@lansenger-pm/openclaw-lansenger-channel 3.12.0 → 3.12.2

package/CHANGELOG.md

@@ -0,0 +1,310 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/), and this project adheres to [Semantic Versioning](https://semver.org/).
+
+## [3.12.2] - 2026-06-03
+
+### Outbound Hook Expansion
+
+- **`reply_payload_sending` hook**: Register typed plugin hook via `api.on()` for lansenger channel. Intercepts reply payloads before delivery for logging, approval context injection, and payload rewrite/cancel decisions.
+- **`normalizePayload` expansion**: Code block detection (`\`\`\``) now marks `_lansengerFormatText: true` even when payload has `mediaUrl` or `presentation`, ensuring Markdown rendering for code-rich replies.
+- **`beforeDeliverPayload` approval-resolved**: When `hint.kind === "approval-resolved"`, proactively updates the original appCard status via `updateDynamicCard`. Provides crash-recovery safety for card status updates since the delivery pipeline replays on gateway restart.
+- **`shouldSuppressLocalPayloadPrompt`**: Suppresses local text prompt when native approval route is active (`hint.kind === "approval-pending"` with `nativeRouteActive === true`). Prevents duplicate approval prompts (native appCard + local text).
+- **`pendingApprovalCards` Map**: Tracks sent approval card messageIds keyed by chatId, enabling `beforeDeliverPayload` to correlate approval-resolved payloads with the original card.
+- **Text chunking**: Add `textChunkLimit: 4000`, `chunkerMode: "markdown"`, and `chunker` (using SDK `chunkMarkdownTextWithMode`). Long agent replies are automatically split into multiple Lansenger messages, preserving Markdown structure across chunks.
+- **`resolveEffectiveTextChunkLimit`**: Uses SDK `resolveTextChunkLimit` to allow config-level override of the chunk limit.
+
+### Approval Flow Enhancement
+
+- `approvalCapability.transport.send` now stores card `messageId` in `pendingApprovalCards` Map for later correlation in `beforeDeliverPayload`.
+- Card status updates (pending → approved/denied) now happen both via `transport.update` (approval framework) and `beforeDeliverPayload` (delivery pipeline). The latter provides crash-recovery safety.
+
+## [3.12.1] - 2026-06-03
+
+### OpenClaw 2026.5.28 Compatibility
+
+- Pin npm install spec to exact version (`@lansenger-pm/openclaw-lansenger-channel@3.12.1`) to prevent supply-chain attacks and accidental upgrades.
+- Thread canonical `sessionKey` into outbound hooks (`sendText`, `sendMedia`, `sendFormattedText`) for multi-session/multi-agent routing and dedup.
+- Register `message_sending` hook in gateway startup for early-stage reply interception.
+- Add `normalizePayload` and `beforeDeliverPayload` callbacks on outbound base (structural preparation for `reply_payload_sending` hook).
+- Add session-scoped delivery dedup (`sessionDeliveryTracker`) to prevent duplicate sends across turns in the same session.
+- Fallback `sessionKey` now includes `accountId` for multi-bot scenarios (`agent:main:lansenger:<accountId>:<chatType>:<chatId>`).
+- Bump `openclaw` devDependency to `^2026.5.28`.
+
+### Security
+
+- **SecretRef support for appSecret**: `resolveAccount()` now detects SecretRef objects via `coerceSecretRef()` and resolves from env vars. No need to store appSecret as plaintext in config.
+- **Plaintext appSecret warning**: `resolveAccount()` now emits a `log.warn` when `appSecret` is stored as a plaintext string in `openclaw.json`, advising migration to SecretRef via `openclaw secrets configure`.
+- **README security notes**: All 5 locale READMEs now include a prominent security advisory urging users to migrate plaintext `appSecret` to SecretRef storage.
+- **SSRF protection for sendImageUrl**: `assertHttpUrlTargetsPrivateNetwork()` blocks RFC1918/link-local/metadata-IP targets by default (aligned with Feishu/Discord/BlueBubbles channels in 2026.5.28).
+- **`dangerouslyAllowPrivateNetwork` config**: Opt-in at top-level or per-account to allow private network image URLs. Audit finding (`lansenger/dangerously-allow-private-network`) warns when enabled.
+- **`mediaLocalRoots` config**: Restrict local file delivery to configured directories. If empty, all paths allowed. Prevents agents from accessing arbitrary files outside allowed roots. Available at top-level and per-account.
+- **Path validation**: `isPathAllowed()` validates local file paths against `mediaLocalRoots` before delivery; blocked paths are logged and skipped.
+
+## [3.12.0] - 2026-05-29
+
+### OpenClaw 2026.5.27 Compatibility
+
+- Migrate `api.runtime.channel.turn` → `api.runtime.channel.inbound` (OpenClaw removed the old `turn` runtime alias from `PluginRuntimeChannel`; the new `inbound` namespace provides the same `run` function with identical parameters).
+- Bump `openclaw` devDependency from `^2026.5.20` to `^2026.5.27`.
+- Split changelog out of READMEs into standalone `CHANGELOG.md` (all 5 locale READMEs now reference this file).
+
+## [3.11.0] - 2026-05-26
+
+### Breaking Changes
+
+- Remove `child_process` dependency (was blocking OpenClaw install due to security scan).
+- Video messages now require manual `coverImagePath` + `videoWidth`/`videoHeight`/`videoDuration` params (use ffmpeg/ffprobe before calling send-file; auto-probing removed because it depended on child_process).
+
+### Bug Fixes
+
+- Inbound video cover downloaded as image type (previously misclassified).
+
+## [3.10.0] - 2026-05-22
+
+### Features
+
+- Fix video message: Lansenger API requires `mediaIds=[video, coverImage]` (2 elements). `sendFile()` auto-extracts first frame via ffmpeg and uploads as cover image.
+- `send-text` with file attachment now uses correct mediaType instead of hardcoded `3`.
