6. DM the bot once with "hi". Wrangler tail should show a 200.
+7. Pull the conv reference + write env file:
+   ```bash
+   WORKER_URL=https://<your-worker>.workers.dev \
+   SETUP_SECRET=<the value you wrangled> \
+     ./bin/fetch-conv-ref.sh
+
+   cat > ~/.config/teams-dm/env <<EOF
+   BOT_APP_ID=<app id>
+   BOT_APP_SECRET=<client secret>
+   <credential-env>=<tenant id>
+   EOF
+   chmod 600 ~/.config/teams-dm/env
+   ```
+8. Send:
+   ```bash
+   ./bin/send-dm.sh "Claude says hi"
+   ./bin/send-dm.sh --markdown "**deploy** finished in _42s_"
+   ```
+
+## When it doesn't work
+
+See the runbook's gotcha catalog. The most common: messaging endpoint missing `/api/messages` suffix, `Microsoft.BotService` provider not registered in the subscription, tenant policy blocking custom app upload.
+
+## Wiring it into Claude Code
+
+Pick one:
+- Shell hook: a Claude Code `Stop` hook that calls `send-dm.sh` when a session ends
+- Slash command: a `/dm "..."` command that wraps `send-dm.sh`
+- Inline: ask Claude to run `bash <path>/send-dm.sh "message"` directly
+
+The send helper has no dependencies on Claude — it works from any process with `curl`, `python3`, and the env file readable.

examples/teams-dm-bot/bin/fetch-conv-ref.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# One-shot bootstrap helper.
+# Fetches the cached conversation reference from the Worker (or Function)
+# using the setup secret and writes it to ~/.config/teams-dm/conv-ref.json.
+#
+# Usage:
+#   WORKER_URL=https://my-bot.example.workers.dev \
+#   SETUP_SECRET=hunter2 \
+#     ./fetch-conv-ref.sh
+set -euo pipefail
+
+: "${WORKER_URL:?WORKER_URL must be set to your Worker or Function URL}"
+: "${SETUP_SECRET:?SETUP_SECRET must be set to the value you wrangled into the worker}"
+
+CONFIG_DIR="${HOME}/.config/teams-dm"
+mkdir -p "${CONFIG_DIR}"
+
+response_file="$(mktemp)"
+trap 'rm -f "${response_file}"' EXIT
+
+http_code="$(curl -sS -o "${response_file}" -w "%{http_code}" \
+  -H "X-Setup-Secret: ${SETUP_SECRET}" \
+  "${WORKER_URL%/}/conv-ref")"
+
+if [[ "${http_code}" != "200" ]]; then
+  echo "ERR: Worker returned ${http_code}" >&2
+  cat "${response_file}" >&2
+  exit 1
+fi
+
+# Sanity-check that we got JSON with a conversationId.
+if ! python3 -c "import json,sys; d=json.load(open('${response_file}')); sys.exit(0 if d.get('conversationId') and d.get('serviceUrl') else 1)"; then
+  echo "ERR: response did not contain conversationId + serviceUrl" >&2
+  cat "${response_file}" >&2
+  exit 1
+fi
+
+mv "${response_file}" "${CONFIG_DIR}/conv-ref.json"
+chmod 600 "${CONFIG_DIR}/conv-ref.json"
+echo "Saved: ${CONFIG_DIR}/conv-ref.json"

examples/teams-dm-bot/bin/send-dm.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+# Send a Teams DM as the bot. Outbound-only — uses the cached conversation
+# reference written by fetch-conv-ref.sh.
+#
+# Usage:
+#   ./send-dm.sh "message body"           # plain text
+#   ./send-dm.sh --markdown "**hi**"      # rendered as markdown
+set -euo pipefail
+
+CONFIG_DIR="${HOME}/.config/teams-dm"
+CONV_REF="${CONFIG_DIR}/conv-ref.json"
+ENV_FILE="${CONFIG_DIR}/env"
+TOKEN_CACHE="${TMPDIR:-/tmp}/teams-dm-token"
+
+[[ -f "${CONV_REF}" ]] || { echo "ERR: ${CONV_REF} not found. Run fetch-conv-ref.sh first." >&2; exit 1; }
+[[ -f "${ENV_FILE}" ]] || { echo "ERR: ${ENV_FILE} not found. See README for required vars." >&2; exit 1; }
+
+# shellcheck disable=SC1090
+source "${ENV_FILE}"
+: "${BOT_APP_ID:?BOT_APP_ID missing in ${ENV_FILE}}"
+: "${BOT_APP_SECRET:?BOT_APP_SECRET missing in ${ENV_FILE}}"
+: "${<credential-env>:?<credential-env> missing in ${ENV_FILE}}"
+
+text_format="plain"
+if [[ "${1:-}" == "--markdown" ]]; then
+  text_format="markdown"
+  shift
+fi
+text="${1:?usage: send-dm.sh [--markdown] \"message\"}"
+
+# Reuse cached token. Cache stores access_token + absolute expiry epoch on two
+# lines. Honor the token endpoint's expires_in minus a 60s clock-skew margin.
