@invago/mixin 1.0.15 → 1.0.17

package/index.ts

@@ -1,5 +1,4 @@
 import type { OpenClawPluginApi, OpenClawConfig } from "openclaw/plugin-sdk";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { mixinPlugin } from "./src/channel.js";
 import {
   buildMixinAccountsText,
@@ -33,7 +32,11 @@ const plugin = {
   id: "mixin",
   name: "Mixin Messenger Channel",
   description: "Mixin Messenger channel via Blaze WebSocket",
-  configSchema: emptyPluginConfigSchema(),
+  configSchema: {
+    type: "object",
+    additionalProperties: false,
+    properties: {},
+  },
   register(api: OpenClawPluginApi): void {
     setMixinRuntime(api.runtime);
     api.registerChannel({ plugin: mixinPlugin });

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "mixin",
   "name": "Mixin Messenger Channel",
   "description": "Mixin Messenger channel via Blaze WebSocket",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "channels": [
     "mixin"
   ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@invago/mixin",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "description": "Mixin Messenger channel plugin for OpenClaw",
   "type": "module",
   "main": "index.ts",

package/src/channel.ts

@@ -3,8 +3,6 @@ import { promisify } from "node:util";
 import { uniqueConversationID } from "@mixin.dev/mixin-node-sdk";
 import {
   buildChannelConfigSchema,
-  formatPairingApproveHint,
-  resolveChannelMediaMaxBytes,
 } from "openclaw/plugin-sdk";
 import type { ChannelGatewayContext, OpenClawConfig, ReplyPayload } from "openclaw/plugin-sdk";
 import { runBlazeLoop } from "./blaze-service.js";
@@ -23,9 +21,10 @@ import { buildMixinAccountSnapshot, buildMixinChannelSummary, resolveMixinStatus
 type ResolvedMixinAccount = ReturnType<typeof resolveAccount>;
 
 const BASE_DELAY = 1000;
-const MAX_DELAY = 3000;
-const MULTIPLIER = 1.5;
-const MEDIA_MAX_BYTES = 30 * 1024 * 1024;
+const MAX_DELAY = 3000;
+const MULTIPLIER = 1.5;
+const MEDIA_MAX_BYTES = 30 * 1024 * 1024;
+const MB = 1024 * 1024;
 const execFileAsync = promisify(execFile);
 const CONVERSATION_CATEGORY_CACHE_TTL_MS = 5 * 60 * 1000;
 
@@ -44,6 +43,10 @@ function createDefaultMixinRuntimeState(accountId: string): {
     lastError: null,
   };
 }
+
+function formatMixinPairingApproveHint(channelId: string): string {
+  return `Approve via: \`openclaw pairing list ${channelId}\` / \`openclaw pairing approve ${channelId} <code>\``;
+}
 
 const conversationCategoryCache = new Map<string, {
   category: "CONTACT" | "GROUP";
@@ -172,13 +175,16 @@ async function resolveAudioDurationSeconds(filePath: string): Promise<number | n
   }
 }
 
-function resolveMixinMediaMaxBytes(cfg: OpenClawConfig, accountId?: string | null): number {
-  return resolveChannelMediaMaxBytes({
-    cfg,
-    resolveChannelLimitMb: ({ cfg, accountId }) => resolveMediaMaxMb(cfg, accountId),
-    accountId,
-  }) ?? MEDIA_MAX_BYTES;
-}
+function resolveMixinMediaMaxBytes(cfg: OpenClawConfig, accountId?: string | null): number {
+  const channelLimitMb = resolveMediaMaxMb(cfg, accountId ?? undefined);
+  if (channelLimitMb) {
+    return channelLimitMb * MB;
+  }
+  if (cfg.agents?.defaults?.mediaMaxMb) {
+    return cfg.agents.defaults.mediaMaxMb * MB;
+  }
+  return MEDIA_MAX_BYTES;
+}
 