+
+### Bug Fixes
+
+- Inbound video downloads cover as image type.
+- Auto-probe video metadata (width/height/duration) via ffprobe for video uploads.
+
+## [3.9.0] - 2026-05-20
+
+### Features
+
+- Switch file upload to `/v1/app/medias/create` API (supports larger files up to 10M/20M, uses string type `image`/`video`/`audio`/`file` instead of numeric media type).
+- Previous `/v1/medias/create` was limited to 1M and intended for avatar uploads only.
+
+## [3.8.2] - 2026-05-20
+
+### Features
+
+- Add `security.collectWarnings` and `security.collectAuditFindings` for `openclaw doctor --lint` integration. Checks: credentials missing/incomplete, dmPolicy not pairing, apiGatewayUrl not set, group config unused.
+- Add `doctor.repairConfig` to auto-fix dmPolicy to pairing.
+- Require OpenClaw >= 2026.5.20.
+- Fix apiGatewayUrl lint check to skip when accounts have gateway set.
+
+## [3.7.9] - 2026-05-18
+
+### Features
+
+- **Inbound debounce**: integrate OpenClaw `messages.inbound.debounceMs` for merging rapid consecutive messages (uses `createChannelInboundDebouncer` + `shouldDebounceTextInbound` from `openclaw/plugin-sdk/channel-inbound`).
+- **Ack message feature**: send a brief acknowledgment before agent processing. Config: `ackMessage` (bool, default false), `ackMessageTextZh` / `ackMessageTextEn` (auto-detected language), `revokeAckMessage` (bool, default true — auto-revokes ack after reply delivery).
+- Account-level `ackMessage`/`revokeAckMessage` inherits from top-level when not explicitly set; `!== undefined` check so account-level `false` overrides top-level `true`.
+- Rebind messageHandler on WS adopt to pick up updated account config (ack/debounce).
+- Always disconnect+reconnect WS on `gatewayStartAccount` to ensure updated handler config is active.
+- Sanitize placeholder IDs in docs and config — use generic `orgId-applicationId` format instead of real IDs.
+
+### Bug Fixes
+
+- Fix `ackMessage` not resolved from top-level config in multi-account mode.
+- Fix `apiGatewayUrl` lint check to skip when accounts have gateway set.
+
+## [3.6.0] - 2026-05-16
+
+### Bug Fixes
+
+- Fix health-monitor infinite restart loop: register `gateway.startAccount`/`stopAccount` so channelManager runtime store gets `running=true` + `connected=true`.
+- WS lifecycle callbacks (`onOpen`/`onClose`) report connection status changes to runtime store via `createAccountStatusSink`.
+- Fix `account.configured` in `buildAccountSnapshot` to avoid false negative from `inspectAccount` desensitized object.
+
+## [3.5.0] - 2026-05-14
+
+### Features
+
+- **Per-turn dedup**: prevent duplicate text/media delivery within a single inbound turn.
+- Strip OpenClaw UUID suffix from filenames (removes `---<uuid>` pattern from upload filenames).
+- MEDIA whitelist docs in SKILL.md; `alsoAllow` tip in README; README accuracy fixes across all 5 locales.
+- Add runtime API diagnostic logging, try-catch guards, WS state logging, heartbeat zombie detection.
+
+### Bug Fixes
+
+- Exclude test files from npm package (fix OpenClaw security scan blocking install).
+- Add OpenClaw device pairing troubleshooting section (all 5 locales).
+
+## [3.4.5] - 2026-05-12
+
+### Bug Fixes
+
+- Fix duplicate delivery — `deliver()` deferred to outbound adapter; text dedup + empty caption for files.
+- Fix filename: pass `originalName` in else branch too; add upload filename debug logging.
+
+## [3.3.0] - 2026-05-10
+
+### Features
+
+- **Merge tools into channel plugin**: all 9 agent tools (`send_file`, `send_text`, `send_format_text`, `send_image_url`, `revoke_message`, `send_link_card`, `send_app_articles`, `send_app_card`, `update_dynamic_card`, `query_groups`) are now built-in. No separate `openclaw-lansenger-tools` plugin needed.
+- Add `contracts.tools` + `toolMetadata` to plugin manifest.
+- Remove `companionPlugins` + `peerDependencies` on tools plugin.
+- `message(action=send)` with `filePath` param sends file attachment; no MEDIA tags needed.
+
+## [3.2.10] - 2026-05-08
+
+### Features
+
+- Startup warning for missing `group:plugins` in tool allowlist (`openclaw doctor` integration).
+- `configWrites` in channel config schema (allows Lansenger to auto-write config like `homeChannel`).
+- Companion plugin cross-runtime state via `globalThis.__lansenger_channel` (`getRunningClient`, `getRunningAccount`, `getLastInboundChatId`).
+- **Slash command authorization**: enables `/new`, `/reset` etc. for Lansenger DM sessions (uses `shouldHandleTextCommands`, `isControlCommandMessage`, `resolveCommandAuthorizedFromAuthorizers` from OpenClaw SDK).
+- **DM pairing enforcement**: pairing mode blocks unauthorized DMs; command auth bypasses pairing for approved users.
+- CLI multi-credential profile support (`--profile <appId>`).
+
+## [3.1.0] - 2026-05-06
+
+### Features
+
+- **Multi-account setup wizard**: add multiple bots with independent App IDs; agent routing via `bindings[]` config.
+- Migrate `dmSecurity` → `dmPolicy` (OpenClaw standard: `pairing`, `allowlist`, `open`, `disabled`).
+- Bilingual wizard prompts (Chinese + English).
+- Credential `shouldPrompt` skips already-configured steps.
+- Clean multi-account config migration: top-level credentials → `accounts.<appId>` when adding second bot.
+
+## [3.0.0] - 2026-05-04
+
+### Features
+
+- Add `lansenger_send_format_text` tool (Markdown + @mention support via `formatText` API).
+- Rewrite SKILL.md from agent perspective: remove internal implementation details, focus on actionable decision rules.
+- Fix `headStatusInfo` description+colour semantics for dynamic appCard approval cards.
+- Add `.opencode/` to `.gitignore`.
+
+### Bug Fixes
+
