@invago/mixin 1.0.7

package/src/blaze-service.ts

@@ -0,0 +1,167 @@
+import {
+  decodeMessage,
+  sendRaw,
+  signAccessToken,
+  type BlazeHandler,
+  type BlazeOptions,
+} from "@mixin.dev/mixin-node-sdk";
+import WebSocket from "ws";
+import crypto from "crypto";
+import type { MixinAccountConfig } from "./config-schema.js";
+import { createProxyAgent } from "./proxy.js";
+
+type SendLog = {
+  info: (msg: string) => void;
+  error: (msg: string, err?: unknown) => void;
+  warn: (msg: string) => void;
+};
+
+function buildKeystore(config: MixinAccountConfig) {
+  return {
+    app_id: config.appId!,
+    session_id: config.sessionId!,
+    server_public_key: config.serverPublicKey!,
+    session_private_key: config.sessionPrivateKey!,
+  };
+}
+
+async function dispatchMessage(handler: BlazeHandler, msg: any): Promise<void> {
+  if (msg.source === "ACKNOWLEDGE_MESSAGE_RECEIPT" && handler.onAckReceipt) {
+    await handler.onAckReceipt(msg);
+    return;
+  }
+
+  if (msg.category === "SYSTEM_CONVERSATION" && handler.onConversation) {
+    await handler.onConversation(msg);
+    return;
+  }
+
+  if (msg.category === "SYSTEM_ACCOUNT_SNAPSHOT" && handler.onTransfer) {
+    await handler.onTransfer(msg);
+    return;
+  }
+
+  await handler.onMessage(msg);
+}
+
+export async function runBlazeLoop(params: {
+  config: MixinAccountConfig;
+  options?: BlazeOptions;
+  handler: BlazeHandler;
+  log: SendLog;
+  abortSignal?: AbortSignal;
+}): Promise<void> {
+  const { config, options, handler, log, abortSignal } = params;
+  const keystore = buildKeystore(config);
+  const jwtToken = signAccessToken("GET", "/", "", crypto.randomUUID(), keystore) || "";
+  const agent = createProxyAgent(config.proxy);
+
+  await new Promise<void>((resolve, reject) => {
+    let ws: WebSocket | undefined;
+    let opened = false;
+    let settled = false;
+    let pingTimeout: NodeJS.Timeout | null = null;
+
+    const cleanup = () => {
+      if (pingTimeout) {
+        clearTimeout(pingTimeout);
+        pingTimeout = null;
+      }
+      abortSignal?.removeEventListener("abort", onAbort);
+    };
+
+    const finish = (err?: unknown) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      if (err) {
+        reject(err);
+        return;
+      }
+      resolve();
+    };
+
+    const terminate = () => {
+      if (!ws) {
+        return;
+      }
+      ws.terminate();
+      ws = undefined;
+    };
+
+    const heartbeat = () => {
+      if (pingTimeout) {
+        clearTimeout(pingTimeout);
+      }
+      pingTimeout = setTimeout(() => {
+        terminate();
+      }, 30_000);
+    };
+
+    const onAbort = () => {
+      terminate();
+      finish();
+    };
+
+    ws = new WebSocket("wss://blaze.mixin.one", "Mixin-Blaze-1", {
+      headers: {
+        Authorization: `Bearer ${jwtToken}`,
+      },
+      handshakeTimeout: 3000,
+      agent,
+    });
+
+    abortSignal?.addEventListener("abort", onAbort);
+
+    ws.on("open", () => {
+      opened = true;
+      heartbeat();
+      void sendRaw(ws!, {
+        id: crypto.randomUUID(),
+        action: "LIST_PENDING_MESSAGES",
+      });
+    });
+
+    ws.on("ping", () => {
+      heartbeat();
+    });
+
+    ws.on("message", async (data) => {
+      try {
+        const msg = decodeMessage(data as Uint8Array, options ?? { parse: false, syncAck: false });
+        if (!msg) {
+          return;
+        }
+
+        if (options?.syncAck && msg.message_id) {
+          await sendRaw(ws!, {
+            id: crypto.randomUUID(),
+            action: "ACKNOWLEDGE_MESSAGE_RECEIPT",
+            params: {
+              message_id: msg.message_id,
+              status: "READ",
+            },
+          });
+        }
+
+        await dispatchMessage(handler, msg);
+      } catch (err) {
+        log.error("[mixin] blaze message error", err);
+      }
+    });
+
+    ws.on("close", () => {
+      finish();
+    });
+
+    ws.on("error", (err) => {
+      if (!opened) {
+        finish(err);
+        return;
+      }
+      log.error("[mixin] blaze websocket error", err);
+    });
+  });
+}

