feat(chat): add push notification delivery endpoint and notify commands

[dhairyashiil]

Summary

Adds push notification delivery to the companion chat app so it can receive booking notifications dispatched by the /cal backend (PR #2927).

New endpoint: POST /api/notifications/deliver — authenticates via x-cal-delivery-secret header (HMAC + timingSafeEqual), validates the request body (including runtime validation of Slack teamId, payload fields, and timezone), then delegates to deliverNotifications() which fans out via Promise.allSettled to per-platform delivery modules. Returns 422 if the formatter crashes on bad input.

New commands: /cal notify on|off (Slack) and /notify on|off (Telegram) — toggle push notification subscriptions via the Cal.com API. Handles 404 specifically when the user isn't subscribed. Telegram rejects /notify in group chats (only works in private DM with the bot).

Files created:

• apps/chat/lib/push-notifications/types.ts — shared DeliverResult type (with error field for retry/unsubscribe decisions)
• apps/chat/lib/push-notifications/formatter.ts — ChatPushPayload type + buildPushCard() with URL validation, unknown notificationType fallback
• apps/chat/lib/push-notifications/deliver-slack.ts — per-identifier Slack DM with structured SlackAPIError detection + logging
• apps/chat/lib/push-notifications/deliver-telegram.ts — per-identifier Telegram DM with invalid chat detection + logging
• apps/chat/lib/push-notifications/service.ts — deliverNotifications() fan-out with discriminated union narrowing + logging
• apps/chat/app/api/notifications/deliver/route.ts — thin POST route (auth + parse + delegate) with pre-computed HMAC, payload validation, logging

Files modified:

• apps/chat/lib/calcom/client.ts — 4 subscription methods (register/remove × Slack/Telegram)
• apps/chat/lib/handlers/slack.ts — case "notify": subcommand with 404 handling
• apps/chat/lib/handlers/telegram.ts — /notify command with group rejection + CalcomApiError import
• apps/chat/lib/notifications.ts — /notify added to both Slack and Telegram help cards
• apps/chat/lib/env.ts — CALCOM_DELIVERY_SECRET validation (hard fail prod, warn dev only)
• apps/chat/.env.example — documented new env var

Review & Testing Checklist for Human

• Confirm backend API contract: does /cal deliver Slack subscriptions as { identifier, teamId } or { identifier, deviceId }? Registration sends deviceId but delivery expects teamId — if the backend doesn't remap, every Slack delivery will silently fail
• Confirm backend upserts on double-subscribe (running /cal notify on twice) — if it creates duplicates, users get duplicate notifications
• Confirm backend populates data.url with the specific booking URL — currently falls back to https://app.cal.com/bookings
• Verify CALCOM_DELIVERY_SECRET matches CALCOM_CHAT_DELIVERY_SECRET on the /cal backend before deploying
• Test POST /api/notifications/deliver with valid/invalid secrets, malformed payloads (bad timezone, null hosts)
• Test /cal notify on and /cal notify off in Slack — verify DM confirmation and 404 handling
• Test /notify on in a Telegram group — should reject with "check your DMs" message
• Test /notify on and /notify off in a private Telegram chat — verify subscription lifecycle

Notes

• The 3 failing CI checks are pre-existing: Vercel preview deployments for extension/MCP apps + apply-labels-from-issue bot
• Post-deployment: add /notify - Toggle booking push notifications on/off in BotFather (Settings → Edit Commands)
• ChatPushPayload mirrors the type from /cal PR #2927 — notificationType is typed as string to gracefully handle future values with a fallback badge

Link to Devin session: https://app.devin.ai/sessions/53397cfd38d34318bf6b3694a8ff7721
Requested by: @dhairyashiil

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

Deployment failed with the following error:

You don't have permission to create a Preview Deployment for this Vercel project: cal-companion-mcp.

View Documentation: https://vercel.com/docs/accounts/team-members-and-roles

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
cal-companion-chat	Ignored		May 25, 2026 9:22pm

[cubic-dev-ai]

1 issue found across 15 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/chat/lib/push-notifications/formatter.ts">

<violation number="1" location="apps/chat/lib/push-notifications/formatter.ts:31">
P2: `isHttpUrl` is too permissive for values that are interpolated into markdown/link fields. Use strict URL parsing so malformed or markdown-breaking URLs are rejected before building card links.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P2: isHttpUrl is too permissive for values that are interpolated into markdown/link fields. Use strict URL parsing so malformed or markdown-breaking URLs are rejected before building card links.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/chat/lib/push-notifications/formatter.ts, line 31:

<comment>`isHttpUrl` is too permissive for values that are interpolated into markdown/link fields. Use strict URL parsing so malformed or markdown-breaking URLs are rejected before building card links.</comment>

<file context>
@@ -0,0 +1,113 @@
+};
+
+function isHttpUrl(url: string): boolean {
+  return /^https?:\/\//i.test(url);
+}
+
</file context>