diff --git a/skills/productivity/teams-meeting-pipeline/SKILL.md b/skills/productivity/teams-meeting-pipeline/SKILL.md index 9dce9b94e0..4ad37c4758 100644 --- a/skills/productivity/teams-meeting-pipeline/SKILL.md +++ b/skills/productivity/teams-meeting-pipeline/SKILL.md @@ -1,8 +1,8 @@ --- name: teams-meeting-pipeline -description: "Operate the Teams meeting summary pipeline via Hermes CLI." -version: 1.0.0 -author: Hermes Agent +description: "Operate the Teams meeting summary pipeline via Hermes CLI — summarize meetings, inspect pipeline status, replay jobs, manage Microsoft Graph subscriptions." +version: 1.1.0 +author: Hermes Agent + Teknium license: MIT prerequisites: env_vars: [MSGRAPH_TENANT_ID, MSGRAPH_CLIENT_ID, MSGRAPH_CLIENT_SECRET] 
@@ -10,25 +10,36 @@ prerequisites: metadata: hermes: tags: [Teams, Microsoft Graph, Meetings, Productivity, Operations] + related_docs: + - /docs/guides/microsoft-graph-app-registration + - /docs/user-guide/messaging/teams-meetings + - /docs/guides/operate-teams-meeting-pipeline --- # Teams Meeting Pipeline -Use this skill when the user asks to summarize a Teams meeting, extract action items, inspect pipeline status, replay a stored job, or validate Microsoft Graph meeting-ingest setup. +Use this skill whenever the user asks about Microsoft Teams meeting summaries, transcripts, recordings, action items, Graph subscriptions, or any operational question about the Teams meeting pipeline. Works in any language — the triggers below are examples, not an exhaustive list. -Prefer the Hermes CLI over ad hoc scripts. Route operator actions through the terminal tool with `hermes teams-pipeline ...`. +Everything operator-facing is a `hermes teams-pipeline` subcommand run via the terminal tool. There are no new model tools for this pipeline — the CLI is the surface. 
-## When to use +## When to use this skill -- "Teams meeting ozetle" -- "action item cikar" -- "toplanti notu" -- "pipeline durumu" -- "replay job" +The user is asking to: +- summarize a Teams meeting / extract action items / pull meeting notes +- check pipeline status, inspect a stored meeting job, or see recent meetings +- replay / re-run a stored job that failed or needs a fresh summary +- validate Microsoft Graph setup after changing env or config +- troubleshoot "meeting summary never arrived" or "no new meetings are ingesting" +- manage Graph webhook subscriptions (create, renew, delete, inspect) +- set up automated subscription renewal (see pitfall below) -## Required environment +Multilingual trigger examples (not exhaustive): +- English: "summarize the Teams meeting", "pipeline status", "replay job X" +- Turkish: "Teams meeting özetle", "action item çıkar", "toplantı notu", "pipeline durumu", "replay job" -Set these in `~/.hermes/.env` before using the pipeline: +## Prerequisites + +Before using the pipeline, verify these are set in `~/.hermes/.env`: ```bash MSGRAPH_TENANT_ID=... 
@@ -36,15 +47,70 @@ MSGRAPH_CLIENT_ID=... MSGRAPH_CLIENT_SECRET=... ``` -## Common commands +If any are missing, direct the user to the Azure app registration guide at `/docs/guides/microsoft-graph-app-registration` — they need an Azure AD app registration with admin-consented Graph application permissions before the pipeline will work. + +## Command reference + +### Status and inspection (start here) ```bash -hermes teams-pipeline list -hermes teams-pipeline show -hermes teams-pipeline replay -hermes teams-pipeline fetch --meeting-id -hermes teams-pipeline token-health -hermes teams-pipeline maintain-subscriptions +hermes teams-pipeline validate # config snapshot — run first after any change +hermes teams-pipeline token-health # Graph token status +hermes teams-pipeline token-health --force-refresh # force a fresh token acquisition +hermes teams-pipeline list # recent meeting jobs +hermes teams-pipeline list --status failed # only failed jobs +hermes teams-pipeline show # full detail of one job +hermes teams-pipeline subscriptions # current Graph webhook subscriptions ``` -Start with `validate`, `list`, or `show` when the user asks for status. Use `replay` only when they explicitly want to rerun a stored job. Use `fetch` for dry-run artifact checks before changing pipeline config. 
+### Re-running / debugging + +```bash +hermes teams-pipeline run # replay a stored job (re-summarize, re-deliver) +hermes teams-pipeline fetch --meeting-id # dry-run: resolve meeting + transcript without persisting +hermes teams-pipeline fetch --join-web-url "" # dry-run by join URL +``` + +### Subscription management + +```bash +hermes teams-pipeline subscribe \ + --resource communications/onlineMeetings/getAllTranscripts \ + --notification-url https:///msgraph/webhook \ + --client-state "$MSGRAPH_WEBHOOK_CLIENT_STATE" + +hermes teams-pipeline renew-subscription --expiration +hermes teams-pipeline delete-subscription +hermes teams-pipeline maintain-subscriptions # renew near-expiry ones +hermes teams-pipeline maintain-subscriptions --dry-run # show what would be renewed +``` + +## Decision tree for common asks + +- User asks "why didn't I get a summary for today's meeting?" → start with `list --status failed`, then `show ` on the relevant row. If the job doesn't exist at all, check `subscriptions` — the webhook may have expired (see pitfall below). +- User asks "is setup working?" → `validate`, then `token-health`, then `subscriptions`. If all three pass, request a test meeting and check `list` for a fresh row. +- User asks "re-run summary for meeting X" → `list` to find the job ID, `run ` to replay. If it fails again, `show ` to inspect the error and `fetch --meeting-id` to dry-run the artifact resolution. +- User asks "add meeting X to the pipeline" → usually you don't — the pipeline is subscription-driven, not per-meeting. If they want a specific past meeting summarized, use `fetch` to pull transcript + `run` after a job is created. + +## Critical pitfall: Graph subscriptions expire in 72 hours + +Microsoft Graph caps webhook subscriptions at 72 hours and **will not auto-renew them**. If `maintain-subscriptions` is not scheduled, meeting notifications silently stop arriving 3 days after any manual subscription creation. 
+ +When the user reports "the pipeline worked yesterday but nothing is arriving today": +1. Run `hermes teams-pipeline subscriptions` — if it's empty or all entries show `expirationDateTime` in the past, that's the cause. +2. Recreate with `subscribe` as shown above. +3. **Set up automated renewal immediately** via `hermes cron add`, a systemd timer, or plain crontab. The operator runbook at `/docs/guides/operate-teams-meeting-pipeline#automating-subscription-renewal-required-for-production` has all three options. 12-hour interval is safe (6x headroom against the 72h limit). + +## Other pitfalls + +- **Transcript not available yet.** Teams takes some time after a meeting ends to generate the transcript artifact. `fetch --meeting-id` on a just-ended meeting may return empty. Wait 2-5 minutes and retry, or let the Graph webhook drive ingestion naturally. +- **Delivery mode mismatch.** If summaries are produced (`list` shows success) but nothing lands in Teams, check `platforms.teams.extra.delivery_mode` and the matching target config (`incoming_webhook_url` OR `chat_id` OR `team_id`+`channel_id`). The writer reads these from config.yaml or `TEAMS_*` env vars. +- **Graph app permissions.** A token acquires cleanly (`token-health` passes) but Graph API calls return 401/403 when permissions were added but admin consent wasn't re-granted. Have the user revisit the app registration in the Azure portal and click "Grant admin consent" again. + +## Related docs + +Point the user to these when they need more depth than this skill covers: +- Azure app registration walkthrough: `/docs/guides/microsoft-graph-app-registration` +- Full pipeline setup: `/docs/user-guide/messaging/teams-meetings` +- Operator runbook (renewal automation, troubleshooting, go-live checklist): `/docs/guides/operate-teams-meeting-pipeline` +- Webhook listener setup: `/docs/user-guide/messaging/msgraph-webhook` 
diff --git a/website/docs/guides/operate-teams-meeting-pipeline.md b/website/docs/guides/operate-teams-meeting-pipeline.md index 7686e40aa0..1e32e74c1a 100644 --- a/website/docs/guides/operate-teams-meeting-pipeline.md +++ b/website/docs/guides/operate-teams-meeting-pipeline.md 
@@ -46,6 +46,89 @@ hermes teams-pipeline maintain-subscriptions hermes teams-pipeline maintain-subscriptions --dry-run ``` +### Automating subscription renewal (REQUIRED for production) + +**Microsoft Graph subscriptions expire in at most 72 hours.** If nothing renews them, meeting notifications silently stop after 3 days and the pipeline looks "broken." This is the #1 operational failure mode for any Graph-backed integration. + +You MUST run `maintain-subscriptions` on a schedule. Pick one of these three options: + +#### Option 1: Hermes cron (recommended if you already run the Hermes gateway) + +Hermes ships a built-in cron scheduler. Add a script-only cron job that runs every 12 hours (gives 6x headroom against the 72h expiry window): + +```bash +hermes cron add \ + --name "teams-pipeline-maintain-subscriptions" \ + --schedule "0 */12 * * *" \ + --script-only \ + --command "hermes teams-pipeline maintain-subscriptions" +``` + +Verify it was registered and inspect the next run time: + +```bash +hermes cron list +hermes cron show teams-pipeline-maintain-subscriptions +``` + +#### Option 2: systemd timer (recommended for Linux production deployments) + +Create `/etc/systemd/system/hermes-teams-pipeline-maintain.service`: + +```ini +[Unit] +Description=Hermes Teams pipeline subscription maintenance +After=network-online.target + +[Service] +Type=oneshot +User=hermes +EnvironmentFile=/etc/hermes/env +ExecStart=/usr/local/bin/hermes teams-pipeline maintain-subscriptions +``` + +And `/etc/systemd/system/hermes-teams-pipeline-maintain.timer`: + +```ini +[Unit] +Description=Run Hermes Teams pipeline subscription maintenance every 12 hours + +[Timer] +OnBootSec=5min +OnUnitActiveSec=12h +Persistent=true + +[Install] +WantedBy=timers.target +``` + +Enable: + +```bash +sudo systemctl daemon-reload +sudo systemctl enable --now hermes-teams-pipeline-maintain.timer +systemctl list-timers hermes-teams-pipeline-maintain.timer +``` + +#### Option 3: Plain crontab + +```cron +0 
*/12 * * * /usr/local/bin/hermes teams-pipeline maintain-subscriptions >> /var/log/hermes/teams-pipeline-maintain.log 2>&1 +``` + +Make sure the cron environment has the `MSGRAPH_*` credentials. Simplest fix: source `~/.hermes/.env` at the top of a wrapper script that crontab calls. + +#### Verifying renewal is working + +After you've set up the schedule, check renewal activity after the first scheduled run: + +```bash +hermes teams-pipeline subscriptions # should show expirationDateTime advanced +hermes teams-pipeline maintain-subscriptions --dry-run # should show "0 expiring soon" most of the time +``` + +If you ever see your Graph webhook mysteriously "stop working" after exactly ~72 hours, this is the first thing to check: did the renewal job actually run? + ### Inspect recent jobs ```bash @@ -145,6 +228,7 @@ Check: - [ ] Notion and Linear sinks are configured only if actually needed - [ ] `hermes teams-pipeline validate` returns an OK snapshot - [ ] `hermes teams-pipeline token-health --force-refresh` succeeds +- [ ] **`maintain-subscriptions` is scheduled** (Hermes cron, systemd timer, or crontab — see [Automating subscription renewal](#automating-subscription-renewal-required-for-production)). Without this, Graph subscriptions silently expire within 72 hours. - [ ] a real end-to-end meeting event has produced a stored job - [ ] at least one summary has reached the intended delivery sink diff --git a/website/docs/user-guide/messaging/teams-meetings.md b/website/docs/user-guide/messaging/teams-meetings.md index 9e231a5a80..825b2da5b1 100644 --- a/website/docs/user-guide/messaging/teams-meetings.md +++ b/website/docs/user-guide/messaging/teams-meetings.md 
@@ -194,6 +194,12 @@ hermes teams-pipeline subscribe \ --client-state "$MSGRAPH_WEBHOOK_CLIENT_STATE" ``` +:::warning Graph subscriptions expire in 72 hours + +Microsoft Graph caps webhook subscriptions at 72 hours and will not auto-renew them. You MUST schedule `hermes teams-pipeline maintain-subscriptions` before going live, or notifications will silently stop three days after any manual subscription creation. See [Automating subscription renewal](/docs/guides/operate-teams-meeting-pipeline#automating-subscription-renewal-required-for-production) in the operator runbook — three options (Hermes cron, systemd timer, plain crontab). + +::: + For subscription maintenance and day-2 operator flows, continue with the guide: [Operate the Teams Meeting Pipeline](/docs/guides/operate-teams-meeting-pipeline). ## Validation diff --git a/website/sidebars.ts b/website/sidebars.ts index f46e2d5659..bdc66d9cfa 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts @@ -138,6 +138,7 @@ const sidebars: SidebarsConfig = { 'user-guide/messaging/qqbot', 'user-guide/messaging/yuanbao', 'user-guide/messaging/teams', + 'user-guide/messaging/teams-meetings', 'user-guide/messaging/msgraph-webhook', 'user-guide/messaging/open-webui', 'user-guide/messaging/webhooks', @@ -185,6 +186,7 @@ const sidebars: SidebarsConfig = { 'guides/aws-bedrock', 'guides/azure-foundry', 'guides/microsoft-graph-app-registration', + 'guides/operate-teams-meeting-pipeline', ], }, {
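Review bot: In skills/productivity/teams-meeting-pipeline/SKILL.md (hunk `@@ -10,25 +10,36`), the new `related_docs` frontmatter lists three paths, but the "Related docs" section added at the end of the file lists four, including `/docs/user-guide/messaging/msgraph-webhook`. Add the webhook listener page to `related_docs` or drop it from the body so the two lists agree.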
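Review bot: In the SKILL.md command reference (hunk `@@ -36,15 +47,70`), the removed list had `hermes teams-pipeline replay`, while the new "Re-running / debugging" block and the decision tree use `hermes teams-pipeline run` for the same action, and the description and trigger examples still say "replay". Confirm which subcommand the CLI exposes and use one name throughout, since the agent will type it verbatim. Two smaller points in the same hunk: the decision-tree item for "add meeting X to the pipeline" says to use `fetch` and then `run` "after a job is created", but `fetch` is documented a few lines earlier as a dry run "without persisting", so state what actually creates the job. The `subscribe` example also depends on `$MSGRAPH_WEBHOOK_CLIENT_STATE`, which appears in neither the frontmatter `env_vars` nor the Prerequisites block; list it there so an unset variable does not silently produce a subscription with an empty client state.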
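Review bot: In website/docs/guides/operate-teams-meeting-pipeline.md (hunk `@@ -46,6 +46,89`), Option 2's service unit loads `EnvironmentFile=/etc/hermes/env`, which presumably carries the `MSGRAPH_*` credentials including the client secret, but the guide never says how to create or protect that file. Add a step that creates it with restrictive ownership and mode (for example root-owned, `0600`), and say the same for the wrapper script in Option 3 that sources `~/.hermes/.env`. In the timer unit, `Persistent=true` only has an effect on `OnCalendar=` timers, so alongside `OnBootSec=`/`OnUnitActiveSec=` it does nothing; switch to `OnCalendar=` or drop the line. `After=network-online.target` does not pull that target in on its own, so add `Wants=network-online.target` next to it. The "Verifying renewal is working" step is also manual only; state how a failed run surfaces (exit status, log line) so a broken renewal job is not as silent as the expiry it is meant to prevent.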
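Review bot: In website/docs/user-guide/messaging/teams-meetings.md (hunk `@@ -194,6 +194,12`), the new warning links to `#automating-subscription-renewal-required-for-production`, an anchor generated from the heading text "Automating subscription renewal (REQUIRED for production)"; the same fragment is hard-coded in SKILL.md and in the go-live checklist, so rewording that heading breaks three links. Give the heading an explicit id and link to that instead. The wording also differs between pages: the runbook says subscriptions expire "in at most 72 hours", while this warning and SKILL.md say notifications stop "three days after any manual subscription creation". Use the "at most" phrasing everywhere, since `renew-subscription --expiration` shows the lifetime is whatever was requested.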