package/src/channel.ts

@@ -0,0 +1,199 @@
+import { buildChannelConfigSchema } from "openclaw/plugin-sdk";
+import type { ChannelGatewayContext, OpenClawConfig } from "openclaw/plugin-sdk";
+import { runBlazeLoop } from "./blaze-service.js";
+import { MixinConfigSchema } from "./config-schema.js";
+import { describeAccount, isConfigured, listAccountIds, resolveAccount } from "./config.js";
+import { handleMixinMessage, type MixinInboundMessage } from "./inbound-handler.js";
+import { sendTextMessage, startSendWorker } from "./send-service.js";
+
+type ResolvedMixinAccount = ReturnType<typeof resolveAccount>;
+
+const BASE_DELAY = 1000;
+const MAX_DELAY = 3000;
+const MULTIPLIER = 1.5;
+
+async function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+function maskKey(key: string): string {
+  if (!key || key.length < 8) {
+    return "****";
+  }
+  return key.slice(0, 4) + "****" + key.slice(-4);
+}
+
+export const mixinPlugin = {
+  id: "mixin",
+
+  meta: {
+    id: "mixin",
+    label: "Mixin Messenger",
+    selectionLabel: "Mixin Messenger (Blaze WebSocket)",
+    docsPath: "/channels/mixin",
+    blurb: "Mixin Messenger channel via Blaze WebSocket",
+    aliases: ["mixin-messenger", "mixin"],
+  },
+
+  configSchema: buildChannelConfigSchema(MixinConfigSchema),
+
+  capabilities: {
+    chatTypes: ["direct", "group"] as Array<"direct" | "group">,
+    reactions: false,
+    threads: false,
+    media: false,
+    nativeCommands: false,
+    blockStreaming: false,
+  },
+
+  config: {
+    listAccountIds,
+    resolveAccount: (cfg: OpenClawConfig, accountId?: string | null) =>
+      resolveAccount(cfg, accountId ?? undefined),
+    defaultAccountId: () => "default",
+  },
+
+  security: {
+    resolveDmPolicy: ({ account, accountId }: { account: ResolvedMixinAccount; accountId?: string | null }) => {
+      const allowFrom = account.config.allowFrom ?? [];
+      const basePath = accountId && accountId !== "default" ? `.accounts.${accountId}` : "";
+
+      return {
+        policy: "allowlist" as const,
+        allowFrom,
+        allowFromPath: `channels.mixin${basePath}.allowFrom`,
+        approveHint: allowFrom.length > 0
+          ? `已配置白名单用户数 ${allowFrom.length}，将用户的 Mixin UUID 添加到 allowFrom 列表即可授权`
+          : "将用户的 Mixin UUID 添加到 allowFrom 列表即可授权",
+      };
+    },
+  },
+
+  outbound: {
+    deliveryMode: "direct" as const,
+
+    sendText: async (ctx: {
+      cfg: OpenClawConfig;
+      to: string;
+      text: string;
+      accountId?: string | null;
+    }) => {
+      const id = ctx.accountId ?? "default";
+      const result = await sendTextMessage(ctx.cfg, id, ctx.to, undefined, ctx.text);
+      if (result.ok) {
+        return { channel: "mixin", messageId: result.messageId ?? ctx.to };
+      }
+      throw new Error(result.error ?? "sendText failed");
+    },
+  },
+
+  gateway: {
+    startAccount: async (ctx: ChannelGatewayContext<ResolvedMixinAccount>): Promise<unknown> => {
+      const { account, cfg, abortSignal } = ctx;
+      const log = (ctx as any).log ?? {
+        info: (m: string) => console.log(`[mixin] ${m}`),
+        warn: (m: string) => console.warn(`[mixin] ${m}`),
+        error: (m: string, e?: unknown) => console.error(`[mixin] ${m}`, e),
+      };
+      const accountId = account.accountId;
+      const config = account.config;
+
+      await startSendWorker(cfg, log);
+
+      let stopped = false;
+      const stop = () => {
+        stopped = true;
+      };
+      abortSignal?.addEventListener("abort", stop);
+
+      let attempt = 1;
+      let delay = BASE_DELAY;
+
+      const runLoop = async () => {
+        while (!stopped) {
+          try {
+            log.info(`connecting to Mixin Blaze (attempt ${attempt})`);
+            log.info(`config: appId=${maskKey(config.appId!)}, sessionId=${maskKey(config.sessionId!)}`);
+
+            await runBlazeLoop({
+              config,
+              options: { parse: false, syncAck: true },
+              log,
+              abortSignal,
+              handler: {
+                onMessage: async (rawMsg: any) => {
+                  if (stopped) {
+                    return;
+                  }
+                  if (!rawMsg || !rawMsg.message_id) {
+                    return;
+                  }
+                  if (!rawMsg.user_id || rawMsg.user_id === config.appId) {
+                    return;
+                  }
+
+                  const isDirect = rawMsg.conversation_id === undefined
+                    ? true
+                    : !rawMsg.representative_id;
+
+                  const msg: MixinInboundMessage = {
+                    conversationId: rawMsg.conversation_id ?? "",
+                    userId: rawMsg.user_id,
+                    messageId: rawMsg.message_id,
+                    category: rawMsg.category ?? "PLAIN_TEXT",
+                    data: rawMsg.data_base64 ?? rawMsg.data ?? "",
+                    createdAt: rawMsg.created_at ?? new Date().toISOString(),
+                  };
+
+                  try {
+                    await handleMixinMessage({ cfg, accountId, msg, isDirect, log });
+                  } catch (err) {
+                    log.error(`error handling message ${msg.messageId}`, err);
+                  }
+                },
+              },
+            });
+
+            if (stopped) {
+              break;
+            }
+
+            attempt = 1;
+            delay = BASE_DELAY;
+          } catch (err) {
+            if (stopped) {
+              break;
+            }
+            const errorMsg = err instanceof Error ? err.message : String(err);
+            log.error(`connection error: ${errorMsg}`, err);
+            log.warn(`retrying in ${delay}ms (attempt ${attempt})`);
+            await sleep(delay);
+            delay = Math.min(delay * MULTIPLIER, MAX_DELAY);
+            attempt++;
+          }
+        }
+
+        log.info("gateway stopped");
+      };
+
+      try {
+        await runLoop();
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        log.error(`[internal] unexpected loop error: ${msg}`, err);
+      }
+
+      return { stop };
+    },
+  },
+
+  status: {
+    defaultRuntime: {
+      accountId: "default",
+      running: false,
+      status: "stopped" as const,
+    },
+  },
+};
+
+export { describeAccount, isConfigured };

