feat(im): Add user-owned IM channel connections (#3487)

* Add user-owned IM channel connections

* Fix dev startup and channel connect popup

* Use async channel connect flow

* Harden dev service daemon startup

* Support local IM channel connections

* Align IM connections with local channels

* Fix safe user id digest algorithm

* Address Copilot IM channel feedback

* Address IM channel review comments

* Support all integrated IM channel connections

* Format additional channel connection tests

* Keep unavailable channel connect buttons clickable

* Fix IM channel provider icons

* Add runtime setup for enabled IM channels

* Guard global shortcut key handling

* Keep configured IM channels editable

* Avoid password autofill for channel secrets

* Make channel threads visible to connection owners

* Persist IM runtime config locally

* Allow disconnecting runtime IM channels

* Route no-auth channel sessions to local user

* Use default user for auth-disabled local mode

* Show IM channel source on threads

* Prefill IM channel runtime config

* Reflect IM channel runtime health

* Ignore Feishu message read events

* Ignore Feishu non-content message events

* Let setup wizard enable IM channels

* Fix frontend formatting after merge

* Stabilize backend tests without local config

* Isolate channel runtime config tests

* Address channel connection review comments

* Use sha256 user buckets with legacy migration

* Ensure runtime IM channels are ready after restart

* Persist disconnected IM channel state

* Address channel connection review comments

* Address channel connection review findings

Frontend connect flow:
- Open the runtime-config dialog only when a provider still needs
  credentials; configured providers go straight to the connect flow, so
  the binding-code/deep-link path is reachable from the UI again.
- After saving credentials, continue into the connect flow when a user
  binding is still required (multi-user mode) instead of stopping at a
  "Connected" toast.
- Extract shared provider-state helpers to core/channels/provider-state
  and add unit + e2e coverage for the direct-connect and
  configure-then-connect paths.

Provider status semantics:
- Report connection_status from the user's newest connection row;
  with no binding it is not_connected, except in auth-disabled local
  mode where a configured running channel is effectively connected.

Concurrency and event-loop correctness:
- Offload ChannelRuntimeConfigStore construction and writes, channel
  service construction, and Slack connection replies to threads; add a
  tests/blocking_io/ anchor for the runtime-config handlers.
- Consume binding codes with a conditional UPDATE so a code can only be
  used once under concurrent workers; retry upsert_connection as an
  update when a concurrent insert wins the unique constraint.
- Serialize ensure_channel_ready per channel so concurrent provider
  polls cannot double-start a channel worker.

Config and migration hardening:
- Stop mutating the get_app_config()-cached Telegram provider config;
  the runtime store now owns the UI-entered bot username.
- Register channel_connections in STARTUP_ONLY_FIELDS with the
  standardized startup-only Field description.
- Match the legacy unsafe-id bucket by recomputing its exact SHA-1 name
  so another user's same-prefix bucket can never be migrated.
- Remove the unused Telegram process_webhook_update path and document
  src/core/channels in the frontend docs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Address PR review comments on authz scoping and channel runtime

Security (review feedback from ShenAC-SAC):
- Scope internal-token callers to the connection owner carried in
  X-DeerFlow-Owner-User-Id instead of bypassing owner checks outright,
  in both require_permission(owner_check=True) and the stateless run
  endpoints. Internal callers keep access to their own and
  shared/legacy threads, and may claim a default-owned channel thread
  for its real owner, but a leaked internal token no longer grants
  cross-user thread access.
- Require admin privileges for POST/DELETE /api/channels/{provider}/
  runtime-config: runtime credentials and channel workers are
  instance-wide shared state (same model as the MCP config API).
  Read-only provider listing stays available to all users.

Performance (review feedback from willem-bd):
- Skip the redundant thread channel-metadata PATCH after the first
  successful backfill per thread.
- Reuse the per-connection Slack WebClient until its token changes
  instead of constructing one per outbound message.
- Reconcile channel readiness for all providers concurrently in
  GET /api/channels/providers.

