@botcord/daemon 0.2.59 → 0.2.61

package/dist/gateway-control.js

@@ -12,6 +12,7 @@ import { loadConfig, saveConfig, resolveConfiguredAgentIds, } from "./config.js"
 import { deleteGatewaySecret, loadGatewaySecret, saveGatewaySecret, } from "./gateway/channels/secret-store.js";
 import { LoginSessionStore, maskTokenPreview, mintLoginId, } from "./gateway/channels/login-session.js";
 import { DEFAULT_WECHAT_BASE_URL, getBotQrcode, getQrcodeStatus, } from "./gateway/channels/wechat-login.js";
+import { pollFeishuRegistration, startFeishuRegistration, } from "./gateway/channels/feishu-registration.js";
 import { WECHAT_BASE_INFO, wechatHeaders } from "./gateway/channels/wechat-http.js";
 import { assertSafeBaseUrl, UnsafeBaseUrlError } from "./gateway/channels/url-guard.js";
 import { log as daemonLog } from "./log.js";
@@ -24,6 +25,7 @@ export function createGatewayControl(ctx) {
     const cfgIO = ctx.configIO ?? { load: loadConfig, save: saveConfig };
     const sessions = ctx.loginSessions ?? new LoginSessionStore();
     const wechatLogin = ctx.wechatLoginClient ?? { getBotQrcode, getQrcodeStatus };
+    const feishuLogin = ctx.feishuLoginClient ?? { startFeishuRegistration, pollFeishuRegistration };
     // W7: validate fetch availability at construction so a missing global is
     // diagnosed at startup, not during the first control frame. Tests inject
     // `ctx.fetchImpl` explicitly and bypass the global lookup entirely.
@@ -79,9 +81,13 @@ export function createGatewayControl(ctx) {
             };
         }
         // Provider-specific secret resolution.
-        let botToken;
+        let secretPayload;
+        let tokenPreviewSource;
+        let feishuAppId;
+        let feishuDomain;
+        let feishuUserOpenId;
         if (params.type === "telegram") {
-            botToken = params.secret?.botToken;
+            const botToken = params.secret?.botToken;
             if (!botToken) {
                 // Allow updates that only flip enabled/whitelist — only require a
                 // token when none is on disk yet.
@@ -89,7 +95,12 @@ export function createGatewayControl(ctx) {
                 if (!existing?.botToken) {
                     return badParams("upsert_gateway: telegram requires secret.botToken on first install");
                 }
-                botToken = existing.botToken;
+                secretPayload = { botToken: existing.botToken };
+                tokenPreviewSource = existing.botToken;
+            }
+            else {
+                secretPayload = { botToken };
+                tokenPreviewSource = botToken;
             }
         }
         else if (params.type === "wechat") {
@@ -122,10 +133,48 @@ export function createGatewayControl(ctx) {
                     error: { code: "login_unconfirmed", message: "wechat login session has no bot token yet" },
                 };
             }
-            botToken = session.botToken;
+            secretPayload = { botToken: session.botToken };
+            tokenPreviewSource = session.botToken;
             // Bind the session to its eventual gateway id for forensic logging.
             sessions.update(loginId, { gatewayId: params.id });
         }
+        else if (params.type === "feishu") {
+            const loginId = params.loginId;
+            if (!loginId) {
+                return badParams("upsert_gateway: feishu requires loginId");
+            }
+            const session = sessions.get(loginId);
+            if (!session) {
+                return {
+                    ok: false,
+                    error: { code: "login_expired", message: `feishu login session "${loginId}" not found or expired` },
+                };
+            }
+            if (session.provider !== "feishu") {
+                return badParams(`upsert_gateway: login session provider "${session.provider}" != "feishu"`);
+            }
+            if (session.accountId !== params.accountId) {
+                return {
+                    ok: false,
+                    error: {
+                        code: "login_account_mismatch",
+                        message: "feishu login session accountId does not match upsert request",
+                    },
+                };
+            }
+            if (!session.appId || !session.appSecret) {
+                return {
+                    ok: false,
+                    error: { code: "login_unconfirmed", message: "feishu login session has no app credentials yet" },
+                };
+            }
+            secretPayload = { appSecret: session.appSecret };
+            tokenPreviewSource = session.appSecret;
+            feishuAppId = session.appId;
+            feishuDomain = session.domain ?? params.settings?.domain ?? "feishu";
+            feishuUserOpenId = session.userOpenId;
+            sessions.update(loginId, { gatewayId: params.id });
+        }
         else {
             return badParams(`upsert_gateway: unknown provider "${params.type}"`);
         }
@@ -141,7 +190,7 @@ export function createGatewayControl(ctx) {
             : null;
         // Persist secret first (so a config write that succeeds is never
         // followed by a missing-secret crash). Atomic rename inside saveSecret.
-        const secretFile = saveGatewaySecret(params.id, { botToken });
+        const secretFile = saveGatewaySecret(params.id, secretPayload);
