@bamdra/bamdra-user-bind 0.1.3 → 0.1.5

package/dist/index.js

@@ -59,6 +59,17 @@ var TABLES = {
   issues: "bamdra_user_bind_issues",
   audits: "bamdra_user_bind_audits"
 };
+var REQUIRED_FEISHU_IDENTITY_SCOPES = [
+  "contact:user.employee_id:readonly",
+  "contact:user.base:readonly"
+];
+function logUserBindEvent(event, details = {}) {
+  try {
+    console.info("[bamdra-user-bind]", event, JSON.stringify(details));
+  } catch {
+    console.info("[bamdra-user-bind]", event);
+  }
+}
 var UserBindStore = class {
   constructor(dbPath, exportPath, profileMarkdownRoot) {
     this.dbPath = dbPath;
@@ -412,6 +423,9 @@ var UserBindRuntime = class {
   config;
   sessionCache = /* @__PURE__ */ new Map();
   bindingCache = /* @__PURE__ */ new Map();
+  feishuScopeStatus = null;
+  bitableMirror = null;
+  feishuTokenCache = /* @__PURE__ */ new Map();
   close() {
     this.store.close();
   }
@@ -446,13 +460,26 @@ var UserBindRuntime = class {
     const binding = this.store.findBinding(parsed.channelType, parsed.openId);
     let userId = binding?.userId ?? null;
     let source = binding?.source ?? "local";
-    if (!userId && parsed.channelType === "feishu" && parsed.openId) {
-      const remote = await this.tryResolveFeishuUser(parsed.openId);
-      if (remote?.userId) {
-        userId = remote.userId;
-        source = remote.source;
-      } else {
-        this.store.recordIssue("feishu-resolution", `Failed to resolve real user id for ${parsed.openId}`);
+    let remoteProfilePatch = {};
+    if (parsed.channelType === "feishu" && parsed.openId) {
+      const scopeStatus = await this.ensureFeishuScopeStatus();
+      if (scopeStatus.missingIdentityScopes.length > 0) {
+        const details = `Missing Feishu scopes: ${scopeStatus.missingIdentityScopes.join(", ")}`;
+        logUserBindEvent("feishu-scope-missing", {
+          openId: parsed.openId,
+          missingScopes: scopeStatus.missingIdentityScopes
+        });
+        this.store.recordIssue("feishu-scope-missing", details);
+      }
+      if (!userId) {
+        const remote = await this.tryResolveFeishuUser(parsed.openId);
+        if (remote?.userId) {
+          userId = remote.userId;
+          source = remote.source;
+          remoteProfilePatch = remote.profilePatch;
+        } else {
+          this.store.recordIssue("feishu-resolution", `Failed to resolve real user id for ${parsed.openId}`);
+        }
       }
     }
     if (!userId) {
@@ -465,7 +492,8 @@ var UserBindRuntime = class {
       openId: parsed.openId,
       source,
       profilePatch: {
-        name: parsed.senderName
+        name: parsed.senderName,
+        ...remoteProfilePatch
       }
     });
     const identity = {
@@ -483,6 +511,9 @@ var UserBindRuntime = class {
       expiresAt: Date.now() + this.config.cacheTtlMs,
       identity
     });
+    if (parsed.channelType === "feishu") {
+      await this.syncFeishuMirror(identity);
+    }
     return identity;
   }
   async getMyProfile(context) {
@@ -677,24 +708,260 @@ var UserBindRuntime = class {
     return identity;
   }
   async tryResolveFeishuUser(openId) {
+    logUserBindEvent("feishu-resolution-start", { openId });
+    const accounts = readFeishuAccountsFromOpenClawConfig();
+    if (accounts.length === 0) {
+      logUserBindEvent("feishu-resolution-skipped", { reason: "no-feishu-accounts-configured" });
+      return null;
+    }
+    for (const account of accounts) {
+      try {
+        const token = await this.getFeishuAppAccessToken(account);
+        const result = await feishuJsonRequest(
+          account,
+          `/open-apis/contact/v3/users/${encodeURIComponent(openId)}?user_id_type=open_id`,
+          token
+        );
+        const candidate = extractDeepString(result, [
+          ["data", "user", "user_id"],
+          ["user", "user_id"],
+          ["data", "user_id"]
