@gakr-gakr/feishu 0.1.0

package/src/runtime.ts

@@ -0,0 +1,9 @@
+import type { PluginRuntime } from "autobot/plugin-sdk/core";
+import { createPluginRuntimeStore } from "autobot/plugin-sdk/runtime-store";
+
+const { setRuntime: setFeishuRuntime, getRuntime: getFeishuRuntime } =
+  createPluginRuntimeStore<PluginRuntime>({
+    pluginId: "feishu",
+    errorMessage: "Feishu runtime not initialized",
+  });
+export { getFeishuRuntime, setFeishuRuntime };

package/src/secret-contract.ts

@@ -0,0 +1,145 @@
+import {
+  collectConditionalChannelFieldAssignments,
+  collectSimpleChannelFieldAssignments,
+  getChannelSurface,
+  hasOwnProperty,
+  normalizeSecretStringValue,
+  type ResolverContext,
+  type SecretDefaults,
+  type SecretTargetRegistryEntry,
+} from "autobot/plugin-sdk/channel-secret-basic-runtime";
+
+export const secretTargetRegistryEntries: SecretTargetRegistryEntry[] = [
+  {
+    id: "channels.feishu.accounts.*.appSecret",
+    targetType: "channels.feishu.accounts.*.appSecret",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.accounts.*.appSecret",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+  {
+    id: "channels.feishu.accounts.*.encryptKey",
+    targetType: "channels.feishu.accounts.*.encryptKey",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.accounts.*.encryptKey",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+  {
+    id: "channels.feishu.accounts.*.verificationToken",
+    targetType: "channels.feishu.accounts.*.verificationToken",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.accounts.*.verificationToken",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+  {
+    id: "channels.feishu.appSecret",
+    targetType: "channels.feishu.appSecret",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.appSecret",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+  {
+    id: "channels.feishu.encryptKey",
+    targetType: "channels.feishu.encryptKey",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.encryptKey",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+  {
+    id: "channels.feishu.verificationToken",
+    targetType: "channels.feishu.verificationToken",
+    configFile: "autobot.json",
+    pathPattern: "channels.feishu.verificationToken",
+    secretShape: "secret_input",
+    expectedResolvedValue: "string",
+    includeInPlan: true,
+    includeInConfigure: true,
+    includeInAudit: true,
+  },
+];
+
+export function collectRuntimeConfigAssignments(params: {
+  config: { channels?: Record<string, unknown> };
+  defaults?: SecretDefaults;
+  context: ResolverContext;
+}): void {
+  const resolved = getChannelSurface(params.config, "feishu");
+  if (!resolved) {
+    return;
+  }
+  const { channel: feishu, surface } = resolved;
+  collectSimpleChannelFieldAssignments({
+    channelKey: "feishu",
+    field: "appSecret",
+    channel: feishu,
+    surface,
+    defaults: params.defaults,
+    context: params.context,
+    topInactiveReason: "no enabled account inherits this top-level Feishu appSecret.",
+    accountInactiveReason: "Feishu account is disabled.",
+  });
+  const baseConnectionMode =
+    normalizeSecretStringValue(feishu.connectionMode) === "webhook" ? "webhook" : "websocket";
+  const resolveAccountMode = (account: Record<string, unknown>) =>
+    hasOwnProperty(account, "connectionMode")
+      ? normalizeSecretStringValue(account.connectionMode)
+      : baseConnectionMode;
+  collectConditionalChannelFieldAssignments({
+    channelKey: "feishu",
+    field: "encryptKey",
+    channel: feishu,
+    surface,
+    defaults: params.defaults,
+    context: params.context,
+    topLevelActiveWithoutAccounts: baseConnectionMode === "webhook",
+    topLevelInheritedAccountActive: ({ account, enabled }) =>
+      enabled &&
+      !hasOwnProperty(account, "encryptKey") &&
+      resolveAccountMode(account) === "webhook",
+    accountActive: ({ account, enabled }) => enabled && resolveAccountMode(account) === "webhook",
+    topInactiveReason: "no enabled Feishu webhook-mode surface inherits this top-level encryptKey.",
+    accountInactiveReason: "Feishu account is disabled or not running in webhook mode.",
+  });
+  collectConditionalChannelFieldAssignments({
+    channelKey: "feishu",
+    field: "verificationToken",
+    channel: feishu,
+    surface,
+    defaults: params.defaults,
+    context: params.context,
+    topLevelActiveWithoutAccounts: baseConnectionMode === "webhook",
+    topLevelInheritedAccountActive: ({ account, enabled }) =>
+      enabled &&
+      !hasOwnProperty(account, "verificationToken") &&
+      resolveAccountMode(account) === "webhook",
+    accountActive: ({ account, enabled }) => enabled && resolveAccountMode(account) === "webhook",
+    topInactiveReason:
+      "no enabled Feishu webhook-mode surface inherits this top-level verificationToken.",
+    accountInactiveReason: "Feishu account is disabled or not running in webhook mode.",
+  });
+}
+
+export const channelSecrets = {
+  secretTargetRegistryEntries,
+  collectRuntimeConfigAssignments,
+};

package/src/secret-input.ts

@@ -0,0 +1 @@
+export { buildSecretInputSchema, hasConfiguredSecretInput } from "autobot/plugin-sdk/secret-input";

