@kodelyth/zalo 2026.5.39 → 2026.5.42

package/src/approval-auth.test.ts

@@ -0,0 +1,17 @@
+import { describe, expect, it } from "vitest";
+import { zaloApprovalAuth } from "./approval-auth.js";
+
+describe("zaloApprovalAuth", () => {
+  it("authorizes numeric Zalo user ids", () => {
+    const cfg = { channels: { zalo: { allowFrom: ["zl:123"] } } };
+
+    expect(
+      zaloApprovalAuth.authorizeActorAction({
+        cfg,
+        senderId: "123",
+        action: "approve",
+        approvalKind: "exec",
+      }),
+    ).toEqual({ authorized: true });
+  });
+});

package/src/approval-auth.ts

@@ -0,0 +1,25 @@
+import {
+  createResolvedApproverActionAuthAdapter,
+  resolveApprovalApprovers,
+} from "klaw/plugin-sdk/approval-auth-runtime";
+import { resolveZaloAccount } from "./accounts.js";
+
+function normalizeZaloApproverId(value: string | number): string | undefined {
+  const normalized = String(value)
+    .trim()
+    .replace(/^(zalo|zl):/i, "")
+    .trim();
+  return /^\d+$/.test(normalized) ? normalized : undefined;
+}
+
+export const zaloApprovalAuth = createResolvedApproverActionAuthAdapter({
+  channelLabel: "Zalo",
+  resolveApprovers: ({ cfg, accountId }) => {
+    const account = resolveZaloAccount({ cfg, accountId }).config;
+    return resolveApprovalApprovers({
+      allowFrom: account.allowFrom,
+      normalizeApprover: normalizeZaloApproverId,
+    });
+  },
+  normalizeSenderId: (value) => normalizeZaloApproverId(value),
+});

package/src/channel.directory.test.ts

@@ -0,0 +1,56 @@
+import {
+  createDirectoryTestRuntime,
+  expectDirectorySurface,
+} from "klaw/plugin-sdk/channel-test-helpers";
+import { describe, expect, it } from "vitest";
+import type { KlawConfig, RuntimeEnv } from "../runtime-api.js";
+import { zaloPlugin } from "./channel.js";
+
+describe("zalo directory", () => {
+  const runtimeEnv = createDirectoryTestRuntime() as RuntimeEnv;
+  const directory = expectDirectorySurface(zaloPlugin.directory);
+
+  async function expectPeersFromAllowFrom(allowFrom: string[]) {
+    const cfg = {
+      channels: {
+        zalo: {
+          allowFrom,
+        },
+      },
+    } as unknown as KlawConfig;
+
+    const peers = await directory.listPeers({
+      cfg,
+      accountId: undefined,
+      query: undefined,
+      limit: undefined,
+      runtime: runtimeEnv,
+    });
+    expect(peers).toStrictEqual([
+      { kind: "user", id: "123" },
+      { kind: "user", id: "234" },
+      { kind: "user", id: "345" },
+    ]);
+
+    await expect(
+      directory.listGroups({
+        cfg,
+        accountId: undefined,
+        query: undefined,
+        limit: undefined,
+        runtime: runtimeEnv,
+      }),
+    ).resolves.toStrictEqual([]);
+  }
+
+  it("lists peers from allowFrom", async () => {
+    await expectPeersFromAllowFrom(["zalo:123", "zl:234", "345"]);
+  });
+
+  it("normalizes spaced zalo prefixes in allowFrom and pairing entries", async () => {
+    await expectPeersFromAllowFrom(["  zalo:123  ", "  zl:234  ", " 345 "]);
+
+    expect(zaloPlugin.pairing?.normalizeAllowEntry?.("  zalo:123  ")).toBe("123");
+    expect(zaloPlugin.messaging?.normalizeTarget?.("  zl:234  ")).toBe("234");
+  });
+});