+        ]);
+        if (!candidate) {
+          continue;
+        }
+        logUserBindEvent("feishu-resolution-success", {
+          accountId: account.accountId,
+          openId,
+          userId: candidate
+        });
+        return {
+          userId: candidate,
+          source: `feishu-api:${account.accountId}`,
+          profilePatch: {
+            name: extractDeepString(result, [["data", "user", "name"], ["user", "name"]]),
+            email: extractDeepString(result, [["data", "user", "email"], ["user", "email"]]),
+            avatar: extractDeepString(result, [["data", "user", "avatar", "avatar_origin"], ["user", "avatar", "avatar_origin"]])
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logUserBindEvent("feishu-resolution-attempt-failed", {
+          accountId: account.accountId,
+          openId,
+          message
+        });
+      }
+    }
+    const executor = this.host.callTool ?? this.host.invokeTool;
+    if (typeof executor === "function") {
+      try {
+        const result = await executor.call(this.host, "feishu_user_get", {
+          user_id_type: "open_id",
+          user_id: openId
+        });
+        const candidate = extractDeepString(result, [
+          ["data", "user", "user_id"],
+          ["user", "user_id"],
+          ["data", "user_id"]
+        ]);
+        if (candidate) {
+          return {
+            userId: candidate,
+            source: "feishu-tool-fallback",
+            profilePatch: {
+              name: extractDeepString(result, [["data", "user", "name"], ["user", "name"]])
+            }
+          };
+        }
+      } catch {
+      }
+    }
+    logUserBindEvent("feishu-resolution-empty", { openId });
+    return null;
+  }
+  async ensureFeishuScopeStatus() {
+    if (this.feishuScopeStatus) {
+      return this.feishuScopeStatus;
+    }
+    const accounts = readFeishuAccountsFromOpenClawConfig();
+    for (const account of accounts) {
+      try {
+        const token = await this.getFeishuAppAccessToken(account);
+        const result = await feishuJsonRequest(
+          account,
+          "/open-apis/application/v6/scopes",
+          token
+        );
+        const scopes = extractScopes(result);
+        this.feishuScopeStatus = {
+          scopes,
+          missingIdentityScopes: REQUIRED_FEISHU_IDENTITY_SCOPES.filter((scope) => !scopes.includes(scope)),
+          hasDocumentAccess: scopes.some((scope) => scope.startsWith("bitable:") || scope.startsWith("drive:") || scope.startsWith("docx:") || scope.startsWith("docs:"))
+        };
+        logUserBindEvent("feishu-scopes-read", {
+          accountId: account.accountId,
+          ...this.feishuScopeStatus
+        });
+        return this.feishuScopeStatus;
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logUserBindEvent("feishu-scopes-attempt-failed", { accountId: account.accountId, message });
+      }
+    }
+    const executor = this.host.callTool ?? this.host.invokeTool;
+    if (typeof executor === "function") {
+      try {
+        const result = await executor.call(this.host, "feishu_app_scopes", {});
+        const scopes = extractScopes(result);
+        this.feishuScopeStatus = {
+          scopes,
+          missingIdentityScopes: REQUIRED_FEISHU_IDENTITY_SCOPES.filter((scope) => !scopes.includes(scope)),
+          hasDocumentAccess: scopes.some((scope) => scope.startsWith("bitable:") || scope.startsWith("drive:") || scope.startsWith("docx:") || scope.startsWith("docs:"))
+        };
+        logUserBindEvent("feishu-scopes-read", this.feishuScopeStatus);
+        return this.feishuScopeStatus;
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logUserBindEvent("feishu-scopes-failed", { message });
+        this.store.recordIssue("feishu-scope-read", message);
+      }
+    }
+    this.feishuScopeStatus = {