package/src/config-schema.ts

@@ -0,0 +1,43 @@
+import { z } from "zod";
+
+export const MixinProxyConfigSchema = z.object({
+  enabled: z.boolean().optional().default(false),
+  url: z.string().optional(),
+  username: z.string().optional(),
+  password: z.string().optional(),
+}).superRefine((value, ctx) => {
+  if (!value.enabled) {
+    return;
+  }
+
+  if (!value.url) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "proxy.url is required when proxy.enabled is true",
+      path: ["url"],
+    });
+  }
+});
+
+export type MixinProxyConfig = z.infer<typeof MixinProxyConfigSchema>;
+
+export const MixinAccountConfigSchema = z.object({
+  name: z.string().optional(),
+  enabled: z.boolean().optional().default(true),
+  appId: z.string().optional(),
+  sessionId: z.string().optional(),
+  serverPublicKey: z.string().optional(),
+  sessionPrivateKey: z.string().optional(),
+  allowFrom: z.array(z.string()).optional().default([]),
+  requireMentionInGroup: z.boolean().optional().default(true),
+  debug: z.boolean().optional().default(false),
+  proxy: MixinProxyConfigSchema.optional(),
+});
+
+export type MixinAccountConfig = z.infer<typeof MixinAccountConfigSchema>;
+
+export const MixinConfigSchema: z.ZodTypeAny = MixinAccountConfigSchema.extend({
+  accounts: z.record(z.string(), MixinAccountConfigSchema.optional()).optional(),
+});
+
+export type MixinConfig = z.infer<typeof MixinConfigSchema>;