package/src/channel.runtime.ts

@@ -0,0 +1,89 @@
+import { createAccountStatusSink } from "klaw/plugin-sdk/channel-lifecycle";
+import { probeZalo } from "./probe.js";
+import { resolveZaloProxyFetch } from "./proxy.js";
+import { PAIRING_APPROVED_MESSAGE, type ChannelPlugin, type KlawConfig } from "./runtime-api.js";
+import { normalizeSecretInputString } from "./secret-input.js";
+import { sendMessageZalo } from "./send.js";
+import type { ResolvedZaloAccount } from "./types.js";
+
+export async function notifyZaloPairingApproval(params: { cfg: KlawConfig; id: string }) {
+  const { resolveZaloAccount } = await import("./accounts.js");
+  const account = resolveZaloAccount({ cfg: params.cfg });
+  if (!account.token) {
+    throw new Error("Zalo token not configured");
+  }
+  await sendMessageZalo(params.id, PAIRING_APPROVED_MESSAGE, {
+    token: account.token,
+  });
+}
+
+export async function sendZaloText(
+  params: Parameters<typeof sendMessageZalo>[2] & {
+    to: string;
+    text: string;
+  },
+) {
+  return await sendMessageZalo(params.to, params.text, params);
+}
+
+export async function probeZaloAccount(params: {
+  account: import("./accounts.js").ResolvedZaloAccount;
+  timeoutMs?: number;
+}) {
+  return await probeZalo(
+    params.account.token,
+    params.timeoutMs,
+    resolveZaloProxyFetch(params.account.config.proxy),
+  );
+}
+
+export async function startZaloGatewayAccount(
+  ctx: Parameters<
+    NonNullable<NonNullable<ChannelPlugin<ResolvedZaloAccount>["gateway"]>["startAccount"]>
+  >[0],
+) {
+  const account = ctx.account;
+  const token = account.token.trim();
+  const mode = account.config.webhookUrl ? "webhook" : "polling";
+  let zaloBotLabel = "";
+  const fetcher = resolveZaloProxyFetch(account.config.proxy);
+  try {
+    const probe = await probeZalo(token, 2500, fetcher);
+    const name = probe.ok ? probe.bot?.name?.trim() : null;
+    if (name) {
+      zaloBotLabel = ` (${name})`;
+    }
+    if (!probe.ok) {
+      ctx.log?.warn?.(
+        `[${account.accountId}] Zalo probe failed before provider start (${String(probe.elapsedMs)}ms): ${probe.error}`,
+      );
+    }
+    ctx.setStatus({
+      accountId: account.accountId,
+      bot: probe.bot,
+    });
+  } catch (err) {
+    ctx.log?.warn?.(
+      `[${account.accountId}] Zalo probe threw before provider start: ${err instanceof Error ? (err.stack ?? err.message) : String(err)}`,
+    );
+  }
+  const statusSink = createAccountStatusSink({
+    accountId: ctx.accountId,
+    setStatus: ctx.setStatus,
+  });
+  ctx.log?.info(`[${account.accountId}] starting provider${zaloBotLabel} mode=${mode}`);
+  const { monitorZaloProvider } = await import("./monitor.js");
+  return monitorZaloProvider({
+    token,
+    account,
+    config: ctx.cfg,
+    runtime: ctx.runtime,
+    abortSignal: ctx.abortSignal,
+    useWebhook: Boolean(account.config.webhookUrl),
+    webhookUrl: account.config.webhookUrl,
+    webhookSecret: normalizeSecretInputString(account.config.webhookSecret),
+    webhookPath: account.config.webhookPath,
+    fetcher,
+    statusSink,
+  });
+}