package/src/security-audit-shared.ts

@@ -0,0 +1,69 @@
+import { hasConfiguredSecretInput } from "autobot/plugin-sdk/secret-input";
+import type { AutoBotConfig } from "../runtime-api.js";
+
+function asRecord(value: unknown): Record<string, unknown> | undefined {
+  return value && typeof value === "object" && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : undefined;
+}
+
+function hasNonEmptyString(value: unknown): boolean {
+  return typeof value === "string" && value.trim().length > 0;
+}
+
+function isFeishuDocToolEnabled(cfg: AutoBotConfig): boolean {
+  const channels = asRecord(cfg.channels);
+  const feishu = asRecord(channels?.feishu);
+  if (!feishu || feishu.enabled === false) {
+    return false;
+  }
+
+  const baseTools = asRecord(feishu.tools);
+  const baseDocEnabled = baseTools?.doc !== false;
+  const baseAppId = hasNonEmptyString(feishu.appId);
+  const baseAppSecret = hasConfiguredSecretInput(feishu.appSecret, cfg.secrets?.defaults);
+  const baseConfigured = baseAppId && baseAppSecret;
+
+  const accounts = asRecord(feishu.accounts);
+  if (!accounts || Object.keys(accounts).length === 0) {
+    return baseDocEnabled && baseConfigured;
+  }
+
+  for (const accountValue of Object.values(accounts)) {
+    const account = asRecord(accountValue) ?? {};
+    if (account.enabled === false) {
+      continue;
+    }
+    const accountTools = asRecord(account.tools);
+    const effectiveTools = accountTools ?? baseTools;
+    const docEnabled = effectiveTools?.doc !== false;
+    if (!docEnabled) {
+      continue;
+    }
+    const accountConfigured =
+      (hasNonEmptyString(account.appId) || baseAppId) &&
+      (hasConfiguredSecretInput(account.appSecret, cfg.secrets?.defaults) || baseAppSecret);
+    if (accountConfigured) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export function collectFeishuSecurityAuditFindings(params: { cfg: AutoBotConfig }) {
+  if (!isFeishuDocToolEnabled(params.cfg)) {
+    return [];
+  }
+  return [
+    {
+      checkId: "channels.feishu.doc_owner_open_id",
+      severity: "warn" as const,
+      title: "Feishu doc create can grant requester permissions",
+      detail:
+        'channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.',
+      remediation:
+        "Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.",
+    },
+  ];
+}

package/src/security-audit.ts

@@ -0,0 +1 @@
+export { collectFeishuSecurityAuditFindings } from "./security-audit-shared.js";

package/src/send-result.ts

@@ -0,0 +1,80 @@
+import {
+  createMessageReceiptFromOutboundResults,
+  type MessageReceipt,
+  type MessageReceiptPartKind,
+} from "autobot/plugin-sdk/channel-message";
+
+type FeishuMessageApiResponse = {
+  code?: number;
+  msg?: string;
+  data?: {
+    message_id?: string;
+  };
+};
+
+export function resolveFeishuReceiptKind(msgType?: string): MessageReceiptPartKind {
+  switch (msgType) {
+    case "audio":
+      return "voice";
+    case "image":
+    case "media":
+    case "file":
+      return "media";
+    case "interactive":
+      return "card";
+    case "post":
+    case "text":
+      return "text";
+    default:
+      return "unknown";
+  }
+}
+
+export function createFeishuSendReceipt(params: {
+  messageId?: string;
+  chatId: string;
+  kind?: MessageReceiptPartKind;
+}): MessageReceipt {
+  const messageId = params.messageId?.trim();
+  const chatId = params.chatId.trim();
+  return createMessageReceiptFromOutboundResults({
+    results: messageId
+      ? [
+          {
+            channel: "feishu",
+            messageId,
+            chatId,
+            conversationId: chatId,
+          },
+        ]
+      : [],
+    ...(chatId ? { threadId: chatId } : {}),
+    kind: params.kind ?? "unknown",
+  });
+}
+
+export function assertFeishuMessageApiSuccess(
+  response: FeishuMessageApiResponse,
+  errorPrefix: string,
+) {
+  if (response.code !== 0) {
+    throw new Error(`${errorPrefix}: ${response.msg || `code ${response.code}`}`);
+  }
+}
+
+export function toFeishuSendResult(
+  response: FeishuMessageApiResponse,
+  chatId: string,
+  kind?: MessageReceiptPartKind,
+): {
+  messageId: string;
+  chatId: string;
+  receipt: MessageReceipt;
+} {
+  const messageId = response.data?.message_id ?? "unknown";
+  return {
+    messageId,
+    chatId,
+    receipt: createFeishuSendReceipt({ messageId, chatId, kind }),
+  };
+}

package/src/send-target.ts

@@ -0,0 +1,35 @@
+import type { ClawdbotConfig } from "../runtime-api.js";
+import { resolveFeishuRuntimeAccount } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
+import { resolveReceiveIdType, normalizeFeishuTarget } from "./targets.js";
+
+type FeishuSendTarget = {
+  client: ReturnType<typeof createFeishuClient>;
+  receiveId: string;
+  receiveIdType: ReturnType<typeof resolveReceiveIdType>;
+};
+
+export function resolveFeishuSendTarget(params: {
+  cfg: ClawdbotConfig;
+  to: string;
+  accountId?: string;
+}): FeishuSendTarget {
+  const target = params.to.trim();
+  const account = resolveFeishuRuntimeAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+  const client = createFeishuClient(account);
+  const receiveId = normalizeFeishuTarget(target);
+  if (!receiveId) {
+    throw new Error(`Invalid Feishu target: ${params.to}`);
+  }
+  // Preserve explicit routing prefixes (chat/group/user/dm/open_id) when present.
+  // normalizeFeishuTarget strips these prefixes, so infer type from the raw target first.
+  const withoutProviderPrefix = target.replace(/^(feishu|lark):/i, "");
+  return {
+    client,
+    receiveId,
+    receiveIdType: resolveReceiveIdType(withoutProviderPrefix),
+  };
+}