@jimiford/webex 0.1.2 → 0.1.3

package/README.md

@@ -309,6 +309,52 @@ WEBHOOK_SECRET=your_webhook_secret
 
 The plugin includes automatic retry with exponential backoff for rate-limited requests. Adjust `maxRetries` and `retryDelayMs` in config if needed.
 
+## Security Considerations
+
+When connecting a Webex bot to OpenClaw, keep these security implications in mind:
+
+### Access Control
+
+- **DM Policy**: The `dmPolicy` setting controls who can interact with your bot:
+  - `allow`: Anyone can message the bot and receive responses (use with caution)
+  - `deny`: The bot won't respond to direct messages
+  - `allowlisted`: Only users in the `allowFrom` list receive responses
+- **Recommendation**: Use `allowlisted` in production and explicitly specify trusted users
+
+### Bot Token Permissions
+
+- The bot access token can read messages sent to the bot and send replies
+- Keep your token secret — never commit it to version control
+- Rotate tokens periodically via the [Webex Developer Portal](https://developer.webex.com)
+
+### Webhook Security
+
+- **Always use a webhook secret** in production to verify incoming requests
+- The `webhookSecret` enables HMAC-SHA1 signature verification
+- Without verification, attackers could send fake webhook payloads to your endpoint
+
+### Network Exposure
+
+- Your webhook endpoint must be publicly accessible for Webex to deliver messages
+- Use HTTPS in production (required by Webex)
+- Consider IP allowlisting if your infrastructure supports it
+- For development, tools like ngrok create temporary public URLs
+
+### OpenClaw Agent Access
+
+- Messages received by the bot flow through your OpenClaw agent
+- The agent has access to whatever tools you've configured (file access, web browsing, etc.)
+- Treat bot conversations with the same security considerations as direct OpenClaw access
+- Review your agent's tool permissions and workspace access
+
+### Best Practices
+
+1. Start with `dmPolicy: 'deny'` or `dmPolicy: 'allowlisted'` and explicitly allow trusted users
+2. Always configure a `webhookSecret` for production deployments
+3. Monitor bot activity through Webex admin tools and OpenClaw logs
+4. Use separate bots for development and production environments
+5. Regularly audit the `allowFrom` list
+
 ## License
 
 MIT

package/openclaw.plugin.json

@@ -6,28 +6,90 @@
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
-    "properties": {}
+    "properties": {
+      "enabled": {
+        "type": "boolean",
+        "description": "Enable the Webex channel",
+        "default": false
+      },
+      "token": {
+        "type": "string",
+        "description": "Webex bot access token from developer.webex.com"
+      },
+      "webhookUrl": {
+        "type": "string",
+        "description": "Public URL for receiving Webex webhooks"
+      },
+      "webhookSecret": {
+        "type": "string",
+        "description": "Secret for verifying webhook signatures (recommended)"
+      },
+      "dmPolicy": {
+        "type": "string",
+        "enum": ["allow", "deny", "allowlisted", "pairing"],
+        "description": "Policy for handling direct messages",
+        "default": "deny"
+      },
+      "allowFrom": {
+        "type": "array",
+        "items": { "type": "string" },
+        "description": "List of allowed person IDs or emails (when dmPolicy is allowlisted)"
+      },
+      "apiBaseUrl": {
+        "type": "string",
+        "description": "Custom Webex API base URL",
+        "default": "https://webexapis.com/v1"
+      },
+      "maxRetries": {
+        "type": "number",
+        "description": "Maximum retry attempts for failed API calls",
+        "default": 3
+      },
+      "retryDelayMs": {
+        "type": "number",
+        "description": "Delay between retries in milliseconds",
+        "default": 1000
+      }
+    },
+    "required": ["token", "webhookUrl"]
   },
   "uiHints": {
     "token": {
       "label": "Bot Access Token",
       "sensitive": true,
-      "placeholder": "Your Webex bot token"
+      "placeholder": "Your Webex bot token from developer.webex.com"
     },
     "webhookUrl": {
       "label": "Webhook URL",
-      "placeholder": "https://your-domain.com/webhooks/webex"
+      "placeholder": "https://your-domain.com/webhooks/webex/default"
     },
     "webhookSecret": {
       "label": "Webhook Secret",
       "sensitive": true,
-      "placeholder": "Optional secret for webhook verification"
+      "placeholder": "Strong random secret for webhook verification"
     },
     "dmPolicy": {
-      "label": "DM Policy"
+      "label": "DM Policy",
+      "options": [
+        { "value": "allow", "label": "Allow all" },
+        { "value": "deny", "label": "Deny all" },
+        { "value": "allowlisted", "label": "Allowlist only" },
+        { "value": "pairing", "label": "Pairing required" }
+      ]
     },
     "allowFrom": {
-      "label": "Allowed Senders"
+      "label": "Allowed Senders",
+      "placeholder": "Person ID or email address"
+    },
+    "apiBaseUrl": {
+      "label": "API Base URL",
+      "placeholder": "https://webexapis.com/v1"
+    },
+    "maxRetries": {
+      "label": "Max Retries"
+    },
+    "retryDelayMs": {
+      "label": "Retry Delay (ms)"
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jimiford/webex",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "OpenClaw channel plugin for Cisco Webex messaging",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",