         // Update or insert the third-party gateway profile in config.
         const enabled = params.enabled !== false;
         const next = upsertProfileInConfig(cfg, {
@@ -154,6 +203,9 @@ export function createGatewayControl(ctx) {
             allowedSenderIds: params.settings?.allowedSenderIds,
             allowedChatIds: params.settings?.allowedChatIds,
             splitAt: params.settings?.splitAt,
+            appId: feishuAppId,
+            domain: feishuDomain,
+            userOpenId: feishuUserOpenId,
         });
         cfgIO.save(next);
         // Hot-plug. removeChannel is a no-op when the id isn't registered, so
@@ -166,7 +218,10 @@ export function createGatewayControl(ctx) {
                 // best-effort
             }
             try {
-                await ctx.gateway.addChannel(buildChannelConfig(params, secretFile));
+                await ctx.gateway.addChannel(buildChannelConfig(params, secretFile, {
+                    ...(feishuAppId ? { appId: feishuAppId } : {}),
+                    ...(feishuDomain ? { domain: feishuDomain } : {}),
+                }));
             }
             catch (addErr) {
                 const message = addErr instanceof Error ? addErr.message : String(addErr);
@@ -210,8 +265,12 @@ export function createGatewayControl(ctx) {
                                     allowedSenderIds: prevProfile.allowedSenderIds,
                                     allowedChatIds: prevProfile.allowedChatIds,
                                     splitAt: prevProfile.splitAt,
+                                    domain: prevProfile.domain,
                                 },
-                            }, secretFile));
+                            }, secretFile, {
+                                ...(prevProfile.appId ? { appId: prevProfile.appId } : {}),
+                                ...(prevProfile.domain ? { domain: prevProfile.domain } : {}),
+                            }));
                         }
                     }
                     catch {
@@ -246,7 +305,10 @@ export function createGatewayControl(ctx) {
             type: params.type,
             accountId: params.accountId,
             enabled,
-            tokenPreview: maskTokenPreview(botToken),
+            tokenPreview: maskTokenPreview(tokenPreviewSource),
+            ...(feishuAppId ? { appId: feishuAppId } : {}),
+            ...(feishuDomain ? { domain: feishuDomain } : {}),
+            ...(feishuUserOpenId ? { userOpenId: feishuUserOpenId } : {}),
             ...(liveStatus ? { status: pickStatus(liveStatus) } : {}),
         };
         daemonLog.info("upsert_gateway applied", {
@@ -352,9 +414,8 @@ export function createGatewayControl(ctx) {
                 return { ok: true, result };
             }
         }
-        // WeChat: iLink has no no-side-effect probe today. Fall back to the
-        // adapter's last poll snapshot. `authorized === true` means the secret
-        // is loaded and at least one poll succeeded.
+        // WeChat/Feishu: fall back to the adapter snapshot. `authorized === true`
+        // means the secret is loaded and the provider client started.
         const snap = ctx.gateway.snapshot().channels[profile.id];
         const result = snap
             ? {
@@ -367,7 +428,7 @@ export function createGatewayControl(ctx) {
                 },
                 ...(snap.lastError ? { error: snap.lastError } : {}),
             }
-            : { id: profile.id, ok: false, error: "wechat channel not running" };
+            : { id: profile.id, ok: false, error: `${profile.type} channel not running` };
         return { ok: true, result };
     }
     // --- gateway_login_start ------------------------------------------------
@@ -378,9 +439,7 @@ export function createGatewayControl(ctx) {
         if (!params.accountId || typeof params.accountId !== "string") {
             return badParams("gateway_login_start: accountId is required");
         }
-        if (params.provider !== "wechat") {
-            // Telegram has no qrcode flow; surface a clear error so the dashboard
-            // can fall through to the token form.
+        if (params.provider !== "wechat" && params.provider !== "feishu") {
             return badParams(`gateway_login_start: provider "${params.provider}" does not require login`);
         }
         // W1: SSRF guard — `baseUrl` flows directly into an authenticated fetch.
@@ -392,6 +451,38 @@ export function createGatewayControl(ctx) {
                 return badParams(urlErr.message);
             throw urlErr;
         }
+        if (params.provider === "feishu") {
+            const domain = params.domain === "lark" ? "lark" : "feishu";
+            try {
+                const r = await feishuLogin.startFeishuRegistration({ domain });
+                const loginId = mintLoginId("feishu");
+                const session = sessions.create({
+                    loginId,
+                    accountId: params.accountId,
+                    ...(params.gatewayId ? { gatewayId: params.gatewayId } : {}),
+                    provider: "feishu",
+                    qrcode: r.deviceCode,
+                    qrcodeUrl: r.verificationUriComplete,
+                    domain: r.domain,
+                });
+                const result = {
+                    loginId,
+                    qrcode: r.deviceCode,
+                    qrcodeUrl: r.verificationUriComplete,