Also resolve the code-quality unused-import flag in the blocking-io
anchor by pre-importing the channel service via importlib.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Fix prettier formatting in provider-state test

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* Reconcile UI runtime channel config with config reload on restart

Main now reloads a channel's config.yaml entry on restart_channel()
(#3514, issue #3497). Adapt the user-owned connection flow to coexist:

- configure_channel() restarts with reload_config=False — the caller
  just supplied the authoritative config (browser-entered credentials
  that are never written to config.yaml), so a file reload must not
  clobber it with the stale on-disk entry.
- _load_channel_config() re-applies the UI runtime-store overlay used
  at startup, so an operator-triggered restart keeps browser-entered
  credentials for channels without a config.yaml entry and does not
  resurrect a channel disconnected from the UI.
- Offload the reload's disk IO (config.yaml + runtime store) with
  asyncio.to_thread, matching the blocking-IO policy on this branch.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

frontend/tests/unit/core/channels/api.test.ts

@@ -0,0 +1,220 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+vi.mock("@/core/api/fetcher", () => ({
+  fetch: vi.fn(),
+}));
+
+vi.mock("@/core/config", () => ({
+  getBackendBaseURL: () => "/backend",
+}));
+
+import { fetch as fetcher } from "@/core/api/fetcher";
+import {
+  configureChannelProvider,
+  connectChannelProvider,
+  disconnectChannelConnection,
+  disconnectChannelProvider,
+  listChannelConnections,
+  listChannelProviders,
+} from "@/core/channels/api";
+
+const mockedFetch = vi.mocked(fetcher);
+
+function jsonResponse(status: number, body: unknown): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    statusText: status >= 400 ? "Bad Request" : "OK",
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+beforeEach(() => {
+  mockedFetch.mockReset();
+});
+
+describe("channels api", () => {
+  test("loads provider catalog", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        enabled: true,
+        providers: [
+          {
+            provider: "telegram",
+            display_name: "Telegram",
+            enabled: true,
+            configured: true,
+            auth_mode: "deep_link",
+            connection_status: "not_connected",
+            credential_values: {
+              bot_token: "********",
+              bot_username: "deerflow_bot",
+            },
+          },
+        ],
+      }),
+    );
+
+    await expect(listChannelProviders()).resolves.toMatchObject({
+      enabled: true,
+      providers: [
+        {
+          provider: "telegram",
+          display_name: "Telegram",
+          credential_values: {
+            bot_token: "********",
+            bot_username: "deerflow_bot",
+          },
+        },
+      ],
+    });
+    expect(mockedFetch).toHaveBeenCalledWith("/backend/api/channels/providers");
+  });
+
+  test("loads current user's connections", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        connections: [
+          {
+            id: "connection-1",
+            provider: "telegram",
+            status: "connected",
+            external_account_name: "Alice",
+            scopes: [],
+            metadata: {},
+          },
+        ],
+      }),
+    );
+
+    await expect(listChannelConnections()).resolves.toMatchObject([
+      { id: "connection-1", provider: "telegram", status: "connected" },
+    ]);
+    expect(mockedFetch).toHaveBeenCalledWith(
+      "/backend/api/channels/connections",
+    );
+  });
+
+  test("starts a provider connection flow", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        provider: "telegram",
+        mode: "deep_link",
+        url: "https://t.me/deerflow_bot?start=state",
+        code: "state",
+        instruction: "Send /start state to the DeerFlow Telegram bot.",
+        expires_in: 600,
+      }),
+    );
+
+    await expect(connectChannelProvider("telegram")).resolves.toMatchObject({
+      provider: "telegram",
+      url: "https://t.me/deerflow_bot?start=state",
+      instruction: "Send /start state to the DeerFlow Telegram bot.",
+    });
+    expect(mockedFetch).toHaveBeenCalledWith(
+      "/backend/api/channels/telegram/connect",
+      { method: "POST" },
+    );
+  });
+
+  test("starts a binding-code connection flow", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        provider: "slack",
+        mode: "binding_code",
+        url: null,
+        code: "abc123",
+        instruction: "Send /connect abc123 to the DeerFlow Slack bot.",
+        expires_in: 600,
+      }),
+    );
+
+    await expect(connectChannelProvider("slack")).resolves.toMatchObject({
+      provider: "slack",
+      url: null,
+      code: "abc123",
+      instruction: "Send /connect abc123 to the DeerFlow Slack bot.",
+    });
+  });
+
+  test("submits runtime provider configuration", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        provider: "slack",
+        display_name: "Slack",
+        enabled: true,
+        configured: true,
+        connectable: true,
+        auth_mode: "binding_code",
+        connection_status: "not_connected",
+      }),
+    );
+
+    await expect(
+      configureChannelProvider("slack", {
+        bot_token: "xoxb-ui",
+        app_token: "xapp-ui",
+      }),
+    ).resolves.toMatchObject({
+      provider: "slack",
+      configured: true,
+      connectable: true,
+    });
+    expect(mockedFetch).toHaveBeenCalledWith(
+      "/backend/api/channels/slack/runtime-config",
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          values: { bot_token: "xoxb-ui", app_token: "xapp-ui" },
+        }),
+      },
+    );
+  });
+
+  test("disconnects a channel connection", async () => {
+    mockedFetch.mockResolvedValueOnce(new Response(null, { status: 204 }));
+
+    await expect(
+      disconnectChannelConnection("connection-1"),
+    ).resolves.toBeUndefined();
+    expect(mockedFetch).toHaveBeenCalledWith(
+      "/backend/api/channels/connections/connection-1",
+      { method: "DELETE" },
+    );
+  });
+
+  test("disconnects provider runtime configuration", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(200, {
+        provider: "slack",
+        display_name: "Slack",
+        enabled: true,
+        configured: false,
+        connectable: false,
+        auth_mode: "binding_code",
+        connection_status: "not_connected",
+      }),
+    );
+
+    await expect(disconnectChannelProvider("slack")).resolves.toMatchObject({
+      provider: "slack",
+      configured: false,
+      connection_status: "not_connected",
+    });
+    expect(mockedFetch).toHaveBeenCalledWith(
+      "/backend/api/channels/slack/runtime-config",
+      { method: "DELETE" },
+    );
+  });
+
+  test("uses backend detail for failed requests", async () => {
+    mockedFetch.mockResolvedValueOnce(
+      jsonResponse(400, { detail: "Channel provider is not configured" }),
+    );
+
+    await expect(connectChannelProvider("slack")).rejects.toThrow(
+      "Channel provider is not configured",
+    );
+  });
+});