+      scopes: [],
+      missingIdentityScopes: [...REQUIRED_FEISHU_IDENTITY_SCOPES],
+      hasDocumentAccess: false
+    };
+    return this.feishuScopeStatus;
+  }
+  async getFeishuAppAccessToken(account) {
+    const cached = this.feishuTokenCache.get(account.accountId);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.token;
+    }
+    const base = resolveFeishuOpenApiBase(account.domain);
+    const response = await fetch(`${base}/open-apis/auth/v3/app_access_token/internal`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json; charset=utf-8"
+      },
+      body: JSON.stringify({
+        app_id: account.appId,
+        app_secret: account.appSecret
+      })
+    });
+    const payload = await response.json();
+    if (!response.ok || Number(payload.code ?? 0) !== 0) {
+      throw new Error(`Failed to get Feishu app access token for ${account.accountId}: ${JSON.stringify(payload)}`);
+    }
+    const token = asNullableString(payload.app_access_token);
+    if (!token) {
+      throw new Error(`Feishu app access token missing for ${account.accountId}`);
+    }
+    const expire = Number(payload.expire ?? 7200);
+    this.feishuTokenCache.set(account.accountId, {
+      token,
+      expiresAt: Date.now() + Math.max(60, expire - 120) * 1e3
+    });
+    return token;
+  }
+  async syncFeishuMirror(identity) {
+    const scopeStatus = await this.ensureFeishuScopeStatus();
+    if (!scopeStatus.hasDocumentAccess) {
+      return;
+    }
     const executor = this.host.callTool ?? this.host.invokeTool;
     if (typeof executor !== "function") {
-      return null;
+      return;
     }
     try {
-      const result = await executor.call(this.host, "feishu_user_get", {
-        user_id_type: "open_id",
-        user_id: openId
+      const mirror = await this.ensureFeishuBitableMirror(executor.bind(this.host));
+      if (!mirror.appToken || !mirror.tableId) {
+        return;
+      }
+      const existing = await executor.call(this.host, "feishu_bitable_list_records", {
+        app_token: mirror.appToken,
+        table_id: mirror.tableId
       });
-      const candidate = extractDeepString(result, [
-        ["data", "user", "user_id"],
-        ["user", "user_id"],
-        ["data", "user_id"]
+      const recordId = findBitableRecordId(existing, identity.userId);
+      const fields = {
+        user_id: identity.userId,
+        channel_type: identity.channelType,
+        open_id: identity.senderOpenId,
+        name: identity.profile.name,
+        nickname: identity.profile.nickname,
+        preferences: identity.profile.preferences,
+        personality: identity.profile.personality,
+        role: identity.profile.role,
+        timezone: identity.profile.timezone,
+        email: identity.profile.email,
+        avatar: identity.profile.avatar
+      };
+      if (recordId) {
+        await executor.call(this.host, "feishu_bitable_update_record", {
+          app_token: mirror.appToken,
+          table_id: mirror.tableId,
+          record_id: recordId,
+          fields
+        });
+      } else {
+        await executor.call(this.host, "feishu_bitable_create_record", {
+          app_token: mirror.appToken,
+          table_id: mirror.tableId,
+          fields
+        });
+      }
+      logUserBindEvent("feishu-bitable-sync-success", { userId: identity.userId });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      logUserBindEvent("feishu-bitable-sync-failed", { userId: identity.userId, message });
+      this.store.recordIssue("feishu-bitable-sync", message, identity.userId);
+    }
+  }
+  async ensureFeishuBitableMirror(executor) {
+    if (this.bitableMirror?.appToken && this.bitableMirror?.tableId) {
+      return this.bitableMirror;
+    }
+    try {
+      const app = await executor("feishu_bitable_create_app", { name: "Bamdra User Bind" });