+- Fix SKILL.md nested code blocks, missing params, false group-chat fallback warnings.
+- Emphasize `@姓名` in group mentions (formatText reminder guidance).
+
+## [2.10.0] - 2026-04-28
+
+### Features
+
+- **px→pt auto-conversion**: `sendAppCard` converts CSS `font-size` from px to pt (Lansenger requires pt; px renders incorrectly).
+- `sendImageUrl` error classification: distinguishes 404/5xx/timeout/content-type mismatches.
+- Tool registration logging for debugging.
+
+## [2.9.12] - 2026-04-26
+
+### Features
+
+- **Status adapter**: expose channel status via `buildChannelSummary` + `probeAccount` + `buildAccountSnapshot`.
+- **Env var fallback**: `LANSENGER_APP_ID`, `LANSENGER_APP_SECRET`, `LANSENGER_API_GATEWAY_URL` used when config not set.
+- GUI config cleanup: remove `defaultAccount`, add `uiHints` for all fields.
+- Move `openclaw` to `devDependencies` only (compile-first, publish-compiled; runtime deps now only `ws`).
+
+## [2.8.1] - 2026-04-24
+
+### Features
+
+- **OpenClaw bindings multi-agent routing**: use `resolveAgentRoute` from SDK for agent routing; remove per-account `agentId` and `BindingManager`/`execSync` dependency.
+- **Group access control**: `groupPolicy` (`open`/`allowlist`/`disabled`), `groupAllowFrom`, per-group `groups` config (`requireMention`, `enabled`, `allowFrom`).
+- Rename channel identifier to `Lansenger`; then revert to lowercase `lansenger` (SDK requires lowercase).
+- SKILL.md frontmatter aligned with `AgentSkills` spec.
+
+## [2.7.0] - 2026-04-22
+
+### Features
+
+- Register tools as plain objects (not factory functions) — external plugin capture API only accepts non-function tool descriptors.
+- Use runtime state for client/account/target instead of ctx closure.
+- Add VERSION file; complete changelog in all 5 README locales.
+
+## [2.6.0] - 2026-04-20
+
+### Bug Fixes
+
+- Register tools unconditionally — resolve account at execute time instead of registration time (fixes `tools.allow 'no registered tools matched'`).
+- Removed phantom `delete_message` tool.
+
+## [2.5.0] - 2026-04-18
+
+### Features
+
+- `formatText` reminder support (auto-fallback: strips reminder on API error).
+- `AppArticles` uses `summary` field (not `description`).
+- Revoke `chatType` limited to `bot`/`group` only.
+- Remove `staff chat` concept — only group chat and DM.
+- Add `deleteMessage` + `sysMsg` for revoke (rollback: both not working, removed).
+
+## [2.4.0] - 2026-04-16
+
+### Bug Fixes
+
+- Fix message body assembly: `wrap()` excludes `msgType` from `msgData`; `appArticles` uses correct `msgType`/`summary`/flat array.
+- `linkCard` adds missing required params.
+
+## [2.3.0] - 2026-04-14
+
+### Features
+
+- Remove legacy `sendGroupText`/`sendGroupFormatText`; all routing via `msgTarget(chatId)` helper (determines private vs group endpoint automatically).
+
+## [2.2.0] - 2026-04-12
+
+### Features
+
+- Add 9 dedicated agent tools: `send_file`, `send_text`, `send_format_text`, `send_image_url`, `revoke_message`, `send_link_card`, `send_app_articles`, `send_app_card`, `update_dynamic_card`, `query_groups`.
+- Add `queryGroups` + `updateDynamicCard` client methods.
+- Add `contracts.tools` + `toolMetadata` to plugin.json.
+- Fix chatId lowercase bug — `resolveSessionTarget` case-insensitive fallback.
+- Fix `uploadMedia` endpoint, stop key mismatch, `sendCard` dynamic params & `headTitle`.
+- Fix WS reconnect — `startAccount` checks `isWsAlive()` before skipping, cleans stale entries.
+
+## [2.1.0] - 2026-04-10
+
+### Features
+
+- **sendAttachment → send action**: merge `sendAttachment` into `send` action — `filePath` param in `send` action sends file, no MEDIA tags needed. Align with Telegram pattern.
+- `send` action auto-resolves target from `sessionKey`/`requesterSenderId` — `to` param optional.
+
+## [2.0.0] - 2026-04-08
+
+### Breaking Changes
+
+- **Migrate to Channel Turn Kernel**: replace `BindingManager`/`execSync` with OpenClaw's `channel.inbound.run` for inbound processing.
+- Remove bind/unbind/bindings gateway methods — use config-based `agentId` and `bindings[]`.
+- Add `defaultAccount` concept.
+
+### Features
+
+- Add `runtimeExtensions`/`runtimeSetupEntry` per SDK entrypoint best practices.
+- Add complete `openclaw.channel` metadata: `order`, `docsPath`, `markdownCapable`, `exposure`, `aliases`, `quickstartAllowFrom`.
+- Rewrite SKILL.md from agent perspective.
+
+## [1.0.3] - 2026-04-04
+
+### Features
+
+- Quick Start section in all READMEs: one-command setup with `openclaw channels add`, pairing approval flow.
+- Multi-bot config: warn that `channels add` overwrites, show `config set` for additional accounts.
+- Replace real AppIDs with placeholder values in examples.
+- Document extensions workaround for OpenClaw CLI discovery bug.
+- Add `openclaw.channel` metadata.
+
+### Bug Fixes
+
+- Fix README install commands: use `--channel` flag, split `--base-url` as optional for enterprise.
+- Fix autoStart: include top-level account when not duplicated in accounts.
+
+## [1.0.1] - 2026-04-02
+
+### Bug Fixes
+
+- Fix README `dmSecurity` example: `allowlist` → `paired`.
+- Fix README install instructions format.
+
+## [1.0.0] - 2026-04-01
+
+### Initial Release
+
+- Lansenger (蓝信) channel plugin for OpenClaw.
+- WebSocket inbound long connection.
+- HTTP API outbound: `sendText`, `sendFormatText`, `sendImage`, `sendFile`, `sendLinkCard`, `sendAppCard`, `sendAppArticles`.
+- Multi-language READMEs (en, zhHans, zhHant, zhHantHK, fr).
+- DM security: pairing mode (default), allowlist, open, disabled.
+- Approval workflow: appCard with `headStatusInfo` for pending/approved/denied states.
+- Auto-start WebSocket gateway on plugin activation.