frontend/tests/unit/core/channels/open-connect-url.test.ts

@@ -0,0 +1,86 @@
+import { afterEach, describe, expect, test, vi } from "vitest";
+
+import {
+  closeConnectWindow,
+  openConnectUrl,
+  prepareConnectWindow,
+} from "@/core/channels/open-connect-url";
+
+type PopupStub = {
+  closed: boolean;
+  close: ReturnType<typeof vi.fn>;
+  location: {
+    replace: ReturnType<typeof vi.fn>;
+  };
+  opener: unknown;
+};
+
+function stubWindow(openResult: PopupStub | null) {
+  const assign = vi.fn();
+  const open = vi.fn(() => openResult);
+  vi.stubGlobal("window", {
+    open,
+    location: { assign },
+  });
+  return { assign, open };
+}
+
+function makePopup(): PopupStub {
+  return {
+    closed: false,
+    close: vi.fn(),
+    location: { replace: vi.fn() },
+    opener: {},
+  };
+}
+
+afterEach(() => {
+  vi.unstubAllGlobals();
+});
+
+describe("channel connect window helpers", () => {
+  test("opens a blank tab synchronously and detaches opener", () => {
+    const popup = makePopup();
+    const { open } = stubWindow(popup);
+
+    const prepared = prepareConnectWindow();
+
+    expect(open).toHaveBeenCalledWith("about:blank", "_blank");
+    expect(prepared).toBe(popup);
+    expect(popup.opener).toBeNull();
+  });
+
+  test("navigates a prepared popup without opening another window", () => {
+    const popup = makePopup();
+    const { assign, open } = stubWindow(null);
+
+    openConnectUrl(
+      "https://t.me/deerflow_bot?start=state",
+      popup as unknown as Window,
+    );
+
+    expect(open).not.toHaveBeenCalled();
+    expect(assign).not.toHaveBeenCalled();
+    expect(popup.location.replace).toHaveBeenCalledWith(
+      "https://t.me/deerflow_bot?start=state",
+    );
+  });
+
+  test("falls back to current-window navigation when no popup is available", () => {
+    const { assign } = stubWindow(null);
+
+    openConnectUrl("https://t.me/deerflow_bot?start=state");
+
+    expect(assign).toHaveBeenCalledWith(
+      "https://t.me/deerflow_bot?start=state",
+    );
+  });
+
+  test("closes a prepared popup on connect failure", () => {
+    const popup = makePopup();
+
+    closeConnectWindow(popup as unknown as Window);
+
+    expect(popup.close).toHaveBeenCalled();
+  });
+});