 async function deliverOutboundMixinPayload(params: {
   cfg: OpenClawConfig;
@@ -344,12 +350,12 @@ export const mixinPlugin = {
         policy,
         allowFrom,
         policyPath: `channels.mixin${basePath}.dmPolicy`,
-        allowFromPath: `channels.mixin${basePath}.allowFrom`,
-        approveHint: policy === "pairing"
-          ? formatPairingApproveHint("mixin")
-          : allowFrom.length > 0
-            ? `宸查厤缃櫧鍚嶅崟鐢ㄦ埛鏁?${allowFrom.length}锛屽皢鐢ㄦ埛鐨?Mixin UUID 娣诲姞鍒?allowFrom 鍒楄〃鍗冲彲鎺堟潈`
-            : "灏嗙敤鎴风殑 Mixin UUID 娣诲姞鍒?allowFrom 鍒楄〃鍗冲彲鎺堟潈",
+        allowFromPath: `channels.mixin${basePath}.allowFrom`,
+        approveHint: policy === "pairing"
+          ? formatMixinPairingApproveHint("mixin")
+          : allowFrom.length > 0
+            ? `宸查厤缃櫧鍚嶅崟鐢ㄦ埛鏁?${allowFrom.length}锛屽皢鐢ㄦ埛鐨?Mixin UUID 娣诲姞鍒?allowFrom 鍒楄〃鍗冲彲鎺堟潈`
+            : "灏嗙敤鎴风殑 Mixin UUID 娣诲姞鍒?allowFrom 鍒楄〃鍗冲彲鎺堟潈",
       };
     },
   },

package/src/inbound-handler.ts

@@ -1,10 +1,9 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { createRequire } from "node:module";
-import { pathToFileURL } from "node:url";
-import { buildAgentMediaPayload, evaluateSenderGroupAccess, resolveDefaultGroupPolicy } from "openclaw/plugin-sdk";
-import type { AgentMediaPayload, OpenClawConfig } from "openclaw/plugin-sdk";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { createRequire } from "node:module";
+import { pathToFileURL } from "node:url";
+import type { AgentMediaPayload, OpenClawConfig } from "openclaw/plugin-sdk";
 import { getAccountConfig, resolveConversationPolicy } from "./config.js";
 import type { MixinAccountConfig } from "./config-schema.js";
 import { decryptMixinMessage } from "./crypto.js";
@@ -30,8 +29,9 @@ export interface MixinInboundMessage {
   publicKey?: string;
 }
 
-const processedMessages = new Set<string>();
-const MAX_DEDUP_SIZE = 2000;
+const processedMessages = new Set<string>();
+const processingMessages = new Set<string>();
+const MAX_DEDUP_SIZE = 2000;
 const unauthNotifiedUsers = new Map<string, number>();
 const unauthNotifiedGroups = new Map<string, number>();
 const loggedAllowFromAccounts = new Set<string>();
@@ -69,6 +69,13 @@ type CachedBotIdentity = {
   expiresAt: number;
 };
 