package/README.fr.md

@@ -122,6 +122,16 @@ Ajoutez ces variables à `~/.openclaw/.env` ou à votre environnement :
 
 Les identifiants peuvent aussi être fournis via la configuration `openclaw.json` (voir Configuration optionnelle ci-dessous). Les valeurs de configuration sont prioritaires ; les variables d'environnement sont utilisées comme repli lorsque la configuration n'est pas définie.
 
+> ⚠️ **Sécurité : Migrez appSecret vers le stockage SecretRef**
+>
+> Depuis v3.12.1, le plugin de canal Lansenger supporte OpenClaw SecretRef pour `appSecret`. Si votre `appSecret` est stocké en texte brut dans `openclaw.json`, tout outil de workspace qui lit la configuration peut le voir. Migrez en exécutant :
+>
+> ```
+> openclaw secrets configure
+> ```
+>
+> Sélectionnez le champ `channels.lansenger.accounts.*.appSecret` pour le convertir en SecretRef. Après migration, la configuration contiendra `__OPENCLAW_SECRET__({ref_id})` au lieu de la valeur brute, tandis que la valeur réelle est stockée dans le magasin d'identifiants du système.
+
 ### Obtenir les identifiants
 
 **Client Lansenger (desktop)** → **Contacts** → **Bots** → **Bots personnels** → cliquer sur l'icône **ℹ️**
@@ -444,27 +454,7 @@ Les mises à jour de statut d'approbation utilisent le format DynamicMsg appCard
 
 ## Journal des modifications
 
-- **v3.11.0** — Suppression de la dépendance `child_process` (bloquait l'install OpenClaw). Vidéo requiert désormais `coverImagePath` + `videoWidth/Height/Duration` manuels (ffmpeg/ffprobe avant send-file). Vidéo entrante : couverture en type image.
-- **v3.10.0** — Correction des messages vidéo : l'API exige `mediaIds=[vidéo, imageCouverture]` (2 éléments). `sendFile()` extrait automatiquement la première frame via ffmpeg et l'upload comme couverture. `send-text` avec fichier utilise désormais le mediaType correct au lieu du codé en dur `3`. Vidéo entrante : couverture téléchargée comme type image.
-- **v3.9.0** — Passage à l'API `/v1/app/medias/create` pour l'upload de fichiers (fichiers plus volumineux, 10M/20M par défaut, type en chaîne `image`/`video`/`audio`/`file` au lieu de numérique). L'ancienne API `/v1/medias/create` était limitée à 1M et destinée aux avatars uniquement.
-- **v3.8.0** — Ajout de `security.collectWarnings` et `security.collectAuditFindings` pour `openclaw doctor --lint` (vérifications : identifiants absents/incomplets, dmPolicy non pairing, apiGatewayUrl non défini, config de groupe inutilisée). Ajout de `doctor.repairConfig` pour auto-corriger dmPolicy. Requiert OpenClaw >= 2026.5.20.
-- **v3.7.0** — Debounce entrant : intégration d'OpenClaw `messages.inbound.debounceMs` pour fusionner les messages consécutifs rapides ; fonctionnalité de message ack (`ackMessage` / `revokeAckMessage` config) : envoyer « reçu, en cours de traitement... » avant le traitement, révocabilité automatique après la réponse (`revokeAckMessage` défaut `true`), langue auto-détectée
-- **v3.6.0** — Correction boucle de redémarrage infini du health-monitor : enregistrement `gateway.startAccount`/`stopAccount` pour que le channelManager runtime store reçoive `running=true` + `connected=true` ; callbacks WS lifecycle rapportent les changements de connexion via `createAccountStatusSink`
-- **v3.5.0** — Correction de la livraison en double des messages (déduplication par tour) ; suppression du suffixe UUID OpenClaw des noms de fichiers ; documentation whitelist MEDIA ; conseil alsoAllow ; corrections d'exactitude README
-- **v3.3.0** — Fusion du plugin tools dans le plugin canal ; outils agent désormais intégrés (pas d'installation séparée) ; suppression des peerDependencies sur `@lansenger-pm/openclaw-lansenger-tools`
-- **v3.2.10** — Alerte au démarrage si `group:plugins` absent de l'allowlist ; `configWrites` dans le schema de config canal ; plugin compagnon via `globalThis.__lansenger_channel`
-- **v3.1.0** — Wizard multi-compte ; alignement dmPolicy (dmSecurity→dmPolicy + paired→pairing) ; prompts bilingues ; shouldPrompt skip steps configurés ; migration config multi-compte
-- **v3.0.0** — Ajout `lansenger_send_format_text` (Markdown + @mention) ; réécriture SKILL.md ; correction headStatusInfo description+colour
-- **v2.10.0** — Conversion px→pt appCard ; classification erreurs sendImageUrl ; journalisation outils
-- **v2.9.0** — Adaptateur statut ; repli env vars ; uiHints chinois ; README nettoyage (5 langues)
-- **v2.8.0** — Routage multi-agent OpenClaw `bindings[]` ; groupPolicy/groupAllowFrom/groups ; SKILL.md AgentSkills
-- **v2.7.0** — Enregistrement outils objets simples ; état runtime client/target
-- **v2.6.0** — Enregistrement inconditionnel ; suppression ghost delete_message
-- **v2.5.0** — formatText reminder ; AppArticles `summary` ; revoke bot/group uniquement
-- **v2.4.0** — Correction assemblage message ; corrections appArticles/linkCard
-- **v2.3.0** — Suppression envoi groupe/privé legacy ; routage via msgTarget
-- **v2.2.0** — Ajout 9 outils agent
-- **v2.0.0** — Version initiale
+Historique complet des versions : [CHANGELOG.md](CHANGELOG.md).
 