package/src/config.ts

@@ -0,0 +1,63 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk";
+import { MixinAccountConfigSchema, type MixinAccountConfig, type MixinConfig } from "./config-schema.js";
+
+function getRawConfig(cfg: OpenClawConfig): any {
+  return (cfg.channels as Record<string, unknown>)?.mixin ?? {};
+}
+
+export function listAccountIds(cfg: OpenClawConfig): string[] {
+  const raw = getRawConfig(cfg);
+  if (raw.accounts && Object.keys(raw.accounts).length > 0) {
+    return Object.keys(raw.accounts);
+  }
+  return ["default"];
+}
+
+export function getAccountConfig(cfg: OpenClawConfig, accountId?: string): MixinAccountConfig {
+  const raw = getRawConfig(cfg);
+  let accountRaw: Partial<MixinAccountConfig>;
+
+  if (accountId && accountId !== "default" && raw.accounts?.[accountId]) {
+    accountRaw = raw.accounts[accountId] as Partial<MixinAccountConfig>;
+  } else {
+    accountRaw = raw as MixinConfig as Partial<MixinAccountConfig>;
+  }
+
+  const result = MixinAccountConfigSchema.safeParse(accountRaw);
+  if (result.success) return result.data;
+  return MixinAccountConfigSchema.parse({});
+}
+
+export function resolveAccount(cfg: OpenClawConfig, accountId?: string) {
+  const id = accountId ?? "default";
+  const config = getAccountConfig(cfg, id);
+  const configured = Boolean(config.appId && config.sessionId && config.serverPublicKey && config.sessionPrivateKey);
+  return {
+    accountId: id,
+    enabled: config.enabled !== false,
+    configured,
+    name: config.name,
+    appId: config.appId,
+    sessionId: config.sessionId,
+    serverPublicKey: config.serverPublicKey,
+    sessionPrivateKey: config.sessionPrivateKey,
+    allowFrom: config.allowFrom,
+    requireMentionInGroup: config.requireMentionInGroup,
+    debug: config.debug,
+    config,
+  };
+}
+
+export function isConfigured(account: ReturnType<typeof resolveAccount>): boolean {
+  return account.configured;
+}
+
+export function describeAccount(account: ReturnType<typeof resolveAccount>) {
+  const { config, accountId } = account;
+  return {
+    accountId,
+    name: config.name ?? accountId,
+    configured: account.configured,
+    enabled: account.enabled,
+  };
+}