+                    expiresAt: session.expiresAt,
+                };
+                daemonLog.info("gateway_login_start", { provider: "feishu", loginId, accountId: params.accountId });
+                return { ok: true, result };
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                daemonLog.warn("gateway_login_start.feishu failed", { error: message });
+                return {
+                    ok: false,
+                    error: { code: "provider_unreachable", message },
+                };
+            }
+        }
         const baseUrl = params.baseUrl ?? DEFAULT_WECHAT_BASE_URL;
         let qrcode;
         let qrcodeUrl;
@@ -466,8 +557,55 @@ export function createGatewayControl(ctx) {
             };
             return { ok: true, result };
         }
+        if (params.provider === "feishu") {
+            if (!session.qrcode) {
+                return {
+                    ok: false,
+                    error: { code: "no_qrcode", message: "login session has no device code to poll" },
+                };
+            }
+            try {
+                const probe = await feishuLogin.pollFeishuRegistration(session.qrcode, {
+                    domain: session.domain ?? "feishu",
+                });
+                if (probe.status === "confirmed" && probe.appId && probe.appSecret) {
+                    const tokenPreview = maskTokenPreview(probe.appSecret);
+                    sessions.update(params.loginId, {
+                        appId: probe.appId,
+                        appSecret: probe.appSecret,
+                        domain: probe.domain,
+                        userOpenId: probe.userOpenId,
+                        tokenPreview,
+                    });
+                    const result = {
+                        status: "confirmed",
+                        appId: probe.appId,
+                        domain: probe.domain,
+                        userOpenId: probe.userOpenId,
+                        tokenPreview,
+                    };
+                    return { ok: true, result };
+                }
+                const status = probe.status === "denied"
+                    ? "failed"
+                    : probe.status === "expired"
+                        ? "expired"
+                        : probe.status === "failed"
+                            ? "failed"
+                            : "pending";
+                const result = { status, domain: probe.domain };
+                return { ok: true, result };
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                daemonLog.warn("gateway_login_status.feishu failed", { error: message });
+                return {
+                    ok: false,
+                    error: { code: "provider_unreachable", message },
+                };
+            }
+        }
         if (params.provider !== "wechat") {
-            // Future provider hook — today only WeChat poll path exists.
             return badParams(`gateway_login_status: provider "${params.provider}" not supported`);
         }
         if (!session.qrcode) {
@@ -612,7 +750,7 @@ function badParams(message) {
     return { ok: false, error: { code: "bad_params", message } };
 }
 function isProvider(p) {
-    return p === "telegram" || p === "wechat";
+    return p === "telegram" || p === "wechat" || p === "feishu";
 }
 function validateUpsertParams(p) {
     if (!p.id || typeof p.id !== "string")
@@ -631,6 +769,9 @@ function annotateProfile(p, status) {
         ...(p.label !== undefined ? { label: p.label } : {}),
         enabled: p.enabled !== false,
         ...(p.baseUrl !== undefined ? { baseUrl: p.baseUrl } : {}),
+        ...(p.appId !== undefined ? { appId: p.appId } : {}),
+        ...(p.domain !== undefined ? { domain: p.domain } : {}),
+        ...(p.userOpenId !== undefined ? { userOpenId: p.userOpenId } : {}),
         ...(p.allowedSenderIds !== undefined ? { allowedSenderIds: p.allowedSenderIds } : {}),
         ...(p.allowedChatIds !== undefined ? { allowedChatIds: p.allowedChatIds } : {}),
         ...(p.splitAt !== undefined ? { splitAt: p.splitAt } : {}),
@@ -674,6 +815,12 @@ function compactProfile(p) {
         out.enabled = p.enabled;
     if (p.baseUrl !== undefined)
         out.baseUrl = p.baseUrl;
+    if (p.appId !== undefined)
+        out.appId = p.appId;
+    if (p.domain !== undefined)
+        out.domain = p.domain;
+    if (p.userOpenId !== undefined)
+        out.userOpenId = p.userOpenId;
     if (p.allowedSenderIds !== undefined)
         out.allowedSenderIds = p.allowedSenderIds;
     if (p.allowedChatIds !== undefined)
@@ -686,7 +833,7 @@ function compactProfile(p) {
         out.stateFile = p.stateFile;
     return out;
 }
-function buildChannelConfig(params, secretFile) {
+function buildChannelConfig(params, secretFile, extra = {}) {
     const ch = {
         id: params.id,
         type: params.type,
@@ -698,6 +845,12 @@ function buildChannelConfig(params, secretFile) {
     const s = params.settings ?? {};
     if (s.baseUrl !== undefined)
         ch.baseUrl = s.baseUrl;
+    if (params.type === "feishu") {
+        if (extra.appId)
+            ch.appId = extra.appId;
+        if (extra.domain)
+            ch.domain = extra.domain;
+    }
     if (s.allowedSenderIds !== undefined)
         ch.allowedSenderIds = s.allowedSenderIds;
     if (s.allowedChatIds !== undefined)