 ## Licence
 

package/README.md

@@ -114,6 +114,16 @@ Add these to `~/.openclaw/.env` or your environment:
 
 Credentials can also be provided via `openclaw.json` config (see Optional Configuration below). Config values take precedence; env vars are used as fallback when config is unset.
 
+> ⚠️ **Security: Migrate appSecret to SecretRef storage**
+>
+> As of v3.12.1, the Lansenger channel plugin supports OpenClaw SecretRef for `appSecret`. If your `appSecret` is stored as plaintext in `openclaw.json`, any workspace tool that reads config can see it. Migrate by running:
+>
+> ```
+> openclaw secrets configure
+> ```
+>
+> Select the `channels.lansenger.accounts.*.appSecret` field to convert it to a SecretRef. After migration, the config will contain `__OPENCLAW_SECRET__({ref_id})` instead of the raw secret value, while the actual value is stored in the system credential store.
+
 ### Get Credentials
 
 **Lansenger Desktop** → **Contacts** → **Bots** → **Personal Bots** → click **ℹ️** icon
@@ -436,27 +446,7 @@ Approval status updates use the DynamicMsg appCard format. The `updateCardStatus
 
 ## Changelog
 
-- **v3.11.0** — Remove `child_process` dependency (was blocking OpenClaw install). Video now requires manual `coverImagePath` + `videoWidth/Height/Duration` params (use ffmpeg/ffprobe before calling send-file). Inbound video cover downloaded as image type.
-- **v3.10.0** — Fix video message: API requires `mediaIds=[video, coverImage]` (2 elements). `sendFile()` now auto-extracts first frame via ffmpeg and uploads as cover. `send-text` with file attachment now uses correct mediaType instead of hardcoded `3`. Inbound video downloads cover as image type.
-- **v3.9.0** — Switch file upload to `/v1/app/medias/create` API (supports larger files up to 10M/20M, uses string type `image`/`video`/`audio`/`file` instead of numeric media type). Previous `/v1/medias/create` was limited to 1M and intended for avatar uploads only.
-- **v3.8.0** — Add `security.collectWarnings` and `security.collectAuditFindings` for `openclaw doctor --lint` integration (checks: credentials missing/incomplete, dmPolicy not pairing, apiGatewayUrl not set, group config unused). Add `doctor.repairConfig` to auto-fix dmPolicy to pairing. Require OpenClaw >= 2026.5.20.
-- **v3.7.0** — Inbound debounce: integrate OpenClaw `messages.inbound.debounceMs` for merging rapid consecutive messages; ack message feature (`ackMessage` / `revokeAckMessage` config): send a brief acknowledgment before agent processing, optionally auto-revoked after reply (`revokeAckMessage` default `true`), language auto-detected
-- **v3.6.0** — Fix health-monitor infinite restart loop: register `gateway.startAccount`/`stopAccount` so channelManager runtime store gets `running=true` + `connected=true`; WS lifecycle callbacks report connection status changes to runtime store via `createAccountStatusSink`
-- **v3.5.0** — Fix duplicate message delivery (per-turn dedup); strip OpenClaw UUID suffix from filenames; MEDIA whitelist docs; alsoAllow tip; README accuracy fixes
-- **v3.3.0** — Merge tools plugin into channel plugin; agent tools now built-in (no separate install); remove peerDependencies on `@lansenger-pm/openclaw-lansenger-tools`
-- **v3.2.10** — Startup warning for missing `group:plugins` in tool allowlist; `configWrites` in channel config schema; companion plugin cross-runtime state via `globalThis.__lansenger_channel`
-- **v3.1.0** — Multi-account setup wizard; dmPolicy/dmSecurity→dmPolicy+pairing (OpenClaw standard); bilingual prompts; credential shouldPrompt skips configured steps; clean multi-account config migration
-- **v3.0.0** — Add `lansenger_send_format_text` tool (Markdown + @mention); rewrite SKILL.md; fix headStatusInfo description+colour semantics
-- **v2.10.0** — font-size px→pt auto-conversion; sendImageUrl error classification; tool registration logging
-- **v2.9.0** — Status adapter; env var fallback; uiHints; README cleanup (5 locales)
-- **v2.8.0** — OpenClaw `bindings[]` multi-agent routing; groupPolicy/groupAllowFrom/groups access control; SKILL.md AgentSkills spec
-- **v2.7.0** — Plain-object tool registration; runtime state for client/target
-- **v2.6.0** — Register tools unconditionally; removed phantom delete_message
-- **v2.5.0** — formatText reminder; appArticles `summary`; revoke chatType bot/group only
-- **v2.4.0** — Fix message body assembly; appArticles/linkCard field fixes
-- **v2.3.0** — Remove legacy group/private send; all routing via msgTarget
-- **v2.2.0** — Add 9 agent tools
-- **v2.0.0** — Initial release
+See [CHANGELOG.md](CHANGELOG.md) for the full version history.
 