+type GroupAccessDecision = {
+  allowed: boolean;
+  groupPolicy: "open" | "allowlist" | "disabled";
+  providerMissingFallbackApplied: boolean;
+  reason: "allowed" | "disabled" | "empty_allowlist" | "sender_not_allowlisted";
+};
+
 type MixinAttachmentRequest = {
   attachmentId: string;
   mimeType?: string;
@@ -84,21 +91,99 @@ const cachedBotIdentities = new Map<string, CachedBotIdentity>();
 let cachedUpdateSessionStore:
   | ((storePath: string, mutator: (store: Record<string, Record<string, unknown>>) => void | Promise<void>) => Promise<unknown>)
   | null
-  | undefined;
-
-function isProcessed(messageId: string): boolean {
-  return processedMessages.has(messageId);
-}
+  | undefined;
+
+function buildMixinAgentMediaPayload(mediaList: Array<{ path: string; contentType?: string }>): AgentMediaPayload {
+  const first = mediaList[0];
+  const mediaPaths = mediaList.map((media) => media.path);
+  const mediaTypes = mediaList.map((media) => media.contentType).filter((value): value is string => Boolean(value));
+  return {
+    MediaPath: first?.path,
+    MediaType: first?.contentType ?? undefined,
+    MediaUrl: first?.path,
+    MediaPaths: mediaPaths.length > 0 ? mediaPaths : undefined,
+    MediaUrls: mediaPaths.length > 0 ? mediaPaths : undefined,
+    MediaTypes: mediaTypes.length > 0 ? mediaTypes : undefined,
+  };
+}
+
+function resolveMixinDefaultGroupPolicy(cfg: OpenClawConfig): "open" | "allowlist" | "disabled" | undefined {
+  const groupPolicy = cfg.channels?.defaults?.groupPolicy;
+  return groupPolicy === "open" || groupPolicy === "allowlist" || groupPolicy === "disabled"
+    ? groupPolicy
+    : undefined;
+}
+
+function evaluateMixinSenderGroupAccess(params: {
+  providerConfigPresent: boolean;
+  configuredGroupPolicy?: "open" | "allowlist" | "disabled";
+  defaultGroupPolicy?: "open" | "allowlist" | "disabled";
+  groupAllowFrom: string[];
+  senderId: string;
+  isSenderAllowed: (senderId: string, allowFrom: string[]) => boolean;
+}): GroupAccessDecision {
+  const configuredPolicy = params.configuredGroupPolicy ?? params.defaultGroupPolicy;
+  const providerMissingFallbackApplied = !params.providerConfigPresent && !configuredPolicy;
+  const groupPolicy = configuredPolicy ?? (params.providerConfigPresent ? "open" : "allowlist");
+
+  if (groupPolicy === "disabled") {
+    return {
+      allowed: false,
+      groupPolicy,
+      providerMissingFallbackApplied,
+      reason: "disabled",
+    };
+  }
+
+  if (groupPolicy === "allowlist") {
+    if (params.groupAllowFrom.length === 0) {
+      return {
+        allowed: false,
+        groupPolicy,
+        providerMissingFallbackApplied,
+        reason: "empty_allowlist",
+      };
+    }
+    if (!params.isSenderAllowed(params.senderId, params.groupAllowFrom)) {
+      return {
+        allowed: false,
+        groupPolicy,
+        providerMissingFallbackApplied,
+        reason: "sender_not_allowlisted",
+      };
+    }
+  }
+
+  return {
+    allowed: true,
+    groupPolicy,
+    providerMissingFallbackApplied,
+    reason: "allowed",
+  };
+}
 
-function markProcessed(messageId: string): void {
-  if (processedMessages.size >= MAX_DEDUP_SIZE) {
-    const first = processedMessages.values().next().value;
-    if (first) {
-      processedMessages.delete(first);
+function markProcessing(messageId: string): boolean {
+  if (processedMessages.has(messageId) || processingMessages.has(messageId)) {
+    return false;
+  }
+  processingMessages.add(messageId);
+  return true;
+}
+
+function markProcessed(messageId: string): void {
+  processingMessages.delete(messageId);
+  if (processedMessages.size >= MAX_DEDUP_SIZE) {
+    const first = processedMessages.values().next().value;
+    if (first) {
+      processedMessages.delete(first);
     }
   }
-  processedMessages.add(messageId);
-}
+  processedMessages.add(messageId);
+}
+
+function clearProcessing(messageId: string): void {
+  processingMessages.delete(messageId);
+}
 
 function pruneUnauthNotifiedUsers(now: number): void {
   for (const [userId, lastNotified] of unauthNotifiedUsers) {
@@ -577,11 +662,11 @@ async function resolveInboundAttachment(params: {
     );
 
     return {
-      text: formatInboundAttachmentText(params.msg.category, payload),
-      mediaPayload: buildAgentMediaPayload([
-        {
-          path: saved.path,
-          contentType: saved.contentType ?? payload.mimeType ?? fetched.contentType,
+      text: formatInboundAttachmentText(params.msg.category, payload),
+      mediaPayload: buildMixinAgentMediaPayload([
+        {
+          path: saved.path,
+          contentType: saved.contentType ?? payload.mimeType ?? fetched.contentType,
         },
       ]),
     };
@@ -887,14 +972,14 @@ function evaluateMixinGroupAccess(params: {
     };
   }
 