package/dist/provision.js

@@ -164,11 +164,17 @@ export function createProvisioner(opts) {
                 const roomId = typeof params.room_id === "string" ? params.room_id : undefined;
                 if (params.policy) {
                     // Embedded policy payload — install directly to avoid a refetch.
+                    const embeddedPolicy = params.policy;
                     policyResolver.put(agentId, roomId ?? null, {
-                        mode: params.policy.mode,
+                        mode: embeddedPolicy.mode === "allowed_senders"
+                            ? "allowed_senders"
+                            : params.policy.mode,
                         keywords: Array.isArray(params.policy.keywords)
                             ? params.policy.keywords.slice()
                             : [],
+                        allowedSenderIds: Array.isArray(embeddedPolicy.allowedSenderIds)
+                            ? embeddedPolicy.allowedSenderIds.filter((id) => typeof id === "string")
+                            : [],
                         ...(typeof params.policy.muted_until === "number"
                             ? { muted_until: params.policy.muted_until }
                             : {}),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.2.59",
+  "version": "0.2.61",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {
@@ -29,6 +29,7 @@
   "dependencies": {
     "@botcord/cli": "^0.1.7",
     "@botcord/protocol-core": "^0.2.4",
+    "@larksuiteoapi/node-sdk": "^1.63.1",
     "ws": "^8.18.0"
   },
   "devDependencies": {

package/src/__tests__/cross-room.test.ts

@@ -58,6 +58,8 @@ describe("buildCrossRoomDigest", () => {
     expect(digest).toContain("[BotCord Cross-Room Awareness]");
     // 7 rooms recorded (rm_0..rm_6), current is rm_0 → 6 others + 1 current = 7 total.
     expect(digest).toContain("You are currently active in 7 BotCord sessions");
+    expect(digest).toContain("latest messages from OTHER rooms, not the current room");
+    expect(digest).toContain("Do not treat any sender or message below as the current user");
     expect(digest).toContain("Room1 (rm_1)");
     expect(digest).toContain("Room2 (rm_2)");
     expect(digest).toContain("Room3 (rm_3)");

package/src/__tests__/gateway-control.test.ts

@@ -240,6 +240,90 @@ describe("gateway_login_start / status", () => {
     expect(JSON.stringify(statusResult)).not.toContain("wechat-bot-token-1234567890");
   });
 