 ## License
 

package/README.zhHans.md

@@ -122,6 +122,16 @@ openclaw pairing approve lansenger <配对码>
 
 凭证也可通过 `openclaw.json` 配置提供（见下方可选配置）。配置值优先；环境变量仅在配置未设置时作为回退。
 
+> ⚠️ **安全：将 appSecret 迁移至 SecretRef 存储**
+>
+> 自 v3.12.1 起，蓝信频道插件支持 OpenClaw SecretRef 存储 `appSecret`。如果 `appSecret` 以明文存储在 `openclaw.json` 中，任何读取配置的工作区工具都能看到它。请运行以下命令迁移：
+>
+> ```
+> openclaw secrets configure
+> ```
+>
+> 选择 `channels.lansenger.accounts.*.appSecret` 字段将其转换为 SecretRef。迁移后，配置中将包含 `__OPENCLAW_SECRET__({ref_id})` 而非原始密钥值，实际值存储在系统凭证库中。
+
 ### 获取凭证
 
 **蓝信桌面端** → **通讯录** → **智能机器人** → **个人机器人** → 点击 **ℹ️** 图标
@@ -444,26 +454,7 @@ Agent 路由由 OpenClaw 的 `bindings[]` 配置管理——见[多 Agent 路由
 
 ## 更新日志
 
-- **v3.11.0** — 移除 `child_process` 依赖（之前导致 OpenClaw 安装被拦截）。视频现在要求手动提供 `coverImagePath` + `videoWidth/Height/Duration` 参数（调用 send-file 前先用 ffmpeg/ffprobe 提取）。入站视频封面以图片类型下载。
-- **v3.10.0** — 修复视频消息：API要求 `mediaIds=[视频mediaId, 封面图片mediaId]`（数组长度必须为2）。`sendFile()` 自动用ffmpeg提取首帧作为封面并上传。`send-text` 文件附件现在根据文件类型设置正确的 mediaType，不再硬编码为3。入站视频封面以图片类型下载。
-- **v3.9.0** — 文件上传接口改为 `/v1/app/medias/create`（支持更大文件，默认图片10M/其他20M，type 参数改用字符串 `image`/`video`/`audio`/`file`）。旧接口 `/v1/medias/create` 仅限1M且为头像上传专用。
-- **v3.8.0** — 新增 `security.collectWarnings` 和 `security.collectAuditFindings` 支持 `openclaw doctor --lint` 检查（凭证缺失/不完整、dmPolicy 不适合个人机器人、apiGatewayUrl 未设置、群聊配置暂无效）。新增 `doctor.repairConfig` 自动修复 dmPolicy。依赖 OpenClaw >= 2026.5.20。
-- **v3.7.0** — 入站防抖合并：接入 OpenClaw `messages.inbound.debounceMs`，合并同一用户的连续快速消息；确认消息功能（`ackMessage` / `revokeAckMessage` 配置）：代理处理前发送"收到，正在处理..."，可选代理回复后自动撤回（`revokeAckMessage` 默认 `true`），语言自动检测
-- **v3.6.0** — 修复 health-monitor 无限重启循环：注册 `gateway.startAccount`/`stopAccount`，让 channelManager runtime store 正确记录 `running=true` + `connected=true`；WS 生命周期回调通过 `createAccountStatusSink` 实时上报连接状态变更
-- **v3.5.0** — 修复重复消息送达（每回合去重）；剥离文件名中的 OpenClaw UUID 后缀；MEDIA 白名单文档；alsoAllow 提示；README 准确性修复
-- **v3.3.0** — 合并 tools 插件至频道插件；代理工具现已内置（无需单独安装）；移除 `@lansenger-pm/openclaw-lansenger-tools` 的 peerDependencies
-- **v3.1.0** — 多账号设置向导；dmPolicy 对齐 OpenClaw 标准（dmSecurity→dmPolicy + paired→pairing）；中英双语提示文案；凭证 shouldPrompt 跳过已配置步骤；多账号配置迁移清理
-- **v3.0.0** — 新增 `lansenger_send_format_text` 工具（Markdown + @提及）；重写 SKILL.md；修正 headStatusInfo description+colour 语义
-- **v2.10.0** — appCard font-size px→pt 自动转换；sendImageUrl 错误分类；工具注册日志
-- **v2.9.0** — 状态适配器；环境变量回退；uiHints 中文标签；README 精简（5 语言）
-- **v2.8.0** — OpenClaw `bindings[]` 多 Agent 路由；groupPolicy/groupAllowFrom/groups 群聊准入；SKILL.md AgentSkills 规范
-- **v2.7.0** — 纯对象工具注册；运行时状态获取 client/target
-- **v2.6.0** — 无条件注册工具；移除幽灵 delete_message
-- **v2.5.0** — formatText reminder；AppArticles `summary`；撤回仅 bot/group
-- **v2.4.0** — 修复消息体组装；appArticles/linkCard 字段修复
-- **v2.3.0** — 移除遗留群聊/私聊发送；全部通过 msgTarget 路由
-- **v2.2.0** — 添加 9 个 agent 工具
-- **v2.0.0** — 初始发布
+完整版本历史见 [CHANGELOG.md](CHANGELOG.md)。
 