package/src/channel.startup.test.ts

@@ -0,0 +1,121 @@
+import {
+  expectLifecyclePatch,
+  expectPendingUntilAbort,
+  startAccountAndTrackLifecycle,
+  waitForStartedMocks,
+} from "klaw/plugin-sdk/channel-test-helpers";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import type { ResolvedZaloAccount } from "./accounts.js";
+
+const hoisted = vi.hoisted(() => ({
+  monitorZaloProvider: vi.fn(),
+  probeZalo: vi.fn(async () => ({
+    ok: false as const,
+    error: "probe failed",
+    elapsedMs: 1,
+  })),
+}));
+
+vi.mock("./monitor.js", () => {
+  return {
+    monitorZaloProvider: hoisted.monitorZaloProvider,
+  };
+});
+
+vi.mock("./probe.js", () => {
+  return {
+    probeZalo: hoisted.probeZalo,
+  };
+});
+
+vi.mock("./channel.runtime.js", () => ({
+  probeZaloAccount: hoisted.probeZalo,
+  startZaloGatewayAccount: async (ctx: {
+    account: ResolvedZaloAccount;
+    abortSignal: AbortSignal;
+    setStatus: (patch: Partial<ResolvedZaloAccount>) => void;
+  }) => {
+    await hoisted.probeZalo();
+    ctx.setStatus({ accountId: ctx.account.accountId });
+    return await hoisted.monitorZaloProvider({
+      token: ctx.account.token,
+      account: ctx.account,
+      abortSignal: ctx.abortSignal,
+      useWebhook: false,
+    });
+  },
+}));
+
+import { zaloPlugin } from "./channel.js";
+
+type ZaloGateway = NonNullable<typeof zaloPlugin.gateway>;
+type ZaloStartAccount = NonNullable<ZaloGateway["startAccount"]>;
+
+function requireStartAccount(): ZaloStartAccount {
+  const startAccount = zaloPlugin.gateway?.startAccount;
+  if (!startAccount) {
+    throw new Error("Expected Zalo gateway startAccount");
+  }
+  return startAccount;
+}
+
+function buildAccount(): ResolvedZaloAccount {
+  return {
+    accountId: "default",
+    enabled: true,
+    token: "test-token",
+    tokenSource: "config",
+    config: {},
+  };
+}
+
+function requireMonitorArgs() {
+  const [call] = hoisted.monitorZaloProvider.mock.calls;
+  if (!call) {
+    throw new Error("expected Zalo monitor call");
+  }
+  const [monitorArgs] = call;
+  return monitorArgs;
+}
+
+describe("zaloPlugin gateway.startAccount", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("keeps startAccount pending until abort", async () => {
+    hoisted.monitorZaloProvider.mockImplementationOnce(
+      async ({ abortSignal }: { abortSignal: AbortSignal }) =>
+        await new Promise<void>((resolve) => {
+          if (abortSignal.aborted) {
+            resolve();
+            return;
+          }
+          abortSignal.addEventListener("abort", () => resolve(), { once: true });
+        }),
+    );
+
+    const { abort, patches, task, isSettled } = startAccountAndTrackLifecycle({
+      startAccount: requireStartAccount(),
+      account: buildAccount(),
+    });
+
+    await expectPendingUntilAbort({
+      waitForStarted: waitForStartedMocks(hoisted.probeZalo, hoisted.monitorZaloProvider),
+      isSettled,
+      abort,
+      task,
+    });
+
+    expectLifecyclePatch(patches, { accountId: "default" });
+    expect(isSettled()).toBe(true);
+    expect(hoisted.monitorZaloProvider).toHaveBeenCalledTimes(1);
+    const monitorArgs = requireMonitorArgs();
+    expect(monitorArgs).toStrictEqual({
+      token: "test-token",
+      account: buildAccount(),
+      abortSignal: abort.signal,
+      useWebhook: false,
+    });
+  });
+});