-  const normalizedGroupAllowFrom = normalizeAllowEntries(conversationPolicy.groupAllowFrom);
-  const decision = evaluateSenderGroupAccess({
-    providerConfigPresent: true,
-    configuredGroupPolicy: conversationPolicy.groupPolicy,
-    defaultGroupPolicy: resolveDefaultGroupPolicy(params.cfg),
-    groupAllowFrom: normalizedGroupAllowFrom,
-    senderId: normalizeAllowEntry(params.senderId),
-    isSenderAllowed: (senderId, allowFrom) => allowFrom.includes(normalizeAllowEntry(senderId)),
+  const normalizedGroupAllowFrom = normalizeAllowEntries(conversationPolicy.groupAllowFrom);
+  const decision = evaluateMixinSenderGroupAccess({
+    providerConfigPresent: true,
+    configuredGroupPolicy: conversationPolicy.groupPolicy,
+    defaultGroupPolicy: resolveMixinDefaultGroupPolicy(params.cfg),
+    groupAllowFrom: normalizedGroupAllowFrom,
+    senderId: normalizeAllowEntry(params.senderId),
+    isSenderAllowed: (senderId, allowFrom) => allowFrom.includes(normalizeAllowEntry(senderId)),
   });
 
   return {
@@ -905,76 +990,77 @@ function evaluateMixinGroupAccess(params: {
   };
 }
 
-export async function handleMixinMessage(params: {
+export async function handleMixinMessage(params: {
   cfg: OpenClawConfig;
   accountId: string;
   msg: MixinInboundMessage;
   isDirect: boolean;
   log: { info: (m: string) => void; warn: (m: string) => void; error: (m: string, e?: unknown) => void };
 }): Promise<void> {
-  const { cfg, accountId, msg, isDirect, log } = params;
-  const rt = getMixinRuntime();
-
-  if (isProcessed(msg.messageId)) {
-    return;
-  }
-
-  const config = getAccountConfig(cfg, accountId);
-
-  if (msg.category === "ENCRYPTED_TEXT" || msg.category === "ENCRYPTED_POST") {
-    log.info(`[mixin] decrypting encrypted message ${msg.messageId}, category=${msg.category}`);
-    try {
-      const decrypted = decryptMixinMessage(
-        msg.data,
-        config.sessionPrivateKey!,
-        config.sessionId!,
-      );
-      if (!decrypted) {
-        log.error(`[mixin] decryption failed for ${msg.messageId}`);
-        markProcessed(msg.messageId);
-        return;
-      }
-      log.info(`[mixin] decryption successful: messageId=${msg.messageId}, length=${decrypted.length}`);
-      msg.data = Buffer.from(decrypted).toString("base64");
-      msg.category = "PLAIN_TEXT";
-    } catch (err) {
-      log.error(`[mixin] decryption exception for ${msg.messageId}`, err);
-      markProcessed(msg.messageId);
-      return;
-    }
-  }
-
-  let isTextMessage = msg.category.startsWith("PLAIN_TEXT") || msg.category.startsWith("PLAIN_POST");
-  const isAttachmentMessage = msg.category === "PLAIN_DATA" || msg.category === "PLAIN_AUDIO";
+  const { cfg, accountId, msg, isDirect, log } = params;
+  const rt = getMixinRuntime();
 
-  if (!isTextMessage && !isAttachmentMessage) {
-    const fallbackText = tryDecodeFallbackText(msg.data);
-    if (fallbackText) {
-      log.warn(
-        `[mixin] treating unexpected category as text: messageId=${msg.messageId}, category=${msg.category}, fallbackLength=${fallbackText.length}`,
-      );
-      msg.category = "PLAIN_TEXT";
-      msg.data = Buffer.from(fallbackText).toString("base64");
-      isTextMessage = true;
-    }
-  }
-
-  if (!isTextMessage && !isAttachmentMessage) {
-    log.info(
-      `[mixin] skip non-text message: messageId=${msg.messageId}, category=${msg.category}, quoteMessageId=${msg.quoteMessageId ?? "none"}`,
-    );
+  if (!markProcessing(msg.messageId)) {
     return;
   }
 