package/src/crypto.ts

@@ -0,0 +1,93 @@
+import crypto from "crypto";
+import { x25519, ed25519 } from "@noble/curves/ed25519.js";
+
+function uuidToBuffer(uuid: string): Buffer {
+  return Buffer.from(uuid.replace(/-/g, ""), "hex");
+}
+
+function aes256CbcDecrypt(key: Buffer, iv: Buffer, ciphertext: Buffer): Buffer {
+  const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+  decipher.setAutoPadding(false);
+  const decrypted = decipher.update(ciphertext);
+  const final = Buffer.concat([decrypted, decipher.final()]);
+  const padLen = final[final.length - 1];
+  if (padLen > 0 && padLen <= 16) {
+    return final.slice(0, final.length - padLen);
+  }
+  return final;
+}
+
+export function decryptMixinMessage(
+  encryptedBase64: string,
+  sessionPrivateKeyHex: string,
+  mySessionIdStr: string
+): string | null {
+  try {
+    let b64 = encryptedBase64.replace(/-/g, "+").replace(/_/g, "/");
+    while (b64.length % 4 !== 0) b64 += "=";
+    const encryptedData = Buffer.from(b64, "base64");
+
+    const version = encryptedData[0];
+    if (version !== 1) {
+      return null;
+    }
+
+    const receiversCount = encryptedData.readUInt16LE(1);
+    const senderCurve25519Pub = encryptedData.slice(3, 35);
+
+    const seedBytes = Buffer.from(sessionPrivateKeyHex, "hex");
+    const myCurve25519Priv = ed25519.utils.toMontgomerySecret(seedBytes);
+    const sharedSecret = Buffer.from(x25519.getSharedSecret(myCurve25519Priv, senderCurve25519Pub));
+
+    let cursor = 35;
+    const mySessionIdBuffer = mySessionIdStr ? uuidToBuffer(mySessionIdStr) : null;
+    let ivForKey: Buffer | null = null;
+    let encryptedMessageKey: Buffer | null = null;
+    let found = false;
+
+    for (let i = 0; i < receiversCount; i++) {
+      if (cursor + 64 > encryptedData.length) break;
+
+      const blockSessionId = encryptedData.slice(cursor, cursor + 16);
+
+      if (!mySessionIdBuffer || blockSessionId.equals(mySessionIdBuffer) || i === 0) {
+        ivForKey = encryptedData.slice(cursor + 16, cursor + 32);
+        encryptedMessageKey = encryptedData.slice(cursor + 32, cursor + 64);
+        found = true;
+        if (mySessionIdBuffer && blockSessionId.equals(mySessionIdBuffer)) break;
+      }
+      cursor += 64;
+    }
+
+    if (!found || !ivForKey || !encryptedMessageKey) {
+      return null;
+    }
+
+    const paddedMessageKey = aes256CbcDecrypt(sharedSecret, ivForKey, encryptedMessageKey);
+    const messageKey16 = paddedMessageKey.slice(0, 16);
+
+    cursor = 35 + receiversCount * 64;
+
+    const gcmNonce = encryptedData.slice(cursor, cursor + 12);
+    cursor += 12;
+
+    const gcmPayload = encryptedData.slice(cursor);
+
+    if (gcmPayload.length < 16) {
+      return null;
+    }
+
+    const gcmCiphertext = gcmPayload.slice(0, gcmPayload.length - 16);
+    const gcmAuthTag = gcmPayload.slice(gcmPayload.length - 16);
+
+    const decipher = crypto.createDecipheriv("aes-128-gcm", messageKey16, gcmNonce);
+    decipher.setAuthTag(gcmAuthTag);
+
+    let decryptedText = decipher.update(gcmCiphertext, undefined, "utf8");
+    decryptedText += decipher.final("utf8");
+
+    return decryptedText;
+  } catch {
+    return null;
+  }
+}