 ## 许可证
 

package/README.zhHant.md

@@ -122,6 +122,16 @@ openclaw pairing approve lansenger <配對碼>
 
 憑證也可透過 `openclaw.json` 配置提供（見下方可選設定）。配置值優先；環境變數僅在配置未設定時作為回退。
 
+> ⚠️ **安全：將 appSecret 遷移至 SecretRef 儲存**
+>
+> 自 v3.12.1 起，藍信頻道插件支援 OpenClaw SecretRef 儲存 `appSecret`。如果 `appSecret` 以明文儲存在 `openclaw.json` 中，任何讀取配置的工作區工具都能看到它。請執行以下指令遷移：
+>
+> ```
+> openclaw secrets configure
+> ```
+>
+> 選擇 `channels.lansenger.accounts.*.appSecret` 欄位將其轉換為 SecretRef。遷移後，配置中將包含 `__OPENCLAW_SECRET__({ref_id})` 而非原始密鑰值，實際值儲存在系統憑證庫中。
+
 ### 取得憑證
 
 **藍信桌面端** → **通訊錄** → **智慧機器人** → **個人機器人** → 點擊 **ℹ️** 圖標
@@ -444,26 +454,7 @@ Agent 路由由 OpenClaw 的 `bindings[]` 設定管理——見[多 Agent 路由
 
 ## 更新日誌
 
-- **v3.11.0** — 移除 `child_process` 依賴（之前導致 OpenClaw 安裝被攔截）。影片現在要求手動提供 `coverImagePath` + `videoWidth/Height/Duration` 參數（呼叫 send-file 前先用 ffmpeg/ffprobe 提取）。入站影片封面以圖片類型下載。
-- **v3.10.0** — 修復影片訊息：API要求 `mediaIds=[影片mediaId, 封面圖片mediaId]`（陣列長度必須為2）。`sendFile()` 自動用ffmpeg提取首帧作為封面並上傳。`send-text` 檔案附件現在根據檔案類型設定正確的 mediaType，不再硬編碼為3。入站影片封面以圖片類型下載。
-- **v3.9.0** — 檔案上傳介面改為 `/v1/app/medias/create`（支援更大檔案，預設圖片10M/其他20M，type 參數改用字串 `image`/`video`/`audio`/`file`）。舊介面 `/v1/medias/create`僅限1M且為頭像上傳專用。
-- **v3.8.0** — 新增 `security.collectWarnings` 和 `security.collectAuditFindings` 支援 `openclaw doctor --lint` 檢查（憑證缺失/不完整、dmPolicy 不適合個人機械人、apiGatewayUrl 未設定、群聊設定暫無效）。新增 `doctor.repairConfig` 自動修復 dmPolicy。依賴 OpenClaw >= 2026.5.20。
-- **v3.7.0** — 入站防抖合併：接入 OpenClaw `messages.inbound.debounceMs`，合併同一使用者的連續快速訊息；確認訊息功能（`ackMessage` / `revokeAckMessage` 配置）：代理處理前傳送「收到，正在處理...」，可選代理回覆後自動撤回（`revokeAckMessage` 預設 `true`），語言自動偵測
-- **v3.6.0** — 修正 health-monitor 無限重啟循環：註冊 `gateway.startAccount`/`stopAccount`，讓 channelManager runtime store 正確記錄 `running=true` + `connected=true`；WS 生命週期回呼透過 `createAccountStatusSink` 即時上報連線狀態變更
-- **v3.5.0** — 修正重複訊息遞送（每回合去重）；從檔案名稱中移除 OpenClaw UUID 後綴；MEDIA 白名單文件；alsoAllow 提示；README 准確性修正
-- **v3.3.0** — 合併 tools 插件至頻道插件；代理工具現已內建（無需單獨安裝）；移除 `@lansenger-pm/openclaw-lansenger-tools` 的 peerDependencies
-- **v3.1.0** — 多帳號設定精靈；dmPolicy 對齊 OpenClaw 標準（dmSecurity→dmPolicy + paired→pairing）；中英雙語提示文案；憑證 shouldPrompt 跳過已設定步驟；多帳號設定遷移清理
-- **v3.0.0** — 新增 `lansenger_send_format_text` 工具（Markdown + @提及）；重寫 SKILL.md；修正 headStatusInfo description+colour 語義
-- **v2.10.0** — appCard font-size px→pt 自動轉換；sendImageUrl 錯誤分類；工具註冊日誌
-- **v2.9.0** — 狀態適配器；環境變數回退；uiHints 中文標籤；README 精簡（5 語言）
-- **v2.8.0** — OpenClaw `bindings[]` 多 Agent 路由；groupPolicy/groupAllowFrom/groups 羣聊准入；SKILL.md AgentSkills 規範
-- **v2.7.0** — 純物件工具註冊；運行時狀態取得 client/target
-- **v2.6.0** — 無條件註冊工具；移除幽靈 delete_message
-- **v2.5.0** — formatText reminder；AppArticles `summary`；撤回僅 bot/group
-- **v2.4.0** — 修復訊息體組裝；appArticles/linkCard 欄位修復
-- **v2.3.0** — 移除遺留群組/私聊傳送；全部透過 msgTarget 路由
-- **v2.2.0** — 新增 9 個 agent 工具
-- **v2.0.0** — 初始發佈
+完整版本歷史見 [CHANGELOG.md](CHANGELOG.md)。
 
