bug: yivi-dialog sends `pg4outlook` (was `pg4ol`) and stale ADDIN_VERSION="0.1.0" in client-version header

[dobby-coder]

Summary

Two related defects in the X-PostGuard-Client-Version header that the launchevent's Yivi dialog sends to PKG and Cryptify. Both silently break per-client metrics — sends still succeed but the dashboards mis-attribute them.

1. Wrong client-id token (regression of PR #11)

src/yivi-dialog/yivi-dialog.ts:135 hardcodes:

"X-PostGuard-Client-Version": `Outlook,1.0,pg4outlook,${ADDIN_VERSION}`,

The PKG (postguard/pg-pkg/src/middleware/metrics.rs) keys its Prometheus counter on the third comma-separated field. Org convention is:

• pg4ol for Outlook (this addon)
• pg4tb for Thunderbird

pg4outlook was the v0.2.0 rewrite bug that PR #11 fixed in the taskpane, and the dialog runtime has reintroduced it. The taskpane code (src/lib/pkg-client.ts:13) already exposes CLIENT_ID = "pg4ol" and a clientHeaders() helper — the dialog should use the same.

The dialog header is also missing the X-Cryptify-Source: outlook header that clientHeaders() adds; without it, cryptify's detect_channel mis-classifies dialog-flow uploads (its origin check on addin.*.postguard.eu falls back to the website channel).

2. Stale ADDIN_VERSION = "0.1.0"

Hardcoded in three files, never matched the real package version:

• src/yivi-dialog/yivi-dialog.ts:22
• src/taskpane/compose-view.ts:39
• src/taskpane/read-view.ts:34

package.json is at 0.4.0 and the open release-please PR (#95) bumps to 0.5.0. The fourth field of the client-version header is meant to track the deployed extension version; right now every release reports as 0.1.0, so the PKG metric cannot distinguish current vs. historical clients.

Suggested fix

1. In src/yivi-dialog/yivi-dialog.ts, replace the hardcoded headers object on line 134-136 with a call to clientHeaders(ADDIN_VERSION) from ../lib/pkg-client. (The import already brings in PKG_URL/CRYPTIFY_URL/POSTGUARD_WEBSITE_URL from that module.)
2. Replace the three const ADDIN_VERSION = "0.1.0" declarations with a single source of truth. Two options:
   • Import the version from package.json via webpack's DefinePlugin / EnvironmentPlugin (same mechanism used for PKG_URL etc.). Add process.env.ADDIN_VERSION set from require('./package.json').version.
   • Or declare export const ADDIN_VERSION = "<version>" in src/lib/pkg-client.ts and update it on release. Less reliable; release-please can probably bump it via extra-files config though.
3. Optionally: extract recipientsKey, guessContentType, and the Office.js promise wrappers into shared lib modules. Separate issue — see follow-up.

Verification

• grep -rn "pg4outlook\|pg4ol" src — should only return pg4ol (in pkg-client.ts).
• grep -rn "ADDIN_VERSION" src — all references should resolve to a single constant matching package.json.
• Build + lint + typecheck + manifest validate all pass.
• Manual smoke test: trigger the one-click flow (Encrypt-on-send via the dialog), confirm the network tab shows pg4ol,<current-version> in the header on both PKG and Cryptify requests, and that X-Cryptify-Source: outlook is present on the Cryptify upload.

/dobby

[dobby-coder]

Dobby has received the request! Routing to the right specialist now...

[dobby-coder]

/dobby

[dobby-coder]

Dobby has received the request! Routing to the right specialist now...

[dobby-coder]

Plan

Root cause confirmed in the dialog runtime:

• src/yivi-dialog/yivi-dialog.ts:135 builds the header inline with pg4outlook (should be pg4ol) and skips X-Cryptify-Source: outlook. The fix is to call the existing clientHeaders() helper from src/lib/pkg-client.ts:15 (the same one compose-view.ts:466 and read-view.ts:170 already use).
• ADDIN_VERSION = "0.1.0" appears in three files (yivi-dialog.ts:22, compose-view.ts:39, read-view.ts:34). package.json is 0.4.0; release PR chore(master): release 0.5.0 #95 will bump it to 0.5.0. So every release ships with the same stale 0.1.0 value in the fourth field of the client-version header.