package/src/decrypt.ts

@@ -0,0 +1,126 @@
+import crypto from 'crypto';
+
+/**
+ * 将 Mixin 的 Ed25519 seed 转换为 Curve25519 私钥，并与对端公钥协商出共享密钥
+ * @param seedHex 64 字符的 Hex 字符串，对应 session_private_key
+ * @param peerPublicKey 32 字节的对端 Curve25519 公钥
+ */
+export function x25519KeyAgreement(seedHex: string, peerPublicKey: Buffer): Buffer {
+  // 1. 将 64 字符的 Hex 转换为 32 字节的 seed
+  const seedBytes = Buffer.from(seedHex, 'hex');
+  if (seedBytes.length !== 32) {
+    throw new Error('Invalid Ed25519 seed length, expected 32 bytes.');
+  }
+
+  // 2. SHA-512 散列
+  const hash = crypto.createHash('sha512').update(seedBytes).digest();
+  
+  // 3. 提取前 32 字节并进行 Curve25519 位截断 (Clamping)
+  const privateKeyX25519 = Buffer.from(hash.slice(0, 32));
+  privateKeyX25519[0] &= 248;
+  privateKeyX25519[31] &= 127;
+  privateKeyX25519[31] |= 64;
+
+  const ecdh = crypto.createECDH('x25519');
+  ecdh.setPrivateKey(privateKeyX25519);
+  
+  return ecdh.computeSecret(peerPublicKey);
+}
+
+/**
+ * 解密 Mixin ENCRYPTED_TEXT 消息 (对应 Go SDK DecryptMessageData)
+ * @param data Base64 编码的加密数据
+ * @param sessionId 机器人的 session_id
+ * @param privateKey 机器人的 ed25519 私钥（hex 格式，实为 seed）
+ * @returns 解密后的明文，失败返回 null
+ */
+export function decryptMessageData(
+  data: string,
+  sessionId: string,
+  privateKey: string
+): string | null {
+  try {
+    // 1. Base64 解码，处理可能的 URL-safe Base64
+    let base64 = data.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+      base64 += '=';
+    }
+    const encryptedBytes = Buffer.from(base64, 'base64');
+
+    // 验证最小长度: version(1) + sessionCount(2) + senderPubKey(32) + nonce(12)
+    if (encryptedBytes.length < 1 + 2 + 32 + 12) {
+      console.error('[mixin decrypt] data too short:', encryptedBytes.length);
+      return null;
+    }
+
+    // 解析消息结构
+    const version = encryptedBytes[0];
+    if (version !== 1) {
+      console.error('[mixin decrypt] unsupported version:', version);
+      return null;
+    }
+
+    const sessionCount = encryptedBytes.readUInt16LE(1);
+    let offset = 3;
+
+    // 2. 提取发送者公钥 (已经是 Curve25519)
+    const senderPublicKey = encryptedBytes.slice(offset, offset + 32);
+    offset += 32;
+
+    // 查找匹配的 session
+    const sessionIdBuffer = Buffer.from(sessionId.replace(/-/g, ''), 'hex');
+
+    let sessionData: Buffer | null = null;
+    for (let i = 0; i < sessionCount; i++) {
+      const sessionIdInMsg = encryptedBytes.slice(offset, offset + 16);
+
+      if (sessionIdInMsg.equals(sessionIdBuffer)) {
+        sessionData = encryptedBytes.slice(offset + 16, offset + 64);
+        break; // 暂不中断读取，只取我们自己的 session 块
+      }
+      offset += 64;
+    }
+
+    if (!sessionData) {
+      console.error('[mixin decrypt] session not found');
+      return null;
+    }
+
+    // 3. 计算 Shared Secret
+    const sharedSecret = x25519KeyAgreement(privateKey, senderPublicKey);
+    
+    // 4. 解密 Message Key (AES-256-CBC)
+    // sessionData 的前 16 字节为 IV，后 32 字节为加密后的 key
+    const sessionIv = sessionData.slice(0, 16);
+    const encryptedKey = sessionData.slice(16, 48);
+    
+    const decipherKey = crypto.createDecipheriv('aes-256-cbc', sharedSecret, sessionIv);
+    // Mixin SDK 这里加了 padding 处理。如果后续失败，尝试 decipherKey.setAutoPadding(false);
+    const rawMessageKey = Buffer.concat([decipherKey.update(encryptedKey), decipherKey.final()]);
+    
+    // 取前 16 字节！
+    const messageKey = rawMessageKey.slice(0, 16);
+
+    // 5. 获取 Nonce 和 密文
+    const prefixSize = 3 + 32 + sessionCount * 64;
+    const nonce = encryptedBytes.slice(prefixSize, prefixSize + 12); // 注意这里是 12 字节!!!
+    const encryptedText = encryptedBytes.slice(prefixSize + 12);
+
+    // 6. 解密消息体 (AES-128-GCM)
+    // 对于 GCM，还需要分离出 authentication tag (后 16 字节)
+    const tag = encryptedText.slice(-16);
+    const ciphertext = encryptedText.slice(0, -16);
+
+    const decipherGcm = crypto.createDecipheriv('aes-128-gcm', messageKey, nonce);
+    decipherGcm.setAuthTag(tag);
+    
+    let decryptedText = decipherGcm.update(ciphertext);
+    decryptedText = Buffer.concat([decryptedText, decipherGcm.final()]);
+
+    return decryptedText.toString('utf8');
+
+  } catch (error) {
+    console.error('[mixin decrypt] error:', error);
+    return null;
+  }
+}