+# Atomic write via mktemp+mv. mkdir-based lock prevents concurrent invocations
+# from stampeding the token endpoint when the cache expires (mkdir is atomic
+# on all POSIX filesystems — no flock/portable lock-file dance needed).
+LOCK_DIR="${TOKEN_CACHE}.lock"
+acquire_lock() {
+  local tries=0
+  until mkdir "${LOCK_DIR}" 2>/dev/null; do
+    tries=$((tries + 1))
+    [[ $tries -gt 50 ]] && { echo "ERR: could not acquire token lock after 5s" >&2; return 1; }
+    sleep 0.1
+  done
+  trap 'rmdir "${LOCK_DIR}" 2>/dev/null' EXIT
+}
+release_lock() {
+  rmdir "${LOCK_DIR}" 2>/dev/null || true
+  trap - EXIT
+}
+
+get_token() {
+  if [[ -f "${TOKEN_CACHE}" ]]; then
+    local cached_exp cached_token
+    cached_exp="$(sed -n '2p' "${TOKEN_CACHE}" 2>/dev/null || echo 0)"
+    cached_token="$(sed -n '1p' "${TOKEN_CACHE}" 2>/dev/null || true)"
+    if [[ -n "${cached_token}" && "${cached_exp}" =~ ^[0-9]+$ ]]; then
+      if (( cached_exp - 60 > $(date +%s) )); then
+        echo "${cached_token}"
+        return
+      fi
+    fi
+  fi
+  # Cache miss or expired — serialize the refresh.
+  acquire_lock || return 1
+  # Re-check after acquiring lock — another process may have refreshed.
+  if [[ -f "${TOKEN_CACHE}" ]]; then
+    local cached_exp cached_token
+    cached_exp="$(sed -n '2p' "${TOKEN_CACHE}" 2>/dev/null || echo 0)"
+    cached_token="$(sed -n '1p' "${TOKEN_CACHE}" 2>/dev/null || true)"
+    if [[ -n "${cached_token}" && "${cached_exp}" =~ ^[0-9]+$ ]] && (( cached_exp - 60 > $(date +%s) )); then
+      release_lock
+      echo "${cached_token}"
+      return
+    fi
+  fi
+  local response
+  response="$(curl -sS -X POST \
+    "https://login.microsoftonline.com/${<credential-env>}/oauth2/v2.0/token" \
+    -d "client_id=${BOT_APP_ID}" \
+    -d "client_secret=${BOT_APP_SECRET}" \
+    -d "scope=https://api.botframework.com/.default" \
+    -d "grant_type=client_credentials")"
+  local parsed
+  parsed="$(echo "${response}" | python3 -c "
+import json, sys, time
+d = json.load(sys.stdin)
+if 'access_token' not in d:
+    sys.exit('ERR: token response missing access_token: ' + json.dumps(d))
+exp = int(time.time()) + int(d.get('expires_in', 3600))
+print(d['access_token'])
+print(exp)
+")"
+  local tmp
+  tmp="$(mktemp "${TOKEN_CACHE}.XXXXXX")"
+  printf '%s\n' "${parsed}" > "${tmp}"
+  chmod 600 "${tmp}"
+  mv "${tmp}" "${TOKEN_CACHE}"
+  release_lock
+  echo "${parsed%%$'\n'*}"
+}
+
+token="$(get_token)"
+conv_id="$(python3 -c "import json; print(json.load(open('${CONV_REF}'))['conversationId'])")"
+service_url="$(python3 -c "import json; print(json.load(open('${CONV_REF}'))['serviceUrl'].rstrip('/'))")"
+
+body="$(python3 -c "
+import json, sys
+print(json.dumps({
+  'type': 'message',
+  'textFormat': sys.argv[1],
+  'text': sys.argv[2],
+}))
+" "${text_format}" "${text}")"
+
+http_code="$(curl -sS -o /tmp/teams-dm-resp -w "%{http_code}" \
+  -X POST "${service_url}/v3/conversations/${conv_id}/activities" \
+  -H "Authorization: Bearer ${token}" \
+  -H "Content-Type: application/json" \
+  -d "${body}")"
+
+if [[ "${http_code}" == "401" ]]; then
+  # Token may have rotated — bust cache and retry once.
+  rm -f "${TOKEN_CACHE}"
+  token="$(get_token)"
+  http_code="$(curl -sS -o /tmp/teams-dm-resp -w "%{http_code}" \
+    -X POST "${service_url}/v3/conversations/${conv_id}/activities" \
+    -H "Authorization: Bearer ${token}" \
+    -H "Content-Type: application/json" \
+    -d "${body}")"
+fi
+
+if [[ "${http_code}" != "200" && "${http_code}" != "201" ]]; then
+  echo "ERR: send failed (HTTP ${http_code})" >&2
+  cat /tmp/teams-dm-resp >&2
+  exit 1
+fi
+echo "Sent."