 ## 授權條款
 

package/README.zhHantHK.md

@@ -122,6 +122,16 @@ openclaw pairing approve lansenger <配對碼>
 
 憑證也可透過 `openclaw.json` 配置提供（見下方可選設定）。配置值優先；環境變數僅在配置未設定時作為回退。
 
+> ⚠️ **安全：將 appSecret 遷移至 SecretRef 儲存**
+>
+> 自 v3.12.1 起，藍信頻道插件支援 OpenClaw SecretRef 儲存 `appSecret`。如果 `appSecret` 以明文儲存在 `openclaw.json` 中，任何讀取配置的工作區工具都能看到它。請執行以下指令遷移：
+>
+> ```
+> openclaw secrets configure
+> ```
+>
+> 選擇 `channels.lansenger.accounts.*.appSecret` 欄位將其轉換為 SecretRef。遷移後，配置中將包含 `__OPENCLAW_SECRET__({ref_id})` 而非原始密鑰值，實際值儲存在系統憑證庫中。
+
 ### 取得憑證
 
 **藍信桌面端** → **通訊錄** → **智能機械人** → **個人機械人** → 點擊 **ℹ️** 圖標
@@ -446,26 +456,7 @@ Agent 路由由 OpenClaw 的 `bindings[]` 設定管理——見[多 Agent 路由
 
 ## 更新日誌
 
-- **v3.11.0** — 移除 `child_process` 依賴（之前導致 OpenClaw 安裝被攔截）。影片現在要求手動提供 `coverImagePath` + `videoWidth/Height/Duration` 參數（呼叫 send-file 前先用 ffmpeg/ffprobe 提取）。入站影片封面以圖片類型下載。
-- **v3.10.0** — 修復影片訊息：API要求 `mediaIds=[影片mediaId, 封面圖片mediaId]`（陣列長度必須為2）。`sendFile()` 自動用ffmpeg提取首帧作為封面並上傳。`send-text` 檔案附件現在根據檔案類型設定正確的 mediaType，不再硬編碼為3。入站影片封面以圖片類型下載。
-- **v3.9.0** — 檔案上傳介面改為 `/v1/app/medias/create`（支援更大檔案，預設圖片10M/其他20M，type 參數改用字串 `image`/`video`/`audio`/`file`）。舊介面 `/v1/medias/create`僅限1M且為頭像上傳專用。
-- **v3.8.0** — 新增 `security.collectWarnings` 和 `security.collectAuditFindings` 支援 `openclaw doctor --lint` 檢查（憑證缺失/不完整、dmPolicy 不適合個人機械人、apiGatewayUrl 未設定、群聊設定暫無效）。新增 `doctor.repairConfig` 自動修復 dmPolicy。依賴 OpenClaw >= 2026.5.20。
-- **v3.7.0** — 入站防抖合併：接入 OpenClaw `messages.inbound.debounceMs`，合併同一使用者的連續快速訊息；確認訊息功能（`ackMessage` / `revokeAckMessage` 配置）：代理處理前發送「收到，正在處理...」，可選代理回覆後自動撤回（`revokeAckMessage` 預設 `true`），語言自動偵測
-- **v3.6.0** — 修正 health-monitor 無限重啟循環：註冊 `gateway.startAccount`/`stopAccount`，讓 channelManager runtime store 正確記錄 `running=true` + `connected=true`；WS 生命週期回呼透過 `createAccountStatusSink` 即時上報連線狀態變更
-- **v3.5.0** — 修正重複訊息發送（每回合去重）；從檔案名稱中移除 OpenClaw UUID 後綴；MEDIA 白名單文件；alsoAllow 提示；README 准確性修正
-- **v3.3.0** — 合併 tools 插件至頻道插件；代理工具現已內建（無需單獨安裝）；移除 `@lansenger-pm/openclaw-lansenger-tools` 的 peerDependencies
-- **v3.1.0** — 多帳號設定精靈；dmPolicy 對齊 OpenClaw 標準（dmSecurity→dmPolicy + paired→pairing）；中英雙語提示文案；憑證 shouldPrompt 跳過已設定步驟；多帳號設定遷移清理
-- **v3.0.0** — 新增 `lansenger_send_format_text` 工具（Markdown + @提及）；重寫 SKILL.md；修正 headStatusInfo description+colour 語義
-- **v2.10.0** — appCard font-size px→pt 自動轉換；sendImageUrl 錯誤分類；工具註冊日誌
-- **v2.9.0** — 狀態適配器；環境變數回退；uiHints 中文標籤；README 精簡（5 語言）
-- **v2.8.0** — OpenClaw `bindings[]` 多 Agent 路由；groupPolicy/groupAllowFrom/groups 羣聊准入；SKILL.md AgentSkills 規範
-- **v2.7.0** — 純物件工具註冊；運行時狀態取得 client/target
-- **v2.6.0** — 無條件註冊工具；移除幽靈 delete_message
-- **v2.5.0** — formatText reminder；AppArticles `summary`；撤回僅 bot/group
-- **v2.4.0** — 修復訊息體組裝；appArticles/linkCard 欄位修復
-- **v2.3.0** — 移除遺留羣組/私聊發送；全部透過 msgTarget 路由
-- **v2.2.0** — 新增 9 個 agent 工具
-- **v2.0.0** — 初始發佈
+完整版本歷史見 [CHANGELOG.md](CHANGELOG.md)。
 
 ## 授權條款