+      const appToken = extractDeepString(app, [
+        ["data", "app", "app_token"],
+        ["data", "app_token"],
+        ["app", "app_token"],
+        ["app_token"]
+      ]);
+      if (!appToken) {
+        return { appToken: null, tableId: null };
+      }
+      const meta = await executor("feishu_bitable_get_meta", { app_token: appToken });
+      const tableId = extractDeepString(meta, [
+        ["data", "tables", "0", "table_id"],
+        ["data", "items", "0", "table_id"],
+        ["tables", "0", "table_id"]
       ]);
-      return candidate ? { userId: candidate, source: "feishu-api" } : null;
+      if (!tableId) {
+        this.store.recordIssue("feishu-bitable-init", "Unable to determine users table id from Feishu bitable metadata");
+        return { appToken, tableId: null };
+      }
+      for (const fieldName of ["user_id", "channel_type", "open_id", "name", "nickname", "preferences", "personality", "role", "timezone", "email", "avatar"]) {
+        try {
+          await executor("feishu_bitable_create_field", {
+            app_token: appToken,
+            table_id: tableId,
+            field_name: fieldName,
+            type: 1
+          });
+        } catch {
+        }
+      }
+      this.bitableMirror = { appToken, tableId };
+      logUserBindEvent("feishu-bitable-ready", this.bitableMirror);
+      return this.bitableMirror;
     } catch (error) {
-      this.store.recordIssue("feishu-resolution", error instanceof Error ? error.message : String(error));
-      return null;
+      const message = error instanceof Error ? error.message : String(error);
+      logUserBindEvent("feishu-bitable-init-failed", { message });
+      this.store.recordIssue("feishu-bitable-init", message);
+      return { appToken: null, tableId: null };
     }
   }
 };
@@ -885,12 +1152,20 @@ function mapProfileRow(row) {
 }
 function parseIdentityContext(context) {
   const record = context && typeof context === "object" ? context : {};
-  const sender = record.sender && typeof record.sender === "object" ? record.sender : {};
-  const message = record.message && typeof record.message === "object" ? record.message : {};
-  const sessionId = asNullableString(record.sessionId) ?? asNullableString(record.sessionKey) ?? asNullableString(record.session?.id) ?? asNullableString(record.context?.sessionId);
-  const channelType = asNullableString(record.channelType) ?? asNullableString(record.channel?.type) ?? asNullableString(message.channel?.type) ?? asNullableString(record.provider);
-  const openId = asNullableString(sender.id) ?? asNullableString(sender.open_id) ?? asNullableString(sender.openId) ?? asNullableString(message.sender?.id);
-  const senderName = asNullableString(sender.name) ?? asNullableString(sender.display_name) ?? asNullableString(message.sender?.name);
+  const sender = findNestedRecord(record, ["sender"], ["message", "sender"], ["event", "sender"], ["payload", "sender"]);
+  const message = findNestedRecord(record, ["message"], ["event", "message"], ["payload", "message"]);
+  const session = findNestedRecord(record, ["session"], ["context", "session"]);
+  const channel = findNestedRecord(record, ["channel"], ["message", "channel"], ["event", "channel"], ["payload", "channel"]);
+  const metadataText = asNullableString(record.text) ?? asNullableString(message.text) ?? asNullableString(record.content) ?? asNullableString(findNestedValue(record, ["message", "content", "text"]));
+  const conversationInfo = metadataText ? extractTaggedJsonBlock(metadataText, "Conversation info (untrusted metadata)") : null;
+  const senderInfo = metadataText ? extractTaggedJsonBlock(metadataText, "Sender (untrusted metadata)") : null;
+  const senderIdFromText = metadataText ? extractRegexValue(metadataText, /"sender_id"\s*:\s*"([^"]+)"/) : null;