package/src/channel.ts

@@ -0,0 +1,309 @@
+import { describeWebhookAccountSnapshot } from "klaw/plugin-sdk/account-helpers";
+import { DEFAULT_ACCOUNT_ID } from "klaw/plugin-sdk/account-id";
+import { formatAllowFromLowercase } from "klaw/plugin-sdk/allow-from";
+import {
+  adaptScopedAccountAccessor,
+  createScopedChannelConfigAdapter,
+  createScopedDmSecurityResolver,
+  mapAllowFromEntries,
+} from "klaw/plugin-sdk/channel-config-helpers";
+import type { ChannelAccountSnapshot } from "klaw/plugin-sdk/channel-contract";
+import {
+  buildChannelConfigSchema,
+  createChatChannelPlugin,
+  type ChannelPlugin,
+} from "klaw/plugin-sdk/channel-core";
+import { defineChannelMessageAdapter } from "klaw/plugin-sdk/channel-message";
+import {
+  buildOpenGroupPolicyRestrictSendersWarning,
+  buildOpenGroupPolicyWarning,
+  createOpenProviderGroupPolicyWarningCollector,
+} from "klaw/plugin-sdk/channel-policy";
+import {
+  createEmptyChannelResult,
+  createRawChannelSendResultAdapter,
+} from "klaw/plugin-sdk/channel-send-result";
+import { buildTokenChannelStatusSummary } from "klaw/plugin-sdk/channel-status";
+import type { KlawConfig } from "klaw/plugin-sdk/config-contracts";
+import { createStaticReplyToModeResolver } from "klaw/plugin-sdk/conversation-runtime";
+import { createChannelDirectoryAdapter } from "klaw/plugin-sdk/directory-runtime";
+import { listResolvedDirectoryUserEntriesFromAllowFrom } from "klaw/plugin-sdk/directory-runtime";
+import { createLazyRuntimeModule } from "klaw/plugin-sdk/lazy-runtime";
+import {
+  isNumericTargetId,
+  sendPayloadWithChunkedTextAndMedia,
+} from "klaw/plugin-sdk/reply-payload";
+import {
+  createComputedAccountStatusAdapter,
+  createDefaultChannelRuntimeState,
+} from "klaw/plugin-sdk/status-helpers";
+import { chunkTextForOutbound } from "klaw/plugin-sdk/text-chunking";
+import {
+  listZaloAccountIds,
+  resolveDefaultZaloAccountId,
+  resolveZaloAccount,
+  type ResolvedZaloAccount,
+} from "./accounts.js";
+import { zaloMessageActions } from "./actions.js";
+import { zaloApprovalAuth } from "./approval-auth.js";
+import { ZaloConfigSchema } from "./config-schema.js";
+import type { ZaloProbeResult } from "./probe.js";
+import { collectRuntimeConfigAssignments, secretTargetRegistryEntries } from "./secret-contract.js";
+import { resolveZaloOutboundSessionRoute } from "./session-route.js";
+import { createZaloSetupWizardProxy, zaloSetupAdapter } from "./setup-core.js";
+import { collectZaloStatusIssues } from "./status-issues.js";
+
+const meta = {
+  id: "zalo",
+  label: "Zalo",
+  selectionLabel: "Zalo (Bot API)",
+  docsPath: "/channels/zalo",
+  docsLabel: "zalo",
+  blurb: "Vietnam-focused messaging platform with Bot API.",
+  aliases: ["zl"],
+  order: 80,
+  quickstartAllowFrom: true,
+};
+
+function normalizeZaloMessagingTarget(raw: string): string | undefined {
+  const trimmed = raw?.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+  return trimmed.replace(/^(zalo|zl):/i, "").trim();
+}
+
+const loadZaloChannelRuntime = createLazyRuntimeModule(() => import("./channel.runtime.js"));
+const zaloSetupWizard = createZaloSetupWizardProxy(
+  async () => (await import("./setup-surface.js")).zaloSetupWizard,
+);
+const zaloTextChunkLimit = 2000;
+
+const zaloRawSendResultAdapter = createRawChannelSendResultAdapter({
+  channel: "zalo",
+  sendText: async ({ to, text, accountId, cfg }) =>
+    await (
+      await loadZaloChannelRuntime()
+    ).sendZaloText({
+      to,
+      text,
+      accountId: accountId ?? undefined,
+      cfg,
+    }),
+  sendMedia: async ({ to, text, mediaUrl, accountId, cfg }) =>
+    await (
+      await loadZaloChannelRuntime()
+    ).sendZaloText({
+      to,
+      text,
+      accountId: accountId ?? undefined,
+      mediaUrl,
+      cfg,
+    }),
+});
+
+export const zaloMessageAdapter = defineChannelMessageAdapter({
+  id: "zalo",
+  durableFinal: {
+    capabilities: {
+      text: true,
+      media: true,
+      messageSendingHooks: true,
+    },
+  },
+  send: {
+    text: async ({ to, text, accountId, cfg }) =>
+      await (
+        await loadZaloChannelRuntime()
+      ).sendZaloText({
+        to,
+        text,
+        accountId: accountId ?? undefined,
+        cfg,
+      }),
+    media: async ({ to, text, mediaUrl, accountId, cfg }) =>
+      await (
+        await loadZaloChannelRuntime()
+      ).sendZaloText({
+        to,
+        text,
+        accountId: accountId ?? undefined,
+        mediaUrl,
+        cfg,
+      }),
+  },
+});
+
+const zaloConfigAdapter = createScopedChannelConfigAdapter<ResolvedZaloAccount>({
+  sectionKey: "zalo",
+  listAccountIds: listZaloAccountIds,
+  resolveAccount: adaptScopedAccountAccessor(resolveZaloAccount),
+  defaultAccountId: resolveDefaultZaloAccountId,
+  clearBaseFields: ["botToken", "tokenFile", "name"],
+  resolveAllowFrom: (account: ResolvedZaloAccount) => account.config.allowFrom,
+  formatAllowFrom: (allowFrom) =>
+    formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalo|zl):/i }),
+});
+
+const resolveZaloDmPolicy = createScopedDmSecurityResolver<ResolvedZaloAccount>({
+  channelKey: "zalo",
+  resolvePolicy: (account) => account.config.dmPolicy,
+  resolveAllowFrom: (account) => account.config.allowFrom,
+  policyPathSuffix: "dmPolicy",
+  normalizeEntry: (raw) => raw.trim().replace(/^(zalo|zl):/i, ""),
+});
+
+const collectZaloSecurityWarnings = createOpenProviderGroupPolicyWarningCollector<{
+  cfg: KlawConfig;
+  account: ResolvedZaloAccount;
+}>({
+  providerConfigPresent: (cfg) => cfg.channels?.zalo !== undefined,