+  it("round-trips Feishu registration and upsert stores app secret locally", async () => {
+    const gw = makeFakeGateway();
+    const { state, io } = makeConfigIO(baseCfg());
+    const sessions = new LoginSessionStore();
+    const feishuLogin = {
+      startFeishuRegistration: vi.fn(async () => ({
+        deviceCode: "DEV-CODE",
+        verificationUriComplete: "https://accounts.feishu.cn/verify?x=1",
+        expiresIn: 600,
+        interval: 5,
+        domain: "feishu" as const,
+        raw: {},
+      })),
+      pollFeishuRegistration: vi.fn(async () => ({
+        status: "confirmed" as const,
+        appId: "cli_feishu_123",
+        appSecret: "feishu-secret-1234567890",
+        userOpenId: "ou_alice",
+        domain: "feishu" as const,
+        raw: {},
+      })),
+    };
+    const ctrl = createGatewayControl({
+      gateway: gw as any,
+      configIO: io,
+      loginSessions: sessions,
+      feishuLoginClient: feishuLogin,
+    });
+
+    const startAck = await ctrl.handleLoginStart({
+      provider: "feishu",
+      accountId: "ag_alice",
+      domain: "feishu",
+    });
+    expect(startAck.ok).toBe(true);
+    const startResult = startAck.result as { loginId: string; qrcodeUrl?: string };
+    expect(startResult.loginId).toMatch(/^fsl_/);
+    expect(startResult.qrcodeUrl).toBe("https://accounts.feishu.cn/verify?x=1");
+
+    const statusAck = await ctrl.handleLoginStatus({
+      provider: "feishu",
+      loginId: startResult.loginId,
+      accountId: "ag_alice",
+    });
+    expect(statusAck.ok).toBe(true);
+    const statusResult = statusAck.result as {
+      status: string;
+      appId?: string;
+      userOpenId?: string;
+      tokenPreview?: string;
+    };
+    expect(statusResult).toMatchObject({
+      status: "confirmed",
+      appId: "cli_feishu_123",
+      userOpenId: "ou_alice",
+      tokenPreview: "feis...7890",
+    });
+    expect(JSON.stringify(statusResult)).not.toContain("feishu-secret-1234567890");
+
+    const gwId = uniqId("fs");
+    const upsertAck = await ctrl.handleUpsert({
+      id: gwId,
+      type: "feishu",
+      accountId: "ag_alice",
+      enabled: true,
+      loginId: startResult.loginId,
+      settings: { allowedSenderIds: ["ou_alice"], domain: "feishu" },
+    });
+    expect(upsertAck.ok).toBe(true);
+    expect(state.cfg.thirdPartyGateways?.[0]).toMatchObject({
+      id: gwId,
+      type: "feishu",
+      appId: "cli_feishu_123",
+      domain: "feishu",
+      userOpenId: "ou_alice",
+    });
+    expect(gw.addChannel).toHaveBeenLastCalledWith(
+      expect.objectContaining({ id: gwId, type: "feishu", appId: "cli_feishu_123" }),
+    );
+    const secretPath = trackSecret(gwId);
+    const secret = JSON.parse(readFileSync(secretPath, "utf8")) as { appSecret?: string };
+    expect(secret.appSecret).toBe("feishu-secret-1234567890");
+  });
+
   it("discovers recent WeChat senders from a confirmed login session", async () => {
     const gw = makeFakeGateway();
     const { io } = makeConfigIO(baseCfg());

package/src/__tests__/policy-updated-handler.test.ts

@@ -48,16 +48,13 @@ function makeFakeGateway(): unknown {
   };
 }
 
-function makeFakeResolver(): PolicyResolverLike & {
-  invalidate: ReturnType<typeof vi.fn>;
-  put: ReturnType<typeof vi.fn>;
-  resolve: ReturnType<typeof vi.fn>;
-} {
-  return {
-    resolve: vi.fn(async () => ({ mode: "always", keywords: [] })),
+function makeFakeResolver() {
+  const resolver = {
+    resolve: vi.fn(async () => ({ mode: "always" as const, keywords: [] })),
     invalidate: vi.fn(),
     put: vi.fn(),
   };
+  return resolver as PolicyResolverLike & typeof resolver;
 }
 