+  const senderNameFromText = metadataText ? extractRegexValue(metadataText, /"sender"\s*:\s*"([^"]+)"/) : null;
+  const senderNameFromMessageLine = metadataText ? extractRegexValue(metadataText, /\]\s*([^\n:：]{1,40})\s*[:：]/) : null;
+  const sessionId = asNullableString(record.sessionId) ?? asNullableString(record.sessionKey) ?? asNullableString(session.id) ?? asNullableString(record.context?.sessionId) ?? asNullableString(conversationInfo?.session_id) ?? asNullableString(conversationInfo?.message_id);
+  const channelType = asNullableString(record.channelType) ?? asNullableString(channel.type) ?? asNullableString(record.provider) ?? asNullableString(conversationInfo?.provider) ?? inferChannelTypeFromSessionId(sessionId);
+  const openId = asNullableString(sender.id) ?? asNullableString(sender.open_id) ?? asNullableString(sender.openId) ?? asNullableString(sender.user_id) ?? asNullableString(senderInfo?.id) ?? asNullableString(conversationInfo?.sender_id) ?? senderIdFromText ?? extractOpenIdFromSessionId(sessionId);
+  const senderName = asNullableString(sender.name) ?? asNullableString(sender.display_name) ?? asNullableString(senderInfo?.name) ?? asNullableString(conversationInfo?.sender) ?? senderNameFromText ?? senderNameFromMessageLine;
   return {
     sessionId,
     channelType,
@@ -898,6 +1173,67 @@ function parseIdentityContext(context) {
     senderName
   };
 }
+function findNestedRecord(root, ...paths) {
+  for (const path of paths) {
+    const value = findNestedValue(root, path);
+    if (value && typeof value === "object") {
+      return value;
+    }
+  }
+  return {};
+}
+function findNestedValue(root, path) {
+  let current = root;
+  for (const part of path) {
+    if (!current || typeof current !== "object") {
+      return null;
+    }
+    current = current[part];
+  }
+  return current;
+}
+function extractTaggedJsonBlock(text, label) {
+  const start = text.indexOf(label);
+  if (start < 0) {
+    return null;
+  }
+  const block = text.slice(start).match(/```json\s*([\s\S]*?)\s*```/i);
+  if (!block) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(block[1]);
+    return parsed && typeof parsed === "object" ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function inferChannelTypeFromSessionId(sessionId) {
+  if (!sessionId) {
+    return null;
+  }
+  if (sessionId.includes(":feishu:")) {
+    return "feishu";
+  }
+  if (sessionId.includes(":telegram:")) {
+    return "telegram";
+  }
+  if (sessionId.includes(":whatsapp:")) {
+    return "whatsapp";
+  }
+  return null;
+}
+function extractRegexValue(text, pattern) {
+  const match = text.match(pattern);
+  return match?.[1]?.trim() || null;
+}
+function extractOpenIdFromSessionId(sessionId) {
+  if (!sessionId) {
+    return null;
+  }
+  const match = sessionId.match(/:([A-Za-z0-9_-]+)$/);
+  return match?.[1] ?? null;
+}
 function getAgentIdFromContext(context) {
   const record = context && typeof context === "object" ? context : {};
   return asNullableString(record.agentId) ?? asNullableString(record.agent?.id) ?? asNullableString(record.agent?.name);
@@ -1141,6 +1477,119 @@ function ensureArrayIncludes(parent, key, value) {
   parent[key] = current;
   return true;
 }
+function extractScopes(result) {
+  const candidates = [
+    findNestedValue(result, ["data", "scopes"]),
+    findNestedValue(result, ["scopes"]),
+    findNestedValue(result, ["data", "items"])
+  ];
+  for (const candidate of candidates) {
+    if (!Array.isArray(candidate)) {
+      continue;
+    }
+    const scopes = candidate.map((item) => {
+      if (typeof item === "string") {
+        return item;
+      }
+      if (item && typeof item === "object") {
+        const record = item;
+        const scope = record.scope ?? record.name;
+        return typeof scope === "string" ? scope : "";
+      }
+      return "";
+    }).filter(Boolean);
+    if (scopes.length > 0) {
+      return scopes;