+  resolveGroupPolicy: ({ account }) => account.config.groupPolicy,
+  collect: ({ account, groupPolicy }) => {
+    if (groupPolicy !== "open") {
+      return [];
+    }
+    const explicitGroupAllowFrom = mapAllowFromEntries(account.config.groupAllowFrom);
+    const dmAllowFrom = mapAllowFromEntries(account.config.allowFrom);
+    const effectiveAllowFrom =
+      explicitGroupAllowFrom.length > 0 ? explicitGroupAllowFrom : dmAllowFrom;
+    if (effectiveAllowFrom.length > 0) {
+      return [
+        buildOpenGroupPolicyRestrictSendersWarning({
+          surface: "Zalo groups",
+          openScope: "any member",
+          groupPolicyPath: "channels.zalo.groupPolicy",
+          groupAllowFromPath: "channels.zalo.groupAllowFrom",
+        }),
+      ];
+    }
+    return [
+      buildOpenGroupPolicyWarning({
+        surface: "Zalo groups",
+        openBehavior:
+          "with no groupAllowFrom/allowFrom allowlist; any member can trigger (mention-gated)",
+        remediation: 'Set channels.zalo.groupPolicy="allowlist" + channels.zalo.groupAllowFrom',
+      }),
+    ];
+  },
+});
+
+export const zaloPlugin: ChannelPlugin<ResolvedZaloAccount, ZaloProbeResult> =
+  createChatChannelPlugin({
+    base: {
+      id: "zalo",
+      meta,
+      setup: zaloSetupAdapter,
+      setupWizard: zaloSetupWizard,
+      capabilities: {
+        chatTypes: ["direct", "group"],
+        media: true,
+        reactions: false,
+        threads: false,
+        polls: false,
+        nativeCommands: false,
+        blockStreaming: true,
+      },
+      reload: { configPrefixes: ["channels.zalo"] },
+      configSchema: buildChannelConfigSchema(ZaloConfigSchema),
+      config: {
+        ...zaloConfigAdapter,
+        isConfigured: (account) => Boolean(account.token?.trim()),
+        describeAccount: (account): ChannelAccountSnapshot =>
+          describeWebhookAccountSnapshot({
+            account,
+            configured: Boolean(account.token?.trim()),
+            mode: account.config.webhookUrl ? "webhook" : "polling",
+            extra: {
+              tokenSource: account.tokenSource,
+            },
+          }),
+      },
+      approvalCapability: zaloApprovalAuth,
+      secrets: {
+        secretTargetRegistryEntries,
+        collectRuntimeConfigAssignments,
+      },
+      groups: {
+        resolveRequireMention: () => true,
+      },
+      actions: zaloMessageActions,
+      messaging: {
+        targetPrefixes: ["zalo", "zl"],
+        normalizeTarget: normalizeZaloMessagingTarget,
+        resolveOutboundSessionRoute: (params) => resolveZaloOutboundSessionRoute(params),
+        targetResolver: {
+          looksLikeId: isNumericTargetId,
+          hint: "<chatId>",
+        },
+      },
+      directory: createChannelDirectoryAdapter({
+        listPeers: async (params) =>
+          listResolvedDirectoryUserEntriesFromAllowFrom<ResolvedZaloAccount>({
+            ...params,
+            resolveAccount: adaptScopedAccountAccessor(resolveZaloAccount),
+            resolveAllowFrom: (account) => account.config.allowFrom,
+            normalizeId: (entry) => entry.trim().replace(/^(zalo|zl):/i, ""),
+          }),
+        listGroups: async () => [],
+      }),
+      status: createComputedAccountStatusAdapter<ResolvedZaloAccount, ZaloProbeResult>({
+        defaultRuntime: createDefaultChannelRuntimeState(DEFAULT_ACCOUNT_ID),
+        collectStatusIssues: collectZaloStatusIssues,
+        buildChannelSummary: ({ snapshot }) => buildTokenChannelStatusSummary(snapshot),
+        probeAccount: async ({ account, timeoutMs }) =>
+          await (await loadZaloChannelRuntime()).probeZaloAccount({ account, timeoutMs }),
+        resolveAccountSnapshot: ({ account }) => {
+          const configured = Boolean(account.token?.trim());
+          return {
+            accountId: account.accountId,
+            name: account.name,
+            enabled: account.enabled,
+            configured,
+            extra: {
+              tokenSource: account.tokenSource,
+              mode: account.config.webhookUrl ? "webhook" : "polling",
+              dmPolicy: account.config.dmPolicy ?? "pairing",
+            },
+          };
+        },
+      }),
+      gateway: {
+        startAccount: async (ctx) =>
+          await (await loadZaloChannelRuntime()).startZaloGatewayAccount(ctx),
+      },
+      message: zaloMessageAdapter,
+    },
+    security: {
+      resolveDmPolicy: resolveZaloDmPolicy,
+      collectWarnings: collectZaloSecurityWarnings,
+    },
+    pairing: {
+      text: {
+        idLabel: "zaloUserId",
+        message: "Your pairing request has been approved.",
+        normalizeAllowEntry: (entry) => entry.trim().replace(/^(zalo|zl):/i, ""),
+        notify: async (params) =>
+          await (await loadZaloChannelRuntime()).notifyZaloPairingApproval(params),
+      },
+    },
+    threading: {
+      resolveReplyToMode: createStaticReplyToModeResolver("off"),
+    },
+    outbound: {
+      deliveryMode: "direct",
+      chunker: chunkTextForOutbound,
+      chunkerMode: "text",
+      textChunkLimit: zaloTextChunkLimit,
+      sendPayload: async (ctx) =>
+        await sendPayloadWithChunkedTextAndMedia({
+          ctx,
+          textChunkLimit: zaloTextChunkLimit,
+          chunker: chunkTextForOutbound,
+          sendText: (nextCtx) => zaloRawSendResultAdapter.sendText!(nextCtx),
+          sendMedia: (nextCtx) => zaloRawSendResultAdapter.sendMedia!(nextCtx),
+          emptyResult: createEmptyChannelResult("zalo"),
+        }),
+      ...zaloRawSendResultAdapter,
+    },
+  });