 describe("policy_updated control-frame handler", () => {
@@ -110,6 +107,7 @@ describe("policy_updated control-frame handler", () => {
     expect(resolver.put).toHaveBeenCalledWith("ag_a", null, {
       mode: "keyword",
       keywords: ["foo", "bar"],
+      allowedSenderIds: [],
       muted_until: 123,
     });
     expect(resolver.invalidate).not.toHaveBeenCalled();

package/src/__tests__/third-party-gateway.test.ts

@@ -37,6 +37,15 @@ describe("toGatewayConfig + thirdPartyGateways", () => {
           allowedSenderIds: ["abc@im.wechat"],
           splitAt: 1800,
         },
+        {
+          id: "gw_fs_1",
+          type: "feishu",
+          accountId: "ag_daemon",
+          appId: "cli_xxx",
+          domain: "feishu",
+          allowedSenderIds: ["ou_alice"],
+          allowedChatIds: ["oc_team"],
+        },
       ],
     });
     const gw = toGatewayConfig(cfg);
@@ -44,6 +53,7 @@ describe("toGatewayConfig + thirdPartyGateways", () => {
       { id: "ag_daemon", type: BOTCORD_CHANNEL_TYPE },
       { id: "gw_tg_1", type: TELEGRAM_CHANNEL_TYPE },
       { id: "gw_wx_1", type: WECHAT_CHANNEL_TYPE },
+      { id: "gw_fs_1", type: "feishu" },
     ]);
     const tg = gw.channels[1]!;
     expect(tg.accountId).toBe("ag_daemon");
@@ -52,6 +62,11 @@ describe("toGatewayConfig + thirdPartyGateways", () => {
     expect(wx.baseUrl).toBe("https://ilinkai.weixin.qq.com");
     expect(wx.allowedSenderIds).toEqual(["abc@im.wechat"]);
     expect(wx.splitAt).toBe(1800);
+    const fs = gw.channels[3]!;
+    expect(fs.appId).toBe("cli_xxx");
+    expect(fs.domain).toBe("feishu");
+    expect(fs.allowedSenderIds).toEqual(["ou_alice"]);
+    expect(fs.allowedChatIds).toEqual(["oc_team"]);
   });
 
   it("filters out gateways with enabled === false", () => {
@@ -115,6 +130,19 @@ describe("createDaemonChannel", () => {
     expect(adapter.id).toBe("gw_wx_1");
   });
 
+  it("dispatches feishu type to the Feishu adapter", () => {
+    const chCfg: GatewayChannelConfig = {
+      id: "gw_fs_1",
+      type: "feishu",
+      accountId: "ag_x",
+      appId: "cli_xxx",
+      domain: "feishu",
+    };
+    const adapter = createDaemonChannel(chCfg, deps);
+    expect(adapter.type).toBe("feishu");
+    expect(adapter.id).toBe("gw_fs_1");
+  });
+
   it("throws on unknown channel type", () => {
     const chCfg: GatewayChannelConfig = {
       id: "gw_x",

package/src/config.ts

@@ -100,7 +100,7 @@ export interface OpenclawDiscoveryConfig {
 }
 
 /** Third-party messaging provider supported by the daemon's channel factory. */
-export type ThirdPartyGatewayType = "telegram" | "wechat";
+export type ThirdPartyGatewayType = "telegram" | "wechat" | "feishu";
 
 /**
  * One third-party gateway profile bound to a BotCord agent. `id` is the
@@ -122,6 +122,9 @@ export interface ThirdPartyGatewayProfile {
   allowedChatIds?: string[];
   splitAt?: number;
   baseUrl?: string;
+  appId?: string;
+  domain?: "feishu" | "lark";
+  userOpenId?: string;
 }
 
 export interface DaemonConfig {
@@ -445,9 +448,9 @@ export function loadConfig(): DaemonConfig {
           `daemon config thirdPartyGateways[${i}].id must be a non-empty string (${CONFIG_PATH})`,
         );
       }
-      if (gg.type !== "telegram" && gg.type !== "wechat") {
+      if (gg.type !== "telegram" && gg.type !== "wechat" && gg.type !== "feishu") {
         throw new Error(
-          `daemon config thirdPartyGateways[${i}].type must be "telegram" or "wechat" (${CONFIG_PATH})`,
+          `daemon config thirdPartyGateways[${i}].type must be "telegram", "wechat", or "feishu" (${CONFIG_PATH})`,
         );
       }
       if (typeof gg.accountId !== "string" || gg.accountId.length === 0) {