Plan (single PR, fixes both):

1. webpack.config.js: add process.env.ADDIN_VERSION to the DefinePlugin block, sourced from require('./package.json').version. Same wiring already used for PKG_URL / CRYPTIFY_URL / POSTGUARD_WEBSITE_URL. No release-please config change required — package.json is already bumped automatically on every release.
2. src/lib/pkg-client.ts: export ADDIN_VERSION: string = process.env.ADDIN_VERSION as string; so the value flows through the same module that already centralises the URLs and clientHeaders().
3. Delete the three local const ADDIN_VERSION = "0.1.0" declarations in yivi-dialog.ts, compose-view.ts, read-view.ts; import ADDIN_VERSION from ../lib/pkg-client instead.
4. src/yivi-dialog/yivi-dialog.ts: import clientHeaders from ../lib/pkg-client and replace the inline headers: { "X-PostGuard-Client-Version": ... } with headers: clientHeaders(ADDIN_VERSION). That also adds the missing X-Cryptify-Source: outlook header for the dialog flow.

Out of scope (separate concern, not what this issue is about):

• POSTGUARD_VERSION = "0.1.0" in launchevent.ts:41 and compose-view.ts:61 is the value of the x-postguard interop marker header (independent signal that the message went through PostGuard), not the metrics header. Leaving it alone for this PR — its lifecycle is different (cross-client interop, not per-release).

Verification before pushing:

• npm run build (production).
• npm run lint.
• npm run validate (manifest).
• grep -rn "pg4outlook\|pg4ol" src → only pg4ol in pkg-client.ts.
• grep -rn "ADDIN_VERSION" src → all references resolve to the single export in pkg-client.ts.
• Confirm the bundled yivi-dialog.js literal contains Outlook,1.0,pg4ol,0.4.0 (or whatever package.json says at build time) and X-Cryptify-Source.

[dobby-coder]

Plan

Two related defects in the X-PostGuard-Client-Version header — fix both in one PR. Verified the issue's diagnosis against the tree at babe96b.

1. yivi-dialog.ts uses the wrong helper

src/yivi-dialog/yivi-dialog.ts:131-137 constructs the headers object inline (pg4outlook, no X-Cryptify-Source). The taskpane code at src/lib/pkg-client.ts:15-25 already exposes clientHeaders() which returns the canonical pair (pg4ol + X-Cryptify-Source: outlook).

Change: import clientHeaders from ../lib/pkg-client and replace the inline headers: { ... } block with headers: clientHeaders(ADDIN_VERSION). Same shape as compose-view.ts:466 and read-view.ts:170.

2. Stale hardcoded ADDIN_VERSION = "0.1.0"

Three sites:

• src/yivi-dialog/yivi-dialog.ts:22
• src/taskpane/compose-view.ts:39
• src/taskpane/read-view.ts:34

Single source of truth via webpack DefinePlugin (same mechanism already used for PKG_URL, CRYPTIFY_URL, POSTGUARD_WEBSITE_URL, ADDIN_PUBLIC_URL):

1. In webpack.config.js, read version from package.json (const { version } = require("./package.json")) and inject "process.env.ADDIN_VERSION": JSON.stringify(version) into the existing DefinePlugin block.
2. In src/lib/pkg-client.ts, add export const ADDIN_VERSION: string = process.env.ADDIN_VERSION as string; next to the other build-time constants.
3. In all three view files, remove const ADDIN_VERSION = "0.1.0"; and import ADDIN_VERSION from ../lib/pkg-client.

This is preferred over option (b) in the issue (release-please extra-files) because release-please's release-type: node already bumps package.json natively — no extra config, no second source of truth to drift.

Verification (from the issue, plus the usual)

• grep -rn "pg4outlook" src → empty.
• grep -rn "pg4ol" src → only src/lib/pkg-client.ts:13.
• grep -rn "ADDIN_VERSION" src → all references resolve to the pkg-client.ts export; no string literals remain.
• grep -rn '0\.1\.0' src → no stale version strings.
• npm run lint, npx tsc --noEmit, npm run build, npm run validate — all green.
• Manual smoke test is documented but not executable in this environment (Outlook desktop is needed); will note that in the PR body.

Files changed

• webpack.config.js — inject ADDIN_VERSION via DefinePlugin.
• src/lib/pkg-client.ts — export ADDIN_VERSION.
• src/yivi-dialog/yivi-dialog.ts — drop literal, import constant, call clientHeaders().
• src/taskpane/compose-view.ts — drop literal, import constant.
• src/taskpane/read-view.ts — drop literal, import constant.

Out of scope: extracting recipientsKey / guessContentType / Office.js promise wrappers — the issue calls that out as a separate follow-up. Will not touch them here.