package/src/config-schema.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it } from "vitest";
+import { ZaloConfigSchema } from "./config-schema.js";
+
+describe("ZaloConfigSchema SecretInput", () => {
+  it("accepts SecretRef botToken and webhookSecret at top-level", () => {
+    const result = ZaloConfigSchema.safeParse({
+      botToken: { source: "env", provider: "default", id: "ZALO_BOT_TOKEN" },
+      webhookUrl: "https://example.com/zalo",
+      webhookSecret: { source: "env", provider: "default", id: "ZALO_WEBHOOK_SECRET" },
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it("accepts SecretRef botToken and webhookSecret on account", () => {
+    const result = ZaloConfigSchema.safeParse({
+      accounts: {
+        work: {
+          botToken: { source: "env", provider: "default", id: "ZALO_WORK_BOT_TOKEN" },
+          webhookUrl: "https://example.com/zalo/work",
+          webhookSecret: {
+            source: "env",
+            provider: "default",
+            id: "ZALO_WORK_WEBHOOK_SECRET",
+          },
+        },
+      },
+    });
+    expect(result.success).toBe(true);
+  });
+});

package/src/config-schema.ts

@@ -0,0 +1,29 @@
+import {
+  AllowFromListSchema,
+  buildCatchallMultiAccountChannelSchema,
+  DmPolicySchema,
+  GroupPolicySchema,
+  MarkdownConfigSchema,
+} from "klaw/plugin-sdk/channel-config-schema";
+import { z } from "zod";
+import { buildSecretInputSchema } from "./secret-input.js";
+
+const zaloAccountSchema = z.object({
+  name: z.string().optional(),
+  enabled: z.boolean().optional(),
+  markdown: MarkdownConfigSchema,
+  botToken: buildSecretInputSchema().optional(),
+  tokenFile: z.string().optional(),
+  webhookUrl: z.string().optional(),
+  webhookSecret: buildSecretInputSchema().optional(),
+  webhookPath: z.string().optional(),
+  dmPolicy: DmPolicySchema.optional(),
+  allowFrom: AllowFromListSchema,
+  groupPolicy: GroupPolicySchema.optional(),
+  groupAllowFrom: AllowFromListSchema,
+  mediaMaxMb: z.number().optional(),
+  proxy: z.string().optional(),
+  responsePrefix: z.string().optional(),
+});
+
+export const ZaloConfigSchema = buildCatchallMultiAccountChannelSchema(zaloAccountSchema);