package/src/cross-room.ts

@@ -44,7 +44,9 @@ export function buildCrossRoomDigest(opts: DigestOptions): string | null {
 
   const lines: string[] = [
     "[BotCord Cross-Room Awareness]",
-    `You are currently active in ${total} BotCord sessions. Recent activity from other rooms:`,
+    `You are currently active in ${total} BotCord sessions. The entries below are latest messages from OTHER rooms, not the current room.`,
+    "Do not treat any sender or message below as the current user or current conversation.",
+    "Recent activity from other rooms:",
   ];
   for (const e of slice) {
     lines.push(formatEntry(e));

package/src/daemon-config-map.ts

@@ -262,6 +262,9 @@ export function toGatewayConfig(
     if (g.allowedChatIds !== undefined) ch.allowedChatIds = g.allowedChatIds;
     if (g.splitAt !== undefined) ch.splitAt = g.splitAt;
     if (g.baseUrl !== undefined) ch.baseUrl = g.baseUrl;
+    if (g.appId !== undefined) ch.appId = g.appId;
+    if (g.domain !== undefined) ch.domain = g.domain;
+    if (g.userOpenId !== undefined) ch.userOpenId = g.userOpenId;
     channels.push(ch);
   }
 

package/src/daemon.ts

@@ -6,6 +6,7 @@ import {
 import {
   Gateway,
   createBotCordChannel,
+  createFeishuChannel,
   createTelegramChannel,
   createWechatChannel,
   resolveTranscriptEnabled,
@@ -44,7 +45,7 @@ import {
 } from "./loop-risk.js";
 import { composeBotCordUserTurn } from "./turn-text.js";
 import { UserAuthManager } from "./user-auth.js";
-import { PolicyResolver } from "./gateway/policy-resolver.js";
+import { PolicyResolver, type DaemonAttentionPolicy } from "./gateway/policy-resolver.js";
 import { scanMention } from "./mention-scan.js";
 import { createDiagnosticBundle, uploadDiagnosticBundle } from "./diagnostics.js";
 
@@ -178,6 +179,23 @@ export function createDaemonChannel(
         ...(typeof chCfg.secretFile === "string" ? { secretFile: chCfg.secretFile } : {}),
         ...(typeof chCfg.stateFile === "string" ? { stateFile: chCfg.stateFile } : {}),
       });
+    case "feishu":
+      return createFeishuChannel({
+        id: chCfg.id,
+        accountId: chCfg.accountId,
+        ...(typeof chCfg.appId === "string" ? { appId: chCfg.appId } : {}),
+        ...(chCfg.domain === "feishu" || chCfg.domain === "lark"
+          ? { domain: chCfg.domain }
+          : {}),
+        ...(Array.isArray(chCfg.allowedSenderIds)
+          ? { allowedSenderIds: chCfg.allowedSenderIds as string[] }
+          : {}),
+        ...(Array.isArray(chCfg.allowedChatIds)
+          ? { allowedChatIds: chCfg.allowedChatIds as string[] }
+          : {}),
+        ...(typeof chCfg.splitAt === "number" ? { splitAt: chCfg.splitAt } : {}),
+        ...(typeof chCfg.secretFile === "string" ? { secretFile: chCfg.secretFile } : {}),
+      });
     default:
       throw new Error(`unknown channel type "${chCfg.type}"`);
   }
@@ -436,15 +454,18 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
   // with a local `@<display_name>` / `@<agent_id>` text scan, resolve the
   // effective policy, then defer to the protocol-core `shouldWake` decision.
   const attentionGate = async (msg: GatewayInboundMessage): Promise<boolean> => {
-    const policy: AttentionPolicy = await policyResolver.resolve(
+    const policy: DaemonAttentionPolicy = await policyResolver.resolve(
       msg.accountId,
       msg.conversation.id,
     );
+    if (policy.mode === "allowed_senders") {
+      return (policy.allowedSenderIds ?? []).includes(msg.sender.id);
+    }
     const localMention = scanMention(msg.text, {
       agentId: msg.accountId,
       displayName: displayNameByAgent.get(msg.accountId),
     });
-    return shouldWake(policy, {
+    return shouldWake(policy as AttentionPolicy, {
       mentioned: msg.mentioned === true || localMention,
       text: msg.text,
     });