+    }
+  }
+  return [];
+}
+function findBitableRecordId(result, userId) {
+  const candidates = [
+    findNestedValue(result, ["data", "items"]),
+    findNestedValue(result, ["items"]),
+    findNestedValue(result, ["data", "records"])
+  ];
+  for (const candidate of candidates) {
+    if (!Array.isArray(candidate)) {
+      continue;
+    }
+    for (const item of candidate) {
+      if (!item || typeof item !== "object") {
+        continue;
+      }
+      const record = item;
+      const fields = record.fields && typeof record.fields === "object" ? record.fields : {};
+      if (String(fields.user_id ?? "") !== userId) {
+        continue;
+      }
+      const recordId = record.record_id ?? record.recordId ?? record.id;
+      if (typeof recordId === "string" && recordId.trim()) {
+        return recordId;
+      }
+    }
+  }
+  return null;
+}
+function readFeishuAccountsFromOpenClawConfig() {
+  const openclawConfigPath = (0, import_node_path.join)((0, import_node_os.homedir)(), ".openclaw", "openclaw.json");
+  if (!(0, import_node_fs.existsSync)(openclawConfigPath)) {
+    return [];
+  }
+  try {
+    const parsed = JSON.parse((0, import_node_fs.readFileSync)(openclawConfigPath, "utf8"));
+    const channels = parsed.channels && typeof parsed.channels === "object" ? parsed.channels : {};
+    const feishu = channels.feishu && typeof channels.feishu === "object" ? channels.feishu : {};
+    const accounts = feishu.accounts && typeof feishu.accounts === "object" ? feishu.accounts : {};
+    const topLevel = normalizeFeishuAccount("default", feishu, feishu);
+    const values = Object.entries(accounts).map(([accountId, value]) => normalizeFeishuAccount(accountId, value, feishu)).filter((item) => item != null);
+    if (topLevel && !values.some((item) => item.accountId === topLevel.accountId)) {
+      values.unshift(topLevel);
+    }
+    return values;
+  } catch (error) {
+    logUserBindEvent("feishu-config-read-failed", {
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return [];
+  }
+}
+function normalizeFeishuAccount(accountId, input, fallback) {
+  const record = input && typeof input === "object" ? input : {};
+  const enabled = record.enabled !== false && fallback.enabled !== false;
+  const appId = asNullableString(record.appId) ?? asNullableString(fallback.appId);
+  const appSecret = asNullableString(record.appSecret) ?? asNullableString(fallback.appSecret);
+  const domain = asNullableString(record.domain) ?? asNullableString(fallback.domain) ?? "feishu";
+  if (!enabled || !appId || !appSecret) {
+    return null;
+  }
+  return { accountId, appId, appSecret, domain };
+}
+function resolveFeishuOpenApiBase(domain) {
+  if (domain === "lark") {
+    return "https://open.larksuite.com";
+  }
+  if (domain === "feishu") {
+    return "https://open.feishu.cn";
+  }
+  return domain.replace(/\/+$/, "");
+}
+async function feishuJsonRequest(account, path, appAccessToken, init) {
+  const base = resolveFeishuOpenApiBase(account.domain);
+  const response = await fetch(`${base}${path}`, {
+    ...init,
+    headers: {
+      authorization: `Bearer ${appAccessToken}`,
+      "content-type": "application/json; charset=utf-8",
+      ...init?.headers ?? {}
+    }
+  });
+  const payload = await response.json();
+  if (!response.ok || Number(payload.code ?? 0) !== 0) {
+    throw new Error(JSON.stringify(payload));
+  }
+  return payload;
+}
 function getConfiguredAgentId(agent) {
   return asNullableString(agent.id) ?? asNullableString(agent.name) ?? asNullableString(agent.agentId);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bamdra/bamdra-user-bind",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Identity resolution, user profile binding, and admin-safe profile tools for OpenClaw channels.",
   "license": "MIT",
   "homepage": "https://www.bamdra.com",