-  const decodedBody = decodeContent(msg.category, msg.data);
-  let text = decodedBody.trim();
-  let mediaPayload: AgentMediaPayload | undefined;
-  if (isAttachmentMessage) {
-    const resolved = await resolveInboundAttachment({ rt, config, msg, log });
-    text = resolved.text.trim();
-    mediaPayload = resolved.mediaPayload;
-  }
-  log.info(`[mixin] decoded text: messageId=${msg.messageId}, category=${msg.category}, length=${text.length}`);
+  try {
+    const config = getAccountConfig(cfg, accountId);
+
+    if (msg.category === "ENCRYPTED_TEXT" || msg.category === "ENCRYPTED_POST") {
+      log.info(`[mixin] decrypting encrypted message ${msg.messageId}, category=${msg.category}`);
+      try {
+        const decrypted = decryptMixinMessage(
+          msg.data,
+          config.sessionPrivateKey!,
+          config.sessionId!,
+        );
+        if (!decrypted) {
+          log.error(`[mixin] decryption failed for ${msg.messageId}`);
+          markProcessed(msg.messageId);
+          return;
+        }
+        log.info(`[mixin] decryption successful: messageId=${msg.messageId}, length=${decrypted.length}`);
+        msg.data = Buffer.from(decrypted).toString("base64");
+        msg.category = "PLAIN_TEXT";
+      } catch (err) {
+        log.error(`[mixin] decryption exception for ${msg.messageId}`, err);
+        markProcessed(msg.messageId);
+        return;
+      }
+    }
+
+    let isTextMessage = msg.category.startsWith("PLAIN_TEXT") || msg.category.startsWith("PLAIN_POST");
+    const isAttachmentMessage = msg.category === "PLAIN_DATA" || msg.category === "PLAIN_AUDIO";
+
+    if (!isTextMessage && !isAttachmentMessage) {
+      const fallbackText = tryDecodeFallbackText(msg.data);
+      if (fallbackText) {
+        log.warn(
+          `[mixin] treating unexpected category as text: messageId=${msg.messageId}, category=${msg.category}, fallbackLength=${fallbackText.length}`,
+        );
+        msg.category = "PLAIN_TEXT";
+        msg.data = Buffer.from(fallbackText).toString("base64");
+        isTextMessage = true;
+      }
+    }
+
+    if (!isTextMessage && !isAttachmentMessage) {
+      log.info(
+        `[mixin] skip non-text message: messageId=${msg.messageId}, category=${msg.category}, quoteMessageId=${msg.quoteMessageId ?? "none"}`,
+      );
+      return;
+    }
+
+    const decodedBody = decodeContent(msg.category, msg.data);
+    let text = decodedBody.trim();
+    let mediaPayload: AgentMediaPayload | undefined;
+    if (isAttachmentMessage) {
+      const resolved = await resolveInboundAttachment({ rt, config, msg, log });
+      text = resolved.text.trim();
+      mediaPayload = resolved.mediaPayload;
+    }
+    log.info(`[mixin] decoded text: messageId=${msg.messageId}, category=${msg.category}, length=${text.length}`);
 
   const botIdentity = await resolveBotIdentity({
     accountId,
@@ -1322,26 +1408,31 @@ export async function handleMixinMessage(params: {
 
   log.info(`[mixin] dispatching ${msg.messageId} from ${msg.userId}`);
 
-  await rt.channel.reply.dispatchReplyWithBufferedBlockDispatcher({
-    ctx,
-    cfg,
-    dispatcherOptions: {
-      deliver: async (payload) => {
-        const replyText = payload.text ?? "";
-        if (!replyText) {
-          return;
-        }
-        const recipientId = isDirect ? msg.userId : undefined;
-        await deliverMixinReply({
-          cfg,
-          accountId,
-          conversationId: msg.conversationId,
-          recipientId,
-          creatorId: msg.userId,
-          text: replyText,
-          log,
-        });
-      },
-    },
-  });
-}
+    await rt.channel.reply.dispatchReplyWithBufferedBlockDispatcher({
+      ctx,
+      cfg,
+      dispatcherOptions: {
+        deliver: async (payload) => {
+          const replyText = payload.text ?? "";
+          if (!replyText) {
+            return;
+          }
+          const recipientId = isDirect ? msg.userId : undefined;
+          await deliverMixinReply({
+            cfg,
+            accountId,
+            conversationId: msg.conversationId,
+            recipientId,
+            creatorId: msg.userId,
+            text: replyText,
+            log,
+          });
+        },
+      },
+    });
+  } finally {
+    if (!processedMessages.has(msg.messageId)) {
+      clearProcessing(msg.messageId);
+    }
+  }
+}