frontend/tests/unit/core/channels/provider-state.test.ts

@@ -0,0 +1,89 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  providerCanConnect,
+  providerCanEditRuntimeConfig,
+  providerNeedsRuntimeConfig,
+} from "@/core/channels/provider-state";
+import type { ChannelProvider } from "@/core/channels/types";
+
+function makeProvider(overrides: Partial<ChannelProvider>): ChannelProvider {
+  return {
+    provider: "slack",
+    display_name: "Slack",
+    enabled: true,
+    configured: true,
+    connectable: true,
+    auth_mode: "binding_code",
+    connection_status: "not_connected",
+    credential_fields: [
+      {
+        name: "bot_token",
+        label: "Bot token",
+        type: "password",
+        required: true,
+      },
+    ],
+    ...overrides,
+  };
+}
+
+describe("providerCanConnect", () => {
+  it("allows connecting a configured, not yet connected provider", () => {
+    expect(providerCanConnect(makeProvider({}))).toBe(true);
+  });
+
+  it("rejects an already connected provider", () => {
+    expect(
+      providerCanConnect(makeProvider({ connection_status: "connected" })),
+    ).toBe(false);
+  });
+
+  it("rejects a non-connectable provider", () => {
+    expect(providerCanConnect(makeProvider({ connectable: false }))).toBe(
+      false,
+    );
+  });
+
+  it("falls back to enabled+configured when connectable is missing", () => {
+    expect(providerCanConnect(makeProvider({ connectable: undefined }))).toBe(
+      true,
+    );
+    expect(
+      providerCanConnect(
+        makeProvider({ connectable: undefined, configured: false }),
+      ),
+    ).toBe(false);
+  });
+});
+
+describe("providerNeedsRuntimeConfig", () => {
+  it("requires setup only when enabled and unconfigured with fields", () => {
+    expect(
+      providerNeedsRuntimeConfig(makeProvider({ configured: false })),
+    ).toBe(true);
+    expect(providerNeedsRuntimeConfig(makeProvider({}))).toBe(false);
+    expect(
+      providerNeedsRuntimeConfig(
+        makeProvider({ configured: false, enabled: false }),
+      ),
+    ).toBe(false);
+    expect(
+      providerNeedsRuntimeConfig(
+        makeProvider({ configured: false, credential_fields: [] }),
+      ),
+    ).toBe(false);
+  });
+});
+
+describe("providerCanEditRuntimeConfig", () => {
+  it("is editable whenever enabled with credential fields", () => {
+    expect(providerCanEditRuntimeConfig(makeProvider({}))).toBe(true);
+    expect(providerCanEditRuntimeConfig(makeProvider({ enabled: false }))).toBe(
+      false,
+    );
+    expect(
+      providerCanEditRuntimeConfig(makeProvider({ credential_fields: [] })),
+    ).toBe(false);
+  });
+});